Resubmissions
10-04-2024 19:40 240410-ydkgescg9z 1
10-04-2024 19:27 240410-x6ewzace5s 10
10-04-2024 19:16 240410-xzannshb36 6
10-04-2024 19:04 240410-xq4kdsca2y 10
10-04-2024 18:56 240410-xlmq3sbg4y 10
10-04-2024 18:54 240410-xka1wsbf9s 7
10-04-2024 18:49 240410-xga7gsgd82 6
10-04-2024 18:41 240410-xbrmaabd2x 8

Analysis
max time kernel: 540s
max time network: 543s
platform: windows11-21h2_x64
resource: win11-20240221-en
resource tags: arch:x64 arch:x86 image:win11-20240221-en locale:en-us os:windows11-21h2-x64 system
submitted: 10-04-2024 19:04
Static task
static1
Behavioral task
behavioral1
Sample
sample.html
Resource
win11-20240221-en
Errors
General
Target: sample.html
Size: 467KB
MD5: 12b9d6652e7d1689ed510c50c53bd38c
SHA1: 013a1cc01a97a97d9b18dfbafcfec91a57e6232a
SHA256: 4b1aa26e12d9f06ba494ad2e2223466c8ddc5bc61b5f189630dffea54f3d93ce
SHA512: 0ce40b9a4d137d99330f7bc2776734d121d485d3f1e3af23ede4bbebead330c30de2c4568029303259812d591ef7bbc52bd1f16d8912dd5ea006523008346e7c
SSDEEP: 6144:DFoiM/iMTiMkiMriM2iMSiMliMziMViMuMt:D2iciiiViQibiRimiIiOiXMt
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Temp1_The-MALWARE-Repo-master.zip\\The-MALWARE-Repo-master\\Ransomware\\Annabelle.exe" | Annabelle.exe
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | Annabelle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | Annabelle.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Annabelle.exe
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Disables RegEdit via registry modification 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Annabelle.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Annabelle.exe
Disables Task Manager via registry modification
-
Disables use of System Restore points 1 TTPs
-
Modifies Windows Firewall 2 TTPs 1 IoCs
pid | Process
1404 | NetSh.exe
Sets file execution options in registry 2 TTPs 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Autoruns64.exe\Debugger = "RIP" | Annabelle.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bcdedit.exe\Debugger = "RIP" | Annabelle.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mpg4dmod.dll | Annabelle.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\secpol.msc | Annabelle.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mydocs.dll\Debugger = "RIP" | Annabelle.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\url.dll\Debugger = "RIP" | Annabelle.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe | Annabelle.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe | Annabelle.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\systemexplorer.exe\Debugger = "RIP" | Annabelle.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger = "RIP" | Annabelle.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dllhost.exe\Debugger = "RIP" | Annabelle.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DCIMAN32.exe\Debugger = "RIP" | Annabelle.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\logoff.exe\Debugger = "RIP" | Annabelle.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe | Annabelle.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe\Debugger = "RIP" | Annabelle.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\opera.exe\Debugger = "RIP" | Annabelle.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mpg4dmod.dll\Debugger = "RIP" | Annabelle.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "RIP" | Annabelle.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gpedit.msc | Annabelle.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chkdsk.exe\Debugger = "RIP" | Annabelle.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DBGHELP.exe | Annabelle.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DBGHELP.exe\Debugger = "RIP" | Annabelle.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe | Annabelle.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\usbui.dll | Annabelle.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\webcheck.dll | Annabelle.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\microsoftedge.exe | Annabelle.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "RIP" | Annabelle.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gpedit.msc\Debugger = "RIP" | Annabelle.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe\Debugger = "RIP" | Annabelle.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\usbui.dll\Debugger = "RIP" | Annabelle.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\logoff.exe | Annabelle.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UserAccountControlSettings.exe | Annabelle.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "RIP" | Annabelle.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dllhost.exe | Annabelle.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wmplayer.exe\Debugger = "RIP" | Annabelle.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shellstyle.dll | Annabelle.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\control.exe | Annabelle.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shellstyle.dll\Debugger = "RIP" | Annabelle.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\secpol.msc\Debugger = "RIP" | Annabelle.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "RIP" | Annabelle.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\microsoftedgecp.exe | Annabelle.