Analysis
max time kernel: 324s
max time network: 327s
platform: windows11-21h2_x64
resource: win11-20240221-en
resource tags: arch:x64, arch:x86, image:win11-20240221-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 08-04-2024 11:46

Static task: static1
Behavioral task: behavioral1
Sample: wallpaper.jpg
Resource: win11-20240221-en
Errors

General
Target: wallpaper.jpg
Size: 11KB
MD5: d246e2938a820cde7586bed0f346900c
SHA1: c03acdafeee855fdeca8e06b8abc712a1e85b505
SHA256: 94e5de9b6c0b0f3376df8563b7e70df7392a452513082300da8b113992cde728
SHA512: 0a574f6c84aee25d71479eed5c78d06a12d98f558628a311b08fb1d17609f12403f7d94d2d6d2179faf6252c0e96537a9bb88cae420282d6d211a1e821165d27
SSDEEP: 192:khdfAW3/1AMExkhiiNEsD4SbAo0Y2dRhEN8hTA2zVXIDNgPx54mjmx7xDsVQzWB+:CfAmvMkhfNE+PbAox2JEWVXIDmPP4p7d
Malware Config

Signatures

Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.

Processes: RedEye.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | RedEye.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | RedEye.exe

Processes: RedEye.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | RedEye.exe
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Renames multiple (533) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.

Disables RegEdit via registry modification (2 IoCs)
Processes: RedEye.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | RedEye.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | RedEye.exe

Disables Task Manager via registry modification

Disables use of System Restore points (1 TTP)

Downloads MZ/PE file

Modifies Windows Firewall (2 TTPs, 1 IoC)
Processes: NetSh.exe
pid | process
13488 | NetSh.exe
Sets file execution options in registry (2 TTPs, 64 IoCs)
Processes: RedEye.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rkill64.com\Debugger = "RIP" | RedEye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\opera.exe | RedEye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\microsoftedge.exe\Debugger = "RIP" | RedEye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe\Debugger = "RIP" | RedEye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bcdedit.exe | RedEye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mspaint.exe\Debugger = "RIP" | RedEye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\logoff.exe | RedEye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RKill.exe | RedEye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe\Debugger = "RIP" | RedEye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\microsoftedgecp.exe\Debugger = "RIP" | RedEye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Autoruns.exe\Debugger = "RIP" | RedEye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\recoverydrive.exe | RedEye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RKill64.exe\Debugger = "RIP" | RedEye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe | RedEye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe | RedEye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCuiL.exe\Debugger = "RIP" | RedEye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gpedit.msc | RedEye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Autoruns.exe | RedEye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe | RedEye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bcdedit.exe\Debugger = "RIP" | RedEye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwCleaner.exe\Debugger = "RIP" | RedEye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe | RedEye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad++.exe | RedEye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad++.exe\Debugger = "RIP" | RedEye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe | RedEye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\logoff.exe\Debugger = "RIP" | RedEye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rkill.com\Debugger = "RIP" | RedEye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\yandex.exe\Debugger = "RIP" | RedEye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe | RedEye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rkill-unsigned64.exe | RedEye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rkill.scr | RedEye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\yandex.exe | RedEye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rkill-unsigned.exe | RedEye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ComboFix.exe\Debugger = "RIP" | RedEye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "RIP" | RedEye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\attrib.exe\Debugger = "RIP" | RedEye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RKill.exe\Debugger = "RIP" | RedEye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RKill64.exe | RedEye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iExplore64.exe\Debugger = "RIP" | RedEye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rkill64.scr | RedEye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rkill64.scr\Debugger = "RIP" | RedEye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HitmanPro_x64.exe\Debugger = "RIP" | RedEye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\microsoftedgecp.exe | RedEye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe | RedEye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe | RedEye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe\Debugger = "RIP" | RedEye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UserAccountControlSettings.exe | RedEye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwCleaner.exe | RedEye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HitmanPro.exe | RedEye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "RIP" | RedEye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "RIP" | RedEye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Autoruns64.exe\Debugger = "RIP" | RedEye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe\Debugger = "RIP" | RedEye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\control.exe | RedEye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\control.exe\Debugger = "RIP" | RedEye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rkill64.com | RedEye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HitmanPro.exe\Debugger = "RIP" | RedEye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCuiL.exe | RedEye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iExplore64.exe | RedEye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ZAM.exe | RedEye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mb3-setup-1878.1878-3.3.1.2183.exe\Debugger = "RIP" | RedEye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\recoverydrive.exe\Debugger = "RIP" | RedEye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rkill-unsigned64.exe\Debugger = "RIP" | RedEye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rkill.scr\Debugger = "RIP" | RedEye.exe
Deletes itself (1 IoC)
Processes: CoronaVirus.exe
pid | process
4052 | CoronaVirus.exe

