Resubmissions
02-07-2024 23:48
240702-3tl3eawdpf 1002-07-2024 23:39
240702-3nl58awbkg 1002-07-2024 23:36
240702-3lzzaszekr 602-07-2024 06:39
240702-heslesvapn 1002-07-2024 06:28
240702-g8c76atgjr 1002-07-2024 06:22
240702-g4z65azepb 602-07-2024 06:05
240702-gs9leszbja 602-07-2024 06:00
240702-gqde7szaje 8Analysis
-
max time kernel
626s -
max time network
629s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system -
submitted
02-07-2024 06:28
Static task
static1
Behavioral task
behavioral1
Sample
piggy.png
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
piggy.png
Resource
win10v2004-20240611-en
Errors
General
-
Target
piggy.png
-
Size
1.3MB
-
MD5
db441b970d8b070324fad09acb7ca77f
-
SHA1
d71a69ffc7c67b2bc338d809b2a7933d1139638a
-
SHA256
38ce15ff72fe07a74ac9e4692fac7c0b964ca3c4f6def07d942fd94ecfd80981
-
SHA512
49b8b422831afec6f9600f9ee03b6ff237abf548ffecb607a38992ae72c6d27820e980e79217c784b13b6df70d56482b26a06f058bb00a326e1564f7fcb1b55d
-
SSDEEP
24576:bNkiU39wq+8/EV7QXZyP2wWYMmxtJMdhBgf0n1BcFvnbz:bNV09wq+gECnGfJ0Bu0n1OZP
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 3 IoCs
Processes:
Annabelle.exeAnnabelle.exeAnnabelle.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\Downloads\\Annabelle.exe" Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\Downloads\\Annabelle.exe" Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\Downloads\\Annabelle.exe" Annabelle.exe -
Processes:
Annabelle.exeAnnabelle.exeAnnabelle.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" Annabelle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Annabelle.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" Annabelle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Annabelle.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" Annabelle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Annabelle.exe -
Processes:
Annabelle.exeAnnabelle.exeAnnabelle.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Annabelle.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Annabelle.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Annabelle.exe -
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Disables RegEdit via registry modification 6 IoCs
Processes:
Annabelle.exeAnnabelle.exeAnnabelle.exedescription ioc process Set value (int) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Annabelle.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Annabelle.exe Set value (int) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Annabelle.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Annabelle.exe Set value (int) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Annabelle.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Annabelle.exe -
Disables Task Manager via registry modification
-
Disables use of System Restore points 1 TTPs
-
Downloads MZ/PE file
-
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
Processes:
Annabelle.exeAnnabelle.exeAnnabelle.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DCIMAN32.exe\Debugger = "RIP" Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cabinet.dll\Debugger = "RIP" Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad++.exe\Debugger = "RIP" Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shellstyle.dll\Debugger = "RIP" Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bcdedit.exe\Debugger = "RIP" Annabelle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ksuser.dll Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\opera.exe\Debugger = "RIP" Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Autoruns.exe\Debugger = "RIP" Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mspaint.exe\Debugger = "RIP" Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rasman.dll\Debugger = "RIP" Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "RIP" Annabelle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DCIMAN32.exe\Debugger = "RIP" Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wmplayer.exe\Debugger = "RIP" Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe\Debugger = "RIP" Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe\Debugger = "RIP" Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad++.exe\Debugger = "RIP" Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dllhost.exe\Debugger = "RIP" Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "RIP" Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\attrib.exe\Debugger = "RIP" Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DBGHELP.exe\Debugger = "RIP" Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe\Debugger = "RIP" Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gpedit.msc\Debugger = "RIP" Annabelle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\systemexplorer.exe Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe\Debugger = "RIP" Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\microsoftedgecp.exe\Debugger = "RIP" Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCuiL.exe\Debugger = "RIP" Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "RIP" Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shellstyle.dll\Debugger = "RIP" Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Autoruns.exe\Debugger = "RIP" Annabelle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DCIMAN32.exe Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\control.exe\Debugger = "RIP" Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe\Debugger = "RIP" Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mspaint.exe\Debugger = "RIP" Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll32.exe\Debugger = "RIP" Annabelle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCuiL.exe\Debugger = "RIP" Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chkdsk.exe\Debugger = "RIP" Annabelle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\url.dll Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "RIP" Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCuiL.exe\Debugger = "RIP" Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mydocs.dll\Debugger = "RIP" Annabelle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe Annabelle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\attrib.exe Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cabinet.dll\Debugger = "RIP" Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DBGHELP.exe\Debugger = "RIP" Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wmplayer.exe\Debugger = "RIP" Annabelle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\secpol.msc Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "RIP" Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\attrib.exe\Debugger = "RIP" Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\control.exe\Debugger = "RIP" Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wmplayer.exe\Debugger = "RIP" Annabelle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\opera.exe Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\microsoftedgecp.exe\Debugger = "RIP" Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UserAccountControlSettings.exe\Debugger = "RIP" Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe\Debugger = "RIP" Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mspaint.exe\Debugger = "RIP" Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rundll.exe\Debugger = "RIP" Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rasman.dll\Debugger = "RIP" Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\url.dll\Debugger = "RIP" Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DBGHELP.exe\Debugger = "RIP" Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bcdedit.exe\Debugger = "RIP" Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dllhost.exe\Debugger = "RIP" Annabelle.exe -
Modifies Windows Firewall 2 TTPs 3 IoCs
Processes:
NetSh.exeNetSh.exeNetSh.exepid process 2916 NetSh.exe 2064 NetSh.exe 1592 NetSh.exe -
Processes:
resource yara_rule C:\Users\Admin\Downloads\Unconfirmed 909674.crdownload aspack_v212_v242 C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000036 aspack_v212_v242 -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
Annabelle.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation Annabelle.exe -
Executes dropped EXE 33 IoCs
Processes:
YouAreAnIdiot.exeYouAreAnIdiot.exeYouAreAnIdiot.exeYouAreAnIdiot.exeYouAreAnIdiot.exeHydra.exeCookieClickerHack.exeCookieClickerHack.exeFlasher.exeFlasher.exeFlasher.exeFlasher.exeFlasher.exeFlasher.exeFlasher.exeFlasher.exeFlasher.exeFlasher.exeFlasher.exeFlasher.exeFlasher.exePopup.exerickroll.exerickroll.exerickroll.exeWinNuke.98.exeWinNuke.98 (1).exeAnnabelle.exeAnnabelle.exeAnnabelle.exeWinNuke.98.exerickroll.exeAnnabelle.exepid process 1116 YouAreAnIdiot.exe 4788 YouAreAnIdiot.exe 1752 YouAreAnIdiot.exe 2424 YouAreAnIdiot.exe 1844 YouAreAnIdiot.exe 4192 Hydra.exe 4008 CookieClickerHack.exe 1612 CookieClickerHack.exe 1304 Flasher.exe 1084 Flasher.exe 596 Flasher.exe 2996 Flasher.exe 1444 Flasher.exe 4808 Flasher.exe 4032 Flasher.exe 2752 Flasher.exe 4820 Flasher.exe 2492 Flasher.exe 4708 Flasher.exe 1372 Flasher.exe 652 Flasher.exe 3580 Popup.exe 4388 rickroll.exe 5020 rickroll.exe 1876 rickroll.exe 4360 WinNuke.98.exe 1360 WinNuke.98 (1).exe 4496 Annabelle.exe 4896 Annabelle.exe 368 Annabelle.exe 3016 WinNuke.98.exe 3244 rickroll.exe 4368 Annabelle.exe -
Impair Defenses: Safe Mode Boot 1 TTPs 3 IoCs
Processes:
Annabelle.exeAnnabelle.exeAnnabelle.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\MinimalX = "1" Annabelle.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\MinimalX = "1" Annabelle.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\MinimalX = "1" Annabelle.exe -
Adds Run key to start application 2 TTPs 9 IoCs
Processes:
Annabelle.exeAnnabelle.exeAnnabelle.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UpdateBackup = "C:\\Users\\Admin\\Downloads\\Annabelle.exe" Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UpdateBackup = "C:\\Users\\Admin\\Downloads\\Annabelle.exe" Annabelle.exe Set value (str) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UpdateBackup = "C:\\Users\\Admin\\Downloads\\Annabelle.exe" Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UpdateBackup = "C:\\Users\\Admin\\Downloads\\Annabelle.exe" Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UpdateBackup = "C:\\Users\\Admin\\Downloads\\Annabelle.exe" Annabelle.exe Set value (str) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UpdateBackup = "C:\\Users\\Admin\\Downloads\\Annabelle.exe" Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UpdateBackup = "C:\\Users\\Admin\\Downloads\\Annabelle.exe" Annabelle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UpdateBackup = "C:\\Users\\Admin\\Downloads\\Annabelle.exe" Annabelle.exe Set value (str) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UpdateBackup = "C:\\Users\\Admin\\Downloads\\Annabelle.exe" Annabelle.exe -
Processes:
Annabelle.exeAnnabelle.exeAnnabelle.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Annabelle.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Annabelle.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Annabelle.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
Processes:
NetSh.exeNetSh.exeNetSh.exedescription ioc process Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh NetSh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh NetSh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh NetSh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh NetSh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh NetSh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh NetSh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh NetSh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh NetSh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh NetSh.exe -
Program crash 4 IoCs
Processes:
WerFault.exeWerFault.exeWerFault.exeWerFault.exepid pid_target process target process 792 1116 WerFault.exe YouAreAnIdiot.exe 3248 4788 WerFault.exe YouAreAnIdiot.exe 716 1752 WerFault.exe YouAreAnIdiot.exe 4028 2424 WerFault.exe YouAreAnIdiot.exe -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
taskmgr.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName taskmgr.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
msedge.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Interacts with shadow copies 3 TTPs 9 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exepid process 3908 vssadmin.exe 1224 vssadmin.exe 1512 vssadmin.exe 4660 vssadmin.exe 2320 vssadmin.exe 2832 vssadmin.exe 5080 vssadmin.exe 4616 vssadmin.exe 872 vssadmin.exe -
Modifies data under HKEY_USERS 15 IoCs
Processes:
LogonUI.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent LogonUI.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "64" LogonUI.exe -
Modifies registry class 34 IoCs
Processes:
msedge.exePopup.exemsedge.exeOpenWith.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings msedge.exe Key created \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 Popup.exe Set value (str) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Pictures" Popup.exe Set value (str) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}" Popup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295" Popup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1" Popup.exe Set value (data) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff Popup.exe Set value (str) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Downloads" Popup.exe Key created \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{885A186E-A440-4ADA-812B-DB871B942259} Popup.exe Key created \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags Popup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16" Popup.exe Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2447855248-390457009-3660902674-1000\{8829DD77-F18F-43EA-8A13-D25DCD10FC56} msedge.exe Key created \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU Popup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "2" Popup.exe Set value (data) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 Popup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295" Popup.exe Set value (data) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff Popup.exe Set value (data) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = ffffffff Popup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4" Popup.exe Key created \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 Popup.exe Key created \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy Popup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1" Popup.exe Key created \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings Popup.exe Key created \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell Popup.exe Set value (str) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}" Popup.exe Set value (data) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202 Popup.exe Key created \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2 Popup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257" Popup.exe Set value (data) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff Popup.exe Set value (int) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14" Popup.exe Key created \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell Popup.exe Set value (data) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 14002e8005398e082303024b98265d99428e115f0000 Popup.exe Set value (data) \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 Popup.exe -
NTFS ADS 11 IoCs
Processes:
msedge.exedescription ioc process File opened for modification C:\Users\Admin\Downloads\Unconfirmed 112755.crdownload:SmartScreen msedge.exe File opened for modification C:\Users\Admin\Downloads\Unconfirmed 909674.crdownload:SmartScreen msedge.exe File opened for modification C:\Users\Admin\Downloads\Unconfirmed 16040.crdownload:SmartScreen msedge.exe File opened for modification C:\Users\Admin\Downloads\Unconfirmed 334406.crdownload:SmartScreen msedge.exe File opened for modification C:\Users\Admin\Downloads\Unconfirmed 740554.crdownload:SmartScreen msedge.exe File opened for modification C:\Users\Admin\Downloads\Unconfirmed 475881.crdownload:SmartScreen msedge.exe File opened for modification C:\Users\Admin\Downloads\Unconfirmed 976590.crdownload:SmartScreen msedge.exe File opened for modification C:\Users\Admin\Downloads\Unconfirmed 539034.crdownload:SmartScreen msedge.exe File opened for modification C:\Users\Admin\Downloads\Unconfirmed 974181.crdownload:SmartScreen msedge.exe File opened for modification C:\Users\Admin\Downloads\Unconfirmed 924786.crdownload:SmartScreen msedge.exe File opened for modification C:\Users\Admin\Downloads\Unconfirmed 723463.crdownload:SmartScreen msedge.exe -
Suspicious behavior: EnumeratesProcesses 56 IoCs
Processes:
msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exetaskmgr.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exepid process 2332 msedge.exe 2332 msedge.exe 2316 msedge.exe 2316 msedge.exe 3288 identity_helper.exe 3288 identity_helper.exe 4212 msedge.exe 4212 msedge.exe 4808 msedge.exe 4808 msedge.exe 1584 msedge.exe 1584 msedge.exe 1584 msedge.exe 1584 msedge.exe 4712 msedge.exe 4712 msedge.exe 2896 msedge.exe 2896 msedge.exe 4492 msedge.exe 4492 msedge.exe 1836 msedge.exe 1836 msedge.exe 1652 taskmgr.exe 1652 taskmgr.exe 1652 taskmgr.exe 1652 taskmgr.exe 1652 taskmgr.exe 1652 taskmgr.exe 1652 taskmgr.exe 1652 taskmgr.exe 1652 taskmgr.exe 1652 taskmgr.exe 1652 taskmgr.exe 1652 taskmgr.exe 1652 taskmgr.exe 1652 taskmgr.exe 1652 taskmgr.exe 1652 taskmgr.exe 1652 taskmgr.exe 1652 taskmgr.exe 1652 taskmgr.exe 1652 taskmgr.exe 1652 taskmgr.exe 1652 taskmgr.exe 1652 taskmgr.exe 1652 taskmgr.exe 4356 msedge.exe 4356 msedge.exe 3104 msedge.exe 3104 msedge.exe 3300 msedge.exe 3300 msedge.exe 1664 msedge.exe 1664 msedge.exe 1664 msedge.exe 1664 msedge.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
Processes:
Popup.exemsedge.exepid process 3580 Popup.exe 2316 msedge.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 28 IoCs
Processes:
msedge.exepid process 2316 msedge.exe 2316 msedge.exe 2316 msedge.exe 2316 msedge.exe 2316 msedge.exe 2316 msedge.exe 2316 msedge.exe 2316 msedge.exe 2316 msedge.exe 2316 msedge.exe 2316 msedge.exe 2316 msedge.exe 2316 msedge.exe 2316 msedge.exe 2316 msedge.exe 2316 msedge.exe 2316 msedge.exe 2316 msedge.exe 2316 msedge.exe 2316 msedge.exe 2316 msedge.exe 2316 msedge.exe 2316 msedge.exe 2316 msedge.exe 2316 msedge.exe 2316 msedge.exe 2316 msedge.exe 2316 msedge.exe -
Suspicious use of AdjustPrivilegeToken 10 IoCs
Processes:
taskmgr.exevssvc.exeshutdown.exedescription pid process Token: SeDebugPrivilege 1652 taskmgr.exe Token: SeSystemProfilePrivilege 1652 taskmgr.exe Token: SeCreateGlobalPrivilege 1652 taskmgr.exe Token: 33 1652 taskmgr.exe Token: SeIncBasePriorityPrivilege 1652 taskmgr.exe Token: SeBackupPrivilege 212 vssvc.exe Token: SeRestorePrivilege 212 vssvc.exe Token: SeAuditPrivilege 212 vssvc.exe Token: SeShutdownPrivilege 4528 shutdown.exe Token: SeRemoteShutdownPrivilege 4528 shutdown.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
msedge.exepid process 2316 msedge.exe 2316 msedge.exe 2316 msedge.exe 2316 msedge.exe 2316 msedge.exe 2316 msedge.exe 2316 msedge.exe 2316 msedge.exe 2316 msedge.exe 2316 msedge.exe 2316 msedge.exe 2316 msedge.exe 2316 msedge.exe 2316 msedge.exe 2316 msedge.exe 2316 msedge.exe 2316 msedge.exe 2316 msedge.exe 2316 msedge.exe 2316 msedge.exe 2316 msedge.exe 2316 msedge.exe 2316 msedge.exe 2316 msedge.exe 2316 msedge.exe 2316 msedge.exe 2316 msedge.exe 2316 msedge.exe 2316 msedge.exe 2316 msedge.exe 2316 msedge.exe 2316 msedge.exe 2316 msedge.exe 2316 msedge.exe 2316 msedge.exe 2316 msedge.exe 2316 msedge.exe 2316 msedge.exe 2316 msedge.exe 2316 msedge.exe 2316 msedge.exe 2316 msedge.exe 2316 msedge.exe 2316 msedge.exe 2316 msedge.exe 2316 msedge.exe 2316 msedge.exe 2316 msedge.exe 2316 msedge.exe 2316 msedge.exe 2316 msedge.exe 2316 msedge.exe 2316 msedge.exe 2316 msedge.exe 2316 msedge.exe 2316 msedge.exe 2316 msedge.exe 2316 msedge.exe 2316 msedge.exe 2316 msedge.exe 2316 msedge.exe 2316 msedge.exe 2316 msedge.exe 2316 msedge.exe -
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
msedge.exetaskmgr.exepid process 2316 msedge.exe 2316 msedge.exe 2316 msedge.exe 2316 msedge.exe 2316 msedge.exe 2316 msedge.exe 2316 msedge.exe 2316 msedge.exe 2316 msedge.exe 2316 msedge.exe 2316 msedge.exe 2316 msedge.exe 2316 msedge.exe 2316 msedge.exe 2316 msedge.exe 2316 msedge.exe 2316 msedge.exe 2316 msedge.exe 2316 msedge.exe 2316 msedge.exe 2316 msedge.exe 2316 msedge.exe 2316 msedge.exe 2316 msedge.exe 2316 msedge.exe 2316 msedge.exe 2316 msedge.exe 2316 msedge.exe 2316 msedge.exe 2316 msedge.exe 2316 msedge.exe 2316 msedge.exe 1652 taskmgr.exe 1652 taskmgr.exe 1652 taskmgr.exe 1652 taskmgr.exe 1652 taskmgr.exe 1652 taskmgr.exe 1652 taskmgr.exe 1652 taskmgr.exe 1652 taskmgr.exe 1652 taskmgr.exe 1652 taskmgr.exe 1652 taskmgr.exe 1652 taskmgr.exe 1652 taskmgr.exe 1652 taskmgr.exe 1652 taskmgr.exe 1652 taskmgr.exe 1652 taskmgr.exe 1652 taskmgr.exe 1652 taskmgr.exe 1652 taskmgr.exe 1652 taskmgr.exe 1652 taskmgr.exe 1652 taskmgr.exe 1652 taskmgr.exe 1652 taskmgr.exe 1652 taskmgr.exe 1652 taskmgr.exe 1652 taskmgr.exe 1652 taskmgr.exe 1652 taskmgr.exe 1652 taskmgr.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
OpenWith.exePopup.exepid process 2292 OpenWith.exe 3580 Popup.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
msedge.exedescription pid process target process PID 2316 wrote to memory of 724 2316 msedge.exe msedge.exe PID 2316 wrote to memory of 724 2316 msedge.exe msedge.exe PID 2316 wrote to memory of 1384 2316 msedge.exe msedge.exe PID 2316 wrote to memory of 1384 2316 msedge.exe msedge.exe PID 2316 wrote to memory of 1384 2316 msedge.exe msedge.exe PID 2316 wrote to memory of 1384 2316 msedge.exe msedge.exe PID 2316 wrote to memory of 1384 2316 msedge.exe msedge.exe PID 2316 wrote to memory of 1384 2316 msedge.exe msedge.exe PID 2316 wrote to memory of 1384 2316 msedge.exe msedge.exe PID 2316 wrote to memory of 1384 2316 msedge.exe msedge.exe PID 2316 wrote to memory of 1384 2316 msedge.exe msedge.exe PID 2316 wrote to memory of 1384 2316 msedge.exe msedge.exe PID 2316 wrote to memory of 1384 2316 msedge.exe msedge.exe PID 2316 wrote to memory of 1384 2316 msedge.exe msedge.exe PID 2316 wrote to memory of 1384 2316 msedge.exe msedge.exe PID 2316 wrote to memory of 1384 2316 msedge.exe msedge.exe PID 2316 wrote to memory of 1384 2316 msedge.exe msedge.exe PID 2316 wrote to memory of 1384 2316 msedge.exe msedge.exe PID 2316 wrote to memory of 1384 2316 msedge.exe msedge.exe PID 2316 wrote to memory of 1384 2316 msedge.exe msedge.exe PID 2316 wrote to memory of 1384 2316 msedge.exe msedge.exe PID 2316 wrote to memory of 1384 2316 msedge.exe msedge.exe PID 2316 wrote to memory of 1384 2316 msedge.exe msedge.exe PID 2316 wrote to memory of 1384 2316 msedge.exe msedge.exe PID 2316 wrote to memory of 1384 2316 msedge.exe msedge.exe PID 2316 wrote to memory of 1384 2316 msedge.exe msedge.exe PID 2316 wrote to memory of 1384 2316 msedge.exe msedge.exe PID 2316 wrote to memory of 1384 2316 msedge.exe msedge.exe PID 2316 wrote to memory of 1384 2316 msedge.exe msedge.exe PID 2316 wrote to memory of 1384 2316 msedge.exe msedge.exe PID 2316 wrote to memory of 1384 2316 msedge.exe msedge.exe PID 2316 wrote to memory of 1384 2316 msedge.exe msedge.exe PID 2316 wrote to memory of 1384 2316 msedge.exe msedge.exe PID 2316 wrote to memory of 1384 2316 msedge.exe msedge.exe PID 2316 wrote to memory of 1384 2316 msedge.exe msedge.exe PID 2316 wrote to memory of 1384 2316 msedge.exe msedge.exe PID 2316 wrote to memory of 1384 2316 msedge.exe msedge.exe PID 2316 wrote to memory of 1384 2316 msedge.exe msedge.exe PID 2316 wrote to memory of 1384 2316 msedge.exe msedge.exe PID 2316 wrote to memory of 1384 2316 msedge.exe msedge.exe PID 2316 wrote to memory of 1384 2316 msedge.exe msedge.exe PID 2316 wrote to memory of 1384 2316 msedge.exe msedge.exe PID 2316 wrote to memory of 2332 2316 msedge.exe msedge.exe PID 2316 wrote to memory of 2332 2316 msedge.exe msedge.exe PID 2316 wrote to memory of 4612 2316 msedge.exe msedge.exe PID 2316 wrote to memory of 4612 2316 msedge.exe msedge.exe PID 2316 wrote to memory of 4612 2316 msedge.exe msedge.exe PID 2316 wrote to memory of 4612 2316 msedge.exe msedge.exe PID 2316 wrote to memory of 4612 2316 msedge.exe msedge.exe PID 2316 wrote to memory of 4612 2316 msedge.exe msedge.exe PID 2316 wrote to memory of 4612 2316 msedge.exe msedge.exe PID 2316 wrote to memory of 4612 2316 msedge.exe msedge.exe PID 2316 wrote to memory of 4612 2316 msedge.exe msedge.exe PID 2316 wrote to memory of 4612 2316 msedge.exe msedge.exe PID 2316 wrote to memory of 4612 2316 msedge.exe msedge.exe PID 2316 wrote to memory of 4612 2316 msedge.exe msedge.exe PID 2316 wrote to memory of 4612 2316 msedge.exe msedge.exe PID 2316 wrote to memory of 4612 2316 msedge.exe msedge.exe PID 2316 wrote to memory of 4612 2316 msedge.exe msedge.exe PID 2316 wrote to memory of 4612 2316 msedge.exe msedge.exe PID 2316 wrote to memory of 4612 2316 msedge.exe msedge.exe PID 2316 wrote to memory of 4612 2316 msedge.exe msedge.exe PID 2316 wrote to memory of 4612 2316 msedge.exe msedge.exe PID 2316 wrote to memory of 4612 2316 msedge.exe msedge.exe -
System policy modification 1 TTPs 27 IoCs
Processes:
Annabelle.exeAnnabelle.exeAnnabelle.exedescription ioc process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" Annabelle.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" Annabelle.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Annabelle.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Annabelle.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1" Annabelle.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\WindowsDefenderMAJ = "1" Annabelle.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System Annabelle.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Annabelle.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Annabelle.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1" Annabelle.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "1" Annabelle.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\WindowsDefenderMAJ = "1" Annabelle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Annabelle.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System Annabelle.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\WindowsDefenderMAJ = "1" Annabelle.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1" Annabelle.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Annabelle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Annabelle.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer Annabelle.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Annabelle.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" Annabelle.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "1" Annabelle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Annabelle.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System Annabelle.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "1" Annabelle.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Annabelle.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Annabelle.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\piggy.png1⤵PID:708
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2316 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffdaa6f46f8,0x7ffdaa6f4708,0x7ffdaa6f47182⤵PID:724
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,12616514243304262712,11329423419477690377,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2216 /prefetch:22⤵PID:1384
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,12616514243304262712,11329423419477690377,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2420 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:2332 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2164,12616514243304262712,11329423419477690377,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2772 /prefetch:82⤵PID:4612
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,12616514243304262712,11329423419477690377,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:12⤵PID:1628
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,12616514243304262712,11329423419477690377,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:12⤵PID:2064
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,12616514243304262712,11329423419477690377,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5116 /prefetch:12⤵PID:4440
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,12616514243304262712,11329423419477690377,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5116 /prefetch:12⤵PID:2576
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,12616514243304262712,11329423419477690377,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3572 /prefetch:82⤵PID:3784
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,12616514243304262712,11329423419477690377,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3572 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:3288 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,12616514243304262712,11329423419477690377,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:12⤵PID:3276
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,12616514243304262712,11329423419477690377,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5004 /prefetch:12⤵PID:844
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2164,12616514243304262712,11329423419477690377,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5368 /prefetch:82⤵PID:4932
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2164,12616514243304262712,11329423419477690377,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5508 /prefetch:82⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4212 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,12616514243304262712,11329423419477690377,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5516 /prefetch:12⤵PID:2924
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,12616514243304262712,11329423419477690377,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4012 /prefetch:12⤵PID:1300
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,12616514243304262712,11329423419477690377,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5684 /prefetch:12⤵PID:392
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,12616514243304262712,11329423419477690377,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5904 /prefetch:12⤵PID:4756
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,12616514243304262712,11329423419477690377,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4340 /prefetch:12⤵PID:4212
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,12616514243304262712,11329423419477690377,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3644 /prefetch:12⤵PID:1212
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,12616514243304262712,11329423419477690377,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6048 /prefetch:12⤵PID:5060
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2164,12616514243304262712,11329423419477690377,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5416 /prefetch:82⤵PID:4756
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,12616514243304262712,11329423419477690377,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5896 /prefetch:12⤵PID:4320
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2164,12616514243304262712,11329423419477690377,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6304 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4808 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,12616514243304262712,11329423419477690377,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6792 /prefetch:12⤵PID:2108
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,12616514243304262712,11329423419477690377,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6828 /prefetch:12⤵PID:5052
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,12616514243304262712,11329423419477690377,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7140 /prefetch:12⤵PID:1744
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,12616514243304262712,11329423419477690377,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5768 /prefetch:12⤵PID:1056
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,12616514243304262712,11329423419477690377,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5872 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:1584 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,12616514243304262712,11329423419477690377,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6748 /prefetch:12⤵PID:2916
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2164,12616514243304262712,11329423419477690377,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6172 /prefetch:82⤵PID:716
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2164,12616514243304262712,11329423419477690377,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1296 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4712 -
C:\Users\Admin\Downloads\YouAreAnIdiot.exe"C:\Users\Admin\Downloads\YouAreAnIdiot.exe"2⤵
- Executes dropped EXE
PID:1116 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1116 -s 12043⤵
- Program crash
PID:792 -
C:\Users\Admin\Downloads\YouAreAnIdiot.exe"C:\Users\Admin\Downloads\YouAreAnIdiot.exe"2⤵
- Executes dropped EXE
PID:4788 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4788 -s 12003⤵
- Program crash
PID:3248 -
C:\Users\Admin\Downloads\YouAreAnIdiot.exe"C:\Users\Admin\Downloads\YouAreAnIdiot.exe"2⤵
- Executes dropped EXE
PID:1752 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1752 -s 12003⤵
- Program crash
PID:716 -
C:\Users\Admin\Downloads\YouAreAnIdiot.exe"C:\Users\Admin\Downloads\YouAreAnIdiot.exe"2⤵
- Executes dropped EXE
PID:2424 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2424 -s 12003⤵
- Program crash
PID:4028 -
C:\Users\Admin\Downloads\YouAreAnIdiot.exe"C:\Users\Admin\Downloads\YouAreAnIdiot.exe"2⤵
- Executes dropped EXE
PID:1844 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,12616514243304262712,11329423419477690377,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5808 /prefetch:12⤵PID:4588
