Analysis
-
max time kernel
462s -
max time network
467s -
platform
windows11-21h2_x64 -
resource
win11-20240221-en -
resource tags
arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system -
submitted
02-03-2024 10:10
Static task
static1
Behavioral task
behavioral1
Sample
HLlib.dll
Resource
win11-20240221-en
Errors
General
-
Target
HLlib.dll
-
Size
7B
-
MD5
6629e06467507a1cec63e311e5bfef95
-
SHA1
01e9b7f87a4e1484293b5f688480740bc5251544
-
SHA256
af9323627c09003e6979528b9ec9c1ba8064d0e42103564d006ff205634823db
-
SHA512
a8cf7ba7d73a2428009d9f23ffddf8f9c4dced97f1d9f42dd839a7cd6da5cd9c942e3496acc95832853f9ae8650d039a79273d8e578d2e9658d738b8a0a88156
Malware Config
Signatures
-
Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
Annabelle.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\Downloads\\Annabelle.exe" Annabelle.exe -
Processes:
Annabelle.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Annabelle.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" Annabelle.exe -
Processes:
Annabelle.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Annabelle.exe -
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (539) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Disables RegEdit via registry modification 2 IoCs
Processes:
Annabelle.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Annabelle.exe Set value (int) \REGISTRY\USER\S-1-5-21-3084248216-1643706459-906455512-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Annabelle.exe -
Disables Task Manager via registry modification
-
Disables use of System Restore points 1 TTPs
-
Downloads MZ/PE file
-
Modifies Windows Firewall 2 TTPs 1 IoCs
Processes:
NetSh.exepid process 23196 NetSh.exe -
Sets file execution options in registry 2 TTPs 64 IoCs
Processes:
Annabelle.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad++.exe Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe\Debugger = "RIP" Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\systemexplorer.exe\Debugger = "RIP" Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe\Debugger = "RIP" Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger = "RIP" Annabelle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DCIMAN32.exe\Debugger = "RIP" Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "RIP" Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UserAccountControlSettings.exe\Debugger = "RIP" Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Autoruns.exe\Debugger = "RIP" Annabelle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\yandex.exe Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bcdedit.exe\Debugger = "RIP" Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ksuser.dll\Debugger = "RIP" Annabelle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\recoverydrive.exe Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "RIP" Annabelle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\opera.exe Annabelle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Autoruns64.exe Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Autoruns64.exe\Debugger = "RIP" Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\secpol.msc\Debugger = "RIP" Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\url.dll\Debugger = "RIP" Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "RIP" Annabelle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe Annabelle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DBGHELP.exe\Debugger = "RIP" Annabelle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\microsoftedge.exe Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gpedit.msc\Debugger = "RIP" Annabelle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll.exe Annabelle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DBGHELP.exe Annabelle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ksuser.dll Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mpg4dmod.dll\Debugger = "RIP" Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\recoverydrive.exe\Debugger = "RIP" Annabelle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\opera.exe\Debugger = "RIP" Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\yandex.exe\Debugger = "RIP" Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dllhost.exe\Debugger = "RIP" Annabelle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\microsoftedgecp.exe Annabelle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shellstyle.dll\Debugger = "RIP" Annabelle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\secpol.msc Annabelle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\usbui.dll Annabelle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe Annabelle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad++.exe\Debugger = "RIP" Annabelle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UserAccountControlSettings.exe Annabelle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DCIMAN32.exe Annabelle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\Debugger = "RIP" Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mspaint.exe\Debugger = "RIP" Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\logoff.exe\Debugger = "RIP" Annabelle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\control.exe Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rasman.dll\Debugger = "RIP" Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\microsoftedgecp.exe\Debugger = "RIP" Annabelle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\systemexplorer.exe Annabelle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\attrib.exe Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll.exe\Debugger = "RIP" Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chkdsk.exe\Debugger = "RIP" Annabelle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wmplayer.exe Annabelle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mydocs.dll Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wmplayer.exe\Debugger = "RIP" Annabelle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe\Debugger = "RIP" Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\microsoftedge.exe\Debugger = "RIP" Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCuiL.exe\Debugger = "RIP" Annabelle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gpedit.msc Annabelle.exe -
Deletes itself 1 IoCs
Processes:
CoronaVirus.exepid process 2856 CoronaVirus.exe -
Drops startup file 5 IoCs
Processes:
CoronaVirus.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-6B75748B.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-6B75748B.[coronavirus@qq.com].ncov CoronaVirus.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta CoronaVirus.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CoronaVirus.exe CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini CoronaVirus.exe -
Executes dropped EXE 9 IoCs
Processes:
DanaBot.exeDanaBot.exeCoronaVirus.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exeAnnabelle.exepid process 2396 DanaBot.exe 5116 DanaBot.exe 2856 CoronaVirus.exe 7960 msedge.exe 18480 msedge.exe 12228 msedge.exe 11572 msedge.exe 23640 msedge.exe 23808 Annabelle.exe -
Loads dropped DLL 6 IoCs
Processes:
msedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exepid process 30064 msedge.exe 7960 msedge.exe 18480 msedge.exe 12228 msedge.exe 11572 msedge.exe 23640 msedge.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 6 IoCs
Processes:
Annabelle.exeCoronaVirus.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UpdateBackup = "C:\\Users\\Admin\\Downloads\\Annabelle.exe" Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CoronaVirus.exe = "C:\\Windows\\System32\\CoronaVirus.exe" CoronaVirus.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\"" CoronaVirus.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\"" CoronaVirus.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UpdateBackup = "C:\\Users\\Admin\\Downloads\\Annabelle.exe" Annabelle.exe Set value (str) \REGISTRY\USER\S-1-5-21-3084248216-1643706459-906455512-1000\Software\Microsoft\Windows\CurrentVersion\Run\UpdateBackup = "C:\\Users\\Admin\\Downloads\\Annabelle.exe" Annabelle.exe -
Processes:
Annabelle.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Annabelle.exe -
Drops desktop.ini file(s) 64 IoCs
Processes:
CoronaVirus.exedescription ioc process File opened for modification C:\Users\Admin\Links\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Searches\desktop.ini CoronaVirus.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini CoronaVirus.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini CoronaVirus.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Downloads\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini CoronaVirus.exe File opened for modification C:\Users\Public\Libraries\desktop.ini CoronaVirus.exe File opened for modification F:\$RECYCLE.BIN\S-1-5-21-3084248216-1643706459-906455512-1000\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Favorites\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Public\Pictures\desktop.ini CoronaVirus.exe File opened for modification C:\Program Files\desktop.ini CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Music\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Public\Documents\desktop.ini CoronaVirus.exe File opened for modification C:\$Recycle.Bin\S-1-5-21-3084248216-1643706459-906455512-1000\desktop.ini CoronaVirus.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Saved Games\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Public\AccountPictures\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Public\Music\desktop.ini CoronaVirus.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Desktop\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini CoronaVirus.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Contacts\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Documents\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini CoronaVirus.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Public\Videos\desktop.ini CoronaVirus.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Videos\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini CoronaVirus.exe File opened for modification C:\Program Files (x86)\desktop.ini CoronaVirus.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Public\Desktop\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Public\Downloads\desktop.ini CoronaVirus.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Drops file in System32 directory 2 IoCs
Processes:
CoronaVirus.exedescription ioc process File created C:\Windows\System32\CoronaVirus.exe CoronaVirus.exe File created C:\Windows\System32\Info.hta CoronaVirus.exe -
Drops file in Program Files directory 64 IoCs
Processes:
CoronaVirus.exedescription ioc process File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\api-ms-win-crt-heap-l1-1-0.dll.id-6B75748B.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\VSTOFiles.cat.id-6B75748B.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files\Common Files\System\msadc\msdaprsr.dll CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.40831.0_x64__8wekyb3d8bbwe\Assets\contrast-white\StoreLogo.scale-200_contrast-white.png CoronaVirus.exe File created C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-rtlsupport-l1-1-0.dll.id-6B75748B.[coronavirus@qq.com].ncov CoronaVirus.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\root\ui-strings.js.id-6B75748B.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\rmid.exe CoronaVirus.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\sk-sk\ui-strings.js CoronaVirus.exe File created C:\Program Files\Microsoft Office\root\Office16\REFEDIT.DLL.id-6B75748B.[coronavirus@qq.com].ncov CoronaVirus.exe File created C:\Program Files\Java\jdk-1.8\legal\jdk\asm.md.id-6B75748B.[coronavirus@qq.com].ncov CoronaVirus.exe File created C:\Program Files\VideoLAN\VLC\lua\http\js\common.js.id-6B75748B.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.BingNews_1.0.6.0_x64__8wekyb3d8bbwe\Assets\AppTiles\NewsAppList.targetsize-16_altform-lightunplated.png CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Paint_10.2104.17.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PaintAppList.targetsize-80.png CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019R_OEM_Perp-pl.xrm-ms.id-6B75748B.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_KMS_Client_AE-ppd.xrm-ms CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTest-ul-oob.xrm-ms CoronaVirus.exe File created C:\Program Files\VideoLAN\VLC\plugins\stream_out\libstream_out_chromecast_plugin.dll.id-6B75748B.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\bg-BG\tipresx.dll.mui CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\Bibliography\Sort\TITLE.XSL.id-6B75748B.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\Images\Square44x44Logo.targetsize-32_altform-unplated.png CoronaVirus.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\prism_common.dll.id-6B75748B.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_sortedby_18.svg.id-6B75748B.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\audio_output\libamem_plugin.dll.id-6B75748B.[coronavirus@qq.com].ncov CoronaVirus.exe File created C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\en\Microsoft.PackageManagement.MsuProvider.resources.dll.id-6B75748B.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\rsod\osmux.x-none.msi.16.x-none.boot.tree.dat CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2020.503.58.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\contrast-white\CameraMedTile.scale-200.png CoronaVirus.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe.id-6B75748B.[coronavirus@qq.com].ncov CoronaVirus.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\css\main-selector.css.id-6B75748B.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib\SearchBox.js CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdO365R_SubTest-ul-oob.xrm-ms CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\OWSCLT.DLL CoronaVirus.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\ResiliencyLinks\Locales\devtools\ja.pak.DATA CoronaVirus.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Net.Ping.dll.id-6B75748B.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Diagnostics.TraceSource.dll.id-6B75748B.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Paint_10.2104.17.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PaintAppList.targetsize-24_altform-unplated.png CoronaVirus.exe File created C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.143.57\msedgeupdateres_da.dll.id-6B75748B.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Paint_10.2104.17.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PaintStoreLogo.scale-125.png CoronaVirus.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_link_18.svg.id-6B75748B.[coronavirus@qq.com].ncov CoronaVirus.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\pdf-ownership-rdr-ja_jp_2x.gif.id-6B75748B.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\en-il\ui-strings.js CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\MSYUBIN7.DLL CoronaVirus.exe File created C:\Program Files\Mozilla Firefox\api-ms-win-crt-environment-l1-1-0.dll.id-6B75748B.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\es\WindowsFormsIntegration.resources.dll CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.50.24002.0_x64__8wekyb3d8bbwe\Assets\GameBar_StoreLogo.scale-200.png CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Images\StoreLogo.png CoronaVirus.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\root\ui-strings.js.id-6B75748B.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_2.2106.2807.0_x64__8wekyb3d8bbwe\Assets\Store\SplashScreen.scale-150.altform-colorful.png CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2012.21.0_x64__8wekyb3d8bbwe\Assets\Graphing.targetsize-32_contrast-white.png CoronaVirus.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\Download_on_the_App_Store_Badge_tr_135x40.svg.id-6B75748B.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\OneNote\prnSendToOneNote.cat CoronaVirus.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\pdf-ownership-rdr-de_de_2x.gif.id-6B75748B.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_OEM_Perp-ppd.xrm-ms CoronaVirus.exe File opened for modification C:\Program Files (x86)\Common Files\System\ado\msadox.dll CoronaVirus.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.zh-cn.dll CoronaVirus.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.Diagnostics.FileVersionInfo.dll.id-6B75748B.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\check_2x.png CoronaVirus.exe File created C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Retail-ul-phn.xrm-ms.id-6B75748B.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\themes\dark\dd_arrow_small.png CoronaVirus.exe File created C:\Program Files (x86)\Google\Update\1.3.36.151\goopdateres_ro.dll.id-6B75748B.[coronavirus@qq.com].ncov CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\linesdistinctive.dotx CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-commonjs\Label.js CoronaVirus.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\jfr.jar CoronaVirus.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\uk-ua\ui-strings.js CoronaVirus.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\Locales\el.pak.id-6B75748B.[coronavirus@qq.com].ncov CoronaVirus.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 2 IoCs