Drops startup file (5 IoCs)
Processes: CoronaVirus.exe
description | ioc | process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-9AD7F29C.[coronavirus@qq.com].ncov | CoronaVirus.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta | CoronaVirus.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CoronaVirus.exe | CoronaVirus.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | CoronaVirus.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-9AD7F29C.[coronavirus@qq.com].ncov | CoronaVirus.exe

Executes dropped EXE (10 IoCs)
Processes: CoronaVirus.exe, msedge.exe, RedEye.exe
pid | process
4052 | CoronaVirus.exe
26864 | CoronaVirus.exe
26944 | msedge.exe
8164 | msedge.exe
14332 | msedge.exe
7292 | msedge.exe
15592 | msedge.exe
13924 | msedge.exe
11744 | msedge.exe
12516 | RedEye.exe

Loads dropped DLL (7 IoCs)
Processes: msedge.exe
pid | process
26944 | msedge.exe
8164 | msedge.exe
14332 | msedge.exe
7292 | msedge.exe
15592 | msedge.exe
13924 | msedge.exe
11744 | msedge.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 6 IoCs)
Processes: CoronaVirus.exe, RedEye.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CoronaVirus.exe = "C:\\Windows\\System32\\CoronaVirus.exe" | CoronaVirus.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\"" | CoronaVirus.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\"" | CoronaVirus.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\Downloads\\RedEye.exe" | RedEye.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\Downloads\\RedEye.exe" | RedEye.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\Downloads\\RedEye.exe" | RedEye.exe

Processes: RedEye.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | RedEye.exe
Drops desktop.ini file(s) (64 IoCs)
Processes: CoronaVirus.exe
description | ioc | process
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini | CoronaVirus.exe
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Public\Documents\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Program Files (x86)\desktop.ini | CoronaVirus.exe
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\Pictures\Camera Roll\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\Pictures\Saved Pictures\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\OneDrive\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\Videos\desktop.ini | CoronaVirus.exe
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\Documents\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | CoronaVirus.exe
File opened for modification | C:\$Recycle.Bin\S-1-5-21-1637591879-962683004-3585269084-1000\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\Downloads\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Public\Desktop\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Public\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Program Files\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI | CoronaVirus.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\Desktop\desktop.ini | CoronaVirus.exe
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\Music\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Public\Downloads\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Public\Libraries\desktop.ini | CoronaVirus.exe
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | CoronaVirus.exe
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Public\AccountPictures\desktop.ini | CoronaVirus.exe
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\Contacts\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | CoronaVirus.exe
File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-1637591879-962683004-3585269084-1000\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\Favorites\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini | CoronaVirus.exe
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\Links\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\Pictures\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | CoronaVirus.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)

Drops autorun.inf file (1 TTP, 2 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
Processes: RedEye.exe
description | ioc | process
File created | C:\autorun.inf | RedEye.exe
File opened for modification | C:\autorun.inf | RedEye.exe

Drops file in System32 directory (2 IoCs)
Processes: CoronaVirus.exe
description | ioc | process
File created | C:\Windows\System32\Info.hta | CoronaVirus.exe
File created | C:\Windows\System32\CoronaVirus.exe | CoronaVirus.exe

Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
Processes: RedEye.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1637591879-962683004-3585269084-1000\Control Panel\Desktop\WallPaper = "C:\\redeyebmp.bmp" | RedEye.exe
Drops file in Program Files directory (64 IoCs)
Processes: CoronaVirus.exe
description | ioc | process
File created | C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_MAK-ul-phn.xrm-ms.id-9AD7F29C.[coronavirus@qq.com].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\it\PresentationFramework.resources.dll.id-9AD7F29C.[coronavirus@qq.com].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\css\main-selector.css | CoronaVirus.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\fr-ma\ui-strings.js.id-9AD7F29C.[coronavirus@qq.com].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\fxplugins.dll.id-9AD7F29C.[coronavirus@qq.com].ncov | CoronaVirus.exe
File created | C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_es.properties.id-9AD7F29C.[coronavirus@qq.com].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ccme_base_non_fips.dll.id-9AD7F29C.[coronavirus@qq.com].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | CoronaVirus.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_2.2106.2807.0_x64__8wekyb3d8bbwe\Assets\Store\AppIcon.altform-unplated_targetsize-32.png | CoronaVirus.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Windows.Photos_21.21030.25003.0_x64__8wekyb3d8bbwe\Assets\PhotosBadgeLogo.contrast-white_scale-200.png | CoronaVirus.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTrial-pl.xrm-ms.id-9AD7F29C.[coronavirus@qq.com].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\codec\libg711_plugin.dll.id-9AD7F29C.[coronavirus@qq.com].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\IEAWSDC.DLL | CoronaVirus.exe
File created | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Orange.xml.id-9AD7F29C.[coronavirus@qq.com].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN096.XML | CoronaVirus.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\warning.gif | CoronaVirus.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest3-ul-oob.xrm-ms | CoronaVirus.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-20_altform-lightunplated.png | CoronaVirus.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\cs-cz\ui-strings.js.id-9AD7F29C.[coronavirus@qq.com].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-process-l1-1-0.dll | CoronaVirus.exe
File created | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Reflection.eftx.id-9AD7F29C.[coronavirus@qq.com].ncov | CoronaVirus.exe
File created | C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libchorus_flanger_plugin.dll.id-9AD7F29C.[coronavirus@qq.com].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_1.0.22.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsWideTile.scale-100_contrast-white.png | CoronaVirus.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\Images\Square44x44Logo.targetsize-64_altform-unplated.png | CoronaVirus.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fi-fi\ui-strings.js | CoronaVirus.exe
File created | C:\Program Files\VideoLAN\VLC\lua\playlist\appletrailers.luac.id-9AD7F29C.[coronavirus@qq.com].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\ResiliencyLinks\msedgewebview2.exe.sig.DATA | CoronaVirus.exe
File created | C:\Program Files\Microsoft Office\root\fre\StartMenu_Win10.mp4.id-9AD7F29C.[coronavirus@qq.com].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\cs\UIAutomationClientSideProviders.resources.dll | CoronaVirus.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\ExcelVL_KMS_Client-ul.xrm-ms.id-9AD7F29C.[coronavirus@qq.com].ncov | CoronaVirus.exe
File created | C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\en\Microsoft.PackageManagement.MsuProvider.resources.dll.id-9AD7F29C.[coronavirus@qq.com].ncov | CoronaVirus.exe
File created | C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe.id-9AD7F29C.[coronavirus@qq.com].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Threading.Thread.dll.id-9AD7F29C.[coronavirus@qq.com].ncov | CoronaVirus.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_Retail2-pl.xrm-ms.id-9AD7F29C.[coronavirus@qq.com].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\demux\libpva_plugin.dll | CoronaVirus.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\visualization\libgoom_plugin.dll.id-9AD7F29C.[coronavirus@qq.com].ncov | CoronaVirus.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_SubTrial-ul-oob.xrm-ms.id-9AD7F29C.[coronavirus@qq.com].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\GRPHFLT\PICTIM32.FLT.id-9AD7F29C.[coronavirus@qq.com].ncov | CoronaVirus.exe