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe\Debugger = "RIP" | Annabelle.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe | Annabelle.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chkdsk.exe | Annabelle.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mydocs.dll | Annabelle.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\webcheck.dll\Debugger = "RIP" | Annabelle.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "RIP" | Annabelle.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe\Debugger = "RIP" | Annabelle.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe\Debugger = "RIP" | Annabelle.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UserAccountControlSettings.exe\Debugger = "RIP" | Annabelle.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Autoruns64.exe | Annabelle.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\systemexplorer.exe | Annabelle.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\Debugger = "RIP" | Annabelle.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe | Annabelle.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\yandex.exe\Debugger = "RIP" | Annabelle.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll.exe | Annabelle.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe | Annabelle.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\microsoftedge.exe\Debugger = "RIP" | Annabelle.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\microsoftedgecp.exe\Debugger = "RIP" | Annabelle.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\attrib.exe | Annabelle.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\attrib.exe\Debugger = "RIP" | Annabelle.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rasman.dll\Debugger = "RIP" | Annabelle.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\url.dll | Annabelle.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Autoruns.exe | Annabelle.exe
Adds Run key to start application 2 TTPs 3 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UpdateBackup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Temp1_The-MALWARE-Repo-master.zip\\The-MALWARE-Repo-master\\Ransomware\\Annabelle.exe" | Annabelle.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000\Software\Microsoft\Windows\CurrentVersion\Run\UpdateBackup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Temp1_The-MALWARE-Repo-master.zip\\The-MALWARE-Repo-master\\Ransomware\\Annabelle.exe" | Annabelle.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UpdateBackup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Temp1_The-MALWARE-Repo-master.zip\\The-MALWARE-Repo-master\\Ransomware\\Annabelle.exe" | Annabelle.exe
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Interacts with shadow copies 2 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid | Process
2468 | vssadmin.exe
832 | vssadmin.exe
2284 | vssadmin.exe
Modifies data under HKEY_USERS 15 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "75" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432" | LogonUI.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00 | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | LogonUI.exe
Modifies registry class 6 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-627134735-902745853-4257352768-1000\{A3F65DB4-E6C6-4954-871F-F4267D79B3DE} | msedge.exe
Key created | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings | msedge.exe
Key created | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings | OpenWith.exe
Key created | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings | OpenWith.exe
Key created | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings | OpenWith.exe
Key created | \REGISTRY\USER\S-1-5-21-627134735-902745853-4257352768-1000_Classes\Local Settings | OpenWith.exe
NTFS ADS 3 IoCs
description | ioc | Process
File opened for modification | C:\Users\Admin\Downloads\MrsMajor-3.0-master.zip:Zone.Identifier | msedge.exe
File opened for modification | C:\Users\Admin\Downloads\MrsMajor-3.0-master (1).zip:Zone.Identifier | msedge.exe
File opened for modification | C:\Users\Admin\Downloads\The-MALWARE-Repo-master.zip:Zone.Identifier | msedge.exe
Suspicious behavior: EnumeratesProcesses 20 IoCs
pid | Process
4632 | msedge.exe (2 entries)
2824 | msedge.exe (2 entries)
3516 | msedge.exe (2 entries)
3388 | msedge.exe (2 entries)
4000 | identity_helper.exe (2 entries)
1368 | msedge.exe (4 entries)
3852 | msedge.exe (2 entries)
900 | msedge.exe (2 entries)
2984 | msedge.exe (2 entries)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 30 IoCs
pid | Process
2824 | msedge.exe (30 entries)
Suspicious use of AdjustPrivilegeToken 5 IoCs
description | pid | Process
Token: SeBackupPrivilege | 2344 | vssvc.exe
Token: SeRestorePrivilege | 2344 | vssvc.exe
Token: SeAuditPrivilege | 2344 | vssvc.exe
Token: SeShutdownPrivilege | 2480 | shutdown.exe
Token: SeRemoteShutdownPrivilege | 2480 | shutdown.exe
Suspicious use of FindShellTrayWindow 64 IoCs
pid | Process
2824 | msedge.exe (64 entries)
Suspicious use of SendNotifyMessage 12 IoCs
pid | Process
2824 | msedge.exe (12 entries)
Suspicious use of SetWindowsHookEx 5 IoCs
pid | Process
2200 | OpenWith.exe
4220 | OpenWith.exe
1984 | OpenWith.exe
2680 | OpenWith.exe
4036 | LogonUI.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target (distinct rows; 64 entries in total)
PID 2824 wrote to memory of 2844 | 2824 | msedge.exe | 79