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2164,12616514243304262712,11329423419477690377,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7028 /prefetch:82⤵PID:4428
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,12616514243304262712,11329423419477690377,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7144 /prefetch:12⤵PID:4632
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2164,12616514243304262712,11329423419477690377,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5352 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:2896 -
C:\Users\Admin\Downloads\Hydra.exe"C:\Users\Admin\Downloads\Hydra.exe"2⤵
- Executes dropped EXE
PID:4192 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,12616514243304262712,11329423419477690377,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:12⤵PID:1308
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2164,12616514243304262712,11329423419477690377,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6004 /prefetch:82⤵PID:3448
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2164,12616514243304262712,11329423419477690377,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6940 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4492 -
C:\Users\Admin\Downloads\CookieClickerHack.exe"C:\Users\Admin\Downloads\CookieClickerHack.exe"2⤵
- Executes dropped EXE
PID:4008 -
C:\Users\Admin\Downloads\CookieClickerHack.exe"C:\Users\Admin\Downloads\CookieClickerHack.exe"2⤵
- Executes dropped EXE
PID:1612 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,12616514243304262712,11329423419477690377,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1968 /prefetch:12⤵PID:5116
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2164,12616514243304262712,11329423419477690377,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6740 /prefetch:82⤵PID:1916
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2164,12616514243304262712,11329423419477690377,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3024 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:1836 -
C:\Users\Admin\Downloads\Flasher.exe"C:\Users\Admin\Downloads\Flasher.exe"2⤵
- Executes dropped EXE
PID:1304 -
C:\Users\Admin\Downloads\Flasher.exe"C:\Users\Admin\Downloads\Flasher.exe"2⤵
- Executes dropped EXE
PID:1084 -
C:\Users\Admin\Downloads\Flasher.exe"C:\Users\Admin\Downloads\Flasher.exe"2⤵
- Executes dropped EXE
PID:596 -
C:\Users\Admin\Downloads\Flasher.exe"C:\Users\Admin\Downloads\Flasher.exe"2⤵
- Executes dropped EXE
PID:2996 -
C:\Users\Admin\Downloads\Flasher.exe"C:\Users\Admin\Downloads\Flasher.exe"2⤵
- Executes dropped EXE
PID:1444 -
C:\Users\Admin\Downloads\Flasher.exe"C:\Users\Admin\Downloads\Flasher.exe"2⤵
- Executes dropped EXE
PID:4808 -
C:\Users\Admin\Downloads\Flasher.exe"C:\Users\Admin\Downloads\Flasher.exe"2⤵
- Executes dropped EXE
PID:4032 -
C:\Users\Admin\Downloads\Flasher.exe"C:\Users\Admin\Downloads\Flasher.exe"2⤵
- Executes dropped EXE
PID:2752 -
C:\Users\Admin\Downloads\Flasher.exe"C:\Users\Admin\Downloads\Flasher.exe"2⤵
- Executes dropped EXE
PID:4820 -
C:\Users\Admin\Downloads\Flasher.exe"C:\Users\Admin\Downloads\Flasher.exe"2⤵
- Executes dropped EXE
PID:1372 -
C:\Users\Admin\Downloads\Flasher.exe"C:\Users\Admin\Downloads\Flasher.exe"2⤵
- Executes dropped EXE
PID:652 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,12616514243304262712,11329423419477690377,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4424 /prefetch:12⤵PID:364
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2164,12616514243304262712,11329423419477690377,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7048 /prefetch:82⤵PID:3232
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2164,12616514243304262712,11329423419477690377,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6516 /prefetch:82⤵PID:4600
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2164,12616514243304262712,11329423419477690377,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6728 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4356 -
C:\Users\Admin\Downloads\Popup.exe"C:\Users\Admin\Downloads\Popup.exe"2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3580 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,12616514243304262712,11329423419477690377,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7016 /prefetch:12⤵PID:4396
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2164,12616514243304262712,11329423419477690377,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6928 /prefetch:82⤵PID:1344
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2164,12616514243304262712,11329423419477690377,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6068 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:3104 -
C:\Users\Admin\Downloads\rickroll.exe"C:\Users\Admin\Downloads\rickroll.exe"2⤵
- Executes dropped EXE
PID:4388 -
C:\Users\Admin\Downloads\rickroll.exe"C:\Users\Admin\Downloads\rickroll.exe"2⤵
- Executes dropped EXE
PID:5020 -
C:\Users\Admin\Downloads\rickroll.exe"C:\Users\Admin\Downloads\rickroll.exe"2⤵
- Executes dropped EXE
PID:1876 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,12616514243304262712,11329423419477690377,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6772 /prefetch:12⤵PID:2352
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2164,12616514243304262712,11329423419477690377,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6796 /prefetch:82⤵PID:4624
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2164,12616514243304262712,11329423419477690377,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1760 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:3300 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,12616514243304262712,11329423419477690377,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:12⤵PID:3004
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2164,12616514243304262712,11329423419477690377,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4396 /prefetch:82⤵PID:2700
-
C:\Users\Admin\Downloads\WinNuke.98.exe"C:\Users\Admin\Downloads\WinNuke.98.exe"2⤵
- Executes dropped EXE
PID:4360 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2164,12616514243304262712,11329423419477690377,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6256 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:1664 -
C:\Users\Admin\Downloads\WinNuke.98 (1).exe"C:\Users\Admin\Downloads\WinNuke.98 (1).exe"2⤵
- Executes dropped EXE
PID:1360 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,12616514243304262712,11329423419477690377,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=66 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4436 /prefetch:12⤵PID:3384
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2164,12616514243304262712,11329423419477690377,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6964 /prefetch:82⤵PID:4656
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2164,12616514243304262712,11329423419477690377,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6264 /prefetch:82⤵PID:5088
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2164,12616514243304262712,11329423419477690377,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6760 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:1664 -
C:\Users\Admin\Downloads\Annabelle.exe"C:\Users\Admin\Downloads\Annabelle.exe"2⤵
- Modifies WinLogon for persistence
- Modifies Windows Defender Real-time Protection settings
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Checks computer location settings
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
- Adds Run key to start application
- Checks whether UAC is enabled
- System policy modification
PID:4496 -
C:\Windows\SYSTEM32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:1224 -
C:\Windows\SYSTEM32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:1512 -
C:\Windows\SYSTEM32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:3908 -
C:\Windows\SYSTEM32\NetSh.exeNetSh Advfirewall set allprofiles state off3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:1592 -
C:\Windows\System32\shutdown.exe"C:\Windows\System32\shutdown.exe" -r -t 00 -f3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4528 -
C:\Users\Admin\Downloads\Annabelle.exe"C:\Users\Admin\Downloads\Annabelle.exe"2⤵
- Modifies WinLogon for persistence
- Modifies Windows Defender Real-time Protection settings
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
- Adds Run key to start application
- Checks whether UAC is enabled
- System policy modification
PID:4896 -