Processes:
WerFault.exeWerFault.exepid pid_target process target process 2656 2396 WerFault.exe DanaBot.exe 4180 5116 WerFault.exe DanaBot.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
msedge.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Interacts with shadow copies 2 TTPs 5 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exepid process 8076 vssadmin.exe 16112 vssadmin.exe 6400 vssadmin.exe 23220 vssadmin.exe 23252 vssadmin.exe -
Modifies data under HKEY_USERS 15 IoCs
Processes:
LogonUI.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent LogonUI.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00 LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "124" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" LogonUI.exe -
Modifies registry class 2 IoCs
Processes:
msedge.exemsedge.exedescription ioc process Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3084248216-1643706459-906455512-1000\{50A81656-8F54-418B-9A0C-56512444FF34} msedge.exe Key created \REGISTRY\USER\S-1-5-21-3084248216-1643706459-906455512-1000_Classes\Local Settings msedge.exe -
NTFS ADS 11 IoCs
Processes:
msedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exedescription ioc process File opened for modification C:\Users\Admin\Downloads\Ransomware.Mamba.zip:Zone.Identifier msedge.exe File opened for modification C:\Users\Admin\Downloads\Ransomware.Jigsaw.zip:Zone.Identifier msedge.exe File opened for modification C:\Users\Admin\Downloads\DanaBot.exe:Zone.Identifier msedge.exe File opened for modification C:\Users\Admin\Downloads\MadMan.exe:Zone.Identifier msedge.exe File opened for modification C:\Users\Admin\Downloads\CoronaVirus.exe:Zone.Identifier msedge.exe File opened for modification C:\Users\Admin\Downloads\Unconfirmed 167525.crdownload:SmartScreen msedge.exe File opened for modification C:\Users\Admin\Downloads\Unconfirmed 46744.crdownload:SmartScreen msedge.exe File opened for modification C:\Users\Admin\Downloads\Unconfirmed 419242.crdownload:SmartScreen msedge.exe File opened for modification C:\Users\Admin\Downloads\Unconfirmed 922947.crdownload:SmartScreen msedge.exe File opened for modification C:\Users\Admin\Downloads\Unconfirmed 71217.crdownload:SmartScreen msedge.exe File opened for modification C:\Users\Admin\Downloads\Annabelle.exe:Zone.Identifier msedge.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exeCoronaVirus.exepid process 1908 msedge.exe 1908 msedge.exe 1532 msedge.exe 1532 msedge.exe 4608 identity_helper.exe 4608 identity_helper.exe 3448 msedge.exe 3448 msedge.exe 2032 msedge.exe 2032 msedge.exe 3328 msedge.exe 3328 msedge.exe 576 msedge.exe 576 msedge.exe 576 msedge.exe 576 msedge.exe 4948 msedge.exe 4948 msedge.exe 4904 msedge.exe 4904 msedge.exe 4652 msedge.exe 4652 msedge.exe 1356 msedge.exe 1356 msedge.exe 2856 CoronaVirus.exe 2856 CoronaVirus.exe 2856 CoronaVirus.exe 2856 CoronaVirus.exe 2856 CoronaVirus.exe 2856 CoronaVirus.exe 2856 CoronaVirus.exe 2856 CoronaVirus.exe 2856 CoronaVirus.exe 2856 CoronaVirus.exe 2856 CoronaVirus.exe 2856 CoronaVirus.exe 2856 CoronaVirus.exe 2856 CoronaVirus.exe 2856 CoronaVirus.exe 2856 CoronaVirus.exe 2856 CoronaVirus.exe 2856 CoronaVirus.exe 2856 CoronaVirus.exe 2856 CoronaVirus.exe 2856 CoronaVirus.exe 2856 CoronaVirus.exe 2856 CoronaVirus.exe 2856 CoronaVirus.exe 2856 CoronaVirus.exe 2856 CoronaVirus.exe 2856 CoronaVirus.exe 2856 CoronaVirus.exe 2856 CoronaVirus.exe 2856 CoronaVirus.exe 2856 CoronaVirus.exe 2856 CoronaVirus.exe 2856 CoronaVirus.exe 2856 CoronaVirus.exe 2856 CoronaVirus.exe 2856 CoronaVirus.exe 2856 CoronaVirus.exe 2856 CoronaVirus.exe 2856 CoronaVirus.exe 2856 CoronaVirus.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
msedge.exepid process 1908 msedge.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 31 IoCs
Processes:
msedge.exepid process 1908 msedge.exe 1908 msedge.exe 1908 msedge.exe 1908 msedge.exe 1908 msedge.exe 1908 msedge.exe 1908 msedge.exe 1908 msedge.exe 1908 msedge.exe 1908 msedge.exe 1908 msedge.exe 1908 msedge.exe 1908 msedge.exe 1908 msedge.exe 1908 msedge.exe 1908 msedge.exe 1908 msedge.exe 1908 msedge.exe 1908 msedge.exe 1908 msedge.exe 1908 msedge.exe 1908 msedge.exe 1908 msedge.exe 1908 msedge.exe 1908 msedge.exe 1908 msedge.exe 1908 msedge.exe 1908 msedge.exe 1908 msedge.exe 1908 msedge.exe 1908 msedge.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
vssvc.exeshutdown.exedescription pid process Token: SeBackupPrivilege 23944 vssvc.exe Token: SeRestorePrivilege 23944 vssvc.exe Token: SeAuditPrivilege 23944 vssvc.exe Token: SeShutdownPrivilege 19364 shutdown.exe Token: SeRemoteShutdownPrivilege 19364 shutdown.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
msedge.exepid process 1908 msedge.exe 1908 msedge.exe 1908 msedge.exe 1908 msedge.exe 1908 msedge.exe 1908 msedge.exe 1908 msedge.exe 1908 msedge.exe 1908 msedge.exe 1908 msedge.exe 1908 msedge.exe 1908 msedge.exe 1908 msedge.exe 1908 msedge.exe 1908 msedge.exe 1908 msedge.exe 1908 msedge.exe 1908 msedge.exe 1908 msedge.exe 1908 msedge.exe 1908 msedge.exe 1908 msedge.exe 1908 msedge.exe 1908 msedge.exe 1908 msedge.exe 1908 msedge.exe 1908 msedge.exe 1908 msedge.exe 1908 msedge.exe 1908 msedge.exe 1908 msedge.exe 1908 msedge.exe 1908 msedge.exe 1908 msedge.exe 1908 msedge.exe 1908 msedge.exe 1908 msedge.exe 1908 msedge.exe 1908 msedge.exe 1908 msedge.exe 1908 msedge.exe 1908 msedge.exe 1908 msedge.exe 1908 msedge.exe 1908 msedge.exe 1908 msedge.exe 1908 msedge.exe 1908 msedge.exe 1908 msedge.exe 1908 msedge.exe 1908 msedge.exe 1908 msedge.exe 1908 msedge.exe 1908 msedge.exe 1908 msedge.exe 1908 msedge.exe 1908 msedge.exe 1908 msedge.exe 1908 msedge.exe 1908 msedge.exe 1908 msedge.exe 1908 msedge.exe 1908 msedge.exe 1908 msedge.exe -
Suspicious use of SendNotifyMessage 26 IoCs
Processes:
msedge.exepid process 1908 msedge.exe 1908 msedge.exe 1908 msedge.exe 1908 msedge.exe 1908 msedge.exe 1908 msedge.exe 1908 msedge.exe 1908 msedge.exe 1908 msedge.exe 1908 msedge.exe 1908 msedge.exe 1908 msedge.exe 1908 msedge.exe 1908 msedge.exe 1908 msedge.exe 1908 msedge.exe 1908 msedge.exe 1908 msedge.exe 1908 msedge.exe 1908 msedge.exe 1908 msedge.exe 1908 msedge.exe 1908 msedge.exe 1908 msedge.exe 1908 msedge.exe 1908 msedge.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
msedge.exeLogonUI.exepid process 1908 msedge.exe 1908 msedge.exe 19016 LogonUI.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