File created | C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_ghost_school.png.id-9AD7F29C.[coronavirus@qq.com].ncov | CoronaVirus.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\core_icons_retina.png.id-9AD7F29C.[coronavirus@qq.com].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\zh-cn\ui-strings.js.id-9AD7F29C.[coronavirus@qq.com].ncov | CoronaVirus.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\tr\System.Windows.Forms.resources.dll.id-9AD7F29C.[coronavirus@qq.com].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\MSSRINTL.DLL | CoronaVirus.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00.UWPDesktop_14.0.29231.0_x64__8wekyb3d8bbwe\vcamp140.dll | CoronaVirus.exe
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Net.Sockets.dll.id-9AD7F29C.[coronavirus@qq.com].ncov | CoronaVirus.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\server_lg.gif.id-9AD7F29C.[coronavirus@qq.com].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_wer.dll.id-9AD7F29C.[coronavirus@qq.com].ncov | CoronaVirus.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_MAK-pl.xrm-ms.id-9AD7F29C.[coronavirus@qq.com].ncov | CoronaVirus.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\hu-hu\ui-strings.js.id-9AD7F29C.[coronavirus@qq.com].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libtrivial_channel_mixer_plugin.dll.id-9AD7F29C.[coronavirus@qq.com].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\Locales\mt.pak | CoronaVirus.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_1.0.38.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-20_contrast-white.png | CoronaVirus.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\pdf.gif | CoronaVirus.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CAPSULES\CAPSULES.INF.id-9AD7F29C.[coronavirus@qq.com].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\Locales\tr.pak | CoronaVirus.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Paint_10.2104.17.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PaintLargeTile.scale-125.png | CoronaVirus.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\ko-kr\AppStore_icon.svg.id-9AD7F29C.[coronavirus@qq.com].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_OEM_Perp-ul-phn.xrm-ms.id-9AD7F29C.[coronavirus@qq.com].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.ScreenSketch_11.2104.2.0_x64__8wekyb3d8bbwe\SnippingTool\Assets\StoreLogo.scale-200.png | CoronaVirus.exe
File opened for modification | C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\lib-amd\motion\FluentMotion.js | CoronaVirus.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp-ul-phn.xrm-ms.id-9AD7F29C.[coronavirus@qq.com].ncov | CoronaVirus.exe
File created | C:\Program Files\Microsoft Office\root\Office16\1033\MSOUC_K_COL.HXK.id-9AD7F29C.[coronavirus@qq.com].ncov | CoronaVirus.exe
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.Security.Principal.Windows.dll.id-9AD7F29C.[coronavirus@qq.com].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL_K_COL.HXK | CoronaVirus.exe
Drops file in Windows directory 1 IoCs
Processes:
RedEye.exe
description | ioc | process
File created | C:\Windows\Nope.txt | RedEye.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
msedge.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
-
Interacts with shadow copies 2 TTPs 5 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exe (5 instances)
pid | process
15920 | vssadmin.exe
9524 | vssadmin.exe
13220 | vssadmin.exe
11036 | vssadmin.exe
13144 | vssadmin.exe
-
Modifies data under HKEY_USERS 15 IoCs
Processes:
LogonUI.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | LogonUI.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00 | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "156" | LogonUI.exe
-
Modifies registry class 1 IoCs
Processes:
msedge.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1637591879-962683004-3585269084-1000\{B2890584-7349-4FA3-8F40-34B212DB8FC5} | msedge.exe
-
NTFS ADS 8 IoCs
Processes:
RedEye.exe, msedge.exe
description | ioc | process
File created | C:\windows.exe\:SmartScreen:$DATA | RedEye.exe
File created | C:\windows.exe\:Zone.Identifier:$DATA | RedEye.exe
File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 811609.crdownload:SmartScreen | msedge.exe
File opened for modification | C:\Users\Admin\Downloads\CoronaVirus.exe:Zone.Identifier | msedge.exe
File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 472682.crdownload:SmartScreen | msedge.exe
File opened for modification | C:\Users\Admin\Downloads\Locky.AZ.exe:Zone.Identifier | msedge.exe
File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 683811.crdownload:SmartScreen | msedge.exe
File opened for modification | C:\Users\Admin\Downloads\RedEye.exe:Zone.Identifier | msedge.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