PID 2824 wrote to memory of 4472 | 2824 | msedge.exe | 80
PID 2824 wrote to memory of 4632 | 2824 | msedge.exe | 81
PID 2824 wrote to memory of 4700 | 2824 | msedge.exe | 82
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\sample.html1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2824 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8d6a83cb8,0x7ff8d6a83cc8,0x7ff8d6a83cd82⤵PID:2844
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,1089535193074257095,10006407134511508952,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1920 /prefetch:22⤵PID:4472
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1908,1089535193074257095,10006407134511508952,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:4632
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1908,1089535193074257095,10006407134511508952,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2704 /prefetch:82⤵PID:4700
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,1089535193074257095,10006407134511508952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3164 /prefetch:12⤵PID:2660
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,1089535193074257095,10006407134511508952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3172 /prefetch:12⤵PID:856
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,1089535193074257095,10006407134511508952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:12⤵PID:4876
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,1089535193074257095,10006407134511508952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4040 /prefetch:12⤵PID:4820
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1908,1089535193074257095,10006407134511508952,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5072 /prefetch:82⤵PID:1988
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1908,1089535193074257095,10006407134511508952,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5160 /prefetch:82⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3516
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1908,1089535193074257095,10006407134511508952,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5156 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:3388
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,1089535193074257095,10006407134511508952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:12⤵PID:3176
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,1089535193074257095,10006407134511508952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3900 /prefetch:12⤵PID:1296
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,1089535193074257095,10006407134511508952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:12⤵PID:5060
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1908,1089535193074257095,10006407134511508952,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5736 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4000
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree level 2, PID 3144)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,1089535193074257095,10006407134511508952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5156 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree level 2, PID 4140)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,1089535193074257095,10006407134511508952,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5792 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree level 2, PID 1888)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,1089535193074257095,10006407134511508952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4660 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree level 2, PID 3220)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,1089535193074257095,10006407134511508952,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4704 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree level 2, PID 2212)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,1089535193074257095,10006407134511508952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4972 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree level 2, PID 1948)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,1089535193074257095,10006407134511508952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6564 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree level 2, PID 1368)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,1089535193074257095,10006407134511508952,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6876 /prefetch:2
- Suspicious behavior: EnumeratesProcesses