msedge.exedescription pid process target process PID 1908 wrote to memory of 5080 1908 msedge.exe msedge.exe PID 1908 wrote to memory of 5080 1908 msedge.exe msedge.exe PID 1908 wrote to memory of 2380 1908 msedge.exe msedge.exe PID 1908 wrote to memory of 2380 1908 msedge.exe msedge.exe PID 1908 wrote to memory of 2380 1908 msedge.exe msedge.exe PID 1908 wrote to memory of 2380 1908 msedge.exe msedge.exe PID 1908 wrote to memory of 2380 1908 msedge.exe msedge.exe PID 1908 wrote to memory of 2380 1908 msedge.exe msedge.exe PID 1908 wrote to memory of 2380 1908 msedge.exe msedge.exe PID 1908 wrote to memory of 2380 1908 msedge.exe msedge.exe PID 1908 wrote to memory of 2380 1908 msedge.exe msedge.exe PID 1908 wrote to memory of 2380 1908 msedge.exe msedge.exe PID 1908 wrote to memory of 2380 1908 msedge.exe msedge.exe PID 1908 wrote to memory of 2380 1908 msedge.exe msedge.exe PID 1908 wrote to memory of 2380 1908 msedge.exe msedge.exe PID 1908 wrote to memory of 2380 1908 msedge.exe msedge.exe PID 1908 wrote to memory of 2380 1908 msedge.exe msedge.exe PID 1908 wrote to memory of 2380 1908 msedge.exe msedge.exe PID 1908 wrote to memory of 2380 1908 msedge.exe msedge.exe PID 1908 wrote to memory of 2380 1908 msedge.exe msedge.exe PID 1908 wrote to memory of 2380 1908 msedge.exe msedge.exe PID 1908 wrote to memory of 2380 1908 msedge.exe msedge.exe PID 1908 wrote to memory of 2380 1908 msedge.exe msedge.exe PID 1908 wrote to memory of 2380 1908 msedge.exe msedge.exe PID 1908 wrote to memory of 2380 1908 msedge.exe msedge.exe PID 1908 wrote to memory of 2380 1908 msedge.exe msedge.exe PID 1908 wrote to memory of 2380 1908 msedge.exe msedge.exe PID 1908 wrote to memory of 2380 1908 msedge.exe msedge.exe PID 1908 wrote to memory of 2380 1908 msedge.exe msedge.exe PID 1908 wrote to memory of 2380 1908 msedge.exe msedge.exe PID 1908 wrote to memory of 2380 1908 msedge.exe msedge.exe PID 1908 wrote to memory of 2380 1908 msedge.exe msedge.exe PID 1908 wrote to memory of 2380 1908 msedge.exe msedge.exe PID 1908 wrote to memory of 2380 1908 msedge.exe msedge.exe PID 1908 wrote to memory of 2380 1908 msedge.exe msedge.exe PID 1908 wrote to memory of 2380 1908 msedge.exe msedge.exe PID 1908 wrote to memory of 2380 1908 msedge.exe msedge.exe PID 1908 wrote to memory of 2380 1908 msedge.exe msedge.exe PID 1908 wrote to memory of 2380 1908 msedge.exe msedge.exe PID 1908 wrote to memory of 2380 1908 msedge.exe msedge.exe PID 1908 wrote to memory of 2380 1908 msedge.exe msedge.exe PID 1908 wrote to memory of 2380 1908 msedge.exe msedge.exe PID 1908 wrote to memory of 1532 1908 msedge.exe msedge.exe PID 1908 wrote to memory of 1532 1908 msedge.exe msedge.exe PID 1908 wrote to memory of 676 1908 msedge.exe msedge.exe PID 1908 wrote to memory of 676 1908 msedge.exe msedge.exe PID 1908 wrote to memory of 676 1908 msedge.exe msedge.exe PID 1908 wrote to memory of 676 1908 msedge.exe msedge.exe PID 1908 wrote to memory of 676 1908 msedge.exe msedge.exe PID 1908 wrote to memory of 676 1908 msedge.exe msedge.exe PID 1908 wrote to memory of 676 1908 msedge.exe msedge.exe PID 1908 wrote to memory of 676 1908 msedge.exe msedge.exe PID 1908 wrote to memory of 676 1908 msedge.exe msedge.exe PID 1908 wrote to memory of 676 1908 msedge.exe msedge.exe PID 1908 wrote to memory of 676 1908 msedge.exe msedge.exe PID 1908 wrote to memory of 676 1908 msedge.exe msedge.exe PID 1908 wrote to memory of 676 1908 msedge.exe msedge.exe PID 1908 wrote to memory of 676 1908 msedge.exe msedge.exe PID 1908 wrote to memory of 676 1908 msedge.exe msedge.exe PID 1908 wrote to memory of 676 1908 msedge.exe msedge.exe PID 1908 wrote to memory of 676 1908 msedge.exe msedge.exe PID 1908 wrote to memory of 676 1908 msedge.exe msedge.exe PID 1908 wrote to memory of 676 1908 msedge.exe msedge.exe PID 1908 wrote to memory of 676 1908 msedge.exe msedge.exe -
System policy modification 1 TTPs 9 IoCs
Processes:
Annabelle.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\WindowsDefenderMAJ = "1" Annabelle.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System Annabelle.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" Annabelle.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Annabelle.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Annabelle.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "1" Annabelle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Annabelle.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1" Annabelle.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Annabelle.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\HLlib.dll,#11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8b2543cb8,0x7ff8b2543cc8,0x7ff8b2543cd82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1924,10515316447855256158,16276142815154515757,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1936 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1924,10515316447855256158,16276142815154515757,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1924,10515316447855256158,16276142815154515757,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2536 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,10515316447855256158,16276142815154515757,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,10515316447855256158,16276142815154515757,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,10515316447855256158,16276142815154515757,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4876 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,10515316447855256158,16276142815154515757,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4952 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1924,10515316447855256158,16276142815154515757,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5316 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,10515316447855256158,16276142815154515757,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,10515316447855256158,16276142815154515757,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5372 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,10515316447855256158,16276142815154515757,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4420 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1924,10515316447855256158,16276142815154515757,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5456 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,10515316447855256158,16276142815154515757,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5772 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,10515316447855256158,16276142815154515757,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,10515316447855256158,16276142815154515757,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5760 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1924,10515316447855256158,16276142815154515757,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3564 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1924,10515316447855256158,16276142815154515757,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5344 /prefetch:82⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,10515316447855256158,16276142815154515757,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,10515316447855256158,16276142815154515757,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4584 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,10515316447855256158,16276142815154515757,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6088 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,10515316447855256158,16276142815154515757,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4996 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,10515316447855256158,16276142815154515757,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6056 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1924,10515316447855256158,16276142815154515757,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6632 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,10515316447855256158,16276142815154515757,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6584 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,10515316447855256158,16276142815154515757,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7056 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,10515316447855256158,16276142815154515757,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7080 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,10515316447855256158,16276142815154515757,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5772 