C:\Windows\SYSTEM32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:2832 -
C:\Windows\SYSTEM32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:2320 -
C:\Windows\SYSTEM32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:4660 -
C:\Windows\SYSTEM32\NetSh.exeNetSh Advfirewall set allprofiles state off3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:2916 -
C:\Users\Admin\Downloads\Annabelle.exe"C:\Users\Admin\Downloads\Annabelle.exe"2⤵
- Modifies WinLogon for persistence
- Modifies Windows Defender Real-time Protection settings
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
- Adds Run key to start application
- Checks whether UAC is enabled
- System policy modification
PID:368 -
C:\Windows\SYSTEM32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:5080 -
C:\Windows\SYSTEM32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:4616 -
C:\Windows\SYSTEM32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:872 -
C:\Windows\SYSTEM32\NetSh.exeNetSh Advfirewall set allprofiles state off3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:2064
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3404
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:516
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2292
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 208 -p 1116 -ip 11161⤵PID:2492
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 372 -p 4788 -ip 47881⤵PID:968
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1752 -ip 17521⤵PID:2080
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2424 -ip 24241⤵PID:1216
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:2708
-
C:\Users\Admin\Downloads\Flasher.exe"C:\Users\Admin\Downloads\Flasher.exe"1⤵
- Executes dropped EXE
PID:2492
-
C:\Users\Admin\Downloads\Flasher.exe"C:\Users\Admin\Downloads\Flasher.exe"1⤵
- Executes dropped EXE
PID:4708
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:1652
-
C:\Users\Admin\Downloads\WinNuke.98.exe"C:\Users\Admin\Downloads\WinNuke.98.exe"1⤵
- Executes dropped EXE
PID:3016
-
C:\Users\Admin\Downloads\rickroll.exe"C:\Users\Admin\Downloads\rickroll.exe"1⤵
- Executes dropped EXE
PID:3244
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:212
-
C:\Windows\system32\werfault.exewerfault.exe /h /shared Global\eab971bbf1e1417c8c0ed44698064140 /t 400 /p 34521⤵PID:4928
-
C:\Users\Admin\Downloads\Annabelle.exeC:\Users\Admin\Downloads\Annabelle.exe1⤵
- Executes dropped EXE
PID:4368
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa38b0055 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
PID:2656
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
2Image File Execution Options Injection
1Netsh Helper DLL
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
2Image File Execution Options Injection
1Netsh Helper DLL
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Direct Volume Access
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
2Safe Mode Boot
1Indicator Removal
2File Deletion
2Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD53a09f853479af373691d131247040276
SHA11b6f098e04da87e9cf2d3284943ec2144f36ac04
SHA256a358de2c0eba30c70a56022c44a3775aa99ffa819cd7f42f7c45ac358b5e739f
SHA512341cf0f363621ee02525cd398ae0d462319c6a80e05fd25d9aca44234c42a3071b51991d4cf102ac9d89561a1567cbe76dfeaad786a304bec33821ca77080016
-
Filesize
62KB
MD5c3c0eb5e044497577bec91b5970f6d30
SHA1d833f81cf21f68d43ba64a6c28892945adc317a6
SHA256eb48be34490ec9c4f9402b882166cd82cd317b51b2a49aae75cdf9ee035035eb
SHA51283d3545a4ed9eed2d25f98c4c9f100ae0ac5e4bc8828dccadee38553b7633bb63222132df8ec09d32eb37d960accb76e7aab5719fc08cc0a4ef07b053f30cf38
-
Filesize
67KB
MD59e3f75f0eac6a6d237054f7b98301754
SHA180a6cb454163c3c11449e3988ad04d6ad6d2b432
SHA25633a84dec02c65acb6918a1ae82afa05664ee27ad2f07760e8b008636510fd5bf
SHA5125cea53f27a4fdbd32355235c90ce3d9b39f550a1b070574cbc4ea892e9901ab0acace0f8eeb5814515ca6ff2970bc3cc0559a0c87075ac4bb3251bc8eaee6236
-
Filesize
41KB
MD559cb232c37a25811223c1101b7aaf371
SHA16290c495c0acfbc1931b2d4290e5e780e2397994
SHA256156f9d51bef921526c82613f57aed91f7a498452f1c9a33e9adb502304b9eae1
SHA51285a87d653b551cb1edc64a61348f632217d33cab3eac1e636c2235c15a2f3fd13479151f787af1047d891f4b9449669d11296298da36ac96f087a29df011761e
-
Filesize
19KB
MD52e86a72f4e82614cd4842950d2e0a716
SHA1d7b4ee0c9af735d098bff474632fc2c0113e0b9c
SHA256c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f
SHA5127a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1
-
Filesize
65KB
MD556d57bc655526551f217536f19195495
SHA128b430886d1220855a805d78dc5d6414aeee6995
SHA256f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4
SHA5127814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb
-
Filesize
84KB
MD574e33b4b54f4d1f3da06ab47c5936a13
SHA16e5976d593b6ee3dca3c4dbbb90071b76e1cd85c
SHA256535fc48679c38decd459ad656bdd6914e539754265244d0cc7b1da6bddf3e287
SHA51279218e8ee50484af968480ff9b211815c97c3f3035414e685aa5d15d9b4152682d87b66202339f212bf3b463a074bf7a4431107b50303f28e2eb4b17843991c2
-
Filesize
1.2MB
MD5620dd00003f691e6bda9ff44e1fc313f
SHA1aaf106bb2767308c1056dee17ab2e92b9374fb00
SHA256eea7813cba41e7062794087d5d4c820d7b30b699af3ec37cb545665940725586
SHA5123e245851bfa901632ea796ddd5c64b86eda217ec5cd0587406f5c28328b5cb98c5d8089d868e409e40560c279332ba85dd8ce1159ae98e8588e35ed61da2f006
-
Filesize
37KB
MD5f31a1ab9f483d9db21349522e39dd16e
SHA101a275d7fc1c4f578fa506c8e0bf9b7787dd4806
SHA256463800c9ec072ae72a4f6fdc1f2f779c792cb7ceb6f57c7d1231eabefad2bd9d
SHA512cab9bf13c36b854bef939e1d09c8d896caf1d7c20f6948f70f27eaf2869e49c8b9be728b4c95926ba869a987516a79d3193d416b0582b7570a58269c8caa7603
-
Filesize
37KB
MD5669b1563b95fce26d9ddc3c7e9bdc538
SHA1275e4ae2606a0da908003b77ea06b24ea8b66214
SHA256d46765072d87d9892a0f6f8f9849eafe0abecee9d662e99f8b45d8c5b22ac667
SHA51209e066f5a1974927b2cb607a8b953f2732928c7347f65cdfcdb573170840562de6eae091a61108827b3ae0799c16bfbd41d858ee1a8bc57d9bb1fac814438302
-
Filesize
20KB
MD5628ba8d31375849e0943894669cd033c
SHA14fa6d50a37fa2dadec892474d3e713ef9de2d8a1
SHA25680e3440c312f921afe33a7d4a3d11d1d2dc7162f8f50b748b796f424441d10d6
SHA512d4406493dc8767c479460f3039b038866549feebf392280384da08adbcad2e871720d046220cb67ebe3ab75c14e06a31df2fa7c0f2c17f91eda26ba0a709d27f
-
Filesize
22KB
MD518afd1da750d6447a8954b3e2e0c446e
SHA1f8c8a7cbf81af5c9de298e031dfd69c1ec836f81
SHA256446938498d26217dd63160bcd02aa1ee15e7fa76b8f0902b459ec6db609d1cc7
SHA512a033fcfacf5f9f74ce8a02ffb6adc4766fbfe1d25f86ee4afc54c5f3ca1ea9655d65f6c29c67e7a86ef28edca1e8b2fcaa362730e8a6bedbdd8a16b52142dfb8
-
Filesize
20KB
MD50f3de113dc536643a187f641efae47f4
SHA1729e48891d13fb7581697f5fee8175f60519615e
SHA2569bef33945e76bc0012cdbd9941eab34f9472aca8e0ddbbaea52658423dc579f8
SHA5128332bf7bd97ec1ebfc8e7fcf75132ca3f6dfd820863f2559ab22ac867aa882921f2b208ab76a6deb2e6fa2907bb0244851023af6c9960a77d3ad4101b314797f
-
Filesize
56KB
MD5f817e737bd803df8a4f12c1937ab0d51
SHA124e172cdf9d4b77b0cb4c271aed4a7c9eba98fc9
SHA25617b0202476b336c41e4108aa245ac863c3e19ef8c5e430fe112a0900f0a18802
SHA512d417d62e0fdcdfa883d4ffb317546e7ac5258aac538cbfad4eb111b134839750a65c55b5230507ff6912ffd272c0eb6317bcdd95c38cfb81c63b8e85b1359346
-
Filesize
59KB
MD54bc7fdb1eed64d29f27a427feea007b5
SHA162b5f0e1731484517796e3d512c5529d0af2666b
SHA25605282cd78e71a5d9d14cc9676e20900a1d802016b721a48febec7b64e63775f6
SHA5129900aecac98f2ca3d642a153dd5a53131b23ceec71dd9d3c59e83db24796a0db854f49629449a5c9fe4b7ca3afcdd294086f6b1ba724955551b622bc50e3ba1e
-
Filesize
130KB
MD57fb1f32a308a59e167e201dc4c1160ec
SHA18f52c9884726d22f48751040d9d622213840d605
SHA256c38018600386a5b57c7a90afaf3dadad705c210ee49b58854133b0614da81226
SHA512b9d96a8518c6e5a61166e4077f084da92664e356515c29c7cc064525714d3035074e4031ea9b1ad929b62be6616eace309c8a8302b9fc3990ec0d21af0e9615d
-
Filesize
21KB
MD50e52c094a93d5bcd8875cce575d7da9a
SHA1de9ecbf399f77a497c96c1a4b3509153ad9751a2
SHA256abafb66ae53e45e075a02ab40e19bc2dbb0126d83f4da5f1fbd3bed1a4b4fdce
SHA512b2cbb5075eb1cf84b9b24c2a2f3165675496d506d5e98a8868c18514c5740c366b5a29a925dcf6f6cacdb8ce6e39eb8673b15ebb55c5e9078e0d7eff631905cb
-
Filesize
373KB
MD59c3e9e30d51489a891513e8a14d931e4
SHA14e5a5898389eef8f464dee04a74f3b5c217b7176
SHA256f8f7b5f20ca57c61df6dc8ff49f2f5f90276a378ec17397249fdc099a6e1dcd8
SHA512bf45677b7dd6c67ad350ec6ecad5bc3f04dea179fae0ff0a695c69f7de919476dd7a69c25b04c8530a35119e4933f4a8c327ed6dcef892b1114dfd7e494a19a7
-
Filesize
15.9MB
MD50f743287c9911b4b1c726c7c7edcaf7d
SHA19760579e73095455fcbaddfe1e7e98a2bb28bfe0
SHA256716335ba5cd1e7186c40295b199190e2b6655e48f1c1cbe12139ba67faa5e1ac
SHA5122a6dd6288303700ef9cb06ae1efeb1e121c89c97708e5ecd15ed9b2a35d0ecff03d8da58b30daeadad89bd38dc4649521ada149fb457408e5a2bdf1512f88677