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree level 2, PID 3240)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,1089535193074257095,10006407134511508952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4972 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree level 2, PID 2912)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,1089535193074257095,10006407134511508952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5736 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree level 2, PID 1468)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,1089535193074257095,10006407134511508952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6272 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree level 2, PID 4920)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,1089535193074257095,10006407134511508952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5632 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree level 2, PID 4232)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,1089535193074257095,10006407134511508952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree level 2, PID 3640)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,1089535193074257095,10006407134511508952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3700 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree level 2, PID 3852)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1908,1089535193074257095,10006407134511508952,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4764 /prefetch:8
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree level 2, PID 3700)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,1089535193074257095,10006407134511508952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree level 2, PID 2696)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,1089535193074257095,10006407134511508952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree level 2, PID 1596)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,1089535193074257095,10006407134511508952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5836 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree level 2, PID 4196)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,1089535193074257095,10006407134511508952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3892 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree level 2, PID 4956)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,1089535193074257095,10006407134511508952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5516 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree level 2, PID 3648)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,1089535193074257095,10006407134511508952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6868 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree level 2, PID 4040)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,1089535193074257095,10006407134511508952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2932 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree level 2, PID 900)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1908,1089535193074257095,10006407134511508952,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5860 /prefetch:8
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree level 2, PID 3988)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,1089535193074257095,10006407134511508952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6896 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree level 2, PID 4904)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,1089535193074257095,10006407134511508952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5676 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree level 2, PID 2696)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,1089535193074257095,10006407134511508952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree level 2, PID 1028)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,1089535193074257095,10006407134511508952,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3944 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (tree level 2, PID 2984)
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1908,1089535193074257095,10006407134511508952,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6888 /prefetch:8
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
C:\Windows\System32\CompPkgSrv.exe (tree level 1, PID 488)
C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe (tree level 1, PID 5060)
C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\rundll32.exe (tree level 1, PID 2000)
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\system32\OpenWith.exe (tree level 1, PID 2200)
C:\Windows\system32\OpenWith.exe -Embedding
- Modifies registry class
- Suspicious use of SetWindowsHookEx

C:\Windows\system32\OpenWith.exe (tree level 1, PID 4220)
C:\Windows\system32\OpenWith.exe -Embedding
- Modifies registry class
- Suspicious use of SetWindowsHookEx

C:\Windows\system32\OpenWith.exe (tree level 1, PID 1984)
C:\Windows\system32\OpenWith.exe -Embedding
- Modifies registry class
- Suspicious use of SetWindowsHookEx

C:\Windows\system32\OpenWith.exe (tree level 1, PID 2680)
C:\Windows\system32\OpenWith.exe -Embedding
- Modifies registry class
- Suspicious use of SetWindowsHookEx
C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\Annabelle.exe (tree level 1, PID 396)
"C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\Annabelle.exe"
- Modifies WinLogon for persistence
- Modifies Windows Defender Real-time Protection settings
- UAC bypass
- Disables RegEdit via registry modification
- Sets file execution options in registry
- Adds Run key to start application

C:\Windows\system32\vssadmin.exe (tree level 2, PID 2468)
vssadmin delete shadows /all /quiet
- Interacts with shadow copies

C:\Windows\system32\vssadmin.exe (tree level 2, PID 2284)
vssadmin delete shadows /all /quiet
- Interacts with shadow copies

C:\Windows\system32\vssadmin.exe (tree level 2, PID 832)
vssadmin delete shadows /all /quiet