msedge.exe, identity_helper.exe, CoronaVirus.exe
pid | process
1380 | msedge.exe (2 entries)
1384 | msedge.exe (2 entries)
1964 | msedge.exe (2 entries)
5072 | identity_helper.exe (2 entries)
3584 | msedge.exe (2 entries)
4208 | msedge.exe (2 entries)
4052 | CoronaVirus.exe (all remaining entries; 64 IoCs in total)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
msedge.exe
pid | process
1384 | msedge.exe
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs
Processes:
msedge.exe
pid | process
1384 | msedge.exe (16 identical entries)
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
vssvc.exe, RedEye.exe, shutdown.exe
description | pid | process
Token: SeBackupPrivilege | 20284 | vssvc.exe
Token: SeRestorePrivilege | 20284 | vssvc.exe
Token: SeAuditPrivilege | 20284 | vssvc.exe
Token: SeDebugPrivilege | 12516 | RedEye.exe
Token: SeShutdownPrivilege | 14992 | shutdown.exe
Token: SeRemoteShutdownPrivilege | 14992 | shutdown.exe
-
Suspicious use of FindShellTrayWindow 63 IoCs
Processes:
msedge.exe
pid | process
1384 | msedge.exe (63 identical entries)
-
Suspicious use of SendNotifyMessage 16 IoCs
Processes:
msedge.exe
pid | process
1384 | msedge.exe (16 identical entries)
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
msedge.exe, LogonUI.exe
pid | process
1384 | msedge.exe
15204 | LogonUI.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
msedge.exe
description | pid | process | target process
PID 1384 wrote to memory of 2112 | 1384 | msedge.exe | msedge.exe (2 entries)
PID 1384 wrote to memory of 2116 | 1384 | msedge.exe | msedge.exe (repeated entries)
PID 1384 wrote to memory of 1380 | 1384 | msedge.exe | msedge.exe (2 entries)
PID 1384 wrote to memory of 3340 | 1384 | msedge.exe | msedge.exe (repeated entries; 64 IoCs in total)
-
System policy modification 1 TTPs 11 IoCs
Processes:
RedEye.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\WindowsDefenderMAJ = "1" | RedEye.exe
Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | RedEye.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" | RedEye.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1" | RedEye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | RedEye.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "1" | RedEye.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | RedEye.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | RedEye.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | RedEye.exe
Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | RedEye.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives = "4" | RedEye.exe
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\wallpaper.jpg1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffee1053cb8,0x7ffee1053cc8,0x7ffee1053cd82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1928,4711510440611481807,1410216629413252910,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1940 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1928,4711510440611481807,1410216629413252910,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1928,4711510440611481807,1410216629413252910,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2520 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,4711510440611481807,1410216629413252910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3188 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,4711510440611481807,1410216629413252910,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,4711510440611481807,1410216629413252910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3968 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,4711510440611481807,1410216629413252910,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4476 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1928,4711510440611481807,1410216629413252910,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4568 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1928,4711510440611481807,1410216629413252910,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3180 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,4711510440611481807,1410216629413252910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,4711510440611481807,1410216629413252910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,4711510440611481807,1410216629413252910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5588 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,4711510440611481807,1410216629413252910,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4792 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1928,4711510440611481807,1410216629413252910,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5548 