dharma | hxxps://github[.]com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/NotPetya[.]exe

Analysis

max time kernel
509s
max time network
515s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
14-04-2024 23:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/NotPetya.exe

Score

10^/10

dharma mimikatz bootkit persistence ransomware spyware stealer

Malware Config

Signatures

Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
ransomware dharma
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (512) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

mimikatz is an open source tool to dump credentials on Windows 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\1D28.tmp	mimikatz

Downloads MZ/PE file

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

CoronaVirus.exeNotPetya.exeNotPetya.exeNotPetya.exeNotPetya.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000\Control Panel\International\Geo\Nation	CoronaVirus.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000\Control Panel\International\Geo\Nation	NotPetya.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000\Control Panel\International\Geo\Nation	NotPetya.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000\Control Panel\International\Geo\Nation	NotPetya.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000\Control Panel\International\Geo\Nation	NotPetya.exe

Drops startup file 5 IoCs

Processes:

CoronaVirus.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CoronaVirus.exe	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	CoronaVirus.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-348ED86E.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-348ED86E.[coronavirus@qq.com].ncov	CoronaVirus.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta	CoronaVirus.exe

Executes dropped EXE 8 IoCs

Processes:

NotPetya.exe1D28.tmpNotPetya.exeNotPetya.exeNotPetya.exeCoronaVirus.exeCoronaVirus.exeCoronaVirus.exe

pid process

1292 NotPetya.exe
4108 1D28.tmp
2812 NotPetya.exe
4528 NotPetya.exe
3252 NotPetya.exe
2668 CoronaVirus.exe
1908 CoronaVirus.exe
17368 CoronaVirus.exe
Loads dropped DLL 4 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exe

pid process

4476 rundll32.exe
1740 rundll32.exe
3568 rundll32.exe
1036 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
4476	rundll32.exe
1740	rundll32.exe
3568	rundll32.exe
1036	rundll32.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

CoronaVirus.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\""	CoronaVirus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\""	CoronaVirus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CoronaVirus.exe = "C:\\Windows\\System32\\CoronaVirus.exe"	CoronaVirus.exe

Drops desktop.ini file(s) 64 IoCs

Processes:

CoronaVirus.exe

description	ioc	process
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	CoronaVirus.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3198953144-1466794930-246379610-1000\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	CoronaVirus.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

61 raw.githubusercontent.com
60 raw.githubusercontent.com
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

rundll32.exe

description ioc process

File opened for modification \??\PhysicalDrive0 rundll32.exe
Drops file in System32 directory 2 IoCs

Processes:

CoronaVirus.exe

description ioc process

File created C:\Windows\System32\CoronaVirus.exe CoronaVirus.exe
File created C:\Windows\System32\Info.hta CoronaVirus.exe

flow	ioc
61	raw.githubusercontent.com
60	raw.githubusercontent.com

description	ioc	process
File opened for modification	\??\PhysicalDrive0	rundll32.exe

description	ioc	process
File created	C:\Windows\System32\CoronaVirus.exe	CoronaVirus.exe
File created	C:\Windows\System32\Info.hta	CoronaVirus.exe

Drops file in Program Files directory 64 IoCs

Processes:

CoronaVirus.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\Lang\it.txt.id-348ED86E.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Extensions\external_extensions.json.id-348ED86E.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\da-dk\ui-strings.js.id-348ED86E.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\selector.js	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MINSBPROXY.DLL.id-348ED86E.[coronavirus@qq.com].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN108.XML.id-348ED86E.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\hu_get.svg	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_SubTrial-ul-oob.xrm-ms.id-348ED86E.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_MAK-ul-oob.xrm-ms	CoronaVirus.exe
File opened for modification	C:\Program Files\7-Zip\7z.sfx.id-348ED86E.[coronavirus@qq.com].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN114.XML.id-348ED86E.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-150_8wekyb3d8bbwe\Assets\AppTiles\StoreLogo.scale-150.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\SplashScreen.scale-100_contrast-white.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-16_altform-unplated.png	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusDemoR_BypassTrial180-ppd.xrm-ms.id-348ED86E.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\bg\msipc.dll.mui	CoronaVirus.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ar-SA\tipresx.dll.mui	CoronaVirus.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sk.txt.id-348ED86E.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\sk-sk\ui-strings.js	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp-pl.xrm-ms	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremDemoR_BypassTrial365-ul-oob.xrm-ms.id-348ED86E.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_OEM_Perp-ppd.xrm-ms	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\StopwatchLargeTile.contrast-white_scale-200.png	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\RTC.DLL.id-348ED86E.[coronavirus@qq.com].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\api-ms-win-crt-runtime-l1-1-0.dll.id-348ED86E.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.185.29\msedgeupdateres_quz.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\fre\StartMenu_Win8_RTL.mp4.id-348ED86E.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Images\SkypeAppList.targetsize-24_altform-unplated.png	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_filterselected-dark-focus_32.svg.id-348ED86E.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_MAK_AE-ul-phn.xrm-ms.id-348ED86E.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\legal\javafx\libxml2.md	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\images\cursors\win32_MoveDrop32x32.gif	CoronaVirus.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\System.IdentityModel.Resources.dll	CoronaVirus.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\Sigma\LICENSE.DATA.id-348ED86E.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ComponentModel.DataAnnotations.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\api-ms-win-core-file-l1-2-0.dll.id-348ED86E.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.Serialization.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-white_scale-100.png.id-348ED86E.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-multibyte-l1-1-0.dll.id-348ED86E.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.DataStreamer.Excel.dll	CoronaVirus.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\ca-Es-VALENCIA.pak.id-348ED86E.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-timezone-l1-1-0.dll.id-348ED86E.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Thread.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Thread.dll.id-348ED86E.[coronavirus@qq.com].ncov	CoronaVirus.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\PresentationCore.resources.dll.id-348ED86E.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\ApothecaryResume.dotx.id-348ED86E.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\MicrosoftSolitaireAppList.targetsize-256_altform-lightunplated_devicefamily-colorfulunplated.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Retail-pl.xrm-ms.id-348ED86E.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libsftp_plugin.dll.id-348ED86E.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\spu\libremoteosd_plugin.dll.id-348ED86E.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\Be.ps1	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_neutral_split.scale-200_8wekyb3d8bbwe\AppxManifest.xml	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ca-es\ui-strings.js.id-348ED86E.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files-select\js\plugin.js.id-348ED86E.[coronavirus@qq.com].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail-ppd.xrm-ms.id-348ED86E.[coronavirus@qq.com].ncov	CoronaVirus.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\ja-JP\MSFT_PackageManagementSource.schema.mfl.id-348ED86E.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\es\Microsoft.PackageManagement.resources.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R64.dll.id-348ED86E.[coronavirus@qq.com].ncov	CoronaVirus.exe
File created	C:\Program Files\Java\jre-1.8\lib\deploy\splash@2x.gif.id-348ED86E.[coronavirus@qq.com].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\PeopleSmallTile.scale-125.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-80_altform-unplated.png	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\images\themeless\mobile_reader_logo.svg.id-348ED86E.[coronavirus@qq.com].ncov	CoronaVirus.exe

Drops file in Windows directory 10 IoCs

Processes:

rundll32.exerundll32.exeNotPetya.exeNotPetya.exerundll32.exeNotPetya.exerundll32.exeNotPetya.exe

description	ioc	process
File opened for modification	C:\Windows\perfc.dat	rundll32.exe
File opened for modification	C:\Windows\perfc.dat	rundll32.exe
File created	C:\Windows\perfc.dat	NotPetya.exe
File created	C:\Windows\perfc.dat	NotPetya.exe
File opened for modification	C:\Windows\perfc.dat	rundll32.exe
File created	C:\Windows\perfc.dat	NotPetya.exe
File opened for modification	C:\Windows\perfc.dat	rundll32.exe
File created	C:\Windows\perfc	rundll32.exe
File created	C:\Windows\dllhost.dat	rundll32.exe
File created	C:\Windows\perfc.dat	NotPetya.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

4788 schtasks.exe

pid	process
4788	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exe

pid process

27960 vssadmin.exe
1280 vssadmin.exe
Modifies registry class 1 IoCs

Processes:

OpenWith.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\Local Settings OpenWith.exe

pid	process
27960	vssadmin.exe
1280	vssadmin.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\Local Settings	OpenWith.exe

NTFS ADS 3 IoCs

Processes:

msedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 263914.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 242226.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 127551.crdownload:SmartScreen	msedge.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