- Interacts with shadow copies

C:\Windows\system32\NetSh.exe (tree level 2, PID 1404)
NetSh Advfirewall set allprofiles state off
- Modifies Windows Firewall

C:\Windows\System32\shutdown.exe (tree level 2, PID 2480)
"C:\Windows\System32\shutdown.exe" -r -t 00 -f
- Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\vssvc.exe (tree level 1, PID 2344)
C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\LogonUI.exe (tree level 1, PID 4036)
"LogonUI.exe" /flags:0x4 /state0:0xa39c0855 /state1:0x41c64e6d
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (2)
  - Windows Service (2)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (2)
  - Windows Service (2)
Downloads
-
Filesize
152B
MD5d4604cbec2768d84c36d8ab35dfed413
SHA1a5b3db6d2a1fa5a8de9999966172239a9b1340c2
SHA2564ea5e5f1ba02111bc2bc9320ae9a1ca7294d6b3afedc128717b4c6c9df70bde2
SHA512c8004e23dc8a51948a2a582a8ce6ebe1d2546e4c1c60e40c6583f5de1e29c0df20650d5cb36e5d2db3fa6b29b958acc3afd307c66f48c168e68cbb6bcfc52855
-
Filesize
152B
MD5577e1c0c1d7ab0053d280fcc67377478
SHA160032085bb950466bba9185ba965e228ec8915e5
SHA2561d2022a0870c1a97ae10e8df444b8ba182536ed838a749ad1e972c0ded85e158
SHA51239d3fd2d96aee014068f3fda389a40e3173c6ce5b200724c433c48ddffe864edfc6207bb0612b8a811ce41746b7771b81bce1b9cb71a28f07a251a607ce51ef5
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\5a234582-c880-4c7d-9200-27398efbbab4.tmp
Filesize6KB
MD50ac637bc3442ab79672c59ae18313a69
SHA163e34a1308d13fbb8844d6168e3e517aab87cff0
SHA2568cb3ad3c2cad92e2e667585db60a7dfa8d791e10b048bccb1ecdcc4e835b297a
SHA512243a51b32515ae8c7b332c8c825b6f0b7ffb7cd27a11b1a6f45d0b2c532a8286f90ab1800447722d1954c434c3f2ec3419d5d716f6d738364d971e9e454c14c2
-
Filesize
64KB
MD5d6b36c7d4b06f140f860ddc91a4c659c
SHA1ccf16571637b8d3e4c9423688c5bd06167bfb9e9
SHA25634013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92
SHA5122a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487
-
Filesize
67KB
MD5d2d55f8057f8b03c94a81f3839b348b9
SHA137c399584539734ff679e3c66309498c8b2dd4d9
SHA2566e273f3491917d37f4dbb6c3f4d3f862cada25c20a36b245ea7c6bd860fb400c
SHA5127bcdbb9e8d005a532ec12485a9c4b777ddec4aee66333757cdae3f84811099a574e719d45eb4487072d0162fa4654349dd73705a8d1913834535b1a3e2247dc6
-
Filesize
35KB
MD5a053b626552864ee4e93f684617be84c
SHA1977f090d070e793072bfb7dce69812dc41883d4e
SHA25625b3ad881a0a88c6228e12688078638fe0b96210d0f0e20721e3c911a5b37dd4
SHA512f7b444b1a1c465a4614cd1b9bd678875251f44e227abaaaf1fa6b35bb67bb25932b9b11cc8fabd19d2d5d6e80c6ad0b15149869e6e41f6345db3d49f08683e36
-
Filesize
19KB
MD52e86a72f4e82614cd4842950d2e0a716
SHA1d7b4ee0c9af735d098bff474632fc2c0113e0b9c
SHA256c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f
SHA5127a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1
-
Filesize
65KB
MD556d57bc655526551f217536f19195495
SHA128b430886d1220855a805d78dc5d6414aeee6995
SHA256f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4
SHA5127814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb
-
Filesize
88KB
MD5b38fbbd0b5c8e8b4452b33d6f85df7dc
SHA1386ba241790252df01a6a028b3238de2f995a559
SHA256b18b9eb934a5b3b81b16c66ec3ec8e8fecdb3d43550ce050eb2523aabc08b9cd
SHA512546ca9fb302bf28e3a178e798dd6b80c91cba71d0467257b8ed42e4f845aa6ecb858f718aac1e0865b791d4ecf41f1239081847c75c6fb3e9afd242d3704ad16
-
Filesize
1.1MB
MD5d404b61450122b2ad393c3ece0597317
SHA1d18809185baef8ec6bbbaca300a2fdb4b76a1f56
SHA25603551254e2231ecd9c7ee816b488ecbde5d899009cd9abbe44351d98fbf2f5fb
SHA512cb1a2867cc53733dc72cd294d1b549fa571a041d72de0fa4d7d9195bcac9f8245c2095e6a6f1ece0e55279fa26337cdcc82d4c269e1dd186cbbd2b974e2d6a70
-
Filesize
32KB
MD5bbc7e5859c0d0757b3b1b15e1b11929d
SHA159df2c56b3c79ac1de9b400ddf3c5a693fa76c2d
SHA256851c67fbabfda5b3151a6f73f283f7f0634cd1163719135a8de25c0518234fc2
SHA512f1fecb77f4cdfe7165cc1f2da042048fd94033ca4e648e50ebc4171c806c3c174666bb321c6dda53f2f175dc310ad2459e8f01778acaee6e7c7606497c0a1dea
-
Filesize
74KB
MD5bc9faa8bb6aae687766b2db2e055a494
SHA134b2395d1b6908afcd60f92cdd8e7153939191e4
SHA2564a725d21a3c98f0b9c5763b0a0796818d341579817af762448e1be522bc574ed
SHA512621386935230595c3a00b9c53ea25daa78c2823d32085e22363dc438150f1cb6b3d50be5c58665886fac2286ae63bf1f62c8803cb38a0cac201c82ee2db975c4
-
Filesize
24KB
MD5e1831f8fadccd3ffa076214089522cea
SHA110acd26c218ff1bbbe6ac785eab5485045f61881
SHA2569b9a4a9191b023df1aa66258eb19fc64ae5356cfc97a9dda258c6cc8ba1059ac
SHA512372c486ac381358cc301f32cd89b7a05da7380c03fa524147c2ddf3f5e23f9b57c17485aaedc85b413461a879afc42e729547b0c96c26c49bbdb7301cd064298
-
Filesize
49KB
MD5e1f8c1a199ca38a7811716335fb94d43
SHA1e35ea248cba54eb9830c06268004848400461164
SHA25678f0f79cdd0e79a9fba9b367697255425b78da4364dc522bc59a3ce65fe95a6c
SHA51212310f32ee77701c1e3491325a843d938c792f42bfdbbc599fe4b2f6703f5fe6588fbcd58a6a2d519050fc9ef53619e2e35dfadcbda4b218df8a912a59a5381a
-
Filesize
44KB
MD5a9ed0f3a37bc313d7df62e595ca1ce2d
SHA13cd166ea5f37f3f645ebf7ee064057f7cd013eef
SHA2563a44f7be6fcf889e508b789374c0fe29344dc6fa7a25348083888f7c98f0c57a
SHA5126631523a8bd34ec39c69b2361c2192abfa998bea86d8690f0f5d25124b1ea4cbbef0e1d406b0afeffa5be537b9c75154fe7710c80650d9885ba81a444a30a5ac
-
Filesize
21KB
MD5939b17598242605d4cda089e4c40e52a
SHA1cb7e96bbb89879ab97002ef7764e868d8536fdbd
SHA25614d0a9ba41b036d7702963b2f0048a670f138372fbc3644ec4f009cd3184e041
SHA512d62140ff22453508964a7fc40602adc68b2ceea883eb7e77206a84569b2cb6ffad4b0796371ca28ce1a7110adf58786b374854d5fb1dc53a42588d61c79143e7