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1928,4711510440611481807,1410216629413252910,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5420 /prefetch:82⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,4711510440611481807,1410216629413252910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,4711510440611481807,1410216629413252910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5588 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,4711510440611481807,1410216629413252910,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,4711510440611481807,1410216629413252910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5836 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,4711510440611481807,1410216629413252910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5740 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,4711510440611481807,1410216629413252910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5968 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1928,4711510440611481807,1410216629413252910,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6356 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1928,4711510440611481807,1410216629413252910,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6224 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Downloads\CoronaVirus.exe"C:\Users\Admin\Downloads\CoronaVirus.exe"2⤵
- Deletes itself
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"3⤵
-
C:\Windows\system32\mode.commode con cp select=12514⤵
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"3⤵
-
C:\Windows\system32\mode.commode con cp select=12514⤵
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
-
C:\Windows\System32\mshta.exe"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"3⤵
-
C:\Windows\System32\mshta.exe"C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"3⤵
-
C:\Users\Admin\Downloads\CoronaVirus.exe"C:\Users\Admin\Downloads\CoronaVirus.exe"2⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1928,4711510440611481807,1410216629413252910,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1648 /prefetch:22⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,4711510440611481807,1410216629413252910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5284 /prefetch:12⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1928,4711510440611481807,1410216629413252910,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6020 /prefetch:82⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1928,4711510440611481807,1410216629413252910,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5988 /prefetch:82⤵
- Executes dropped EXE
- Loads dropped DLL
- NTFS ADS
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,4711510440611481807,1410216629413252910,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5936 /prefetch:12⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1928,4711510440611481807,1410216629413252910,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1052 /prefetch:82⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1928,4711510440611481807,1410216629413252910,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6104 /prefetch:82⤵
- Executes dropped EXE
- Loads dropped DLL
- NTFS ADS
-
C:\Users\Admin\Downloads\RedEye.exe"C:\Users\Admin\Downloads\RedEye.exe"2⤵
- Modifies Windows Defender Real-time Protection settings
- UAC bypass
- Disables RegEdit via registry modification
- Sets file execution options in registry
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops autorun.inf file
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Windows\SYSTEM32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
-
C:\Windows\SYSTEM32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
-
C:\Windows\SYSTEM32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
-
C:\Windows\SYSTEM32\NetSh.exeNetSh Advfirewall set allprofiles state off3⤵
- Modifies Windows Firewall
-
C:\Windows\System32\shutdown.exe"C:\Windows\System32\shutdown.exe" -r -t 00 -f3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x00000000000004C4 0x00000000000004C01⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\werfault.exewerfault.exe /h /shared Global\732a37df7c50440fa2057faa5a2b3242 /t 9312 /p 93881⤵
-
C:\Windows\system32\werfault.exewerfault.exe /h /shared Global\d0216effadf049f1a7cedcec557f9b80 /t 9548 /p 96481⤵
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa39c2055 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Create or Modify System Process (2): Windows Service (2)
- Boot or Logon Autostart Execution (2): Registry Run Keys / Startup Folder (2)
Privilege Escalation
- Create or Modify System Process (2): Windows Service (2)