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1924,10515316447855256158,16276142815154515757,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6100 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,10515316447855256158,16276142815154515757,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5788 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1924,10515316447855256158,16276142815154515757,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6200 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,10515316447855256158,16276142815154515757,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6448 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1924,10515316447855256158,16276142815154515757,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4512 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,10515316447855256158,16276142815154515757,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6744 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1924,10515316447855256158,16276142815154515757,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5620 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1924,10515316447855256158,16276142815154515757,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5772 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Downloads\DanaBot.exe"C:\Users\Admin\Downloads\DanaBot.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2396 -s 2963⤵
- Program crash
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,10515316447855256158,16276142815154515757,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5964 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,10515316447855256158,16276142815154515757,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4608 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,10515316447855256158,16276142815154515757,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7320 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,10515316447855256158,16276142815154515757,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7340 /prefetch:12⤵
-
C:\Users\Admin\Downloads\DanaBot.exe"C:\Users\Admin\Downloads\DanaBot.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5116 -s 2563⤵
- Program crash
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,10515316447855256158,16276142815154515757,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7484 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1924,10515316447855256158,16276142815154515757,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7728 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1924,10515316447855256158,16276142815154515757,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7692 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,10515316447855256158,16276142815154515757,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8044 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1924,10515316447855256158,16276142815154515757,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=8136 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1924,10515316447855256158,16276142815154515757,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7244 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Downloads\CoronaVirus.exe"C:\Users\Admin\Downloads\CoronaVirus.exe"2⤵
- Deletes itself
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"3⤵
-
C:\Windows\system32\mode.commode con cp select=12514⤵
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"3⤵
-
C:\Windows\system32\mode.commode con cp select=12514⤵
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
-
C:\Windows\System32\mshta.exe"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"3⤵
-
C:\Windows\System32\mshta.exe"C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"3⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,10515316447855256158,16276142815154515757,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7584 /prefetch:12⤵
- Loads dropped DLL
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1924,10515316447855256158,16276142815154515757,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7700 /prefetch:82⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1924,10515316447855256158,16276142815154515757,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7492 /prefetch:82⤵
- Executes dropped EXE
- Loads dropped DLL
- NTFS ADS
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,10515316447855256158,16276142815154515757,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4580 /prefetch:12⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,10515316447855256158,16276142815154515757,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=60 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5952 /prefetch:12⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1924,10515316447855256158,16276142815154515757,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6376 /prefetch:82⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\Downloads\Annabelle.exe"C:\Users\Admin\Downloads\Annabelle.exe"2⤵
- Modifies WinLogon for persistence
- Modifies Windows Defender Real-time Protection settings
- UAC bypass
- Disables RegEdit via registry modification
- Sets file execution options in registry
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- System policy modification
-
C:\Windows\SYSTEM32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
-
C:\Windows\SYSTEM32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
-
C:\Windows\SYSTEM32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
-
C:\Windows\SYSTEM32\NetSh.exeNetSh Advfirewall set allprofiles state off3⤵
- Modifies Windows Firewall
-
C:\Windows\System32\shutdown.exe"C:\Windows\System32\shutdown.exe" -r -t 00 -f3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\System32\DataExchangeHost.exeC:\Windows\System32\DataExchangeHost.exe -Embedding1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2396 -ip 23961⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5116 -ip 51161⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa39c3855 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Abuse Elevation Control Mechanism
1Bypass User Account Control
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe.id-6B75748B.[coronavirus@qq.com].ncovFilesize
2.6MB
MD5bef099276f099131c7f4e22690b92738
SHA1da4d10f9f4283553261bd53d88997d1d73a081bc
SHA256ef815aa83d3459d09b4140360555b82f8554e299e191ecd64240bb1263bdbee4
SHA512a8fdb8af8376c7efed21f9bece8fd1acafa7b32135818773c05569bd3ad84d2b634a7de88c36070f9e01ed0229fadf2b5dc1b599ec53400a0cc095431d3ef532
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5caaacbd78b8e7ebc636ff19241b2b13d
SHA14435edc68c0594ebb8b0aa84b769d566ad913bc8
SHA256989cc6f5cdc43f7bac8f6bc10624a47d46cbc366c671c495c6900eabc5276f7a
SHA512c668a938bef9bbe432af676004beb1ae9c06f1ba2f154d1973e691a892cb39c345b12265b5996127efff3258ebba333847df09238f69e95f2f35879b5db7b7fc
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD57c194bbd45fc5d3714e8db77e01ac25a
SHA1e758434417035cccc8891d516854afb4141dd72a
SHA256253f8f4a60bdf1763526998865311c1f02085388892f14e94f858c50bf6e53c3
SHA512aca42768dcc4334e49cd6295bd563c797b11523f4405cd5b4aeb41dec9379d155ae241ce937ec55063ecbf82136154e4dc5065afb78d18b42af86829bac6900d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\4ba7590c-6915-4599-9865-15327189e7d1.tmpFilesize
1KB
MD5260c6a98331bb441c70c9236e00d022f
SHA1df6e03aded2195710c7e29b633523dfe017a8aa5
SHA2565a4289957158886f893e13c306d1f1590cdb7fb96cd2ceb9fc1e70bbcfb640e8
SHA512e9ebf79600a788e1d2e39c825d89a9b418cecfe221c192c1b103f4b32f334bc86defe304bf5c9c4b96a3ef8e5efdc8a93152c31bc74c475f6dd04bc5fcc757a5
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002Filesize
62KB
MD5c3c0eb5e044497577bec91b5970f6d30
SHA1d833f81cf21f68d43ba64a6c28892945adc317a6
SHA256eb48be34490ec9c4f9402b882166cd82cd317b51b2a49aae75cdf9ee035035eb
SHA51283d3545a4ed9eed2d25f98c4c9f100ae0ac5e4bc8828dccadee38553b7633bb63222132df8ec09d32eb37d960accb76e7aab5719fc08cc0a4ef07b053f30cf38
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003Filesize
69KB
MD5a127a49f49671771565e01d883a5e4fa
SHA109ec098e238b34c09406628c6bee1b81472fc003