-
Filesize
20KB
MD58b2813296f6e3577e9ac2eb518ac437e
SHA16c8066353b4d463018aa1e4e9bb9bf2e9a7d9a86
SHA256befb3b0471067ac66b93fcdba75c11d743f70a02bb9f5eef7501fa874686319d
SHA512a1ed4d23dfbe981bf749c2008ab55a3d76e8f41801a09475e7e0109600f288aa20036273940e8ba70a172dec57eec56fe7c567cb941ba71edae080f2fdcc1e0c
-
Filesize
23KB
MD58afc0b779211c04de66abb7d3a425b6e
SHA1cfa3994bff79c945aa3552852aa75801f7029782
SHA25674fd2a65c888063313021b081707991510bfa53e9869626a05c2f4610e006daa
SHA5129a9c44507d3810789fb4dc3332d327666f05ae67f8a5fa5d91c8e3d03e91801bf0be550d226824167419d26649d65e684cf41fd0bcca7dcdebf85d518faa211e
-
Filesize
21KB
MD5e1bcbcbff08ad26b8ccc9c0a82c5b703
SHA1de44d9ba23492404a7663ace05f82147af193268
SHA2568701fd45aabbacc8605d62ec6f64ea910c1bb844b0975f2e78f6e795a122a1d7
SHA512f4a011fb066bebe222213462e2fc691ff109da417e1f1909ad16c6a561cb09fc0fdf9a1991d2b748b304701d6b04c903958212c83dd67f890f891f22ea194406
-
Filesize
59KB
MD5063fe934b18300c766e7279114db4b67
SHA1d7e71855cf6e8d1e7fbaa763223857f50cd1d4bd
SHA2568745914e0214bcd9d2e6a841f0679a81084ef3fc3d99125876bee26653f4253e
SHA5129d0dfc21306b3a56c2ecdf1265392271969e3765e161e117c8765125b34793e24458217cf6514b364f351f47e65baaaf5856be0d13406a789f844d6ba8c7075f
-
Filesize
65KB
MD50f8092bcce67b0b6b4a308c8887cf0ed
SHA1a12fd75c93ef65aa7d0b6140bd515334e384beff
SHA256c410d812fc6eeb6e0f02c719f2d26fe81b0b9d931a3aa29838ca1c29ad43413a
SHA512435c6bfd39ddfdcc47c80d396eaa557843083d00223f576e4de3dfde9ebd64c507678ffb994ad0d9c18b17a0b9edf69238f3976554ffd0118c3ab7c9190917af
-
Filesize
151KB
MD5da800376add972af643bd5ff723c99a5
SHA144fe56009c6740ec7e25e33e83a169acff4c6b6c
SHA256bf252b560c9cc78dfa63abe0ae5caa03b83e99b1ca5fae3c9515483c57aaae3f
SHA512292819ce339d4546d478fc0aca22ae63f4b7231f6a0aca3fbe1069d53ad09e1e3c936205cdbeb53bbedbfcbc33f3b6077f84364a150f7627f87ac091de08952d
-
Filesize
23KB
MD5efe81e4daef615b00dbe73ce495ca572
SHA1efa6284b26573a32770851c3ccfc54de3d6642d2
SHA2568a2115d91ed4df1f74c0bff1d7800c6c776fed3addf7e6ce4637a1bd0c9f81be
SHA512a561f8475dc2ec744dad499bfdb45b5c113a216d93c3873321e9fbbf22dfdde932af4dedd5819f4f4e0c8bd614efb77e68825561aaf05ec69c19df6eb7271b06
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize4KB
MD5b5f20d69c943d83ed80cef509256833f
SHA18b969a9009a94823848c426151e26623df15cfea
SHA2560ee885e00a9e8459d7a9307d8ae16a2183bae7fa55e379ca6daf1c2e4ff22a23
SHA512f8198ee709b8009549c984cb99673966f8b5287e5fb33e4c755c4da51ca7896e3c61c9d0dae4f6c05c29f586e1b8072e64ce1fbae9b60b33b46e6e37890d5edd
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize3KB
MD5ca4b7857340f00c36c561e3a33e65738
SHA1ac7bde7ba564bcb3c19e3bab9db25c34a79044a1
SHA256a907b4f8806b09b976b0579cf565ebbee340bffadb10ad45b76a6ae297bfbf5e
SHA5125b385c3c370d86ccc83cc6650c092c1c30d09fe9f9b072f737d805854d6b6c13b072184d14f83da66cd581ea2618fa75ec0ce207235788307a5b74c272f0445e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize4KB
MD5e26d9f9ad30f90560261b6499a5fc58e
SHA1886b271f54ced521b87c0633d2b99ecaf2d88824
SHA256a29d146b1cbe98f088cab0ebe76fff24144522b2cad65932f3b3814d85135622
SHA51243077685cfc935291080da6c489331ce7d9c7fdfb516bfc23dab3375f3e29b432711729749876be405f2e355ad707e2d0ac18bbd057bf8ca3ea01855c5df8e87
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize3KB
MD5cadeb05534103979ab3601eb05b35cc3
SHA1f2da550265502f67394016b20841317c19453438
SHA256d7298a40f76c5f9c5400df69e2670031c0ca2680e08ccbac19e6a56f5466b14c
SHA5123034c989e349ef4ae78441d956c1ed22f899c67d0f5f0f8ff062f32e030bde78fdbf273ecd41548ebe4077b6ffec8883ab42a03fb569836d3f6eaeba010658ec
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize4KB
MD53f07664e48df79c908a957ed8efc422d
SHA1a07862e01e6b0ac8f980c99a8686a74b32dc1231
SHA2565b1cf64a9a4f2232cef2d7610762ca700f226d3b1ad608d79059b1cfa6e32bb1
SHA5122304b513fdf2d3d7ea50d15c3d14182009deb9a9eeb6d7ac00abd2fa3afbde45f44d84fe7ab0df9b0fb7e2307e5c4511b501705a54ca1e206349dc382c348f1e
-
Filesize
2KB
MD55951ea7f9f3e3d1c836ccbb6433e10d5
SHA1e50870656ab563e6c0aa71245c0399fd906b50da
SHA256793cb3e9435aba0ba475532055910c2a06bad846ac0dbe278e443f6ee080ba99
SHA51264815cbc1fc10ddaf4b73e6c1f15cbbce559f2b3640b469d3db10774147d30262deeb4619700623cd04f1eb281f2fe8914ac3a18a935a01785b84796a810037b
-
Filesize
1KB
MD5237e27c1adf80f4e1ce629861a3a234d
SHA1703b4384033ebbe8efe23694a959578f365422e7
SHA256cb99f616300462b053b841ac6988d62f28f921f941c11a99b242db791da8a6ca
SHA512161c45018f00ff4cb6338f17029d7b09d605fac295ca0cdf145ad952e0f38544ff4af28c059d7f2d9ac638f078f95fea5142576828b6360cedc23df67efdd501
-
Filesize
2KB
MD543b13fb9e7e1ba50e7b0fba5a0d95a49
SHA1c9d86d01e030b5aa3cd43042ae23bc9ef16706d7
SHA25634b76d95d5cc41eb2cdf28e1e0d7f6d9b0f05f7620db587a5293ecd2a95653ad
SHA5121ca8b6e91161a55b4f82e794995f05b27e77321e6408f44590b8d25e43b20a8203472ec07513ab0cf56f3a5889b8235e53eaec143090e3bf626833bfcc566702
-
Filesize
1KB
MD5af0109724c5ec3465986ee0653f006bb
SHA15998ab6926fad21cfb807aeeee148d28dca71591
SHA2568f90c91f74dcdf48b5518ff4f70ca5e38f365bdcd26c4184841e90ded10082b1
SHA512b3873eb4319554ce8b11c7ec8d12b72b39526f61e440065d13454db2c59c716895be8c8256ee04224f86b7b090afc9335833a565951d56b94fa026e4f5e0efc2
-
Filesize
5KB
MD524db73956a7c695fb5cbff9a02cb85b3
SHA1d5d1f765030a0d6028c23e9073204ce6a72be0c2
SHA2565b3e207cb7ffd9438f5c0d374a89d824c23e9fc073c883986acebbc8c6abf1f2