25864 NOTEPAD.EXE

pid	process
25864	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exerundll32.exe1D28.tmprundll32.exerundll32.exerundll32.exemsedge.exeCoronaVirus.exe

pid	process
3080	msedge.exe
3080	msedge.exe
756	msedge.exe
756	msedge.exe
2832	identity_helper.exe
2832	identity_helper.exe
1812	msedge.exe
1812	msedge.exe
4476	rundll32.exe
4476	rundll32.exe
4108	1D28.tmp
4108	1D28.tmp
4108	1D28.tmp
4108	1D28.tmp
4108	1D28.tmp
4108	1D28.tmp
4108	1D28.tmp
1740	rundll32.exe
1740	rundll32.exe
3568	rundll32.exe
3568	rundll32.exe
1036	rundll32.exe
1036	rundll32.exe
1428	msedge.exe
1428	msedge.exe
2668	CoronaVirus.exe
2668	CoronaVirus.exe
2668	CoronaVirus.exe
2668	CoronaVirus.exe
2668	CoronaVirus.exe
2668	CoronaVirus.exe
2668	CoronaVirus.exe
2668	CoronaVirus.exe
2668	CoronaVirus.exe
2668	CoronaVirus.exe
2668	CoronaVirus.exe
2668	CoronaVirus.exe
2668	CoronaVirus.exe
2668	CoronaVirus.exe
2668	CoronaVirus.exe
2668	CoronaVirus.exe
2668	CoronaVirus.exe
2668	CoronaVirus.exe
2668	CoronaVirus.exe
2668	CoronaVirus.exe
2668	CoronaVirus.exe
2668	CoronaVirus.exe
2668	CoronaVirus.exe
2668	CoronaVirus.exe
2668	CoronaVirus.exe
2668	CoronaVirus.exe
2668	CoronaVirus.exe
2668	CoronaVirus.exe
2668	CoronaVirus.exe
2668	CoronaVirus.exe
2668	CoronaVirus.exe
2668	CoronaVirus.exe
2668	CoronaVirus.exe
2668	CoronaVirus.exe
2668	CoronaVirus.exe
2668	CoronaVirus.exe
2668	CoronaVirus.exe
2668	CoronaVirus.exe
2668	CoronaVirus.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

OpenWith.exe

pid process

26128 OpenWith.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

Processes:

msedge.exe

pid process

756 msedge.exe
756 msedge.exe
756 msedge.exe
756 msedge.exe
756 msedge.exe
756 msedge.exe
756 msedge.exe
756 msedge.exe
756 msedge.exe
756 msedge.exe

pid	process
26128	OpenWith.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

rundll32.exe1D28.tmprundll32.exerundll32.exerundll32.exevssvc.exe

description	pid	process
Token: SeShutdownPrivilege	4476	rundll32.exe
Token: SeDebugPrivilege	4476	rundll32.exe
Token: SeTcbPrivilege	4476	rundll32.exe
Token: SeDebugPrivilege	4108	1D28.tmp
Token: SeShutdownPrivilege	1740	rundll32.exe
Token: SeDebugPrivilege	1740	rundll32.exe
Token: SeTcbPrivilege	1740	rundll32.exe
Token: SeShutdownPrivilege	3568	rundll32.exe
Token: SeDebugPrivilege	3568	rundll32.exe
Token: SeTcbPrivilege	3568	rundll32.exe
Token: SeShutdownPrivilege	1036	rundll32.exe
Token: SeDebugPrivilege	1036	rundll32.exe
Token: SeTcbPrivilege	1036	rundll32.exe
Token: SeBackupPrivilege	5588	vssvc.exe
Token: SeRestorePrivilege	5588	vssvc.exe
Token: SeAuditPrivilege	5588	vssvc.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exe

pid	process
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe

Suspicious use of SendNotifyMessage 40 IoCs

Processes:

msedge.exe

pid	process
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe
756	msedge.exe

Suspicious use of SetWindowsHookEx 19 IoCs

Processes:

NotPetya.exeNotPetya.exeNotPetya.exeNotPetya.exeOpenWith.exe

pid	process
1292	NotPetya.exe
2812	NotPetya.exe
4528	NotPetya.exe
3252	NotPetya.exe
26128	OpenWith.exe
26128	OpenWith.exe
26128	OpenWith.exe
26128	OpenWith.exe
26128	OpenWith.exe
26128	OpenWith.exe
26128	OpenWith.exe
26128	OpenWith.exe
26128	OpenWith.exe
26128	OpenWith.exe
26128	OpenWith.exe
26128	OpenWith.exe
26128	OpenWith.exe
26128	OpenWith.exe
26128	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 756 wrote to memory of 4308	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 4308	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 1500	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 1500	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 1500	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 1500	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 1500	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 1500	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 1500	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 1500	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 1500	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 1500	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 1500	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 1500	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 1500	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 1500	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 1500	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 1500	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 1500	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 1500	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 1500	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 1500	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 1500	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 1500	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 1500	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 1500	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 1500	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 1500	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 1500	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 1500	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 1500	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 1500	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 1500	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 1500	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 1500	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 1500	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 1500	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 1500	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 1500	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 1500	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 1500	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 1500	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 3080	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 3080	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 1000	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 1000	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 1000	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 1000	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 1000	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 1000	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 1000	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 1000	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 1000	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 1000	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 1000	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 1000	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 1000	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 1000	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 1000	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 1000	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 1000	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 1000	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 1000	756	msedge.exe	msedge.exe
PID 756 wrote to memory of 1000	756	msedge.exe	msedge.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/NotPetya.exe
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:756

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffecdda46f8,0x7ffecdda4708,0x7ffecdda4718
2⤵
PID:4308

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2224,4445713999026370141,18383452663667751546,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2232 /prefetch:2
2⤵
PID:1500

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2224,4445713999026370141,18383452663667751546,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3080

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2224,4445713999026370141,18383452663667751546,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2568 /prefetch:8
2⤵
PID:1000

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,4445713999026370141,18383452663667751546,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3580 /prefetch:1
2⤵
PID:1260

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,4445713999026370141,18383452663667751546,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3632 /prefetch:1
2⤵
PID:3308

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2224,4445713999026370141,18383452663667751546,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5628 /prefetch:8
2⤵
PID:4760

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2224,4445713999026370141,18383452663667751546,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5628 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2832

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,4445713999026370141,18383452663667751546,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4152 /prefetch:1
2⤵
PID:2640

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,4445713999026370141,18383452663667751546,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5084 /prefetch:1
2⤵
PID:2624

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2224,4445713999026370141,18383452663667751546,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3672 /prefetch:8
2⤵
PID:1684

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,4445713999026370141,18383452663667751546,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3624 /prefetch:1
2⤵
PID:1632

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,4445713999026370141,18383452663667751546,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6200 /prefetch:1
2⤵
PID:784

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,4445713999026370141,18383452663667751546,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6216 /prefetch:1
2⤵
PID:3964

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2224,4445713999026370141,18383452663667751546,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6612 /prefetch:8
2⤵
PID:1272

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2224,4445713999026370141,18383452663667751546,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6108 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1812

C:\Users\Admin\Downloads\NotPetya.exe
"C:\Users\Admin\Downloads\NotPetya.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1292

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Windows\perfc.dat #1
3⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4476

C:\Windows\SysWOW64\cmd.exe
/c schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 00:29
4⤵
PID:4584

C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 00:29
5⤵
- Creates scheduled task(s)
PID:4788

C:\Users\Admin\AppData\Local\Temp\1D28.tmp
"C:\Users\Admin\AppData\Local\Temp\1D28.tmp" \\.\pipe\{1A6AE75C-76A6-4A09-9818-2709A6C57F25}
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4108

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,4445713999026370141,18383452663667751546,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5264 /prefetch:1
2⤵
PID:2724

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2224,4445713999026370141,18383452663667751546,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5340 /prefetch:8
2⤵
PID:4000

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2224,4445713999026370141,18383452663667751546,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5752 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1428

C:\Users\Admin\Downloads\CoronaVirus.exe
"C:\Users\Admin\Downloads\CoronaVirus.exe"
2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:2668

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
PID:764

C:\Windows\system32\mode.com
mode con cp select=1251
4⤵
PID:22200

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:1280

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
3⤵
PID:28216

C:\Windows\system32\mode.com
mode con cp select=1251
4⤵
PID:28024

C:\Windows\system32\vssadmin.exe
vssadmin delete shadows /all /quiet
4⤵
- Interacts with shadow copies
PID:27960

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
3⤵
PID:27832

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
3⤵
PID:27596

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2224,4445713999026370141,18383452663667751546,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6356 /prefetch:2
2⤵
PID:17276

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,4445713999026370141,18383452663667751546,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1
2⤵
PID:29080

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,4445713999026370141,18383452663667751546,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6644 /prefetch:1
2⤵
PID:20068

