Analysis
max time kernel: 1007s
max time network: 1009s
platform: windows11-21h2_x64
resource: win11-20240709-en
resource tags: arch:x64, arch:x86, image:win11-20240709-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 13-07-2024 20:53
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: http://google.com
Resource: win11-20240709-en

The submitted sample is the URL http://google.com. The signatures below are not produced by that URL; they are triggered by executables fetched into the VM during the interactive run (the partially downloaded C:\Users\Admin\Downloads\Unconfirmed 983539.crdownload and the binaries later executed from C:\Users\Admin\Downloads, such as Annabelle.exe), so the report should be read as an analysis of those downloads.
Signatures
Dharma
Dharma (also tracked as CrySIS) is a ransomware family; some of its campaigns have been deployed alongside legitimate security-software installers to mask the malicious activity. Its encrypted files carry a victim ID, a contact address and a campaign extension in the file name, which is the .id-BF08C0AC.[...].ncov suffix on the files written by CoronaVirus.exe further down in this report (the contact address is redacted in this copy of the report).
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\Downloads\\Annabelle.exe" | Annabelle.exe
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | Annabelle.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | Annabelle.exe
Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Annabelle.exe
WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ReZer0 packer 1 IoCs
Detects ReZer0, a packer with multiple versions used in various campaigns. The matching memory region belongs to PID 4752, which the "Executes dropped EXE" list below identifies as WarzoneRAT.exe, so the packer is wrapping the RAT payload.
Processes:
resource | yara_rule
behavioral1/memory/4752-1255-0x0000000005C10000-0x0000000005C38000-memory.dmp | rezer0
Renames multiple (563) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
Disables RegEdit via registry modification 2 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Annabelle.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Annabelle.exe
Disables Task Manager via registry modification
Disables use of System Restore points 1 TTPs
Downloads MZ/PE file
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
Annabelle.exe creates an Image File Execution Options subkey for each target image and sets its Debugger value to "RIP". When one of these images is started, the loader runs the Debugger string with the original command line appended; because no program named RIP exists, the launch fails and the tool never runs. The targets are the utilities a user or responder would reach for (taskmgr.exe, cmd.exe, powershell.exe, msconfig.exe, mmc.exe, bcdedit.exe, taskkill.exe, Autoruns, UserAccountControlSettings.exe, recoverydrive.exe) plus browsers and media players, so the effect here is execution denial rather than code injection. The entries for DLL names (ksuser.dll, url.dll, rasman.dll, webcheck.dll, cabinet.dll, usbui.dll, mpg4dmod.dll, shellstyle.dll) have no effect, since the Debugger value is only consulted for executables started as processes.
Processes:
All keys are under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\; each row gives the subkey relative to that path. All operations were performed by Annabelle.exe.
description | ioc
Key created | wmplayer.exe
Key created | ksuser.dll
Key created | url.dll
Key created | cmd.exe
Set value (str) | microsoftedgecp.exe\Debugger = "RIP"
Set value (str) | systemexplorer.exe\Debugger = "RIP"
Set value (str) | taskkill.exe\Debugger = "RIP"
Set value (str) | mspaint.exe\Debugger = "RIP"
Set value (str) | attrib.exe\Debugger = "RIP"
Set value (str) | rasman.dll\Debugger = "RIP"
Set value (str) | webcheck.dll\Debugger = "RIP"
Key created | msconfig.exe
Set value (str) | cmd.exe\Debugger = "RIP"
Key created | gpedit.msc
Key created | Autoruns64.exe
Key created | yandex.exe
Key created | control.exe
Set value (str) | MSASCuiL.exe\Debugger = "RIP"
Set value (str) | Autoruns64.exe\Debugger = "RIP"
Set value (str) | sethc.exe\Debugger = "RIP"
Set value (str) | cabinet.dll\Debugger = "RIP"
Set value (str) | usbui.dll\Debugger = "RIP"
Key created | powershell.exe
Key created | sethc.exe
Key created | recoverydrive.exe
Set value (str) | opera.exe\Debugger = "RIP"
Set value (str) | iexplore.exe\Debugger = "RIP"
Set value (str) | Autoruns.exe\Debugger = "RIP"
Key created | mspaint.exe
Key created | dllhost.exe
Set value (str) | notepad.exe\Debugger = "RIP"
Key created | mmc.exe
Set value (str) | recoverydrive.exe\Debugger = "RIP"
Set value (str) | logoff.exe\Debugger = "RIP"
Key created | DBGHELP.exe
Key created | mpg4dmod.dll
Key created | usbui.dll
Set value (str) | taskmgr.exe\Debugger = "RIP"
Key created | microsoftedgecp.exe
Key created | systemexplorer.exe
Key created | rundll.exe
Set value (str) | rundll.exe\Debugger = "RIP"
Set value (str) | mmc.exe\Debugger = "RIP"
Key created | UserAccountControlSettings.exe
Set value (str) | powershell.exe\Debugger = "RIP"
Key created | attrib.exe
Key created | webcheck.dll
Set value (str) | msconfig.exe\Debugger = "RIP"
Key created | notepad++.exe
Set value (str) | UserAccountControlSettings.exe\Debugger = "RIP"
Set value (str) | bcdedit.exe\Debugger = "RIP"
Key created | opera.exe
Set value (str) | wmplayer.exe\Debugger = "RIP"
Key created | shellstyle.dll
Set value (str) | microsoftedge.exe\Debugger = "RIP"
Key created | DCIMAN32.exe
Key created | rasman.dll
Key created | logoff.exe
Set value (str) | rundll32.exe\Debugger = "RIP"
Key created | chkdsk.exe
Set value (str) | chkdsk.exe\Debugger = "RIP"
Set value (str) | mpg4dmod.dll\Debugger = "RIP"
Set value (str) | url.dll\Debugger = "RIP"
Set value (str) | notepad++.exe\Debugger = "RIP"
Modifies Windows Firewall 2 TTPs 1 IoCs
Processes:
pid | process
39684 | NetSh.exe
YARA match: aspack_v212_v242 (ASPack 2.12-2.42 packer) on the partially downloaded file
Processes:
resource | yara_rule
C:\Users\Admin\Downloads\Unconfirmed 983539.crdownload | aspack_v212_v242
Drops startup file 5 IoCs
Processes:
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CoronaVirus.exe | CoronaVirus.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | CoronaVirus.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-BF08C0AC.[[email protected]].ncov | CoronaVirus.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-BF08C0AC.[[email protected]].ncov | CoronaVirus.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta | CoronaVirus.exe
Executes dropped EXE 19 IoCs
Processes:
pid | process
1440 | Launcher.exe
4664 | WindowsUpdate.exe
240 | YouAreAnIdiot.exe
3408 | Time.exe
1392 | Time.exe
4752 | WarzoneRAT.exe
2208 | WarzoneRAT.exe
1640 | CoronaVirus.exe
49340 | CoronaVirus.exe
12084 | msedge.exe
11988 | msedge.exe
10608 | msedge.exe
37900 | NoMoreRansom.exe
38212 | NoMoreRansom.exe
39056 | msedge.exe
39160 | msedge.exe
39216 | msedge.exe
39352 | msedge.exe
39524 | Annabelle.exe
Impair Defenses: Safe Mode Boot 1 TTPs 1 IoCs
Entries under SafeBoot\Minimal control what is allowed to load when Windows boots into Safe Mode; writing there lets the malware survive a Safe Mode recovery boot, which is why the report maps this write to Impair Defenses: Safe Mode Boot.
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\MinimalX = "1" | Annabelle.exe
Loads dropped DLL 7 IoCs
Processes:
pid | process
12084 | msedge.exe
11988 | msedge.exe
10608 | msedge.exe
39056 | msedge.exe
39160 | msedge.exe
39216 | msedge.exe
39352 | msedge.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application 2 TTPs 7 IoCs
NoMoreRansom.exe registers itself under the value name "Client Server Runtime Subsystem" pointing at C:\ProgramData\Windows\csrss.exe, mimicking the legitimate csrss.exe in System32. Annabelle.exe writes the same UpdateBackup entry to the user hive, the machine hive and the WOW6432Node view. CoronaVirus.exe registers both its copy in System32 and its ransom note Info.hta, which mshta.exe opens at every logon.
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" | NoMoreRansom.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UpdateBackup = "C:\\Users\\Admin\\Downloads\\Annabelle.exe" | Annabelle.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000\Software\Microsoft\Windows\CurrentVersion\Run\UpdateBackup = "C:\\Users\\Admin\\Downloads\\Annabelle.exe" | Annabelle.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UpdateBackup = "C:\\Users\\Admin\\Downloads\\Annabelle.exe" | Annabelle.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CoronaVirus.exe = "C:\\Windows\\System32\\CoronaVirus.exe" | CoronaVirus.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\"" | CoronaVirus.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\"" | CoronaVirus.exe
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Annabelle.exe
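The registry events listed above (Winlogon Shell, the Defender policy key, EnableLUA, DisableRegistryTools, the IFEO Debugger values, the SafeBoot write and the Run keys) all share one line format. The Python below is an added example, not part of the sandbox report or of any of the samples: it parses lines in that format and tags the technique each one implements, so a batch of such lines can be triaged without reading them one by one. The sample lines are copied from this report. The DisableTaskMgr rule is included because the report flags "Disables Task Manager via registry modification" without listing its IoC; that value name is the standard Windows policy setting and is an assumption here, not taken from the report.

```python
"""Technique tagging for sandbox registry-event lines (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One registry event as the report prints it:
#   <op> <key>[ = "<data>"] <process>
# The key may contain spaces ("Windows NT", "Image File Execution Options"),
# so it is matched non-greedily and the process name is the final token.
LINE_RE = re.compile(
    r'^(?P<op>Key created|Set value \((?P<type>str|int)\))\s+'
    r'(?P<key>\\REGISTRY\\.+?)'
    r'(?:\s*=\s*"(?P<data>.*)")?'
    r'\s+(?P<process>\S+)$'
)

IFEO = "\\image file execution options\\"
RUN = "\\currentversion\\run\\"

# Constructed sample: lines copied from this report's signature tables.
SAMPLE_EVENTS = r'''
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\Downloads\\Annabelle.exe" Annabelle.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Annabelle.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" Annabelle.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Annabelle.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Annabelle.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe Annabelle.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "RIP" Annabelle.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powershell.exe\Debugger = "RIP" Annabelle.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\MinimalX = "1" Annabelle.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" NoMoreRansom.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\"" CoronaVirus.exe
'''.strip().splitlines()


@dataclass
class RegEvent:
    op: str
    key: str
    data: Optional[str]   # None for "Key created"
    process: str


def parse_line(line: str) -> RegEvent:
    """Split one report line into operation, key path, value data and process."""
    m = LINE_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unrecognised registry event: {line!r}")
    return RegEvent(m["op"], m["key"], m["data"], m["process"])


def classify(ev: RegEvent) -> Optional[str]:
    """Map one event to the technique it implements, or None if unremarkable."""
    k = ev.key.lower()
    leaf = ev.key.rsplit("\\", 1)[-1]
    is_set = ev.op.startswith("Set value")
    if IFEO in k:
        if is_set and leaf.lower() == "debugger":
            image = ev.key.split("\\")[-2]
            # The loader runs "<Debugger> <image> <args>" instead of <image>; a value
            # that is not a real debugger path makes the target impossible to launch.
            return f"T1546.012 IFEO Debugger for {image} set to {ev.data!r}"
        return f"T1546.012 IFEO key prepared for {leaf}"
    if not is_set:
        return None
    if k.endswith("\\winlogon\\shell"):
        return f"T1547.004 Winlogon Shell replaced with {ev.data!r}"
    if RUN in k:
        value_name = ev.key[k.rfind(RUN) + len(RUN):]   # value names may contain backslashes
        return f"T1547.001 Run key {value_name!r} -> {ev.data!r}"
    if k.endswith("\\real-time protection\\disablerealtimemonitoring") and ev.data == "1":
        return "T1562.001 Defender real-time monitoring disabled by policy"
    if k.endswith("\\policies\\system\\enablelua") and ev.data == "0":
        return "UAC disabled (EnableLUA = 0)"
    if k.endswith("\\policies\\system\\disableregistrytools") and ev.data == "1":
        return "T1562.001 Registry Editor blocked by policy"
    if k.endswith("\\policies\\system\\disabletaskmgr") and ev.data == "1":
        return "T1562.001 Task Manager blocked by policy"   # value name assumed, not in this report
    if "\\control\\safeboot\\minimal\\" in k:
        return f"T1562.009 Safe Mode boot list modified ({leaf} = {ev.data})"
    return None


def triage(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (process, finding) pairs for every line that maps to a technique."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        label = classify(ev)
        if label is not None:
            findings.append((ev.process, label))
    return findings


if __name__ == "__main__":
    for process, finding in triage(SAMPLE_EVENTS):
        print(f"{process:18} {finding}")
```

The parser relies on two properties of the report format: the process name is always the last whitespace-free token, and value data is always double-quoted, so a key path containing spaces never gets confused with the trailing process name. Anything that does not match raises rather than silently dropping the line, which is the behaviour you want when the input is evidence.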
Drops desktop.ini file(s) 64 IoCs
Processes:
All 64 entries are "File opened for modification" by CoronaVirus.exe:
C:\Users\Admin\Pictures\Camera Roll\desktop.ini
C:\Program Files\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini
C:\Users\Public\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
C:\Users\Admin\Favorites\desktop.ini
C:\Users\Public\AccountPictures\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
C:\Users\Admin\Contacts\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini
C:\Users\Admin\Desktop\desktop.ini
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini
C:\Program Files (x86)\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini
C:\Users\Admin\Downloads\desktop.ini
C:\Users\Admin\Links\desktop.ini
C:\Users\Admin\Music\desktop.ini
C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini
C:\Users\Public\Documents\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini
C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
C:\$Recycle.Bin\S-1-5-21-3766757357-1293853516-507035944-1000\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
C:\Users\Admin\Searches\desktop.ini
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
C:\Users\Admin\Pictures\desktop.ini
C:\Users\Public\Pictures\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini
C:\Users\Admin\Videos\desktop.ini
C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini
C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
C:\Users\Public\Videos\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini
C:\Users\Admin\Favorites\Links\desktop.ini
C:\Users\Public\Music\desktop.ini
F:\$RECYCLE.BIN\S-1-5-21-3766757357-1293853516-507035944-1000\desktop.ini
C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini
C:\Users\Admin\Documents\desktop.ini
C:\Users\Public\Downloads\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini
C:\Users\Admin\OneDrive\desktop.ini
C:\Users\Public\Libraries\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
Drops file in System32 directory 2 IoCs
Processes:
description | ioc | process
File created | C:\Windows\System32\Info.hta | CoronaVirus.exe
File created | C:\Windows\System32\CoronaVirus.exe | CoronaVirus.exe
Suspicious use of SetThreadContext 2 IoCs
Both WarzoneRAT.exe instances call SetThreadContext on a child MSBuild.exe, the process-hollowing pattern: a legitimate signed binary is started suspended, its memory is overwritten with the payload, and the primary thread's context is redirected into it. The ReZer0 packer match above (memory dump from PID 4752) comes from the same parent.
Processes:
pid | target pid | process | target process
4752 | 5100 | WarzoneRAT.exe | MSBuild.exe
2208 | 3568 | WarzoneRAT.exe | MSBuild.exe
Drops file in Program Files directory 64 IoCs
Processes:
CoronaVirus.exedescription ioc process File opened for modification C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.40831.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-36.png CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-white\GenericMailWideTile.scale-100.png CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib\components\Breadcrumb\Breadcrumb.js CoronaVirus.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\ea-sym.xml CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsMaps_1.0.22.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsSplashScreen.scale-100_contrast-black.png CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\fre\StartMenu_Win10.mp4.id-BF08C0AC.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\StandardVL_KMS_Client-ul-oob.xrm-ms.id-BF08C0AC.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\cmm\CIEXYZ.pf CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.6.3102.0_neutral_split.scale-200_8wekyb3d8bbwe\Win10\MicrosoftSolitaireAppList.scale-200.png CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-white\ExchangeMediumTile.scale-400.png CoronaVirus.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader 
DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\themes\dark\rhp_world_icon_hover_2x.png.id-BF08C0AC.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\AUDIOSEARCHMAIN.DLL CoronaVirus.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\ja\LC_MESSAGES\vlc.mo.id-BF08C0AC.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\rsod\office.x-none.msi.16.x-none.boot.tree.dat.id-BF08C0AC.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.42251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-30_contrast-white.png CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_4.0.2.0_x64__8wekyb3d8bbwe\Assets\Icons\StickyNotesWideTile.scale-200_contrast-white.png CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-black\EmptySearch.scale-100.png CoronaVirus.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\plugin2\msvcp140.dll CoronaVirus.exe File created C:\Program Files\Microsoft Office\root\Licenses16\StandardMSDNR_Retail-ul-phn.xrm-ms.id-BF08C0AC.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ExtendScript.dll.id-BF08C0AC.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Collections.NonGeneric.dll.id-BF08C0AC.[[email protected]].ncov CoronaVirus.exe File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp6-ul-phn.xrm-ms.id-BF08C0AC.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files (x86)\Mozilla Maintenance 
Service\logs\maintenanceservice-install.log CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\MicrosoftDataStreamerforExcel.dll.manifest CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_MAK-ppd.xrm-ms CoronaVirus.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\PresentationCore.resources.dll.id-BF08C0AC.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@uifabric\utilities\lib-amd\appendFunction.js CoronaVirus.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\dark\arrow-right.png.id-BF08C0AC.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\es-es\ui-strings.js.id-BF08C0AC.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\dd_arrow_small.png.id-BF08C0AC.[[email protected]].ncov CoronaVirus.exe File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_Trial2-ul-oob.xrm-ms.id-BF08C0AC.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\CourierStd-Bold.otf CoronaVirus.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Reflection.Emit.Lightweight.dll CoronaVirus.exe File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft 
Shared\THEMES16\STRTEDGE\PREVIEW.GIF.id-BF08C0AC.[[email protected]].ncov (CoronaVirus.exe)
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.GetHelp_10.2008.32311.0_x64__8wekyb3d8bbwe\Assets\contrast-white\GetHelpAppList.targetsize-30_contrast-white.png (CoronaVirus.exe)
- File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.OpenSsl.dll.id-BF08C0AC.[[email protected]].ncov (CoronaVirus.exe)
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.WindowsMaps_1.0.22.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MapsLargeTile.scale-125_contrast-black.png (CoronaVirus.exe)
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\themes\dark\share_icons2x.png.id-BF08C0AC.[[email protected]].ncov (CoronaVirus.exe)
- File opened for modification: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-core-file-l1-2-0.dll (CoronaVirus.exe)
- File opened for modification: C:\Program Files\Microsoft Office\root\rsod\proof.en-us.msi.16.en-us.tree.dat (CoronaVirus.exe)
- File opened for modification: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Dynamic.Runtime.dll.id-BF08C0AC.[[email protected]].ncov (CoronaVirus.exe)
- File created: C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\System.Xaml.resources.dll.id-BF08C0AC.[[email protected]].ncov (CoronaVirus.exe)
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\sk-sk\ui-strings.js.id-BF08C0AC.[[email protected]].ncov (CoronaVirus.exe)
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\pl-pl\AppStore_icon.svg (CoronaVirus.exe)
- File opened for modification: C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\Trust Protection Lists\Mu\Cryptomining.id-BF08C0AC.[[email protected]].ncov (CoronaVirus.exe)
- File opened for modification: C:\Program Files\Java\jre-1.8\legal\javafx\mesa3d.md (CoronaVirus.exe)
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.GetHelp_10.2008.32311.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxManifest.xml (CoronaVirus.exe)
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\images\themes\dark\s_radio_selected_18.svg.id-BF08C0AC.[[email protected]].ncov (CoronaVirus.exe)
- File created: C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_OEM_Perp-ppd.xrm-ms.id-BF08C0AC.[[email protected]].ncov (CoronaVirus.exe)
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\themes\dark\s_filter_18.svg.id-BF08C0AC.[[email protected]].ncov (CoronaVirus.exe)
- File opened for modification: C:\Program Files\VideoLAN\VLC\locale\pt_BR\LC_MESSAGES\vlc.mo.id-BF08C0AC.[[email protected]].ncov (CoronaVirus.exe)
- File opened for modification: C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\WindowsFormsIntegration.resources.dll (CoronaVirus.exe)
- File created: C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\MS.DATABASECOMPARE.16.1033.hxn.id-BF08C0AC.[[email protected]].ncov (CoronaVirus.exe)
- File opened for modification: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\WATER\WATER.INF.id-BF08C0AC.[[email protected]].ncov (CoronaVirus.exe)
- File opened for modification: C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework.Royale.dll (CoronaVirus.exe)
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\root\ui-strings.js.id-BF08C0AC.[[email protected]].ncov (CoronaVirus.exe)
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\da-dk\ui-strings.js (CoronaVirus.exe)
- File opened for modification: C:\Program Files\Java\jre-1.8\bin\wsdetect.dll (CoronaVirus.exe)
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\reviews_sent.gif.id-BF08C0AC.[[email protected]].ncov (CoronaVirus.exe)
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\svgCheckboxSelected.svg.id-BF08C0AC.[[email protected]].ncov (CoronaVirus.exe)
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_remove_18.svg (CoronaVirus.exe)
- File opened for modification: C:\Program Files\VideoLAN\VLC\plugins\spu\librss_plugin.dll (CoronaVirus.exe)
- File opened for modification: C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-commonjs\components\GroupedList\GroupHeader.types.js (CoronaVirus.exe)
- File opened for modification: C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-64_altform-lightunplated_contrast-black.png (CoronaVirus.exe)
-
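Every renamed file above carries the same suffix: the original name, `.id-BF08C0AC`, a bracketed contact address (redacted by this page's extraction as `[email protected]`) and the `.ncov` campaign extension, which is the Dharma/CrySiS naming convention; the 8-hex id is constant across the host. The following Python is an added example, not part of the sandbox report or of any sample: it parses rows in the report's own "action path process" layout, recognises the suffix, recovers the original filename, and collects the victim id, contact address and extension seen so an analyst can pivot on them. The sample rows are constructed from this report's file list with a placeholder address (`help@example.invalid`), since the real address is not recoverable from the page.

```python
import re
from typing import Iterable, List, NamedTuple, Optional, Tuple

# Filename layout produced by the CoronaVirus.exe sample in this report
# (Dharma/CrySiS convention):
#   <original name>.id-<8 hex digits>.[<attacker e-mail>].<campaign extension>
# The report's e-mail address is redacted by the page extraction, so the sample
# rows below use a constructed placeholder address, not the real contact.
ENCRYPTED_NAME = re.compile(
    r"^(?P<original>.+?)"
    r"\.id-(?P<victim_id>[0-9A-Fa-f]{8})"
    r"\.\[(?P<email>[^\]]+)\]"
    r"\.(?P<ext>[A-Za-z0-9]+)$"
)

ROW_ACTIONS = ("File opened for modification", "File created")


class EncryptedFile(NamedTuple):
    original_path: str   # path as it was before the sample renamed it
    victim_id: str       # per-host id embedded in every renamed file
    email: str           # contact address embedded in the name
    ext: str             # campaign extension (here: ncov)


def parse_encrypted_name(path: str) -> Optional[EncryptedFile]:
    """Return the components of a Dharma-style name, or None if `path` is not one."""
    directory, sep, name = path.rpartition("\\")
    m = ENCRYPTED_NAME.match(name)
    if m is None:
        return None
    return EncryptedFile(directory + sep + m["original"], m["victim_id"].upper(),
                         m["email"], m["ext"])


def parse_file_row(row: str) -> Tuple[str, str, str]:
    """Split a report row '<action> <path> <process>' into its three fields.

    The path may contain spaces; the process name (last token) never does.
    """
    for action in ROW_ACTIONS:
        if row.startswith(action):
            path, _, process = row[len(action):].strip().rpartition(" ")
            return action, path, process
    raise ValueError(f"unrecognised row: {row!r}")


def summarise(rows: Iterable[str]) -> dict:
    """Separate renamed (encrypted) paths from untouched ones and collect the
    campaign markers seen, so an analyst can pivot on id / e-mail / extension."""
    encrypted: List[EncryptedFile] = []
    untouched: List[str] = []
    for row in rows:
        _, path, _ = parse_file_row(row)
        parsed = parse_encrypted_name(path)
        if parsed is None:
            untouched.append(path)
        else:
            encrypted.append(parsed)
    return {
        "encrypted": len(encrypted),
        "untouched": len(untouched),
        "victim_ids": {f.victim_id for f in encrypted},
        "emails": {f.email for f in encrypted},
        "extensions": {f.ext for f in encrypted},
        "originals": [f.original_path for f in encrypted],
    }


# Constructed sample rows modelled on this report's file list (placeholder e-mail).
SAMPLE_ROWS = [
    r"File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Security.Cryptography.OpenSsl.dll.id-BF08C0AC.[help@example.invalid].ncov CoronaVirus.exe",
    r"File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\Trust Protection Lists\Mu\Cryptomining.id-BF08C0AC.[help@example.invalid].ncov CoronaVirus.exe",
    r"File opened for modification C:\Program Files\VideoLAN\VLC\locale\pt_BR\LC_MESSAGES\vlc.mo.id-BF08C0AC.[help@example.invalid].ncov CoronaVirus.exe",
    r"File created C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_OEM_Perp-ppd.xrm-ms.id-BF08C0AC.[help@example.invalid].ncov CoronaVirus.exe",
    r"File opened for modification C:\Program Files\Java\jre-1.8\bin\wsdetect.dll CoronaVirus.exe",
    r"File opened for modification C:\Program Files\Microsoft Office\root\rsod\proof.en-us.msi.16.en-us.tree.dat CoronaVirus.exe",
]

if __name__ == "__main__":
    from pprint import pprint
    pprint(summarise(SAMPLE_ROWS))
```

Feed it the full file list of a report and the `originals` list becomes the inventory of what was encrypted, while `victim_ids` and `emails` should each contain exactly one entry for a single-host infection; more than one id in the same report means rows from different hosts or campaigns have been mixed.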
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL (1 TTP, 3 IoCs)
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. Helper DLLs registered under HKLM\SOFTWARE\Microsoft\NetSh are loaded every time netsh.exe starts, which makes the key a persistence location. All three IoCs listed for this signature are reads of that key by NetSh.exe itself; no write to it is recorded, so on this evidence the signature documents the key being consulted, not a helper being installed.
Processes: NetSh.exe
- Key opened: \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh (NetSh.exe)
- Key queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh (NetSh.exe)
- Key value enumerated: \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh (NetSh.exe)
-
Program crash (1 IoC)
Processes: WerFault.exe
- PID 1688 WerFault.exe handled a crash of target PID 240 YouAreAnIdiot.exe
-
Enumerates system info in registry (2 TTPs, 3 IoCs)
Reading the BIOS SystemManufacturer and SystemProductName values is a well-known virtual-machine check, but the reader here is the msedge.exe process the sandbox itself launched, and Chromium-based browsers read these values to identify the hardware model; treat this signature as context rather than as evidence of evasion by one of the samples.
Processes: msedge.exe
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
-
Interacts with shadow copies (3 TTPs, 5 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery. Five separate vssadmin.exe launches were recorded; their command lines are not shown in this section, but the companion "Deletes shadow copies" signature fired on this run, and vssvc.exe enabling SeBackupPrivilege and SeRestorePrivilege (under "Suspicious use of AdjustPrivilegeToken" below) is the VSS service servicing those requests.
Processes: vssadmin.exe (5 launches)
- PID 6248 vssadmin.exe
- PID 10336 vssadmin.exe
- PID 39644 vssadmin.exe
- PID 39668 vssadmin.exe
- PID 39652 vssadmin.exe
-
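The sandbox lists the five vssadmin.exe launches without their arguments. The following Python is an added example, not part of this report or of any of the samples: it scores process-creation records (PID, image, command line) against the command-line patterns used to delete or shrink shadow copies and to disable Windows recovery, and treats a burst of vssadmin.exe launches as a secondary signal that still fires when, as here, the arguments are unavailable. The events are constructed sample input; their PIDs and command lines are illustrative and not taken from this run.

```python
import re
from typing import Iterable, List, NamedTuple, Tuple


class ProcEvent(NamedTuple):
    pid: int
    image: str      # image file name, e.g. "vssadmin.exe"
    cmdline: str    # full command line as a process-creation log records it


# Command-line patterns for recovery inhibition (ATT&CK T1490). Matching is
# case-insensitive and runs of whitespace are collapsed first, so
# "vssadmin  Delete Shadows" is still caught.
RULES: List[Tuple[str, "re.Pattern[str]"]] = [
    ("vssadmin delete shadows",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("vssadmin resize shadowstorage",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bresize\s+shadowstorage\b", re.I)),
    ("wmic shadowcopy delete",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("wbadmin delete catalog/backup",
     re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\s+(?:catalog|systemstatebackup|backup)\b", re.I)),
    ("bcdedit disable recovery",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("Win32_ShadowCopy deletion via WMI/PowerShell",
     re.compile(r"\bwin32_shadowcopy\b.*\b(?:delete|remove-wmiobject|remove-ciminstance)\b", re.I)),
]


def find_recovery_inhibition(events: Iterable[ProcEvent]) -> List[Tuple[int, str, str]]:
    """Return (pid, image, rule name) for each event whose command line matches a rule.

    The first matching rule wins, so an event is reported once.
    """
    hits = []
    for ev in events:
        cmd = " ".join(ev.cmdline.split())
        for name, rx in RULES:
            if rx.search(cmd):
                hits.append((ev.pid, ev.image, name))
                break
    return hits


def vssadmin_burst(events: Iterable[ProcEvent], threshold: int = 3) -> bool:
    """Secondary signal: several vssadmin.exe launches in one run, regardless of
    arguments. This report records five such launches without their command lines."""
    count = sum(1 for ev in events if ev.image.lower() == "vssadmin.exe")
    return count >= threshold


# Constructed sample events; PIDs and command lines are illustrative, not from the report.
SAMPLE_EVENTS = [
    ProcEvent(1001, "vssadmin.exe", "vssadmin.exe delete shadows /all /quiet"),
    ProcEvent(1002, "vssadmin.exe", "vssadmin  Delete Shadows /All /Quiet"),
    ProcEvent(1003, "vssadmin.exe", "vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB"),
    ProcEvent(1004, "vssadmin.exe", "vssadmin list shadows"),
    ProcEvent(1005, "wmic.exe", "wmic shadowcopy delete"),
    ProcEvent(1006, "bcdedit.exe", "bcdedit /set {default} recoveryenabled no"),
    ProcEvent(1007, "powershell.exe",
              'powershell -c "Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"'),
    ProcEvent(1008, "cmd.exe", "cmd /c vssadmin list shadows"),
]

if __name__ == "__main__":
    for hit in find_recovery_inhibition(SAMPLE_EVENTS):
        print(hit)
    print("vssadmin burst:", vssadmin_burst(SAMPLE_EVENTS))
```

The `resize shadowstorage` rule matters because shrinking the shadow storage to a few hundred megabytes evicts existing snapshots without a `delete` keyword ever appearing; `list` subcommands are deliberately not matched, as administrators run them routinely.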
Modifies data under HKEY_USERS (15 IoCs)
All 15 writes are lock-screen and DWM colour settings under HKU\.DEFAULT made by the system's own LogonUI.exe, consistent with the logon/lock screen being displayed during the run; they are not attacker activity.
Processes: LogonUI.exe
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM (LogonUI.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" (LogonUI.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432" (LogonUI.exe)
- Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00 (LogonUI.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432" (LogonUI.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268" (LogonUI.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268" (LogonUI.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" (LogonUI.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent (LogonUI.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History (LogonUI.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" (LogonUI.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360" (LogonUI.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" (LogonUI.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "249" (LogonUI.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" (LogonUI.exe)
-
Modifies registry class (6 IoCs)
MuiCache, AppModel deployment and AppContainer cache-prefix entries are routine housekeeping by Windows components and the browser; nothing here is attributable to the downloaded samples.
Processes: BackgroundTransferHost.exe, MiniSearchHost.exe, msedge.exe
- Key created: \REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000_Classes\Local Settings\MuiCache (BackgroundTransferHost.exe)
- Key created: \REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000_Classes\Local Settings\MuiCache (MiniSearchHost.exe)
- Key created: \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3766757357-1293853516-507035944-1000\{46A72A76-2E9B-472B-BD7E-1E8335BFA575} (msedge.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix (BackgroundTransferHost.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" (BackgroundTransferHost.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-3766757357-1293853516-507035944-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" (BackgroundTransferHost.exe)
-
NTFS ADS (24 IoCs)
The msedge.exe entries are the browser attaching its SmartScreen stream to in-progress .crdownload files and the Zone.Identifier mark-of-the-web to each finished download. Besides being normal browser behaviour, they give the inventory of samples fetched during the run: WindowsUpdate.exe, Time.exe, MadMan.exe, WarzoneRAT.exe, CoronaVirus.exe, Annabelle.exe, NoMoreRansom.exe, YouAreAnIdiot.exe and Launcher.exe. The two WarzoneRAT.exe entries show the RAT writing jFvfxe.exe into C:\Users\Admin\AppData\Roaming together with Zone.Identifier and SmartScreen streams, so the dropped copy keeps the mark-of-the-web metadata of the download.
Processes: msedge.exe, WarzoneRAT.exe
- File opened for modification: C:\Users\Admin\Downloads\Unconfirmed 533961.crdownload:SmartScreen (msedge.exe)
- File created: C:\Users\Admin\AppData\Roaming\jFvfxe.exe\:Zone.Identifier:$DATA (WarzoneRAT.exe)
- File opened for modification: C:\Users\Admin\Downloads\Unconfirmed 151045.crdownload:SmartScreen (msedge.exe)
- File opened for modification: C:\Users\Admin\Downloads\Unconfirmed 883095.crdownload:SmartScreen (msedge.exe)
- File opened for modification: C:\Users\Admin\Downloads\WindowsUpdate.exe:Zone.Identifier (msedge.exe)
- File opened for modification: C:\Users\Admin\Downloads\Time.exe:Zone.Identifier (msedge.exe)
- File opened for modification: C:\Users\Admin\Downloads\Unconfirmed 850002.crdownload:SmartScreen (msedge.exe)
- File opened for modification: C:\Users\Admin\Downloads\MadMan.exe:Zone.Identifier (msedge.exe)
- File opened for modification: C:\Users\Admin\Downloads\WarzoneRAT.exe:Zone.Identifier (msedge.exe)
- File opened for modification: C:\Users\Admin\Downloads\CoronaVirus.exe:Zone.Identifier (msedge.exe)
- File opened for modification: C:\Users\Admin\Downloads\Unconfirmed 548110.crdownload:SmartScreen (msedge.exe)
- File opened for modification: C:\Users\Admin\Downloads\Unconfirmed 983539.crdownload:SmartScreen (msedge.exe)
- File opened for modification: C:\Users\Admin\Downloads\Unconfirmed 854557.crdownload:SmartScreen (msedge.exe)
- File opened for modification: C:\Users\Admin\Downloads\Unconfirmed 430205.crdownload:SmartScreen (msedge.exe)
- File opened for modification: C:\Users\Admin\Downloads\Annabelle.exe:Zone.Identifier (msedge.exe)
- File opened for modification: C:\Users\Admin\Downloads\Unconfirmed 379934.crdownload:SmartScreen (msedge.exe)
- File created: C:\Users\Admin\AppData\Roaming\jFvfxe.exe\:SmartScreen:$DATA (WarzoneRAT.exe)
- File opened for modification: C:\Users\Admin\Downloads\NoMoreRansom.exe:Zone.Identifier (msedge.exe)
- File opened for modification: C:\Users\Admin\Downloads\YouAreAnIdiot.exe:Zone.Identifier (msedge.exe)
- File opened for modification: C:\Users\Admin\Downloads\Unconfirmed 802091.crdownload:SmartScreen (msedge.exe)
- File opened for modification: C:\Users\Admin\Downloads\Unconfirmed 444613.crdownload:SmartScreen (msedge.exe)
- File opened for modification: C:\Users\Admin\Downloads\Launcher.exe:Zone.Identifier (msedge.exe)
- File opened for modification: C:\Users\Admin\Downloads\Unconfirmed 878459.crdownload:SmartScreen (msedge.exe)
- File opened for modification: C:\Users\Admin\Downloads\Unconfirmed 470749.crdownload:SmartScreen (msedge.exe)
-
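The Zone.Identifier streams listed above are what SmartScreen, Defender and the Windows shell consult before a download is run. The following Python is an added example, not code from the report: it parses the stream's INI-style content into its fields, maps the ZoneId to its zone name, and flags files marked as coming from the Internet or Restricted zones; `read_zone_identifier` shows how the stream is opened by name on Windows (`<file>:Zone.Identifier`) and returns None where the mark is absent or the platform has no alternate data streams. The sample stream contents are constructed in the shape Chromium-based browsers write, with placeholder URLs, not values captured from this run. On a host where the jFvfxe.exe copy is found, reading its stream the same way tells you which zone and, when a HostUrl field is present, which URL the file was tagged with.

```python
from typing import Dict, Optional

# Zone.Identifier is a small INI-style stream that browsers attach to downloads.
# Zone ids follow the URL Security Zones numbering.
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}


def parse_zone_identifier(text: str) -> Dict[str, str]:
    """Parse the [ZoneTransfer] section into a dict (ZoneId, ReferrerUrl, HostUrl, ...).

    Keys outside that section are ignored; blank and ';' comment lines are skipped.
    """
    fields: Dict[str, str] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[zonetransfer]"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
    return fields


def zone_id(fields: Dict[str, str]) -> Optional[int]:
    """Numeric ZoneId, or None when the stream has no usable value."""
    try:
        return int(fields["ZoneId"])
    except (KeyError, ValueError):
        return None


def is_marked_from_internet(fields: Dict[str, str]) -> bool:
    """True for zone 3 (Internet) and zone 4 (Restricted sites), the zones
    Windows treats as untrusted origins for downloaded files."""
    zid = zone_id(fields)
    return zid is not None and zid >= 3


def read_zone_identifier(path: str) -> Optional[Dict[str, str]]:
    """On Windows the stream is opened as '<path>:Zone.Identifier'. Returns None
    when the file carries no mark or the OS has no alternate data streams."""
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:
        return None


# Constructed stream contents in the shape Chromium-based browsers write; URLs are placeholders.
SAMPLE_STREAM = """[ZoneTransfer]
ZoneId=3
ReferrerUrl=https://downloads.example.invalid/
HostUrl=https://downloads.example.invalid/files/Annabelle.exe
"""

# A stream with the ZoneId line stripped: the file is then not treated as marked.
SAMPLE_STREAM_NO_ID = """[ZoneTransfer]
HostUrl=https://downloads.example.invalid/files/Time.exe
"""

if __name__ == "__main__":
    fields = parse_zone_identifier(SAMPLE_STREAM)
    print(ZONE_NAMES.get(zone_id(fields)), fields.get("HostUrl"))
```

The SmartScreen stream the browser writes alongside Zone.Identifier holds SmartScreen's own verdict in an undocumented layout and is not parsed here; removing either stream (the "Unblock" checkbox in file properties deletes Zone.Identifier) is what lets a download run without the warning.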
Scheduled Task/Job: Scheduled Task (1 TTP, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution. The task definitions are not shown in this section; PID 4656 is also listed for an msedge.exe process under "Suspicious behavior: EnumeratesProcesses", so PIDs were recycled during the run and should not be correlated on their own.
Processes: schtasks.exe (2 launches)
- PID 4656 schtasks.exe
- PID 2180 schtasks.exe
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes and event counts, in report order:
- PID 1708 msedge.exe (2)
- PID 4720 msedge.exe (2)
- PID 3744 msedge.exe (2)
- PID 4936 identity_helper.exe (2)
- PID 2092 msedge.exe (4)
- PID 4800 msedge.exe (2)
- PID 236 msedge.exe (2)
- PID 4656 msedge.exe (2)
- PID 4664 WindowsUpdate.exe (2)
- PID 2812 msedge.exe (2)
- PID 3440 msedge.exe (2)
- PID 440 msedge.exe (2)
- PID 3812 msedge.exe (2)
- PID 4752 WarzoneRAT.exe (3)
- PID 2208 WarzoneRAT.exe (3)
- PID 2088 msedge.exe (2)
- PID 1640 CoronaVirus.exe (28)
-
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes: msedge.exe
- PID 4720 msedge.exe
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (24 IoCs)
All 24 IoCs are the root msedge.exe process (PID 4720) creating child processes with the "block non-Microsoft binaries" process-creation mitigation. This is the browser's own sandbox hardening for its child processes, not sample behaviour.
Processes: msedge.exe
- PID 4720 msedge.exe (24 events)
-
Suspicious use of AdjustPrivilegeToken (50 IoCs)
Grouped by process (50 events in total):
- Time.exe, PIDs 3408 and 1392: SeSystemtimePrivilege enabled 40 times, alternating between the two PIDs. This privilege is required to set the system clock, so the sample is repeatedly changing the system time.
- WarzoneRAT.exe, PID 4752 and PID 2208: SeDebugPrivilege enabled once each, the privilege a RAT needs to open other users' processes.
- vssvc.exe, PID 8088 and PID 39840: SeBackupPrivilege, SeRestorePrivilege and SeAuditPrivilege enabled by each instance. This is the Volume Shadow Copy service itself responding to the vssadmin.exe requests recorded above, not malware running under that name.
- shutdown.exe, PID 13584: SeShutdownPrivilege and SeRemoteShutdownPrivilege enabled, i.e. a shutdown or restart was initiated during the run.
-
Suspicious use of FindShellTrayWindow (64 IoCs)
Processes: msedge.exe, WindowsUpdate.exe. Events in report order:
- PID 4720 msedge.exe (59)
- PID 4664 WindowsUpdate.exe (3)
- PID 4720 msedge.exe (2)
-
Suspicious use of SendNotifyMessage (40 IoCs)
Processes: msedge.exe, WindowsUpdate.exe. Events in report order:
- PID 4720 msedge.exe (12)
- PID 4664 WindowsUpdate.exe (3)
- PID 4720 msedge.exe (4)
- PID 4664 WindowsUpdate.exe (6)
- PID 4720 msedge.exe (12)
- PID 4664 WindowsUpdate.exe (3)
-
Suspicious use of SetWindowsHookEx (3 IoCs)
All three hook installers are Windows shell components or the browser; none of the downloaded samples installs a hook in this run.
Processes: MiniSearchHost.exe, msedge.exe, LogonUI.exe
- PID 2872 MiniSearchHost.exe
- PID 4720 msedge.exe
- PID 8856 LogonUI.exe
-
Suspicious use of WriteProcessMemory (64 IoCs)
All 64 IoCs are the root msedge.exe process (PID 4720) writing into its own freshly created msedge.exe child processes, which the browser does while setting up sandboxed children; none of the downloaded samples appears in this signature. Writes by target, in report order:
- PID 4720 msedge.exe wrote to PID 5044 msedge.exe (2 events)
- PID 4720 msedge.exe wrote to PID 1736 msedge.exe (40 events)
- PID 4720 msedge.exe wrote to PID 1708 msedge.exe (2 events)
- PID 4720 msedge.exe wrote to PID 1488 msedge.exe (20 events)
-
System policy modification (1 TTP, 9 IoCs)
Annabelle.exe locks the user out of the tools needed to regain control: Task Manager (DisableTaskMgr), Registry Editor (DisableRegistryTools), the Run dialog (NoRun) and Control Panel (NoControlPanel) are disabled, and UAC is switched off (EnableLUA = 0, effective after the next reboot). WindowsDefenderMAJ is not a documented Windows policy value and appears to be the sample's own marker. Together with the Winlogon Shell replacement and the Defender real-time-monitoring change recorded earlier in this report, the combination is typical of lock-screen malware.
Processes: Annabelle.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (Annabelle.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\WindowsDefenderMAJ = "1" (Annabelle.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" (Annabelle.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (Annabelle.exe)
- Key created: \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer (Annabelle.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1" (Annabelle.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (Annabelle.exe)
- Key created: \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System (Annabelle.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "1" (Annabelle.exe)
-
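The following Python is an added example, not part of the report: it parses registry IoC rows in this report's own layout (`<operation> <key path> [= "<data>"] <process>`), ignores read-only operations (so the Key opened/queried/enumerated rows of the Netsh Helper DLL signature earlier on this page produce no finding), and matches writes against the policy values the Annabelle.exe rows above set, the Winlogon Shell and Defender rows from this report's earlier signatures, and a rule for a genuine helper-DLL registration under HKLM\SOFTWARE\Microsoft\NetSh. The sample rows are copied from this report; the rule table, the finding labels and the decision to ignore WindowsDefenderMAJ (it is not a documented policy value) are this example's own assumptions.

```python
import re
from typing import Callable, Iterable, List, NamedTuple, Optional, Tuple

# One IoC row of this report's registry signatures, e.g.
#   Set value (int) \REGISTRY\MACHINE\...\Policies\System\EnableLUA = "0" Annabelle.exe
#   Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh NetSh.exe
# The key path may contain spaces ("Windows NT"); the process name never does.
ROW = re.compile(
    r"^(?P<op>Key created|Key opened|Key queried|Key value queried|Key value enumerated|"
    r"Set value \((?P<type>\w+)\))\s+"
    r"(?P<path>\\REGISTRY\\.+?)"
    r"(?:\s*=\s*(?P<data>\"[^\"]*\"|\S+))?"
    r"\s+(?P<process>\S+)$"
)


class RegEvent(NamedTuple):
    op: str
    path: str
    data: Optional[str]
    process: str


def parse_row(row: str) -> RegEvent:
    m = ROW.match(row.strip())
    if m is None:
        raise ValueError(f"unrecognised row: {row!r}")
    data = m["data"]
    if data is not None and data.startswith('"'):
        data = data[1:-1]  # the report quotes string and integer data
    return RegEvent(m["op"], m["path"], data, m["process"])


# (key suffix, value name or None for any value, predicate on data, finding).
# Suffix matching ignores the hive prefix, so HKLM and HKU\<SID> variants both match.
POLICY_RULES: List[Tuple[str, Optional[str], Callable[[str], bool], str]] = [
    (r"\Policies\System", "DisableTaskMgr", lambda d: d == "1", "Task Manager disabled"),
    (r"\Policies\System", "DisableRegistryTools", lambda d: d == "1", "Registry Editor disabled"),
    (r"\Policies\System", "EnableLUA", lambda d: d == "0", "UAC disabled (takes effect after reboot)"),
    (r"\Policies\Explorer", "NoRun", lambda d: d == "1", "Run dialog disabled"),
    (r"\Policies\Explorer", "NoControlPanel", lambda d: d == "1", "Control Panel disabled"),
    (r"\Windows Defender\Real-Time Protection", "DisableRealtimeMonitoring", lambda d: d == "1",
     "Defender real-time monitoring disabled"),
    (r"\Winlogon", "Shell", lambda d: d.lower() != "explorer.exe", "Winlogon Shell replaced"),
    (r"\Microsoft\NetSh", None, lambda d: True, "Netsh helper DLL registered"),
]


def evaluate(ev: RegEvent) -> Optional[str]:
    """Finding for one event, or None. Only writes ('Set value') are judged:
    opening, querying or enumerating a key is read-only and produces nothing."""
    if not ev.op.startswith("Set value"):
        return None
    key, _, name = ev.path.rpartition("\\")
    for suffix, value_name, is_bad, finding in POLICY_RULES:
        if key.lower().endswith(suffix.lower()) and (value_name is None or name == value_name):
            if is_bad(ev.data or ""):
                return finding
    return None


def scan(rows: Iterable[str]) -> List[Tuple[str, str]]:
    """(process, finding) pairs for every row that trips a rule, in report order."""
    findings = []
    for row in rows:
        ev = parse_row(row)
        finding = evaluate(ev)
        if finding:
            findings.append((ev.process, finding))
    return findings


# Rows copied from this report (Annabelle.exe, NetSh.exe and LogonUI.exe signatures).
SAMPLE_ROWS = [
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Annabelle.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\WindowsDefenderMAJ = "1" Annabelle.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" Annabelle.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Annabelle.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1" Annabelle.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Annabelle.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "1" Annabelle.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\Downloads\\Annabelle.exe" Annabelle.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" Annabelle.exe',
    r'Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh NetSh.exe',
    r'Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh NetSh.exe',
    r'Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268" LogonUI.exe',
]

if __name__ == "__main__":
    for process, finding in scan(SAMPLE_ROWS):
        print(f"{process}: {finding}")
```

Run over the sample rows it reports seven findings, all for Annabelle.exe, and nothing for the NetSh.exe reads or the LogonUI.exe colour setting; the same rows in a per-user hive (HKU\<SID>\...\Policies\System) match as well because only the key suffix is compared.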
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
Level 1 is the process the sandbox launched; level-2 entries are its children. PIDs are recycled during the 1000-second run (PID 3148 is shown on two different renderer processes), so correlate on PID together with start time, not on PID alone.

[level 1] msedge.exe (PID 4720), browser process
  Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.com
  Signatures:
  - Enumerates system info in registry
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
-
[level 2] msedge.exe (PID 5044), crashpad handler
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa934c3cb8,0x7ffa934c3cc8,0x7ffa934c3cd8
-
[level 2] msedge.exe (PID 1736), GPU process
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1920,10610404343962724543,3353219684817561084,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1928 /prefetch:2
-
[level 2] msedge.exe (PID 1708), network service (unsandboxed)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1920,10610404343962724543,3353219684817561084,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:3
  Signatures:
  - Suspicious behavior: EnumeratesProcesses
-
[level 2] msedge.exe (PID 1488), storage service
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1920,10610404343962724543,3353219684817561084,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2696 /prefetch:8
-
[level 2] msedge.exe (PID 792), renderer (client id 6)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,10610404343962724543,3353219684817561084,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3172 /prefetch:1
-
[level 2] msedge.exe (PID 2956), renderer (client id 5)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,10610404343962724543,3353219684817561084,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:1
-
[level 2] msedge.exe (PID 1312), renderer (client id 7)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,10610404343962724543,3353219684817561084,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4176 /prefetch:1
-
[level 2] msedge.exe (PID 3744), UtilWin utility (unsandboxed)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1920,10610404343962724543,3353219684817561084,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5484 /prefetch:8
  Signatures:
  - Suspicious behavior: EnumeratesProcesses
-
[level 2] identity_helper.exe (PID 4936), WinRT app-id service (unsandboxed)
  Image: C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1920,10610404343962724543,3353219684817561084,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5740 /prefetch:8
  Signatures:
  - Suspicious behavior: EnumeratesProcesses
-
[level 2] msedge.exe (PID 4876), renderer (client id 10)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,10610404343962724543,3353219684817561084,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4808 /prefetch:1
-
[level 2] msedge.exe (PID 3856), renderer (client id 11, instant process)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,10610404343962724543,3353219684817561084,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:1
-
[level 2] msedge.exe (PID 5064), renderer (client id 12)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,10610404343962724543,3353219684817561084,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1908 /prefetch:1
-
[level 2] msedge.exe (PID 2152), renderer (client id 13, instant process)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,10610404343962724543,3353219684817561084,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5784 /prefetch:1
-
[level 2] msedge.exe (PID 2084), renderer (client id 14)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,10610404343962724543,3353219684817561084,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4200 /prefetch:1
-
[level 2] msedge.exe (PID 3148), renderer (client id 15, instant process)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,10610404343962724543,3353219684817561084,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6072 /prefetch:1
-
[level 2] msedge.exe (PID 4188), renderer (client id 16)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,10610404343962724543,3353219684817561084,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
-
[level 2] msedge.exe (PID 2780), renderer (client id 17)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,10610404343962724543,3353219684817561084,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3528 /prefetch:1
-
[level 2] msedge.exe (PID 2092), GPU process (relaunched with the GPU sandbox disabled and GL off)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1920,10610404343962724543,3353219684817561084,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3340 /prefetch:2
  Signatures:
  - Suspicious behavior: EnumeratesProcesses
-
[level 2] msedge.exe (PID 4776), renderer (client id 19)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,10610404343962724543,3353219684817561084,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5876 /prefetch:1
-
[level 2] msedge.exe (PID 5004), audio service
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1920,10610404343962724543,3353219684817561084,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4232 /prefetch:8
-
[level 2] msedge.exe (PID 4800), video capture service
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1920,10610404343962724543,3353219684817561084,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5024 /prefetch:8
  Signatures:
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
-
[level 2] msedge.exe (PID 2428), renderer (client id 22)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,10610404343962724543,3353219684817561084,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:1
-
[level 2] msedge.exe (PID 3148, reused), renderer (client id 23)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,10610404343962724543,3353219684817561084,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
-
[level 2] msedge.exe (PID 1012), renderer (client id 24)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,10610404343962724543,3353219684817561084,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1
-
[level 2] msedge.exe (PID 4872), renderer (client id 26)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,10610404343962724543,3353219684817561084,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5600 /prefetch:1
-
[level 2] msedge.exe (PID 3868), icon reader utility
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1920,10610404343962724543,3353219684817561084,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6856 /prefetch:8
-
[level 2] msedge.exe (PID 4832), icon reader utility
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1920,10610404343962724543,3353219684817561084,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6716 /prefetch:8
-
[level 2] msedge.exe, quarantine service (unsandboxed; the one that writes the Zone.Identifier streams on downloads)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1920,10610404343962724543,3353219684817561084,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5808 /prefetch:8
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:236 -
C:\Users\Admin\Downloads\Launcher.exe"C:\Users\Admin\Downloads\Launcher.exe"2⤵
- Executes dropped EXE
PID:1440 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,10610404343962724543,3353219684817561084,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3816 /prefetch:12⤵PID:5052
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1920,10610404343962724543,3353219684817561084,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7064 /prefetch:82⤵PID:4428
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1920,10610404343962724543,3353219684817561084,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6476 /prefetch:82⤵PID:4652
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1920,10610404343962724543,3353219684817561084,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5164 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:4656 -
C:\Users\Admin\Downloads\WindowsUpdate.exe"C:\Users\Admin\Downloads\WindowsUpdate.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4664 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,10610404343962724543,3353219684817561084,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:12⤵PID:4480
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1920,10610404343962724543,3353219684817561084,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6572 /prefetch:82⤵PID:2404
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1920,10610404343962724543,3353219684817561084,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1052 /prefetch:82⤵PID:3352
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1920,10610404343962724543,3353219684817561084,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3312 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:2812 -
C:\Users\Admin\Downloads\YouAreAnIdiot.exe"C:\Users\Admin\Downloads\YouAreAnIdiot.exe"2⤵
- Executes dropped EXE
PID:240 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 240 -s 12323⤵
- Program crash
PID:1688 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,10610404343962724543,3353219684817561084,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4220 /prefetch:12⤵PID:1052
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1920,10610404343962724543,3353219684817561084,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6692 /prefetch:82⤵PID:1360
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1920,10610404343962724543,3353219684817561084,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4072 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:3440 -
C:\Users\Admin\Downloads\Time.exe"C:\Users\Admin\Downloads\Time.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3408 -
C:\Users\Admin\Downloads\Time.exe"C:\Users\Admin\Downloads\Time.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1392 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,10610404343962724543,3353219684817561084,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6580 /prefetch:12⤵PID:4640
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1920,10610404343962724543,3353219684817561084,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7008 /prefetch:82⤵PID:1876
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1920,10610404343962724543,3353219684817561084,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7060 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:440 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,10610404343962724543,3353219684817561084,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6192 /prefetch:12⤵PID:2648
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1920,10610404343962724543,3353219684817561084,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5836 /prefetch:82⤵PID:4528
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1920,10610404343962724543,3353219684817561084,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5048 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:3812 -
C:\Users\Admin\Downloads\WarzoneRAT.exe"C:\Users\Admin\Downloads\WarzoneRAT.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4752 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDB8F.tmp"3⤵
- Scheduled Task/Job: Scheduled Task
PID:4656 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"3⤵PID:5100
-
C:\Users\Admin\Downloads\WarzoneRAT.exe"C:\Users\Admin\Downloads\WarzoneRAT.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2208 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1982.tmp"3⤵
- Scheduled Task/Job: Scheduled Task
PID:2180 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"3⤵PID:3568
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,10610404343962724543,3353219684817561084,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5892 /prefetch:12⤵PID:3892
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1920,10610404343962724543,3353219684817561084,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6308 /prefetch:82⤵PID:4624
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1920,10610404343962724543,3353219684817561084,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3236 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:2088 -
C:\Users\Admin\Downloads\CoronaVirus.exe"C:\Users\Admin\Downloads\CoronaVirus.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:1640 -
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"3⤵PID:4932
-
C:\Windows\system32\mode.commode con cp select=12514⤵PID:14232
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
PID:6248 -
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"3⤵PID:17388
-
C:\Windows\system32\mode.commode con cp select=12514⤵PID:6420
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
PID:10336 -
C:\Windows\System32\mshta.exe"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"3⤵PID:6308
-
C:\Windows\System32\mshta.exe"C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"3⤵PID:6344
-
C:\Users\Admin\Downloads\CoronaVirus.exe"C:\Users\Admin\Downloads\CoronaVirus.exe"2⤵
- Executes dropped EXE
PID:49340 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,10610404343962724543,3353219684817561084,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:12⤵
- Executes dropped EXE
- Loads dropped DLL
PID:12084 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1920,10610404343962724543,3353219684817561084,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6968 /prefetch:82⤵
- Executes dropped EXE
- Loads dropped DLL
PID:11988 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1920,10610404343962724543,3353219684817561084,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3536 /prefetch:82⤵
- Executes dropped EXE
- Loads dropped DLL
- NTFS ADS
PID:10608 -
C:\Users\Admin\Downloads\NoMoreRansom.exe"C:\Users\Admin\Downloads\NoMoreRansom.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
PID:37900 -
C:\Users\Admin\Downloads\NoMoreRansom.exe"C:\Users\Admin\Downloads\NoMoreRansom.exe"2⤵
- Executes dropped EXE
PID:38212 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,10610404343962724543,3353219684817561084,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=61 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1960 /prefetch:12⤵
- Executes dropped EXE
- Loads dropped DLL
PID:39056 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1920,10610404343962724543,3353219684817561084,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5772 /prefetch:82⤵
- Executes dropped EXE
- Loads dropped DLL
PID:39160 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1920,10610404343962724543,3353219684817561084,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4888 /prefetch:82⤵
- Executes dropped EXE
- Loads dropped DLL
PID:39216 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1920,10610404343962724543,3353219684817561084,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5980 /prefetch:82⤵
- Executes dropped EXE
- Loads dropped DLL
- NTFS ADS
PID:39352 -
C:\Users\Admin\Downloads\Annabelle.exe"C:\Users\Admin\Downloads\Annabelle.exe"2⤵
- Modifies WinLogon for persistence
- Modifies Windows Defender Real-time Protection settings
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
- Adds Run key to start application
- Checks whether UAC is enabled
- System policy modification
PID:39524 -
C:\Windows\SYSTEM32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:39644 -
C:\Windows\SYSTEM32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:39652 -
C:\Windows\SYSTEM32\vssadmin.exevssadmin delete shadows /all /quiet3⤵
- Interacts with shadow copies
PID:39668 -
C:\Windows\SYSTEM32\NetSh.exeNetSh Advfirewall set allprofiles state off3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:39684 -
C:\Windows\System32\shutdown.exe"C:\Windows\System32\shutdown.exe" -r -t 00 -f3⤵
- Suspicious use of AdjustPrivilegeToken
PID:13584
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:2324
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4660
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2872
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 240 -ip 2401⤵PID:3156
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:8088
-
C:\Windows\system32\werfault.exewerfault.exe /h /shared Global\7a53e96d58e94694a310f496c70256c4 /t 6316 /p 63081⤵PID:36436
-
C:\Windows\system32\BackgroundTransferHost.exe"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.131⤵
- Modifies registry class
PID:37172
-
C:\Windows\system32\werfault.exewerfault.exe /h /shared Global\10bba92f32fb45248a2386aab64f8577 /t 6372 /p 63441⤵PID:37264
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\FILES ENCRYPTED.txt1⤵PID:46700
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\FILES ENCRYPTED.txt1⤵PID:26244
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:39840
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa39f8055 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:8856
Network
MITRE ATT&CK Enterprise v15 (tactic, technique, and the number of matching signatures in this run)

Execution
  Scheduled Task/Job (1)
    Scheduled Task (1)
  Windows Management Instrumentation (1)
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Create or Modify System Process (2)
    Windows Service (2)
  Event Triggered Execution (2)
    Image File Execution Options Injection (1)
    Netsh Helper DLL (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Create or Modify System Process (2)
    Windows Service (2)
  Event Triggered Execution (2)
    Image File Execution Options Injection (1)
    Netsh Helper DLL (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Direct Volume Access (1)
  Impair Defenses (4)
    Disable or Modify System Firewall (1)
    Disable or Modify Tools (2)
    Safe Mode Boot (1)
  Indicator Removal (2)
    File Deletion (2)
  Modify Registry (5)
Downloads
-
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems64.dll.id-BF08C0AC.[[email protected]].ncov
Filesize3.2MB
MD5df61751f9899739bece33ed9515ef8ec
SHA113e30acfc4197329eb98962864b21fcfd74cdc28
SHA25696b5718ccf89ab9dde15a5b6431969d46f9ff8e32b27edf9c11714745ff53e78
SHA512896901438df0ed62ceecaf424b6f8b47b9cb04cdb8e4a4d9e7053c562b218b35284ebfaf6fc67e9f1b3dd359bae072af2a278ff31dc39a43cfbeb3f0b1ef526c
-
Filesize
507B
MD5a0c3e1aca0335d2d3a6c16038a5e1feb
SHA1865132ecfd8bc3781419e10a57ef33686d80f83f
SHA25668e52b0dae9281848730d457702a3fbe0868a0209d2740c9b5435dcf872d1072
SHA5126b5dc7bb61bebea323e806e4eeaac8383621c84be7545af744923445dc4545b9395abcd8f7b82f8b30fddc28872e3f47a010a271f588b5dd725cdd1be2ee4ed8
-
Filesize
152B
MD5f1d33f465a73554cd1c183cbcd0a28a2
SHA1f5c16fc4edff600cb307f762d950500aa29a1e8b
SHA25622d8c228cdcfd3e05431d7377748014035a3488ad3a0d4aecc334e724245a1f9
SHA5127cc94f77f3943143ee86eabbfddcb110ce52c6ff0975842e3a3d06072f51f2c48914ee61f24484a539888ad19a7e6a1becfb029485cd5984bc736434a63cee95
-
Filesize
152B
MD5575466f58c7d9d3224035d23f102d140
SHA12fce4082fa83534b3ddc91e42fb242baee4afa1c
SHA2569da0e657652daa1ef86af7c3db62b0af9cce372a5f765c98c68479922ccf1923
SHA51206503e718fe967076dd8a061b57debdc663b9616b005f8567099a84fc7184880633079335d622c243918efc3356b40e683708fb0583084abeed7db6168a212ab
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\8c20e438-a44c-4d3e-9dd7-fc82d06d52fe.tmp
Filesize1KB
MD563af1c7cd10fc778d40f0c09d40e9760
SHA129df3ab3a70d3fb42073f06c9ed3387b62bbc0c5
SHA25603f3c5a252b5bd2798c8d4e01ab598b9af9f8eeeaf3201c4d7522e4aa2ad7583
SHA512677a1dfd8663b026c72538afbecca6f6c06c35c73d12def2fdf2faabbbd2d98bb52870544de72d75e2b2a5e463b0616969f97a0402a2219d319a204d45641908
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\9dec64b5-c519-45c1-a11c-1bffd29af47e.tmp
Filesize784B
MD56f1428e139b1e1e032f545b527f0e1d6
SHA199ba879668bce410d948032fb9511638afb3b703
SHA256f343c1d04da4e826fc44df8cbfa92cfee2b54d92d8a60fd674597d9fd9d26af1
SHA512fc2bd33dd75f678fa63da913dfefe5c774c2f57c2790b11c1f69de019408ddfd04896f403bc2eead2d4821f912d73e2723d18aca1683a741a7ee9481b49b1ba7
-
Filesize
211KB
MD5151fb811968eaf8efb840908b89dc9d4
SHA17ec811009fd9b0e6d92d12d78b002275f2f1bee1
SHA256043fd8558e4a5a60aaccd2f0377f77a544e3e375242e9d7200dc6e51f94103ed
SHA51283aface0ab01da52fd077f747c9d5916e3c06b0ea5c551d7d316707ec3e8f3f986ce1c82e6f2136e48c6511a83cb0ac67ff6dc8f0e440ac72fc6854086a87674
-
Filesize
760KB
MD5515198a8dfa7825f746d5921a4bc4db9
SHA1e1da0b7f046886c1c4ff6993f7f98ee9a1bc90ae
SHA2560fda176b199295f72fafc3bc25cefa27fa44ed7712c3a24ca2409217e430436d
SHA5129e47037fe40b79ebf056a9c6279e318d85da9cd7e633230129d77a1b8637ecbafc60be38dd21ca9077ebfcb9260d87ff7fcc85b8699b3135148fe956972de3e8
-
Filesize
15.9MB
MD50f743287c9911b4b1c726c7c7edcaf7d
SHA19760579e73095455fcbaddfe1e7e98a2bb28bfe0
SHA256716335ba5cd1e7186c40295b199190e2b6655e48f1c1cbe12139ba67faa5e1ac
SHA5122a6dd6288303700ef9cb06ae1efeb1e121c89c97708e5ecd15ed9b2a35d0ecff03d8da58b30daeadad89bd38dc4649521ada149fb457408e5a2bdf1512f88677
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize144B
MD51d90c4ea0c9b0a40383ecafb32296d36
SHA1de5ec36b9e3faf949e01c2cc757b21312fd0f5fa
SHA256cabc21459056502730ba909e64eae811185941e4d8ebac98ccd481a5f45cf5e7
SHA512adbc2ab9be2871236c491ad6df8c625e772290a2f7c71e013bf50de9fc2cd5dc7a1d99ae8df9a8fbaa7dac4afe728e80fa6ea6165cfebf6b3de5f79192d10a26
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize3KB
MD56629ddb30d70a25413caecc922624dcc
SHA155acfa2a342ed7e927429d2a422e65d8a917673f
SHA256ff177296a1d6f28689a26afbda1e9bc28f8e66eaef3e0c5322c0fce511397735
SHA512c504bc29a1ce06ab71dc341451c7343295e87c3925d0564bbb860f845a20f3b0ee1452fc438b76db2c16bf1d42a9548edf7979c042deba36ee77befb94ef7679
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize3KB
MD5a1404c1bf11ff886e21193056792d801
SHA10bfa10d69cd16866151e0f338e303dc5b77485db
SHA256f4ef580d2f6919ea811e033875437eedac3f53350e713cb8b0bd7ec5684277c9
SHA51225028772857fc1167aee69ebc3b29884a5f265501fc5c46773e758e0c20b3ff383b94ed9357e153f95a8824ada97da2e89b9dbb305e18715d818b07c54fe69b0
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize3KB
MD57c75f524af659155927de346755c524b
SHA1332dca09c8c441a7dd4404165f67f5fae0af84db
SHA2567826b6280c62c62a5cc46ac35b387dc732c9ac7ce00ac4e26b36f8097797d2fe
SHA51225efaec8d1671b43c594a947135e3e66bfea4bee138935c7e124a5f196fe407b0e4f252e6f9cc8423c853e5c87c33ce7fb41b0201fa99951e43bdc2806c912a5
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize3KB
MD5b90c8e3230fd64be12fa7f7d0405addf
SHA186331d9691ad57d366f815a784e67ba71bcb4aab
SHA2565654091a7279f2b81b5e188ba9fecf4e0c2f131cb6edb7a52d8314ca96dbafc8
SHA512cfb15a9f5252d39ba36e5adfd0ffca0c25f24a0de53f69886db25bea7f6a1d3625a88d3c1bc31bef38643c32976873d5ce5cb64eacaf392cdb116b212fce5f87
-
Filesize
1KB
MD5e1eab757ab2cb7c259e23d62d7f0c2c4
SHA144f323a72b6a0439bc13b4b9fa67200324664e41
SHA25603945851f54a17073be5cc4ffc2d109c6f12083a61f2de9c1385b5551d6d0c0d
SHA5121ac778e4ba5bab70d9b66cbf88cc7ad14787652974c139bd7cfd67b269e32da54b6edcd31a1360e6aca7cfff58bbeae900b673888d36d50130d21f88928ba1b3
-
Filesize
1KB
MD538f921eb5bb3bb6a5235d086ad8f7764
SHA180c399214e5e28484974b814ecd7024e2ba4483a
SHA2565d90e9850273028bf2124e2ecb80ad9ae57cffc9ae05ea4fe5016f55df0f6e2b
SHA512ea2a57161f23eb8ccf417373c0a7523465c6dd3eb9f0b57302c8ef5f94ae7cf8fb9d0ff5a785db85fcec1429774d9f9e8ee41d883994032103240cabd889c3d6
-
Filesize
5KB
MD51ac9418e2f6c02ec15495e24e74cd402
SHA1df240015f68e19930bd6e7425e92431c9c447f61
SHA256002b40e3ad066e0f6f5140ee804fbc17f4c6f12d330439c5b2bc56e05414d6b2
SHA51271ee490a4b01efe8dc52c3e0b164831fbfb19369719683b6a6036d920ff69e7af454654c6078d760778e997b30746f9608749479f255bd85505944d445b40999
-
Filesize
7KB
MD5b35c55c31d914089b9943533cc0d8aed
SHA1975c86461b5561defa6f4123f338e815577ecdad
SHA2566745d5b6227de88fd1a3d78453719c405aa6b76071884ec798a2e44fa7b6d23c
SHA512ca245759ac00286d2e21c7f879a99d16730a7b0b94a433ca1bd62796c94ffc427942edb40da23f25c7b270d7f38debb61b5ae23d6f48a64ca42ec3da22cc4e04
-
Filesize
7KB
MD56b7a20118c39acb64f576a5491e84fcd
SHA1e8b722ca90e8cb0513f7288742958f2cc6f3c8fd
SHA256ce9cba33e08df5fff67d9eb6b7286a2a6873c760832066edbb1c5d35470e0c96
SHA512e82ac2f92c8cce7e10cd6fb8d6c3f47283ea85d37eac9c9238b5b2d40cfed47873ed726b4077505fb9aad85e89056b13ea264e9417e4fa94ca761060bec1e96e
-
Filesize
6KB
MD5a9195ffc14c184b98b72a9a5dfa36dcc
SHA13c69110d4e41ebbf4a59b00e35096fd9164efb74
SHA256a862985c01ef13edf5068b7aaa392f8fccf09d9ee36230ae810a60d5d275de59
SHA5124ed6f6e44d22cc2cba41881e5ce4b46918b3575f77f853f4919ed79751726fda7dbcaeb4c3534f11d2e0e084e9ba7d7a88b6bb88c68c4cf0c6dd9228626f05a7
-
Filesize
7KB
MD5a6fc1363ddf95f95b9bee950796636fa
SHA1a4327e72a5a7e62401c6b897599df0ee6f30565c
SHA256cc63114d403d3ff7c3cac37ef13c91565be35a3abe1d1a3e70a9b1b62294db06
SHA512baba994ba234a086ce598d0618bbf054b495721c2a8b80848ba5646fe0b0e7a9d77884f3daa9043abba62098a962fd2a0d34214ae5c82ad878ab7f4a9beb000a
-
Filesize
1KB
MD519881306125b794a5307f2f08c8f8e60
SHA12102fd79ce35d9ed3f091144daacca27842f2070
SHA256b2419e133c29527707ab3f687b5d26ff14214755d2a85b02bbd754a36c90889d
SHA512f80ab2104e648a1337a6552d7f2dadd93d483f5e6f90175f34bb758b173ea689712f2cdca65c6c515d3028bb203f2cce24a373f0c2dd50a53b455f132d2c17e0
-
Filesize
1KB
MD568e2abad48c692ce2c0f88e333bc3d24
SHA181576193d41388e9bfacf534d16329b363c29e12
SHA256d3c09cc6855152ede02218877735e573396857a2c6e29c0159a76c95ba932d17
SHA5123589f51f6e650a3f3a6ef347a99ca8e0d68a2373ec6bcacedea6fb32807e8d2066c731e4f3aa765b3fac4c45bf4d8e39c5398bd64db4de72c0e35f04feed309d
-
Filesize
1KB
MD586a5e3710f97171bd97a0bf516354864
SHA1c7e9fc62f05b64b6532f278063d5aaee66f986a9
SHA256a5eded427c9da0575c8ff9411035c6ed78eaf74c75c4b9765532064c9fb7ca1d
SHA512ac4f913c25ccd8cc6f79ad5c7e22e11935c5523802fc411a8514c35d59c4817a8d0aa10944b6277ca7e886604463682cc24cb3479d0607ae9029d4e3b5a9d66b
-
Filesize
1KB
MD5bf58a4c4e4349027099c917775544a3e
SHA1266be22071097e82387300500f6cf0c55de0b19e
SHA25674ad43d18ea84343ea7912968e2995785463e36569a22c6f72b75e516f361609
SHA512e40f34e509fa5ed31a3c8ba1e5edef3e7a5ac015d5b8351dafbe80cbb4de9ca8466d26c9349baacb75090cf29cfa24fdb56632fd439bf7facb98401764f96ff8
-
Filesize
1KB
MD5d9b9e7e1d5081a95dbe68ef40f70feab
SHA1740fd7b884b733abaa9753f68f0f0e507e35c8e3
SHA256ca72bc333e9ad9223ec8c3cd77ea574e91acb95fec044a59a8e60a3560ada532
SHA512ef71491403bc276ad6bd3eb15dc6bb945cb5e837003ca643bf65c69825d249bbec385904a9ab6cee63e8a96dfcb5abcf52cd0cc4e72d104b8223ba830cb65651
-
Filesize
1KB
MD50eb439c49273f937361ff220377b7f25
SHA16fc92b7435ed7b421246aefae2b988c5efb04e23
SHA256fbbfd0aa2e84d87b076052775c6310379c753e9a2de3faf1d959760fd14341f4
SHA51289bf45a3199ab6845052ba80e6d17910754965d1842081179fb43c2bd722313d0dffee5f4ba0a91d832fa897fffc6f1ae96b3087f9a3e950f730c95f4eadb931
-
Filesize
1KB
MD55d759e15d803924f4487e40030102744
SHA1c2bfabd899bb1cc0538643ae7d2cbd9d0cee20e3
SHA256874b262c5b5aeb6a97bb695ac0e723ca707ebfef719adba52ecc0730e37c20a7