SHA5129e5f18749489385454e1d52541e7eee6fa22d49cd83bae956db4ff5b77c4b86004c504f4a36fe595995f967706d27527f3c802e22e6797e50c73a52f6a28ac05
-
Filesize
5KB
MD5a3e560576d8b202a5cd5b971f3b5fe14
SHA1ef4285146a88738356add67db872697193a7c735
SHA2568739707acb5c9235eca2808b6c42e7d7df77b97f953086feab10472d9ce62202
SHA512c5a1b5c57962358fdfca7dcb815576527674a9d3644cc2a3c9518fa2783989614c60ba5e64157eb0cd7e3d147b18bf7a19e0885e05fa4a8657b64e28fadd34a3
-
Filesize
6KB
MD5834dc089860f033ea4a658418ef1d64d
SHA16a69f7b849aa6332b12d1faa62a339f68cda1a3b
SHA2561aa7e7697b33737ba1cdb99a6809ed5b65928a966329a4f152c86a008ea6bae4
SHA512e7596d9ef0d7f9111dd2632afe83c6305f0afa7992c330abb97653b4cf7d6d6413880fabc9c5b698712a17ac41ae7242c4ed7b94ab145e26a18822ba416e6027
-
Filesize
7KB
MD5ee176aae89b8bad1de3f181c94a22d7c
SHA15a197189933a593c4554b515158aba7660d834a1
SHA256b187437d233e56bc4f14a76292650c10a44423918800acec4d803b79ffd89317
SHA512ec90bca79318f5d8cd614f3565a03de1feba177b0134b576f837b11ea8e8681633a93d06eeed4aa0aec8b3f27db92ab068c8984bdb28b201d0978c0f6878ef20
-
Filesize
7KB
MD56d12b52c0dde1075c0bbccb56e6b88e0
SHA11823327c56a1378b18af260d15ad8c8da070641f
SHA256fe804b59605a37e8ad683b9b3953cb9e13ca84b685144ba5f8d0e1acb779f61f
SHA512251efe88ee220e17f2eeac59f2f0ed13478530f1188f694107677f0b7583e21f8fca2c1cb6269c3438b8fe1cea7e371f4a1802cf5e26a0ce307b0bf6dee5e151
-
Filesize
7KB
MD5eeda746f304a92ad4cf28f291ee5e271
SHA1b5464664cc0f98294c64acfe9c4e3fc7c91d4d5d
SHA2563abc39555c00b6f33fabe95d33167541a32bbe754ca7df453535db539c6d9adc
SHA512bc00384d4f76be4142e4051d3be5c046ec404a0b0d3a62eac84a8459bb70f9ace20ef95ee62647488e16a05e5499f325621d2ad7230b313619b27ba0831320e6
-
Filesize
7KB
MD51abf32c362091c0862b2f70249acfd0a
SHA146e245de708b46a5e203469269355c6d685db836
SHA2569404247095acc0883ddf0cd2b759c318efcf8411a5d1c98c306429fbc2e31012
SHA512e11d731a754eba15437ed237486bb6c57c42b30059ecd78a88ac5a94d9b2e5d693d64e04ec1c9f2f1edd68f121e46bf734371ec9010bf45c773c13a4595cda03
-
Filesize
7KB
MD594e2bbbda8c15dfeb471bf10bf00f297
SHA154f106de2e94f8fbd7bbfc3f46428f4f2af98289
SHA256b1343c25ffa0f80786c284f4a94550ca85b9d09ddb2cd1bdba601ce945c49771
SHA512629ac6e7b569a992dcda0bc13c53447ed366d1d53561c0dfcc5b397390ae48dae9b649cc40c40e7c9e2083b07fbb815bfcef261b9f7b7a697578cc2e60d0e5c1
-
Filesize
7KB
MD52595d2107440999ddd46a399bab2a7f9
SHA15e5c94383593906e395287dce24a58d7451408c8
SHA256767cce0c9d4a5384448c0761c48fd2666bdf8b185f1fa66ad7d54f8eaca7d68a
SHA512bc75d0c938006b6571763d778c550219a167170e51c3351eb9ac0a213b1672a764c27c41afa543221b192a3b0fe6d9982630366f8ed8b4b62a194122a17b167e
-
Filesize
7KB
MD5c1009546ba4d808b20be1b09f34f5984
SHA118264e75e159a45e8989d2deba6b759b460accdf
SHA2569b3b67e98e65660870795e86163a1ce64f36c3228b9d0da2d4709a89e3903d2e
SHA51236f2d806e15383bd61840da97dc88ad1ab2ce7b7279549ba4eda54a3e056f6cd624987cb37e1c8e896dd0301758ae150654039334792df83cfe9b077d832e28a
-
Filesize
2KB
MD5c9d1b37ff9e51fcae0b1083000bda77d
SHA14d619d3eeb0f772df55e9f6a2443ff49f57b0422
SHA256b05494a7d3155029daa34910f6e36e95b37ef65bd9888b0e6e647f12c65bd367
SHA51234fb03bd72c9fdbb40f33a4ddea8be0aa78083c09eac7ef2cef29ef9d086e583eec753fdbba26d4e86c6dc993fbdb38a2ab32c93fead8caabc0bfb4fcce42993
-
Filesize
2KB
MD59e288ac806ed533adbac3520bb0fcd34
SHA16df824a4d2e4dfcab6fcb2daf32308e762520263
SHA25686e919bc827e1d60f0e6c95b812cad9f2558183f3b83026cf6eadad279182024
SHA512b3ae0f6409c0acd25507983f1cc980e18ac1d6e4d0156c6cabf938a0fa6683da4bf9139a41a2db154d6c1b812f02ee8617139b6bf4b071f45f84a7c992bedc7f
-
Filesize
1KB
MD56da5ecf7e3db9da21b0978c636266160
SHA10c119e2a92b7f2abe4a153e7417fd8c75d3bc5ba
SHA256d68ef05be8ed60ee226a1c76a0c1f64f35f1e672741cd616db4fe4f807ce759c
SHA5120b45af55a2542666bc26739ac62cc0f42d89fa9137eef260dcd16a7417762161e72a2ded76840e4c0871fb1dbf03552699c919af32c2c77faac6b50bb6e00b5d
-
Filesize
1KB
MD54bdff325ca381831b7e668d548b09f3a
SHA18275d37c63eecd86ac46a84b067b1329c211bc02
SHA256330f429cc8093be43126031076e0883d1675aaa23508abe6da2236ac6ca21098
SHA512740a7143fafb74d421c4a2e2e6b3719f13d2b83e53dc21e311b0d18467a74b48325a6f239736f6e19e29ffa9d8c4de8de4e022970e4c7284de1686be88f0a86d
-
Filesize
1KB
MD5654455b0d348052e341856982f6f8e6c
SHA116e49c303f6c25f137719648ae5ebab82aac6c1d
SHA25638188a3e918d4c9e008d62d209250507974f7db2c2c0dbe36dfce016a7514352
SHA512f5d41f6da630a3a85aa0d68f7f6141777f542b0de4bda715941a131291130ae1199c0f3acb5612f66aafa3776234ae5741ff2d6c529fca7c1847d0a2ef94e55a
-
Filesize
1KB
MD5626ef9d9880dd3e9db70b69babd79b1c
SHA16fd2f389a2a3759cf0e00c352c6dd2329e55976d
SHA256cdb898a041e747406ef438bc4794eb7403d1339d2fa07eef777a8b011453a166
SHA5127b32f036a4605103af56243f0a2c5a46582cb5e91f4c09f205a028ecdf850a73d3fe2a76062c472cb836360e6cae137887eeafe754a1147c9275e8720d65bb8d
-
Filesize
1KB
MD500822a7f2fe8db1e9671bf9f6c3e8279
SHA173a9ffcdcf8bbee79e02e5807e9875c62847cee6
SHA2562a27e17cde833e8150fdb4264f311947102568956cf47856b1af6acfb5a07f4c
SHA512d2b16871546b204b7cbae52734370354a0532092c3832e0ee1eef8cc9a163ce6f0255d50177d819c0df6edfb383eb5cecc8f4a947d81b41182252c6affd49416
-
Filesize
1KB
MD527a94c3ed823c71e809632c052b4427c
SHA10b2371873b8e73401c5eb8dc70b32f5c39dc60f3
SHA2560e91d3b6c1162985c6f7a07b4765fb46b53d4c2dc5be7d202f8094652336052f
SHA512e16748edfec758e863b7cc4c2bd38d3bd751b14c2f653dffbef61787438d71302172d255f0f866dee3dc0143d1fce7a6ebfc3ecd88d2e7380a400e1248c24b77
-
Filesize
2KB
MD553cce2fc1975f16db488b6ee2ab31691
SHA17db2460d72be7a23ff680bd6f932fbb2facd84da