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3340

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1908

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2600

C:\Users\Admin\Downloads\NotPetya.exe
"C:\Users\Admin\Downloads\NotPetya.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2812

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Windows\perfc.dat #1
2⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1740

C:\Users\Admin\Downloads\NotPetya.exe
"C:\Users\Admin\Downloads\NotPetya.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:4528

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Windows\perfc.dat #1
2⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3568

C:\Users\Admin\Downloads\NotPetya.exe
"C:\Users\Admin\Downloads\NotPetya.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:3252

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Windows\perfc.dat #1
2⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1036

C:\Users\Admin\Downloads\CoronaVirus.exe
"C:\Users\Admin\Downloads\CoronaVirus.exe"
1⤵
- Executes dropped EXE
PID:1908

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5588

C:\Users\Admin\Downloads\CoronaVirus.exe
"C:\Users\Admin\Downloads\CoronaVirus.exe"
1⤵
- Executes dropped EXE
PID:17368

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:26128

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\BlockResolve.AAC.id-348ED86E.[coronavirus@qq.com].ncov
2⤵
- Opens file in notepad (likely ransom note)
PID:25864

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\FILES ENCRYPTED.txt
1⤵
PID:25500

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Inhibit System Recovery

T1490

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
e2ece0fcb9f6256efba522462a9a9288

SHA1
ccc599f64d30e15833b45c7e52924d4bd2f54acb

SHA256
0eff6f3011208a312a1010db0620bb6680fe49d4fa3344930302e950b74ad005

SHA512
ead68dd972cfb1eccc194572279ae3e4ac989546bfb9e8d511c6bc178fc12aaebd20b49860d2b70ac1f5d4236b0df1b484a979b926edbe23f281b8139ff1a9ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
864aa9768ef47143c455b31fd314d660

SHA1
09d879e0e77698f28b435ed0e7d8e166e28fafa2

SHA256
3118d55d1f04ecdd849971d8c49896b5c874bdbea63e5288547b9812c0640e10

SHA512
75dce411fce8166c8905ed8da910adb1dd08ab1c9d7cd5431ef905531f2f0374caf73dedd5d238b457ece61273f6c81e632d23eb8409efbb6bf0d01442008488

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
cdfb452880b76d6ff2d40b5d1e3d5e9d

SHA1
bf26b079c18232aff59530d234ac89fedd2c037a

SHA256
f250a492cf00982542013c43656ec7e776fb325fc409ac1c034a095bda37a38b

SHA512
943eb605369d6c32549ce8ca1db8c1b0ad6550fba8954ce562012ee86cfc233d6419c097db9152d99c8c90953012a3bb9dd64ca92fc10c0a3221404ef4c86c8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
579B

MD5
46fa4f5f7344089589d117bd7599b3a9

SHA1
b6cc1fe19e527d4a372c97e4d195ed94eee40030

SHA256
223280d95a13f1af6af06459bbf230874500c212a2e16f63914eff3f22e8b57a

SHA512
6b680aedde7e806802652aab9ab31cb21438bc8756b063955e6f03bbbdf1273f7d47c40ec1a19fe27537afeb8d6cc219a246d31f7c6822b481649fe296e2a45c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
3ecb62c6629f1014318638ed1979879d

SHA1
6624a4463dc57f8107a6ee8d812637270e4fb6f6

SHA256
78c9a64463bf19d291560c3f56290c7012509cbc4b7b0341dc18934409fdd405

SHA512
8a8ccdb500594d710dde032fc9ad7cd6584339e8e9c1eb2871501f694af4ed5dc87702fb0f3a2e567520f81a9ad8ed1c63823ce6ad33090fc2791633e5980294

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
787722550353aa923b637ec406b61b0d

SHA1
79608563954e08365d13732b55a274ca40b387b0

SHA256
53e9fa65d819bbb8ab53760b0357269ad400bff3b194cb964b85f867ba7f771e

SHA512
672564ab6b3271cc824402618b48453781e162c3d3d834ff92b5289c17195e371de6d151a51a328f84670b6a800e0242607c95d6b729c18cff2369e70948ead3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
94f6f429d8b5afb060db9bee69ea250c

SHA1
905658a40883d74d9f04b531ffe7cc9f9717abae

SHA256
17f3379324ad46333025c54fd55ccc17bca25e5242897e6b7d24303bc98d05ba

SHA512
362ab05bb78348b841afeb01a2e59208e2a2c02f89f66a4c674b835f6276b5d6122401c1daf77c941cb1677f50b12d7582588ce7754cb6143d474ea62487bf27