-
Filesize
1KB
MD5f2a5fa224a7973d8197eaf115b7c66fb
SHA112095d6c6f8dc057f3e022f7e0aa20ff42943237
SHA256e208045af9648d880b8d65fec6c55821b3e70ff6e9496ce7cf9daad978562934
SHA512c67fa1d60258e3d52cc52f3701cd952bded484837647f18b8f8c81d4183c58cf8e5c865299336fb1b13d8e69bfedbbe56e4ae183dd8a7c858c5e6fd68988ae9e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize4KB
MD5bf28ebbcea7418b23aa739cfe1ee85f5
SHA134e9765ac4fe88781f1a3a3804d9cad443ab0148
SHA256132dbfdfacfe1603c9aa811dc44fc05859a5a7c536921ac130cb35a58ca8752e
SHA512d4568dde937d7f746110085cd9c38adb3521d19365c52fd2d443b673566a76a3177c90401bc40a21cf85375039e8689342450abe8dbb2d96081ef89c07068b4b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize3KB
MD555db151d9a2760133ad0a36610289c3c
SHA1333514b39a2210364aba1cf44abc898e59ba4ddf
SHA256a074e8a090da3a0d5d542566f9033415a165ad80bddaf740107e21e8e5ee629e
SHA512d945f39b1a916c60faf80dc840978c13898e98ef45273374f58668c639592e5852ea12277576fffd1a29a2f2b79eb619dc7046a7e4b6214b6d9f77078413da81
-
Filesize
970B
MD528cfd339cba3f9c1942df7c316073c4d
SHA192dd6af557f3c970e35ea9f21553bdd59e6482ca
SHA25621d4b9a4abb61f2d2ebef0ea17cc9711625886969571bdd7763ce9ff838bb403
SHA51219983081a459fbf78a368c1a8cdd1b3b82cf1dcc3b9080e0bfc81e557c0cead499933e1220b44747460dde8c21cd32798aecdc640895f42ed6ac0450207146e5
-
Filesize
1KB
MD55b922a2f3108ab8cec9f52eb3e560563
SHA1c57cf1458a6bfeb98f937283305b6e8734bdfb69
SHA256a69d93b3f628a27557e4291f18370136e1e2f24c2c26b74a81c6244547f45a8f
SHA5126b90bdd9c05a897e4200144b916401520b101e942f1f3108b4a869cd3c1379324bb894ce2530f324f241776de66ff57e22070743de64398fb1be9ec4ac5b2c3d
-
Filesize
6KB
MD5da88d869764948a449905eefe2319300
SHA14c191268507bcb613dfd10c12e8966638547cab6
SHA2563cf878aaabce718795568f0063d7852c3ae3e858e3191760edee75fae6a21819
SHA512a2c076894412e71dd710e1e142bfacaae7766f769ec3a4ff2c67054cbdd508c54370680c0c67edeabb9d0f8c6f709e56a7f0d13efb3bb8df2e1182c617a8cc1b
-
Filesize
6KB
MD57c0a496e46445f0c8ab289087fcbeea5
SHA188c901e66e51a78fdb3b005d5cef4f47a406fe79
SHA2560b056f531bb58e3b1eae185614441cc81a3ac53b894b842c413164789f3fde60
SHA512d8532be18493633b134844f9569407343e0d4ee3317eb51a1de9099026371de829244f4c5dcaf60a126ea5100106dad870d97aa4d1852e0454bee9681fa3e31b
-
Filesize
5KB
MD518d36b5770878077a714fe7076e75491
SHA1293f4c95015d75331357806f179fc0fb64e094a6
SHA256119bc0f5a96b00ad58654aa7cf9c3d993c4b86954d03f460959b72c59ceb4e15
SHA5120c6af3041b31ca9f3f8a269db8a27266ca962cfe2107c2540f7fc0c05f8137cc319eb64a476349da113c69faaa28dff294f73b80f3febe3e2e2cda7339de78d6
-
Filesize
6KB
MD5c821fd5a7864eecdb380fb089c9344aa
SHA1d907277f4fd91c54e7445a768ba319431e22c1ca
SHA256790e415aacadd1d6eaf02b2e4597a69e9aa3656b782b8ee600f15a9a92d9e06d
SHA512265668393b9936a3b5f90db7525e69b453da338966504c7c6a6338ce565eba8c7226c6beb9eec42c940ccbdfa0b9446738a720ac6d8c2a6820e052215cf3c54d
-
Filesize
7KB
MD55b3bca98c742c0ed979f560d229e303a
SHA14b1cb1f95ed9d51cbf99d6b9cc63c386e5d1291d
SHA256416774cfd0370394b5e95c8c0740cf47f9ffbfea415f66ff0cbf44a825923170
SHA5128bc9281f0239eb1746a78b140c2b3eff35107aab38c12f61314c6dbd2cf1f6f6e20e9461e3ca5f8650e2a9defa33ac0df089ecfea6bdfa189e7ea74069a00246
-
Filesize
7KB
MD546bb313c2265c92276ddaa494dceb289
SHA19bdb9a1426d76ea62a9248c3b8c18db1fe297cd3
SHA256ba986174d6b3f971aface00cdd90b2676650041bb6ebf0a90c795a76229d3791
SHA5122ae4953a6da5f45f8df65c3fd8ef2d66d501e12fb86f16a00e2ca6e88434a586de288e092087a4d35999afd408a2063181fb1ca982d2d9379b09ef2319a5d33c
-
Filesize
6KB
MD502d9adbb518ebaa58606c96e3433a017
SHA18c435b11a76ef6cdcbe7fce2c0deaefcef6c96a9
SHA2561b7ce21fc9628f7590553f65b1ffb69c736082efc9724d825e7047bc3b35ba51
SHA5125ad8e492674ac611c960dc1db5913e8623460a9d56dbeb54d3d84874e88272d6cc8b0a3bce6b49530680ab6ab2fd042bbbe92a72bb7f5216cad9515e184e95bb
-
Filesize
7KB
MD5a5e072db62645936a8a0ad1bb91cf256
SHA1ea014104bad60705570dbcf7fe63e80b2a84ad0b
SHA256643dfb53e47247d1d18460c8c049a3cad097c1e13bdf237d48cee1c4795a5a5a
SHA512444d7d37c63f78aa3729a5dc51a0589c6743141ee0694a5d9a2bf85bdf73a9fd6b3afca5c80e84344a62a5ec729fb613cb32f821c5316680503cc1a5990cf002
-
Filesize
7KB
MD596023ff56f72e340774daf762aca0f61
SHA178f510bc40d9b2f73d63642a0f248463f920f71e
SHA256ba71cec80465fd624e92772811d67b71013b57aea888a9f9f98414c30f8b1b76
SHA5121592750bec7c7d426ee53d08f4fd62bbac145ed02392fabed740c9e6c8a25214f260c465520479b01c9f70a5221f274c48ebe170c762ea03b36d55874698f5ec
-
Filesize
7KB
MD5571fa9f61b41121fb44810a65d0cb618
SHA1804c28c8a44b96a76dab13f70e5eabf53519133c
SHA256e94ae684016b53e23aec3272875e72ff7fe7a18699293d6e5cf123c4c120cf76
SHA512a4389533f1811737dca97ebd89df3b18b94babd2f196fb4f5af501a74ec444d03466a7a40809ae9e08ff59e91631a2bf92e24014ec68432579b4d6eeea97ccf8
-
Filesize
1KB
MD55485beb6e3c193d2acaa9e943f8c3e5a
SHA1ad730d01eda84aae06715aaf8bd504ab0350cec9
SHA256e9028b02cf8f2e10c0a8f63e598a0d56fc1760692ecc52d21f8dbf5b3044fbb7
SHA51208b8a15b98d6bdce454bfb27c13f63cd046ae09438da84b5408371e96ce71796131074f8c178a9cb0a0b30c91b6d2c79ea1c9a27f902b41f4fff35ae15167820
-
Filesize
1KB
MD53ddfa9eca1d36e6e1cf5af6ee5391de7
SHA1d636aabbde7eb7ca8464001800090868611aee3c
SHA256db76c50ef2d57b55acfdc6eb45be1842a503b64cfdccf07eef9e79bfc23bdeea
SHA51233f2a7422898131cad37e72120b12c66a4eaf741bc9100a63a0a263c3245de431c0a9e386f2b4b70c111b650834ab7ec061594f2d848f94315fa07dacbfcd257
-
Filesize
1KB
MD50b5c8f11e8ea50d1b51e39b8d3317ef4
SHA11c0fa4747504af5a618b0245cb9f0755e4955328
SHA2560db8f30545c658fb4cfc71b4581f8b35435946274bfd88e88077a0d82d7d36f1
SHA512e51e698a95fafae906a144ef4eff28e18e71a4faaaca14d184d68c9338f14b257504166f1a78b66680061152bbcae6bb9157d5142ca968f5610931749c4e25cc
-
Filesize
1KB
MD564b56eb9f92487d6a5285d4583e954cb
SHA10c0e1fbca0f4faea9cde1021608e66024e5e40f5
SHA256cb63d60b196c09f5cc0dcaafa2c2407dcc2b7d1c5b2018183fddf3399b452db6
SHA512d01e9996b1c5a48958dd234747269bb2133fdcce7e3e566293fca099e5b8fdc61931f6ef17e688c0b8e52025855518a54ae4d0b718fda3d2fcf6e8511ff4ee56
-
Filesize
1KB
MD5ccc034a13930d3b1f0404e4180376eab
SHA1af939a8cfbbdf70c3326d8196f1313f6492b2b30
SHA2561a9a603081d106e74a4637a603c62a8a005b1da6c0265d7d482e4564cf0c2cc7
SHA5120763fdd929d4d827bf647e56823e30cbbd09df20f388ec568d0f360746f607c3077d9c3ea6b1af6bd6ff6b239c78f2da973d9ef7c4e813cb1f71bce5c3bcf9ed
-
Filesize
1KB
MD5b0cc3678b24eb443081847f456dd0a3f
SHA1ebf264938d56b9a26696658043b1fedfc33e74c8
SHA2566dbd253e1cb77cee041c6bfa676e29388afdddd71a29717d12e90e29c81d1b0b
SHA5124326cef0c03e183930ddc8947906b6bb6115053121fb9719419ccb88d104394512b3bba0bbaac03c16d70ea0d8a009419b82ab507c79811ec4ecf9f4ab47a948
-
Filesize
1KB
MD5dcdddaf7bded2cdd65b3ef87277444fc
SHA13078fea439fd3a1e4f3ae076280293cae8015036
SHA2564cb04aa328d96d0048ef56333c8921f1d8f08e0ca3f677cb70b9e8eb11f11496
SHA512306d8aeece16bfa560fd8136142a678603843267310fd2773aa3039e7521d0af7eb2b6c819e8fa6d7e7125c8271273fe7c25e5ce79e4288ebe96e93248cd0300
-
Filesize
1KB
MD5467b4536587a67358634690c5e718110
SHA19ef111781e6b266811f8db161ddfa5a8cec412dd
SHA2561fac0e6611b4330972eb6dede1b541a2f1785e97431da34f45743781e337aaa8
SHA5125ac2a2b6a51e1bf3a9b9c783a7611fa3be89d9185f68fec10d4b5433cbf2d722907aae93a597c60dd32ed5e01a1988940e8280a2a4741757f8603164a18c56e9
-
Filesize
1KB
MD5124194a5165162a3a3bfdaaf16bcfb26
SHA1552379e7bdbe780ee35cbe74a320922d21aee9de
SHA256b8ca56fae94fdd354ad65df68ed52da16006703e046588cf25883741ef315c2e
SHA51258334775ad6ad097b12f29b4a8af5eddb12c140144b43b6e19b7864aa620eccab75ef0b7357f03a87648ff41824489c6f840035a2d7e8658bbc2b98e770e6bfe
-
Filesize
1KB
MD54ad5665ac29cbab164fb9864e645231d
SHA16d69982be6cae49fd76154921a7ea20d8ccc43c5
SHA256b89dccf51dbb7d366569c4ee5f4062a269c233f93b5cd9b62c9ed0f023e2a2af
SHA5124354f51f75d16593506c8832cd9e437885e1bee95521fb0bc48c05169ea2c224dbe231e78c537e87eb5a19c4886d09d2143b760e411f0ec2eea239fb69d870e0
-
Filesize
1KB
MD5b754b723be00e99e0e69c0d9119859b0
SHA18303690b6016aa195d15cb531fd09ea37e25d689
SHA256195c4d2d8b62fa6db1cf64db8b0578b23dcb31e42fa5964eb5e48d3ecdd2a363
SHA5121448b73e274868ba8ab509b10629eee0ded1ce409662f4015c7c009dce6e18a0c5081b39a4acefad39a90afb011d40b6a46dc51031888183184abeb02432ca95
-
Filesize
1KB
MD50ab45a68bcab8d99f5cd38f39b2ef5a3
SHA1e59c4f90308a520ef60a2856e06f55d53f59b54d
SHA2567aa9a44b9db523265ac785c737cef4f4f7793d9c235739a1471f3a5841ffae62
SHA5129e0da3cbada88dc5fac734042549f45e62a7f4c7599638ee8a826ddcdd064f49e103f566c050d677fbb16c6eee324aa100928f3da68048db00a72d404ac6db3b
-
Filesize
1KB
MD5bf95d6768e6ed5d47071402a5c8b3bd5
SHA1f47e71184a15d2fc59001b1770f29e5af0d7ee4f
SHA256188dd2bdd7f71c6a4884cfe3c4182dbd28449ff7cd633ec0cbf842f5c2dff01c
SHA5129431bc86ce14a0f3e94683bc37acc518c524f140ea5079db667495950a5484094ff86e4a90d05ab5766920e9ee4da3ffa986a8e058b1871b674c75b707ab0004
-
Filesize
1KB