SHA2563f208f049ffaf4a7ed808bf0ff759ce7986c177f476b380d0076fd1f5482fca6
SHA51261b54222e54e7ab8743a2d6ca3c36768a7b2cf22d5689a3309dee9974b1f804533720ea9de2d3beab44853d565a94f1bc0e60b9382997abcf03945219f98d734
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004Filesize
31KB
MD5acd3f8bcdca044e4382c0bb6246b0234
SHA11c83d89a3c40835a82f06e6bea0af86f52901bc5
SHA256cec8af8be960f3b13ad0f554c338ab88688ae5b4ddfcda5471fc8268ce66db25
SHA5123cbf100cc72f4a63c7aebe0ec029fc3635b97addbb0a4e83febbd127e00ff1455fc0b4cb90839f3bec498a7cdb848d8fde4d6991cc6a1f479669e70ad220b5a1
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005Filesize
19KB
MD52e86a72f4e82614cd4842950d2e0a716
SHA1d7b4ee0c9af735d098bff474632fc2c0113e0b9c
SHA256c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f
SHA5127a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006Filesize
65KB
MD556d57bc655526551f217536f19195495
SHA128b430886d1220855a805d78dc5d6414aeee6995
SHA256f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4
SHA5127814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007Filesize
84KB
MD574e33b4b54f4d1f3da06ab47c5936a13
SHA16e5976d593b6ee3dca3c4dbbb90071b76e1cd85c
SHA256535fc48679c38decd459ad656bdd6914e539754265244d0cc7b1da6bddf3e287
SHA51279218e8ee50484af968480ff9b211815c97c3f3035414e685aa5d15d9b4152682d87b66202339f212bf3b463a074bf7a4431107b50303f28e2eb4b17843991c2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008Filesize
1.1MB
MD5ae6fba4a8a4923ae8fb23bbe54365bb4
SHA1fb04d11d5f8433a5149dbbf05323cdbcbdfaf3c5
SHA256d3effbeee1babe87697c39dab95237973aef8f4755a273b3a04b6585d927f7f3
SHA512275b997c5819b5c360b1f5f1a8239e6f7e1631a0c75677a4d428c8a25e03400314e8eca58f54af524fb93c3b609b7c47e60ae05a7ba874651ed58b54281a2ed5
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009Filesize
37KB
MD5848304416018523d94a3c05d103959ba
SHA11b53b586cce313283d74285208827d115764f6c4
SHA256a28b31ed7c62940af21dd2a5e86a1e0e50a15b740ee3078b0ba42a575ac45ce1
SHA5124a9a3a5bb6495c7799b1413d61ee7232b2cbe3d5096f81a6b2ddaac1cab5b6db1ad694ed449be622741572d623697ea1348d0a465e1c2767a5d8c376654e9f4e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000bFilesize
33KB
MD53cd0f2f60ab620c7be0c2c3dbf2cda97
SHA147fad82bfa9a32d578c0c84aed2840c55bd27bfb
SHA25629a3b99e23b07099e1d2a3c0b4cff458a2eba2519f4654c26cf22d03f149e36b
SHA512ef6e3bbd7e03be8e514936bcb0b5a59b4cf4e677ad24d6d2dfca8c1ec95f134ae37f2042d8bf9a0e343b68bff98a0fd748503f35d5e9d42cdaa1dc283dec89fb
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000cFilesize
74KB
MD5bc9faa8bb6aae687766b2db2e055a494
SHA134b2395d1b6908afcd60f92cdd8e7153939191e4
SHA2564a725d21a3c98f0b9c5763b0a0796818d341579817af762448e1be522bc574ed
SHA512621386935230595c3a00b9c53ea25daa78c2823d32085e22363dc438150f1cb6b3d50be5c58665886fac2286ae63bf1f62c8803cb38a0cac201c82ee2db975c4
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000eFilesize
40KB
MD53051c1e179d84292d3f84a1a0a112c80
SHA1c11a63236373abfe574f2935a0e7024688b71ccb
SHA256992cbdc768319cbd64c1ec740134deccbb990d29d7dccd5ecd5c49672fa98ea3
SHA512df64e0f8c59b50bcffb523b6eab8fabf5f0c5c3d1abbfc6aa4831b4f6ce008320c66121dcedd124533867a9d5de83c424c5e9390bf0a95c8e641af6de74dabff
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000fFilesize
53KB
MD568f0a51fa86985999964ee43de12cdd5
SHA1bbfc7666be00c560b7394fa0b82b864237a99d8c
SHA256f230c691e1525fac0191e2f4a1db36046306eb7d19808b7bf8227b7ed75e5a0f
SHA5123049b9bd4160bfa702f2e2b6c1714c960d2c422e3481d3b6dd7006e65aa5075eed1dc9b8a2337e0501e9a7780a38718d298b2415cf30ec9e115a9360df5fa2a7
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\a6591353e7e8bb2c_0Filesize
8KB
MD52d33ab920622242c483314c03ebf1a6d
SHA1c5e7ea367eb2f7c6a09293e1a1aed5cc97423410
SHA256b153268c29fb0689ff1b015955658f209c164ee6c7acb363fb19ed83e8c169c0
SHA512b546fab7d5f0169c21a2de1c384101b4e55bd0ad355c2bbab9d102196743c8dcb7c0af1e669c82070303dda9d6c96cc1fed7e766a80a8ad0023c1762be2b84b9
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
4KB
MD51ce4bc6b418c60fdc9160595e02cc474
SHA1a8e1441c1d9f3a27c690013edb43c1c799f0522c
SHA256a287e02bf3c02f11b1aa4b3c3950594b5937bba2ea9bafaed0f008039004295b
SHA51287ed9013397d629515bb252c0c6f94b66626c22a6831a758961961f1b61885ec8f38b9ecfcc10f68c0579126dc791d9a49b72074952283676f5491761e606250
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
4KB
MD52ec8bbb56af5af8f05d486feb20c989c
SHA1ab7872d2dceb956e4641878e07d8a7fd3dbb9367
SHA256a35b8eff9e459edd3b8719ef29db70ff46e0d9dd2bb2574c0028ea1e2ec77b28
SHA512b3b000435dd1ecbb31a98917432a8f7f547fa2f52e9713c152b73db761aa29060319a2b7a4f37e990729fc5657bf8e0fc9308487470a5edd5fc8870c360e1fb1
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
111B
MD5285252a2f6327d41eab203dc2f402c67
SHA1acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA2565dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA51211ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
1KB
MD57fbc8cc6930a780296062e77e253e0da
SHA1c6443c173a71f4e729d14d3296c3e1fe090e2072
SHA256d861648890978bc2fa1c34f7b9d95d459c996f3dad7d103bf25334746a8856f9
SHA512a44c5df62f7f8b46a3ea745b3ba249dc58bede5cdb142def86c3a4c6ad99765379ee8dbf421deff286e9fb36c08ebf9a4d19d2033ec33ff32361d3877542ce87
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
2KB
MD5f54027174d361a8b2b66c70141912e8f
SHA19efcceefc1fb367ff0e82fb9cf789ec1470deaa9
SHA25644f468e5b54cd78a6e6f289b2f955ec0887de7ba6ac896f253eecc62b9fdbdab
SHA512706a30e52a9f78f2fb4fcf58cc499d24a0eb1c9c5de92ef8a38c284c0ac513e4733b8f4e865226172def4f1e66a8c12edf6c278ec9d67ef2503a423338b1e27c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5e814432fd4077893ec5caddb99969f9f
SHA103cf4faf403b886bb6f88e4641ae618c3777c312
SHA256c38c72587b341ce0184ad2547677b45e2bd39e5bbe4462588ca6f3749f9aeecd
SHA5129e0b5b7de71828b1732357c2e24995cc6f7e95d4df3d1e14b8f5ff6d64948f040c195d1c83c648e7e7a111ab76818a4d04cf5d3130be06239b87ee112b07d054
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
7KB
MD5081eec127727905ca9d9c0716bec62ea
SHA11914f9653ac607807d6ec950f94ed6d3f2e93891
SHA25643c3eea07c5b310f6f72f01aca489ac4793522170682a707a48abb85a2833c94
SHA51231713e69d04229a751423ad3648d85a6594e97a4edf1c00e3d72a39c340181fed8db5fa18810a768a4d4a0d0eb5a9d7ec4ad25dc8a0fd83041f11ac1ce9fd6f1
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD514014ebcde1135eb0a3ff09a8fe78b3b
SHA143e27d0204ad9f1f6737a93b3e6a6658e48fe1cc
SHA25690740777be156ff5cd3ea640debd004de132f6ff61db9eb66926f1f5af11aed1
SHA512cf8a71e0c005d6feef8e5df5d02f57e6538aa9076eba609a0ba77a462e89b16e689bd656b65a05adc715cf1a56296f0f138ab73998f77064b318b1a369ced5ad
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
7KB
MD5f23616d1757ba44d8a94be5aaa6f558d
SHA15431d34549e1ca7cfd0ae5d340676f7e1d0ab1a9
SHA2567d2b3953e71848ebde986b0d22c8fb0df2745b83d2968b000d2145385b1a5e1e
SHA512e28b804aa1c820f92c5955b4992d5dea39c4b148e5a2146b87f8370e8b1ce9998f224b8daebabfd1ff6733e2d13f96f776f4d8e2087c8e635acb0624ae654eef
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD56f03164287eaaebeda59796606616a1d
SHA144ea6e9080300e4f86f1338b5698ef3477ce89ec
SHA2563f75c984c566738c58e28808230820da29f836ffac737c08480c46d2be39a30d
SHA51224b43beb437e77c342cb5032ccaa5a7f87229f9dcbba3efe0e89eb3eccd9b6d167c8265718c9e4e1f72691c35c9f1c18768ad1ecb297b2836d456b43bb39ada2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5e987eb2f44e95d40d6aa33decf389040
SHA1ed381c60199ff90ce21f61a596f19337f1d6d88d
SHA2569eaa0ed3649f0490c7051d007b2f09abcb632e0ef6134a84d481359a84a9318d
SHA5120b4d8fa7f5e321ec1739d1a18330393094d50b2334008efc319d3539d0b48f0db6504fecaac36b5d7cad966ae7695d31c81156da80dd97884aece66bc35065a5
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD55bbd37496a3825135885676dd07f9338
SHA16c3489104df866eecc2e615e1e904772affc64ff
SHA256f70787a7e91d11fab19f15a36bcf100e90939af74aa20cc83ff7791fcd8d163d
SHA5124a37996415852870ef3b5be7cfb1167f2e4ae81889f17cc5c64307bbf279dd631c3472e65dcf122557b5893bd55f4e82dca7c1325b33b5d961af6a36989f5c1f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
7KB
MD515cb082238680fcd8c4b1e98c3a453c4
SHA1dc8e8a083600b2aa65c07463b6a72264c99e7a41
SHA25694ce224fdb6897df1a79ab09f7cfab2716cd3c5bca2b522c82611c8260ee2954