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
da8bbcaef0b4c6d764cb08757fd7c209

SHA1
e497e9520a054a203c30c848aeafdd229784f76c

SHA256
737349660777bd23f0b787453bdb3805a0dc6c5c9b42b4d4ef76cb148e199619

SHA512
428a8430e8fe236831893c4a1e5deb423670874f9b20d31c2cd745e1614922f9dbefb4e89aedf5aa6e0186a0792eeb6370a57f514b6be3ec0339cdef4adc90a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
a06fd20b5d97d3103056ba1c7757ed12

SHA1
c67f5cb4cbd0e543fa9a8b7e30f6033b9b5a763e

SHA256
49e7c3a09b2f5b216f64d005e5e131169318d8209f6d0b4b76a3107cd2fed037

SHA512
8d3ec2607be52c7e6f3ec66c593efe6cab0fff005d15c789d16e05076bd5509b051aa13616eb5fedaa637980ab1b65469834f94559916a521bb28fff0a74f961

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
87784adf425016276a5d8b9e462d7bd8

SHA1
be42861e1ff94d22dcfb19c4fc2e7f0232cdcb85

SHA256
ad79756f24e648641fcc458303a342b34a37f4f6348178dbe1c3e5b255452e81

SHA512
f77f2958fde771348ebbe5b20df261d7107564feceab96e826bde1f549501284921f4ecf17c9c1262f0352b379312559de30edb3593ca385922eabe00a685b70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
860416e0cbf355d7ec871b36e7db9d98

SHA1
3a76e86085a0b68960eb5a51f41093a73efd5469

SHA256
75c732b5b210d6e7491f55aca1067cfee071c2f52e31facdaad5a14f16ad3b31

SHA512
8d8b6128e2f724d878ebe2ad0d358689a2bd73bca23a12333caedad890dba6aec472d25c9c0dfcf2f0e56bb8b5602df33be51b280a0f362dd70307bd408038a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
b836d712e2b42decb2a2b2859c66b22d

SHA1
cbd01384df8fe1b07a9c4111483d7764bc21c346

SHA256
42f65c92609cfc67b71902bb2236f2157f7cab441bb453aa9b99ada922371106

SHA512
adf31cb890c172dd16ce8b71dac07247c51107063224f91ac7e1995e0ebe3b4f7433dbc4d299b0a1cbe20f3441e22159b2870a9b5ec4e299619128ebfc60b295

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
59f6efbdd8431b2539955576db111a6f

SHA1
0a7edf11c57d4146f589bbba09af4518850b55c2

SHA256
405cc2b132acf3ba3873190c87a2a423ec5f639d4dac192fa10c54e8dbce4184

SHA512
2e47d853fe6caa286be9a80715fa2b79ac8dba2a8990543fd03b7ddf748a94fbbda79d42e3ea31b67685b3e5b8db74829b0b20581f40812c19ca683a409dc328

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
662e0acde2e94ee7b4d3f01da385a2f6

SHA1
4ee64daf37b5ae37da6993301b8c13b9afab0710

SHA256
2cd1843aea68f35d7f1e113c695ed63f841c59f583aa1b933d83fa52ae42b12e

SHA512
90727ae7d0bbcc5368937629bfb4ae3ad01f1e73b5e13e205885616236b560b2de84b62e93baf761805bf6eaab465dd96390a250838428cd1051cbb6ef9cb140

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
fb34f19386f1ed25e4868c83eb59754f

SHA1
15d8672443787ee9211f30a6d74854f4c2963383

SHA256
eae874be50db76a9af3afb36a763fab4c9aeebf6ebb70b5e52caad7c7d4046bd

SHA512
65fdd4661302295369f06f701c3d75491c17c7009b21ba67c34820a1355abca84856a628bf017e44d8ad6142e6f00385468f8487ed6c86c446579a1edffba1e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
d0cfd251b853839bb4119a15bdda9c89

SHA1
67a8837f3ad11eafa77a705c528f6217da9d82e9

SHA256
7853ceb44c04b6d5ef5d1b44f475e0c51285292f22afbdfcb4877399ff323a49

SHA512
37c1faff8a25935225427b8a6001f8ef1a0d7ff3d7a9aa597d17fc00c1d2be03ea4fc674c2528195711600383dd596824a2e88af29d4906c0a64ed203a2a5e9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
e3e29db482c0408bd780561fb6d49154

