Analysis
max time kernel: 543s
max time network: 491s
platform: windows11-21h2_x64
resource: win11-20240221-en
resource tags: arch:x64, arch:x86, image:win11-20240221-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 14-03-2024 10:02
Static task: static1
General
Target: b28242123ed2cf6000f0aa036844bd29.dll
Size: 87KB
MD5: b28242123ed2cf6000f0aa036844bd29
SHA1: 915f41a6c59ed743803ea0ddde08927ffd623586
SHA256: fd563cf7c0c862ab910cf558b5a123354b616e84902d277edf09f378ff6f9786
SHA512: 08e5966ca90f08c18c582e6c67d71186a6f9c025fc9f78020e1ce202814de094171111b7f3623d81f7371acdf92206446f7c0425e08e8f5f5b6fd969007d9fca
SSDEEP: 1536:0A1KsVHBnVJ0T1rFTQHUPx+nVP7ZSRILMZoXyqqEbzPCAdt6rFTc:0A1rVIrFTOUsnVP7sRILgAPCvrFTc
Malware Config
Signatures
-
Chaos
Ransomware family first seen in June 2021.
-
Chaos Ransomware 4 IoCs
Processes (resource: yara_rule):
- C:\Users\Admin\AppData\Local\Temp\B4C7.tmp\Cov29Cry.exe.death: family_chaos
- behavioral1/memory/4284-1558-0x0000000000610000-0x0000000000630000-memory.dmp: family_chaos
- behavioral1/memory/2756-1562-0x0000000000400000-0x00000000005D5000-memory.dmp: family_chaos
- behavioral1/memory/2756-1580-0x0000000000400000-0x00000000005D5000-memory.dmp: family_chaos
Modifies UAC policy via registry 2 IoCs
EnableLUA=0 switches UAC off entirely (effective after the next reboot); ConsentPromptBehaviorAdmin=0 lets members of Administrators elevate without a consent prompt.
Processes:
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (reg.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (reg.exe)
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
Processes:
- 1920 bcdedit.exe
- 2648 bcdedit.exe
-
Runs wbadmin.exe 1 IoCs
wbadmin.exe is the Windows Server Backup command-line tool; alongside vssadmin.exe and bcdedit.exe it is part of the usual ransomware recovery-inhibition set.
Processes:
- 4672 wbadmin.exe
Disables Task Manager via registry modification
-
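The two reg.exe writes above and the Task Manager signature are each a single registry value change, and the report records them in one consistent "Set value" layout. The following added example (editor's code, not part of the sandbox report or of the Chaos sample) parses events in that layout and flags the policy values that weaken UAC or lock the user out of recovery tools. The DisableTaskMgr line and the EnableLUA=1 control line are constructed inputs, and the rule table is the editor's, keyed on value names and data that the report shows plus the well-known DisableRegistryTools sibling.

```python
import re

# Constructed sample events in the same "Set value" layout this sandbox report uses.
# Lines 1, 2 and 4 mirror IoCs listed in this report (reg.exe UAC values, svchost.exe wallpaper);
# line 3 is constructed because the report flags "Disables Task Manager" without listing the IoC,
# and line 5 is a constructed benign control (UAC being re-enabled must not fire).
SAMPLE_EVENTS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" reg.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" reg.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\64acnic5v.jpg" svchost.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" reg.exe',
]

EVENT_RE = re.compile(r'^Set value \((?P<type>\w+)\) (?P<path>.+?) = "(?P<data>.*)" (?P<proc>\S+)$')

# (key suffix, value name) -> (is_bad(data), finding label, ATT&CK technique). Editor's rule table.
POLICY_RULES = {
    ("policies\\system", "enablelua"):
        (lambda d: d == "0", "UAC disabled (EnableLUA=0, effective after reboot)", "T1548.002"),
    ("policies\\system", "consentpromptbehavioradmin"):
        (lambda d: d == "0", "Admins elevate without consent prompt (ConsentPromptBehaviorAdmin=0)", "T1548.002"),
    ("policies\\system", "disabletaskmgr"):
        (lambda d: d == "1", "Task Manager disabled (DisableTaskMgr=1)", "T1562.001"),
    ("policies\\system", "disableregistrytools"):
        (lambda d: d == "1", "Registry Editor disabled (DisableRegistryTools=1)", "T1562.001"),
    ("control panel\\desktop", "wallpaper"):
        (lambda d: True, "Desktop wallpaper replaced", "T1491.001"),
}


def hive_of(key: str) -> str:
    """Map the kernel-style path the sandbox records to the hive an admin would recognise."""
    k = key.lower()
    if k.startswith("\\registry\\machine\\"):
        return "HKLM"
    if k.startswith("\\registry\\user\\"):
        return "HKU"
    return "?"


def parse_event(line: str):
    """Split one report line into type, key, value name, data and writing process; None if not an event."""
    m = EVENT_RE.match(line)
    if m is None:
        return None
    key, _, value_name = m.group("path").rpartition("\\")
    return {"type": m.group("type"), "hive": hive_of(key), "key": key,
            "value": value_name, "data": m.group("data"), "process": m.group("proc")}


def triage(lines):
    """Return one finding per event whose (key, value, data) matches a tampering rule."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        key_l, value_l = ev["key"].lower(), ev["value"].lower()
        for (suffix, name), (is_bad, label, technique) in POLICY_RULES.items():
            if key_l.endswith(suffix) and value_l == name and is_bad(ev["data"]):
                findings.append({**ev, "finding": label, "technique": technique})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f'{f["technique"]} {f["hive"]} {f["process"]}: {f["finding"]}')
```

The hive matters when you turn a finding into a response action: the UAC values only count under HKLM, while DisableTaskMgr is honoured under both HKLM and the user's HKU hive, which is why the rules match on the key suffix rather than the full path.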
Drops startup file 3 IoCs
Processes:
- File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url (svchost.exe)
- File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini (svchost.exe)
- File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\covid29-is-here.txt (svchost.exe)
Executes dropped EXE 4 IoCs
Processes:
- 4556 mbr.exe
- 4284 Cov29Cry.exe
- 240 svchost.exe
- 2272 Cov29LockScreen.exe
Note that svchost.exe (PID 240) is listed here as a dropped executable, so the svchost.exe activity recorded elsewhere in this report (startup file, desktop.ini changes, wallpaper, SeDebugPrivilege) belongs to the dropped binary, not to the Windows service host.
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX yara rule matches 3 IoCs
Processes (resource: yara_rule):
- behavioral1/memory/2756-1385-0x0000000000400000-0x00000000005D5000-memory.dmp: upx
- behavioral1/memory/2756-1562-0x0000000000400000-0x00000000005D5000-memory.dmp: upx
- behavioral1/memory/2756-1580-0x0000000000400000-0x00000000005D5000-memory.dmp: upx
Drops desktop.ini file(s) 34 IoCs
Processes (all entries: File opened for modification, by svchost.exe):
- C:\Users\Admin\Pictures\desktop.ini
- C:\Users\Admin\Searches\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini
- F:\$RECYCLE.BIN\S-1-5-21-4280069375-290121026-380765049-1000\desktop.ini
- C:\Users\Admin\OneDrive\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
- C:\Users\Public\Documents\desktop.ini
- C:\Users\Public\Videos\desktop.ini
- C:\Users\Admin\Saved Games\desktop.ini
- C:\Users\Admin\Favorites\desktop.ini
- C:\Users\Public\Music\desktop.ini
- C:\Users\Admin\Desktop\desktop.ini
- C:\Users\Admin\Pictures\Camera Roll\desktop.ini
- C:\Users\Public\Pictures\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini
- C:\Users\Public\Desktop\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
- C:\Users\Admin\Contacts\desktop.ini
- C:\Users\Admin\Documents\desktop.ini
- C:\Users\Admin\Music\desktop.ini
- C:\Users\Admin\Favorites\Links\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini
- C:\Users\Admin\Links\desktop.ini
- C:\Users\Admin\Downloads\desktop.ini
- C:\Users\Admin\Pictures\Saved Pictures\desktop.ini
- C:\Users\Admin\Videos\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini
Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs
Processes (flow: ioc):
- 135: raw.githubusercontent.com
- 53: camo.githubusercontent.com
- 86: drive.google.com
- 87: drive.google.com
- 150: raw.githubusercontent.com
- 152: raw.githubusercontent.com
- 51: camo.githubusercontent.com
- 68: drive.google.com
- 88: drive.google.com
Mark of the Web detected: This indicates that the page was originally saved or cloned. 1 IoCs
Processes (flow: ioc):
- 79: https://whyisyoung.github.io/BODMAS/
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
- File opened for modification \??\PhysicalDrive0 (mbr.exe)
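mbr.exe opening \??\PhysicalDrive0 for modification is the write path for the first sector. As an added example, not code from the report or from the sample, the parser below checks a 512-byte sector the way an analyst compares a disk image against a baseline: boot signature, partition table, a hash of the 446 bytes of boot code, and a printable-text heuristic for lock-screen style overwrites. The sectors it runs on are constructed inside the block (a nine-byte boot stub, a message-overwrite case and a zeroed sector); reading a real drive needs administrator rights and `open(r"\\.\PhysicalDrive0", "rb").read(512)`.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446            # bytes 0..445: boot code
PARTITION_TABLE_OFF = 446      # four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511

# status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
ENTRY = struct.Struct("<B3sB3sII")


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed MBR: caller's boot code padded to 446 bytes, one active NTFS (0x07)
    partition starting at LBA 2048, three empty entries, and the 0x55AA signature."""
    code = boot_code[:BOOT_CODE_LEN].ljust(BOOT_CODE_LEN, b"\x00")
    table = ENTRY.pack(0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 204800) + b"\x00" * 48
    return code + table + BOOT_SIGNATURE


def longest_printable_run(data: bytes) -> int:
    """Real boot code is machine code with short strings; a ransom message is one long run."""
    best = cur = 0
    for b in data:
        cur = cur + 1 if 0x20 <= b < 0x7F else 0
        best = max(best, cur)
    return best


def parse_mbr(sector: bytes) -> dict:
    """Decode signature, boot-code hash and the non-empty partition entries of one sector."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        status, _, ptype, _, lba, count = ENTRY.unpack_from(sector, PARTITION_TABLE_OFF + 16 * i)
        if ptype == 0:  # empty slot
            continue
        partitions.append({"slot": i, "active": status == 0x80, "type": ptype,
                           "lba_start": lba, "sectors": count})
    return {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "longest_text_run": longest_printable_run(sector[:BOOT_CODE_LEN]),
        "partitions": partitions,
    }


def assess(sector: bytes, baseline_boot_code_sha256: str) -> list:
    """Compare a sector with a known-good boot-code hash and return human-readable findings."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("0x55AA boot signature missing: sector no longer boots")
    if info["boot_code_sha256"] != baseline_boot_code_sha256:
        findings.append("boot code differs from baseline: overwritten (bootkit, lock screen or wiper)")
    if info["longest_text_run"] >= 32:
        findings.append("long printable string in boot code: likely a ransom/lock message")
    if not info["partitions"]:
        findings.append("partition table empty: entries wiped")
    elif not any(p["active"] for p in info["partitions"]):
        findings.append("no active partition flagged")
    return findings


# Constructed baseline: the first instructions of a typical x86 boot sector
# (cli; xor ax,ax; mov ss,ax; mov sp,0x7c00; sti) followed by zero padding.
BASELINE = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb")
BASELINE_HASH = parse_mbr(BASELINE)["boot_code_sha256"]
# Constructed tamper case: boot code replaced by a lock message, partition table left intact.
TAMPERED = build_sample_mbr(b"YOUR COMPUTER IS LOCKED. PAY TO RESTORE ACCESS. " * 8)
# Constructed wiper case: whole sector zeroed.
WIPED = b"\x00" * SECTOR_SIZE

if __name__ == "__main__":
    for name, sector in (("baseline", BASELINE), ("tampered", TAMPERED), ("wiped", WIPED)):
        print(name, assess(sector, BASELINE_HASH) or ["clean"])
```

Take the baseline hash from a clean image of the same build, not from the suspect disk; on GPT disks the protective MBR still carries a single 0xEE entry and the same 0x55AA signature, so the same checks apply to sector 0 there.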
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
- Set value (str) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\64acnic5v.jpg" (svchost.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
The 32-bit regsvr32.exe (PID 3720) that loaded the submitted DLL crashed and was handled by WerFault.exe. The ransomware behaviour recorded elsewhere in this report is attributed to Cov29Cry.exe, mbr.exe, the dropped svchost.exe and Cov29LockScreen.exe, whose names match the Covid29 Ransomware.zip that msedge.exe downloaded during the interactive session (see NTFS ADS below), rather than to the submitted DLL.
Processes:
- 2108 WerFault.exe (target: 3720 regsvr32.exe)
Checks SCSI registry key(s) 3 TTPs 4 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 (vds.exe)
- Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName (vds.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 (vds.exe)
- Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName (vds.exe)
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
- Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 (EXCEL.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (EXCEL.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (EXCEL.EXE)
Enumerates system info in registry 2 TTPs 6 IoCs
Processes:
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
- Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS (EXCEL.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily (EXCEL.EXE)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU (EXCEL.EXE)
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
- 2332 vssadmin.exe
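The vssadmin.exe, WMIC.exe, bcdedit.exe and wbadmin.exe executions recorded under Deletes shadow copies, Modifies boot configuration data, Runs wbadmin.exe, Interacts with shadow copies and AdjustPrivilegeToken are the usual recovery-inhibition set, but the report keeps only the image names and PIDs, not the arguments. The added detector below (editor's code, not from the report) classifies process command lines against that set and grades a session by how many distinct recovery-inhibition commands it saw. The command lines it runs on are constructed examples of the technique plus benign controls, not lines recovered from this sandbox run.

```python
import re

# Constructed command lines. The report records only that vssadmin.exe (2332), WMIC.exe (2852),
# bcdedit.exe (1920, 2648) and wbadmin.exe (4672) ran; these are representative examples of the
# technique plus three benign controls, not lines from the report.
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet',
    r'wmic shadowcopy delete',
    r'bcdedit /set {default} bootstatuspolicy ignoreallfailures',
    r'bcdedit /set {default} recoveryenabled no',
    r'wbadmin delete catalog -quiet',
    r'vssadmin list shadows',
    r'bcdedit /enum',
    r'C:\Windows\System32\cmd.exe /c ping 127.0.0.1 -n 3',
]

# (pattern over the normalised command line, finding label, ATT&CK technique). Editor's rule set.
RULES = [
    (r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b",
     "Shadow copies deleted via vssadmin", "T1490"),
    (r"\bvssadmin(?:\.exe)?\s+resize\s+shadowstorage\b.*/maxsize=",
     "Shadow storage shrunk (purges existing copies)", "T1490"),
    (r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b",
     "Shadow copies deleted via WMI", "T1490"),
    (r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b",
     "Windows Recovery Environment disabled via bcdedit", "T1490"),
    (r"\bbcdedit(?:\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b",
     "Boot failure recovery suppressed via bcdedit", "T1490"),
    (r"\bwbadmin(?:\.exe)?\s+delete\s+(?:catalog|systemstatebackup)\b",
     "Backup catalog or system state backup deleted via wbadmin", "T1490"),
]


def normalize(cmdline: str) -> str:
    """Drop quoting and collapse whitespace so path-quoted and bare invocations match alike."""
    return re.sub(r"\s+", " ", cmdline.replace('"', "")).strip().lower()


def classify(cmdline: str):
    """Return the first matching rule as a finding, or None for command lines that are not of interest."""
    norm = normalize(cmdline)
    for pattern, label, technique in RULES:
        if re.search(pattern, norm):
            return {"cmdline": cmdline, "finding": label, "technique": technique}
    return None


def scan(cmdlines):
    return [hit for hit in map(classify, cmdlines) if hit]


def verdict(findings) -> str:
    """Two or more distinct recovery-inhibition commands in one session is the ransomware pattern;
    a lone hit can be an administrator cleaning up disk space."""
    distinct = {f["finding"] for f in findings}
    if len(distinct) >= 2:
        return "high"
    if distinct:
        return "medium"
    return "none"


if __name__ == "__main__":
    hits = scan(SAMPLE_CMDLINES)
    for h in hits:
        print(f'{h["technique"]} {h["finding"]}: {h["cmdline"]}')
    print("verdict:", verdict(hits))
```

Feed it Sysmon event 1 or Security 4688 command lines grouped by session or parent PID; the grouping is what turns five medium-confidence hits into one high-confidence incident.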
Kills process with taskkill 1 IoCs
Processes:
- 232 taskkill.exe
Modifies registry class 61 IoCs
Nearly all of these are Explorer ShellBag and common-dialog (ComDlg) view-state writes made by NOTEPAD.EXE while a file dialog was open in Downloads; they are residue of the interactive session, not malware configuration.
Processes:
- Key created \Registry\User\S-1-5-21-4280069375-290121026-380765049-1000_Classes\NotificationData (NOTEPAD.EXE)
- Set value (int) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16" (NOTEPAD.EXE)
- Set value (int) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" (NOTEPAD.EXE)
- Set value (data) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots (NOTEPAD.EXE)
- Set value (data) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 (NOTEPAD.EXE)
- Set value (int) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1" (NOTEPAD.EXE)
- Set value (data) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff (NOTEPAD.EXE)
- Set value (data) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 (NOTEPAD.EXE)
- Key created \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg (NOTEPAD.EXE)
- Set value (str) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}" (NOTEPAD.EXE)
- Set value (data) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 3a002e803accbfb42cdb4c42b0297fe99a87c641260001002600efbe110000001eb78b63c764da01d8a07b65c764da0157fb7f86c764da0114000000 (NOTEPAD.EXE)
- Set value (int) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" (NOTEPAD.EXE)
- Set value (data) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff (NOTEPAD.EXE)
- Key created \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259} (NOTEPAD.EXE)
- Set value (data) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff (NOTEPAD.EXE)
- Key created \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2 (NOTEPAD.EXE)
- Set value (int) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" (NOTEPAD.EXE)
- Set value (data) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff (NOTEPAD.EXE)
- Key created \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell (NOTEPAD.EXE)
- Set value (data) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 (NOTEPAD.EXE)
- Key created \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU (NOTEPAD.EXE)
- Set value (int) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1" (NOTEPAD.EXE)
- Set value (int) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295" (NOTEPAD.EXE)
- Key created \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 (NOTEPAD.EXE)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ (NOTEPAD.EXE)
- Key created \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings (svchost.exe)
- Set value (data) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e8005398e082303024b98265d99428e115f0000 (NOTEPAD.EXE)
- Key created \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags (NOTEPAD.EXE)
- Key created \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell (NOTEPAD.EXE)
- Set value (int) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" (NOTEPAD.EXE)
- Key created \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings (NOTEPAD.EXE)
- Key created \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell (NOTEPAD.EXE)
- Set value (data) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff (NOTEPAD.EXE)
- Set value (int) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" (NOTEPAD.EXE)
- Set value (int) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" (NOTEPAD.EXE)
- Set value (int) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14" (NOTEPAD.EXE)
- Set value (int) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295" (NOTEPAD.EXE)
- Set value (int) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "2" (NOTEPAD.EXE)
- Key created \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg (NOTEPAD.EXE)
- Set value (data) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 (NOTEPAD.EXE)
- Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4280069375-290121026-380765049-1000\{EE0C4311-D53E-4623-9887-A67BF5C9ADE8} (msedge.exe)
- Set value (data) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff (NOTEPAD.EXE)
- Key created \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} (NOTEPAD.EXE)
- Set value (int) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" (NOTEPAD.EXE)
- Key created \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings (msedge.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}" (NOTEPAD.EXE)
- Set value (int) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" (NOTEPAD.EXE)
- Set value (data) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 (NOTEPAD.EXE)
- Set value (int) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" (NOTEPAD.EXE)
- Set value (int) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257" (NOT
EPAD.EXE)
- Key created \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 (NOTEPAD.EXE)
- Key created \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings (cmd.exe)
- Set value (int) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4" (NOTEPAD.EXE)
- Set value (data) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202 (NOTEPAD.EXE)
- Set value (str) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic" (NOTEPAD.EXE)
- Set value (str) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" (NOTEPAD.EXE)
- Key created \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 (NOTEPAD.EXE)
- Key created \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 (NOTEPAD.EXE)
- Set value (str) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Downloads" (NOTEPAD.EXE)
- Key created \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ (NOTEPAD.EXE)
- Set value (data) \REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = ffffffff (NOTEPAD.EXE)
Modifies registry key 1 TTPs 7 IoCs
Processes:
- 400 reg.exe
- 3224 reg.exe
- 4904 reg.exe
- 2216 reg.exe
- 4888 reg.exe
- 3952 reg.exe
- 4788 reg.exe
NTFS ADS 3 IoCs
Processes:
- File opened for modification C:\Users\Admin\Downloads\bodmas_malware_category.csv:Zone.Identifier (msedge.exe)
- File opened for modification C:\Users\Admin\Downloads\3e35a2a6b58853ab7443aef40d22dc37c3d94848ec9f5b9ca27c1892082b4f07.txt:Zone.Identifier (msedge.exe)
- File opened for modification C:\Users\Admin\Downloads\Covid29 Ransomware.zip:Zone.Identifier (msedge.exe)
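The three Zone.Identifier streams are what the Mark of the Web signature above refers to: Edge writes a `[ZoneTransfer]` stream on every download, and SmartScreen, Office Protected View and Explorer's unblock prompt all key off its ZoneId. The added example below (editor's code, not from the report) parses that stream and reports whether a file carries the mark; the stream text and its URLs are constructed placeholders, not values recovered from the sandbox.

```python
import configparser

# URL security zones as Windows numbers them (URLZONE_* constants).
ZONES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites", 3: "Internet", 4: "Restricted sites"}

# Constructed stream contents in the layout Windows writes; the URLs are placeholders,
# not values recovered from this report.
SAMPLE_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://example.test/downloads/\r\n"
    "HostUrl=https://example.test/files/Covid29%20Ransomware.zip\r\n"
)


def parse_zone_identifier(text: str) -> dict:
    """Decode a Zone.Identifier stream; ZoneId 3 or 4 is the Mark of the Web that triggers SmartScreen."""
    empty = {"zone_id": None, "zone": None, "referrer": None, "host": None, "has_motw": False}
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep ZoneId/HostUrl case as written
    try:
        cp.read_string(text)
    except configparser.Error:
        return {**empty, "zone": "malformed stream"}
    if not cp.has_section("ZoneTransfer"):
        return {**empty, "zone": "no ZoneTransfer section"}
    sec = cp["ZoneTransfer"]
    raw = sec.get("ZoneId")
    zone_id = int(raw) if raw is not None and raw.isdigit() else None
    return {
        "zone_id": zone_id,
        "zone": ZONES.get(zone_id, "unknown"),
        "referrer": sec.get("ReferrerUrl"),
        "host": sec.get("HostUrl"),
        "has_motw": zone_id is not None and zone_id >= 3,
    }


def read_zone_identifier(path: str):
    """Read the stream from an NTFS file (path + ':Zone.Identifier'); None when the file has none."""
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:
        return None


if __name__ == "__main__":
    print(parse_zone_identifier(SAMPLE_STREAM))
```

Archive extractors and `Unblock-File` drop the stream, so a .zip that carries ZoneId=3 says nothing about the files unpacked from it; check each extracted executable separately.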
Opens file in notepad (likely ransom note) 2 IoCs
Processes:
- 2104 NOTEPAD.EXE
- 1672 NOTEPAD.EXE
Runs ping.exe 1 TTPs 2 IoCs
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
- 3680 EXCEL.EXE
- 240 svchost.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (pid process, occurrences):
- 4476 msedge.exe (2)
- 5092 msedge.exe (2)
- 3556 identity_helper.exe (2)
- 3724 msedge.exe (2)
- 1352 msedge.exe (2)
- 5088 msedge.exe (4)
- 1324 msedge.exe (2)
- 2760 msedge.exe (2)
- 5116 msedge.exe (2)
- 4284 Cov29Cry.exe (28)
- 240 svchost.exe (16)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 24 IoCs
Processes (pid process, occurrences):
- 5092 msedge.exe (24)
Suspicious use of AdjustPrivilegeToken 53 IoCs
Processes (pid process: privileges enabled):
- 1660 shutdown.exe: SeShutdownPrivilege, SeRemoteShutdownPrivilege
- 4284 Cov29Cry.exe: SeDebugPrivilege
- 232 taskkill.exe: SeDebugPrivilege
- 240 svchost.exe: SeDebugPrivilege
- 656 vssvc.exe: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
- 2852 WMIC.exe (the same set enabled twice): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
- 3932 wbengine.exe: SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege
Suspicious use of FindShellTrayWindow 59 IoCs
Processes (pid process, occurrences):
- 5092 msedge.exe (59)
Suspicious use of SendNotifyMessage 16 IoCs
Processes (pid process, occurrences):
- 5092 msedge.exe (16)
Suspicious use of SetWindowsHookEx 20 IoCs
Processes (pid process, occurrences):
- 3680 EXCEL.EXE (17)
- 2104 NOTEPAD.EXE (1)
- 4068 PickerHost.exe (1)
- 2272 Cov29LockScreen.exe (1)
Suspicious use of WriteProcessMemory 64 IoCs
Processes (pid process wrote to memory of target, occurrences):
- 1972 regsvr32.exe wrote to memory of 3720 regsvr32.exe (3)
- 5092 msedge.exe wrote to memory of 3940 msedge.exe (2)
- 5092 msedge.exe wrote to memory of 3104 msedge.exe (41)
- 5092 msedge.exe wrote to memory of 4476 msedge.exe (2)
- 5092 msedge.exe wrote to memory of 3328 msedge.exe (16)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
Path: C:\Windows\system32\regsvr32.exe
Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\b28242123ed2cf6000f0aa036844bd29.dll
Tree depth: 1
- Suspicious use of WriteProcessMemory
PID:1972
-
Path: C:\Windows\SysWOW64\regsvr32.exe
Command line: /s C:\Users\Admin\AppData\Local\Temp\b28242123ed2cf6000f0aa036844bd29.dll
Tree depth: 2
PID:3720
-
Path: C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3720 -s 460
Tree depth: 3
- Program crash
PID:2108
-
Path: C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3720 -ip 3720
Tree depth: 1
PID:2664
-
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
Tree depth: 1
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5092
-
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9ce533cb8,0x7ff9ce533cc8,0x7ff9ce533cd8
Tree depth: 2
PID:3940
-
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1784,11675327164829650233,8546519728444149150,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1876 /prefetch:2
Tree depth: 2
PID:3104
-
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1784,11675327164829650233,8546519728444149150,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 /prefetch:3
Tree depth: 2
- Suspicious behavior: EnumeratesProcesses
PID:4476
-
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1784,11675327164829650233,8546519728444149150,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2748 /prefetch:8
Tree depth: 2
PID:3328
-
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1784,11675327164829650233,8546519728444149150,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3156 /prefetch:1
Tree depth: 2
PID:1660
-
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1784,11675327164829650233,8546519728444149150,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
Tree depth: 2
PID:4920
-
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1784,11675327164829650233,8546519728444149150,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4012 /prefetch:1
Tree depth: 2
PID:2916
-
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1784,11675327164829650233,8546519728444149150,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4528 /prefetch:1
Tree depth: 2
PID:4144
-
Path: C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1784,11675327164829650233,8546519728444149150,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5096 /prefetch:8
Tree depth: 2
- Suspicious behavior: EnumeratesProcesses
PID:3556
-
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1784,11675327164829650233,8546519728444149150,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:1
Tree depth: 2
PID:3620
-
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1784,11675327164829650233,8546519728444149150,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5308 /prefetch:1
Tree depth: 2
PID:3588
-
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1784,11675327164829650233,8546519728444149150,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5192 /prefetch:8
Tree depth: 2
PID:3832
-
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1784,11675327164829650233,8546519728444149150,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5268 /prefetch:8
Tree depth: 2
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3724
-
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1784,11675327164829650233,8546519728444149150,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1
Tree depth: 2
PID:4396
-
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1784,11675327164829650233,8546519728444149150,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5144 /prefetch:8
Tree depth: 2
- Suspicious behavior: EnumeratesProcesses
PID:1352
-
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1784,11675327164829650233,8546519728444149150,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4528 /prefetch:1
Tree depth: 2
PID:4832
-
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1784,11675327164829650233,8546519728444149150,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4728 /prefetch:1
Tree depth: 2
PID:1488
-
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1784,11675327164829650233,8546519728444149150,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5456 /prefetch:1
Tree depth: 2
PID:4540
-
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1784,11675327164829650233,8546519728444149150,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5692 /prefetch:1
Tree depth: 2
PID:4272
-
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1784,11675327164829650233,8546519728444149150,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5560 /prefetch:1
Tree depth: 2
PID:1380
-
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1784,11675327164829650233,8546519728444149150,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:1
Tree depth: 2
PID:5032
-
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1784,11675327164829650233,8546519728444149150,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5904 /prefetch:1
Tree depth: 2
PID:2480
-
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1784,11675327164829650233,8546519728444149150,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6048 /prefetch:2
Tree depth: 2
- Suspicious behavior: EnumeratesProcesses
PID:5088
-
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1784,11675327164829650233,8546519728444149150,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4796 /prefetch:1
Tree depth: 2
PID:3860
-
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1784,11675327164829650233,8546519728444149150,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3528 /prefetch:1
Tree depth: 2
PID:2748
-
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1784,11675327164829650233,8546519728444149150,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6584 /prefetch:1
Tree depth: 2
PID:1536
-
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1784,11675327164829650233,8546519728444149150,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3624 /prefetch:1
Tree depth: 2
PID:1620
-
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1784,11675327164829650233,8546519728444149150,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6208 /prefetch:8
Tree depth: 2
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:1324
-
Path: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Downloads\bodmas_malware_category.csv"
Tree depth: 2
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3680
-
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1784,11675327164829650233,8546519728444149150,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3512 /prefetch:1
Tree depth: 2
PID:4588
-
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1784,11675327164829650233,8546519728444149150,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7068 /prefetch:1
Tree depth: 2
PID:4840
-
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1784,11675327164829650233,8546519728444149150,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2660 /prefetch:1
Tree depth: 2
PID:4768
-
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1784,11675327164829650233,8546519728444149150,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7072 /prefetch:1
Tree depth: 2
PID:3804
-
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1784,11675327164829650233,8546519728444149150,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4852 /prefetch:1
Tree depth: 2
PID:4576
-
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1784,11675327164829650233,8546519728444149150,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1280 /prefetch:8
Tree depth: 2
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:2760
-
Path: C:\Windows\system32\NOTEPAD.EXE
Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\3e35a2a6b58853ab7443aef40d22dc37c3d94848ec9f5b9ca27c1892082b4f07.txt
Tree depth: 2
- Modifies registry class
- Opens file in notepad (likely ransom note)
- Suspicious use of SetWindowsHookEx
PID:2104
-
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1784,11675327164829650233,8546519728444149150,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1332 /prefetch:1
Tree depth: 2
PID:1524
-
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1784,11675327164829650233,8546519728444149150,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3516 /prefetch:8
Tree depth: 2
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:5116
-
Path: C:\Windows\System32\CompPkgSrv.exe
Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Tree depth: 1
PID:1384
-
Path: C:\Windows\System32\CompPkgSrv.exe
Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Tree depth: 1
PID:5080
-
Path: C:\Windows\system32\NOTEPAD.EXE
Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\3e35a2a6b58853ab7443aef40d22dc37c3d94848ec9f5b9ca27c1892082b4f07.txt
Tree depth: 1
- Opens file in notepad (likely ransom note)
PID:1672
-
Path: C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\3e35a2a6b58853ab7443aef40d22dc37c3d94848ec9f5b9ca27c1892082b4f07.bat" "
Tree depth: 1
PID:4532
-
Path: C:\Windows\System32\rundll32.exe
Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Tree depth: 1
PID:2732
-
Path: C:\Users\Admin\AppData\Local\Temp\Temp1_Covid29 Ransomware.zip\TrojanRansomCovid29.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\Temp1_Covid29 Ransomware.zip\TrojanRansomCovid29.exe"
Tree depth: 1
PID:2756
-
Path: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\B4C7.tmp\TrojanRansomCovid29.bat" "
Tree depth: 2
- Modifies registry class
PID:2032
-
Path: C:\Windows\SysWOW64\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\B4C7.tmp\fakeerror.vbs"
Tree depth: 3
PID:4752
-
Path: C:\Windows\SysWOW64\PING.EXE
Command line: ping localhost -n 2
Tree depth: 3
- Runs ping.exe
PID:380
-
Path: C:\Windows\SysWOW64\reg.exe
Command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
Tree depth: 3
- Modifies registry key
PID:400
-
Path: C:\Windows\SysWOW64\reg.exe
Command line: reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v HideFastUserSwitching /t REG_DWORD /d 1 /f
Tree depth: 3
- Modifies registry key
PID:3224
-
Path: C:\Windows\SysWOW64\reg.exe
Command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f
Tree depth: 3
- Modifies registry key
PID:4904
-
Path: C:\Windows\SysWOW64\reg.exe
Command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
Tree depth: 3
- Modifies registry key
PID:2216
-
Path: C:\Windows\SysWOW64\reg.exe
Command line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLogoff /t REG_DWORD /d 1 /f
Tree depth: 3
- Modifies registry key
PID:4888
-
Path: C:\Windows\SysWOW64\reg.exe
Command line: reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f
Tree depth: 3
- UAC bypass
- Modifies registry key
PID:3952
-
Path: C:\Windows\SysWOW64\reg.exe
Command line: reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
Tree depth: 3
- UAC bypass
- Modifies registry key
PID:4788
-
Path: C:\Users\Admin\AppData\Local\Temp\B4C7.tmp\mbr.exe
Command line: mbr.exe
Tree depth: 3
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:4556
-
Path: C:\Users\Admin\AppData\Local\Temp\B4C7.tmp\Cov29Cry.exe
Command line: Cov29Cry.exe
Tree depth: 3
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4284
-
Path: C:\Users\Admin\AppData\Roaming\svchost.exe
Command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
Tree depth: 4
- Drops startup file
- Executes dropped EXE
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:240
-
Path: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
Tree depth: 5
PID:2512
-
Path: C:\Windows\system32\vssadmin.exe
Command line: vssadmin delete shadows /all /quiet
Tree depth: 6
- Interacts with shadow copies
PID:2332
-
Path: C:\Windows\System32\Wbem\WMIC.exe
Command line: wmic shadowcopy delete
Tree depth: 6
- Suspicious use of AdjustPrivilegeToken
PID:2852
-
Path: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
Tree depth: 5
PID:3704
-
Path: C:\Windows\system32\bcdedit.exe
Command line: bcdedit /set {default} bootstatuspolicy ignoreallfailures
Tree depth: 6
- Modifies boot configuration data using bcdedit
PID:1920
-
Path: C:\Windows\system32\bcdedit.exe
Command line: bcdedit /set {default} recoveryenabled no
Tree depth: 6
- Modifies boot configuration data using bcdedit
PID:2648
-
Path: C:\Windows\System32\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
Tree depth: 5
PID:1408
-
Path: C:\Windows\system32\wbadmin.exe
Command line: wbadmin delete catalog -quiet
Tree depth: 6
- Deletes backup catalog
PID:4672
-
Path: C:\Windows\system32\NOTEPAD.EXE
Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\covid29-is-here.txt
Tree depth: 5
PID:4644
-
Path: C:\Windows\SysWOW64\shutdown.exe
Command line: shutdown /r /t 300 /c "5 minutes to pay until you lose your data and system forever"
Tree depth: 3
- Suspicious use of AdjustPrivilegeToken
PID:1660
-
Path: C:\Windows\SysWOW64\PING.EXE
Command line: ping localhost -n 9
Tree depth: 3
- Runs ping.exe
PID:4008
-
Path: C:\Windows\SysWOW64\taskkill.exe
Command line: taskkill /f /im explorer.exe
Tree depth: 3
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:232
-
Path: C:\Users\Admin\AppData\Local\Temp\B4C7.tmp\Cov29LockScreen.exe
Command line: Cov29LockScreen.exe
Tree depth: 3
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2272
-
Path: C:\Windows\System32\PickerHost.exe
Command line: C:\Windows\System32\PickerHost.exe -Embedding
Tree depth: 1
- Suspicious use of SetWindowsHookEx
PID:4068
-
Path: C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
Tree depth: 1
- Suspicious use of AdjustPrivilegeToken
PID:656
-
Path: C:\Windows\system32\wbengine.exe
Command line: "C:\Windows\system32\wbengine.exe"
Tree depth: 1
- Suspicious use of AdjustPrivilegeToken
PID:3932
-
Path: C:\Windows\System32\vdsldr.exe
Command line: C:\Windows\System32\vdsldr.exe -Embedding
Tree depth: 1
PID:3816
-
Path: C:\Windows\System32\vds.exe
Command line: C:\Windows\System32\vds.exe
Tree depth: 1
- Checks SCSI registry key(s)
PID:3568
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (1)
  - Disable or Modify Tools (1)
- Indicator Removal (3)
  - File Deletion (3)
- Modify Registry (3)
- Pre-OS Boot (1)
  - Bootkit (1)
Downloads
-
Filesize: 152B
MD5: a0407c5de270b9ae0ceee6cb9b61bbf1
SHA1: fb2bb8184c1b8e680bf873e5537e1260f057751e
SHA256: a56989933628f6a677ad09f634fc9b7dd9cf7d06c72a76ddbb8221bc4a62ffcd
SHA512: 65162bf07705dfdd348d4eaf0a3feba08dc2c0942a3a052b4492d0675ab803b104c03c945f5608fac9544681e0fe8b81d1aaca859663e79aa87fcb591ddb8136
-
Filesize: 152B
MD5: ded21ddc295846e2b00e1fd766c807db
SHA1: 497eb7c9c09cb2a247b4a3663ce808869872b410
SHA256: 26025f86effef56caa2ee50a64e219c762944b1e50e465be3a6b454bc0ed7305
SHA512: ddfaa73032590de904bba398331fdbf188741d96a17116ada50298b42d6eb7b20d6e50b0cfae8b17e2f145997b8ebce6c8196e6f46fbe11f133d3d82ce3656db
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\7ae8ac53-5c35-494b-bb98-6a3713725a9d.tmp
Filesize: 8KB
MD5: f5beb8af7b1cb59e58dc17ebfd08621f
SHA1: cde3f81b331a981b19b73e13845c4367d3ba5196
SHA256: d21431305f71f477aac25f88346c23426c9af101a30ecd6817890324cf724470
SHA512: 879ef56d4281787c4d2d3df67dd3ef1cc0a8af373003201a72808f9d98d56d2f484996cdf6a2a1c5b2e566afaf0ec22d6d2e86637253ed9421ee95c9b7f72a02
-
Filesize: 49KB
MD5: 93ab4cf70b3aa1641a4b258c3fe03f24
SHA1: cba2ddecb8e019e6e5a91dcf867c6d6094f39b63
SHA256: d6c2f9f2bb35841cdb53abb660544e6e6f44e39d6542323992cc1c63e998fa16
SHA512: 70fa907afd9b52ed54a3cf755e394c40a3ff7a83041540b435cba47d889c1c9401afc9fb23a5e879d85bed42fd5df40cd7540d428b3ee7a9cdc278a314770884
-
Filesize: 44KB
MD5: d1a5de56e99839dbab128260f0d6929d
SHA1: 598e110db0d43581f3d7f0892d1ed6140a570739
SHA256: 41e5f6aff0dbd029c60a0b64e0760fafc592084e48e21ca48277a4e2b68e3cef
SHA512: 645c31db374ca378e773392b09d2ba698eefa5879ba8e14e3b31cb661e34dd00c16c8005b8857a2951797d0fd38344899b3914da8828fa0b72d7565d6f5899f7
-
Filesize: 24KB
MD5: 43dac252d21bddd2477439e023621c6c
SHA1: a7a81cd955811fd15dad91f443e0880d7aa08d79
SHA256: fedd9610bd4c2237de2d9eebba3143424967690767ba25ca7ab369f7aab3bb4a
SHA512: cc5aac6a7e47a0548ebc9a606eff04d175e1c76844160069bf4787349be6fe897cffd1444f9c00dddc214502ebd5a8ab97a1527d219679af894a28858de40fc3
-
Filesize: 22KB
MD5: 6c0d7b869b0581b57bfa61f385c2ea91
SHA1: c26d2c58a8b6cd2843ab8db8cd48ff8960bb9daf
SHA256: 5c9fa7df7f446408d1aa91e9ab4d445b0be2ba4adc316c0bfa5a19cb0376b1dc
SHA512: 11f7883bf9d439c48343639fd610fb7b1015179ea434c0aa5e3282f9eab24dbd3e5aee3f4fa8d65e130bf8938c10bf790f29b4c9f4f476f2fa7cb176fc4e191d
-
Filesize: 20KB
MD5: 8b2813296f6e3577e9ac2eb518ac437e
SHA1: 6c8066353b4d463018aa1e4e9bb9bf2e9a7d9a86
SHA256: befb3b0471067ac66b93fcdba75c11d743f70a02bb9f5eef7501fa874686319d
SHA512: a1ed4d23dfbe981bf749c2008ab55a3d76e8f41801a09475e7e0109600f288aa20036273940e8ba70a172dec57eec56fe7c567cb941ba71edae080f2fdcc1e0c
-
Filesize: 63KB
MD5: aa6ffba997d9e6535da1a2c26a004749
SHA1: 9ed525230c4bccae34454a71adf723fb7479b53b
SHA256: db0eecba023386f47ac57fef8a8cdab5f12e04637da91c13b81b8b60b43025d0
SHA512: ba7e79b263af9d9939059a28d7c73683f9cdb2c9a986adc54d8ad54d28e237c2b0f88010a4829392addb3be5a8d08923cd5931a71ff7558eee9e4b6007273d2b
-
Filesize: 19KB
MD5: a22bba8496b44ce03e78393762962309
SHA1: e40a5c761e2752898bff478212e73423720e62e4
SHA256: cc755756eafdc0478fd311c22224aacdd9422bb756c75e134bf7ecc12340db42
SHA512: 283dbb5b1091232602b9ef06e0c1246c9928407bde42d6d3d88bd95a5416aa8e49036674e401f76d8d7c074ffbdc30b1c52f6417415b54e4c07d8b314d98ad77
-
Filesize: 59KB
MD5: 063fe934b18300c766e7279114db4b67
SHA1: d7e71855cf6e8d1e7fbaa763223857f50cd1d4bd
SHA256: 8745914e0214bcd9d2e6a841f0679a81084ef3fc3d99125876bee26653f4253e
SHA512: 9d0dfc21306b3a56c2ecdf1265392271969e3765e161e117c8765125b34793e24458217cf6514b364f351f47e65baaaf5856be0d13406a789f844d6ba8c7075f
-
Filesize: 151KB
MD5: e0595142a80771d317d27440fd29b8e6
SHA1: db3710d0d8d60dcb64430c342c6fd921d6792fcd
SHA256: 3ba245011d9a8ade367074a3774a786f50ca51d71a83956dbb0ad2647a14d7ed
SHA512: 6d298295955fce4166720ee7cc42bf4562ff311b6820025a7ea710a19dd8553d8677fe194876db5e2e6440d9d21aeb603a6b3fcd73f656405428d4ec00dba288
-
Filesize: 21KB
MD5: 78ac8f2b69aa06a62c0396eec2465414
SHA1: 7c6c2c9465955c34e62f2802896afae2053591c0
SHA256: 6c86d8c0c6067e4eb4055d4201159df4e5772c88d0784adbe1f9d0419243e9c5
SHA512: b5e8fa423a003e6259293b5a37302894be43efe93161d2bd3c4f89296630662ee32bb3639dd4856431ec597d31c83f280f594180d925469e31665450802db0ab
-
Filesize: 19KB
MD5: 4b36af377345ba07e1b4e00028a59119
SHA1: 5b92e3b727172e455570822b194e4b6e833fd6bf
SHA256: 581a19ecaeac7df979ff1023c17e0825e87afd897f077f0dbeba804f5d2d91cf
SHA512: 7abc3b8ebbb50683fbb18d54a61f52d2faa9ea2201c3f730a9dd49e2b00ab1fe2ca984fbe1ed918de879d04c72ad12b33f77991c7ce117578335205a09da0d24
-
Filesize: 23KB
MD5: 77a781823d1c1a1f70513ffeda9e996d
SHA1: 60776ceeb79ed41e7cd49b1ee07b1e09ff846f25
SHA256: b093599957b103def2cc82ffd2d42d57a98292ace5a6596e3e4439a6cce063b2
SHA512: 9aa66273ad419e1fc4ee825ec9e9fea4297139eca060572d3f59ed9bccbf2e1dbd03a006a0a35c6d37196e8297ec9a49fb787f0a31c3772b17911603eca62aac
-
Filesize: 88KB
MD5: 0806b6e9447e69980d8dd1e5bc9bd923
SHA1: b621a55dd41a093b7066c7347d4fc7d33e6ae3c0
SHA256: 7f78d2882870c48a3611e13c0f64b81313ae7d1a22d7e50dea2ca6b79ca4d4ad
SHA512: 2deb48e2f088a9a162eb8992fe8457fba2e4bdc255869d01a2eafc143a2217d824070ec75d78959646fcc84df81636653f28688c05759b353d2d17dd84d34926
-
Filesize: 27KB
MD5: ce0b8d11a00256be872539d386e3f8e5
SHA1: 64658a28b3b3a52c5332c9e1fdb8875411a4f9d2
SHA256: 3a009c2e78435c0b5f5454d3a39090a76111f8dcdb35ae665332afacb6f2d83e
SHA512: 06fd4d8b19f485e8fafabaebef5f48217d86ff8d59a1889e3a47bc28eaafb23892fe0f85d4e2165cdfbe70761fc006c0650e7304b2534960ee8962fdcef8cb4a
-
Filesize: 39KB
MD5: 2216add26a4a6b9ec7972a958d25d5db
SHA1: 53abdd20e25e0aabb473431e84470f7f88e53801
SHA256: 62c51a443593a01dfc001d11a990bb5b86fa3da82a1df988d0089749d9d3a17d
SHA512: fe4bab34366ff4f8935c10969a5bd88f9572fbb869d404a8cc5fdb41aec2074a31784f9fa613fad7f27ea9cbe07b087b2c1e2a7ae8ce1c16247d1db51ba54370
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 4KB
MD5: 97088b3450c9decf52d6ad6022a56114
SHA1: 6d4fbed310481d5c6edfd7b8918ed52c0e9c616f
SHA256: 8aa9dbf093e33c32268e7be2bed1bdb27d20ea4ef94cde1dc4bf2204e176c3e1
SHA512: c9861a6d096459e06be45e1df79590e7b29c3b80016b49b8d445a4ceae113e4f567f2e2ecc2cc13227382e93af4635fee16f65648f3602c37b79759f8090aa5a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 4KB
MD5: e3d27be089c8638e2a8418209d9988c6
SHA1: dab2405a7c446c8e1bd34962d4932cf2c535b288
SHA256: ad722427221935371e110b78666922a04990896509783dad9c3b32d940ac08c2
SHA512: 8a3639ab765bb8c0babb2af06cae7e02419bc456aef79611364144870d123bd70aac647fc4c730686895150b13f6d1bc35b56633383f7c4f6788d1e5ee1d871f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 3KB
MD5: 73034b60b53bde3865e6441af13580e4
SHA1: f079df27501421a3cbc86e886c6bfea810b79a6c
SHA256: 5971c4061397d3b2091c851999fb086e9e1301dd90871e03de33f84b730aeef5
SHA512: 471a01e819c9b0067e4bfb81caab16570d467db81e7acaa1a65faaa5f0a6964ec86e209b3d7815b49be8792ebf107a518c95f18100e294f3ea901fea2c688c4c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 1KB
MD5: 220235a7f8d851ac5e122e2ea66cfdb9
SHA1: f3f8502851e77899ec90fac23e57ecdfd2deed2f
SHA256: 04f5a60920481aadf50b84ba604d2ee53c696dc9d3a331269590ed681ccbef21
SHA512: 2aff27ee0dffa1eec95a2a1e352df313c0cc34cdafadeabed28b04e7214e5508cfaecf414f5648e109e78d54c233fbd8f77bcb43191977d4ea87cb637012f775
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 3KB
MD5: 29036d3c1ecb0c8f319d837f99608ddd
SHA1: f2927667876a7daaaddc69abbb8d5e97a4f57a5d
SHA256: aefd8d572db62663f0015e0c6cfbb47d20f7b283e0064af5d7bc696bb2888414
SHA512: c0240b1080d570d4333a9791e91c7861168fe996cee9f7dfb31d5f626230d21b74497e774e88553642137f61a5bc4499f7828c3860a0a0f4dc7bfe73c9a07954
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 4KB
MD5: 20d218a86a8ef658cf5488a7b34ba62f
SHA1: d7aed71f2ff91b16aeb00580b58854958afbb686
SHA256: e248ad9e507250c64713043d9e311ff406b057eb314737ac7362b203f62966f6
SHA512: bcbbb1fda3d6876e11251a0b9c33c5e506d0c23f3134635f08f438fc0ed730d097edcbc11d9a24ec32a80fef4f69819da1e8bd889fcdb70a96b951a9c6c9439f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 4KB
MD5: 3e89491acc925b731dc355c9922699d7
SHA1: 6d8c871157f703f36d29c123675942bb763c22c8
SHA256: 1280e8cc658030c990c2313b9aa5d68946c730dae388de7ecea604c9db86aa76
SHA512: 408b9e0e623731ae021bf70eb1b7d4eb71e326edc237c98ac02944babe73c257186dc052150ad724b9071a697f81734565b644baa75c367a8566c293f4a2bf63
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 4KB
MD5: 758b8a767461df074c5145d247ba488e
SHA1: bd13d8a3bb2add4b957379ef2eafb21929383dd8
SHA256: d823e6317a9491c462ee304a1c9e539ff16ba75bdf118191cf5fe3d33db654df
SHA512: 48398e3ffc761f38569256bcf08b9a5adfda9ca3f1ffee9c29a409b4d58145482fcdfed5e366175e9147531c156b5e3ac37536362be276d57843686d41b47070
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 4KB
MD5: 1ba4cd58a76511f58b943d69a9a75a5e
SHA1: 8f32fc5d40603af38d439c5c8378342ef954062f
SHA256: ccab7005fa60dddae1094158c7215f49b0439bb8b3dbe978f1285bb14c2f2f0c
SHA512: e77e3e86a372afa51f4b30d5626dbec8223440bc90b609f0781222ed965479e5f4ca2bfa86c61b44a7a4122bd6d28350ee631b041f88c99ff87c3b7b027a1719
-
Filesize
111B
MD5807419ca9a4734feaf8d8563a003b048
SHA1a723c7d60a65886ffa068711f1e900ccc85922a6
SHA256aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631
SHA512f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c
-
Filesize
1008B
MD5e7f0875927543a5cd2ed537c8bbd2899
SHA15f586ecd7de5c49419c96915a6e70c8627f66665
SHA2561bdfadc344b9f9a4b32636d535d4b27762cac3666ec4a48228cd6e0d9f529c64
SHA512425f95896f06ea2ad8832290d23861cffbaa7148dfa55a31cb89da8e4bd52a81ba977be6c763b797e1cc9ebb735ccafa214e638fd49345e4f18e9a54ad9deaac
-
Filesize
1KB
MD505144d974465ec9258c8c583f8fb58dd
SHA170b8fb7936b739dddc6c17fc9086c434b4c8c349
SHA25675ffe5776824b7d84bf44557ffe4dcfcbb9efaf64a0a3b34e7d9be99d78cf7ab
SHA51268a7bdeb2df1e264926a365c61dbb5675cb33922f6637f0ff1b64c12a62e582b423888b98bb040d41fa2de895d82b9faacb11951666e058824f038a98cd1b6d5
-
Filesize
5KB
MD5271eb932ea5cad3a8e8eb671e1488b5d
SHA112873cacdb94b964ccee7fa1f3199e9eba212f14
SHA256643a2c8308051d0ebea9429bc07d0c3ac05c3ed8ab43a174a4eef33322ba00ff
SHA512c9b7fef71466f1d8027df6e661cca196d8a5636054a86beb3ce7e30aaa9c348813981f501547cd2777eb579a3e6e048e6d83b5a22f08a8a79b58e89e888c49d5
-
Filesize
5KB
MD579161945d4e5d8537386b34def2b6eef
SHA1f7ae03a3b31e671eac943e4bf8e2fb642567eeb2
SHA2565fcaf84c9a59d56fbb5d811d491542a4bb81fb0de99e1704aadd5f2614d9d61f
SHA512c6a17d92770cd3365598f3128e14346a3a80607001e562a844b55f82272528dc77f4fc5f7baf8c33176ee8b4522de2d28a8ca67256dd3ab43ca4ce3bcab07658
-
Filesize
1KB
MD5197667cf0073f5e78fcd4fbd89fe6512
SHA126e454e049ee04f6f7a786925254cccb842ae142
SHA2561f9808262ce1885c53cb0e01dd5d8758436c2acab097dba3082ee65508b4e272
SHA5128bda533b1111d5267fa6b2e9ddee7e06e37e962572c32fae2d77127e28cb489ceeb63e2dca6e9af0360a2af561c927338c802887f0ba3cf5268487ffc6a385e4
-
Filesize
5KB
MD56f9138385bef7453efd0d7822db3a1b6
SHA15f67d0aef96f38b2b454c8a3a8ed1824df94916d
SHA256b72f1362307568639cbb8e4da6ed03ad575f1c38586ac4a12daa9dc11f342b0d
SHA5127d8e366851578a7f2295d5dc42a3dff01386fd04f04f6074a8f5b2b78e49635c9225c30ff1e620108b78042de3b0eb65c418b9d006e36beac80af9cd1205e242
-
Filesize
7KB
MD56f9fbc1b54116409a4b07380ea3dceb4
SHA1725fe3841dc378565d0d683231a56601152574b4
SHA256b01c0971075d9eef5882cef50dda179919c9e6ae4199136c708c13e6b3ee5740
SHA512015b45a1fcb2cad06e1fb2864dc5d1cee1c4449da1886ca23ef5678f3d42ed9f830a8c3501138ebd5f66df41cc8c063715216011a435d87cce07cedf3dbbbd7b
-
Filesize
7KB
MD5766f021826b9ca49646424ffe502cfc5
SHA103620e566c4a44ef0187483387d9fcc1a1bbe310
SHA256f1c75f163e6023ce706cee32c3b4da032a0ad96a541ce554fb6a33afbdecd409
SHA5128a1b0a2fe668ef53ac0dc83cf985fb2f36a4cf1fba0825affc84c5f3a21cf65977fca7da402e8e2369a6426140851755a1b6427cbbd3c9b6775edff2cc37d8db
-
Filesize
6KB
MD5e9238872ffc3998766b4f649cd7ba595
SHA100ae8e81165b9e625d35852fc5bf3d3af9c9f067
SHA256be12c43b88f16c86c73830323fc4a421c722cb16a7516a557b50f4259ed679cd
SHA512c5872b19759507a54bc894860c3b1861711a4b3811c09e8101bd83b78f22c0733414fc1bb249849b3e5f37223ec625ae33ea156e961a0670f6a1682167414a7a
-
Filesize
7KB
MD5d8e42fe19769b8c397bcb14dd34f3777
SHA19bb72b77d04ed5e5c7dabcc6caf9efc0a46b44f4
SHA256a3f98aef9bccfa407673e1a6a548e30fc02f28abb4f8968ea3e93048c4996e56
SHA51261327c148907bebd77026dce097991ed1e34b0419b20f6a233b4d1f25101b91befaa5c807baff4a3487d8ce353ca15a3724b3ac73a0e58072a8efcd65085c8c7
-
Filesize
6KB
MD59a178a2fcb2b11411b458b94784144fc
SHA10e851b8bdbfe20a5dee1c054173ea9f0021ba602
SHA256a936ace828a5e75bdbcd3df45947bacd7b44c19786470d66902399c3428802cd
SHA51202090bf18cbf08364456dec81c45e277b24e0bfcd6b5804935619dd03cb6b6db965c08bbdbcd3d98297fbaa41382c7bed2ac27fefdfebffb761fcb06b207c29d
-
Filesize
7KB
MD5459674898334e9c57b5abfdde4c78a37
SHA1f7549523ee257fc57b8a2e3ec9cfd8912565bf8a
SHA2563f7bc7991fb7123f974b6deaa78f60329b0c85bc3f742618372be83d5dd75932
SHA51286ceddb1eae9dd540ecd621584a501223279c147fb7c0355362e0d40c74cc6040f1ca306c9032518694923c613ba0470aa6726c0e485dd0e8c5cf81b6c2d71fc
-
Filesize
7KB
MD501231712f3a011fd1aec089e9279a1ae
SHA1c9943927361971a1e9f651080e07ee7c2d44d242
SHA25610c1c87270a99c93699ef390ac85bdd0bb8ecde1ecddd978ea29c90f7ecf5f96
SHA512e005a48f1f1e4f17c1800ae2ae64bedc9862a00a97bb8520fe2e56739cf82e797088010ee223d3e91803745cf1662b6acd886ee9b837002de339e42b9a58957c
-
Filesize
7KB
MD58fc0f40396dbc93065bbfe5d1746ad9d
SHA19fca4168dfb30a2e03a38b0f92ccdd5d655e9b22
SHA2567f59ed5a2014cb395a805ff3c3bf10a54637321570334fc735f3682cbb8b8965
SHA5128707a1c14194011f27824d8e1d287f2dfde9ba51cd4bc501e8bc9a977347f76d98a6966dfc2c6e442eb1ae4c0e0b9c7b491497fd4f21e54850b5dfe2053ef1dd
-
Filesize
1KB
MD564664e3024e011212b9541ea78229f41
SHA11977477a695243d17ee58ba5b0d9e628ebbcd79e
SHA2569bad2f980d339b9134c0ab2c720b142764efcd77988057494836152b3d6bb4cb
SHA512b81f179659a5547b1dfe3151deb1bac01df9fdce6a7799c052ac913095ff4e4b69603426c81da843c7516576a982f68500f86ff4003ab54d097e1a292e56b8cd
-
Filesize
3KB
MD5cac4e8717dff6a70ce6d8e3a066ee2e8
SHA131c5e72c0fd49189f5c5c9b6a44568275ff23c3d
SHA256887c710da42b7e5007144b37f22e931a4971a328c61ed83dcd5ca9e79ef18849
SHA512fcecab095003778efd14108028b648f7d36437ef215cf58827722e6297daa671f730a1f605491096e5e1060bcf2ac9d756819dfb5a6087c30df78b014b4ea158
-
Filesize
3KB
MD563c5c743a1ab4ba5cdb2e82789b6936e
SHA191666b88ca368bb323a24056be21f33a77ad28d7
SHA2561cb3cc4efa9f7d10c5bd4eb5887ea70c9fc50ce4905666f4e28ea23b2b5e8576
SHA512787556c30344b27c4a2944b34f83ca2638ab8b3875589d2212a46d3400f9de282bc0a53e32fdeaabc95495fd2be1cf49490a32824223944c7121dc8186266f1b
-
Filesize
1KB
MD5afdbd8d4c2da9b305751460234fe64be
SHA1c5d77a8d583f2af16dedc6d6c0cc853c98f7ced3
SHA2565fcc8c0b526e9e40d453bd1f9d2a107167c2bef5479dd59405cea46f077bc2c7
SHA51279763578439f1cf8f84137a9b8bfd366b90dc6b0b2d9bc7f25ab664dfa89b946a6f68c0258ab5370da46903338b57dbcee98dbe4f456f9db18884733f163ca7f
-
Filesize
2KB
MD54868b53b4efc074b6772c46ee9d3e90e
SHA1f0052a8914e1d59337047906886b56ee7a66eff8
SHA25645d7b7581f622b33f602f6341055d5d4a1998daaebc5dec895047fdee6291fa7
SHA512b5356b88d98a2f46f785322bcb4a7c4e737713bca98bfa70d952b28b21de87275a8f403887fa8d701d48a8f6354b6b63cb77099343177b7d0c123989a95d407a
-
Filesize
2KB
MD57cd627413e5292baf2467d48b4c55dc6
SHA18c98b8b1c898aac21f68f7d20febd966b3dbcffe
SHA2567042af1b63c2291f58fa9aca026f6cb74adec3d8bb9578e3ab257e6112f26afe
SHA5121b3c54d78f3798297ba06ed34bf360dc6ffc894bf557082096a44810b7fbdfc3397af47cc66912c84e75ef72981c8b36d2d0f0e7164d7933bac8df304949ed6a
-
Filesize
3KB
MD52c472bcb9c7082c179f4f7581332f617
SHA10428d6cf65aea648b7469465a5452c6f7c99abb8
SHA256235bc9564b0c531a6cea9cf5526a54265d826b5fe6ce929110fd360aabe530c8
SHA512ff5c3a9d8d5c0831f90bb48c15029c4151f510405955a71312cba5b52f178b31c5b53eac638e903ec08e1da5b8cf053cb0701e105e91ec41468992562e6e07ff
-
Filesize
1KB
MD531552377f72c84ef0bcd9721cb897880
SHA1bc6d58f3937063d573dad3fcdf6c31e37e4d3d13
SHA25635934dc6fd2cb0772534c0dabec10deea4d464b2cc4e7cafc53167898b3d1b88
SHA51266c6d54dc8fd6ee0e5b3da5864c8cfbf8525a65f98a18bbe115ba98c372d43731d8c671d1fa7113e2a96cbdf37162bff7522353dd547b3d33a685e74be8024b8
-
Filesize
2KB
MD567d309b9f26a8f87a99d76597aaf0828
SHA19d50a34643ecdc626f20f61a34c5f72378e3e61f
SHA25605008720dd583f052edc9fcaa199b85b87a9d1bc32664a3260b47b971352e5a8
SHA5125cb6104c9c7688778c574ba245611a997caf73a954cbe7ecb9566960ad4adfc0afe6a9e9f3b92990ef90899f82e8ee18710a108dcb9edb8c08537eea269d4299
-
Filesize
3KB
MD5a49d2c51e9e715480fb418ea944ecd45
SHA1a01f9953e3443ba4f9b312d5a3d7601b2cb3fe50
SHA256ed0c78cb1dade616b4a679d697b28138d21a3523fc9fa7b4c61b26d737364b8e
SHA512bccc579f7e6f9fa567c5b4104fea6828aa908cc9dda39e61b50a03681dec236313c1df50a1b1ef6f14b3c59f9dd13f8511f9f6bcf797412f8ba6c249db9679ab
-
Filesize
1KB
MD506f333285ee98e921d1263952d7158e1
SHA128232d649073a4975c5c330b26c2cbdaf2db1929
SHA25670c30d6410ebc41b0196c4bbaa0aab03c555e6e02a87d8cad036fbb0b9ad209e
SHA512908e6699da3cf97a6a611853d242a94cb38b027e05d4c6db20d4d848004b3a90bdda97a7e513653431bd738ee35ccded4f5291f2d540e764bf83c376df5390a8
-
Filesize
3KB
MD5153654fbb6ac02027aaa9d736d5285cd
SHA128a610e5dc4a54280f2780de6925e5b1d13b0979
SHA256cf427b1c41a97ba3a0526f6452b3de660eb8535f35f08a4112ead35bd0d1c743
SHA512b933da25e1a31cc0bbc021f70e2084215ba0cc9570dc7192a1ad480e9cfdc1807d8be586097d0ee6daa3c1dc5a4c6e22d175fc189f9a72f700849f4f4de8237a
-
Filesize
3KB
MD59d7184344b7cb53cb7440f3da75354ab
SHA1f0f956bfa5c36f24d091efde5c4ef1a9a2cb3180
SHA2562a8e815704243fd2053417a753c56aea11243fc9f8c08716cf4a41bc8a0a0a4d
SHA5124bc104164c31f1113e70e997672f8fc35166356d4d2e9c3151a0249a90de9dd24297dd77f6042d1ab63e88f60efe6db0b50f302fcbddbb4da2904de07abdf4db
-
Filesize
1KB
MD5a3f44d465209953d70e3a6481e66d276
SHA1fd4b26246915955d0e315080123d4951da540111
SHA256ab9df4a80115966fd451b6658374c057d13d134ca2d32e9b4c495b049544514f
SHA512b93bb863c6cc7efd377d5fcaae64c8c02d6ab5f37daa76fcca06d108396c5f4357082c74ea7bb0db5ffccd47febf729b17548f31adecdad5f8d13103c8a30774
-
Filesize
538B
MD51c2020956c89fbd786545bbe1ae23564
SHA14f58e75be3ba1585b29ff372642122779d70d21b
SHA2562f93b8913d9d0c3b6e1b2c13907af7b44aa0eed29125e9b0459d189d288aeac9
SHA512cae588f247768c8a0617d5f04312aec4d1af9be3afcf1921f04114a9af4307d5994c2bc4d60a81fbbfd133cb21177fd6dec64465fa6e55b523004bee46743651
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD50b1659c4941fd16c1cbd3dd90ec603c0
SHA1e8792e34e4ba41783c58905eae6a0b780e79c2eb
SHA256504779c188dc85d9c0a3371143311d8e6827bddf204f96419c4f2d9004c2142c
SHA512777c781e7a4ccfa8163c00a48fab8f46038d875735b010022e71ce948a3cd4dd3f00c53b91a56022a567a13c0fbe070024094b8c306674b4dfe4142c3da39104
-
Filesize
12KB
MD578728ff4ca59f6e8e733cfa9b00cd87b
SHA1dcdd5a63c48c12ebd5ad79d6a7d8cce12dd5fabc
SHA2564932cafff66fbdc882585ed8793855fb16d6c1f0d48e310fae33184a5d013027
SHA512d94152b17fc6ea10aee42136bffbee3d7d392c4905e050ed5c276889efeda0c34d6a4f5d4619f5810f579743a33700f8d2aa3903c08e5b9967510846eda9e84a
-
Filesize
12KB
MD5b9dc637f7773f06c1f9e6a49a08f9ba6
SHA1c976a2a167b88b593c27309aeaf0fabcfc239218
SHA256852b625106d14dfb7c233ee8f6d919dd50a5c22b156ed94f19122bf6f1cccb35
SHA51208008be3791260fb558b8fd7bbab19c3ff9ce11a441d516fc33766bd689b76bedc5193a07d2595258b554213e50f7abd82dea4343c7a5825c6858e9741287a94
-
Filesize
12KB
MD569c559f25cc341fa36e2b18381b12091
SHA103ad56a5f0ee5de667436cb84664c59e4bec7e32
SHA25601f4673c8f1d1a78060da149f5f1c1e0c5654c4f17903ac82282a2d7b7ecbd55
SHA51243c563eca83d08519e39a3caf80fc00a3bbb0a6cacd708341bfe908e74e52c4c8ee63fbb748f0a2336ba7ad6f797692c4574654b425ddc3254f8bc0006de34e8
-
Filesize
103KB
MD58bcd083e16af6c15e14520d5a0bd7e6a
SHA1c4d2f35d1fdb295db887f31bbc9237ac9263d782
SHA256b4f78ff66dc3f5f8ddd694166e6b596d533830792f9b5f1634d3f5f17d6a884a
SHA51235999577be0626b50eeab65b493d48af2ab42b699f7241d2780647bf7d72069216d99f5f708337a109e79b9c9229613b8341f44c6d96245fd1f3ac9f05814d6a
-
Filesize
48KB
MD5f724c6da46dc54e6737db821f9b62d77
SHA1e35d5587326c61f4d7abd75f2f0fc1251b961977
SHA2566cde4a9f109ae5473703c4f5962f43024d71d2138cbd889223283e7b71e5911c
SHA5126f83dd7821828771a9cae34881c611522f6b5a567f5832f9e4b9b4b59bf495f40ad78678bd86cba59d32ea8644b4aa5f052552774fea142b9d6da625b55b6afc
-
Filesize
1KB
MD557f0432c8e31d4ff4da7962db27ef4e8
SHA1d5023b3123c0b7fae683588ac0480cd2731a0c5e
SHA256b82e64e533789c639d8e193b78e06fc028ea227f55d7568865120be080179afc
SHA512bc082486503a95f8e2ce7689d31423386a03054c5e8e20e61250ca7b7a701e98489f5932eba4837e05ec935057f18633798a10f6f84573a95fcf086ee7cabcbf
-
Filesize
144B
MD5c0437fe3a53e181c5e904f2d13431718
SHA144f9547e7259a7fb4fe718e42e499371aa188ab6
SHA256f2571f03eb9d5ee4dca29a8fec1317ded02973c5dd233d582f56cebe98544f22
SHA512a6b488fc74dc69fc4227f92a06deb297d19cd54b0e07659f9c9a76ce15d1ef1d8fa4d607acdd03d30d3e2be2a0f59503e27fc95f03f3006e137fa2f92825e7e3
-
Filesize
512KB
MD547ab73389c507df1a98129f33ac5ce24
SHA1e77e35c1df4e40ed43d66defd4e75415606c3686
SHA256fd464d15c2ef67a6cdc083cf2bcab8aaefd79682056f3b7d06c45ee21acf00f7
SHA5129ff782a04066aca518d3e8e50f19ecc12a74f52d85a00d532c67e80588742e570bbd9dbb0e2f240879f800af45b27c960704bba25daf0fb6c0ab73c472d76614
-
Filesize
531KB
MD5eb1db124a4630fcee1d9d8a4f46bdf73
SHA1ace8981732f47384cae871b53648dd8db004a081
SHA25646ba350d72fd36afcb550dc1a20d9f269d2d654674275cb8b4f20f0a64ca2eb0
SHA51200a1019922015a9082084053b730bad87ea52e7d2dbc603f55f2b14b813c72456352c5fa069cc96d5c144f589c2904fd95459b6e356aa05d087c10e493cbe3f5
-
Filesize
448KB
MD56ce2edb96e8d4702690ba88ba6f1d3e4
SHA175373644d9944e0005a52a44759bcbd1820c85bd
SHA25658faae4aed2450e464fa193484e41d5a3d6b4ab15b22b0f4836cda45160aef84
SHA51246852da00be9b3b7ebc001453d73fc7e76a551939cdf3de5e4e4d3549380b9faa8fdfe11efdf4668685be7d0462c1120055ed1f6504423024647db0f83e59166
-
Filesize
1005KB
MD5c8b8463a5e7fcf02a24357e0d02b2356
SHA1d03134eebda3ada20f0e3675b7b1d52b52c228eb
SHA2566e6da81048a8dbc81d40980a3886671f8c2e9976ef2adfed290e2e05fc4dc806
SHA512ab57a5d87f86ef4dffcd85cf197961912f4ee127b61ff8bb19eba86cbd5c04ffcb8d59a2d72e2602cdc0ddee63b8765e5527b8880a9623e8a0b766fa49cd3f36
-
Filesize
1KB
MD5bf9b6582b2fba958a70934a20ded62d9
SHA15ac3d1665173e7aaec154730a443e4078dae5ca2
SHA2568087000c4eb30d3fc94f9dd3a2c51ce6db98056aaeb5412a240e35777772cbea
SHA5122327575ec2925d9621ee62473f73cb94608dc9a724061a27546ea0557f46dea3c81b12444fb75504077733b8c083a52b9f66cf89c88034dc62deb790489b3135
-
Filesize
272B
MD5c6f2ca6680bd739e6f0bf66bc71d71a5
SHA1c9542da9488bcb3e353a534f691c0569aea4377c
SHA256f5ee06ced61a67430525f44273e21239aa52f210b36b4f47867c58bf4cc441ec
SHA5124d29c73d3759d3879d9aaa40ff96f235a6590b20387b7bf5c7ae2bd413c13a8f912186a7b359b43c6b18f1220cf6eef2db42eca808db60a14aeb2a16386e601e
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
Filesize24B
MD54fcb2a3ee025e4a10d21e1b154873fe2
SHA157658e2fa594b7d0b99d02e041d0f3418e58856b
SHA25690bf6baa6f968a285f88620fbf91e1f5aa3e66e2bad50fd16f37913280ad8228
SHA5124e85d48db8c0ee5c4dd4149ab01d33e4224456c3f3e3b0101544a5ca87a0d74b3ccd8c0509650008e2abed65efd1e140b1e65ae5215ab32de6f6a49c9d3ec3ff
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
Filesize696B
MD5acaa257c350297e1ffe32dbc8d18d84c
SHA18315c9939273e9f6a6c7b4ef303fc716e8a59abd
SHA256e55c7e68728c960273df0ea9faf0f1506aa63e05e4bf3e323a6c3214de1f8533
SHA5128bd86154e12da3ec902e16a8d7210fb2339b7096076523f2b18f8eb797fadc463bb8ad0e65c9f2bc3d0d2a22e6fe930e89761238da3bc0ce37649be405432a3b
-
Filesize
861B
MD5c53dee51c26d1d759667c25918d3ed10
SHA1da194c2de15b232811ba9d43a46194d9729507f0
SHA256dd5b3d185ae1809407e7822de4fced945115b48cc33b2950a8da9ebd77a68c52
SHA512da41cef03f1b5f21a1fca2cfbf1b2b180c261a75d391be3a1ba36e8d4d4aefab8db024391bbee06b99de0cb0b8eb8c89f2a304c27e20c0af171b77db33b2d12c
-
Filesize
225B
MD59f8d59f3d76e4c2ddd0ffaac45b38f65
SHA15de908723c985286e419daabb9477681a42b5063
SHA2563e35a2a6b58853ab7443aef40d22dc37c3d94848ec9f5b9ca27c1892082b4f07
SHA512db07ad401dc28833bcda99486d981e01ea5cd53bf305e0402b8b209848838f881851afeadf04db53996c9ef334c6d4009cde0b46c7a9caecf4d285134a9ba121
-
C:\Users\Admin\Downloads\3e35a2a6b58853ab7443aef40d22dc37c3d94848ec9f5b9ca27c1892082b4f07.txt:Zone.Identifier
Filesize55B
MD50f98a5550abe0fb880568b1480c96a1c
SHA1d2ce9f7057b201d31f79f3aee2225d89f36be07d
SHA2562dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1
SHA512dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6
-
Filesize
1.7MB
MD5272d3e458250acd2ea839eb24b427ce5
SHA1fae7194da5c969f2d8220ed9250aa1de7bf56609
SHA256bbb5c6b4f85c81a323d11d34629776e99ca40e983c5ce0d0a3d540addb1c2fe3
SHA512d05bb280775515b6eedf717f88d63ed11edbaae01321ec593ecc0725b348e9a0caacf7ebcd2c25a6e0dc79b2cdae127df5aa380b48480332a6f5cd2b32d4e55c
-
Filesize
268B
MD5cc5daa5e579a9052ed7eb1b6f3d65779
SHA1adf793f0bc9a645e6793d4838524f59c4ff27074
SHA256def828abad22f799785354f6af5c2396103d734bb7c20f96b3e62cd0d55d8398
SHA512af7418c56e2f66f74f1a25fed7f9bc3e2a19fbbdc6cc97d6b52f6bb058deace600ace6a349249dc138398c186e4f23ea93df7bfa6f46f4907ca416b46ea87f21
-
Filesize
3.9MB
MD533b2402ddff10aaaff199cb29ebe144c
SHA18fb676f8deb631ee6519706cd6829d2b8cfde154
SHA256617fda69347ec907a79f198add431c8bb39102781de41cc03b7cd1718cff2198
SHA51253724d87f226b37bd853353e68a136d035eb179545dc3dfdd7f4f6089f6cfddf6ae8078b0da0fdf1d5fb4dfd5a53651a3f88ad652ed6ab2e39cbe671b96b906a
-
Filesize
26B
MD5fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e