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Boot or Logon Autostart Execution (2): Registry Run Keys / Startup Folder (2)
Downloads
SHA256b5e520ba72eff8f1b6ccb7803d85e05c650e6da298052b035371c58d7cdf3e03
SHA512b2dd5d6f0020ddf1c6973aacd341f9554efb43e8ba9e8e3324524a4fa388e31cbd3cf2ba189a6b9546c3f02e16e69288adbfb5e6e486863bd605c33585bdb9b0
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
3KB
MD5919513b7df65d48c15836933fe4581de
SHA1e88dd191b5b0902ebd1f74f20961ef98de2b28ea
SHA2561f29e57b16de6cc0ce9d7fc1a8a804ea2223ffe348b9e8aaccef3f76469c2e37
SHA5127a685617a45d7f559e44e4ad609be402e2ea6c4c6af49596213a48e66996c80877cfe6ffe7b089b705d329b2952c58dd8c9e648a2fc93a86a46379bfa78a8f3d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
1024B
MD52dbe52fdf0e78919193eb1f974e9851b
SHA1b6ccc46f954e09a1ee8f86a305769bd234f70216
SHA256065b956a1483174cebc2e3590d6fa7dac7de840c898887815662f898a31d83c9
SHA512483395e7c7ad58feb872aaf72f55f7fae5831f176672fe5175e84d16ff3f066b75f71cf7c94d01c4217be1dc28d752ad3d882f787be9d4c15797baa31c978b25
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD5f06601c356cecda2da4d081648fcb2f4
SHA1705b277cc2a480d12258cd89f3b2f1a85a1d4297
SHA25638a77df5f100ca5ff5cd1c626cadbe1c6c786b89b1d0d1a9208764d7870f5a73
SHA5123f775833d1cdd80d09381fc03b787f066c96c70699f500558bfc744b801ee6760e6515ace7382eba4d184f36c21a2e55e663cd9c97a1bec641773f3b7dd215f6
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5c5ecc3f154dd42584bf508ed63d7b859
SHA1e87988a70aa7a0cd02fc58ef2e4e4613c5885464
SHA256c6954d4b7d277c8d1ad27a209474d9e1a353f606f1837e4692e7651134ce51d5
SHA51283ede4bfe5bf53bc46c002bc4318b952cb168a9e0f3bbe5d0b2980a0529fcd01079a94449f55bd83b8088d6d7761274d52ac58b6b110594990eaca4c26ee53ee
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5ea171893d39eda8b1f6200eee9cd211b
SHA186abd986756cd70b41a1c346f95bb4932277ccda
SHA256447ff4aae45ab9ea9f837ffaf209670f10873b340ad7f1d03272495962599624
SHA512e87f30b0803ccb3dd5ef112ac4e0b7ec310211e098ce100f03e2ee8624f756b63527dfe17c7b916d02d20448380c3d6414d35aa9f51d5cb008db3e24a0fac5a6
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences~RFe5b4552.TMPFilesize
6KB
MD58982a5e2596be83ea4a2ff4e900309ab
SHA12869a20ba8bddfac80703777343549409b993aa5
SHA25615bef7227d50b5b2cbe435374f63a97550b5248a649e7a0fc8b0819e18443b22
SHA512238dda64c049b7dafa7e8e6a8cf87807bed2a2c42a9d10c5dea16a2bc02177ef82af81f20572f4b17c9bb58d0087eed8bc193507ba77d6e85ac236c57e37921c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD5d95c82089f45baf024a22fa985126581
SHA1a0d6625e6a3e588cde25741b579316861320c833
SHA2562a572a468b6b9abacf43452f97f4329587ebc43b614a3d6224f62dfb4c241eaa
SHA512de3090dd1768aa6c1fa687f4f213ba1b396f9cce4a66d2a94b087f43f7e7c92fb9ad4b5f535b91b70a1241031294ae09fa7782bb8de758da1e603591cb9ef021
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD527a997b0beec11bc9c1122ac857e4165
SHA10390a97ef1895c47c3e0d924bb9ffbddc93eebd3
SHA256c8c9c375bf4ec220f06aac3b466cdafde824ed3c2c73fa9b9e53d3e75c465179
SHA5123f554fb359561ab0e633f29ac6b254a7937c5e1579c1d8d37776fa1a169f9d076d44d225889f5a4de406feb04fd98c58318191f3e959f97b2ddf05ef049b90d0
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD533bed489f6f6ebee3601679683eaf2b9
SHA15a8db8d6fc31c6e38fb5ca410027f18f88becc09
SHA256dc2911dbfc9c1497929a6abff1b41e39316780a0032989edff5eb088c7a3891c
SHA512af74aabf59c6417ed3ce2e03d185cf40fceecf772d0c4215d9fb17cece9990c7b6f1a432bbb45eb7ca548d3b99d9328ee81472f4420102785933c5050bc16abd
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD54daf49471411598d7ecdc6a32751a4af
SHA1dcda36de2e94c452efb2b850b08360286ab103e2
SHA256a729a223659b50972297561ddfa1096087ebb1126fdea97f88d313fdf0689341
SHA5125b39e56cff9575f6bd27d55d84fc7017707dfe9f5918c0638c529c18cf6f06b8704c55410c5915568eae4d387ef3e05fd12d1d31043f22424f2511eb39be7132
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD55a5f51e7da2d5091617bf8e73846a385
SHA14159dbb564022d55cb059b8aa1920d9af917d620
SHA256147ecd6e86acb147a574b570c24876a52849f9ce94532bbfdf087b30c9e95710
SHA512a9ca1b21d73ff2320292a10a5ec756aa06b6f1ccef1130e4d5908a65e27c7dd85db0921f596fc92a6753a1deef33dc1308a126d4f8e2932245d3fbf280a91532
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD594c1d9bbc102da257e71f3df3021dfeb
SHA1bab64b884da90e9ec14f2102b243f1b92f0d3881
SHA256a12f5f9ce158e2cc7f8f2f67e1d226c4b7d5484479ddf3e97701ef3e685c2576
SHA51295953e3dd734adbea45fefb413ab6c0c2646ece4d1555d17d98f52bfd809d1962e3277927b1b8850227474b6046898bc6f41373c958a19d5d24521dee849f7eb
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58e0c6.TMPFilesize
538B
MD515c9d9bcd97aec204f2120e0e1280140
SHA1a1ba96f30352c6d41592a376dd37c79d2b707248
SHA25652486807420d02c8830de61a985282ddbf46a4f5fe401ab96a7e70073370cf6e
SHA5120c0ed01869e59141ce66c3a8009621a3d656a573d3a94ec297dfdb657cbd32380ab93a9d343dcfc6ef1bc2bad2005ace5f2e53891c82b7f7b12469254029bbcc