SHA1
e4be446abce59d65eff65d56974b742f4ba52724

SHA256
cb9e790f5f44d8cffd55d748023905258a7b1be8b809572cf2537925d7b52594

SHA512
a66f0c633bc7b4f6b8f49457149466f2742182ce38b350445666cab1719f1f8e7947028cda19f59d2e7d2be300782017ce278602abe0050e1f31c13d273648a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
de923b9af764dd057ebe39040057bdcc

SHA1
ccca2856538fd1d28799e341f6f3615b0327105c

SHA256
7fa24704077a14b7c3e2d9676fbcd6100324c4095ec531ccadce852d06821d6f

SHA512
106179c68a7b2a176591793c09b70612f159c88edefa53d6c1d47323f29da4b6474c439a6ac9e60ec9ae6aaff96a7bfb24467c4fad3ebdcb18d01253dbd26189

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58607a.TMP
Filesize
1KB

MD5
4337590e12a8cba7a738a66144b45b32

SHA1
240f6626f62ea23145eb260738d4b519a4759ac6

SHA256
c0ee2969b6f41734ff6b32db07bfe48d732c9d2dec8f4e6995ff16e812753357

SHA512
8f4e90d166021988b5a9aa86a7a2849812bfbf2cba54c9fdff0222a5cdba7e937c7ed4c5da2eec134d4d2ef34fd14ff4eda2b858959d611055bac07ed7ce135d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\heavy_ad_intervention_opt_out.db
Filesize
16KB

MD5
9e02552124890dc7e040ce55841d75a4

SHA1
f4179e9e3c00378fa4ad61c94527602c70aa0ad9

SHA256
7b6e4ce73ddd8b5e7a7c4a94374ac2815d0048a5296879d7659a92ee0b425c77

SHA512
3e10237b1bff73f3bb031f108b8de18f1b3c3396d63dfee8eb2401ce650392b9417143a9ef5234831d8386fc12e232b583dd45eada3f2828b3a0a818123dd5cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
a8057eb2a1d66bfa28e9996e432f720c

SHA1
0e601b8954f8adc97441b11c5222344c976383b8

SHA256
d8cae16870572c5dbf7c3c6300c01cb37fa2f39a920d805ad79f10011558e659

SHA512
32e0813633211468975d9ff9f14765993b8b4e656e2abb6a48aa7eb503d4263ee21e63337fb13f5468bd0b808c969ec69d2a6c53ed84b5ebcad7e8b7d6955eb1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
b2f992ff426244744ec7967e69b9e79d

SHA1
6ce05add747e9ea097a7d4865367fe7c2b30bb68

SHA256
b73886cbb60606dfe8cc2d51c480a34871f6e82fde64949fd8b08e98ca88768b

SHA512
3bc1879da5ed3aa1ee924545b562ba0cc1f6ee25bcdd309c8f7220ff318994c8ca271138042cec82d0a9698be2d6932e7a9a915f5a1fc05d48272f94edf0cb3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
19baaf8f09b4e303153e111c0ae2d380

SHA1
b354c03d726278bb8f2e84fc3ef5783b9bb3d68b

SHA256
33f1ab7d2267ba3506f84d75daa035eba1d568ae195c92d98e88e5cdc27bce81

SHA512
06794d84aac0b092430ecb0aea24f8832ea6ab796d8ed2f1594af43d3509b62997aee7c9380ee642e7d715d1d82f1f9fecd129340028f65bf53188b2dc11071a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
1411114dfa686e1eeb3c49113a7c6547

SHA1
1d0c8127fa2a9a382bfffd7c5d2c23e14e00c0a7

SHA256
e62be01e5473769513d83f65a320b89c8af3c186464057362071689fb730e90d

SHA512
3d8c998d43ee14227ef2d667c761b6815de850adcc07cf63bf72071de2a21f47bc962b0699247fe392bd2977c31083951131bff5a8518ca2f15d0d393df431b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1D28.tmp
Filesize
55KB

MD5
7e37ab34ecdcc3e77e24522ddfd4852d

SHA1
38e2855e11e353cedf9a8a4f2f2747f1c5c07fcf

SHA256
02ef73bd2458627ed7b397ec26ee2de2e92c71a0e7588f78734761d8edbdcd9f

SHA512
1b037a2aa8bf951d2ffe2f724aa0b2fbb39c2173215806ba0327bda7b096301d887f9bb7db46f9e04584b16aa6b1aaeaf67f0ecf5f20eb02ceac27c8753ca587