SHA51203221b00ee60244ac9d2fa7c7b5c5751cb42c4d018293db13bcb2e9363644f9b8069bfa41ca1b67bae12b4fcffec6fc3fba555d555b50d6c3c4dc9ad47f1db46
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD53b874c4fb17ccad64cc37150cf275f83
SHA18a6cbf4a3d92250088d05fc4ede7264e85d2621f
SHA256d689e6ab344d6b8fb26de8253e0177ea20dd2439f7a3a3a830d35f4adada42b0
SHA512eb38f2a680a7b1da3a5465867e0f8e9ceb40de3aa8db8a93f9f014f4553622a1ed0258a1e1584803296bd7ee94f2666c6cabac69a5b8e94aa96cd9bb1809dadf
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD57e6856c78da85bf4c1939fc79ce68041
SHA1f179c5f5904017535b9f7d037ba4d4d583041d2b
SHA2560e1b0a8b285fa8b948aabfac83994739e6182b90f8dc0b84db44cdc22931c3c7
SHA512f3386d509829e1170773ea871db5e9a5f94cf228b772d93ab15119573798768e5db1085f2832d239fe379b88cf64eb57acf5838a891c52d162825e930f966eb1
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD55772685cd6bb627e470340db3ff73ae4
SHA1392b7c2e0e9f38da52b6293014d4b83635f8c098
SHA2565b3cab0461a98fa663f5e3a19fed756c2e1ad5060a74c1e585e701aad670c7c9
SHA51215672224b53ea43b1147f2daa91ea903a3ba82593566ca3fad974ae25c7d17c467e65e8d3c95ca668f18f8785c74173c85a02b4aba31bc1a8bc2eb4e4e5a80e1
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD59f824ecfad6baf58741487e1b6238cb5
SHA19447976e5d47b76ad31df58f9f127fb34d9c23b7
SHA256d9c131a82ac265d0646f46c7609fbe68683db0cf23aec7edcad95ccd52c0ab08
SHA5128f4f76e07c1e7c2c11d6d58f0dcd6ff14586ae50834a5077e52c13352baa9a30b9e463a8f5a5d47c867110a135cc4b6ea790decb24a606f68f373025110cbfd7
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD5cd7614f434223f11dfcd8cf60567f46e
SHA1c9ba4824c2c83fdf63509444aeefee70e7e5ab34
SHA256333ad3163a8474177af45ff6d2dbfa787edee0f8ae4eb9db57a1b896224d6c44
SHA5129735adfe03f39e719d19dab1eb2e2553b4cc53553de15087f5af4b9e7554c0c955ef15d3e9464e432984c3531f4c07bd5a4dda5f0f18305ace31bd6ea4a24ca6
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD5149234c31698fe6f42d9a346fdefa4b4
SHA103db34e248fac05f2a8c6fda26ac76cff6fceb31
SHA256678cbb50acd8799b93e347bd018e3dd268d8dcf7882f555bb291cae7134f0fef
SHA512fa4e75784bd9b02b930c63c0c4ce1866387354f776ea98bf7096d8e84afba557dcbd61bcfc400449d3df127bab6bc6c01c4eb2b19a22bbe03e96b1596d70bc5d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD5e665073325f568c2ab5ef6a821f8e84a
SHA1ad7d48583f07b266a7e93f2d17617f02f85f9707
SHA25690a7fc82a406d7705666e45d73c5dbc7da648cb5682eaecf0505889b27740d39
SHA51210ee837d797932125786e84f2e321dbe5d1c297ede1a35aef327589454c39b187083f7117fa40a9b8e2220df3a5b7aeba685676cf7f7a6c1bd8ebee097cc735f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD5e5eb1e8058bd28b468cfba93c36c0537
SHA1c5f6b6943c12ece1c55fd57a9fd8755576a1a4ac
SHA25638e4f3f23ab641d51968b54b1c0759e88219b30766b59ba594919416b166bb1d
SHA5125d0fb228144fc57f402ff222082095393755104afc80972a8313ca78926b7d08350933d6d5b13a138ce6ce8fc06dfa90f6f6bba88fa0666c9968239ed2ce7b6e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
871B
MD5f25fd42c3a747a5b930df091b2c9c49a
SHA1a8bba0edd8daf354d79828498c9572ae822e2743
SHA256a5848956119ce898cc0ecbaf45b5298b2fe7255ca9ec93df00f08ec48457888b
SHA5125a35f396f8b727cf69b4d404d673342db9e2472ab96199af81b0794b3cf24e0f49e24108ec64df551da8b678bf62a7ec6b7d481e631dc9d5a415898db6d410e8
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD56667b8b255430475a50bffd72fd60b30
SHA138609530995e8338d57e407d28818ec37d9bc02a
SHA2568acd1bde2f3ee6d193166fca6c592c8b8ce01e8b137d34e47133e3c4dbef7ebb
SHA51255b51d4f50c6c48d6a59965e81f9c203d30df239f3798532f502e7955cbabc5c3770809767867fc373f264a92a681624f9469caaef857ca7319040e887d59b64
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD5e1eb3fe63cd7b7adf7c3d3324a8d20e4
SHA1ca49ca635564cc5a76adbd587f4905bcc5de9fbf
SHA256523aba81a81af95741f33ba31f55e9e33fda4aec2bf064f51971b082ed8a59cc
SHA512220e63eb22e351d8951c19da3f54312e0f277e0cb0cf88a70f23307ddae14a79fb4506022e85321b5fed790a49de61903c74a10f2d23bc6a0b751e68cb6ba51a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD5ab8d2f27ae5ae2e43768ea0ddf726be6
SHA106c30284aa4eda2612ebffb4f4de4997062e134b
SHA2565d244c650fde7fdfdba00a4bb8f7b68714c9d86dc1dd089654d1cf3d320c990c
SHA512d703cc2663d66b434aeb00da6b251ae419180ac4a7878e3317c78628e3fbcfd2753746b479a27ee53c616b4bdff5f4f889236b80605d727056254d4a31431700
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD5836730e9bc2100e9b52e15cf865b8f94
SHA1602b379285686d53c93e2ec0e2f9fabdf918cd06
SHA256edb6f6fd2294ceac53e60d1915f64831d8a4144f116ea3bb2bc7284f3c4e3f0a
SHA512354e0f0d1dbb3637a44740f3a2b56afbd38a3feaaeffa1b0ec8b07c68493b284da48b651a9fe6e45e0e546bd155064eb259fc36ed4b82d3f28e6c26f9fca4d48
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD504d7cfbad0370f9e2075b27bfe7144e5
SHA16374ac656f2b5854463a2f4a0ff430b274b606cb
SHA256a4e5512a41bdb40d548af96b2f032991efded2e67a520ed2365f8c138c910e93
SHA512f2bf5a5cd13391acf808d76aee1d10197cac38701d9129e4be3994504fed47a2969e57146109a58f2d59c8f76e38532042933fd9c0a9c7f36ab4fb0e5b215941
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD5c22cefd7fe3fd8a66c0b8bc0c3f16a37
SHA195c8e1902fb65ada1e13f37465c05df07746d404
SHA2564d55f98c24557bbb8c5c12588c8a2cb64379f10086bac49d200ab5f25a739ee2
SHA51272adc52da93c2cf04ed12e7e22650e178449e89765c6d8332fca9621902baaae16efeddb613870cee5b7070d5b0db69fc98c31e099fec9e00ffe7cbef41eadab
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD5ba508851ab762fd8641d7787d4cc4aab
SHA1e07e96a4da0f7b2d931868807a22d8c156c5206c
SHA25675e0d992c15ed38ca71605adda073a7e9f85e1dea8e09730e47febe517e89b9a
SHA512f4a8c5e9e00a2d2178f8887a92ac1f6009fb07f291f1ca3696c9d85c2e44e6962b41c6a96c3335729ebc77ec49b21c12992d28ce19e048a9005bbf612189af45
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD5138ccc28d7dbbbeb28e944d8f2b35a96
SHA175cbe7f98c69d23cdc0f36e4bed97febdca66a72
SHA2566cfc0482ad2eb35cf281481299b5f62c119b5b3d7e35b66155788f4b4fc6669c
SHA512b5b32aef51c572e69f422e200b16531766e4a11bd310a65b29c2ee0c96b195596768fe40b58166d3412c822ca2308a34bd020bd7f81ca3a31c652ff8c9232375
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD55e4a51b3f1e05e03f18b728914b14403
SHA10e3b7868b8326a25637832dc0efc1788f5058440
SHA2564f41d521fe4a16f29aa2851407ee6e805de37b9f8f9b37bae1b0ab963118a210
SHA51236b4e87127c4da66a3c5ec3ea26c3b8f40fa5343972570c4aabf3e423f64ffcd02846a5de00424afe51b8943a92a8500835dcf8fa9df9b84239820f656bb92b2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD5ddf5307d64db7837128773660a95be4e
SHA14644047d29321925b4ee321ac891dfa61a29d5c6
SHA25670fb3f4fb0d5afdb36f0ac04824e5427a0c745686bdc8db1e183fc6c7292ff54
SHA5120ba587525d1bb77777f6480fe80841cb7b0120ac28102e9bf84c1b5a2afbc2314fbd4a689270b91846af04403ab5b2929b192d6173a26bd9f4d7d1b1ec393cc2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD58b43e7603555844f0cd2192008e0c0e6
SHA1062330ff09ed75bfe1f297d0d54ff605d270bdab
SHA2566fc03a4d14a368ac16ebd506357ed2842dbd33de452dcd3d13d65ece2f6dcc80
SHA512b154de0b31752ac9543d186246ec715a0f2c09ef5b3615e0dfa46e88efa3c7aabfdfe290aafbdd71e8f29fbc648d4284eb85c4260129d3c125d3ef21d6938225
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe581b15.TMPFilesize
536B
MD5b11742892f39c1a2cc5654a02b7d773f
SHA1471175d998882745a077adbf17d7ec27387ce488
SHA2566f9420d21b3a6a2ab05f99020b0bbae9423188058989423e925864eecda8088f
SHA512100dd546a90d8d932f4edeb60ccdf7ee84ab87446fb32f6c1ded320a26b9b8eaeaf451321b9d3d5055f833be3e5cb3a03444f360eca837818a3d51f8fe55d054
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5d040a.TMPFilesize
1KB
MD540d985f797f7a91e6f316fd362bd1620
SHA15272b4afff3edbb67a3585359dd3faee30489ce7
SHA256363a76cd9cf3030741a8ebda7b2cb9d79553f43ab6ef488af575ec9362ff1d04
SHA512cda726b9f93b3ac850472e5aeb9d214898994051ef74a5ef0a1cddbe16eebcc4a9ffef2f9b0ad13eeac71187998927d294a46025024f275ebf34839e36191825
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.dbFilesize
76KB
MD5d9eba8f856c0b39e3f635ce4c7e5862a
SHA1bd28ef6a8deaaee6b7109eb2123e800c8b01cad9
SHA2566701e9cbd5e57eb2afecd30ee50096bcac876315c2bc0721661eb3af38bcaff1
SHA5125f03e7bb0fa896a7c2c8a93fc700bede6b6204435ce4d73b435209d631e6c92eb3eb17d026b824543f9310383449659ceca9519a31a6196b2d6f54711ef1f034
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD5737185932f882ad461ef798cba1789dd
SHA1ef911272078bd8745b603b5de3d10f08cc2929d9
