Analysis

max time kernel: 670s
max time network: 673s
platform: windows11-21h2_x64
resource: win11-20240709-en
resource tags: arch:x64, arch:x86, image:win11-20240709-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 18-07-2024 14:09

Static task: static1
Behavioral task: behavioral1
Sample: S1_E2_animation OG.txt
Resource: win11-20240709-en
Errors:

General
Target: S1_E2_animation OG.txt
Size: 3KB
MD5: a306a7a50aa416c57cddef28ad6f85e8
SHA1: 740abe46c4c4fd8ed03942ab76aba8eb7953124b
SHA256: cd0f51bb462adbc4295c75acada5f398b8f044ffb04f14796cf3b95a4b94ad8e
SHA512: c2f0b9d30a9036d73f6678e7b59daaeaa2395731df34c6ed274261f2a7ca3f0a812d2fb4e08bfd4d98630b5248dd28e87df8daaf5ba391fed51b11dafd4302ec

Note: the submitted target is a 3KB text file. The behavioural findings below are attributed to three executables observed during the run: Annabelle.exe (launched from C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\), CoronaVirus.exe and {34184A33-0407-212E-3320-09040709E2C2}.exe. When reading the signatures, keep track of which process produced each IoC; they are three separate families, not one sample.
Malware Config
Signatures
-
CryptoLocker
Ransomware family with multiple variants.
-
Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes: Annabelle.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\Downloads\\The-MALWARE-Repo-master\\The-MALWARE-Repo-master\\Ransomware\\Annabelle.exe" | Annabelle.exe
The Winlogon Shell value is normally explorer.exe. Pointing it at the sample makes the ransomware the user's desktop shell at every logon, so the machine shows only the ransomware UI until the value is restored.
-
Disables Windows Defender real-time monitoring via registry modification
Processes: Annabelle.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | Annabelle.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | Annabelle.exe
Defender may ignore this policy value while Tamper Protection is enabled; the write itself is still a high-confidence indicator.
-
Disables UAC via registry modification
Processes: Annabelle.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Annabelle.exe
EnableLUA = 0 takes effect at the next reboot; afterwards administrators receive no elevation prompts and every process they start runs with the full token.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (592) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Disables RegEdit via registry modification 2 IoCs
Processes: Annabelle.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Annabelle.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2087971895-212656400-463594913-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Annabelle.exe
-
Disables Task Manager via registry modification
-
Disables use of System Restore points 1 TTPs
-
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
Processes: Annabelle.exe
All 64 entries are written by Annabelle.exe under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ (prefix omitted below). When an IFEO Debugger value is set, Windows starts the named debugger with the target as its argument; "RIP" is not a real program, so every launch of the listed binary simply fails. Here the technique is used to lock the user out of task managers, registry and policy editors, browsers, recovery tools and the command line, not to gain execution.
description | ioc
Key created | url.dll
Set value (str) | control.exe\Debugger = "RIP"
Key created | taskmgr.exe
Key created | microsoftedge.exe
Set value (str) | microsoftedge.exe\Debugger = "RIP"
Key created | sethc.exe
Set value (str) | mpg4dmod.dll\Debugger = "RIP"
Set value (str) | chkdsk.exe\Debugger = "RIP"
Key created | rasman.dll
Set value (str) | shellstyle.dll\Debugger = "RIP"
Key created | msconfig.exe
Set value (str) | notepad++.exe\Debugger = "RIP"
Key created | Autoruns64.exe
Set value (str) | rundll32.exe\Debugger = "RIP"
Key created | cabinet.dll
Set value (str) | DCIMAN32.exe\Debugger = "RIP"
Key created | chrome.exe
Set value (str) | MSASCuiL.exe\Debugger = "RIP"
Key created | taskkill.exe
Set value (str) | attrib.exe\Debugger = "RIP"
Key created | microsoftedgecp.exe
Key created | MSASCuiL.exe
Key created | logoff.exe
Key created | shellstyle.dll
Set value (str) | Autoruns.exe\Debugger = "RIP"
Key created | bcdedit.exe
Set value (str) | dllhost.exe\Debugger = "RIP"
Set value (str) | DBGHELP.exe\Debugger = "RIP"
Set value (str) | ksuser.dll\Debugger = "RIP"
Key created | Autoruns.exe
Key created | secpol.msc
Set value (str) | webcheck.dll\Debugger = "RIP"
Set value (str) | wmplayer.exe\Debugger = "RIP"
Key created | recoverydrive.exe
Key created | control.exe
Key created | mmc.exe
Key created | UserAccountControlSettings.exe
Set value (str) | UserAccountControlSettings.exe\Debugger = "RIP"
Key created | rundll.exe
Key created | DCIMAN32.exe
Set value (str) | yandex.exe\Debugger = "RIP"
Set value (str) | usbui.dll\Debugger = "RIP"
Set value (str) | msconfig.exe\Debugger = "RIP"
Key created | cmd.exe
Set value (str) | opera.exe\Debugger = "RIP"
Set value (str) | Autoruns64.exe\Debugger = "RIP"
Key created | mydocs.dll
Set value (str) | iexplore.exe\Debugger = "RIP"
Set value (str) | bcdedit.exe\Debugger = "RIP"
Set value (str) | sethc.exe\Debugger = "RIP"
Key created | rundll32.exe
Key created | usbui.dll
Set value (str) | secpol.msc\Debugger = "RIP"
Set value (str) | cmd.exe\Debugger = "RIP"
Key created | notepad++.exe
Set value (str) | gpedit.msc\Debugger = "RIP"
Set value (str) | rundll.exe\Debugger = "RIP"
Key created | DBGHELP.exe
Key created | attrib.exe
Key created | mspaint.exe
Set value (str) | cabinet.dll\Debugger = "RIP"
Set value (str) | notepad.exe\Debugger = "RIP"
Set value (str) | mmc.exe\Debugger = "RIP"
Key created | systemexplorer.exe
-
Modifies Windows Firewall 2 TTPs 1 IoCs
Processes: NetSh.exe
pid | process
12452 | NetSh.exe
-
Deletes itself 1 IoCs
Processes: CoronaVirus.exe
pid | process
2304 | CoronaVirus.exe
-
Drops startup file 5 IoCs
Processes: CoronaVirus.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CoronaVirus.exe | CoronaVirus.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | CoronaVirus.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-4CAA856D.[[email protected]].ncov | CoronaVirus.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-4CAA856D.[[email protected]].ncov | CoronaVirus.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta | CoronaVirus.exe
-
Executes dropped EXE 2 IoCs
Processes: {34184A33-0407-212E-3320-09040709E2C2}.exe
pid | process
1908 | {34184A33-0407-212E-3320-09040709E2C2}.exe
1948 | {34184A33-0407-212E-3320-09040709E2C2}.exe
-
Impair Defenses: Safe Mode Boot 1 TTPs 1 IoCs
Processes: Annabelle.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\MinimalX = "1" | Annabelle.exe
-
Adds Run key to start application 2 TTPs 7 IoCs
Processes: CoronaVirus.exe, Annabelle.exe, {34184A33-0407-212E-3320-09040709E2C2}.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CoronaVirus.exe = "C:\\Windows\\System32\\CoronaVirus.exe" | CoronaVirus.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\"" | CoronaVirus.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\"" | CoronaVirus.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UpdateBackup = "C:\\Users\\Admin\\Downloads\\The-MALWARE-Repo-master\\The-MALWARE-Repo-master\\Ransomware\\Annabelle.exe" | Annabelle.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2087971895-212656400-463594913-1000\Software\Microsoft\Windows\CurrentVersion\Run\UpdateBackup = "C:\\Users\\Admin\\Downloads\\The-MALWARE-Repo-master\\The-MALWARE-Repo-master\\Ransomware\\Annabelle.exe" | Annabelle.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UpdateBackup = "C:\\Users\\Admin\\Downloads\\The-MALWARE-Repo-master\\The-MALWARE-Repo-master\\Ransomware\\Annabelle.exe" | Annabelle.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2087971895-212656400-463594913-1000\Software\Microsoft\Windows\CurrentVersion\Run\CryptoLocker = "C:\\Users\\Admin\\AppData\\Roaming\\{34184A33-0407-212E-3320-09040709E2C2}.exe" | {34184A33-0407-212E-3320-09040709E2C2}.exe
The two Info.hta entries re-display the ransom note at every logon via mshta.exe; the CoronaVirus.exe and UpdateBackup entries restart the encryptors themselves.
-
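The registry IoCs above (Winlogon Shell, the Defender, UAC, RegEdit and SafeBoot policy values, the Run keys and the 64 IFEO Debugger entries) can be checked on a live host with the following read-only audit. It is an added example written for this page, not code from the sandbox or from any of the samples. The policy paths and values are the ones the report shows; the Run-key and IFEO checks are generic and flag any entry of the same shape. Run it elevated in Windows PowerShell 5.1 or PowerShell 7.

```powershell
# Added example (not part of the report): read-only audit for the registry
# artefacts attributed to Annabelle.exe, CoronaVirus.exe and the GUID-named
# exe. Emits one object per finding; nothing is modified.

function New-Finding([string]$Check, [string]$Key, [string]$Name, $Value) {
    [pscustomobject]@{ Check = $Check; Key = $Key; Name = $Name; Value = $Value }
}

function Get-RegValue([string]$Path, [string]$Name) {
    # $null when either the key or the value does not exist
    try { (Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Get-FirstToken([string]$CommandLine) {
    # Program part of a Run/Debugger command: a quoted path, or the text before the first space
    $s = $CommandLine.Trim()
    if ($s.StartsWith('"')) { return ($s -replace '^"([^"]*)".*$', '$1') }
    return ($s -split '\s+')[0]
}

function Resolve-Executable([string]$Token) {
    # Full path the token resolves to (literal path or via PATH), or $null
    if (Test-Path -LiteralPath $Token -PathType Leaf) { return (Resolve-Path -LiteralPath $Token).Path }
    $cmd = Get-Command -Name $Token -CommandType Application -ErrorAction SilentlyContinue | Select-Object -First 1
    if ($cmd) { return $cmd.Path }
    return $null
}

function Invoke-RegistryAudit {
    # 1. Policy values the report shows being flipped; Bad is the tampered value
    $PolicyChecks = @(
        @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'; Name = 'DisableRealtimeMonitoring'; Bad = 1 },
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';        Name = 'EnableLUA';                 Bad = 0 },
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';        Name = 'DisableRegistryTools';      Bad = 1 },
        @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';        Name = 'DisableRegistryTools';      Bad = 1 },
        @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';        Name = 'DisableTaskMgr';            Bad = 1 },
        @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal';                Name = 'MinimalX';                  Bad = 1 }
    )
    foreach ($c in $PolicyChecks) {
        $v = Get-RegValue $c.Path $c.Name
        if ($null -ne $v -and [int]$v -eq $c.Bad) { New-Finding 'policy tampering' $c.Path $c.Name $v }
    }

    # 2. Winlogon Shell: anything but explorer.exe replaces the desktop with the sample
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $shell = Get-RegValue $winlogon 'Shell'
    if ($shell -and $shell.Trim().TrimEnd(',') -ne 'explorer.exe') { New-Finding 'winlogon shell' $winlogon 'Shell' $shell }

    # 3. Run keys: program missing or not validly signed, or a ransom note launched through mshta
    $RunKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    )
    $ProviderProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($k in $RunKeys) {
        if (-not (Test-Path -LiteralPath $k)) { continue }
        foreach ($p in (Get-ItemProperty -LiteralPath $k).PSObject.Properties) {
            if ($p.Name -in $ProviderProps) { continue }
            $cmdline = [string]$p.Value
            $exe = Resolve-Executable (Get-FirstToken $cmdline)
            $signed = $exe -and (Get-AuthenticodeSignature -FilePath $exe).Status -eq 'Valid'
            if (-not $signed -or $cmdline -match '(?i)mshta|\.hta\b') { New-Finding 'run key' $k $p.Name $cmdline }
        }
    }

    # 4. IFEO: a Debugger that does not resolve to a real program (the report shows "RIP")
    #    makes every launch of the target fail
    $Ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    foreach ($sub in (Get-ChildItem -LiteralPath $Ifeo -ErrorAction SilentlyContinue)) {
        $dbg = Get-RegValue $sub.PSPath 'Debugger'
        if (-not $dbg) { continue }
        if (-not (Resolve-Executable (Get-FirstToken $dbg))) { New-Finding 'IFEO debugger' $sub.PSChildName 'Debugger' $dbg }
    }
}

Invoke-RegistryAudit | Sort-Object Check | Format-Table -AutoSize -Wrap
```

Legitimate IFEO Debugger entries (for example a registered just-in-time debugger) point at an existing program and are not reported; kiosk builds with a custom Winlogon Shell will show one expected "winlogon shell" finding. The Run-key check only inspects the current user's HKCU hive; load other users' NTUSER.DAT hives to cover them.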
Drops desktop.ini file(s) 64 IoCs
Processes: CoronaVirus.exe
All entries are "File opened for modification" by CoronaVirus.exe. The list shows the encryptor walking every profile (Admin, Default, Public), ProgramData, both Program Files trees and the Recycle Bin:
C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini
C:\Users\Admin\Pictures\desktop.ini
C:\Users\Admin\Saved Games\desktop.ini
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini
C:\Program Files (x86)\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
C:\Users\Admin\Contacts\desktop.ini
C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini
C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini
C:\Users\Public\desktop.ini
C:\Users\Public\Music\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini
C:\Users\Admin\OneDrive\desktop.ini
C:\Users\Public\AccountPictures\desktop.ini
C:\Users\Public\Libraries\desktop.ini
C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI
C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini
C:\Users\Admin\Desktop\desktop.ini
C:\Users\Admin\Favorites\desktop.ini
C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini
C:\Users\Public\Pictures\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini
C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
C:\$Recycle.Bin\S-1-5-21-2087971895-212656400-463594913-1000\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
C:\Users\Admin\Music\desktop.ini
C:\Users\Public\Documents\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini
C:\Users\Admin\Links\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini
C:\Users\Admin\Pictures\Saved Pictures\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini
C:\Users\Admin\Documents\desktop.ini
C:\Users\Admin\Favorites\Links\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini
C:\Users\Admin\Videos\desktop.ini
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
C:\Users\Public\Downloads\desktop.ini
C:\Program Files\desktop.ini
C:\Users\Admin\Downloads\desktop.ini
C:\Users\Admin\Searches\desktop.ini
C:\Users\Public\Desktop\desktop.ini
C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
-
Drops file in System32 directory 2 IoCs
Processes: CoronaVirus.exe
description | ioc | process
File created | C:\Windows\System32\CoronaVirus.exe | CoronaVirus.exe
File created | C:\Windows\System32\Info.hta | CoronaVirus.exe
-
Drops file in Program Files directory 64 IoCs
Processes: CoronaVirus.exe
All entries by CoronaVirus.exe. Encrypted files receive the suffix .id-4CAA856D.[[email protected]].ncov (original name kept in front of it); entries without the suffix are files the process opened for writing but which do not appear renamed in this list.
description | ioc
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\selection-actions2x.png.id-4CAA856D.[[email protected]].ncov
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\example_icons2x.png.id-4CAA856D.[[email protected]].ncov
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\fr-fr\ui-strings.js.id-4CAA856D.[[email protected]].ncov
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.40831.0_x64__8wekyb3d8bbwe\Assets\AppList.scale-200.png
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.2012.21.0_x64__8wekyb3d8bbwe\Assets\CalculatorAppList.targetsize-16_altform-unplated.png
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarSmallTile.scale-400.png
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\PresentationFramework.resources.dll
File opened for modification | C:\Program Files\Java\jdk-1.8\lib\jvm.lib.id-4CAA856D.[[email protected]].ncov
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\INDUST\INDUST.ELM.id-4CAA856D.[[email protected]].ncov
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\RHP_icons_2x.png.id-4CAA856D.[[email protected]].ncov
File created | C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-localization-l1-2-0.dll.id-4CAA856D.[[email protected]].ncov
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\de-de\ui-strings.js
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-synch-l1-2-0.dll.id-4CAA856D.[[email protected]].ncov
File opened for modification | C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@uifabric\utilities\lib-commonjs\DelayedRender.js
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\MSIPC\hi\msipc.dll.mui
File opened for modification | C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001F-0C0A-1000-0000000FF1CE.xml.id-4CAA856D.[[email protected]].ncov
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\Images\Square44x44Logo.scale-100_contrast-white.png
File opened for modification | C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-amd\Modal.js
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_gridview_selected-hover.svg
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\root\ui-strings.js
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\zh-tw\ui-strings.js.id-4CAA856D.[[email protected]].ncov
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\access\libsftp_plugin.dll.id-4CAA856D.[[email protected]].ncov
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ComponentModel.Primitives.dll.id-4CAA856D.[[email protected]].ncov
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Linq.dll.id-4CAA856D.[[email protected]].ncov
File opened for modification | C:\Program Files\WindowsApps\Microsoft.People_10.1909.12456.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PeopleAppList.targetsize-30_altform-unplated.png
File opened for modification | C:\Program Files\WindowsApps\Microsoft.PowerAutomateDesktop_1.0.65.0_neutral_split.scale-100_8wekyb3d8bbwe\Images\contrast-black\PowerAutomateWide310x150Logo.scale-100.png
File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.21012.10511.0_x64__8wekyb3d8bbwe\EntSyncFx.dll
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\sw\LC_MESSAGES\vlc.mo.id-4CAA856D.[[email protected]].ncov
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\README.txt.id-4CAA856D.[[email protected]].ncov
File created | C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ef8c08_256x240.png.id-4CAA856D.[[email protected]].ncov
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Windows.Photos_21.21030.25003.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.2103.1172.0_x64__8wekyb3d8bbwe\Assets\contrast-black\FeedbackHubAppList.targetsize-72_altform-lightunplated.png
File created | C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019MSDNR_Retail-ul-phn.xrm-ms.id-4CAA856D.[[email protected]].ncov
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_MAK_AE-ppd.xrm-ms.id-4CAA856D.[[email protected]].ncov
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\MSIPC\sr-Cyrl-RS\msipc.dll.mui.id-4CAA856D.[[email protected]].ncov
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Cartridges\sql2000.xsl.id-4CAA856D.[[email protected]].ncov
File opened for modification | C:\Program Files\Microsoft Office\root\rsod\powerpointmui.msi.16.en-us.boot.tree.dat
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\WindowsFormsIntegration.resources.dll
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_export_18.svg.id-4CAA856D.[[email protected]].ncov
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\da-dk\ui-strings.js.id-4CAA856D.[[email protected]].ncov
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\microsoft_apis.dll.id-4CAA856D.[[email protected]].ncov
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\ko-KR\tipresx.dll.mui
File opened for modification | C:\Program Files\Microsoft Office\root\Integration\C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\WORD_WHATSNEW.XML.id-4CAA856D.[[email protected]].ncov
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Getstarted_10.2.41172.0_x64__8wekyb3d8bbwe\Assets\TipsAppList.targetsize-72_altform-unplated_contrast-black.png
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\hu-hu\ui-strings.js.id-4CAA856D.[[email protected]].ncov
File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Glow Edge.eftx
File created | C:\Program Files\Microsoft Office\root\Office16\BORDERS\MSART15.BDR.id-4CAA856D.[[email protected]].ncov
File created | C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL078.XML.id-4CAA856D.[[email protected]].ncov
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\new_icons.png.id-4CAA856D.[[email protected]].ncov
File created | C:\Program Files\Java\jre-1.8\lib\deploy\messages_zh_HK.properties.id-4CAA856D.[[email protected]].ncov
File created | C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_MAK_AE-ul-phn.xrm-ms.id-4CAA856D.[[email protected]].ncov
File created | C:\Program Files\VideoLAN\VLC\plugins\demux\libpva_plugin.dll.id-4CAA856D.[[email protected]].ncov
File opened for modification | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.Web.Abstractions.dll
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\es-es\ui-strings.js.id-4CAA856D.[[email protected]].ncov
File opened for modification | C:\Program Files\7-Zip\Lang\tr.txt.id-4CAA856D.[[email protected]].ncov
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.it-it.dll
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\COMPASS\THMBNAIL.PNG.id-4CAA856D.[[email protected]].ncov
File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\contrast-white\Logo.scale-200_contrast-white.png
File opened for modification | C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@uifabric\utilities\lib-commonjs\customizations\mergeCustomizations.js
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\nl-nl\ui-strings.js
File created | C:\Program Files\Java\jdk-1.8\jre\bin\gstreamer-lite.dll.id-4CAA856D.[[email protected]].ncov
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioStd2019R_OEM_Perp-pl.xrm-ms.id-4CAA856D.[[email protected]].ncov
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\MSOSTYLE.DLL.id-4CAA856D.[[email protected]].ncov
-
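The file-system side of the CoronaVirus.exe activity (the "Renames multiple (592) files", "Drops startup file", "Drops file in System32" and "Drops file in Program Files" signatures) can be scoped on a live host with the following read-only scan. It is an added example for this page, not code from the sandbox or the sample. The suffix pattern is the one visible above, ".id-<8 hex>.[<contact>].ncov"; the contact address inside the brackets is masked in the report, so the regex accepts any bracketed text, and the drop paths are the ones the report lists, rebased onto the current user's profile.

```powershell
# Added example (not part of the report): enumerate files renamed with the
# Dharma-style suffix this run produced and check the ransom-note / executable
# drop locations the report lists. Read-only; run elevated so every profile and
# both Program Files trees are readable.

# Named groups recover the original file name and the per-victim id from the suffix
$RenamePattern = '^(?<orig>.+)\.id-(?<id>[0-9A-F]{8})\.\[(?<contact>[^\]]+)\]\.(?<ext>ncov)$'

function Find-RenamedFiles {
    param(
        [string[]]$Roots = @("$env:SystemDrive\Users", $env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:ProgramData)
    )
    foreach ($root in $Roots) {
        if (-not $root -or -not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Recurse -File -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                # Match and read $Matches in the same script block so the groups are in scope
                if ($_.Name -match $RenamePattern) {
                    [pscustomobject]@{
                        Path         = $_.FullName
                        OriginalName = $Matches.orig
                        VictimId     = $Matches.id
                        Contact      = $Matches.contact
                        LastWriteUtc = $_.LastWriteTimeUtc
                    }
                }
            }
    }
}

function Get-RenameSummary([object[]]$Renamed) {
    # One row per victim id: file count, distinct directories, first and last write time
    $Renamed | Group-Object VictimId | ForEach-Object {
        $ordered = $_.Group | Sort-Object LastWriteUtc
        [pscustomobject]@{
            VictimId    = $_.Name
            Files       = $_.Count
            Contacts    = ($_.Group.Contact | Sort-Object -Unique) -join ','
            Directories = ($_.Group | ForEach-Object { Split-Path -Parent $_.Path } | Sort-Object -Unique).Count
            FirstWrite  = $ordered[0].LastWriteUtc
            LastWrite   = $ordered[-1].LastWriteUtc
        }
    }
}

function Test-DropLocations {
    # Paths from the report's startup-folder, System32 and Run-key IoCs, for the current user
    $startup = Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Startup'
    $paths = @(
        (Join-Path $startup 'CoronaVirus.exe'),
        (Join-Path $startup 'Info.hta'),
        (Join-Path $env:SystemRoot 'System32\CoronaVirus.exe'),
        (Join-Path $env:SystemRoot 'System32\Info.hta'),
        (Join-Path $env:APPDATA 'Info.hta'),
        (Join-Path $env:APPDATA '{34184A33-0407-212E-3320-09040709E2C2}.exe')
    )
    foreach ($p in $paths) {
        [pscustomobject]@{ Path = $p; Present = (Test-Path -LiteralPath $p -PathType Leaf) }
    }
}

$renamed = @(Find-RenamedFiles)
"Renamed files found: $($renamed.Count)"
Get-RenameSummary $renamed | Format-Table -AutoSize
Test-DropLocations | Where-Object Present | Format-Table -AutoSize
```

The per-victim-id summary is what you want before touching anything: one id with a tight FirstWrite/LastWrite window is a single run, two ids or two contact strings mean two separate infections. The drop-location check only covers the profile of the user running the script; repeat it per profile under C:\Users.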
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is the command-line utility for changing a system's network configuration. On every start it opens HKLM\SOFTWARE\Microsoft\NetSh and enumerates its values to find the helper DLLs it must load, which is exactly what the three read-only registry operations below record; here they are a side effect of Annabelle.exe running NetSh Advfirewall set allprofiles state off (see the process tree). Real helper-DLL persistence (T1546.007) registers a new value under that key, and no such write appears in this report.
Processes:
NetSh.exe
description  ioc  process
Key opened  \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  NetSh.exe
Key queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  NetSh.exe
Key value enumerated  \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh  NetSh.exe
-
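Since netsh always enumerates this key, the useful check on a host is whether anything other than the stock helpers is registered there. The following is an added example written for this page, not code from the report or from the sandbox. The baseline allowlist is an assumption about a current Windows 10/11 build and should be snapshotted from a known-good image rather than trusted as-is; the planted "updhelper" entry in the sample is constructed and does not appear in the report.

```python
"""Audit netsh helper DLL registrations (HKLM\\SOFTWARE\\Microsoft\\NetSh).

Added example, not part of the sandbox report. Each value under the key
maps a helper name to a DLL that netsh.exe loads on start-up. Stock entries
are bare file names resolved from System32, so an explicit path or an
unknown name is the persistence signal (T1546.007).
"""
import re
import sys

# Assumed baseline of stock helper values (example allowlist; snapshot your
# own image rather than trusting this list blindly). Names and DLLs are
# compared case-insensitively.
BASELINE_HELPERS = {
    "authfwcfg": "authfwcfg.dll",
    "dhcpclient": "dhcpcmonitor.dll",
    "fwcfg": "fwcfg.dll",
    "hnetmon": "hnetmon.dll",
    "ifmon": "ifmon.dll",
    "netiohlp": "netiohlp.dll",
    "nettrace": "nettrace.dll",
    "nshhttp": "nshhttp.dll",
    "nshipsec": "nshipsec.dll",
    "nshwfp": "nshwfp.dll",
    "p2pnetsh": "p2pnetsh.dll",
    "peerdistsh": "peerdistsh.dll",
    "rasmontr": "rasmontr.dll",
    "rpc": "rpcnsh.dll",
    "wcnnetsh": "wcnnetsh.dll",
    "whhelper": "whhelper.dll",
    "winsock": "wshelper.dll",
    "wlancfg": "wlancfg.dll",
    "wwancfg": "wwancfg.dll",
}

# A drive letter, path separator or environment variable means "not a bare name".
_PATHY = re.compile(r"[\\/:]|%")


def audit_netsh_helpers(registered):
    """Return [(helper_name, dll, reason)] for every suspicious registration.

    `registered` is {value_name: dll_string} as read from the NetSh key.
    """
    findings = []
    for name, dll in registered.items():
        key = name.lower()
        val = dll.strip().strip('"').lower()
        if _PATHY.search(val):
            # Stock helpers are registered as bare names found in System32;
            # an explicit path (Temp, AppData, ProgramData, ...) is the
            # classic planted-helper pattern.
            findings.append((name, dll, "helper registered with an explicit path"))
        elif key not in BASELINE_HELPERS:
            findings.append((name, dll, "helper name not in baseline"))
        elif BASELINE_HELPERS[key] != val:
            findings.append((name, dll, "baseline helper points at a different DLL"))
    return findings


def read_netsh_key():
    """Read the live key on Windows; returns {} elsewhere so the module imports anywhere."""
    if sys.platform != "win32":
        return {}
    import winreg  # Windows-only module
    out = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SOFTWARE\Microsoft\NetSh") as k:
        i = 0
        while True:
            try:
                name, value, _ = winreg.EnumValue(k, i)
            except OSError:
                break
            out[name] = str(value)
            i += 1
    return out


# Constructed sample: the stock entries plus one planted helper (not from the report).
SAMPLE_KEY = dict(BASELINE_HELPERS)
SAMPLE_KEY["updhelper"] = r"C:\Users\Admin\AppData\Roaming\updhelper.dll"

if __name__ == "__main__":
    for name, dll, why in audit_netsh_helpers(read_netsh_key() or SAMPLE_KEY):
        print(f"SUSPICIOUS  {name} -> {dll}  ({why})")
```

On a live host run it elevated so the HKLM key is readable; on anything but Windows it falls back to the constructed sample, which is enough to see the three findings the function can return.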
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
msedge.exe
description  ioc  process
Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS  msedge.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  msedge.exe
-
Interacts with shadow copies 3 TTPs 5 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exe (5 instances)
pid  process
7772  vssadmin.exe
8360  vssadmin.exe
10856  vssadmin.exe
4520  vssadmin.exe
7336  vssadmin.exe
-
Modifies data under HKEY_USERS 15 IoCs
Processes:
LogonUI.exe
description  ioc  process
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"  LogonUI.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"  LogonUI.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"  LogonUI.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"  LogonUI.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"  LogonUI.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"  LogonUI.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"  LogonUI.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"  LogonUI.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"  LogonUI.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent  LogonUI.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM  LogonUI.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "8"  LogonUI.exe
Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00  LogonUI.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History  LogonUI.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"  LogonUI.exe
-
Modifies registry class 2 IoCs
Processes:
msedge.exe, cmd.exe
description  ioc  process
Key created  \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2087971895-212656400-463594913-1000\{56C0E6D7-6F1D-42EE-ADFC-A2A4BB7AAE17}  msedge.exe
Key created  \REGISTRY\USER\S-1-5-21-2087971895-212656400-463594913-1000_Classes\Local Settings  cmd.exe
-
NTFS ADS 2 IoCs
Processes:
msedge.exe, CryptoLocker.exe
description  ioc  process
File opened for modification  C:\Users\Admin\Downloads\The-MALWARE-Repo-master.zip:Zone.Identifier  msedge.exe
File created  C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe\:Zone.Identifier:$DATA  CryptoLocker.exe
-
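Both rows are the same NTFS alternate data stream, Zone.Identifier, seen from two ends: Edge writes it onto the downloaded zip so that SmartScreen, Explorer and Office Protected View know the file came from the Internet zone (the Mark-of-the-Web), and the sandbox then records a Zone.Identifier stream being created on the copy CryptoLocker.exe drops under AppData\Roaming. Whether the executables extracted from such a zip keep the mark depends on the extractor, which is one reason a browser-downloaded archive can still yield unmarked binaries. The following parser is an added example written for this page, not code from the report or the sandbox; the sample stream text and its URLs are constructed, since the report shows only the stream's existence, not its contents.

```python
"""Parse an NTFS Zone.Identifier stream (Mark-of-the-Web).

Added example, not part of the sandbox report. The stream is a small
INI-style text with a [ZoneTransfer] section; ZoneId is a URLZONE value.
On Windows it is reachable as '<file>:Zone.Identifier'; the parser works
on the stream's text so it runs anywhere.
"""
import sys

# URLZONE values from urlmon.h
ZONE_NAMES = {
    0: "Local Machine",
    1: "Local Intranet",
    2: "Trusted Sites",
    3: "Internet",
    4: "Restricted Sites",
}


def parse_zone_identifier(text):
    """Return the [ZoneTransfer] fields with ZoneId as int, or None if absent/malformed."""
    section = None
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "zonetransfer" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        fields[key.strip()] = value.strip()
    if "ZoneId" not in fields:
        return None
    try:
        fields["ZoneId"] = int(fields["ZoneId"])
    except ValueError:
        return None
    return fields


def is_marked_internet(info):
    """True when the zone is one that triggers MotW protections (Internet or Restricted)."""
    return info is not None and info["ZoneId"] >= 3


def read_stream(path):
    """Windows only: read '<path>:Zone.Identifier'; None when the file has no stream."""
    if sys.platform != "win32":
        raise OSError("alternate data streams are an NTFS feature; run this on Windows")
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except FileNotFoundError:
        return None


# Constructed sample of what a browser writes for a download. The URLs are
# placeholders; the report does not show the stream's contents.
SAMPLE_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://example.invalid/The-MALWARE-Repo\r\n"
    "HostUrl=https://example.invalid/The-MALWARE-Repo-master.zip\r\n"
)

if __name__ == "__main__":
    info = parse_zone_identifier(SAMPLE_STREAM)
    print(info, ZONE_NAMES.get(info["ZoneId"]), "marked:", is_marked_internet(info))
```

The path form the sandbox prints, "<file>\:Zone.Identifier:$DATA", is the native NTFS stream name (stream "Zone.Identifier", type $DATA); the "<file>:Zone.Identifier" form used by read_stream is the same stream as opened through the Win32 path syntax.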
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
msedge.exe, identity_helper.exe, CoronaVirus.exe
pid  process  (64 rows; repeated rows collapsed with a count)
3944  msedge.exe  (x2)
248  msedge.exe  (x2)
4712  msedge.exe  (x2)
4944  identity_helper.exe  (x2)
2276  msedge.exe  (x2)
3856  msedge.exe  (x4)
3420  msedge.exe  (x2)
2304  CoronaVirus.exe  (x48)
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs
Processes:
msedge.exe
pid  process  (13 rows; repeated rows collapsed with a count)
248  msedge.exe  (x13)
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
Fantom.exe, vssvc.exe, shutdown.exe
description  pid  process
Token: SeDebugPrivilege  1632  Fantom.exe
Token: SeBackupPrivilege  7324  vssvc.exe
Token: SeRestorePrivilege  7324  vssvc.exe
Token: SeAuditPrivilege  7324  vssvc.exe
Token: SeShutdownPrivilege  22624  shutdown.exe
Token: SeRemoteShutdownPrivilege  22624  shutdown.exe
-
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
msedge.exe
pid  process  (64 rows; repeated rows collapsed with a count)
248  msedge.exe  (x64)
-
Suspicious use of SendNotifyMessage 12 IoCs
Processes:
msedge.exe
pid  process  (12 rows; repeated rows collapsed with a count)
248  msedge.exe  (x12)
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
LogonUI.exe
pid  process
24440  LogonUI.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
cmd.exe, msedge.exe
description  pid  process  target process  (64 rows; repeated rows collapsed with a count)
PID 5028 wrote to memory of 1008  5028  cmd.exe  NOTEPAD.EXE  (x2)
PID 248 wrote to memory of 3836  248  msedge.exe  msedge.exe  (x2)
PID 248 wrote to memory of 1760  248  msedge.exe  msedge.exe  (repeated; targets 1760 and 2956 together account for the remaining 58 rows)
PID 248 wrote to memory of 3944  248  msedge.exe  msedge.exe  (x2)
PID 248 wrote to memory of 2956  248  msedge.exe  msedge.exe  (repeated)
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes (child processes are indented under their parent)
-
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\S1_E2_animation OG.txt"
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5028
-
  C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\S1_E2_animation OG.txt
  PID:1008
-
C:\Windows\System32\DataExchangeHost.exe
C:\Windows\System32\DataExchangeHost.exe -Embedding
PID:2812
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:248
-
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc0a3d3cb8,0x7ffc0a3d3cc8,0x7ffc0a3d3cd8
  PID:3836
-
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1884,4526078251504030613,42665735438815149,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1900 /prefetch:2
  PID:1760
-
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1884,4526078251504030613,42665735438815149,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2312 /prefetch:3
  - Suspicious behavior: EnumeratesProcesses
  PID:3944
-
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1884,4526078251504030613,42665735438815149,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2532 /prefetch:8
  PID:2956
-
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,4526078251504030613,42665735438815149,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
  PID:1428
-
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,4526078251504030613,42665735438815149,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
  PID:1408
-
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,4526078251504030613,42665735438815149,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:1
  PID:3608
-
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,4526078251504030613,42665735438815149,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5024 /prefetch:1
  PID:4908
-
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1884,4526078251504030613,42665735438815149,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3744 /prefetch:8
  - Suspicious behavior: EnumeratesProcesses
  PID:4712
-
  C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1884,4526078251504030613,42665735438815149,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5440 /prefetch:8
  - Suspicious behavior: EnumeratesProcesses
  PID:4944
-
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,4526078251504030613,42665735438815149,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3464 /prefetch:1
  PID:4948
-
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,4526078251504030613,42665735438815149,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
  PID:2220
-
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,4526078251504030613,42665735438815149,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3880 /prefetch:1
  PID:944
-
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,4526078251504030613,42665735438815149,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5060 /prefetch:1
  PID:4924
-
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,4526078251504030613,42665735438815149,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5840 /prefetch:1
  PID:5020
-
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1884,4526078251504030613,42665735438815149,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5732 /prefetch:8
  PID:3716
-
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1884,4526078251504030613,42665735438815149,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4688 /prefetch:8
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:2276
-
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,4526078251504030613,42665735438815149,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:1
  PID:4980
-
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,4526078251504030613,42665735438815149,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2912 /prefetch:1
  PID:2608
-
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,4526078251504030613,42665735438815149,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4716 /prefetch:1
  PID:2112
-
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,4526078251504030613,42665735438815149,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6200 /prefetch:1
  PID:3060
-
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1884,4526078251504030613,42665735438815149,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5084 /prefetch:2
  - Suspicious behavior: EnumeratesProcesses
  PID:3856
-
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1884,4526078251504030613,42665735438815149,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1244 /prefetch:8
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3420
-
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
PID:1656
-
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
PID:4188
-
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
PID:2020
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\CryptoLocker.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\CryptoLocker.exe"
- NTFS ADS
PID:4944
-
  C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
  "C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" "/rC:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\CryptoLocker.exe"
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1908
-
    C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
    "C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" /w00000234
    - Executes dropped EXE
    PID:1948
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\CoronaVirus.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\CoronaVirus.exe"
- Deletes itself
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:2304
-
  C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  PID:4980
-
    C:\Windows\system32\mode.com
    mode con cp select=1251
    PID:2060
-
    C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    - Interacts with shadow copies
    PID:4520
-
  C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe"
  PID:4824
-
    C:\Windows\system32\mode.com
    mode con cp select=1251
    PID:6784
-
    C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    - Interacts with shadow copies
    PID:7336
-
  C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
  PID:5388
-
  C:\Windows\System32\mshta.exe
  "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
  PID:5128
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Annabelle.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Annabelle.exe"
- Modifies WinLogon for persistence
- Modifies Windows Defender Real-time Protection settings
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Impair Defenses: Safe Mode Boot
- Adds Run key to start application
PID:3152
-
  C:\Windows\SYSTEM32\vssadmin.exe
  vssadmin delete shadows /all /quiet
  - Interacts with shadow copies
  PID:7772
-
  C:\Windows\SYSTEM32\vssadmin.exe
  vssadmin delete shadows /all /quiet
  - Interacts with shadow copies
  PID:8360
-
  C:\Windows\SYSTEM32\vssadmin.exe
  vssadmin delete shadows /all /quiet
  - Interacts with shadow copies
  PID:10856
-
  C:\Windows\SYSTEM32\NetSh.exe
  NetSh Advfirewall set allprofiles state off
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  PID:12452
-
  C:\Windows\System32\shutdown.exe
  "C:\Windows\System32\shutdown.exe" -r -t 00 -f
  - Suspicious use of AdjustPrivilegeToken
  PID:22624
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Fantom.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\Fantom.exe"
- Suspicious use of AdjustPrivilegeToken
PID:1632
-
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken
PID:7324
-
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39c4855 /state1:0x41c64e6d
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:24440
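The tree above contains the handful of command lines that matter for detection: vssadmin delete shadows /all /quiet run five times (twice via cmd.exe under CoronaVirus.exe, preceded each time by mode con cp select=1251, which switches the console to the Windows-1251 Cyrillic code page before the command runs; three times directly under Annabelle.exe), NetSh Advfirewall set allprofiles state off, a forced immediate reboot with shutdown.exe -r -t 00 -f, and mshta.exe launching a ransom note from both Startup folders. The vssadmin invocations also show why a rule should key on the executed command rather than the parent: the same line appears under two different parents. The following detection logic is an added example written for this page, not code from the report or from the sandbox. The process events are constructed from the tree above (PIDs as recorded there, plus one benign control), and the wmic, wbadmin and bcdedit rules go beyond what this report shows: they cover the other common recovery-inhibition commands of the same kind, as a generalization.

```python
"""Flag recovery-inhibition and defense-impairment command lines (T1490,
T1562.004, T1529) in process-creation events.

Added example, not part of the sandbox report. The sample events reproduce
the report's process tree; the wmic/wbadmin/bcdedit rules are a
generalization beyond what the report shows.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# (label, regex on the full command line). Case-insensitive and whitespace
# tolerant; matched against the executed command, not the parent.
RULES = [
    ("T1490 shadow copy deletion (vssadmin)",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("T1490 shadow copy deletion (wmic)",  # generalization, not in the report
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("T1490 backup catalog deletion (wbadmin)",  # generalization
     re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\s+catalog\b", re.I)),
    ("T1490 recovery disabled (bcdedit)",  # generalization
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\b(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
    ("T1562.004 firewall disabled (netsh)",
     re.compile(r"\bnetsh(?:\.exe)?\b.*\badvfirewall\s+set\s+\w+\s+state\s+off\b", re.I)),
    ("T1529 forced immediate reboot (shutdown)",
     re.compile(r"\bshutdown(?:\.exe)?\b(?=.*[/-]r\b)(?=.*[/-]f\b)(?=.*[/-]t\s+0+\b)", re.I)),
    ("ransom note launched from Startup folder (mshta)",
     re.compile(r"\bmshta(?:\.exe)?\b.*\\Start Menu\\Programs\\Startup\\.*\.hta", re.I)),
]


def classify(events):
    """Return [(pid, image, label)] for every event that a rule matches."""
    hits = []
    for ev in events:
        for label, rx in RULES:
            if rx.search(ev.cmdline):
                hits.append((ev.pid, ev.image, label))
    return hits


def count_by_technique(hits):
    """Aggregate classify() output into {label: count}."""
    counts = {}
    for _pid, _image, label in hits:
        counts[label] = counts.get(label, 0) + 1
    return counts


# Constructed from the process tree in the report (PIDs as recorded there).
SAMPLE_EVENTS = [
    ProcEvent(4980, 2304, r"C:\Windows\system32\cmd.exe", r'"C:\Windows\system32\cmd.exe"'),
    ProcEvent(2060, 4980, r"C:\Windows\system32\mode.com", "mode con cp select=1251"),
    ProcEvent(4520, 4980, r"C:\Windows\system32\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    ProcEvent(7336, 4824, r"C:\Windows\system32\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    ProcEvent(5388, 2304, r"C:\Windows\System32\mshta.exe",
              r'"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"'),
    ProcEvent(7772, 3152, r"C:\Windows\SYSTEM32\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    ProcEvent(8360, 3152, r"C:\Windows\SYSTEM32\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    ProcEvent(10856, 3152, r"C:\Windows\SYSTEM32\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    ProcEvent(12452, 3152, r"C:\Windows\SYSTEM32\NetSh.exe", "NetSh Advfirewall set allprofiles state off"),
    ProcEvent(22624, 3152, r"C:\Windows\System32\shutdown.exe", r'"C:\Windows\System32\shutdown.exe" -r -t 00 -f'),
    # Benign control (constructed): listing shadows must not fire.
    ProcEvent(9999, 1, r"C:\Windows\system32\vssadmin.exe", "vssadmin list shadows"),
]

if __name__ == "__main__":
    hits = classify(SAMPLE_EVENTS)
    for pid, image, label in hits:
        print(f"{pid:>6}  {image}\n        {label}")
    print(count_by_technique(hits))
```

The shutdown rule deliberately requires all three of -r, -f and a zero timeout, because an administrator's scheduled reboot looks like a partial match; the netsh rule accepts any profile name so that "currentprofile" and "domainprofile" are caught as well as the "allprofiles" seen here.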
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (2)
  - Windows Service (2)
- Event Triggered Execution (2)
  - Image File Execution Options Injection (1)
  - Netsh Helper DLL (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (2)
  - Windows Service (2)
- Event Triggered Execution (2)
  - Image File Execution Options Injection (1)
  - Netsh Helper DLL (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Direct Volume Access (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (2)
  - Safe Mode Boot (1)
- Indicator Removal (2)
  - File Deletion (2)
- Modify Registry (4)
Downloads
-
C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R32.dll.id-4CAA856D.[[email protected]].ncovFilesize
2.7MB
MD5554ccb75fa8f6621c7bd297ddf1ec414
SHA1d733222b01d30d3c6652d89cce0f45d81389e934
SHA25697c79ef4c25253164d0ce48d93da11ee9c59d969ba976906270be9e77d57bed5
SHA5125a31d2fd43b4a46b33fa781460da7568da0f26df662a8c7bbaecc4a175bdb650ac67abb7b4bfecf112ef233ced3e2ebb4a8a97b197b1110856f897ef342580a2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5bb87c05bdde5672940b661f7cf6c188e
SHA1476f902e4743e846c500423fb7e195151f22f3b5
SHA2567b7f02109a9d1f4b5b57ca376fcacd34f894d2c80584630c3733f2a41dddf063
SHA512c60d8b260d98ced6fe283ca6fed06e5f4640e9de2609bcfbfa176da1d0744b7f68acabfa66f35455e68cad8be1e2cfc9b5046463e13ae5f33bbbf87a005d1e0b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD55478498cbfa587d1d55a9ca5598bf6b9
SHA182fedfb941371c42f041f891ea8eb9fe4cf7dcc8
SHA256a4e82ce07a482da1a3a3ba11fcceee197c6b2b42608320c4f3e67f1c6a6d6606
SHA5127641a2f3cc7321b1277c58a47dfd71be087f67f8b57dca6e72bd4e1b664f36151cd723e03ea348835581bcb773eb97911f985d5ee770d4d1b8b6f7849ce74b44
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
3KB
MD5d9f717205fb41c3a9e2fa092a720fb59
SHA1343a4ce6251a2c975d6668cfd634ab4851e1fca8
SHA25615da357e216c8a496c0e95867d228cd80b5211ff4cc6ab83b5d1c33f8cd1f535
SHA512856f0e6839f6ef0a817f4b18938b259e4192560b15c3f89d54b88e784a4fd9a2507db1f894af213d1f76c4216be3a17a1c64209291e1a121ebbd880772595341
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
873B
MD5865f8bc2744941840440211f52845151
SHA14597fcecb681c55984c47d5067db224df6a7d57b
SHA25634037a7062d402b0c68facba1a0c0686da1e0acb1c38cac543862913e7ebaef9
SHA512492cdb2d5ae219afde8aac1ed37305c8a5c416f9078f7ac935d368cbef8b9da056fa812b4dceca3c80309c74d4c088f2a4432524568019f02ad2b833aebebc27
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD504cddf3c984be96f9d3ef5f68ee3020b
SHA121bdc116f465852fb84a9c476a51c9631b235948
SHA256ae55be67308f9f8a63c6c4606b11a9f04331151f94a3090eea7df38a58a782ad
SHA512a4afa19737ab98f78b738a02c99f8986247b30807241f89a075191d163c522efbdf6b6bf9272d63c06682455ede0203d73490863f02ee357ea0af07f57d3138d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5c6fb9dd5ff3fb90e3670a448c7db9b2d
SHA1450faa269c2966382bc81dce1644f8bc40a4268b
SHA2564f22b5259ca5da428fa62082a3462f33b22955318020fd43d545b0333d0483cf
SHA51259b5d61bd7e12c23b62625575ac9c2ba4b369290b228d76279a57d1eede114773837cacafeec269a7781bac3fd7f7572c50a7c43a4ed3b4b33c23afd2a0c955a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD5c3d16986f6a7f6e8d544a5472ca49955
SHA1969ffc45f8c17b9116bccfedcff6e63816976f85
SHA2560d99ddc72b719f9dd0126c298c195e613c4d14faf8aa9a74bf7fb459243db4e2
SHA51273cb5d498e4fa20d6904c06b392a45df38bb4b9bbe0397b6c4aaddc93b52409b7c6d93c63ce41714284e1fd4ee4a2495d98c758669ad64ad2e2885e8b24a0fbd
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD57aeed6e03494b0349048b8d8cfee4fc0
SHA1633e23a3fca8c6d1c95c9b87edbc394ea8a4fef9
SHA25640eae27052d77061c80b9e5832e285efe4aca2d2c2e59784816c90b54ad915b3
SHA512a90e95533465bd067b9390e99b827cdadf4d83beec0b01cdbe834945b1b0fba0dd5b53e8bcd8160b60e3db38e71bfecb7b4434985871a24699d3342c2c15f852
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB
MD5
ec3a2f40875ce6cf443f0b2c9f1ee806
SHA1
0e67423185c8a4238153275720b888e997777a41
SHA256
b329f6471510f03c3b36ee2d71c71a1e0f35900ced176b57738a3c376920548c
SHA512
83c398556629a1dc4cbd93ef3744d93d9b6f77eeef5202cc664fca23a84ad8ab830e53d7c9624f07fc775bf97858041ab210b0d4debbb80700fef4d9ace24676
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB
MD5
3fd8dd5fc63b6601cc1b7aed3d8d2f59
SHA1
ba5bab560a2a34f44594bc83b1247bc23c576c7d
SHA256
7efe0cf3af485b0294cbb0217e5b064cb176874548dc08efc451d04c7195ea06
SHA512
af67dbdcc1d987c29445bc56c9613bfb2e487838954032b614ac994f3ed43e49b61cb81f3f33166a45e0287eb83a0dafc2b908692de89ad02e6a4699e164c88a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB
MD5
10267504f4af9a52ec0761d092c72b19
SHA1
fb7b5370cf2027d3f2e1959b587311fd8f013623
SHA256
5bac1ba611725a9f73a4248ec7e877a54a422ab97c0c7afb7c1ab42df5428c00
SHA512
6c40893e136366c4b598ec4a1ecdc1e616b8c8859c87f78bfd3c60febd35ca061f6c0119814e14c8e8e4ee475ccd489403dbecf04facd995a49f95ad7f140820
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB
MD5
62f89038696c06874609a9bf4ef2cbec
SHA1
df5f529f68abfea7d8e8ff94a574b795bbafe43c
SHA256
2c7e6931016ecf602fc4f9c079c84690c1f3b3341675c19aa4d066adec3500e8
SHA512
4f539e4a43fbaff6c1449ab7ac8ffdea516efa885d5aabff7a0ef4879109d88e92f5b379370640f3a30ec31ef3b95ed7e8e7088192ba4e99c9794f7dc4e5f411
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe593a50.TMP
Filesize
536B
MD5
45130474de07de2ca755b67dcf9ed3b0
SHA1
0196fcc52501a938438ef7175fe4d5165792a550
SHA256
2bab93a012c85f213b3bd853a1a77ac76a0d16f3046961c445c3b94e3532b511
SHA512
2fe96f02b8710121c9b62ac28df55b7965861e2f7622d3d9dc87dba66ce94ebd7c0f0d9f8a60969b13226dd490488d9eb9f987fc75ebfc17aa4cc15fa5bbeb24
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B
MD5
46295cac801e5d4857d09837238a6394
SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B
MD5
206702161f94c5cd39fadd03f4014d98
SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\heavy_ad_intervention_opt_out.db
Filesize
16KB
MD5
9a8e0fb6cf4941534771c38bb54a76be
SHA1
92d45ac2cc921f6733e68b454dc171426ec43c1c
SHA256
9ee9211a57c3f6fa211fe0323fa8cd521e7cbffcd8ff0896645a45795dc472be
SHA512
12ed22537dcc79d53f6c7d39e92a38f8fea076d793198928f5b7a5dd1234d50a3c0b4815632f3fadf8bc4ef0499773d22bd83f961d2d0ffd8afacf471bd3a5ae
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\previews_opt_out.db
Filesize
16KB
MD5
d926f072b41774f50da6b28384e0fed1
SHA1
237dfa5fa72af61f8c38a1e46618a4de59bd6f10
SHA256
4f7b0e525d4bfc53d5df49589e25a0bccf2fcf6a1a0ca3f94d3285bb9cf0a249
SHA512
a140df6ec0d3099ef374e8f3ece09bf91bc896ac4a1d251799a521543fe9bdea796ba09fa47932bd54fa939118495078f9258557b32c31d3d4011b0666a4723f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB
MD5
07170919b3f17f10bacc6e5aad15b911
SHA1
ec3634e3d30f4774877527346a434d93867fc24c
SHA256
e95cd6d129718d58da382239ec68dc07bb94ea2ce39123b7f9926e82f3bfc0ad
SHA512
fb49bd209b4df1c9f4e87f5e44bd385dbd5d22a2b942b320f914eb87a2adc8136f6a167cfed2a854f1436c9280207da6786ed9e64f2562277ba83329f52662ac
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB
MD5
96333a8cc0ccf9e0c0082e1ca0e4186f
SHA1
ec2ef4e9c18f3185a7fdb82278d199a7759233be
SHA256
c2a3548306f2221a6fb3998e9c4753dd624b787e7af642b687137522d927f80e
SHA512
c92e70706df57336d0d233df0532d611d85fc9484758adfa7331141eba74208732a0e562d642e26ac215732e2f0660b3851612e34bde8a766fbc5c3816984669
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB
MD5
f0f15825cb22863c83309cbd5e34d695
SHA1
6d8c4661bb447f15c96f4eb45bdc4063a9040596
SHA256
1ae527a2956bf668edd54899802cbd78d9cffdfc90c69eef19d4afab9b9385f3
SHA512
ffc58b4f4a8d329817f57bf3ccc8f19be96394ec245b252a4a2861b5c4dccc391021ae90d559d2fb1fa1fdee14a5d25a2268ad30d85a8244f71a08d8e4af5f9c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB
MD5
c9241c48c9c1d42c6c05b03747181e18
SHA1
3e590ed69478bcbc4cdfcbd5fbfd55c78796db7d
SHA256
54c8548f7c6398b569d1dba6e6e992169c38c5d30159e4b389e01879349d4bbc
SHA512
7b2ef820e121e361bfbc99ea5a5e63ee745645541313af0085b18bc917e930148aa62e7155ef0dc16c4d1eade4307af84cbb2da1566526dd8110b8d518b7e39e
-
C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
Filesize
338KB
MD5
04fb36199787f2e3e2135611a38321eb
SHA1
65559245709fe98052eb284577f1fd61c01ad20d
SHA256
d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9
SHA512
533d6603f6e2a77bd1b2c6591a135c4717753d53317c1be06e43774e896d9543bcd0ea6904a0688aa84b2d8424641d68994b1e7dc4aa46d66c36feecb6145444
-
C:\Users\Admin\Desktop\ApproveExpand.tif
Filesize
533KB
MD5
5272f9e7ddc92a9a8ea5bd8963ad4293
SHA1
544be896f2bdfdda097608dccf76f9f680576457
SHA256
5f08ba0b533475416525b5fa1297beff0698e76f75f0a5f7138c9a061ddc1e80
SHA512
3f222ae20f2911301422b714c7970b80026b67b5e089f35cf1b6c57e79c343a5386d15d451abf7d6c52f4f053d1f5b7f1430b21789f82805e8776eb32be2c094
-
C:\Users\Admin\Desktop\BlockOut.m3u
Filesize
507KB
MD5
427dd380dde083e6f05b9ee0d8f58fbd
SHA1
e8a68cc3dc701d07ab980a7936718197a8645f43
SHA256
e7e871f9da3eb4beb304f57d5f7b18eff5be6e5a12d8694dfe3549f82943b356
SHA512
16040a43a8f2ae1e82a7b1214277be7419932188ce21413161001ee0d76290672d5943056dd3815d537488e8f205cefe07418b87aeeebefef9b12c2e86bc91ff
-
C:\Users\Admin\Desktop\BlockRepair.i64
Filesize
660KB
MD5
4901c90c4dd7f571b8cfdce75d7397a5
SHA1
0a3e1c7cf335caa5a1517bcaf30a4b09369090fe
SHA256
ff85d090ace68cad382b75fc925df8fc1c6ac6ddbda843f3228a353bfca0f36b
SHA512
6035deba371e2602a023b1b08890f3ebaa6956e42de95427f02ce65a7fbdef60a83b71cf74dd8b34ff2f8f2dc56eab4ad182c447e3160890a48d987737569cb4
-
C:\Users\Admin\Desktop\CompareBlock.ods
Filesize
558KB
MD5
e2d79aca54fd65b9aea9598764decee0
SHA1
d7126fff9d7b88ecfe2a3e685132e45760d09f7a
SHA256
49220b905642abfbe0e6a22d40a82b65e02195aa09c50fb7488269ec1d963311
SHA512
438274c1d487dccc2ac83429a1e64164dd8faac8b74969bd85518558228f49bf2aa90b2dd2394d6012129ac1f3ce9249b042c30593d0274bb22ab6f1517f19a3
-
C:\Users\Admin\Desktop\CompareStop.wmx
Filesize
1.1MB
MD5
415faaea335cb1674cbd5ed806eed8b4
SHA1
3dff600ad2439b9f22b3c1c3d9a6490f85f94a5d
SHA256
5a593ef0bbcbf01385a8da19670a5941d00e8e71afad793888b2cd3cb6f933c8
SHA512
0fca29a2b7e7025dea5ad5fcf12e5b353856dc377c6b67bb6f6f21df36a0d146cd3529e912c64639af6a11dbb828846fb925ff38f274816bfd1540c5c626be37
-
C:\Users\Admin\Desktop\CompleteSearch.bmp
Filesize
330KB
MD5
a018d1444fc2ce38c97dfd5dae3d0a15
SHA1
ef28127e24f2d3b0c3890ccfd736ac0f3f3b19d2
SHA256
e7a199d12448a359e4fc630dbafaea9ba28329ca5019da17050d3ae8625cdcd0
SHA512
489f86ca5abc0d653043b2ae4d08f8ff7fb4116b11b7ac7b2afd1bbbde03bbc4457af5767cbe3621f129b4c367f88b20bc92411dbc677a2fe289438c62416a37
-
C:\Users\Admin\Desktop\ConnectEnable.MOD
Filesize
736KB
MD5
ce25608dd694fd08f46e73a5523195e6
SHA1
7562779b2d928acd08a0213817c0bf64fed4c05c
SHA256
99f257f06418a244c38cb5df036d000d5a1b8745abb9016b6e4015345933f39c
SHA512
418349bcfdd1c76133ac8c39af897b696b64f434662c44ee661db6ef71d39809eb9c7e8acd957b1db2a6eaba663392dc650c2620b105dea98fc62dd4139117fa
-
C:\Users\Admin\Desktop\ConvertToUnprotect.mp4
Filesize
710KB
MD5
3579942eef3f58c42719ee8fd17d98f6
SHA1
5e3d9282dbf635dcb7a7f0940e73ba1242ce3b13
SHA256
58343174cbf193fe8c1f1c60f2832c0485c023c23fb6b00e765cb474ee85ff93
SHA512
535d961ef88af22e46e8531abe3570c45d4eb8619ffff2519d0188f62394e84083175ec1d5d7b336cad9288e30be90095f4a1cad90e05b3a6433411d11f76709
-
C:\Users\Admin\Desktop\CopyRestart.mpeg3
Filesize
634KB
MD5
f9970c2f088119b64a456c282cbc4ec6
SHA1
f8e2ca8df0a62a0a54362c5c1f0b01823a6a10dd
SHA256
0c27b00c09b8406d4733b4d82404b66deeec049ee473510d1ee76def8d96088c
SHA512
e49321cb75e37647412d4b4cb3a480c91738c970c1148d494be6e66becdbc7f035c63dc0cff524c04b0b45f1d0dd19292ee6a9f14d8e87358d1e03764e64f6e9
-
C:\Users\Admin\Desktop\ExitUnpublish.html
Filesize
685KB
MD5
e85f6bdf9a896fdc55e7995d414f845b
SHA1
251b7da75f4c0e2e1e9a3b539ba10026a78c99f7
SHA256
2ebc111e738eca9c91e47cc08e5dfea8d9fd4e4f5f7c82b4c8f3db8441464582
SHA512
618428f398287d00315d7983a558a8a579ceb1b5dc658774a196002da35c76657c41846b02c208229b8c56e3a4ce21ac4f072e96ab90b491a50464a991cb7cf9
-
C:\Users\Admin\Desktop\FindGroup.wmx
Filesize
355KB
MD5
a369fa95e2655806914c828ecab24e94
SHA1
7d42aa32305888ee750d45eb3b8d83ad4d58716e
SHA256
3a1022318924734c19a0aefe60bcad5dfb85dfa1f1ccdcb64376c1579b289a62
SHA512
ae9340f3393eaf97f3491719a4aa89cf82fa11ac9ddca11e4cf0e92b9b3cd8157ee82f1c00ee4ba309bab05b0ab2cbe947540f987d38e6f53dff96b8d6af689e
-
C:\Users\Admin\Desktop\FormatInstall.xlsx
Filesize
9KB
MD5
a0046db775223500a8de0f1827dc4e40
SHA1
ed86483fa185f77445d1d4f0e0f40fea3be89a47
SHA256
15d6a58a9b188e5e9f9654e6f140412647f76ea2130819e354ff4b74e6216ad2
SHA512
dd98fc617e2cacadf6272b7c2bc353482a78b96b4858eddf2112f69ceffc9aa734700c919b7a30bf0f4556d56070c40aaea77fc9472e2b8a77debaa7064ef9c7
-
C:\Users\Admin\Desktop\Microsoft Edge.lnk
Filesize
2KB
MD5
2f313410ab283de6e6bb13f5497e7c42
SHA1
08b8baac5fc96d29abd0542af901125a97300b63
SHA256
50281de11c2aea4ebd91c49e55cf288ee65158f9f9105b8c80c31c80d4f87760
SHA512
c4c60b915a8d99320b50c1d00ff2439379d976f54d971e8f1e917c4b904277e3e48de878f0b904474c27620acf41006bfca44e06f1af1777b05eb38c46b49059
-
C:\Users\Admin\Desktop\MountMove.png
Filesize
279KB
MD5
6163631b6b7b8711a55b18cf81152914
SHA1
2c718271b82f1b32f3e7ee1dc9209fa3eabd0642
SHA256
458c3aa02f71b2ae520e97a8e5977dec172b12919e71c85f18f8eb848622599b
SHA512
a8ae76525d3bfdf0a7f5ec96a121863143faa77578193bf72fae6cd82bb38f09ec4958bd26158d0f55b3b8e7bb58cb7eea15d74c6b053d0d470c8cd9a4b8dbed
-
C:\Users\Admin\Desktop\NewUndo.asx
Filesize
380KB
MD5
7d240675f0c92ae89448cd1b08cc1179
SHA1
1be000857d41b4d5d0c157753ae9f7eacdb5a4d5
SHA256
fb61cb21dbee5342abb228946c043b811f2f372a594bc211246677b0e56c354e
SHA512
ec94b117cffa512fbb91e31f22c50c732d1e0ea2ef82aefb15c864a6013deab2a01c81cc423e7b3bdcf2b22d949855bbcafe60a2f0ee0f08b8249043f7864c12
-
C:\Users\Admin\Desktop\PopDisconnect.rm
Filesize
456KB
MD5
01b57dfab776c5b62e84d108225aae83
SHA1
bcde7243509841b6e5b447dcee8894adbf1afcf6
SHA256
0668049b867cf9b2f488ed4623bf2b8582493520269c7c456c7b71c929668b5a
SHA512
6c227016e82281f4105566d76c8b021f8afd79177bb80d9b088190451744ad6508898abac3eb0f4266d01fe243b56e0aa26e5a5f2bfa7dc3fd15cba090a58c63
-
C:\Users\Admin\Desktop\ResolveUnprotect.vsdm
Filesize
304KB
MD5
de8c00c73eaeb3ab877ed4a1fd43d053
SHA1
46b865107b8949002505336c73c9e979008c536c
SHA256
c55ed75762f00446f30a753aa96a8f1adb547893eee140bcdff35712e06a0d9d
SHA512
f13a3725ab41e75c9228dcc83d50bf4fb79523cf7a28a7fc6abc07b429273a1be366242beb5cc0d5f58cadfe78bc4828298a8275892770e9274209df1a7d36aa
-
C:\Users\Admin\Desktop\RestoreBackup.svg
Filesize
609KB
MD5
c300f65175595da799615194b1322593
SHA1
1fcad03f94d5b8f933d867a239dc9e9e24fbf13e
SHA256
37af2480bb03ea0c541ae7bed443622adab9c34dc28ad153cf1bec6f1305a1a5
SHA512
3e3f0cc610c5f5cfd467a80a1670fb5e092e81458f335099e28e45c9073a62a199324ca4a62f581f09e82fe944ef956425b26233d91a2ce4bd2e0cda95682eca
-
C:\Users\Admin\Desktop\SetMove.iso
Filesize
431KB
MD5
d27b4a57a0a00e54daf3ab560289ada0
SHA1
d533610fc52464dd25439c509bc3385f38aae333
SHA256
0567c8a29d8e47a55c92bb73292066ff7d2b9abe99486eee3c281ff10333db48
SHA512
13b7e49b217c560de220ee9c3a4a1ce085fcf7b841adb2a93c29d3ef48751deafc20a7038b873ddca790f2f590b38cb7bfcdfc7bb205ac1c0f6fd3920b911101
-
C:\Users\Admin\Desktop\ShowExit.ini
Filesize
406KB
MD5
07d867d0cb67710ff17d6bb587ce8b27
SHA1
9e0913ab363d7b8ca21c0ce9578f2e5a42940372
SHA256
716ddfc0dca90e6f50ad65d010aebc0e0999b81cf6fc6ee7a180913b85535193
SHA512
8c15c2e34ee1ea673ff7985083f21a66c004c73ae6cd8896017c870b6d6871a4d31b18667a7cd44ffd516e6009bee88a05c0c50482b42aed00882dc19ffabd8c
-
C:\Users\Admin\Desktop\SkipResume.DVR-MS
Filesize
583KB
MD5
cdb3d6eedb42a4931de33eba75366bb9
SHA1
8ecc95bed24219608f3babce701b08ba9f8290b5
SHA256
eae64fd70c3353453c91a69ac11052550d3e455ead1ed5068baaafd1dc5e0b5b
SHA512
c68a09022974cb28ddb7448f52ec3aaee42d817965d8eb4668e2303f86086ddc5b437f84fa14163361d9e186da00af674d08c5be9174970233b3d0c55ec4c0a3
-
C:\Users\Admin\Desktop\SplitTest.vstx
Filesize
761KB
MD5
170ac4de3e4cdc1f3400acc230749906
SHA1
338f950537b5bf61503025492e9076fb58fbcaff
SHA256
ba8fe31e7a9e8c699dd4d81ee093fdb291cc76630aaee21d64d5821568416d01
SHA512
be19a67b8a308ea0f7e9d6df235389032eab12f3095ab356f584ac3583fe7201ce42b4463ee051ecbb64d6b71544729db459e069d67d18af7ae2c1553fef793c
-
C:\Users\Admin\Desktop\SuspendStart.dot
Filesize
787KB
MD5
62b985ddd5e95df05cfa971c9ac0d425
SHA1
6af5bb03e46c7c36cc2db4bb377e7d6897b2286d
SHA256
69e62987c5ed0ed9060e5ad93e65164a488ac21946ff3b0b1503c4c39bb16e4c
SHA512
98dc9b59603d035ecee9cb19575e87445276f7bd2abb30db06889fcf68a5b042fb34c04f2b41a0af9a9b279a412cbfa57d35a601eb3d55d07f18ef7ebf8b41c2
-
C:\Users\Admin\Desktop\UnpublishOpen.xlsx
Filesize
11KB
MD5
fc8cd52e7cdda0b5ed86610c4ac7e86a
SHA1
48e4b189eebfe3ba26abfae7663159ea1881c6e1
SHA256
f9409196794a51643f4d6fcdbf2c8bc780a97d04aca1b4260382efd3dc856ab6
SHA512
d47e4642dc218ab560f5b222ff1353850c48e0234ff31727ff984b0f070c8ce14c205317fb2b05df11386b96ee3986dad1ea0856fb5099e5fcf92eabcb9081f6
-
C:\Users\Admin\Desktop\UpdateConvertFrom.mpg
Filesize
482KB
MD5
b10d8ad12ae77106a8085071899f85de
SHA1
4e2e1be629b3781aa39522c95e9077bb3c0a4fb6
SHA256
092ed4f3e0242b344589ae2e1287cb1cbef22f1f6b3d7074314fe1a511c06332
SHA512
8174bec9a253bfb78eb039a71cc7a22ae64040ecdee22c7279a40131810774c984b2d6fe9e0083ed908c694fe6437cb868d5f953e59136421155317ad93b8520
-
C:\Users\Admin\Desktop\WatchRegister.docx
Filesize
20KB
MD5
0e6c77794df6a4e6f517f3f91e6dc392
SHA1
d51ac614336f09a7eb9faff939f95071647bf81e
SHA256
3bbab30aa2e29bf643ea622d565db720aaef65c89154966803da72a4aff6839c
SHA512
2aa598d34562a393e4e5f6a30541fb223e9594685e0707c278441e0fef1a48667ed2a79583cf7f09c76975d68396f2b43fc582a5be005096be5fc16dbad52638
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master.zip:Zone.Identifier
Filesize
26B
MD5
fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98
-
\??\pipe\LOCAL\crashpad_248_IMSDHZPIOLHNXNKR
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/1632-25904-0x0000000002510000-0x000000000253B000-memory.dmp
Filesize
172KB
-
memory/1632-25850-0x0000000002510000-0x000000000253B000-memory.dmp
Filesize
172KB
-
memory/1632-25816-0x0000000002510000-0x000000000253B000-memory.dmp
Filesize
172KB
-
memory/1632-25884-0x0000000002510000-0x000000000253B000-memory.dmp
Filesize
172KB
-
memory/1632-25601-0x0000000002220000-0x0000000002252000-memory.dmp
Filesize
200KB
-
memory/1632-25876-0x0000000002510000-0x000000000253B000-memory.dmp
Filesize
172KB
-
memory/1632-25896-0x0000000002510000-0x000000000253B000-memory.dmp
Filesize
172KB
-
memory/1632-25878-0x0000000002510000-0x000000000253B000-memory.dmp
Filesize
172KB
-
memory/1632-25813-0x0000000002510000-0x000000000253B000-memory.dmp
Filesize
172KB
-
memory/1632-25918-0x0000000002510000-0x000000000253B000-memory.dmp
Filesize
172KB
-
memory/1632-25916-0x0000000002510000-0x000000000253B000-memory.dmp
Filesize
172KB
-
memory/1632-26221-0x00000000050B0000-0x0000000005142000-memory.dmp
Filesize
584KB
-
memory/1632-26220-0x0000000004AB0000-0x0000000005056000-memory.dmp
Filesize
5.6MB
-
memory/1632-25914-0x0000000002510000-0x000000000253B000-memory.dmp
Filesize
172KB
-
memory/1632-25912-0x0000000002510000-0x000000000253B000-memory.dmp
Filesize
172KB
-
memory/1632-26222-0x00000000052D0000-0x00000000052DA000-memory.dmp
Filesize
40KB
-
memory/1632-25910-0x0000000002510000-0x000000000253B000-memory.dmp
Filesize
172KB
-
memory/1632-25908-0x0000000002510000-0x000000000253B000-memory.dmp
Filesize
172KB
-
memory/1632-25906-0x0000000002510000-0x000000000253B000-memory.dmp
Filesize
172KB
-
memory/1632-25824-0x0000000002510000-0x000000000253B000-memory.dmp
Filesize
172KB
-
memory/1632-25826-0x0000000002510000-0x000000000253B000-memory.dmp
Filesize
172KB
-
memory/1632-25828-0x0000000002510000-0x000000000253B000-memory.dmp
Filesize
172KB
-
memory/1632-25602-0x0000000002510000-0x0000000002542000-memory.dmp
Filesize
200KB
-
memory/1632-25858-0x0000000002510000-0x000000000253B000-memory.dmp
Filesize
172KB
-
memory/1632-25856-0x0000000002510000-0x000000000253B000-memory.dmp
Filesize
172KB
-
memory/1632-25854-0x0000000002510000-0x000000000253B000-memory.dmp
Filesize
172KB
-
memory/1632-25852-0x0000000002510000-0x000000000253B000-memory.dmp
Filesize
172KB
-
memory/1632-25848-0x0000000002510000-0x000000000253B000-memory.dmp
Filesize
172KB
-
memory/1632-25846-0x0000000002510000-0x000000000253B000-memory.dmp
Filesize
172KB
-
memory/1632-25844-0x0000000002510000-0x000000000253B000-memory.dmp
Filesize
172KB
-
memory/1632-25843-0x0000000002510000-0x000000000253B000-memory.dmp
Filesize
172KB
-
memory/1632-25840-0x0000000002510000-0x000000000253B000-memory.dmp
Filesize
172KB
-
memory/1632-25838-0x0000000002510000-0x000000000253B000-memory.dmp
Filesize
172KB
-
memory/1632-25837-0x0000000002510000-0x000000000253B000-memory.dmp
Filesize
172KB
-
memory/1632-25832-0x0000000002510000-0x000000000253B000-memory.dmp
Filesize
172KB
-
memory/1632-25830-0x0000000002510000-0x000000000253B000-memory.dmp
Filesize
172KB
-
memory/2304-5270-0x0000000000400000-0x000000000056F000-memory.dmp
Filesize
1.4MB
-
memory/2304-538-0x0000000000400000-0x000000000056F000-memory.dmp
Filesize
1.4MB
-
memory/2304-540-0x0000000000400000-0x000000000056F000-memory.dmp
Filesize
1.4MB
-
memory/3152-539-0x000001EA2EC50000-0x000001EA2FC44000-memory.dmp
Filesize
16.0MB
-
memory/3152-26229-0x000001EA4A2E0000-0x000001EA4B86E000-memory.dmp
Filesize
21.6MB
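The dropped-file and memory-dump list above is only useful once it is turned into checked, deduplicated indicators. The following Python is an added example written for this page, not part of the sandbox report or of any tool the report was produced by. It parses the flattened "LabelValue" form in which such lists are usually extracted (path fused with Filesize, digest fused with its algorithm name), validates every digest length, and then runs the three checks an analyst would want on the entries above: it discards the crashpad named pipe because its digests are those of empty input, recovers the ZoneId behind the Zone.Identifier stream by hashing candidate `[ZoneTransfer]` bodies, flags the GUID-named executable written to %APPDATA%\Roaming as the sample's self-copy to pivot on, and verifies that each memory dump's reported size equals the end minus start of its address range. The embedded input is a verbatim excerpt of the entries above; the function and field names are this example's own.

```python
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass, field
from typing import Optional

# Excerpt of the dropped-file and memory-dump list above, copied verbatim from the
# report. The page extraction fuses each label onto its value ("MD5<hash>",
# "<path>Filesize"); that fused form is what the parser below undoes.
SAMPLE = r"""
C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exeFilesize
338KB
MD504fb36199787f2e3e2135611a38321eb
SHA165559245709fe98052eb284577f1fd61c01ad20d
SHA256d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9
SHA512533d6603f6e2a77bd1b2c6591a135c4717753d53317c1be06e43774e896d9543bcd0ea6904a0688aa84b2d8424641d68994b1e7dc4aa46d66c36feecb6145444
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master.zip:Zone.IdentifierFilesize
26B
MD5fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98
-
\??\pipe\LOCAL\crashpad_248_IMSDHZPIOLHNXNKRMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/1632-26220-0x0000000004AB0000-0x0000000005056000-memory.dmpFilesize
5.6MB
-
memory/3152-539-0x000001EA2EC50000-0x000001EA2FC44000-memory.dmpFilesize
16.0MB
-
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)([0-9a-fA-F]+)$")
MEMORY_PATH = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)
GUID_EXE = re.compile(r"\\AppData\\Roaming\\\{[0-9A-Fa-f-]{36}\}\.exe$")
EMPTY_MD5 = hashlib.md5(b"").hexdigest()  # digest of zero bytes: d41d8cd9...


@dataclass
class Record:
    path: str
    size: Optional[str] = None          # size string as the report prints it
    hashes: dict = field(default_factory=dict)


def parse_report(text: str) -> list[Record]:
    """Split the flattened list into records; a bare '-' line separates entries."""
    records: list[Record] = []
    block: list[str] = []
    for line in text.strip().splitlines():
        if line == "-":
            if block:
                records.append(_parse_block(block))
            block = []
        else:
            block.append(line)
    if block:
        records.append(_parse_block(block))
    return records


def _parse_block(lines: list[str]) -> Record:
    head, rest = lines[0], lines[1:]
    if head.endswith("Filesize"):
        rec = Record(path=head[: -len("Filesize")], size=rest.pop(0))
    elif head.endswith("MD5"):
        # Entries without a size (named pipes) fuse the first label onto the path
        # and leave the MD5 digest alone on the next line; re-attach the label.
        rec = Record(path=head[: -len("MD5")])
        rest[0] = "MD5" + rest[0]
    else:
        rec = Record(path=head)
    for line in rest:
        m = HASH_LINE.match(line)
        if not m:
            raise ValueError(f"unrecognised line in {rec.path!r}: {line!r}")
        algo, digest = m.group(1), m.group(2).lower()
        # A wrong length means label and digest were split at the wrong place.
        if len(digest) != HASH_LEN[algo]:
            raise ValueError(f"{algo} digest of wrong length in {rec.path!r}")
        rec.hashes[algo] = digest
    return rec


def human_size(n: int) -> str:
    """Render a byte count the way the report does (1.4MB, 172KB, 536B)."""
    if n >= 1 << 20:
        return f"{n / (1 << 20):.1f}MB"
    if n >= 1024:
        return f"{n // 1024}KB"
    return f"{n}B"


def memory_region_matches(rec: Record) -> bool:
    """True if a memory dump's reported size equals end - start of its address range."""
    m = MEMORY_PATH.match(rec.path)
    if not m:
        return False
    span = int(m["end"], 16) - int(m["start"], 16)
    return human_size(span) == rec.size


def zone_id_from_md5(md5: str) -> Optional[int]:
    """Recover the ZoneId of a bare Zone.Identifier stream by hashing candidate bodies."""
    for zone in range(5):
        body = f"[ZoneTransfer]\r\nZoneId={zone}\r\n".encode()
        if hashlib.md5(body).hexdigest() == md5:
            return zone
    return None


def triage(records: list[Record]) -> list[tuple[str, str]]:
    """Return (path, note) pairs for entries an analyst should keep, pivot on, or drop."""
    notes = []
    for rec in records:
        p = rec.path
        if rec.hashes.get("MD5") == EMPTY_MD5:
            notes.append((p, "hashes are of empty content; drop, not an IoC"))
        elif p.endswith(":Zone.Identifier"):
            notes.append((p, f"Mark-of-the-Web ADS, ZoneId={zone_id_from_md5(rec.hashes.get('MD5', ''))}"))
        elif GUID_EXE.search(p):
            notes.append((p, f"GUID-named PE dropped in %APPDATA%; pivot on SHA256 {rec.hashes.get('SHA256')}"))
        elif MEMORY_PATH.match(p) and not memory_region_matches(rec):
            notes.append((p, "reported size does not match address range"))
    return notes


if __name__ == "__main__":
    for path, note in triage(parse_report(SAMPLE)):
        print(f"{path}\n    {note}")
```

Run against the full list above, the same parser lets you drop every entry whose digests are those of empty input, keep a single SHA256 per distinct dropped file (the Edge Preferences, TransportSecurity and Local State entries are sandbox browser churn that should not go into a blocklist), and treat the %APPDATA% executable as the one hash worth pivoting on.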