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5a7a71.TMPFilesize
1KB
MD591acf151cf2ffbed0357d55a521a6e6b
SHA148f00d01136915ba53337b8ab072d06170cea1a6
SHA256d4a041f95cc8af5dd5572fa796c2c5023f309b8d1eece5cc8e5a50d7180f9dcb
SHA512895c28dd3efabba3e14b2831ca1519124568eb473fc37bb24f643cb548e6eee657de36a1b2cbcba80f91b2ace76a147ce656da5da61bd515e5d8827f71605d77
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\heavy_ad_intervention_opt_out.dbFilesize
16KB
MD59a8e0fb6cf4941534771c38bb54a76be
SHA192d45ac2cc921f6733e68b454dc171426ec43c1c
SHA2569ee9211a57c3f6fa211fe0323fa8cd521e7cbffcd8ff0896645a45795dc472be
SHA51212ed22537dcc79d53f6c7d39e92a38f8fea076d793198928f5b7a5dd1234d50a3c0b4815632f3fadf8bc4ef0499773d22bd83f961d2d0ffd8afacf471bd3a5ae
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\previews_opt_out.dbFilesize
16KB
MD5d926f072b41774f50da6b28384e0fed1
SHA1237dfa5fa72af61f8c38a1e46618a4de59bd6f10
SHA2564f7b0e525d4bfc53d5df49589e25a0bccf2fcf6a1a0ca3f94d3285bb9cf0a249
SHA512a140df6ec0d3099ef374e8f3ece09bf91bc896ac4a1d251799a521543fe9bdea796ba09fa47932bd54fa939118495078f9258557b32c31d3d4011b0666a4723f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD5808fccf20b3e8d3d8e8e4d68642df5b1
SHA1111b28623d14ba1beb651bb33a69e52daa259857
SHA2561315fc6bdf6920a35566729fad134c6daefd4228e6b1f5e58d5aa7f123583fa9
SHA5129a716ac8b8cfbacd6a39619aa14b0082d783a8d91ddd9026815dfb26ec1934a4af9fed59cfbb386fa1a285e2d064707e674ff56de6044bb374287ff4b2f343f7
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD593235623585cb3bdef63ac1a7a1f9e02
SHA15f79a8a81970468a259b0646ddff84abaa94a97d
SHA256cb8a060964ecf257f435a545cb32597d531f6225e273419f6918a59624428753
SHA512362fd3f929af65ef255039b53c3c66ec47a34e9e82e4b8b7356a8fa4f21b0fba2661e437efe6d8792117b478bef9005d31e5875d15428871ec051e3cd707b1f1
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD5c3c0ad4656d2fd8658affb066a37cf68
SHA100eacbdd25b5f72be9f334e0a20a4423ccee3112
SHA256ed61566dea3efadcfd90accb3a59a876f36806e1fa6e35406f40d4fe084d6a4a
SHA512026dd534519d9ad1c8161e479c05058d1464897954fc95d45b5b88b53343b449f53be1ade81fdb2e454ec66bc7fde48e5ebe433be7f5c8dd544837f17688f957
-
C:\Users\Admin\Downloads\CoronaVirus.exe:Zone.IdentifierFilesize
26B
MD5fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98
-
C:\Users\Admin\Downloads\Unconfirmed 472682.crdownloadFilesize
181KB
MD50826df3aaa157edff9c0325f298850c2
SHA1ed35b02fa029f1e724ed65c2de5de6e5c04f7042
SHA2562e4319ff62c03a539b2b2f71768a0cfc0adcaedbcca69dbf235081fe2816248b
SHA512af6c5734fd02b9ad3f202e95f9ff4368cf0dfdaffe0d9a88b781b196a0a3c44eef3d8f7c329ec6e3cbcd3e6ab7c49df7d715489539e631506ca1ae476007a6a6
-
C:\Users\Admin\Downloads\Unconfirmed 683811.crdownloadFilesize
10.6MB
MD5e9e5596b42f209cc058b55edc2737a80
SHA1f30232697b3f54e58af08421da697262c99ec48b
SHA2569ac9f207060c28972ede6284137698ce0769e3695c7ad98ab320605d23362305
SHA512e542319beb6f81b493ad80985b5f9c759752887dc3940b77520a3569cd5827de2fcae4c2357b7f9794b382192d4c0b125746df5cf08f206d07b2b473b238d0c7
-
C:\Users\Admin\Downloads\Unconfirmed 811609.crdownloadFilesize
1.0MB
MD5055d1462f66a350d9886542d4d79bc2b
SHA1f1086d2f667d807dbb1aa362a7a809ea119f2565
SHA256dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0
SHA5122c5e570226252bdb2104c90d5b75f11493af8ed1be8cb0fd14e3f324311a82138753064731b80ce8e8b120b3fe7009b21a50e9f4583d534080e28ab84b83fee1
-
\??\pipe\LOCAL\crashpad_1384_PEKMJTEMLCUVOQMVMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/4052-495-0x0000000000400000-0x000000000056F000-memory.dmpFilesize
1.4MB
-
memory/4052-13089-0x0000000000400000-0x000000000056F000-memory.dmpFilesize
1.4MB
-
memory/4052-470-0x0000000000400000-0x000000000056F000-memory.dmpFilesize
1.4MB
-
memory/4052-494-0x000000000A6A0000-0x000000000A6D4000-memory.dmpFilesize
208KB
-
memory/12516-24296-0x000002F7DA7B0000-0x000002F7DB7C6000-memory.dmpFilesize
16.1MB
-
memory/12516-24294-0x000002F7BF5E0000-0x000002F7C007C000-memory.dmpFilesize
10.6MB
-
memory/12516-24295-0x00007FFEDD550000-0x00007FFEDE012000-memory.dmpFilesize
10.8MB
-
memory/12516-24297-0x000002F7C0480000-0x000002F7C0486000-memory.dmpFilesize
24KB
-
memory/12516-24298-0x000002F7DA6B0000-0x000002F7DA6C0000-memory.dmpFilesize
64KB
-
memory/12516-24351-0x00007FFEDD550000-0x00007FFEDE012000-memory.dmpFilesize
10.8MB
-
memory/26864-14483-0x0000000000400000-0x000000000056F000-memory.dmpFilesize
1.4MB
-
memory/26864-24142-0x000000000A560000-0x000000000A594000-memory.dmpFilesize
208KB
-
memory/26864-24143-0x0000000000400000-0x000000000056F000-memory.dmpFilesize
1.4MB
-
memory/26864-24158-0x000000000A560000-0x000000000A594000-memory.dmpFilesize
208KB
-
memory/26864-24157-0x0000000000400000-0x000000000056F000-memory.dmpFilesize
1.4MB