Resubmissions
  submitted          | task id             | score
  25/03/2025, 20:32  | 250325-za94cawjy9   | 10
  25/03/2025, 20:27  | 250325-y8rtzsssax   | 10
  25/03/2025, 20:24  | 250325-y66v5a11hv   | 10
  25/03/2025, 20:20  | 250325-y4nlrs11dy   | 7
  25/03/2025, 20:16  | 250325-y2jj2a11bz   | 7
  25/03/2025, 20:12  | 250325-yys93a1zfw   | 6
  25/03/2025, 20:08  | 250325-ywskravqw6   | 8

Analysis
  max time kernel   149s
  max time network  147s
  platform          windows10-2004_x64
  resource          win10v2004-20250314-en
  resource tags     arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
  submitted         25/03/2025, 20:32
Static task      static1
URLScan task     urlscan1
Behavioral task  behavioral1
  Sample    http://Google.com
  Resource  win10v2004-20250314-en
General
  Target  http://Google.com
Malware Config
Signatures
Chaos
Ransomware family first seen in June 2021.
Chaos Ransomware (4 IoCs)
  resource | yara_rule
  behavioral1/files/0x0008000000024285-1098.dat | family_chaos
  behavioral1/memory/4920-1101-0x0000000000650000-0x0000000000670000-memory.dmp | family_chaos
  behavioral1/memory/5220-1190-0x0000000000400000-0x00000000005D5000-memory.dmp | family_chaos
  behavioral1/memory/5220-1195-0x0000000000400000-0x00000000005D5000-memory.dmp | family_chaos
Chaos family
UAC bypass (3 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | reg.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Writing these HKLM policy values requires administrative rights, so this is UAC being switched off (silent elevation for administrators, then no UAC at all after the next reboot) by a process that already runs elevated, not an exploit of UAC itself.
Deletes shadow copies (3 TTPs)
Ransomware often targets backup files to inhibit system recovery.
Modifies boot configuration data using bcdedit (1 TTP, 2 IoCs)
  pid | Process
  880 | bcdedit.exe
  2900 | bcdedit.exe
  pid | Process
  1648 | wbadmin.exe
Disables Task Manager via registry modification
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up the country code configured in the registry, likely a geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation | cmd.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation | Cov29Cry.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation | svchost.exe
Drops startup file (3 IoCs)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url | svchost.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | svchost.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\covid29-is-here.txt | svchost.exe
Executes dropped EXE (4 IoCs)
  pid | Process
  4696 | mbr.exe
  4920 | Cov29Cry.exe
  436 | svchost.exe
  3104 | Cov29LockScreen.exe
The svchost.exe listed here (PID 436) is a dropped file that borrows the name of the Windows service host; it is the process behind the Startup-folder, desktop.ini and wallpaper IoCs in this report.
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Drops desktop.ini file(s) (34 IoCs)
All 34 entries are "File opened for modification" by svchost.exe:
  C:\Users\Admin\Saved Games\desktop.ini
  C:\Users\Admin\Favorites\Links\desktop.ini
  C:\Users\Admin\Searches\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini
  C:\Users\Public\Documents\desktop.ini
  C:\Users\Public\Desktop\desktop.ini
  C:\Users\Admin\Downloads\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini
  C:\Users\Public\Pictures\desktop.ini
  C:\Users\Admin\Documents\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini
  C:\Users\Admin\Links\desktop.ini
  C:\Users\Admin\Pictures\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini
  C:\Users\Admin\Favorites\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
  C:\Users\Admin\Contacts\desktop.ini
  C:\Users\Admin\Pictures\Camera Roll\desktop.ini
  C:\Users\Admin\Music\desktop.ini
  C:\Users\Admin\Videos\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
  C:\Users\Public\Music\desktop.ini
  C:\Users\Admin\Desktop\desktop.ini
  C:\Users\Admin\Pictures\Saved Pictures\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini
  C:\Users\Public\Videos\desktop.ini
  F:\$RECYCLE.BIN\S-1-5-21-3218366390-1258052702-4267193707-1000\desktop.ini
  C:\Users\Admin\OneDrive\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 3 IoCs)
  flow | ioc
  237 | raw.githubusercontent.com
  238 | raw.githubusercontent.com
  239 | raw.githubusercontent.com
Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
Bootkits write to the MBR to gain persistence at a level below the operating system.
  description | ioc | Process
  File opened for modification | \??\PhysicalDrive0 | mbr.exe
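As an added example (editor's code, not part of the Triage report or of the sample), the three file-system behaviours listed under Drops startup file, Drops desktop.ini file(s) and Writes to the Master Boot Record can be expressed as checks over structured file events. The events below are constructed from the report's own rows, plus one benign msedge.exe row as a negative case; the operation strings follow the report's wording, and the sweep threshold of 10 directories is an assumption.

```python
"""Added example, not part of the sandbox report: file-event checks for a
raw physical-disk handle opened for writing (MBR overwrite), files dropped
into a per-user Startup folder, and one process touching desktop.ini across
many directories (an encryption sweep crossing into F:).  Events are
constructed from the report's rows; SWEEP_THRESHOLD is an assumed value."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

FileEvent = Tuple[str, str, str]   # (operation, path, process)

STARTUP = r'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'

# Constructed sample built from rows in the report (one benign msedge.exe row added).
SAMPLE_EVENTS: List[FileEvent] = [
    ('File opened for modification', r'\??\PhysicalDrive0', 'mbr.exe'),
    ('File created', STARTUP + r'\svchost.url', 'svchost.exe'),
    ('File created', STARTUP + r'\covid29-is-here.txt', 'svchost.exe'),
    ('File opened for modification', STARTUP + r'\desktop.ini', 'svchost.exe'),
    ('File created', r'C:\Program Files\chrome_Unpacker_BeginUnzipping5800_80530989\manifest.json', 'msedge.exe'),
] + [
    ('File opened for modification', p, 'svchost.exe') for p in (
        r'C:\Users\Admin\Saved Games\desktop.ini',
        r'C:\Users\Admin\Favorites\Links\desktop.ini',
        r'C:\Users\Admin\Searches\desktop.ini',
        r'C:\Users\Admin\Downloads\desktop.ini',
        r'C:\Users\Admin\Documents\desktop.ini',
        r'C:\Users\Admin\Pictures\desktop.ini',
        r'C:\Users\Admin\Music\desktop.ini',
        r'C:\Users\Admin\Videos\desktop.ini',
        r'C:\Users\Admin\Desktop\desktop.ini',
        r'C:\Users\Public\Documents\desktop.ini',
        r'C:\Users\Admin\OneDrive\desktop.ini',
        r'F:\$RECYCLE.BIN\S-1-5-21-3218366390-1258052702-4267193707-1000\desktop.ini',
    )
]

# NT device path of a whole physical disk, e.g. \??\PhysicalDrive0
RAW_DISK_RE = re.compile(r'^\\\?\?\\physicaldrive\d+$', re.IGNORECASE)
STARTUP_MARKER = '\\start menu\\programs\\startup\\'
SWEEP_THRESHOLD = 10   # assumed: distinct directories before a sweep is reported


def raw_disk_opens(events):
    """Processes that open \\??\\PhysicalDriveN for modification (MBR/bootkit writes)."""
    return [(proc, path) for op, path, proc in events
            if op == 'File opened for modification' and RAW_DISK_RE.match(path)]


def startup_drops(events):
    """Files created inside a Start Menu Startup folder (run-at-logon persistence)."""
    return [(proc, path) for op, path, proc in events
            if op == 'File created' and STARTUP_MARKER in path.lower()]


def desktop_ini_sweeps(events, threshold=SWEEP_THRESHOLD):
    """Per process, the number of distinct directories whose desktop.ini was opened
    for modification; only processes at or above the threshold are returned."""
    dirs: Dict[str, set] = defaultdict(set)
    for op, path, proc in events:
        parent, _, name = path.rpartition('\\')
        if op == 'File opened for modification' and name.lower() == 'desktop.ini':
            dirs[proc].add(parent.lower())
    return {proc: len(d) for proc, d in dirs.items() if len(d) >= threshold}


def analyse(events):
    """Run all three checks and return their findings keyed by check name."""
    return {
        'raw_disk_opens': raw_disk_opens(events),
        'startup_drops': startup_drops(events),
        'desktop_ini_sweeps': desktop_ini_sweeps(events),
    }


if __name__ == '__main__':
    for check, finding in analyse(SAMPLE_EVENTS).items():
        print(f'{check:<20} {finding}')
```

The desktop.ini count is a proxy for directory traversal: the report's own rows show the same process touching user, Public and F: volume directories, which is the pattern a per-process directory counter catches while a single-path rule would not. The raw-disk check fires on the device path alone, because a legitimate process has almost no reason to open \??\PhysicalDrive0 for modification.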
Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gur9ju1pa.jpg" | svchost.exe
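As an added example (editor's code, not from the report), the registry IoCs under UAC bypass, Disables Task Manager via registry modification and Sets desktop wallpaper using registry can be parsed directly from the report's "Set value" lines and scored. The sample lines are constructed from the report; the DisableTaskMgr line is an assumption, because the report lists no IoC for that signature, and the MITRE technique IDs are the editor's mapping.

```python
"""Added example, not part of the sandbox report: parse registry "Set value"
IoC lines of the shape this report uses and evaluate them against a few
ransomware-style rules (UAC policy values zeroed, Task Manager disabled,
wallpaper pointed at a file under %TEMP%).  Input lines are constructed
from the report's IoCs; the DisableTaskMgr line is an assumption."""
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Constructed sample input: 'Set value (<type>) <key>\<value> = "<data>" <process>'
SAMPLE_LINES = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" reg.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" reg.exe',
    # Assumed IoC: the report only states "Disables Task Manager via registry modification".
    r'Set value (int) \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" reg.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gur9ju1pa.jpg" svchost.exe',
    r'Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133874083411517241" msedge.exe',
]

LINE_RE = re.compile(r'^Set value \((?P<vtype>\w+)\) (?P<path>.+?) = "(?P<data>.*)" (?P<proc>\S+)$')
SID_RE = re.compile(r'^(S-1-5-[\d-]+(?:_Classes)?)\\(.*)$')
HKLM_PREFIX = '\\REGISTRY\\MACHINE\\'
HKU_PREFIX = '\\REGISTRY\\USER\\'


@dataclass(frozen=True)
class RegSet:
    hive: str            # "HKLM" or "HKU"
    sid: Optional[str]   # user SID for HKU entries, else None
    key: str             # key path relative to the hive (and SID), lower-cased
    value: str           # value name, lower-cased
    vtype: str           # int / str as written in the report
    data: str            # data with the report's doubled backslashes collapsed
    process: str


def parse_regset(line: str) -> Optional[RegSet]:
    """Turn one report line into a RegSet; None if it is not a 'Set value' line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    key, _, value = m['path'].rpartition('\\')
    if key.upper().startswith(HKLM_PREFIX):
        hive, sid, rel = 'HKLM', None, key[len(HKLM_PREFIX):]
    elif key.upper().startswith(HKU_PREFIX):
        sm = SID_RE.match(key[len(HKU_PREFIX):])
        if not sm:
            return None
        hive, sid, rel = 'HKU', sm.group(1), sm.group(2)
    else:
        return None
    data = m['data'].replace('\\\\', '\\')
    return RegSet(hive, sid, rel.lower(), value.lower(), m['vtype'], data, m['proc'])


POLICIES_SYSTEM = 'software\\microsoft\\windows\\currentversion\\policies\\system'
TEMP_MARKER = '\\appdata\\local\\temp\\'


def _as_int(r: RegSet) -> Optional[int]:
    try:
        return int(r.data)
    except ValueError:
        return None


# (rule name, MITRE technique, predicate); the technique mapping is the editor's.
RULES: List[Tuple[str, str, Callable[[RegSet], bool]]] = [
    ('uac_disabled', 'T1548.002',
     lambda r: r.hive == 'HKLM' and r.key == POLICIES_SYSTEM and r.value == 'enablelua' and _as_int(r) == 0),
    ('uac_prompt_silent', 'T1548.002',
     lambda r: r.hive == 'HKLM' and r.key == POLICIES_SYSTEM and r.value == 'consentpromptbehavioradmin' and _as_int(r) == 0),
    ('taskmgr_disabled', 'T1562.001',
     lambda r: r.key == POLICIES_SYSTEM and r.value == 'disabletaskmgr' and _as_int(r) == 1),
    ('wallpaper_from_temp', 'T1491.001',
     lambda r: r.key == 'control panel\\desktop' and r.value == 'wallpaper' and TEMP_MARKER in r.data.lower()),
]


def evaluate(lines):
    """Return (rule, technique, process) for every rule that a line triggers."""
    hits = []
    for line in lines:
        r = parse_regset(line)
        if r is None:
            continue
        hits.extend((name, tech, r.process) for name, tech, pred in RULES if pred(r))
    return hits


if __name__ == '__main__':
    for name, tech, proc in evaluate(SAMPLE_LINES):
        print(f'{name:<22} {tech:<10} {proc}')
```

Normalising the hive and stripping the SID lets one rule cover HKLM and any user hive, which matters because the same Policies\System key carries EnableLUA under HKLM and DisableTaskMgr under the user's hive. The TPM telemetry line written by msedge.exe parses cleanly and matches nothing, which is the expected outcome for browser noise.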
YARA rule upx (3 IoCs)
  resource | yara_rule
  behavioral1/memory/5220-1045-0x0000000000400000-0x00000000005D5000-memory.dmp | upx
  behavioral1/memory/5220-1190-0x0000000000400000-0x00000000005D5000-memory.dmp | upx
  behavioral1/memory/5220-1195-0x0000000000400000-0x00000000005D5000-memory.dmp | upx
Drops file in Program Files directory (17 IoCs)
All 17 entries are "File created" by msedge.exe:
  C:\Program Files\chrome_Unpacker_BeginUnzipping5800_1954406893\protocols.json
  C:\Program Files\chrome_Unpacker_BeginUnzipping5800_80530989\_metadata\verified_contents.json
  C:\Program Files\chrome_Unpacker_BeginUnzipping5800_1069800750\manifest.fingerprint
  C:\Program Files\chrome_Unpacker_BeginUnzipping5800_80530989\LICENSE
  C:\Program Files\chrome_Unpacker_BeginUnzipping5800_80530989\manifest.json
  C:\Program Files\chrome_Unpacker_BeginUnzipping5800_1416488583\manifest.json
  C:\Program Files\chrome_Unpacker_BeginUnzipping5800_1954406893\manifest.fingerprint
  C:\Program Files\chrome_Unpacker_BeginUnzipping5800_1927916418\manifest.json
  C:\Program Files\chrome_Unpacker_BeginUnzipping5800_1927916418\manifest.fingerprint
  C:\Program Files\chrome_Unpacker_BeginUnzipping5800_80530989\sets.json
  C:\Program Files\chrome_Unpacker_BeginUnzipping5800_1069800750\office_endpoints_list.json
  C:\Program Files\chrome_Unpacker_BeginUnzipping5800_1069800750\smart_switch_list.json
  C:\Program Files\chrome_Unpacker_BeginUnzipping5800_1416488583\manifest.fingerprint
  C:\Program Files\chrome_Unpacker_BeginUnzipping5800_1954406893\manifest.json
  C:\Program Files\chrome_Unpacker_BeginUnzipping5800_1927916418\nav_config.json
  C:\Program Files\chrome_Unpacker_BeginUnzipping5800_1069800750\manifest.json
  C:\Program Files\chrome_Unpacker_BeginUnzipping5800_80530989\manifest.fingerprint
These are Edge unpacking its own component updates (the 5800 in the directory names is the browser's PID), not sample activity.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 16 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
All 16 entries are "Key opened" on \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by these processes in order:
  PING.EXE, TrojanRansomCovid29.exe, PING.EXE, mbr.exe, shutdown.exe, taskkill.exe, Cov29LockScreen.exe, cmd.exe, reg.exe, WScript.exe, reg.exe (x6)
This key is read by ordinary Windows utilities (ping, cmd and reg all appear here), so on its own it is a low-signal indicator.
System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 2 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
  pid | Process
  3872 | PING.EXE
  5720 | PING.EXE
Checks SCSI registry key(s) (3 TTPs, 4 IoCs)
SCSI information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | vds.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | vds.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | vds.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | vds.exe
These reads come from vds.exe (the Windows Virtual Disk Service), not from the sample, and the QEMU vendor strings describe the sandbox's own virtual hardware.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | msedge.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Interacts with shadow copies (3 TTPs, 1 IoC)
Shadow copies are often targeted by ransomware to inhibit system recovery.
  pid | Process
  5132 | vssadmin.exe
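As an added example (editor's code, not from the report), the Deletes shadow copies, Modifies boot configuration data using bcdedit, wbadmin and Interacts with shadow copies signatures can be collapsed into one recovery-inhibition detection (MITRE T1490) over process-creation events. The PIDs and image names are the ones the report lists; the command lines are constructed assumptions, since the report records only PIDs for these processes, and the two-technique verdict threshold is the editor's choice.

```python
"""Added example, not part of the sandbox report: classify process-creation
events for recovery-inhibiting commands (shadow copy deletion via vssadmin
or wmic, backup catalog deletion via wbadmin, recovery disabled via bcdedit)
and raise a verdict once two distinct techniques are seen.  PIDs and image
names come from the report; the command lines are assumed."""
from typing import Dict, List, Optional, Tuple

Event = Tuple[int, str, str]   # (pid, image name, command line)

# Constructed sample: command lines are assumed, not taken from the report.
SAMPLE_EVENTS: List[Event] = [
    (5132, 'vssadmin.exe', 'vssadmin delete shadows /all /quiet'),
    (1296, 'WMIC.exe', 'wmic shadowcopy delete'),
    (1648, 'wbadmin.exe', 'wbadmin delete catalog -quiet'),
    (880, 'bcdedit.exe', 'bcdedit /set {default} bootstatuspolicy ignoreallfailures'),
    (2900, 'bcdedit.exe', 'bcdedit /set {default} recoveryenabled no'),
    (3872, 'PING.EXE', 'ping 127.0.0.1 -n 3'),                    # delay loop, must not match
    (4580, 'vssvc.exe', 'C:\\Windows\\system32\\vssvc.exe'),      # the VSS service itself, must not match
]

# (technique label, image name, tokens that must appear in this order)
RULES: List[Tuple[str, str, Tuple[str, ...]]] = [
    ('shadow_copy_deletion', 'vssadmin.exe', ('delete', 'shadows')),
    ('shadow_copy_deletion', 'wmic.exe', ('shadowcopy', 'delete')),
    ('backup_catalog_deletion', 'wbadmin.exe', ('delete', 'catalog')),
    ('recovery_disabled', 'bcdedit.exe', ('recoveryenabled', 'no')),
    ('recovery_disabled', 'bcdedit.exe', ('bootstatuspolicy', 'ignoreallfailures')),
]


def contains_sequence(tokens: List[str], seq: Tuple[str, ...]) -> bool:
    """True if seq occurs as a contiguous run inside tokens."""
    n = len(seq)
    return any(tuple(tokens[i:i + n]) == seq for i in range(len(tokens) - n + 1))


def classify(event: Event) -> List[str]:
    """Technique labels matched by one event (empty list if none)."""
    _pid, image, cmdline = event
    tokens = cmdline.lower().split()
    image = image.lower()
    return sorted({label for label, img, seq in RULES
                   if img == image and contains_sequence(tokens, seq)})


def assess(events: List[Event]):
    """Group matching PIDs by technique; the verdict fires when two or more
    distinct recovery-inhibition techniques appear in the event set."""
    hits: Dict[str, List[int]] = {}
    for ev in events:
        for label in classify(ev):
            hits.setdefault(label, []).append(ev[0])
    verdict: Optional[str] = 'inhibit_system_recovery' if len(hits) >= 2 else None
    return hits, verdict


if __name__ == '__main__':
    found, result = assess(SAMPLE_EVENTS)
    for label, pids in found.items():
        print(f'{label:<26} pids={pids}')
    print('verdict:', result)
```

Matching on the image name plus an ordered token pair keeps `vssadmin list shadows` and the VSS service process out of the hit set, while still catching the wmic form, which does not involve vssadmin.exe at all. Requiring two distinct techniques before the verdict fires is what separates a ransomware run from an administrator clearing old shadow copies once.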
Kills process with taskkill (1 IoC)
  pid | Process
  680 | taskkill.exe
Modifies data under HKEY_USERS (2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | msedge.exe
  Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133874083411517241" | msedge.exe
Modifies registry class (5 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings | svchost.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | msedge.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3218366390-1258052702-4267193707-1000\{96CAB3A1-389D-402D-9363-E19272C0917E} | msedge.exe
  Key created | \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings | msedge.exe
  Key created | \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000_Classes\Local Settings | cmd.exe
Modifies registry key (1 TTP, 7 IoCs)
  pid | Process
  3420 | reg.exe
  1092 | reg.exe
  4088 | reg.exe
  1912 | reg.exe
  5316 | reg.exe
  3816 | reg.exe
  2484 | reg.exe
Runs ping.exe (1 TTP, 2 IoCs)
  pid | Process
  3872 | PING.EXE
  5720 | PING.EXE
Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid | Process
  436 | svchost.exe
Suspicious behavior: EnumeratesProcesses (51 IoCs)
  pid | Process
  4920 | Cov29Cry.exe (x4)
  4872 | msedge.exe (x2)
  4920 | Cov29Cry.exe (x20)
  436 | svchost.exe (x25)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (8 IoCs)
  pid | Process
  5800 | msedge.exe (x8)
Suspicious use of AdjustPrivilegeToken (53 IoCs)
  description | pid | Process
  Token: SeShutdownPrivilege | 3976 | shutdown.exe
  Token: SeRemoteShutdownPrivilege | 3976 | shutdown.exe
  Token: SeDebugPrivilege | 4920 | Cov29Cry.exe
  Token: SeDebugPrivilege | 436 | svchost.exe
  Token: SeBackupPrivilege | 4580 | vssvc.exe
  Token: SeRestorePrivilege | 4580 | vssvc.exe
  Token: SeAuditPrivilege | 4580 | vssvc.exe
  The following 21-token sequence is listed twice for PID 1296 WMIC.exe (42 rows):
  Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 | 1296 | WMIC.exe
  Token: SeDebugPrivilege | 680 | taskkill.exe
  Token: SeBackupPrivilege | 4428 | wbengine.exe
  Token: SeRestorePrivilege | 4428 | wbengine.exe
  Token: SeSecurityPrivilege | 4428 | wbengine.exe
WMIC.exe enabling its entire privilege set is that tool's normal start-up behaviour, and vssvc.exe and wbengine.exe are the Windows services that vssadmin and wbadmin drive; the rows that point at the sample are SeDebugPrivilege for Cov29Cry.exe and the dropped svchost.exe, and the shutdown privileges taken by shutdown.exe.
Suspicious use of FindShellTrayWindow (34 IoCs)
  pid | Process
  5800 | msedge.exe (x34)
Suspicious use of SendNotifyMessage (24 IoCs)
  pid | Process
  5800 | msedge.exe (x24)
Suspicious use of SetWindowsHookEx (1 IoC)
  pid | Process
  3104 | Cov29LockScreen.exe
Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | Process | procid_target
  PID 5800 wrote to memory of 5020 | 5800 | msedge.exe | 86 (x2)
  PID 5800 wrote to memory of 4416 | 5800 | msedge.exe | 87 (x2)
  PID 5800 wrote to memory of 5584 | 5800 | msedge.exe | 88 (x51)
  PID 5800 wrote to memory of 3496 | 5800 | msedge.exe | 89 (x9)
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
Only Microsoft Edge's own process tree for the submitted URL is listed below; the processes referenced by the signatures above (Cov29Cry.exe, mbr.exe, the dropped svchost.exe, Cov29LockScreen.exe and the reg, bcdedit, vssadmin, wbadmin and WMIC helpers) do not appear in it.
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (level 1, PID 5800)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://Google.com
  - Drops file in Program Files directory
  - Checks processor information in registry
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (level 2, PID 5020)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x23c,0x240,0x244,0x238,0x258,0x7ff989a3f208,0x7ff989a3f214,0x7ff989a3f220
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (level 2, PID 4416)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1964,i,4037038034349188908,1299483070651919348,262144 --variations-seed-version --mojo-platform-channel-handle=2256 /prefetch:3
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (level 2, PID 5584)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2228,i,4037038034349188908,1299483070651919348,262144 --variations-seed-version --mojo-platform-channel-handle=2224 /prefetch:2
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (level 2, PID 3496)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2440,i,4037038034349188908,1299483070651919348,262144 --variations-seed-version --mojo-platform-channel-handle=2516 /prefetch:8
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (level 2, PID 1356)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3464,i,4037038034349188908,1299483070651919348,262144 --variations-seed-version --mojo-platform-channel-handle=3476 /prefetch:1
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (level 2, PID 5420)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3388,i,4037038034349188908,1299483070651919348,262144 --variations-seed-version --mojo-platform-channel-handle=3548 /prefetch:1
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (level 2, PID 872)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4216,i,4037038034349188908,1299483070651919348,262144 --variations-seed-version --mojo-platform-channel-handle=4236 /prefetch:1
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (level 2, PID 3620)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=4244,i,4037038034349188908,1299483070651919348,262144 --variations-seed-version --mojo-platform-channel-handle=4292 /prefetch:2
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (level 2, PID 2620)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4240,i,4037038034349188908,1299483070651919348,262144 --variations-seed-version --mojo-platform-channel-handle=4260 /prefetch:8
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (level 2, PID 1860)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5360,i,4037038034349188908,1299483070651919348,262144 --variations-seed-version --mojo-platform-channel-handle=5352 /prefetch:8
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (level 2, PID 5760)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --always-read-main-dll --field-trial-handle=5176,i,4037038034349188908,1299483070651919348,262144 --variations-seed-version --mojo-platform-channel-handle=5524 /prefetch:1
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (level 2, PID 1428)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5416,i,4037038034349188908,1299483070651919348,262144 --variations-seed-version --mojo-platform-channel-handle=5320 /prefetch:8
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (level 2, PID 3116)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5404,i,4037038034349188908,1299483070651919348,262144 --variations-seed-version --mojo-platform-channel-handle=5376 /prefetch:8
  C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe  (level 2, PID 5364)
    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3588,i,4037038034349188908,1299483070651919348,262144 --variations-seed-version --mojo-platform-channel-handle=6072 /prefetch:8
  C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe  (level 2, PID 3736)
    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3588,i,4037038034349188908,1299483070651919348,262144 --variations-seed-version --mojo-platform-channel-handle=6072 /prefetch:8
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (level 2, PID 1340)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3868,i,4037038034349188908,1299483070651919348,262144 --variations-seed-version --mojo-platform-channel-handle=3856 /prefetch:8
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (level 2, PID 4952)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6224,i,4037038034349188908,1299483070651919348,262144 --variations-seed-version --mojo-platform-channel-handle=6248 /prefetch:8
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (level 2, PID 6100)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6324,i,4037038034349188908,1299483070651919348,262144 --variations-seed-version --mojo-platform-channel-handle=6320 /prefetch:8
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (level 2, PID 920)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6364,i,4037038034349188908,1299483070651919348,262144 --variations-seed-version --mojo-platform-channel-handle=6328 /prefetch:8
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (level 2, PID 4372)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6512,i,4037038034349188908,1299483070651919348,262144 --variations-seed-version --mojo-platform-channel-handle=6520 /prefetch:8
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (level 2, PID 3080)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6504,i,4037038034349188908,1299483070651919348,262144 --variations-seed-version --mojo-platform-channel-handle=6668 /prefetch:8
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (level 2, PID 848)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6824,i,4037038034349188908,1299483070651919348,262144 --variations-seed-version --mojo-platform-channel-handle=6516 /prefetch:8
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (level 2, PID 4664)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6980,i,4037038034349188908,1299483070651919348,262144 --variations-seed-version --mojo-platform-channel-handle=6808 /prefetch:8
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (level 2, PID 5104)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6340,i,4037038034349188908,1299483070651919348,262144 --variations-seed-version --mojo-platform-channel-handle=6244 /prefetch:8
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6756,i,4037038034349188908,1299483070651919348,262144 --variations-seed-version --mojo-platform-channel-handle=4980 /prefetch:82⤵PID:3124
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6744,i,4037038034349188908,1299483070651919348,262144 --variations-seed-version --mojo-platform-channel-handle=6736 /prefetch:82⤵PID:4620
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --always-read-main-dll --field-trial-handle=6660,i,4037038034349188908,1299483070651919348,262144 --variations-seed-version --mojo-platform-channel-handle=4304 /prefetch:12⤵PID:2444
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --always-read-main-dll --field-trial-handle=5012,i,4037038034349188908,1299483070651919348,262144 --variations-seed-version --mojo-platform-channel-handle=5212 /prefetch:12⤵PID:444
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5300,i,4037038034349188908,1299483070651919348,262144 --variations-seed-version --mojo-platform-channel-handle=5252 /prefetch:82⤵PID:2992
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6652,i,4037038034349188908,1299483070651919348,262144 --variations-seed-version --mojo-platform-channel-handle=6692 /prefetch:82⤵PID:3936
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7076,i,4037038034349188908,1299483070651919348,262144 --variations-seed-version --mojo-platform-channel-handle=7064 /prefetch:82⤵PID:4736
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6884,i,4037038034349188908,1299483070651919348,262144 --variations-seed-version --mojo-platform-channel-handle=6956 /prefetch:82⤵PID:5868
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5388,i,4037038034349188908,1299483070651919348,262144 --variations-seed-version --mojo-platform-channel-handle=7216 /prefetch:82⤵PID:4180
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=760,i,4037038034349188908,1299483070651919348,262144 --variations-seed-version --mojo-platform-channel-handle=5088 /prefetch:82⤵PID:1856
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5456,i,4037038034349188908,1299483070651919348,262144 --variations-seed-version --mojo-platform-channel-handle=6740 /prefetch:82⤵PID:752
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=3988,i,4037038034349188908,1299483070651919348,262144 --variations-seed-version --mojo-platform-channel-handle=6740 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4872
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5056,i,4037038034349188908,1299483070651919348,262144 --variations-seed-version --mojo-platform-channel-handle=4292 /prefetch:82⤵PID:3488
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"1⤵PID:4676
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:648
-
C:\Users\Admin\AppData\Local\Temp\Temp1_Covid29 Ransomware.zip\TrojanRansomCovid29.exe"C:\Users\Admin\AppData\Local\Temp\Temp1_Covid29 Ransomware.zip\TrojanRansomCovid29.exe"1⤵
- System Location Discovery: System Language Discovery
PID:5220 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4107.tmp\TrojanRansomCovid29.bat" "2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4168 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4107.tmp\fakeerror.vbs"3⤵
- System Location Discovery: System Language Discovery
PID:4460
-
-
C:\Windows\SysWOW64\PING.EXEping localhost -n 23⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3872
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f3⤵
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:2484
-
-
C:\Windows\SysWOW64\reg.exereg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v HideFastUserSwitching /t REG_DWORD /d 1 /f3⤵
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:3420
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f3⤵
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:1092
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f3⤵
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:4088
-
-
C:\Windows\SysWOW64\reg.exereg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLogoff /t REG_DWORD /d 1 /f3⤵
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:1912
-
-
C:\Windows\SysWOW64\reg.exereg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f3⤵
- UAC bypass
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:5316
-
-
C:\Windows\SysWOW64\reg.exereg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f3⤵
- UAC bypass
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:3816
-
-
C:\Users\Admin\AppData\Local\Temp\4107.tmp\mbr.exembr.exe3⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
PID:4696
-
-
C:\Users\Admin\AppData\Local\Temp\4107.tmp\Cov29Cry.exeCov29Cry.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4920 -
C:\Users\Admin\AppData\Roaming\svchost.exe"C:\Users\Admin\AppData\Roaming\svchost.exe"4⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:436 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete5⤵PID:3740
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet6⤵
- Interacts with shadow copies
PID:5132
-
-
C:\Windows\System32\Wbem\WMIC.exewmic shadowcopy delete6⤵
- Suspicious use of AdjustPrivilegeToken
PID:1296
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no5⤵PID:4112
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures6⤵
- Modifies boot configuration data using bcdedit
PID:880
-
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled no6⤵
- Modifies boot configuration data using bcdedit
PID:2900
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet5⤵PID:1944
-
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet6⤵
- Deletes backup catalog
PID:1648
-
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\covid29-is-here.txt5⤵PID:2480
-
-
-
-
C:\Windows\SysWOW64\shutdown.exeshutdown /r /t 300 /c "5 minutes to pay until you lose your data and system forever"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3976
-
-
C:\Windows\SysWOW64\PING.EXEping localhost -n 93⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5720
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im explorer.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:680
-
-
C:\Users\Admin\AppData\Local\Temp\4107.tmp\Cov29LockScreen.exeCov29LockScreen.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3104
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4580
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4428
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵PID:5592
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Checks SCSI registry key(s)
PID:1912
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Direct Volume Access (1)
- Impair Defenses (1)
  - Disable or Modify Tools (1)
- Indicator Removal (3)
  - File Deletion (3)
- Modify Registry (3)
- Pre-OS Boot (1)
  - Bootkit (1)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Discovery
- Browser Information Discovery (1)
- Peripheral Device Discovery (1)
- Query Registry (5)
- Remote System Discovery (1)
- System Information Discovery (5)
- System Location Discovery (1)
  - System Language Discovery (1)
- System Network Configuration Discovery (1)
  - Internet Connection Discovery (1)
Downloads