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 127551.crdownload
Filesize
184KB

MD5
c9c341eaf04c89933ed28cbc2739d325

SHA1
c5b7d47aef3bd33a24293138fcba3a5ff286c2a8

SHA256
1a0a2fd546e3c05e15b2db3b531cb8e8755641f5f1c17910ce2fb7bbce2a05b7

SHA512
7cfa6ec0be0f5ae80404c6c709a6fd00ca10a18b6def5ca746611d0d32a9552f7961ab0ebf8a336b27f7058d700205be7fcc859a30d7d185aa9457267090f99b

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 242226.crdownload
Filesize
1.0MB

MD5
055d1462f66a350d9886542d4d79bc2b

SHA1
f1086d2f667d807dbb1aa362a7a809ea119f2565

SHA256
dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0

SHA512
2c5e570226252bdb2104c90d5b75f11493af8ed1be8cb0fd14e3f324311a82138753064731b80ce8e8b120b3fe7009b21a50e9f4583d534080e28ab84b83fee1

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 263914.crdownload
Filesize
390KB

MD5
5b7e6e352bacc93f7b80bc968b6ea493

SHA1
e686139d5ed8528117ba6ca68fe415e4fb02f2be

SHA256
63545fa195488ff51955f09833332b9660d18f8afb16bdf579134661962e548a

SHA512
9d24af0cb00fb8a5e61e9d19cd603b5541a22ae6229c2acf498447e0e7d4145fee25c8ab9d5d5f18f554e6cbf8ca56b7ca3144e726d7dfd64076a42a25b3dfb6

Download Submit
C:\Windows\perfc.dat
Filesize
353KB

MD5
9a7ffe65e0912f9379ba6e8e0b079fde

SHA1
532bea84179e2336caed26e31805ceaa7eec53dd

SHA256
4b336c3cc9b6c691fe581077e3dd9ea7df3bf48f79e35b05cf87e079ec8e0651

SHA512
e8ebf30488b9475529d3345a00c002fe44336718af8bc99879018982bbc1172fc77f9fee12c541bab9665690092709ef5f847b40201782732c717c331bb77c31

Download Submit
C:\Windows\perfc.dat
Filesize
353KB

MD5
71b6a493388e7d0b40c83ce903bc6b04

SHA1
34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d

SHA256
027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745

SHA512
072205eca5099d9269f358fe534b370ff21a4f12d7938d6d2e2713f69310f0698e53b8aff062849f0b2a521f68bee097c1840993825d2a5a3aa8cf4145911c6f

Download Submit
\??\pipe\LOCAL\crashpad_756_DUDAJNDRAINKRGOR
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1036-337-0x0000000002230000-0x000000000228E000-memory.dmp

Filesize
376KB

Download
memory/1036-345-0x0000000002230000-0x000000000228E000-memory.dmp

Filesize
376KB

Download
memory/1740-283-0x0000000000C40000-0x0000000000C9E000-memory.dmp

Filesize
376KB

Download
memory/1740-275-0x0000000000C40000-0x0000000000C9E000-memory.dmp

Filesize
376KB

Download
memory/1908-4953-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/1908-455-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/1908-5046-0x000000000AC70000-0x000000000ACA4000-memory.dmp

Filesize
208KB

Download
memory/1908-5238-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/2668-456-0x000000000ADB0000-0x000000000ADE4000-memory.dmp

Filesize
208KB

Download
memory/2668-457-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/2668-431-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/2668-4986-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/3568-316-0x0000000000A00000-0x0000000000A5E000-memory.dmp

Filesize
376KB

Download
memory/3568-324-0x0000000000A00000-0x0000000000A5E000-memory.dmp

Filesize
376KB

Download
memory/4476-230-0x0000000002200000-0x000000000225E000-memory.dmp

Filesize
376KB

Download
memory/4476-218-0x0000000002200000-0x000000000225E000-memory.dmp

Filesize
376KB

Download
memory/4476-216-0x0000000002200000-0x000000000225E000-memory.dmp

Filesize
376KB

Download
memory/4476-215-0x0000000002200000-0x000000000225E000-memory.dmp

Filesize
376KB

Download
memory/4476-207-0x0000000002200000-0x000000000225E000-memory.dmp

Filesize
376KB

Download
memory/17368-8594-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/17368-8319-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download