MD51ac3f022762fda3b5ef14f0bc3670071
SHA1f86ed2ad81b24d0e336c203f5bcda3f29c1faad1
SHA2569f2a4c336844fefeb6bb0a37ece868ce17c44e9efbf6a5b10b37dfe72ae92621
SHA5124376127444d06b14b7b352bb0c191595043386407b6bdad026e1720ffb0425b6a8bf4348292abaa530bdfdd458ef02bbc94d4d07295aa1547c45fe3b9b8a7426
-
Filesize
1KB
MD5a957b8209de4767970d59f2f867c38dc
SHA1e6c93bc326a7da472db02c04438d8eff7f2868cd
SHA2567f4e9ef1b6e49d00bb932b232b75b71bb12131e1c0d78ce2e36365df55f930cc
SHA512c498b88b26fcff17a1792e68aeb40de808dc10396e09b178ac861bc81d3329e3b824eff3447205b7849fe5d3857a3ea70ccfd0947904b0ebd1cac8ff6829c4e2
-
Filesize
1KB
MD591685d576a640bbd98793b20acdf4732
SHA19ac2115e4c9e9b0d05e34c714cbee0615e5efcf4
SHA2567a541cec2e887e5b293a3ce9b30d65cc25a081e4c6b81c0e075372a323799c0d
SHA512aa315f994e5171f15281b08806254b573c0e1dca84ce829633e452b87adadc5ec480a12586e616e3415458a543133d45ce89f8fdc97277c8a897c9671a2996f2
-
Filesize
1KB
MD575e1cd7eb18c189debe8a2ca8d3b519e
SHA14c351c46be033f77036cdc5479d11744aa0cdf1e
SHA256cde31f5fdb4a2af8ed20366d82fdd8361c870ba5b7d503ce5d142f5eb115f2e3
SHA512a2379304bb719dddc464cddd5886a38a7576edffe6e6993fcae4c6589928b7aa68be1b0b008b279b9ba13f849ff1c16050443d8fb4d2408664eb90ebc655e1c6
-
Filesize
1KB
MD55540e246832a190ae7b9ebb4438c9c80
SHA13ebbe7c2967481bdd3fd15101c8598e455e92fd9
SHA25643f014246741e5d599cba8e130983dcaf56193fc11c0eed68964dfa585dccca1
SHA512e474855a258da28c9de9c44d00c3cb40a9ef4c96153d4c3f4713114a91bdaec6af6877827da6ecb1eac97ddd8897d7ab915108571cf14cf119c812401469540f
-
Filesize
1KB
MD56ffb871c4d8fee7e5fc56f8557d328d0
SHA1b10a9fef2b837a476cea0814402f617c7edd5b3e
SHA2563b0dd1d9a6229b0c1d968c732ac46b4d38da509f57021a81fea31fb23516032d
SHA51204166d3123035fcb0e6cc00057d89b50897d4c404a89e7cee2d52938bb298aa93a75189bfcf68643031a20648275dd2fcc633175a97007bfaf81c51021eeb967
-
Filesize
1KB
MD5067d185cac92900458caf58ff36c5ea5
SHA17ada041cbbee3549edbc6973c5a6fc70adc4b074
SHA2561209dfb08a4c8599974d97d0f6e7a6c61bde9c37dc71923948f2e269c9bfd852
SHA51207724617f105f694a8ade65049fca0aff82b153973e81671a35ae513849f5ddfe75a968a8e29d8165a117090149d6e5b3e3880278ad2ab0a8117fcbeda0486b4
-
Filesize
1KB
MD5d94422f94e0cccb28119642e401505dc
SHA12eb318ef4e316fab00a6e6a0f95adb1d14a84aa3
SHA2562f1af7974f2748288a15bde054b43e6fbcc3ad6058b3e1d1d26aa2ccfbbf5168
SHA512d957dd344701703d3e4840c94d0cc07050db2ae41692e38a98fda5365b0649320460e5345068e9bc67e93f216df085a211c08e6f258013b78337d207846eceac
-
Filesize
1KB
MD514047075ad24090a3c036b28bef3137d
SHA15f766a1cdb5f131a3d0abbe6066416aabb82ad0f
SHA256ffd07cb8642392ebcedd4800124200fe347558a620f8bc5f02f522abf885776e
SHA512a4938d7a8a8db3a0d69d4b6c52ea55eeb0f8db8ad01c7edeeca147d0e2df084a82716eff9906a004dfe820a7dcc182ae7c1e630a018d55078866a879cf80a18b
-
Filesize
1KB
MD58bde7417a4071ea284a7a001bf3ef3fe
SHA1ccf97951c6833e8fd02812ab7d5e53e8dd252052
SHA256da94c87a8cd2328543d1775759a4c314fee1e09ef27164f7f0e2864bb31e3811
SHA5126a7f113e80712dc239c0f3972c675165a58dffda5cb79739394d20bd1598b6a5708a9a115bc8042addb94b3289e76998673d65e137369c65a0b7aa2142085000
-
Filesize
536B
MD5e8ecdbeeb5d8997abf349beb22ad3343
SHA1b7b65a86a14abbc5007d986d04c1da0125960774
SHA256fde86e1a0642636335d4c47e95634bef4df67eda9c2d3538d189c45497f5c496
SHA512a176ae7faf95f1f1ddd1f0b2e61356302443fd789c55e9f9e2dd3692874a8d74516de8d01143ba048c47e092a7aa76023c2f9210e895c2fa425b6aadb34192b3
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\blob_storage\991eec12-e4f8-47ef-bbb4-3a76c7db7020\1
Filesize10.9MB
MD5c2c4450dd9dd82f2214c555cead43118
SHA1af8f5b2955f2f1976128d08045b35d6c939495f5
SHA256838fa0b08fba45c99233254dd2e1b02840c6f2c842a3848ee1fd343d0f3dc6b7
SHA5126e30efbaab63f33776e263a72a42a52fa15cf145edee80b129b50ac80be97411285dc1263cb4609896be6150ba49ba59fae3f906e9cdf55f8539da0d79837de9
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD52f67ee20a4f3e355db1d615e3ffff499
SHA15a2cca47c88a8b0463e4b10d3f0cea8b92ea834f
SHA256f745e65214bf92d1f2122d318468df1401066834802eed26d7ecd27704dafd96
SHA512115dd1e91ae9274aae055fa08808718299e49727fda072a6c48b0b03004ab83d44bebff80c82a8d188bad6dac19968a49df6cef7718e03aa103989ffe2fe4383
-
Filesize
12KB
MD58fda7d6ac1784a8580d9cca280c947fb
SHA188e3f46c9f459cbbc05b9341783306824a200906
SHA256a7441fbd135fba66ee711ede9751a83e845b7ee29c1dd563c3af3d2b9d00cc0a
SHA512f034da7176392cb8a0c64eb4957650474957bb23f774c0d90ad7dc7673feaa5614c8cced2116bf62fa9fc24c7aafb93b893052abe4b2fc990d00047424ae5b73
-
Filesize
12KB
MD56178422c3e6c31f983f5b99dabdef841
SHA189b49817ca0e1172f11d8292ea2101216d3d467d
SHA25610206378ab1e0c349f6f5d02ba6aa2699b7f799147509d057329b8fc4711cbb4
SHA5126d745a477d0a56f9ffc62f902909ff410d97114a461fba499ba8902213e9caf23e6f6d37d3e20605145c09f5039f796403418a34a25d5c8694002ea4b1448178
-
Filesize
12KB
MD5af6094220b8f74294f67419cfe5a428f
SHA11efa69139fa92f438f3d7fb2ce7657f390e9ec25
SHA2560d8714fbe72d8fcb5feeb388f1e40c52f0ddade7eb45cdb1a243898c27e5d0b5
SHA5126c3e3ac154270fbee6507c7ad0a9a5310536d7950343d9dd3a2082ed6fb34655d32cd05d829d132e6b0de2631544f43c024319bf1a6f79ed79d8abe5ffe875d1
-
Filesize
12KB
MD51ac44251efde9691fa394228e0327830
SHA1e3a93c828f2791c8547e7b20943aff7dc9d8f4ba
SHA2561bcad23bf4ac09e83e5915852e4e5f1836ec423555de432dbc86a7216ab53bc0
SHA512c2133a4ce7c4f4bb3de62d8d1521e2b24604a87d94cd22d5203e0adcca0c7c872783128b8694eb9a676cceca190a7e29d153c87c56dad4c91a5a3d830fbc68d2
-
Filesize
12KB
MD549881ca96a64a8f747003a454bbde748
SHA166cfc5d3ae65eba2a51930c65b539b033a0ba6d9
SHA256416bc52f1cced6011bf5d7bb69380dabe4e24ef3f21597777e9ccbd5b19571e5
SHA512869dbc79eea11fa95dd1862a0622cfe727f7de503054e2049f05a014a6805bbea9f9e421fc4bb843dfb6960a86e2ac42a0f693d03079414a87151682db86113d
-
Filesize
12KB
MD527b33df9c417ef52815f361f78fc61d0
SHA1478c03bb6115a913771b4c3c7651f9f781ae4e92
SHA256912b28b8ec2182a1214c870b5f3053fb9b772a0cb39f39b60b737733b0fa33c1
SHA512221079f717e98881a628b70c0195f9a88ed832d05bd0bd7f6afdc1ddeb88c0071f3ed03ddb423a6dc2b965c9748852483ec41f361e361cf5f275f14a34c8240a
-
Filesize
12KB
MD5355052915da63d0fb250f60f5c42f1dc
SHA13a3f2729c837038dfa301f74a47be979686536af
SHA2569d2934146f6a44f4e6cd3f462255231dd1732e9173fde5a930c514afd0f04007
SHA512a348e7c4a7aa239c648090233f5be80ae1d26236c1ec5e35273b120002a586b684324d8e12eb73e629a0028d92fb2413de511ffb52043cbe5145a95f94980b62
-
Filesize
1KB
MD5607c56333f829244a7bbd94505381bea
SHA1d38b47b7aa3ebbfd6d2130708581c60e03a8c9d0
SHA256baf34a243bda12c7bfda937cc998acb1edb5c815c42730504d603817a21afe40
SHA5126a6125fb7d64ba598c07543d4f54761eeb10a740a6dc1e7549392585ffe715bdb4996bade57060dc39ebb7e5f33be205bd5efbce21c0cf209607d51faeccec3c
-
Filesize
424KB
MD5e263c5b306480143855655233f76dc5a
SHA1e7dcd6c23c72209ee5aa0890372de1ce52045815
SHA2561f69810b8fe71e30a8738278adf09dd982f7de0ab9891d296ce7ea61b3fa4f69
SHA512e95981eae02d0a8bf44493c64cca8b7e50023332e91d75164735a1d0e38138f358100c93633ff3a0652e1c12a5155cba77d81e01027422d7d5f71000eafb4113
-
Filesize
129KB
MD50ec108e32c12ca7648254cf9718ad8d5
SHA178e07f54eeb6af5191c744ebb8da83dad895eca1
SHA25648b08ea78124ca010784d9f0faae751fc4a0c72c0e7149ded81fc03819f5d723
SHA5121129e685f5dd0cb2fa22ef4fe5da3f1e2632e890333ce17d3d06d04a4097b4d9f4ca7d242611ffc9e26079900945cf04ab6565a1c322e88e161f1929d18a2072
-
Filesize
43KB
MD5b2eca909a91e1946457a0b36eaf90930
SHA13200c4e4d0d4ece2b2aadb6939be59b91954bcfa
SHA2560b6c0af51cde971b3e5f8aa204f8205418ab8c180b79a5ac1c11a6e0676f0f7c
SHA512607d20e4a46932c7f4d9609ef9451e2303cd79e7c4778fe03f444e7dc800d6de7537fd2648c7c476b9f098588dc447e8c39d8b21cd528d002dfa513a19c6ebbf
-
Filesize
7B
MD54047530ecbc0170039e76fe1657bdb01
SHA132db7d5e662ebccdd1d71de285f907e3a1c68ac5
SHA25682254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750
SHA5128f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e
-
Filesize
246KB
MD59254ca1da9ff8ad492ca5fa06ca181c6
SHA170fa62e6232eae52467d29cf1c1dacb8a7aeab90
SHA25630676ad5dc94c3fec3d77d87439b2bf0a1aaa7f01900b68002a06f11caee9ce6
SHA512a84fbbdea4e743f3e41878b9cf6db219778f1479aa478100718af9fc8d7620fc7a3295507e11df39c7863cb896f946514e50368db480796b6603c8de5580685a
-
Filesize
32KB
MD5eb9324121994e5e41f1738b5af8944b1
SHA1aa63c521b64602fa9c3a73dadd412fdaf181b690
SHA2562f1f93ede80502d153e301baf9b7f68e7c7a9344cfa90cfae396aac17e81ce5a
SHA5127f7a702ddec8d94cb2177b4736d94ec53e575be3dd2d610410cb3154ba9ad2936c98e0e72ed7ab5ebbcbe0329be0d9b20a3bcd84670a6d1c8d7e0a9a3056edd2
-
Filesize
68KB
MD5bc1e7d033a999c4fd006109c24599f4d
SHA1b927f0fc4a4232a023312198b33272e1a6d79cec
SHA25613adae722719839af8102f98730f3af1c5a56b58069bfce8995acd2123628401
SHA512f5d9b8c1fd9239894ec9c075542bff0bcef79871f31038e627ae257b8c1db9070f4d124448a78e60ccc8bc12f138102a54825e9d7647cd34832984c7c24a6276
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e