SHA256de4cdedd52ba042681e45ee01c1843320146e3cd29fa87b058316e7b48e8aebd
SHA512cf223c4f7d53ed222d1ffca1b1743de6e77dbfe9cbb5a59e3200e1d7008a505e2063bab1223c3fc248bbeecad8ff6d04a8572c8bd0382868b42da0090acd914a
-
Filesize
1KB
MD5a9f0d32cc5de5fffbda49c9f1fa327eb
SHA10d3ffc4cff76a0b20f1607a6f047a4fc16dc41e0
SHA256d408787974aa718b5f48cbb14cf36e370efed073e7a554e3fa2c6f8d439caae7
SHA5120d252bd87dd7cd41f83c68b3230818ec245640b72904e5d8b0082f0b3f3c3c22a8670d22565498e7126a2d2028a2e924436095a1e7754f5ba131237dcfb85a46
-
Filesize
1KB
MD5a036f8b4eea5a4340ee10489de51e157
SHA1c2f3b3272646c35116193352454f9633b1353c50
SHA256db1ff04a4bc244f8585c279bcf0681564bd4a609a480803b6c5f0d4a3f7364ae
SHA512841a90dcdd60dd510d329ac1b928c59893cf8fb636d106f07ddb1d8590791a1f151f99a2734ac9585c444652a65f58f6b429e25a96d8dc7ea6b09f5f1fb8244d
-
Filesize
2KB
MD580eae2d8fbc3b6a4ea2abc296b5b0577
SHA10f70568cb15b1534de38f082000b01810a398b69
SHA256
ddfc0db96bf1d2784374b9079f81399eb014d03cd53f002ab0ab81eed4f5fd13
SHA512
8161570ce32adccd972822e774c5e2b7cc9f26c7694b5a5f75ce1ffc61e774062d2b03ee85b549ac1c074b80c81ca1e9f89c158779dfca7efab3bf134f944e4d
-
Filesize
2KB
MD5
5582c3c1d7ee28cec951901d7ef7f47c
SHA1
d960e24209ca1f7cc0f4e950a71edb327110a822
SHA256
00e22f5f31815db4a3a8ed27c976574d6e235ab7748c73cb29bad375dbbae875
SHA512
60003ece65d0a459d9788f71d350cc5b6c1055bb296a4ecef6b519273c409dd4e87594ca2c375358f6225313fabbc8db3d698e2d22b6daa1b47cdcd397b47680
-
Filesize
1KB
MD5
25a0a6590d0fc8457cf1e7868650f470
SHA1
403327929d0aea0f3cedc7ab4af6f879a4d4b7ce
SHA256
800536e3837ef29c4aec2f90cbae087fba643802e4973dbcb8aa5401b0d1fdb8
SHA512
848f52ce71bbf15b757a1b31ce23b382c8c24ed714c2663849525741797335a6832d9c6714938bbf1e52ad10bc1309044e124686ca74dd68b8c45c689dab0164
-
Filesize
16B
MD5
6752a1d65b201c13b62ea44016eb221f
SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD5
144fc46f001be4b6f3872c6518cf2fd2
SHA1
81a014aed43ce820e481e86e857e6f91c18d29d4
SHA256
06e0ebdd01cff5adc21216540b749b87a53543e42482b0048f42ce5fb77fdafe
SHA512
a9e584920fdb516443c80904fdaac7defac6b6fdb1402bb9ee45fc8e1ca6668b12e8581da76f1538c917181ebf2a64223c47d18d535ac0cbfa148581c4b35c75
-
Filesize
11KB
MD5
0ae1dc8661560cebeadf031517f60fc0
SHA1
974f23267670c80a6b315af15dfcdec2caa19ddd
SHA256
2d3d24fca62af95793b06eeb66b8788fb2045b8442196e9ef13dc641036ca661
SHA512
8e1d420288dc3853e1fa4603197e4d7365cab58cf4da5a6557b4b2f48ffcc195caa22e1b51d0d7789be2f0c4ff8daad14de983cbdda3637b7e352a8734c7bf27
-
Filesize
11KB
MD5
2598d731da01115ff1f6ea72b7c44417
SHA1
674dd814739a6b088ac5bcbb9e0d3aac88a97501
SHA256
130e4ac3053160125be8909271a85cf7afbeed45e470ec512470de72e0a2e139
SHA512
19d5cf6703503f0fb2db2fa6ac1a67557cf970848c3f5f4e90dff360d35ee7ef7687ee813bdeb8d2a240840186a0e0d82c84343ceeca07dbcc064a3723a3660c
-
Filesize
11KB
MD5
89b0aadb5e5bb371516e72fe079c2c72
SHA1
bbd15f83ce078b36d0bb51fdfbf4d538ace61600
SHA256
305def861b48eaeca5bfb284bd9f4e3b93e1cbaee7a81e14427765572bea4e67
SHA512
d37f1cbc67f2f6712f06ffddd254e9dccf099471515b87019ccf283580b3558e71886ca80ac3521dfaf9e6740c4490e6f7b1bc9a8d81bdd4fcf8e8a230b7098b
-
Filesize
11KB
MD5
ca212205065758868d466ce641b372bf
SHA1
9ee643e926992bc47939d1b6822d385e17265746
SHA256
d14574ede2706092ccf5f69f6916e18b12df02992b2b6e79fa3587ff7e16b001
SHA512
45eb295ede62c5f6cd8a0307e2d632ce9c0ccb10ff48e1c91e8d6ade6b5e9bb3c14c7a13e77e154cda9bdaaddf766309f15fb3253a2d380c3254447d580bc7f0
-
Filesize
11KB
MD5
91fa836444876d13f8b9085ccbc5c40b
SHA1
b8de652fa31af1f334e4d00571c6a234ba88abe5
SHA256
b09ddaa10dbaa95d5fe015f56e57537929d03c2ac8d9ff0ea565f8ab341837af
SHA512
472c1f677ba659cabdc09f7fc6895bbf7bf4f997049b300ec5c26f74668b9ef6bc3aa97a7d967ea56cd8391106a563b76cff596247f875e2ad85054c5f33a171
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize
10KB
MD5
ff70a4688b3e66104fe9662bf6ab0d07
SHA1
408db40193e7be14b388e9d10149f645400f8d01
SHA256
31e4dc2b5232497970e76db506597efa77965acbf88e2bf0594cc9141bee51e2
SHA512
c4badd616d1e56a89171bf12273619f3498f3ca63778f8e6c6774a9f0997b8982c23082124981e14a7bd18b04d573a14d6613477ca170b79a492729e68f11341
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize
10KB
MD5
165b9effc4cf014a58bc60b6a11dd79c
SHA1
82a23315342caf817d08b9c4f95ea1c6675503fa
SHA256
85bf2467f0a55c0c3232d10d14b6e5a599394a44016bff0c0c1b62331a322cab
SHA512
a68e39c103a991e12843302f721d85b23c10996f7ba6e79ccae2ffd281e6c35cd457210c92c0e0edff3bcdea6e17a7a30dbfbbf94a38d106c1903291168538f4
-
Filesize
26B
MD5
fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98
-
Filesize
198.8MB
MD5
af60ad5b6cafd14d7ebce530813e68a0
SHA1
ad81b87e7e9bbc21eb93aca7638d827498e78076
SHA256
b7dd3bce3ebfbc2d5e3a9f00d47f27cb6a5895c4618c878e314e573a7c216df1
SHA512
81314363d5d461264ed5fdf8a7976f97bceb5081c374b4ee6bbea5d8ce3386822d089d031234ddd67c5077a1cc1ed3f6b16139253fbb1b3d34d3985f9b97aba3
-
Filesize
5.2MB
MD5
3251e9a3d318a4c9b90f318ff3c3a93c
SHA1
c57d73b9998572826e0ea2861b6e185720ef5eee
SHA256
0c8f8d566cde1484ae2c98dc0d8f58d3eac6dd63e3e79fbcb0f25f3afa5e8fa0
SHA512
74e934b13e626d9fc09c237921158d0e27f0e2c724f8c557177d2c83d81b859742109a08d3948ab6518833c58e70f585de9b2bcfa1e39807c87926caf681d8ea
-
Filesize
4.2MB
MD5
29132eed47875d6c1ec60baa17c8b3f6
SHA1
b85a449867026eac90dfda008743784ae7baee93
SHA256
f2cfbf9c4061c865c56b52a7d9814b03bb4ccff2fcca9a80bf73f8004cf59d2e
SHA512
d7d20f75633d594a7c5ac74f44a9f70f93caf920c4a4d92b119b141c6329fa303d28c952b76dc58d36a697ac6ffd3d2296dfa803c5023565a27fa84552317e76