Analysis
  max time kernel: 425s
  max time network: 425s
  platform: windows10-2004_x64
  resource: win10v2004-20240709-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 16/07/2024, 18:25
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
  Sample: http://Ransomware.WannaCry.zip
  Resource: win10v2004-20240709-en
General
  Target: http://Ransomware.WannaCry.zip

Malware Config
  Extracted from: C:\Users\Admin\Downloads\@[email protected]
  Family: wannacry
  Bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
Signatures

Wannacry
  WannaCry is a ransomware cryptoworm.
Deletes shadow copies (3 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
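Added example, not part of the tria.ge report and not the sample's code: the signature above records that shadow copies were deleted but does not print the command lines that did it, so the scanner below runs over constructed process events. The destructive chain on the first event is the sequence documented for WannaCry (vssadmin, wmic shadowcopy, bcdedit, wbadmin) and is an assumption here rather than something this report shows; the other two events are constructed to exercise a benign enumeration and a PowerShell variant.

```python
"""Detect recovery-inhibiting command lines (ATT&CK T1490) in process events.

Added example for this report, not tria.ge code. SAMPLE_EVENTS are constructed;
the chained command on the first one is the sequence documented for WannaCry
and is not printed anywhere in the report above.
"""
import re
from dataclasses import dataclass

# (technique, reason, pattern). Patterns are deliberately loose about spacing,
# quoting and case: these tools accept many spellings and actors vary them.
RULES = [
    ("T1490", "vssadmin deletes/resizes shadow copies",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\b(?:delete\s+shadows|resize\s+shadowstorage)\b", re.I)),
    ("T1490", "wmic shadowcopy delete",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("T1490", "bcdedit disables Windows recovery",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\b(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
    ("T1490", "wbadmin deletes backup catalog",
     re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\s+catalog\b", re.I)),
    ("T1490", "PowerShell removes Win32_ShadowCopy instances",
     re.compile(r"Win32_ShadowCopy\b.*\b(?:Delete|Remove-WmiObject|Remove-CimInstance)\b", re.I)),
]

# Shell operators used to chain several commands behind one cmd.exe /c.
CHAIN_SPLIT = re.compile(r"\s*(?:&&|\|\||&)\s*")


@dataclass(frozen=True)
class Hit:
    pid: int
    image: str
    technique: str
    reason: str
    segment: str


def scan(events):
    """events: iterable of (pid, image, command_line) -> list of Hit.

    Each chained segment is tested on its own so that one cmd.exe line yields one
    hit per destructive action, and so that a benign segment cannot be paired with
    a destructive word from a later one ("vssadmin list shadows & echo delete").
    """
    hits = []
    for pid, image, cmdline in events:
        for segment in CHAIN_SPLIT.split(cmdline):
            for technique, reason, rx in RULES:
                if rx.search(segment):
                    hits.append(Hit(pid, image, technique, reason, segment))
    return hits


# Constructed sample input (pids are made up, not the report's).
SAMPLE_EVENTS = [
    (4001, "cmd.exe",
     "cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & "
     "bcdedit /set {default} bootstatuspolicy ignoreallfailures & "
     "bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet"),
    (4002, "cmd.exe", "vssadmin list shadows"),  # benign: enumeration only
    (4003, "powershell.exe",
     'powershell -c "Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"'),
]

if __name__ == "__main__":
    for h in scan(SAMPLE_EVENTS):
        print(f"{h.technique} pid={h.pid} {h.image}: {h.reason} <- {h.segment}")
```

The two bcdedit segments produce two separate hits on purpose: each one disables a different recovery path and an analyst wants both recorded.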
Downloads MZ/PE file

Drops startup file (2 IoCs)
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD60F4.tmp  WannaCry.EXE
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD610B.tmp  WannaCry.EXE

Executes dropped EXE (14 IoCs)
  3360  WannaCry.EXE
  4980  taskdl.exe
  6012  @[email protected]
  456   @[email protected]
  2992  taskhsvc.exe
  3680  taskdl.exe
  5588  taskse.exe
  1300  @[email protected]
  4396  taskdl.exe
  4148  taskse.exe
  5024  @[email protected]
  4708  taskse.exe
  3036  @[email protected]
  972   taskdl.exe

Loads dropped DLL (7 IoCs)
  2992  taskhsvc.exe  (7 loads)

Modifies file permissions (1 TTPs, 1 IoCs)
  5776  icacls.exe

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 1 IoCs)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\jfugzgoryzqa991 = "\"C:\\Users\\Admin\\Downloads\\tasksche.exe\""  reg.exe
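Added example (not tria.ge code). It parses the report's own Set value line format, decodes the escaped data, and applies the three checks a practitioner makes on a Run-key write: is the target in a user-writable directory, was the value written by a command-line tool such as reg.exe rather than an installer, and does the value name look generated. The first sample line is the IoC above; the other two are constructed. The key sits under WOW6432Node because a 32-bit writer is redirected there on 64-bit Windows; that Run key is still processed at logon.

```python
"""Triage registry Set-value events for autostart (Run-key) persistence.

Added example for this report, not tria.ge code. It parses the report's own
'Set value (<type>) <key>\\<name> = "<data>" <process>' line format. The first
sample line is the one recorded above; the other two are constructed.
"""
import re
from dataclasses import dataclass

SET_VALUE_RX = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<path>\\REGISTRY\\.+?) = "(?P<data>.*)" (?P<proc>\S+)$')
# Run/RunOnce under either hive; a 32-bit writer on 64-bit Windows is redirected
# to SOFTWARE\WOW6432Node\... and that key is processed at logon just the same.
AUTORUN_KEY_RX = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\(?:Run|RunOnce|RunServices|RunServicesOnce)$", re.I)
USER_WRITABLE_RX = re.compile(
    r"\\Users\\[^\\]+\\(?:Downloads|AppData|Desktop|Documents)\\|\\Temp\\|\\ProgramData\\|\\Users\\Public\\",
    re.I)
CLI_WRITERS = {"reg.exe", "cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}


@dataclass
class AutorunEntry:
    key: str
    name: str
    image: str
    writer: str
    reasons: list


def unescape(data):
    """The report escapes value data like a C string literal (backslash-quote, double backslash)."""
    return re.sub(r'\\(["\\])', r"\1", data)


def image_path(command):
    """First token of a command line, honouring surrounding quotes."""
    m = re.match(r'"([^"]+)"|(\S+)', command)
    return (m.group(1) or m.group(2)) if m else command


def looks_generated(name):
    """Crude heuristic: long, lowercase alphanumerics, few vowels (e.g. jfugzgoryzqa991)."""
    if len(name) < 12 or not re.fullmatch(r"[a-z0-9]+", name):
        return False
    letters = [c for c in name if c.isalpha()]
    return bool(letters) and sum(c in "aeiou" for c in letters) / len(letters) < 0.3


def triage(lines):
    entries = []
    for line in lines:
        m = SET_VALUE_RX.match(line.strip())
        if not m:
            continue
        key, _, name = m["path"].rpartition("\\")
        if not AUTORUN_KEY_RX.search(key):
            continue  # a Set value somewhere other than an autostart key
        image = image_path(unescape(m["data"]))
        reasons = []
        if USER_WRITABLE_RX.search(image):
            reasons.append("autostart target lives in a user-writable directory")
        if m["proc"].lower() in CLI_WRITERS:
            reasons.append(f"written by {m['proc']} rather than by an installer")
        if looks_generated(name):
            reasons.append("value name looks machine-generated")
        entries.append(AutorunEntry(key, name, image, m["proc"], reasons))
    return entries


SAMPLE_LINES = [
    # From the report above.
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\jfugzgoryzqa991 = "\"C:\\Users\\Admin\\Downloads\\tasksche.exe\"" reg.exe',
    # Constructed: a per-machine install registering itself from Program Files.
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = "\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background" OneDriveSetup.exe',
    # Constructed: not an autostart key, so ignored.
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\wallpaper.bmp" explorer.exe',
]

if __name__ == "__main__":
    for e in triage(SAMPLE_LINES):
        print(e.name, "->", e.image, "|", "; ".join(e.reasons) or "no findings")
```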
File and Directory Permissions Modification: Windows File and Directory Permissions Modification (1 TTPs)

Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 4 IoCs)
  flow 169  raw.githubusercontent.com
  flow 170  raw.githubusercontent.com
  flow 158  camo.githubusercontent.com
  flow 159  camo.githubusercontent.com

Drops file in System32 directory (13 IoCs)
  All 13 writes are by svchost.exe to Windows diagnostic stores (NDF, SRU, WDI); they are routine OS activity during the run, not files dropped by the sample.
  File opened for modification  C:\Windows\system32\NDF\{05C10880-6E69-4AAB-A135-372480B297B2}-temp-07162024-1828.etl  svchost.exe
  File opened for modification  C:\Windows\system32\SRU\SRU.chk  svchost.exe
  File opened for modification  C:\Windows\system32\SRU\SRU.log  svchost.exe
  File created                  C:\Windows\system32\SRU\SRUtmp.log  svchost.exe
  File opened for modification  C:\Windows\system32\SRU\SRUDB.dat  svchost.exe
  File opened for modification  C:\Windows\system32\SRU\SRUDB.jfm  svchost.exe
  File opened for modification  C:\Windows\system32\WDI\BootPerformanceDiagnostics_SystemData.bin  svchost.exe
  File opened for modification  C:\Windows\system32\SRU\SRUtmp.log  svchost.exe
  File created                  C:\Windows\system32\NDF\{05C10880-6E69-4AAB-A135-372480B297B2}-temp-07162024-1828.etl  svchost.exe
  File opened for modification  C:\Windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\{98ce11ff-2348-470d-8b12-df1178dc7b0d}\snapshot.etl  svchost.exe
  File created                  C:\Windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\{98ce11ff-2348-470d-8b12-df1178dc7b0d}\snapshot.etl  svchost.exe
  File created                  C:\Windows\system32\wdi\LogFiles\StartupInfo\S-1-5-21-1750093773-264148664-1320403265-1000_StartupInfo3.xml  svchost.exe
  File opened for modification  C:\Windows\system32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1750093773-264148664-1320403265-1000_UserData.bin  svchost.exe

Sets desktop wallpaper using registry (2 TTPs, 2 IoCs)
  Set value (str)  \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"  WannaCry.EXE
  Set value (str)  \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"  @[email protected]

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Event Triggered Execution: Netsh Helper DLL (1 TTPs, 9 IoCs)
  Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
  All nine events are reads of the helper-DLL key by netsh.exe itself; none of them writes a helper entry.
  Key queried           \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe  (3 times)
  Key value enumerated  \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe  (3 times)
  Key opened            \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  netsh.exe  (3 times)
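Added example (not tria.ge code). netsh.exe reads HKLM\SOFTWARE\Microsoft\NetSh on every start to find its helper DLLs, which is all the nine events above show; the persistence technique is a write to that key. The classifier below separates the two and, for a write, flags a helper path that is not an absolute System32 path. The nine report events are reproduced; the Set value line from reg.exe and the read by inventory.exe are constructed, and inventory.exe is a hypothetical process name.

```python
"""Separate benign netsh helper-list reads from Netsh Helper DLL persistence (T1546.007).

Added example for this report, not tria.ge code. PAGE_EVENTS are the nine events
recorded above (all reads by netsh.exe); CONSTRUCTED shows what a real helper
registration, and a read by some other process, would look like.
"""
import re
from dataclasses import dataclass

EVENT_RX = re.compile(
    r"^(?P<op>Key opened|Key queried|Key created|Key deleted|Key value enumerated|"
    r"Key value queried|Set value \(\w+\)|Delete value) "
    r'(?P<path>\\REGISTRY\\.+?)(?: = "(?P<data>.*)")? (?P<proc>\S+)$')
NETSH_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh".lower()
WRITE_OPS = {"Set value", "Key created", "Key deleted", "Delete value"}
SYSTEM32 = "c:\\windows\\system32\\"


@dataclass
class Verdict:
    level: str   # "alert" | "info" | "benign"
    proc: str
    detail: str


def classify(events):
    verdicts = []
    for line in events:
        m = EVENT_RX.match(line.strip())
        if not m:
            continue
        p = m["path"].lower()
        # Exact key or a subkey of it; plain startswith would also catch e.g. ...\NetShield.
        if p != NETSH_KEY and not p.startswith(NETSH_KEY + "\\"):
            continue
        op = m["op"].split(" (")[0]          # "Set value (str)" -> "Set value"
        if op in WRITE_OPS:
            # Value data is escaped like a C string literal in the report.
            dll = re.sub(r'\\(["\\])', r"\1", m["data"] or "")
            where = "" if dll.lower().startswith(SYSTEM32) else " (not an absolute System32 path)"
            verdicts.append(Verdict("alert", m["proc"],
                                    f"{op} under the NetSh key: helper {dll or '?'}{where}"))
        elif m["proc"].lower() == "netsh.exe":
            verdicts.append(Verdict("benign", m["proc"], f"{op}: netsh.exe reading its own helper list"))
        else:
            verdicts.append(Verdict("info", m["proc"], f"{op}: non-netsh process reading the helper list"))
    return verdicts


def summary(events):
    counts = {"alert": 0, "info": 0, "benign": 0}
    for v in classify(events):
        counts[v.level] += 1
    return counts


# The nine events from the report: three each of queried / enumerated / opened.
PAGE_EVENTS = [f"{op} \\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\NetSh netsh.exe"
               for op in ("Key queried", "Key value enumerated", "Key opened")] * 3
# Constructed: an actual helper registration, and a read by a hypothetical non-netsh process.
CONSTRUCTED = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh\helper = "C:\\Users\\Public\\helper.dll" reg.exe',
    r"Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh inventory.exe",
]
SAMPLE_EVENTS = PAGE_EVENTS + CONSTRUCTED

if __name__ == "__main__":
    for v in classify(SAMPLE_EVENTS):
        print(v.level.upper(), v.proc, v.detail)
```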
Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  All six reads come from msinfo32.exe, not from the sample's processes. Note the device names: the optical drive still identifies itself as QEMU while the disk reports Ven_DADY.
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000  msinfo32.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID  msinfo32.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs  msinfo32.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000  msinfo32.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID  msinfo32.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs  msinfo32.exe
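Added example (not tria.ge code). The key names above are what a VM-aware sample reading the same Enum\SCSI keys would see, so the code parses the six recorded key paths plus two constructed ones (a VMware virtual disk and a physical Samsung disk) and lists the vendor/product substrings that give a VM away. The marker list is an assumption drawn from commonly checked strings, not from this report.

```python
"""Spot virtualization vendor strings in SCSI device keys (what a VM-aware sample looks for).

Added example for this report, not tria.ge code. PAGE_PATHS are the six key
paths recorded above; OTHER_PATHS are constructed.
"""
import re

SCSI_ENUM_RX = re.compile(
    r"\\Enum\\SCSI\\(?P<cls>[^&\\]+)&Ven_(?P<ven>[^&\\]+)&Prod_(?P<prod>[^&\\]+)\\(?P<inst>[^\\]+)",
    re.I)
# Vendor/product substrings commonly tested by evasive samples (assumed list, upper-cased).
VM_MARKERS = ("QEMU", "VBOX", "VIRTUALBOX", "VMWARE", "VIRTUAL", "VIRTIO", "XEN")


def parse_devices(paths):
    """Unique (class, vendor, product, instance) tuples; case differences between
    'CDROM&VEN_QEMU' and 'CdRom&Ven_QEMU' collapse onto one device."""
    devices = set()
    for p in paths:
        m = SCSI_ENUM_RX.search(p)
        if m:
            devices.add((m["cls"].lower(), m["ven"].upper(), m["prod"].upper(), m["inst"].lower()))
    return devices


def vm_markers(ven, prod):
    return [mk for mk in VM_MARKERS if mk in f"{ven} {prod}"]


def assess(paths):
    """{(class, vendor, product): [markers]}; an empty list means nothing gave the VM away."""
    result = {}
    for cls, ven, prod, _ in sorted(parse_devices(paths)):
        result[(cls, ven, prod)] = vm_markers(ven, prod)
    return result


PAGE_PATHS = [
    r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000",
    r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID",
    r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs",
    r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000",
    r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID",
    r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs",
]
# Constructed: a VMware virtual disk and a physical NVMe/SSD for contrast.
OTHER_PATHS = [
    r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000\HardwareID",
    r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_SAMSUNG&Prod_MZVLB512HBJQ-000\4&1a2b3c4d&0&000000\HardwareID",
]

if __name__ == "__main__":
    for dev, markers in assess(PAGE_PATHS + OTHER_PATHS).items():
        print(dev, "->", markers or "no VM marker")
```

On this image the disk would pass such a check but the CD-ROM would not; when tuning a sandbox against VM-aware samples, the optical drive's vendor/product strings need the same treatment as the disk's.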
Checks processor information in registry (2 TTPs, 8 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  None of these reads come from the sample's dropped executables; the readers are svchost.exe and POWERPNT.EXE.
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  svchost.exe
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0  POWERPNT.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  POWERPNT.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  POWERPNT.EXE
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0  POWERPNT.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  POWERPNT.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  POWERPNT.EXE
  Key opened         \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0  svchost.exe

Enumerates system info in registry (2 TTPs, 12 IoCs)
  Readers are msedge.exe, POWERPNT.EXE and msinfo32.exe, none of them sample processes.
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS  msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  msedge.exe
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS  POWERPNT.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU  POWERPNT.EXE
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS  msinfo32.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU  msinfo32.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\ECFirmwareMajorRelease  msinfo32.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  POWERPNT.EXE
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS  POWERPNT.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  POWERPNT.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU  POWERPNT.EXE

Gathers network information (2 TTPs, 1 IoCs)
  Uses commandline utility to view network configuration.
  3796  ipconfig.exe

Modifies registry class (2 IoCs)
  Key created  \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1750093773-264148664-1320403265-1000\{0020965D-52F1-419C-A2EE-2AEBD845A3C6}  msedge.exe
  Key created  \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Extensions\ContractId\Windows.Protocol\PackageId  CastSrv.exe

Modifies registry key (1 TTPs, 1 IoCs)
  3872  reg.exe

NTFS ADS (1 IoCs)
  File opened for modification  C:\Users\Admin\Downloads\Unconfirmed 295802.crdownload:SmartScreen  msedge.exe
  This is Edge writing its SmartScreen stream onto an in-progress download (the .crdownload file), not the sample hiding data in an alternate stream.

Suspicious behavior: AddClipboardFormatListener (4 IoCs)
  4636  vlc.exe
  4088  POWERPNT.EXE
  3960  POWERPNT.EXE
  5696  vlc.exe

Suspicious behavior: EnumeratesProcesses (28 IoCs)
  1832  msedge.exe  (2)
  2960  msedge.exe  (2)
  4448  identity_helper.exe  (2)
  5936  sdiagnhost.exe  (2)
  4704  msedge.exe  (4)
  3220  sdiagnhost.exe  (2)
  316   svchost.exe  (2)
  2380  msedge.exe  (2)
  2236  msedge.exe  (2)
  4976  msedge.exe  (2)
  2992  taskhsvc.exe  (6)

Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  4636  vlc.exe
  5320  msinfo32.exe

Suspicious behavior: LoadsDriver (10 IoCs)
  4    Process not Found  (9 times; PID 4 is the System process)
  656  Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (20 IoCs)
  2960  msedge.exe  (20 times)
Suspicious use of AdjustPrivilegeToken (56 IoCs)
  Token: SeDebugPrivilege            5936  sdiagnhost.exe
  Token: SeManageVolumePrivilege     5048  svchost.exe
  Token: SeDebugPrivilege            3220  sdiagnhost.exe
  Token: 33                          3996  AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege  3996  AUDIODG.EXE
  Token: SeBackupPrivilege           2424  vssvc.exe
  Token: SeRestorePrivilege          2424  vssvc.exe
  Token: SeAuditPrivilege            2424  vssvc.exe
  5144 WMIC.exe enables the following set twice over (42 IoCs): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  Token: SeTcbPrivilege  5588  taskse.exe  (2 times)
  Token: SeTcbPrivilege  4148  taskse.exe  (2 times)
  Token: SeTcbPrivilege  4708  taskse.exe  (2 times)
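Added example (not tria.ge code). The list above is dominated by WMIC.exe enabling every privilege it holds, which wmic.exe does at startup and which carries little signal on its own. The entries that deserve attention are the three taskse.exe processes, each enabling SeTcbPrivilege: that is the privilege WTSQueryUserToken requires to obtain another session's token, consistent with taskse.exe's documented role of starting the decryptor window in every interactive session. The code groups the report's Token entries per process, folds the enable-all pattern into one finding, and subtracts a per-image baseline (vssvc.exe, sdiagnhost.exe) that is an illustrative assumption.

```python
"""Group AdjustPrivilegeToken IoCs by process and surface the ones worth a look.

Added example for this report, not tria.ge code. SAMPLE is the report's own
"Token: <privilege> <pid> <process>" list with exact duplicates removed (the
report lists WMIC.exe's set twice and each taskse.exe entry twice). EXPECTED is
an assumed baseline for illustration only.
"""
import re
from collections import defaultdict

TOKEN_RX = re.compile(r"Token:\s+(?P<priv>\S+)\s+(?P<pid>\d+)\s+(?P<proc>\S+)")

SENSITIVE = {
    "SeTcbPrivilege": "needed by WTSQueryUserToken / cross-session CreateProcessAsUser",
    "SeDebugPrivilege": "open any process, including SYSTEM ones",
    "SeLoadDriverPrivilege": "load kernel drivers",
    "SeBackupPrivilege": "read any file or key regardless of ACL",
    "SeRestorePrivilege": "write any file or key regardless of ACL",
    "SeTakeOwnershipPrivilege": "take ownership of any object",
}
# A process enabling this many distinct privileges at once is usually doing
# "enable everything I hold" at startup (wmic.exe does; so do many installers).
ENABLE_ALL_THRESHOLD = 15
# Assumed baseline keyed by image name only. In real use pair it with image path
# and signer checks, since a name is trivially spoofed.
EXPECTED = {
    "vssvc.exe": {"SeBackupPrivilege", "SeRestorePrivilege"},
    "sdiagnhost.exe": {"SeDebugPrivilege"},
}


def parse_tokens(text):
    """Works on the report's run-together single line as well as one entry per line."""
    return [(m["priv"], int(m["pid"]), m["proc"]) for m in TOKEN_RX.finditer(text)]


def triage(text):
    per_proc = defaultdict(set)
    for priv, pid, proc in parse_tokens(text):
        per_proc[(pid, proc)].add(priv)
    findings = {}
    for (pid, proc), privs in per_proc.items():
        if len(privs) >= ENABLE_ALL_THRESHOLD:
            findings[(pid, proc)] = "enable-all pattern (low signal by itself)"
            continue
        baseline = EXPECTED.get(proc.lower(), set())
        hits = sorted(p for p in privs if p in SENSITIVE and p not in baseline)
        if hits:
            findings[(pid, proc)] = "; ".join(f"{p}: {SENSITIVE[p]}" for p in hits)
    return findings


SAMPLE = """
Token: SeDebugPrivilege 5936 sdiagnhost.exe
Token: SeManageVolumePrivilege 5048 svchost.exe
Token: SeDebugPrivilege 3220 sdiagnhost.exe
Token: 33 3996 AUDIODG.EXE
Token: SeIncBasePriorityPrivilege 3996 AUDIODG.EXE
Token: SeBackupPrivilege 2424 vssvc.exe
Token: SeRestorePrivilege 2424 vssvc.exe
Token: SeAuditPrivilege 2424 vssvc.exe
Token: SeIncreaseQuotaPrivilege 5144 WMIC.exe Token: SeSecurityPrivilege 5144 WMIC.exe
Token: SeTakeOwnershipPrivilege 5144 WMIC.exe Token: SeLoadDriverPrivilege 5144 WMIC.exe
Token: SeSystemProfilePrivilege 5144 WMIC.exe Token: SeSystemtimePrivilege 5144 WMIC.exe
Token: SeProfSingleProcessPrivilege 5144 WMIC.exe Token: SeIncBasePriorityPrivilege 5144 WMIC.exe
Token: SeCreatePagefilePrivilege 5144 WMIC.exe Token: SeBackupPrivilege 5144 WMIC.exe
Token: SeRestorePrivilege 5144 WMIC.exe Token: SeShutdownPrivilege 5144 WMIC.exe
Token: SeDebugPrivilege 5144 WMIC.exe Token: SeSystemEnvironmentPrivilege 5144 WMIC.exe
Token: SeRemoteShutdownPrivilege 5144 WMIC.exe Token: SeUndockPrivilege 5144 WMIC.exe
Token: SeManageVolumePrivilege 5144 WMIC.exe Token: 33 5144 WMIC.exe
Token: 34 5144 WMIC.exe Token: 35 5144 WMIC.exe Token: 36 5144 WMIC.exe
Token: SeTcbPrivilege 5588 taskse.exe
Token: SeTcbPrivilege 4148 taskse.exe
Token: SeTcbPrivilege 4708 taskse.exe
"""

if __name__ == "__main__":
    for (pid, proc), why in triage(SAMPLE).items():
        print(f"{pid:>5} {proc}: {why}")
```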
Suspicious use of FindShellTrayWindow (64 IoCs)
  2960  msedge.exe  (repeated)
  3860  msdt.exe
  4636  vlc.exe  (repeated)
  5696  vlc.exe  (repeated)
  1500  msdt.exe
  1300  @[email protected]

Suspicious use of SendNotifyMessage (48 IoCs)
  2960  msedge.exe  (repeated)
  4636  vlc.exe  (repeated)
  5696  vlc.exe  (repeated)

Suspicious use of SetWindowsHookEx (17 IoCs)
  4636  vlc.exe  (1)
  4088  POWERPNT.EXE  (2)
  3960  POWERPNT.EXE  (5)
  5696  vlc.exe  (1)
  6012  @[email protected]  (2)
  456   @[email protected]  (2)
  1300  @[email protected]  (2)
  5024  @[email protected]  (1)
  3036  @[email protected]  (1)

Suspicious use of WriteProcessMemory (64 IoCs)
  PID 2960 (msedge.exe) wrote to memory of 3064, 4404, 1832 and 1480 (procid_target 83, 84, 85, 86); 64 events in total, most of them repeated writes to 4404 and 1480.

Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Uses Volume Shadow Copy WMI provider
  The Volume Shadow Copy service is used to manage backups/snapshots.

Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.

Views/modifies file attributes (1 TTPs, 2 IoCs)
  5760  attrib.exe
  2524  attrib.exe
Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2960)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://Ransomware.WannaCry.zip
  - Enumerates system info in registry
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3064, child of 2960)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9531446f8,0x7ff953144708,0x7ff953144718

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4404, child of 2960)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2036,3833460129067447276,6374149661868176411,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2056 /prefetch:2

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1832, child of 2960)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2036,3833460129067447276,6374149661868176411,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2540 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1480, child of 2960)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2036,3833460129067447276,6374149661868176411,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2840 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2932, child of 2960)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,3833460129067447276,6374149661868176411,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2404, child of 2960)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,3833460129067447276,6374149661868176411,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 952, child of 2960)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,3833460129067447276,6374149661868176411,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4204 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2064, child of 2960)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,3833460129067447276,6374149661868176411,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5000 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe  (PID 1476, child of 2960)
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2036,3833460129067447276,6374149661868176411,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5392 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe  (PID 4448, child of 2960)
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2036,3833460129067447276,6374149661868176411,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5392 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1836, child of 2960)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,3833460129067447276,6374149661868176411,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4236 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1508, child of 2960)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,3833460129067447276,6374149661868176411,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4324 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 60, child of 2960)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,3833460129067447276,6374149661868176411,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3552 /prefetch:1

    C:\Windows\system32\msdt.exe  (PID 3860, child of 2960)
      -modal "328362" -skip TRUE -path "C:\Windows\diagnostics\system\networking" -af "C:\Users\Admin\AppData\Local\Temp\NDF94CE.tmp" -ep "NetworkDiagnosticsWeb"
      - Suspicious use of FindShellTrayWindow

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 6052, child of 2960)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,3833460129067447276,6374149661868176411,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3600 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4704, child of 2960)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2036,3833460129067447276,6374149661868176411,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5060 /prefetch:2
      - Suspicious behavior: EnumeratesProcesses

    C:\Windows\system32\msdt.exe  (PID 1500, child of 2960)
      -modal "328362" -skip TRUE -path "C:\Windows\diagnostics\system\networking" -af "C:\Users\Admin\AppData\Local\Temp\NDFD7C9.tmp" -ep "NetworkDiagnosticsWeb"
      - Suspicious use of FindShellTrayWindow

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4296, child of 2960)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,3833460129067447276,6374149661868176411,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4892 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4080, child of 2960)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,3833460129067447276,6374149661868176411,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2468, child of 2960)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,3833460129067447276,6374149661868176411,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5016, child of 2960)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,3833460129067447276,6374149661868176411,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3936 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5400, child of 2960)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,3833460129067447276,6374149661868176411,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2248, child of 2960)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,3833460129067447276,6374149661868176411,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5232, child of 2960)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,3833460129067447276,6374149661868176411,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6044 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5696, child of 2960)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2036,3833460129067447276,6374149661868176411,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5668 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 2380, child of 2960)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2036,3833460129067447276,6374149661868176411,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3468 /prefetch:8
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5868, child of 2960)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,3833460129067447276,6374149661868176411,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3596 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 5380, child of 2960)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,3833460129067447276,6374149661868176411,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4224 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 216, child of 2960)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,3833460129067447276,6374149661868176411,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5904 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 3712, child of 2960)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2036,3833460129067447276,6374149661868176411,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4936 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 6016, child of 2960)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,3833460129067447276,6374149661868176411,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5056 /prefetch:1

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 720, child of 2960)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2036,3833460129067447276,6374149661868176411,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6572 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 6020, child of 2960)
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,3833460129067447276,6374149661868176411,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3136 /prefetch:1
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2036,3833460129067447276,6374149661868176411,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3100 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4976
-
-
  [depth 2] C:\Users\Admin\Downloads\WannaCry.EXE
      Command line: "C:\Users\Admin\Downloads\WannaCry.EXE"
      - Drops startup file
      - Executes dropped EXE
      - Sets desktop wallpaper using registry
      PID: 3360

    [depth 3] C:\Windows\SysWOW64\attrib.exe
        Command line: attrib +h .
        - Views/modifies file attributes
        PID: 5760

    [depth 3] C:\Windows\SysWOW64\icacls.exe
        Command line: icacls . /grant Everyone:F /T /C /Q
        - Modifies file permissions
        PID: 5776

    [depth 3] C:\Users\Admin\Downloads\taskdl.exe
        Command line: taskdl.exe
        - Executes dropped EXE
        PID: 4980

    [depth 3] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c 217161721154681.bat
        PID: 1236

      [depth 4] C:\Windows\SysWOW64\cscript.exe
          Command line: cscript.exe //nologo m.vbs
          PID: 4428

    [depth 3] C:\Windows\SysWOW64\attrib.exe
        Command line: attrib +h +s F:\$RECYCLE
        - Views/modifies file attributes
        PID: 2524

    [depth 3, inferred from tree position] C:\Users\Admin\Downloads\@[email protected]
        PID: 6012

      [depth 4] C:\Users\Admin\Downloads\TaskData\Tor\taskhsvc.exe
          Command line: TaskData\Tor\taskhsvc.exe
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious behavior: EnumeratesProcesses
          PID: 2992

    [depth 3, inferred from tree position] C:\Windows\SysWOW64\cmd.exe
        PID: 1300

      [depth 4, inferred from tree position] C:\Users\Admin\Downloads\@[email protected]
          PID: 456

        [depth 5] C:\Windows\SysWOW64\cmd.exe
            Command line: cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
            PID: 5788

          [depth 6] C:\Windows\SysWOW64\Wbem\WMIC.exe
              Command line: wmic shadowcopy delete
              - Suspicious use of AdjustPrivilegeToken
              PID: 5144

    [depth 3] C:\Users\Admin\Downloads\taskdl.exe
        Command line: taskdl.exe
        - Executes dropped EXE
        PID: 3680

    [depth 3] C:\Users\Admin\Downloads\taskse.exe
        Command line: taskse.exe C:\Users\Admin\Downloads\@[email protected]
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        PID: 5588

    [depth 3] C:\Users\Admin\Downloads\@[email protected]
        - Executes dropped EXE
        - Sets desktop wallpaper using registry
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SetWindowsHookEx
        PID: 1300

    [depth 3] C:\Windows\SysWOW64\cmd.exe
        Command line: cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "jfugzgoryzqa991" /t REG_SZ /d "\"C:\Users\Admin\Downloads\tasksche.exe\"" /f
        PID: 5848

      [depth 4] C:\Windows\SysWOW64\reg.exe
          Command line: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "jfugzgoryzqa991" /t REG_SZ /d "\"C:\Users\Admin\Downloads\tasksche.exe\"" /f
          - Adds Run key to start application
          - Modifies registry key
          PID: 3872

    [depth 3] C:\Users\Admin\Downloads\taskdl.exe
        Command line: taskdl.exe
        - Executes dropped EXE
        PID: 4396

    [depth 3] C:\Users\Admin\Downloads\taskse.exe
        Command line: taskse.exe C:\Users\Admin\Downloads\@[email protected]
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        PID: 4148

    [depth 3, inferred from tree position] C:\Users\Admin\Downloads\@[email protected]
        PID: 5024

    [depth 3] C:\Users\Admin\Downloads\taskse.exe
        Command line: taskse.exe C:\Users\Admin\Downloads\@[email protected]
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        PID: 4708

    [depth 3, inferred from tree position] C:\Users\Admin\Downloads\@[email protected]
        PID: 3036

    [depth 3] C:\Users\Admin\Downloads\taskdl.exe
        Command line: taskdl.exe
        - Executes dropped EXE
        PID: 972

[depth 1] C:\Windows\System32\CompPkgSrv.exe
    Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
    PID: 3436

[depth 1] C:\Windows\System32\CompPkgSrv.exe
    Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
    PID: 1844

[depth 1] C:\Windows\System32\sdiagnhost.exe
    Command line: C:\Windows\System32\sdiagnhost.exe -Embedding
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 5936

  [depth 2] C:\Windows\system32\netsh.exe
      Command line: "C:\Windows\system32\netsh.exe" trace diagnose Scenario=NetworkSnapshot Mode=NetTroubleshooter
      - Event Triggered Execution: Netsh Helper DLL
      PID: 1656

[depth 1] C:\Windows\System32\rundll32.exe
    Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    PID: 5200

[depth 1] C:\Windows\System32\svchost.exe
    Command line: C:\Windows\System32\svchost.exe -k UnistackSvcGroup
    - Suspicious use of AdjustPrivilegeToken
    PID: 5048

[depth 1] C:\Program Files\VideoLAN\VLC\vlc.exe
    Command line: "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\OpenCompare.mov"
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID: 4636

[depth 1] C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /s "C:\Users\Admin\Desktop\ImportExport.ppsm" /ou ""
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID: 4088

[depth 1] C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
    Command line: "C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\Desktop\LockRemove.pptx" /ou ""
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of SetWindowsHookEx
    PID: 3960

[depth 1] C:\Program Files\VideoLAN\VLC\vlc.exe
    Command line: "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\ConfirmRename.WTV"
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID: 5696

[depth 1] C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\ExportResume.bat" "
    PID: 6008

[depth 1] C:\Windows\system32\msinfo32.exe
    Command line: "C:\Windows\system32\msinfo32.exe" "C:\Users\Admin\Desktop\ResetDismount.nfo"
    - Checks SCSI registry key(s)
    - Enumerates system info in registry
    - Suspicious behavior: GetForegroundWindowSpam
    PID: 5320

[depth 1] C:\Windows\System32\sdiagnhost.exe
    Command line: C:\Windows\System32\sdiagnhost.exe -Embedding
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 3220

  [depth 2] C:\Windows\system32\netsh.exe
      Command line: "C:\Windows\system32\netsh.exe" trace diagnose Scenario=NetworkSnapshot Mode=NetTroubleshooter
      - Event Triggered Execution: Netsh Helper DLL
      PID: 5968

  [depth 2] C:\Windows\system32\netsh.exe
      Command line: "C:\Windows\system32\netsh.exe" trace diagnose Scenario=NetworkSnapshot Mode=NetTroubleshooter
      - Event Triggered Execution: Netsh Helper DLL
      PID: 3760

  [depth 2] C:\Windows\system32\ipconfig.exe
      Command line: "C:\Windows\system32\ipconfig.exe" /all
      - Gathers network information
      PID: 3796

  [depth 2] C:\Windows\system32\ROUTE.EXE
      Command line: "C:\Windows\system32\ROUTE.EXE" print
      PID: 5832

  [depth 2] C:\Windows\system32\makecab.exe
      Command line: "C:\Windows\system32\makecab.exe" /f NetworkConfiguration.ddf
      PID: 4556

[depth 1] C:\Windows\System32\svchost.exe
    Command line: C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork -p -s DPS
    - Drops file in System32 directory
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID: 316

[depth 1] C:\Windows\System32\svchost.exe
    Command line: C:\Windows\System32\svchost.exe -k LocalService -p -s WdiServiceHost
    - Drops file in System32 directory
    PID: 2304

  [depth 2] C:\Windows\System32\rundll32.exe
      Command line: "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\winethc.dll",ForceProxyDetectionOnNextRun
      PID: 3720

[depth 1] C:\Windows\System32\svchost.exe
    Command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s WdiSystemHost
    PID: 4304

[depth 1] C:\Windows\system32\AUDIODG.EXE
    Command line: C:\Windows\system32\AUDIODG.EXE 0x4f0 0x460
    - Suspicious use of AdjustPrivilegeToken
    PID: 3996

[depth 1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaultdb47ed32he9feh46f0hbb84h8be1efad84f2
    PID: 2176

  [depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ff9531446f8,0x7ff953144708,0x7ff953144718
      PID: 768

  [depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,12576038551349074398,16242397219108881153,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
      PID: 3428

  [depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,12576038551349074398,16242397219108881153,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3
      PID: 5728

[depth 1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaulta9514a25h20ebh47acha4d2hdb07bdf054ad
    PID: 2076

  [depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff9531446f8,0x7ff953144708,0x7ff953144718
      PID: 4916

  [depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2000,1822232395160933154,803378968162127691,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2024 /prefetch:2
      PID: 408

  [depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2000,1822232395160933154,803378968162127691,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses
      PID: 2236

[depth 1] C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
    PID: 5312

[depth 1] C:\Windows\System32\CastSrv.exe
    Command line: C:\Windows\System32\CastSrv.exe CCastServerControlInteractiveUser -Embedding
    - Modifies registry class
    PID: 3848

[depth 1] C:\Windows\system32\vssvc.exe
    Command line: C:\Windows\system32\vssvc.exe
    - Suspicious use of AdjustPrivilegeToken
    PID: 2424
Network
MITRE ATT&CK Enterprise v15
Persistence
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
  - Event Triggered Execution (1)
    - Netsh Helper DLL (1)
Privilege Escalation
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
  - Event Triggered Execution (1)
    - Netsh Helper DLL (1)
Defense Evasion
  - File and Directory Permissions Modification (2)
    - Windows File and Directory Permissions Modification (1)
  - Hide Artifacts (1)
    - Hidden Files and Directories (1)
  - Indicator Removal (1)
    - File Deletion (1)
  - Modify Registry (3)
Downloads
-
C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\@[email protected]
Filesize585B
MD533e1fffb020e9815a90be6ea7dabf9b2
SHA14f33b8d5fa773e3977f8dbafa1c24fbe5a80dd06
SHA256a029cd1eee583da03c5233d0aa09081f2f9f945ab25515899fc8651278cd29f2
SHA5126dda8f8baf78bb52ffc1ce6b7c9fd604791417aea1f60c94eef8f2963cdfeed8987221b81568dbeaec5ae962ae196cdcb341640731d00f1b8b7ae883a4eccb11
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187
Filesize471B
MD5191b0a78857df676c1d6e155908ef47c
SHA150b38ca16310ce7a50b303a6ad42d175bb6bcd61
SHA2560d05e15c83de4beba56bea89d927b974e647fc02b15630da05f5ea792485350c
SHA5124348178e9a01a6ec7317215e586d3f91d26cd5f0ce8fe72259b1363f60a2a9b08609d8316c887845e44874f999bfea4a3120633d5d671fd85366d83ffb51466a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187
Filesize412B
MD5efbdf39a9c8c8f4ea49fa5f0bbb9fcb7
SHA16de159e5b6ccb592d3606d9f08930587b18b03d3
SHA256997d88d5688b7698731ff72e2cb43e72f61d31b71a6117180319758b102dda1d
SHA512f139df27609b18d66fa8e801de98e367f771c63481ecc622142e889d98183454a028cfed6eb319d11251c54b90a553e6560d270b277c0d63ac9ded6b3a79a72f
-
Filesize
16KB
MD5acc1374bef4ed86ce2177dfe4383f65c
SHA118887ccdd4f3b5601ce9d29942e719c715df0d43
SHA256ead1ede66d201a06b3aeec0681d360f430e3960aa1e10c4dc7e3f46c0ca52992
SHA512390a376ed84dad490ad27c93a23412e663727fecbc11f63e1fab031a48efe85b6da3d5d36c67cc29248d06402f4c91da9d8f6b6d3d7778afbf73500a88a15ea4
-
Filesize
47KB
MD5310e1da2344ba6ca96666fb639840ea9
SHA1e8694edf9ee68782aa1de05470b884cc1a0e1ded
SHA25667401342192babc27e62d4c1e0940409cc3f2bd28f77399e71d245eae8d3f63c
SHA51262ab361ffea1f0b6ff1cc76c74b8e20c2499d72f3eb0c010d47dba7e6d723f9948dba3397ea26241a1a995cffce2a68cd0aaa1bb8d917dd8f4c8f3729fa6d244
-
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2024071618.001\NetworkDiagnostics.debugreport.xml
Filesize137KB
MD596567951231aaf42ef37fc9c79717c9d
SHA13345c290248b3094d6d5f7c3a7375ee156c0abc8
SHA25602867f3f14d3c10bc86a7b235513fc1949d7a7fbd2fb7d3db1affe6951a457bd
SHA512be3c4d0ee2673cc9e75cb74c4dfdaa329d23258a7e60203785c1765958d772e175c0c120d74b38658f4d31c664da5b06b5f4d748b7c031da55a4657f0e31c105
-
Filesize
37KB
MD5cc17476abe5838f8a2c224f59b7f8114
SHA1791f01c6580d51772eff354242628f2158c0d1be
SHA256a56696d928b84672760aade2d8e772632174fc453b8b11a9b7c858158463159b
SHA5126688d1c0db5e50d094d079c2e9d58cded76f49d20dd72d90611e32a02b55ce3d15d7d418e3d0adb323efb1c2dd3c048a00ab229203230b692fb1657429f545c6
-
Filesize
11KB
MD5073c1486372c09d5471798a42c4c57e6
SHA1d626cc90fff4633cab4263f83684c5d07b253b4c
SHA256fd5591bc2c87fd736ce170864eebc48ffd721659474cd75d81e7d6c8a72aff83
SHA512ae4ac2fa02eede4ffc5da1ea3036c62ecfbd1e7073f4f0646b11582b742ea06db6ea9c0b447dbc8f026f0abdb323092af59172c16920610ab32afc10d1baae47
-
Filesize
6KB
MD5679b28bad1de1bb248ec8556801eccc7
SHA14273550d091d50e8292cb5d21bc3f93dbda3e68f
SHA256d1f7df2f83a2268748bd0aa48572b469bd19ccd03945fca4c81bfa551c2ef340
SHA5123b45814f4cd60a39a130472fceb982981ce491ed35356c3892d25c8f5e2b878b16ba9d4679b60cf99e226d78c83a1b5d4fd912af0ae4b2e1e75262aa7023c406
-
Filesize
152B
MD5584971c8ba88c824fd51a05dddb45a98
SHA1b7c9489b4427652a9cdd754d1c1b6ac4034be421
SHA256e2d8de6c2323bbb3863ec50843d9b58a22e911fd626d31430658b9ea942cd307
SHA5125dbf1a4631a04d1149d8fab2b8e0e43ccd97b7212de43b961b9128a8bf03329164fdeb480154a8ffea5835f28417a7d2b115b8bf8d578d00b13c3682aa5ca726
-
Filesize
152B
MD5dc3ce42f5a495b4083ac12e6db4b9c5b
SHA1b69d25919ada106f8bf3bd4fff492b420794e36a
SHA2563a36b5b9aadf102c9389416f4c618673b3c92064eab0dade1e79f0829a5868b2
SHA5122213be8df9fae82566ac09f3349e2d6d1c6390710ded7c862328e68d88eb4771f409d01e08d7203b88c9546139f2aa975e84fa3c9608b1466b29775c40e269a0
-
Filesize
152B
MD568e91cadf7520486dcca2fb1bb02dc1f
SHA159b471c8d9d866de83f8fca78e2f747f1a6166bd
SHA2563673263377fc42c97ceda0ce8f75c736e6a55aca61b2f678757ac4d789b89876
SHA5121325ae0bf8a88a22fbc4cd2a6b7bce2d470ec760ece60ad0a0b30233f8d0cc97cd34a11aeaf7c7b851d28260f64c7cf1137e8f68b1ea44c9dba915d77444241f
-
Filesize
152B
MD5b28ef7d9f6d74f055cc49876767c886c
SHA1d6b3267f36c340979f8fc3e012fdd02c468740bf
SHA256fa6804456884789f4bdf9c3f5a4a8f29e0ededde149c4384072f3d8cc85bcc37
SHA512491f893c8f765e5d629bce8dd5067cef4e2ebc558d43bfb05e358bca43e1a66ee1285519bc266fd0ff5b5e09769a56077b62ac55fa8797c1edf6205843356e75
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize4KB
MD5f16d8e6f0cc77fd8fc47e356f19b2c8d
SHA1ad9205e0fbc81850a38dcfb83d2ef9847395db4e
SHA256dba8c451cb08343107c22024893792a64a539572abc11259b6efc94ac3bb8c7b
SHA5129ddcbb685e09a31b2131c1054a917d13acda3ffc25008b02ca6c51f0bfe9fc20e7784888f4ce6fd8a77a0e7411cda569549efcf929062d3f64a5adc577cf6317
-
Filesize
111B
MD5807419ca9a4734feaf8d8563a003b048
SHA1a723c7d60a65886ffa068711f1e900ccc85922a6
SHA256aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631
SHA512f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c
-
Filesize
111B
MD5285252a2f6327d41eab203dc2f402c67
SHA1acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA2565dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA51211ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
Filesize
1KB
MD512a5db7d2591753f4af349e77ee20fb0
SHA1bdb866251025f129ccc2b1233a35adf64403ece8
SHA25670c16fdeba959b280a5f6b7088883534de861280da275c305b3154183a2d7101
SHA512958257e6100bd9cd4456f29b61cd25cb16f294caf27bc7ee73d70e7759c8ee5817fe8f53e3fac4e3c071931e245cc420e5f055e767fff102d7c6f72d8b9dd67c
-
Filesize
1KB
MD54d4bd4d8bb62fd5569e6ed4952cbcff7
SHA104bc52c19568699a3f8083e406612d79216a3083
SHA2560068c5069e0eb6c60429749e1f5af7622ac612adfdc558a07ba9c14a1b5612bf
SHA512eecf942cb05acf8770ffb0c3d835da843204195bae45eac9ef794871eff662ff29f467d78774f9a16b769c3d47595c305c2ff8828c2d56f2154513c06778f493
-
Filesize
6KB
MD537375b7007d7b21e9f59f3a31fcb78f3
SHA155714f4c1c76b1f678b9cdc7180ed4e6411b57ad
SHA2561e8dad090b3da13e6183ee7edb54af597c9f49d8c20aa7f9941dd5b9bde6b897
SHA512d425a3dcff05d9ca029cede4c78b08b2aecf4cf3595345818bdcf85d4cc069b4291bc602258651b6ff7dba18ca65de66b9b0c249196ae31df79ff4bbcda7a86e
-
Filesize
6KB
MD52225143ff29e96951262321651fa63a3
SHA166a8ac717c9e0fe90a8d719e27150c192e111880
SHA256f9e9e6c95adb4d9a1e87fc1d6b663c36ca60abf4265c1fea4ab4cb0645099200
SHA512c9315cad9459046c686f2822a1787fa87e8c4969ea3f2e6a452d3073758e7ba8ac9d4c54e029b0ffa19c33b5c44fcbad616d3a5f8a9a71357e7dd742c99ed9cf
-
Filesize
7KB
MD55bf843f8062232ef1d25fab43e2893fc
SHA1f4708910bfd5ab17339da95539f21ecc8801cfc0
SHA2565a7dc719bc1f619d2f9d6ddf0280adedcb51bc1db303e6eef614b27830561ae6
SHA512635d99894843bb611ee830bd4b584a803d13e2d04fdf1058343c6c8dab8fa80e90fdbf8f56d60971aa6db9ec4184c78965af9be9a208a2a7193c4f216e525afe
-
Filesize
7KB
MD56c2ae3e2b4c713929714713f0d286d9e
SHA19be4516f80b03a7c405b6f0880a4703c2cb145f3
SHA2560fe452b507b7ae845d2a1012a197cf7af079abc7c5cb71e28e75ecf96d972349
SHA512851dbc763d277fe59ca9673c57f14a48343cbdd48dd4a30f34214109248f76ddb288c35165a0d9303a95015002fdfff88bd9b5abb393fba78f49387f2b1ac384
-
Filesize
7KB
MD52e1bd8dc0ab229c202e41e6b96a84293
SHA1c8c9c74feb002c919515b482970e68034ec46996
SHA256134028b2bdd336c78d263ffafc4d3f4a00bb9207bcd5dbd0f3fe5c3e4d7b9dbe
SHA512932c1946bbe6eb0cd2635be2ec099820fe0cd1bb6102b7e9fa89d9e9a36d8f7a9a7b7ddbacc9807af2657c874e51b15e703ed6732f62dc61fb097760bf6beb36
-
Filesize
6KB
MD50004ba0910d248f341e040fca1ae493a
SHA1f8f48da5e831bc09f1923ce8d773dd221030e7b3
SHA2566913aba761e4a8639016a6100428716984256d20eb4d05493596a880eb40c839
SHA51231c9532acb6e0ae0fd8aed06e7b9bb27df0f4eae91f9ef1bed8889d8a1b83dc2c58de365791f473f151303fc427ec88b1f7fd6d40c14d554e4e63ba5506fa59f
-
Filesize
1KB
MD5fcb2e32bdde4ed49b57204f9d384f670
SHA1eb4bc6f2b9e0fd35a4f66912a45cf49f56396ca6
SHA256b9355d54e300ce251c33de6fad49f2fbc01f0bcad154a96cfd0e20bac24e915e
SHA5127833204045d0889569121cfd64231df4b63ea1e0fa56527a2a1c3fe7936815e9a163d9224c7a5e8be62085c14cd677bee1be17b2958841c45a7957f387fcc0fa
-
Filesize
1KB
MD51f7a5a60bbded2e62c351489a482f61a
SHA1e44c18be688ea8e3942746bc2f9699348a10f15c
SHA25674b2ebe8eb241ee310d2e95f697e8e3d718b6f01686718a11eff64d3ac3f785e
SHA5120171919a3c8ceef3b129e8e5f6851406d6ed9d426252750f8d500c75b3b81a8085ca855c3e15b692c453ce42747a789ccd460a57db9d30e843ea7865af980a8e
-
Filesize
1KB
MD59a6466afd9f2aefcf952513e1bcac34a
SHA18ca7658e808463b78714294e41670dd4e6dfa4df
SHA256065139033cac2ab9aa600db70553db5d507d195cc5cadc7cabd96a7bfd9e5ed9
SHA512f4f395ad9ef16102e6c1f71425af555fceed91672e9507670a54da536415e6b2c8aad15229400cc3177b3f18181ffc7675af8898e2c09d706e93f8e1f7c85367
-
Filesize
532B
MD5f249c4a3bbb9f08bd9d2ac2dfe608b5e
SHA1c3253f9ee8193c6de2118da4fcfdbd2bded1af77
SHA256dc0601366c2ac811427278b3e579e7ad4e52e0c879576f34ee1e57977e86cbaf
SHA5120da89ec321f4ac718e81ec8b36b83b3ea485bab845c32faeb77509b45ff475ef0570c4929b3ef6bd824e4a2dc620532e1a814addd624ebb5eb3277b969855b39
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD51e7a766414f58ffc481621d3b4a46088
SHA1397aa60e1b61772d7b75482de58a40e089bea192
SHA2566d74267938b7754560cb20b653d140bfc690aed1b1afe2f9fc469dac86226f3e
SHA51290f50548f2876677c0020d7e4dff4b152b7120d01244416543b3069c145806aa992a71794551c9c29c6d00bebec36f3908f9095d9cb5292200a44c45cee8d256
-
Filesize
12KB
MD591a1e74a7930e67769654ec3a3983cc5
SHA1ad80d04082ff8723da22f0d5220711b4455a7512
SHA256b1370d1a4c861ffd95361b1fe654878e08877d9262150a95636a4e7892d74533
SHA5129d220bcc8b5bc407a97b840a13de2258bf9400cfeab8bf16ddeeaf965ba934e0adae6bd397904ddbdb8ddadf10c0a52d3e7b4c2dbffa9cb6e65e9785b4c8c3ee
-
Filesize
12KB
MD51788cfa8fd5502cafdccf4345d24fae7
SHA1b2a3016d0f66601fc2674c9a9ec144811170299a
SHA2565e5de00ee6972635a5e59e520215a12d93a3f6a0bb3e0ee2989576edf2a8c6bf
SHA512f5a3c2b73e0b4b3bcece39231fa6dc1fe6e7eec50972a1c36cc436fe445944c3dd14722b727b6abd71572bf32d48642282040369dcf9ba87ec7a96589f010c90
-
Filesize
11KB
MD5c47423ba3025c83ab8d46686f3624926
SHA10f15bffb5b3b56d935c6181fd0618603a4db981b
SHA25634ec816252e3c114a928d94d12937ee47beaa99b5bf5792404c2710d3cbe257e
SHA51294745a3b4967f6d880fcb6c2b6189c35a08e4660a9a182abe6e5c31269b35e021d9032dca8acdf5c80d19ddf8c0cb05269851f83df98aa7bbd56f19cf0b30506
-
Filesize
12KB
MD5ccbf71d8994fe6e8483d041c29197e4d
SHA197db4ed2efbcf8abaaf90a94a772f51996b1c6ad
SHA25652b5aae1138adbd4fdb3d1f30478d6ab507fadf5e64969ef8ce81f895b78d509
SHA51260b268284260d30b1439a2d6a6b68c08fe035c4edb9d28320be8f2cce3c24f373f5dd3694e411699d6fb183b612ea1d23e56f9c0f24bcbd52670ee08363c4bf1
-
Filesize
12KB
MD5c3211faf9c8a4128756d376a5c39dda4
SHA1969bab920bbc64aa1d9919f35674b173dae0f213
SHA2563308f5b68e24cfc6511b7498fbd4698b79b2ee50209739ca98d7b90f03146eea
SHA51288ac9895614c9445a8806636e99f962348e7b680e48752159a3cd1368d00063214feb916a6726b77dcf6273a349eb9ea11385e5d3981cff83e5fc5be27e8e8ac
-
Filesize
192KB
MD5a59379ef677e009d46824c32205a534a
SHA1c3f81b6aa72808a30c91c8ad2cea8f687258159c
SHA256e9668cf230ec7a75947d912be1a60771e97c9f8fd69bfb9ca0724c15e30357a8
SHA512acd20cde461b6c7299898d308ebbb6c5e3d392764fd32662e36a59d5696eeed2b7a86acb989d402d12fd4f6a28a82a6a4c97c1231e37cd345fe9be130a000ea6
-
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\714FC5E1-997D-4960-B392-9201433ACAF4
Filesize168KB
MD51254f09628c6e1cf87e80bec82ffc3f9
SHA1143d0f07877b35d6f65abc2c5758b00f79ec40af
SHA2563841d1d2201066aa98682c6e3b77369e8ac3d610fb957438824bc5b1b2b8f1d5
SHA512641853b95ac208b57bf64dec4c4fe9ef0559858a33fb6d5b883f60fb80252ef30eaa5bb26554284f85e512ef276d6c7626e326ea98e4fcc9fd648498463b574a
-
Filesize
372KB
MD570b5473b312fd9668a64a5c6884f8b49
SHA1f853e17c23ff03ac98e08b215fbd7f038548c3bc
SHA256666459ed16a451d55482fac8108ee0e2dd81029ae4fd4d3d399d23c237aaff02
SHA512493d126a1f5cb8e2c83c8afb99f2d8c5f4dfc91b4c03fa6b27d627aa25a1afd3574273e7ec146854d3b718ef67eb2a8cea658d7ed354270e3487c59b7a44726a
-
Filesize
24KB
MD5a6064fc9ce640751e063d9af443990da
SHA1367a3a7d57bfb3e9a6ec356dfc411a5f14dfde2a
SHA2565f72c11fd2fa88d8b8bfae1214551f8d5ee07b8895df824fa717ebbcec118a6c
SHA5120e42dd8e341e2334eda1e19e1a344475ed3a0539a21c70ba2247f480c706ab8e2ff6dbeb790614cbde9fb547699b24e69c85c54e99ed77a08fe7e1d1b4b488d0
-
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
Filesize2KB
MD5cb99971711337adfd9fcebe170028aa9
SHA1c6e7ebfc4d7a37988e31d4c432a131ccf50da0c0
SHA256b98a4af75c99a74821f257e8d38be73e3afda1d98b1151ecaf38d2f59dabb7d5
SHA5128c69bd16b84f00db7603cd3537a4df35bd8d1ae13b0f669b116b684a7c976c83742403f7bf4889c4bc9a984c2df0bd7d1d16af6e79b817bcd6e31347d0a2d330
-
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\9cd93bc6dcf544bae69531052e64647ec02f2bb4.tbres
Filesize4KB
MD5889f7dd41f8ba326ed384bfaecf620b4
SHA106d3e159a00e5368dc9e610c0f7e13887eadad13
SHA25693caac145f05bb1295a9e4f7d19d7ab92b38e3b49a9952aa5ee31280fba8ae67
SHA512909d94cd6dff4f434019728c3a9efd8c6b8654a22d18917edfd22b54cd2776216f38d730bba37d94363b366a03c24d7dc35048f079541851c4b203f17be74b6b
-
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\f3df91c436730d7a37c58d5f25d9bf4a56fa3a34.tbres
Filesize4KB
MD512485d08b08ecf526b7f4f637b6f1515
SHA1dbebe6a941037b4fa9b7fc9165a5e04c992052af
SHA256b7c608256e3e351d13a85166c6f2b9a23f1903987980785952ecf424f3911dde
SHA512de9817d250787ec23fb640d7946284463ecec9098c80c9c56f708e1d90c3419e6cae04abf3fa4df39c5ae5ca1a8ff2148396166fe514e73ca824eab0c5eb965e
-
Filesize
3KB
MD5d02de115fb6ec8b2c1663e5f098de10d
SHA16565458a34881340ecf9cd4141c93803735e34bc
SHA256a41812c36f3c0c598fce30b4588cf26aa6da95b5c69bfe08453dcfe96bb4d9db
SHA512fd349c7e7f7cebd480f162437044a1d61d91d2670879183a53eaec939f55a5604d72018758af2fa4b35c45e01bd26264793efc43111bf068162a9c3bf27cfa08
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1KB
MD5fac1c510b6da263abf93b19e16d36618
SHA1354c6d7b73f5d383a0acc1d35e7b6491ae243d67
SHA25693cb62dbd9997b9cf0524db45960903fc8ee08f18f32af122c176c03ab08dfcd
SHA512614f2846ed6e00dd512b4d875a7e497229886f3504e66fefd8ffe33b5bbe74e969a380e7da98fe233dcac5ff4618fcbd088690ca8c612e08543b8c1afc24e7f9
-
Filesize
231B
MD500848049d4218c485d9e9d7a54aa3b5f
SHA1d1d5f388221417985c365e8acaec127b971c40d0
SHA256ffeafbb8e7163fd7ec9abc029076796c73cd7b4eddaeeda9ba394c547419769e
SHA5123a4874a5289682e2b32108740feea586cb9ccdad9ca08bf30f67c9742370c081ad943ea714f08dbf722f9f98f3b0bb307619a8ba47f96b24301c68b0fd1086d9
-
Filesize
1KB
MD5ed8e148e6142e420c9c2e595063b682d
SHA14b7f3750a89e6e7b9a814bf9aeb3d280c801bf3d
SHA256f469b9ae80947ff0ace3e3b5b9a2a12454b0742561cccc2b602b4404ba643b26
SHA512d8b3a130662b10dac5454cd3f421e802ad0620fcab24ad668d8d0a081bba0fd4175398b9e26314b8d8ab4b5bb1b9462bbec54f9178c8c72b409195016d16371c
-
Filesize
4KB
MD5d6010ff55c2c7c7a91984413ac4eaa0a
SHA1bd7e4f6aad9aa40b656846e98c7a1c7424786475
SHA256 a4343e59e69b59f9f60015c63407b6b112ebcde4f16819b64bee035ee13b1774
SHA512 d39be605eee44b1a9f1f44d44b28765702be04a17a40eef300aebb0930c3496ff95a73ad3d866671020fee8598155a56ce4aa15cdb07b836490e2be7cfc4039a
-
Filesize 978B
MD5 099d3236c299bdee7d36e146a96e1d27
SHA1 6af25e853ba305eea38e392404718a806e0c7cea
SHA256 d0808e46fa15efea9f268088e06eb8456913578c3d03bcd56581538990a5a1e1
SHA512 b3356b7066f20a238bc3e46c94076fb3b5a9755786b392b5057abe674cc489adb36118b080fdb6d3f88ddf98ccf040905a037de87b8ba938616975c5fe917aa6
-
Filesize 283B
MD5 0865b635e8f700d55551136539ae466f
SHA1 dd647d5963c2ea90a758dd62cf51fb28e2ad41fb
SHA256 acf9801adae17b185ba75741ab7101a61d91f05b521a5e823ca69cc32ab4ca52
SHA512 f301e013a0c2bd7e7d4bbd911c6a37b655141fca28408bbfcc7a7c1b362b190a6c2a702ab7c6eea1b1c5896432b348b90534fbf258a28429881756e30bc10670
-
Filesize 9.4MB
MD5 6450e55fec9ab6fd5abd293059765617
SHA1 c786b2d7b7e5bef55abf110c19a49945ac5ce5f2
SHA256 fed73aee20b8b545cc9821021f0acd5b05e70ac7dcf33aaabc2cc042db44913b
SHA512 1087ae9d08fe847ca145333edb25617b3258728f4d5efcfc3bab6d292f0b82b31173590978b3d5d5a89f66f3f676a50fb661b7d5d0996e1ed78d5cdd3b6be106
-
Filesize 304B
MD5 781602441469750c3219c8c38b515ed4
SHA1 e885acd1cbd0b897ebcedbb145bef1c330f80595
SHA256 81970dbe581373d14fbd451ac4b3f96e5f69b79645f1ee1ca715cff3af0bf20d
SHA512 2b0a1717d96edb47bdf0ffeb250a5ec11f7d0638d3e0a62fbe48c064379b473ca88ffbececb32a72129d06c040b107834f1004ccda5f0f35b8c3588034786461
-
Filesize 504B
MD5 6a320314e722ced036114daf8e077201
SHA1 3d3a6a37f3c6836c65aa93ab2e1abcfcf4405ef6
SHA256 a155fd48274646664f573990392b666dd4dbb3ae89f9208e10ca5a0bfdf542fa
SHA512 97220c3b7fb21385f6f852e7950e103f4706f6d0d67ed08622edd83f14eeee8b6e7145650036545618fba4ea0be9cca723963dff3a39cb9f36c115d4808d8ec1
-
Filesize 94KB
MD5 7b37c4f352a44c8246bf685258f75045
SHA1 817dacb245334f10de0297e69c98b4c9470f083e
SHA256 ec45f6e952b43eddc214dba703cf7f31398f3c9f535aad37f42237c56b9b778e
SHA512 1e8d675b3c6c9ba257b616da268cac7f1c7a9db12ffb831ed5f8d43c0887d711c197ebc9daf735e3da9a0355bf21c2b29a2fb38a46482a2c5c8cd5628fea4c02
-
C:\Users\Admin\Downloads\@[email protected]
Filesize 933B
MD5 7a2726bb6e6a79fb1d092b7f2b688af0
SHA1 b3effadce8b76aee8cd6ce2eccbb8701797468a2
SHA256 840ab19c411c918ea3e7526d0df4b9cb002de5ea15e854389285df0d1ea9a8e5
SHA512 4e107f661e6be183659fdd265e131a64cce2112d842226305f6b111d00109a970fda0b5abfb1daa9f64428e445e3b472332392435707c9aebbfe94c480c72e54
-
C:\Users\Admin\Downloads\@[email protected]
Filesize 240KB
MD5 7bf2b57f2a205768755c07f238fb32cc
SHA1 45356a9dd616ed7161a3b9192e2f318d0ab5ad10
SHA256 b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25
SHA512 91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9
-
Filesize 3.0MB
MD5 fe7eb54691ad6e6af77f8a9a0b6de26d
SHA1 53912d33bec3375153b7e4e68b78d66dab62671a
SHA256 e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb
SHA512 8ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f
-
Filesize 3.4MB
MD5 84c82835a5d21bbcf75a61706d8ab549
SHA1 5ff465afaabcbf0150d1a3ab2c2e74f3a4426467
SHA256 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
SHA512 90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244
-
Filesize 37KB
MD5 35c2f97eea8819b1caebd23fee732d8f
SHA1 e354d1cc43d6a39d9732adea5d3b0f57284255d2
SHA256 1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e
SHA512 908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf
-
C:\Users\Default\Desktop\@[email protected]
Filesize 1.4MB
MD5 c17170262312f3be7027bc2ca825bf0c
SHA1 f19eceda82973239a1fdc5826bce7691e5dcb4fb
SHA256 d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa
SHA512 c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c
-
Filesize 567B
MD5 a660422059d953c6d681b53a6977100e
SHA1 0c95dd05514d062354c0eecc9ae8d437123305bb
SHA256 d19677234127c38a52aec23686775a8eb3f4e3a406f4a11804d97602d6c31813
SHA512 26f8cf9ac95ff649ecc2ed349bc6c7c3a04b188594d5c3289af8f2768ab59672bc95ffefcc83ed3ffa44edd0afeb16a4c2490e633a89fce7965843674d94b523
-
Filesize 25KB
MD5 d0cfc204ca3968b891f7ce0dccfb2eda
SHA1 56dad1716554d8dc573d0ea391f808e7857b2206
SHA256 e3940266b4368c04333db89804246cb89bf2073626f22b8de72bea27c522282a
SHA512 4d2225b599ad8af8ba8516f12cfddca5ec0ce69c5c80b133a6a323e9aaf5e0312efbcfa54d2e4462a5095f9a7c42b9d5b39f3204e0be72c3b1992cf33b22087c
-
Filesize 53KB
MD5 c912faa190464ce7dec867464c35a8dc
SHA1 d1c6482dad37720db6bdc594c4757914d1b1dd70
SHA256 3891846307aa9e83bca66b13198455af72af45bf721a2fbd41840d47e2a91201
SHA512 5c34352d36459fd8fcda5b459a2e48601a033af31d802a90ed82c443a5a346b9480880d30c64db7ad0e4a8c35b98c98f69eceedad72f2a70d9c6cca74dce826a
-
Filesize 2KB
MD5 0c75ae5e75c3e181d13768909c8240ba
SHA1 288403fc4bedaacebccf4f74d3073f082ef70eb9
SHA256 de5c231c645d3ae1e13694284997721509f5de64ee5c96c966cdfda9e294db3f
SHA512 8fc944515f41a837c61a6c4e5181ca273607a89e48fbf86cf8eb8db837aed095aa04fc3043029c3b5cb3710d59abfd86f086ac198200f634bfb1a5dd0823406b
-
Filesize 5KB
MD5 380768979618b7097b0476179ec494ed
SHA1 af2a03a17c546e4eeb896b230e4f2a52720545ab
SHA256 0637af30fc3b3544b1f516f6196a8f821ffbfa5d36d65a8798aeeadbf2e8a7c2
SHA512 b9ef59e9bfdbd49052a4e754ead8cd54b77e79cc428e7aee2b80055ff5f0b038584af519bd2d66258cf3c01f8cc71384f6959ee32111eac4399c47e1c2352302
-
Filesize 163KB
MD5 0606098a37089bdc9d644dee1cc1cd78
SHA1 cadae9623a27bd22771bab9d26b97226e8f2318b
SHA256 284a7a8525b1777bdbc194fa38d28cd9ee91c2cbc7856f5968e79667c6b62a9d
SHA512 0711e2fef9fde17b87f3f6af1442bd46b4c86bb61c8519548b89c7a61dfcf734196ddf2d90e586d486a3b33f672a99379e8205c240bd4bcb23625ffb22936443
-
Filesize 478KB
MD5 580dc3658fa3fe42c41c99c52a9ce6b0
SHA1 3c4be12c6e3679a6c2267f88363bbd0e6e00cac5
SHA256 5b7aa413e4a64679c550c77e6599a1c940ee947cbdf77d310e142a07a237aad2
SHA512 68c52cd7b762b8f5d2f546092ed9c4316924fa04bd3ab748ab99541a8b4e7d9aec70acf5c9594d1457ad3a2f207d0c189ec58421d4352ddbc7eae453324d13f2
-
Filesize 17KB
MD5 44c4385447d4fa46b407fc47c8a467d0
SHA1 41e4e0e83b74943f5c41648f263b832419c05256
SHA256 8be175e8fbdae0dade54830fece6c6980d1345dbeb4a06c07f7efdb1152743f4
SHA512 191cd534e85323a4cd9649a1fc372312ed4a600f6252dffc4435793650f9dd40d0c0e615ba5eb9aa437a58af334146aac7c0ba08e0a1bf24ec4837a40f966005
-
Filesize 6KB
MD5 9158b8074ec2142574cc0ad05025eb1e
SHA1 1f6cc2b002b25babf13292315054d0b85c3642e6
SHA256 1f6326ba87a62953e8be07b8c4b0b9ee2186daf020619ed5bc5f5313c59403ad
SHA512 be652f4ce76944bb10e47f221b4495c890df29033e560e5cfddcc1e8af23a40b0e3b63840617e2e5859f8d698fea09951df20f9948a697d9111027c4556e467c