SHA2563539d8ec04ee9acf4c6890f9c57f44acac24129b823d60247d8a747674347946
SHA5124586cc3abc3e55e8803d68fb888f9c455faa62076f094c6133743095c878c96e64adb2ce8e7696ce01668587f824e3ade2ccd1a3ebe347d9d06c986d5813af91
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD51e550bba4b52f187251f0be7cc42753d
SHA1645fc8685c78c280d4db26b240321077ac570ce4
SHA256bb3c191b7abd2e52a9d47ce4ed06ace98e0cb2904c35c0ab5e3f90472fa76a23
SHA512d020d67dc162d2d3a219cd354ed32f05340a5c8f3e59c031b72ca08e908225b961d6d17a546139f69781dbba0408ddafaa3e5d6d9fbff46123b0907767a701d2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD547cafb20ef51c7f8cc9c79d89710fbdf
SHA14ca4db7c53ec8d58672237bf932fc4a21cb35d1d
SHA25632d3499c11cc001feb8535e587381396132e8eb00a02884b883026ceaa0ab838
SHA5126a46bae4197d64c64168ea5a3dc60836b4b5358d1e25a29ff8e198b971ae225157938283907e3a38e31f0f043b7eddc154dfbf1a3e9df66746c1ec52f5ab0aa2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD5352e6ce5eda4cd52263d5d336b2c895e
SHA16685c657efe53592d60b9f91b892f7c463c811c7
SHA256ce4fb1ad08aef3f2e6539326c6ff16bc9966eff7689704f38e1a67d0536be0ab
SHA512eca232c76b0895af29a3deaae5e320cf9bd0b97243bf129cd1b6ac0e1e170bc66f9477e3a55b935760b382d037dbd85bc5463ed295faee13311181accaecf53f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD591a08be3981636fe13202c7c93e207ad
SHA1ec47cd2318fd88f2f60ed12931b03db6aeb94bc2
SHA2565738da78169dd2d0f95aedfd4a65ededc8d5d19ff69eb2e957e6a67332530ab3
SHA512a2b9a1da3cbb80adf919901795a6069940a2e9132922285b7e0c6cc3a5548b29ad58aa2ae5a77ecfa9ce183f5982cd6d39e08beb80f0a3e2dec283a2bd74a186
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD566cf0166e1c89d1c05f9b7b73fd47495
SHA14fee1b6faef4a327b7c66919d814cbdbb2ad7b91
SHA2561dd3219ec7744cca07e798c78791f41198b2352ae2f395f08f0c67f57dc87b1b
SHA5122427dd2ce90415aee795f57701c9b151ca04fdfee4e05cceeb5e234c465b38dbc2dcf52bcce9759661068f46a8df231d33c0a25b8390ccad42315866598d62fc
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD500d2557f2821e325dedc724338c62562
SHA13eddf91936809a1c890dae7454b45d883416f752
SHA25643cafbd9fd75d29af17f7d78d9ba927adb695b3300235b27f74e842b908184be
SHA512b23e2b6ac72c635ff87ecfb1222c7bb37010b482a0f7b9a111d29f7d4d56dc399e450abe0a637cced312dd11e1b11e741f5f6405a8be6be47b04971fa17b6a02
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD582301461a08d8ba90ec066335e079fc5
SHA1a82571c25c9bb0eb6016bf931bf69835eab7adc2
SHA256d483254d706154838c67aa27dd88a7c791230131711c3e6b5cda07b01cf1c92a
SHA5129465df6a1c2110eac4ddbd59f85c6ded711e13bf82d41f1bb357042eea98ffedeb19b134bef1259b8ef50ea99fafc3ed6d962c4a2e5f0653dc09a9776ff5ac66
-
C:\Users\Admin\Downloads\CoronaVirus.exeFilesize
1.0MB
MD5055d1462f66a350d9886542d4d79bc2b
SHA1f1086d2f667d807dbb1aa362a7a809ea119f2565
SHA256dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0
SHA5122c5e570226252bdb2104c90d5b75f11493af8ed1be8cb0fd14e3f324311a82138753064731b80ce8e8b120b3fe7009b21a50e9f4583d534080e28ab84b83fee1
-
C:\Users\Admin\Downloads\DanaBot.exeFilesize
2.7MB
MD548d8f7bbb500af66baa765279ce58045
SHA12cdb5fdeee4e9c7bd2e5f744150521963487eb71
SHA256db0d72bc7d10209f7fa354ec100d57abbb9fe2e57ce72789f5f88257c5d3ebd1
SHA512aef8aa8e0d16aab35b5cc19487e53583691e4471064bc556a2ee13e94a0546b54a33995739f0fa3c4de6ff4c6abf02014aef3efb0d93ca6847bad2220c3302bd
-
C:\Users\Admin\Downloads\DanaBot.exe:Zone.IdentifierFilesize
26B
MD5fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98
-
C:\Users\Admin\Downloads\MadMan.exe:Zone.IdentifierFilesize
206B
MD50fde7d2b01484a8769a6714265dc7030
SHA1dd86dfd03d9bfea3c873703ce0f2874bcb901598
SHA25605fc511d197314bd7e8fb4c07d5f76a1236ddf97e69ab503ed17af58ea30167b
SHA512ce11744154cfab9ff2258431c8e49319fa50e0baa7dd09e2427268dc69833f35e710d445ef777ac70915ff805107a66572d117cf0ddf17133587130bdabd5d8d
-
C:\Users\Admin\Downloads\Ransomware.Jigsaw.zipFilesize
239KB
MD53ad6374a3558149d09d74e6af72344e3
SHA1e7be9f22578027fc0b6ddb94c09b245ee8ce1620
SHA25686a391fe7a237f4f17846c53d71e45820411d1a9a6e0c16f22a11ebc491ff9ff
SHA51221c21b36be200a195bfa648e228c64e52262b06d19d294446b8a544ff1d81f81eb2af74ddbdebc59915168db5dba76d0f0585e83471801d9ee37e59af0620720
-
C:\Users\Admin\Downloads\Ransomware.Jigsaw.zip:Zone.IdentifierFilesize
228B
MD5fa3374f52c14a969c628a0b9898935ba
SHA12125b2297e81491ff74004202a697fc560030f40
SHA256f4f781121f08d2b7264b09bb87c50a5afc0de6268856be4227d19de331d59cdc
SHA51293fb5d4d7bdb87aec0929d27032416eaab30dc300544cb845f292c2a216793ce724729e2c1327103277fdbe1d05edf8cfe016519213e1f79760c6faa1e829a82
-
C:\Users\Admin\Downloads\Ransomware.Mamba.zipFilesize
1.0MB
MD5f94d1f4e2ce6c7cc81961361aab8a144
SHA188189db0691667653fe1522c6b5673bf75aa44aa
SHA256610a52c340ebaff31093c5ef0d76032ac2acdc81a3431e68b244bf42905fd70a
SHA5127b7cf9a782549e75f87b8c62d091369b47c1b22c9a10dcf4a5d9f2db9a879ed3969316292d3944f95aeb67f34ae6dc6bbe2ae5ca497be3a25741a2aa204e66ad
-
C:\Users\Admin\Downloads\Ransomware.Mamba.zip:Zone.IdentifierFilesize
122B
MD50ad609e88a621526e722998c8677ae8d
SHA15fb7f2e54e3b1f3e68f3325ca23859d38f1be94e
SHA256016ba74bf5d6cc6bcee76140f4d2dd89491f470af938a3aa474344338ab1ab50
SHA512dd25a30e7c61ed7e4f5f6fd763d34863b315e08f21237c28b55d0b4e261117bfc19bffcd87cf8b205d164ab72bae0644a06cb44fcfb01e5cf91dd1d4df957644
-
C:\Users\Admin\Downloads\Unconfirmed 167525.crdownload:SmartScreenFilesize
7B
MD54047530ecbc0170039e76fe1657bdb01
SHA132db7d5e662ebccdd1d71de285f907e3a1c68ac5
SHA25682254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750
SHA5128f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e
-
C:\Users\Admin\Downloads\Unconfirmed 419242.crdownloadFilesize
2KB
MD5a56d479405b23976f162f3a4a74e48aa
SHA1f4f433b3f56315e1d469148bdfd835469526262f
SHA25617d81134a5957fb758b9d69a90b033477a991c8b0f107d9864dc790ca37e6a23
SHA512f5594cde50ca5235f7759c9350d4054d7a61b5e61a197dffc04eb8cdef368572e99d212dd406ad296484b5f0f880bdc5ec9e155781101d15083c1564738a900a
-
C:\Users\Admin\Downloads\Unconfirmed 46744.crdownloadFilesize
2.3MB
MD5fdf213d8fdb25db14a3958b1dfb7aad8
SHA124c31f351c2117ab94f05a62922405a3370c04c3
SHA256ffdac13c99d4afb7541f0ba7a72ea5308fd527cfbbd19b7c88ec9c1a6a146f07
SHA5125971d450ffd616bb53f9abd29bc52c86d1e66ec26b4d6a5634a003223f352ddac33b651d166c0e3fa569a9e2e044fbabfa35567f3fd6b00f1f204f0b48e81765
-
C:\Users\Admin\Downloads\Unconfirmed 71217.crdownloadFilesize
4.0MB
MD50d4195dcb31e326aafdcac60ca990670
SHA1361b5b30ea4b986903f1fee4d2627ceece406da2
SHA2565d82e770927c2b4a713efd6e8931c1a9bb72ff564ec587d2273860b1e84d50db
SHA512fd11f305b765c201965cc9d317b9b7608629d03e7eadfa133dc3bc08bf5ff330c347dc80e95d9c5a06268953ca70fc83c5ed6b49d5f97d2b0ed1c27b65b4ea68
-
C:\Users\Admin\Downloads\Unconfirmed 922947.crdownloadFilesize
802KB
MD5b098ae06e0941adba783613265bff686
SHA1656c7b6cb35d0b950fd6739a66e1e6198880a685
SHA256f108d958115cc38f1a0253a2a66c6fa26997f1a15039459a909b0fa898dee4ca
SHA512c07ccb96a266d2b831e75e1afcd2e31d5fbde8dbff93ed88f7a8ffdb0bd7d0a02b249cbe52453e7b6680b4c2a19d4c8fd1363b8adf86d95ed53ce16a614a9c6e
-
\??\pipe\LOCAL\crashpad_1908_MHQKJDRPTSLCDWZPMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/2396-1525-0x00000000028F0000-0x0000000002B71000-memory.dmpFilesize
2.5MB
-
memory/2396-1526-0x0000000002B80000-0x0000000002E0D000-memory.dmpFilesize
2.6MB
-
memory/2856-1753-0x0000000000400000-0x000000000056F000-memory.dmpFilesize
1.4MB
-
memory/2856-1721-0x0000000000400000-0x000000000056F000-memory.dmpFilesize
1.4MB
-
memory/2856-25893-0x000000000A6A0000-0x000000000A6D4000-memory.dmpFilesize
208KB
-
memory/2856-4414-0x0000000000400000-0x000000000056F000-memory.dmpFilesize
1.4MB
-
memory/2856-1752-0x000000000A6A0000-0x000000000A6D4000-memory.dmpFilesize
208KB
-
memory/5116-1544-0x00000000027E0000-0x0000000002A63000-memory.dmpFilesize
2.5MB
-
memory/23808-25954-0x000001E80AF50000-0x000001E80BF44000-memory.dmpFilesize
16.0MB
-
memory/23808-25986-0x000001E8267A0000-0x000001E827D2E000-memory.dmpFilesize
21.6MB
-
memory/23808-25987-0x000001E826790000-0x000001E8267A0000-memory.dmpFilesize
64KB
-
memory/23808-25953-0x00007FF89C4C0000-0x00007FF89CF82000-memory.dmpFilesize
10.8MB
-
memory/23808-26080-0x00007FF89C4C0000-0x00007FF89CF82000-memory.dmpFilesize
10.8MB
-
memory/23808-26203-0x00007FF89C4C0000-0x00007FF89CF82000-memory.dmpFilesize
10.8MB