Analysis
max time kernel: 247s
max time network: 248s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/01/2025, 21:52
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: http://hg
Resource: win10v2004-20241007-en
General
Malware Config

Extracted
Path: C:\Users\Admin\Downloads\!Please Read Me!.txt
Family: wannacry
Wallets: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Extracted
Family: modiloader
URLs: https://drive.google.com/u/0/uc?id=1TcSctGVBajYMA7CFDc158wpvqkpxmkhJ&export=download
Signatures

Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.

Dharma family

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

Modiloader family

Wannacry
WannaCry is a ransomware cryptoworm.

Wannacry family
Deletes shadow copies (3 TTPs)
Ransomware often targets backup files to inhibit system recovery.

ModiLoader First Stage (2 IoCs)
resource | yara_rule
behavioral1/files/0x0007000000023f25-27497.dat | modiloader_stage1
behavioral1/memory/24700-27520-0x0000000010410000-0x000000001047E000-memory.dmp | modiloader_stage1
Renames multiple (516) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.

Renames multiple (61) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.

Disables RegEdit via registry modification (2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Krotten.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Krotten.exe

Disables Task Manager via registry modification

Downloads MZ/PE file
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | CoronaVirus.exe
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | msedge.exe

Credentials from Password Stores: Windows Credential Manager (1 TTPs)
Suspicious access to Credentials History.

Drops startup file (7 IoCs)
description | ioc | Process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-3992820B.[[email protected]].ncov | CoronaVirus.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta | CoronaVirus.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD319B.tmp | WannaCry.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD31B1.tmp | WannaCry.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CoronaVirus.exe | CoronaVirus.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | CoronaVirus.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-3992820B.[[email protected]].ncov | CoronaVirus.exe
Executes dropped EXE (16 IoCs)
pid | Process
1072 | WannaCry.exe
3372 | !WannaDecryptor!.exe
5788 | !WannaDecryptor!.exe
5744 | !WannaDecryptor!.exe
4368 | !WannaDecryptor!.exe
5800 | Krotten.exe
3040 | CoronaVirus.exe
2328 | CoronaVirus.exe
23064 | chrome.exe
16208 | msedge.exe
17868 | msedge.exe
6156 | msedge.exe
24700 | NetWire.exe
24748 | NetWire.exe
11044 | NetWire.exe
11124 | NetWire.exe

Loads dropped DLL (6 IoCs)
pid | Process
23064 | chrome.exe
23064 | chrome.exe
23064 | chrome.exe
16208 | msedge.exe
17868 | msedge.exe
6156 | msedge.exe

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 6 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\"" | CoronaVirus.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\Downloads\\WannaCry.exe\" /r" | WannaCry.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\WINDOWS\\Web\\rundll32.exe" | Krotten.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AVPCC = "C:\\WINDOWS\\Cursors\\avp.exe" | Krotten.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CoronaVirus.exe = "C:\\Windows\\System32\\CoronaVirus.exe" | CoronaVirus.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\"" | CoronaVirus.exe
Drops desktop.ini file(s) (64 IoCs)
description | ioc | Process
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | CoronaVirus.exe
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini | CoronaVirus.exe
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\Searches\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Public\Documents\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Public\Music\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI | CoronaVirus.exe
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\Desktop\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\Favorites\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Public\Desktop\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\Links\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\Saved Games\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini | CoronaVirus.exe
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\Documents\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\Videos\desktop.ini | CoronaVirus.exe
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Public\Libraries\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\3D Objects\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Public\Videos\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\Pictures\Camera Roll\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\Pictures\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Public\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Program Files\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\OneDrive\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\Music\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | CoronaVirus.exe
File opened for modification | C:\$Recycle.Bin\S-1-5-21-940901362-3608833189-1915618603-1000\desktop.ini | CoronaVirus.exe
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | CoronaVirus.exe
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini | CoronaVirus.exe
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini | CoronaVirus.exe
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\Downloads\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Public\AccountPictures\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\Contacts\desktop.ini | CoronaVirus.exe
File opened for modification | C:\Users\Admin\Pictures\Saved Pictures\desktop.ini | CoronaVirus.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 4 IoCs)
flow | ioc
154 | drive.google.com
155 | drive.google.com
87 | raw.githubusercontent.com
88 | raw.githubusercontent.com

Modifies WinLogon (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "DANGER" | Krotten.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText = "Äëÿ òîãî ÷òîáû âîññòàíîâèòü íîðìàëüíóþ ðàáîòó ñâîåãî êîìïüþòåðà íå ïîòåðÿâ ÂÑÞ èíôîðìàöèþ! È ñ ýêîíîìèâ äåíüãè, ïðèøëè ìíå íà e-mail [email protected] êîä ïîïîëíåíèÿ ñ÷åòà êèåâñòàð íà 25 ãðèâåíü.  îòâåò â òå÷åíèå äâåíàäöàòè ÷àñîâ íà ñâîé e-mail òû ïîëó÷èøü ôàèë äëÿ óäàëåíèÿ ýòîé ïðîãðàììû." | Krotten.exe

Drops file in System32 directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\System32\CoronaVirus.exe | CoronaVirus.exe
File created | C:\Windows\System32\Info.hta | CoronaVirus.exe

Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp" | !WannaDecryptor!.exe
Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File created | C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\MS.ONENOTE.16.1033.hxn.id-3992820B.[[email protected]].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files\Java\jre-1.8\legal\jdk\dynalink.md.id-3992820B.[[email protected]].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\de-DE\View3d\3DViewerProductDescription-universal.xml | CoronaVirus.exe
File created | C:\Program Files\Java\jre-1.8\lib\security\policy\limited\US_export_policy.jar.id-3992820B.[[email protected]].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_download_audit_report_18.svg.id-3992820B.[[email protected]].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\msvcp140.dll | CoronaVirus.exe
File opened for modification | C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\en-US\MSFT_PackageManagementSource.strings.psd1 | CoronaVirus.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.targetsize-40_altform-colorize.png | CoronaVirus.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\hu-hu\ui-strings.js.id-3992820B.[[email protected]].ncov | CoronaVirus.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_MAK_AE-pl.xrm-ms.id-3992820B.[[email protected]].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files\Microsoft Office\root\rsod\onenote.x-none.msi.16.x-none.boot.tree.dat.id-3992820B.[[email protected]].ncov | CoronaVirus.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\System.Windows.Input.Manipulations.resources.dll.id-3992820B.[[email protected]].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Images\SkypeAppList.targetsize-24_altform-unplated_contrast-white.png | CoronaVirus.exe
File created | C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-memory-l1-1-0.dll.id-3992820B.[[email protected]].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\offsymxl.ttf.id-3992820B.[[email protected]].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\System.Windows.Forms.Design.resources.dll.id-3992820B.[[email protected]].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\UIAutomationClientSideProviders.resources.dll | CoronaVirus.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\1850_32x32x32.png | CoronaVirus.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\XML2WORD.XSL.id-3992820B.[[email protected]].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription1-pl.xrm-ms | CoronaVirus.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-32_altform-unplated.png | CoronaVirus.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\DBGCORE.DLL | CoronaVirus.exe
File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\UIAutomationTypes.resources.dll | CoronaVirus.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\System.Threading.Timer.dll | CoronaVirus.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioProR_OEM_Perp-ppd.xrm-ms.id-3992820B.[[email protected]].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_Grace-ppd.xrm-ms | CoronaVirus.exe
File created | C:\Program Files\VideoLAN\VLC\locale\gd\LC_MESSAGES\vlc.mo.id-3992820B.[[email protected]].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\es-ES\MSFT_PackageManagement.strings.psd1.id-3992820B.[[email protected]].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\legal\jdk\pkcs11cryptotoken.md | CoronaVirus.exe
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Xml.XmlSerializer.dll.id-3992820B.[[email protected]].ncov | CoronaVirus.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\fi-fi\ui-strings.js.id-3992820B.[[email protected]].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\System.Windows.Input.Manipulations.resources.dll | CoronaVirus.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\am_get.svg.id-3992820B.[[email protected]].ncov | CoronaVirus.exe
File created | C:\Program Files\Microsoft Office\root\Client\api-ms-win-crt-multibyte-l1-1-0.dll.id-3992820B.[[email protected]].ncov | CoronaVirus.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ccme_base_non_fips.dll.id-3992820B.[[email protected]].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\ne.pak | CoronaVirus.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-white_scale-80.png | CoronaVirus.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\System.Windows.Forms.Design.resources.dll.id-3992820B.[[email protected]].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\ExchangeSmallTile.scale-400.png | CoronaVirus.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\AppCenter_R.aapp | CoronaVirus.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\legal\javafx\webkit.md.id-3992820B.[[email protected]].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\onboarding\landing_page_whats_new_v2.png | CoronaVirus.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Retail-pl.xrm-ms.id-3992820B.[[email protected]].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_OEM_Perp-ul-oob.xrm-ms.id-3992820B.[[email protected]].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_Retail-pl.xrm-ms | CoronaVirus.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe.id-3992820B.[[email protected]].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.371\goopdateres_bg.dll | CoronaVirus.exe
File created | C:\Program Files\Microsoft Office\root\Integration\C2RManifest.osmuxmui.msi.16.en-us.xml.id-3992820B.[[email protected]].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files\Microsoft Office\root\rsod\excelmui.msi.16.en-us.tree.dat.id-3992820B.[[email protected]].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteAppList.targetsize-256_altform-unplated.png | CoronaVirus.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ja-jp\ui-strings.js.id-3992820B.[[email protected]].ncov | CoronaVirus.exe
File created | C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Grace-ppd.xrm-ms.id-3992820B.[[email protected]].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\s_radio_unselected_18.svg | CoronaVirus.exe
File created | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\CancelGlyph.16.GrayF.png.id-3992820B.[[email protected]].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\UIAutomationClient.resources.dll.id-3992820B.[[email protected]].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.contrast-white_targetsize-40_altform-unplated.png | CoronaVirus.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\SearchEmail2x.png.id-3992820B.[[email protected]].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files\Mozilla Firefox\ipcclientcerts.dll | CoronaVirus.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\favicon.ico.id-3992820B.[[email protected]].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\lib\deploy\splash_11-lic.gif | CoronaVirus.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\requests\playlist.json | CoronaVirus.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\UIAutomationClientSideProviders.resources.dll.id-3992820B.[[email protected]].ncov | CoronaVirus.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionGroupSmallTile.scale-200.png | CoronaVirus.exe
File created | C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\mr.pak.id-3992820B.[[email protected]].ncov | CoronaVirus.exe
Drops file in Windows directory (1 IoCs)
description | ioc | Process
File opened for modification | C:\WINDOWS\Web | Krotten.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 21 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Krotten.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | NetWire.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | !WannaDecryptor!.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | taskkill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | !WannaDecryptor!.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WMIC.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WannaCry.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | NetWire.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | CoronaVirus.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cscript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | !WannaDecryptor!.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | !WannaDecryptor!.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | CoronaVirus.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | NetWire.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | NetWire.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Enumerates system info in registry (2 TTPs, 6 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe

Interacts with shadow copies (3 TTPs, 2 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid | Process
11612 | vssadmin.exe
22904 | vssadmin.exe

Kills process with taskkill (4 IoCs)
pid | Process
5548 | taskkill.exe
5564 | taskkill.exe
5556 | taskkill.exe
5580 | taskkill.exe

Modifies Control Panel (6 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Desktop\WallpaperOriginX = "210" | Krotten.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Desktop\WallpaperOriginY = "187" | Krotten.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Desktop\MenuShowDelay = "9999" | Krotten.exe
Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International | Krotten.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\sTimeFormat = "ÕÓÉ" | Krotten.exe
Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Desktop | Krotten.exe

description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main | Krotten.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Window title = ":::::::::::::::::: ÌÎÉ ÕÓÉ ÏÐÎÒÓÕ À ÏÈÇÄÀ ÃÍÈÅÒ ::::::::::::::::::" | Krotten.exe
Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main | Krotten.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window title = ":::::::::::::::::: ÌÎÉ ÕÓÉ ÏÐÎÒÓÕ À ÏÈÇÄÀ ÃÍÈÅÒ ::::::::::::::::::" | Krotten.exe

Modifies Internet Explorer start page (1 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://poetry.rotten.com/lightning/" | Krotten.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://poetry.rotten.com/lightning/" | Krotten.exe

Modifies data under HKEY_USERS (15 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "162" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | LogonUI.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | LogonUI.exe
Modifies registry class 29 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | NOTEPAD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16" | NOTEPAD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295" | NOTEPAD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}" | NOTEPAD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295" | NOTEPAD.EXE
Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | OpenWith.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202 | NOTEPAD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | NOTEPAD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14" | NOTEPAD.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff | NOTEPAD.EXE
Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2 | NOTEPAD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257" | NOTEPAD.EXE
Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | NOTEPAD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1" | NOTEPAD.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | NOTEPAD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1" | NOTEPAD.EXE
Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\REGFILE\SHELL\OPEN\COMMAND | Krotten.exe
Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 | NOTEPAD.EXE
Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 | NOTEPAD.EXE
Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell | NOTEPAD.EXE
Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | NOTEPAD.EXE
Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | NOTEPAD.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Downloads" | NOTEPAD.EXE
Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | OpenWith.exe
Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259} | NOTEPAD.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff | NOTEPAD.EXE
Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | NOTEPAD.EXE
Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg | NOTEPAD.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4" | NOTEPAD.EXE
NTFS ADS 6 IoCs
description | ioc | Process
File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 80809.crdownload:SmartScreen | msedge.exe
File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 934339.crdownload:SmartScreen | msedge.exe
File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 405127.crdownload:SmartScreen | msedge.exe
File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 417914.crdownload:SmartScreen | msedge.exe
File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 526586.crdownload:SmartScreen | msedge.exe
File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 927228.crdownload:SmartScreen | msedge.exe
Opens file in notepad (likely ransom note) 1 IoCs
pid | Process
5488 | NOTEPAD.EXE
Script User-Agent 2 IoCs
Uses user-agent string associated with script host/environment.
description | flow | ioc
HTTP User-Agent header | 155 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header | 157 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4464 msedge.exe 4464 msedge.exe 1092 msedge.exe 1092 msedge.exe 2496 identity_helper.exe 2496 identity_helper.exe 2612 msedge.exe 2612 msedge.exe 5824 chrome.exe 5824 chrome.exe 1460 msedge.exe 1460 msedge.exe 4484 msedge.exe 4484 msedge.exe 4484 msedge.exe 4484 msedge.exe 5472 msedge.exe 5472 msedge.exe 2068 msedge.exe 2068 msedge.exe 3040 CoronaVirus.exe 3040 CoronaVirus.exe 3040 CoronaVirus.exe 3040 CoronaVirus.exe 3040 CoronaVirus.exe 3040 CoronaVirus.exe 3040 CoronaVirus.exe 3040 CoronaVirus.exe 3040 CoronaVirus.exe 3040 CoronaVirus.exe 3040 CoronaVirus.exe 3040 CoronaVirus.exe 3040 CoronaVirus.exe 3040 CoronaVirus.exe 3040 CoronaVirus.exe 3040 CoronaVirus.exe 3040 CoronaVirus.exe 3040 CoronaVirus.exe 3040 CoronaVirus.exe 3040 CoronaVirus.exe 3040 CoronaVirus.exe 3040 CoronaVirus.exe 3040 CoronaVirus.exe 3040 CoronaVirus.exe 3040 CoronaVirus.exe 3040 CoronaVirus.exe 3040 CoronaVirus.exe 3040 CoronaVirus.exe 3040 CoronaVirus.exe 3040 CoronaVirus.exe 3040 CoronaVirus.exe 3040 CoronaVirus.exe 3040 CoronaVirus.exe 3040 CoronaVirus.exe 3040 CoronaVirus.exe 3040 CoronaVirus.exe 3040 CoronaVirus.exe 3040 CoronaVirus.exe 3040 CoronaVirus.exe 3040 CoronaVirus.exe 3040 CoronaVirus.exe 3040 CoronaVirus.exe 3040 CoronaVirus.exe 3040 CoronaVirus.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid Process 6040 OpenWith.exe 1092 msedge.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 23 IoCs
pid Process 1092 msedge.exe 1092 msedge.exe 1092 msedge.exe 1092 msedge.exe 1092 msedge.exe 1092 msedge.exe 1092 msedge.exe 1092 msedge.exe 1092 msedge.exe 1092 msedge.exe 1092 msedge.exe 1092 msedge.exe 1092 msedge.exe 1092 msedge.exe 5824 chrome.exe 5824 chrome.exe 5824 chrome.exe 1092 msedge.exe 1092 msedge.exe 1092 msedge.exe 1092 msedge.exe 1092 msedge.exe 1092 msedge.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 5548 taskkill.exe Token: SeDebugPrivilege 5556 taskkill.exe Token: SeDebugPrivilege 5580 taskkill.exe Token: SeDebugPrivilege 5564 taskkill.exe Token: SeIncreaseQuotaPrivilege 2728 WMIC.exe Token: SeSecurityPrivilege 2728 WMIC.exe Token: SeTakeOwnershipPrivilege 2728 WMIC.exe Token: SeLoadDriverPrivilege 2728 WMIC.exe Token: SeSystemProfilePrivilege 2728 WMIC.exe Token: SeSystemtimePrivilege 2728 WMIC.exe Token: SeProfSingleProcessPrivilege 2728 WMIC.exe Token: SeIncBasePriorityPrivilege 2728 WMIC.exe Token: SeCreatePagefilePrivilege 2728 WMIC.exe Token: SeBackupPrivilege 2728 WMIC.exe Token: SeRestorePrivilege 2728 WMIC.exe Token: SeShutdownPrivilege 2728 WMIC.exe Token: SeDebugPrivilege 2728 WMIC.exe Token: SeSystemEnvironmentPrivilege 2728 WMIC.exe Token: SeRemoteShutdownPrivilege 2728 WMIC.exe Token: SeUndockPrivilege 2728 WMIC.exe Token: SeManageVolumePrivilege 2728 WMIC.exe Token: 33 2728 WMIC.exe Token: 34 2728 WMIC.exe Token: 35 2728 WMIC.exe Token: 36 2728 WMIC.exe Token: SeIncreaseQuotaPrivilege 2728 WMIC.exe Token: SeSecurityPrivilege 2728 WMIC.exe Token: SeTakeOwnershipPrivilege 2728 WMIC.exe Token: SeLoadDriverPrivilege 2728 WMIC.exe Token: SeSystemProfilePrivilege 2728 WMIC.exe Token: SeSystemtimePrivilege 2728 WMIC.exe Token: SeProfSingleProcessPrivilege 2728 WMIC.exe Token: SeIncBasePriorityPrivilege 2728 WMIC.exe Token: SeCreatePagefilePrivilege 2728 WMIC.exe Token: SeBackupPrivilege 2728 WMIC.exe Token: SeRestorePrivilege 2728 WMIC.exe Token: SeShutdownPrivilege 2728 WMIC.exe Token: SeDebugPrivilege 2728 WMIC.exe Token: SeSystemEnvironmentPrivilege 2728 WMIC.exe Token: SeRemoteShutdownPrivilege 2728 WMIC.exe Token: SeUndockPrivilege 2728 WMIC.exe Token: SeManageVolumePrivilege 2728 WMIC.exe Token: 33 2728 WMIC.exe Token: 34 2728 WMIC.exe Token: 35 2728 WMIC.exe Token: 36 2728 WMIC.exe Token: SeBackupPrivilege 2296 vssvc.exe Token: SeRestorePrivilege 2296 vssvc.exe Token: SeAuditPrivilege 2296 
vssvc.exe Token: SeShutdownPrivilege 5824 chrome.exe Token: SeCreatePagefilePrivilege 5824 chrome.exe Token: SeShutdownPrivilege 5824 chrome.exe Token: SeCreatePagefilePrivilege 5824 chrome.exe Token: SeShutdownPrivilege 5824 chrome.exe Token: SeCreatePagefilePrivilege 5824 chrome.exe Token: SeShutdownPrivilege 5824 chrome.exe Token: SeCreatePagefilePrivilege 5824 chrome.exe Token: SeShutdownPrivilege 5824 chrome.exe Token: SeCreatePagefilePrivilege 5824 chrome.exe Token: SeShutdownPrivilege 5824 chrome.exe Token: SeCreatePagefilePrivilege 5824 chrome.exe Token: SeShutdownPrivilege 5824 chrome.exe Token: SeCreatePagefilePrivilege 5824 chrome.exe Token: SeShutdownPrivilege 5824 chrome.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 1092 msedge.exe 1092 msedge.exe 1092 msedge.exe 1092 msedge.exe 1092 msedge.exe 1092 msedge.exe 1092 msedge.exe 1092 msedge.exe 1092 msedge.exe 1092 msedge.exe 1092 msedge.exe 1092 msedge.exe 1092 msedge.exe 1092 msedge.exe 1092 msedge.exe 1092 msedge.exe 1092 msedge.exe 1092 msedge.exe 1092 msedge.exe 1092 msedge.exe 1092 msedge.exe 1092 msedge.exe 1092 msedge.exe 1092 msedge.exe 1092 msedge.exe 1092 msedge.exe 1092 msedge.exe 1092 msedge.exe 1092 msedge.exe 1092 msedge.exe 1092 msedge.exe 1092 msedge.exe 1092 msedge.exe 1092 msedge.exe 1092 msedge.exe 5824 chrome.exe 5824 chrome.exe 5824 chrome.exe 5824 chrome.exe 5824 chrome.exe 5824 chrome.exe 5824 chrome.exe 5824 chrome.exe 5824 chrome.exe 5824 chrome.exe 5824 chrome.exe 5824 chrome.exe 5824 chrome.exe 5824 chrome.exe 5824 chrome.exe 5824 chrome.exe 5824 chrome.exe 5824 chrome.exe 5824 chrome.exe 5824 chrome.exe 5824 chrome.exe 5824 chrome.exe 5824 chrome.exe 5824 chrome.exe 5824 chrome.exe 5824 chrome.exe 1092 msedge.exe 1092 msedge.exe 1092 msedge.exe -
Suspicious use of SendNotifyMessage 56 IoCs
pid Process 1092 msedge.exe 1092 msedge.exe 1092 msedge.exe 1092 msedge.exe 1092 msedge.exe 1092 msedge.exe 1092 msedge.exe 1092 msedge.exe 1092 msedge.exe 1092 msedge.exe 1092 msedge.exe 1092 msedge.exe 1092 msedge.exe 1092 msedge.exe 1092 msedge.exe 1092 msedge.exe 1092 msedge.exe 1092 msedge.exe 1092 msedge.exe 1092 msedge.exe 1092 msedge.exe 1092 msedge.exe 1092 msedge.exe 1092 msedge.exe 5824 chrome.exe 5824 chrome.exe 5824 chrome.exe 5824 chrome.exe 5824 chrome.exe 5824 chrome.exe 5824 chrome.exe 5824 chrome.exe 5824 chrome.exe 5824 chrome.exe 5824 chrome.exe 5824 chrome.exe 5824 chrome.exe 5824 chrome.exe 5824 chrome.exe 5824 chrome.exe 5824 chrome.exe 5824 chrome.exe 5824 chrome.exe 5824 chrome.exe 5824 chrome.exe 5824 chrome.exe 5824 chrome.exe 5824 chrome.exe 1092 msedge.exe 1092 msedge.exe 1092 msedge.exe 1092 msedge.exe 1092 msedge.exe 1092 msedge.exe 1092 msedge.exe 1092 msedge.exe -
Suspicious use of SetWindowsHookEx 33 IoCs
pid Process 3372 !WannaDecryptor!.exe 3372 !WannaDecryptor!.exe 5788 !WannaDecryptor!.exe 5788 !WannaDecryptor!.exe 5744 !WannaDecryptor!.exe 5744 !WannaDecryptor!.exe 4368 !WannaDecryptor!.exe 4368 !WannaDecryptor!.exe 5200 OpenWith.exe 6040 OpenWith.exe 6040 OpenWith.exe 6040 OpenWith.exe 6040 OpenWith.exe 6040 OpenWith.exe 6040 OpenWith.exe 6040 OpenWith.exe 6040 OpenWith.exe 6040 OpenWith.exe 6040 OpenWith.exe 6040 OpenWith.exe 6040 OpenWith.exe 6040 OpenWith.exe 6040 OpenWith.exe 6040 OpenWith.exe 6040 OpenWith.exe 6040 OpenWith.exe 6040 OpenWith.exe 6040 OpenWith.exe 6040 OpenWith.exe 6040 OpenWith.exe 5488 NOTEPAD.EXE 1092 msedge.exe 11096 LogonUI.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1092 wrote to memory of 3616 1092 msedge.exe 84 PID 1092 wrote to memory of 3616 1092 msedge.exe 84 PID 1092 wrote to memory of 1484 1092 msedge.exe 85 PID 1092 wrote to memory of 1484 1092 msedge.exe 85 PID 1092 wrote to memory of 1484 1092 msedge.exe 85 PID 1092 wrote to memory of 1484 1092 msedge.exe 85 PID 1092 wrote to memory of 1484 1092 msedge.exe 85 PID 1092 wrote to memory of 1484 1092 msedge.exe 85 PID 1092 wrote to memory of 1484 1092 msedge.exe 85 PID 1092 wrote to memory of 1484 1092 msedge.exe 85 PID 1092 wrote to memory of 1484 1092 msedge.exe 85 PID 1092 wrote to memory of 1484 1092 msedge.exe 85 PID 1092 wrote to memory of 1484 1092 msedge.exe 85 PID 1092 wrote to memory of 1484 1092 msedge.exe 85 PID 1092 wrote to memory of 1484 1092 msedge.exe 85 PID 1092 wrote to memory of 1484 1092 msedge.exe 85 PID 1092 wrote to memory of 1484 1092 msedge.exe 85 PID 1092 wrote to memory of 1484 1092 msedge.exe 85 PID 1092 wrote to memory of 1484 1092 msedge.exe 85 PID 1092 wrote to memory of 1484 1092 msedge.exe 85 PID 1092 wrote to memory of 1484 1092 msedge.exe 85 PID 1092 wrote to memory of 1484 1092 msedge.exe 85 PID 1092 wrote to memory of 1484 1092 msedge.exe 85 PID 1092 wrote to memory of 1484 1092 msedge.exe 85 PID 1092 wrote to memory of 1484 1092 msedge.exe 85 PID 1092 wrote to memory of 1484 1092 msedge.exe 85 PID 1092 wrote to memory of 1484 1092 msedge.exe 85 PID 1092 wrote to memory of 1484 1092 msedge.exe 85 PID 1092 wrote to memory of 1484 1092 msedge.exe 85 PID 1092 wrote to memory of 1484 1092 msedge.exe 85 PID 1092 wrote to memory of 1484 1092 msedge.exe 85 PID 1092 wrote to memory of 1484 1092 msedge.exe 85 PID 1092 wrote to memory of 1484 1092 msedge.exe 85 PID 1092 wrote to memory of 1484 1092 msedge.exe 85 PID 1092 wrote to memory of 1484 1092 msedge.exe 85 PID 1092 wrote to memory of 1484 1092 msedge.exe 85 PID 1092 wrote to memory of 1484 1092 msedge.exe 85 PID 1092 wrote to memory of 1484 1092 
msedge.exe 85 PID 1092 wrote to memory of 1484 1092 msedge.exe 85 PID 1092 wrote to memory of 1484 1092 msedge.exe 85 PID 1092 wrote to memory of 1484 1092 msedge.exe 85 PID 1092 wrote to memory of 1484 1092 msedge.exe 85 PID 1092 wrote to memory of 4464 1092 msedge.exe 86 PID 1092 wrote to memory of 4464 1092 msedge.exe 86 PID 1092 wrote to memory of 3268 1092 msedge.exe 87 PID 1092 wrote to memory of 3268 1092 msedge.exe 87 PID 1092 wrote to memory of 3268 1092 msedge.exe 87 PID 1092 wrote to memory of 3268 1092 msedge.exe 87 PID 1092 wrote to memory of 3268 1092 msedge.exe 87 PID 1092 wrote to memory of 3268 1092 msedge.exe 87 PID 1092 wrote to memory of 3268 1092 msedge.exe 87 PID 1092 wrote to memory of 3268 1092 msedge.exe 87 PID 1092 wrote to memory of 3268 1092 msedge.exe 87 PID 1092 wrote to memory of 3268 1092 msedge.exe 87 PID 1092 wrote to memory of 3268 1092 msedge.exe 87 PID 1092 wrote to memory of 3268 1092 msedge.exe 87 PID 1092 wrote to memory of 3268 1092 msedge.exe 87 PID 1092 wrote to memory of 3268 1092 msedge.exe 87 PID 1092 wrote to memory of 3268 1092 msedge.exe 87 PID 1092 wrote to memory of 3268 1092 msedge.exe 87 PID 1092 wrote to memory of 3268 1092 msedge.exe 87 PID 1092 wrote to memory of 3268 1092 msedge.exe 87 PID 1092 wrote to memory of 3268 1092 msedge.exe 87 PID 1092 wrote to memory of 3268 1092 msedge.exe 87 -
System policy modification 1 TTPs 37 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{20D04FE0-3AEA-1069-A2D8-08002B30309D} = "1" | Krotten.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMFUprogramsList = "1" | Krotten.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuSubFolders = "1" | Krotten.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMyMusic = "1" | Krotten.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1" | Krotten.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPrinterTabs = "1" | Krotten.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1" | Krotten.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives = "1044" | Krotten.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFavoritesMenu = "1" | Krotten.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | Krotten.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | Krotten.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoCommonGroups = "1" | Krotten.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMMyPictures = "1" | Krotten.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMMyDocs = "1" | Krotten.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSaveSettings = "1" | Krotten.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoToolbarCustomize = "1" | Krotten.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum | Krotten.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" | Krotten.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoViewOnDrive = "1" | Krotten.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoClose = "1" | Krotten.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Uninstall\NoAddRemovePrograms = "1" | Krotten.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun = "1" | Krotten.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRecentDocsMenu = "1" | Krotten.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoLogOff = "1" | Krotten.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoManageMyComputerVerb = "1" | Krotten.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum\{450D8FBA-AD25-11D0-98A8-0800361B1103} = "1" | Krotten.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoPrinters = "1" | Krotten.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoNetHood = "1" | Krotten.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispCPL = "1" | Krotten.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktop = "1" | Krotten.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoThemesTab = "1" | Krotten.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Uninstall | Krotten.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Krotten.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuPinnedList = "1" | Krotten.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop = "1" | Krotten.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoUserNameInStartMenu = "1" | Krotten.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMHelp = "1" | Krotten.exe
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
(process tree; indentation shows parent/child depth, each entry is the image path, then the command line, then its signatures and PID)

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://hg
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1092

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd450c46f8,0x7ffd450c4708,0x7ffd450c4718
  PID:3616

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,17386394660516285986,7359711545473725503,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
  PID:1484

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,17386394660516285986,7359711545473725503,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
  - Suspicious behavior: EnumeratesProcesses
  PID:4464

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,17386394660516285986,7359711545473725503,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2724 /prefetch:8
  PID:3268

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17386394660516285986,7359711545473725503,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
  PID:2728

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17386394660516285986,7359711545473725503,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
  PID:808

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17386394660516285986,7359711545473725503,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4748 /prefetch:1
  PID:2024

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17386394660516285986,7359711545473725503,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4876 /prefetch:1
  PID:1328

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17386394660516285986,7359711545473725503,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5060 /prefetch:1
  PID:112

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17386394660516285986,7359711545473725503,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3880 /prefetch:1
  PID:668

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17386394660516285986,7359711545473725503,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3504 /prefetch:1
  PID:3372

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17386394660516285986,7359711545473725503,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5248 /prefetch:1
  PID:2436

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17386394660516285986,7359711545473725503,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5020 /prefetch:1
  PID:2132

  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,17386394660516285986,7359711545473725503,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5940 /prefetch:8
  PID:5072

  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,17386394660516285986,7359711545473725503,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5940 /prefetch:8
  - Suspicious behavior: EnumeratesProcesses
  PID:2496

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2096,17386394660516285986,7359711545473725503,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5264 /prefetch:8
  PID:2452

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17386394660516285986,7359711545473725503,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:1
  PID:3328

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2096,17386394660516285986,7359711545473725503,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6272 /prefetch:8
  PID:1072

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2096,17386394660516285986,7359711545473725503,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6076 /prefetch:8
  - Suspicious behavior: EnumeratesProcesses
  PID:2612
  C:\Users\Admin\Downloads\WannaCry.exe
  "C:\Users\Admin\Downloads\WannaCry.exe"
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:1072

    C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 57141736286777.bat
    - System Location Discovery: System Language Discovery
    PID:4588

      C:\Windows\SysWOW64\cscript.exe
      cscript //nologo c.vbs
      - System Location Discovery: System Language Discovery
      PID:4616

    C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe f
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3372

    C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im MSExchange*
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5548

    C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Microsoft.Exchange.*
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5556

    C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sqlserver.exe
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5564

    C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sqlwriter.exe
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5580

    C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe c
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5788

    C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c start /b !WannaDecryptor!.exe v
    - System Location Discovery: System Language Discovery
    PID:5764

      C:\Users\Admin\Downloads\!WannaDecryptor!.exe
      !WannaDecryptor!.exe v
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      PID:5744

        C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
        - System Location Discovery: System Language Discovery
        PID:2892

          C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic shadowcopy delete
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken
          PID:2728

    C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe
    - Executes dropped EXE
    - Sets desktop wallpaper using registry
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4368
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17386394660516285986,7359711545473725503,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6352 /prefetch:1
    PID: 4712

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17386394660516285986,7359711545473725503,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6372 /prefetch:1
    PID: 2288

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17386394660516285986,7359711545473725503,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6704 /prefetch:1
    PID: 1084

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17386394660516285986,7359711545473725503,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6340 /prefetch:1
    PID: 452

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17386394660516285986,7359711545473725503,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5772 /prefetch:1
    PID: 5380

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2096,17386394660516285986,7359711545473725503,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3516 /prefetch:8
    PID: 5064

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17386394660516285986,7359711545473725503,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6416 /prefetch:1
    PID: 5400

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2096,17386394660516285986,7359711545473725503,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5792 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
    PID: 1460

  C:\Users\Admin\Downloads\Krotten.exe
    Command line: "C:\Users\Admin\Downloads\Krotten.exe"
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Modifies WinLogon
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies Control Panel
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    - Modifies registry class
    - System policy modification
    PID: 5800

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,17386394660516285986,7359711545473725503,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6828 /prefetch:2
    - Suspicious behavior: EnumeratesProcesses
    PID: 4484

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17386394660516285986,7359711545473725503,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4656 /prefetch:1
    PID: 2244

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2096,17386394660516285986,7359711545473725503,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6900 /prefetch:8
    PID: 6088

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2096,17386394660516285986,7359711545473725503,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6840 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
    PID: 5472

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17386394660516285986,7359711545473725503,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6944 /prefetch:1
    PID: 5704

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2096,17386394660516285986,7359711545473725503,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1824 /prefetch:8
    PID: 2636

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17386394660516285986,7359711545473725503,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6916 /prefetch:1
    PID: 700

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2096,17386394660516285986,7359711545473725503,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6408 /prefetch:8
    PID: 3044

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2096,17386394660516285986,7359711545473725503,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5132 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
    PID: 2068
  C:\Users\Admin\Downloads\CoronaVirus.exe
    Command line: "C:\Users\Admin\Downloads\CoronaVirus.exe"
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops desktop.ini file(s)
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID: 3040

    C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe"
      PID: 5768

      C:\Windows\system32\mode.com
        Command line: mode con cp select=1251
        PID: 27568

      C:\Windows\system32\vssadmin.exe
        Command line: vssadmin delete shadows /all /quiet
        - Interacts with shadow copies
        PID: 11612

    C:\Windows\system32\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe"
      PID: 23380

      C:\Windows\system32\mode.com
        Command line: mode con cp select=1251
        PID: 23252

      C:\Windows\system32\vssadmin.exe
        Command line: vssadmin delete shadows /all /quiet
        - Interacts with shadow copies
        PID: 22904

    C:\Windows\System32\mshta.exe
      Command line: "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
      PID: 23272

    C:\Windows\System32\mshta.exe
      Command line: "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
      PID: 23260

  C:\Users\Admin\Downloads\CoronaVirus.exe
    Command line: "C:\Users\Admin\Downloads\CoronaVirus.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID: 2328

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,17386394660516285986,7359711545473725503,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5276 /prefetch:1
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 16208

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2096,17386394660516285986,7359711545473725503,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6584 /prefetch:8
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 17868

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2096,17386394660516285986,7359711545473725503,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6176 /prefetch:8
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 6156
  C:\Users\Admin\Downloads\NetWire.exe
    Command line: "C:\Users\Admin\Downloads\NetWire.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID: 24700

    C:\Users\Admin\Downloads\NetWire.exe
      Command line: "C:\Users\Admin\Downloads\NetWire.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID: 24748

  C:\Users\Admin\Downloads\NetWire.exe
    Command line: "C:\Users\Admin\Downloads\NetWire.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID: 11044

    C:\Users\Admin\Downloads\NetWire.exe
      Command line: "C:\Users\Admin\Downloads\NetWire.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID: 11124
C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 380

C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 3304

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  PID: 2296

C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 5392

C:\Windows\system32\OpenWith.exe
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID: 5200

C:\Windows\system32\OpenWith.exe
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID: 6040

  C:\Windows\system32\NOTEPAD.EXE
    Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\00000000.eky
    - Modifies registry class
    - Opens file in notepad (likely ransom note)
    - Suspicious use of SetWindowsHookEx
    PID: 5488

C:\Program Files\Google\Chrome\Application\chrome.exe
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe"
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 5824

  C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffd34e8cc40,0x7ffd34e8cc4c,0x7ffd34e8cc58
    PID: 5764

  C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1876,i,17668092781844796301,6677062947278145979,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1872 /prefetch:2
    PID: 6076

  C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2144,i,17668092781844796301,6677062947278145979,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2180 /prefetch:3
    PID: 5972

  C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2212,i,17668092781844796301,6677062947278145979,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2432 /prefetch:8
    PID: 4348

  C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3132,i,17668092781844796301,6677062947278145979,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3152 /prefetch:1
    PID: 5296

  C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3252,i,17668092781844796301,6677062947278145979,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3352 /prefetch:1
    PID: 5324

  C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4528,i,17668092781844796301,6677062947278145979,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4560 /prefetch:1
    PID: 3608

  C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=240,i,17668092781844796301,6677062947278145979,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4956 /prefetch:8
    - Executes dropped EXE
    - Loads dropped DLL
    PID: 23064

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
  Command line: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
  PID: 1216

C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x4a8 0x504
  PID: 10660

C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x4 /state0:0xa3849055 /state1:0x41c64e6d
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID: 11096
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution 2
    Registry Run Keys / Startup Folder 1
    Winlogon Helper DLL 1
Privilege Escalation
  Boot or Logon Autostart Execution 2
    Registry Run Keys / Startup Folder 1
    Winlogon Helper DLL 1
Defense Evasion
  Direct Volume Access 1
  Indicator Removal 2
    File Deletion 2
  Modify Registry 6
Credential Access
  Credentials from Password Stores 2
    Credentials from Web Browsers 1
    Windows Credential Manager 1
  Unsecured Credentials 1
    Credentials In Files 1
Downloads
-
Filesize
136B
MD5cb4e2039459241feb5f04211de48591e
SHA1b1d2055240b05fad97bc9b0386241d22ff804812
SHA25640f45f785eef5d761248d885ce1c59a768fcd428ee0f0cdba7783206313a489c
SHA5129b3effdee1bc43e5499732033e57be424752c09b1e3adcac1e231598f3fff58fe4d5e85228bc206f4322ea916c36382eb9c89c00db20c3c5ccbacc8f88866a38
-
Filesize
318B
MD5a261428b490a45438c0d55781a9c6e75
SHA1e9eefce11cefcbb7e5168bfb8de8a3c3ac45c41e
SHA2564288d655b7de7537d7ea13fdeb1ba19760bcaf04384cd68619d9e5edb5e31f44
SHA512304887938520ffcc6966da83596ccc8688b7eace9572982c224f3fb9c59e6fb2dcaa021a19d2aae47346e954c0d0d8145c723b7143dece11ac7261dc41ba3d40
-
Filesize
1.2MB
MD57621f79a7f66c25ad6c636d5248abeb9
SHA198304e41f82c3aee82213a286abdee9abf79bcce
SHA256086d35f26bd2fd886e99744960b394d94e74133c40145a3e2bc6b3877b91ec5d
SHA51259ffcf6eeac00c089e9c77192663d0dc97b2e62cedb6d64fe7dc2e67499abc34e33977e05113c9d39ca6d3e37e8b5c3e6aa926c8526215808b147c0152f7dbfd
-
Filesize
224KB
MD55c7fb0927db37372da25f270708103a2
SHA1120ed9279d85cbfa56e5b7779ffa7162074f7a29
SHA256be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844
SHA512a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f89224c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206
-
Filesize
53KB
MD587ccd6f4ec0e6b706d65550f90b0e3c7
SHA1213e6624bff6064c016b9cdc15d5365823c01f5f
SHA256e79f164ccc75a5d5c032b4c5a96d6ad7604faffb28afe77bc29b9173fa3543e4
SHA512a72403d462e2e2e181dbdabfcc02889f001387943571391befed491aaecba830b0869bdd4d82bca137bd4061bbbfb692871b1b4622c4a7d9f16792c60999c990
-
Filesize
1.0MB
MD5055d1462f66a350d9886542d4d79bc2b
SHA1f1086d2f667d807dbb1aa362a7a809ea119f2565
SHA256dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0
SHA5122c5e570226252bdb2104c90d5b75f11493af8ed1be8cb0fd14e3f324311a82138753064731b80ce8e8b120b3fe7009b21a50e9f4583d534080e28ab84b83fee1
-
Filesize
181KB
MD50826df3aaa157edff9c0325f298850c2
SHA1ed35b02fa029f1e724ed65c2de5de6e5c04f7042
SHA2562e4319ff62c03a539b2b2f71768a0cfc0adcaedbcca69dbf235081fe2816248b
SHA512af6c5734fd02b9ad3f202e95f9ff4368cf0dfdaffe0d9a88b781b196a0a3c44eef3d8f7c329ec6e3cbcd3e6ab7c49df7d715489539e631506ca1ae476007a6a6
-
Filesize
7B
MD54047530ecbc0170039e76fe1657bdb01
SHA132db7d5e662ebccdd1d71de285f907e3a1c68ac5
SHA25682254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750
SHA5128f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e
-
Filesize
201B
MD502b937ceef5da308c5689fcdb3fb12e9
SHA1fa5490ea513c1b0ee01038c18cb641a51f459507
SHA2565d57b86aeb52be824875008a6444daf919717408ec45aff4640b5e64610666f1
SHA512843eeae13ac5fdc216b14e40534543c283ecb2b6c31503aba2d25ddd215df19105892e43cf618848742de9c13687d21e8c834eff3f2b69a26df2509a6f992653
-
Filesize
628B
MD54f39471200d5b498b7d3a88820fb6ce3
SHA1e257ac1366afd2a8331e4508a029ecbfbcefbc50
SHA256a1ac4f3ea1f1c17bd0aaebc6c5bd539c20f1ba68c43f1f2b135ac0801b0ed08b
SHA512c2fbb6f67ad641133ff85843ae07058b0b6f20ca98e640451f0d116dd47202804ac724b6bc851f3ed72422d3928d07d5d8ed410927cbf1f9c214f8b74e533982
-
Filesize
42KB
MD5980b08bac152aff3f9b0136b616affa5
SHA12a9c9601ea038f790cc29379c79407356a3d25a3
SHA256402046ada270528c9ac38bbfa0152836fe30fb8e12192354e53b8397421430d9
SHA512100cda1f795781042b012498afd783fd6ff03b0068dbd07b2c2e163cd95e6c6e00755ce16b02b017693c9febc149ed02df9df9b607e2b9cca4b07e5bd420f496
-
Filesize
236KB
MD5cf1416074cd7791ab80a18f9e7e219d9
SHA1276d2ec82c518d887a8a3608e51c56fa28716ded
SHA25678e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df
SHA5120bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5
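The dropped-file list above is what an analyst turns into a hash blocklist or a hunt query, and the exported text arrives with each label fused to its digest ("MD52ec25..."). The Python below is an added example, not part of the tria.ge report or its tooling: it parses that dump into one record per file, rejects digests of the wrong length or non-hex content, emits a deduplicated SHA256 list, and checks a local file or in-memory blob against the list. The two sample entries are copied from this report; the bytes hashed in the checks and all function names are my own constructions. Matching defaults to SHA256 because MD5 and SHA1 are collision-prone, and a SHA256 hit whose MD5/SHA1 disagree with the record is reported as an inconsistency rather than trusted.

```python
import hashlib
import re
from typing import Dict, List, Optional

# Hex-digest length for each algorithm the sandbox report lists.
DIGEST_HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
LABEL_RE = re.compile(r"^(Filesize|MD5|SHA1|SHA256|SHA512)\s*(.*)$")

# Two entries copied from this report's dropped-file list, exactly as the
# export fuses label and value ("MD52ec2..."); '-' lines delimit entries.
SAMPLE_DUMP = """\
Filesize
1KB
MD52ec2575bb14f4e32c44a465ee9673d21
SHA1fa4d7754b633b1f296ecee98b2e700326cd81f0a
SHA25690c32517f9c6e01be74581566c16a170cfe14b5cde1f470353072a9e9105d3d8
SHA5127b1a29e262105ef39b501a3eb52cad8d7ac2912dc257bac2e9be5f6f7d37e0fe11a9c67da386c8eb7cee5aae06fc433cf02b8182d6f76d1d44baacb6ca0c7074
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
"""


def parse_hash_dump(text: str) -> List[Dict[str, str]]:
    """One dict per dropped file. A label with nothing after it (the report
    puts Filesize's value on the following line) consumes the next line.
    Digests are lower-cased and must be exactly the expected hex length."""
    entries: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    i = 0
    while i < len(lines):
        line = lines[i]
        i += 1
        if line == "-":                      # entry separator
            if current:
                entries.append(current)
            current = {}
            continue
        m = LABEL_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised line: {line!r}")
        label, value = m.group(1), m.group(2).strip()
        if not value and i < len(lines):     # value sits on the next line
            value = lines[i]
            i += 1
        if label in DIGEST_HEX_LEN:
            value = value.lower()
            want = DIGEST_HEX_LEN[label]
            if len(value) != want or not re.fullmatch(r"[0-9a-f]+", value):
                raise ValueError(f"{label} digest {value!r} is not {want} hex chars")
        current[label] = value
    if current:
        entries.append(current)
    return entries


def digests_of_bytes(data: bytes) -> Dict[str, str]:
    """The same four digests the report lists, for a blob already in memory."""
    return {
        "MD5": hashlib.md5(data).hexdigest(),
        "SHA1": hashlib.sha1(data).hexdigest(),
        "SHA256": hashlib.sha256(data).hexdigest(),
        "SHA512": hashlib.sha512(data).hexdigest(),
    }


def digests_of_file(path: str) -> Dict[str, str]:
    """Same digests for a file on disk, streamed in 1 MiB chunks."""
    hashers = {"MD5": hashlib.md5(), "SHA1": hashlib.sha1(),
               "SHA256": hashlib.sha256(), "SHA512": hashlib.sha512()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def find_match(entries: List[Dict[str, str]], digests: Dict[str, str],
               algo: str = "SHA256") -> Optional[Dict[str, str]]:
    """Look a computed digest up in the parsed list. After a hit on `algo`,
    every other digest present in the record must agree too; a record whose
    MD5/SHA1 disagree is flagged instead of returned."""
    for entry in entries:
        if entry.get(algo) == digests[algo]:
            off = [a for a in DIGEST_HEX_LEN if a in entry and entry[a] != digests[a]]
            if off:
                raise ValueError(f"{algo} matched but {off} disagree with the record")
            return entry
    return None


def sha256_iocs(entries: List[Dict[str, str]]) -> List[str]:
    """Deduplicated, sorted SHA256 values ready for a blocklist or hunt query."""
    return sorted({e["SHA256"] for e in entries if "SHA256" in e})


if __name__ == "__main__":
    for h in sha256_iocs(parse_hash_dump(SAMPLE_DUMP)):
        print(h)
```

To check a quarantined file against the full list, paste the report's export into `parse_hash_dump` and call `find_match(entries, digests_of_file(path))`; a `None` result means no exact-content match, which for per-victim artifacts such as ransom notes is the expected outcome rather than a clean verdict.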