Analysis
max time kernel: 509s
max time network: 515s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-04-2024 23:25
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/NotPetya.exe
Resource: win10v2004-20240412-en
General
Target: https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/NotPetya.exe
Note: the target is the GitHub page for the file (a /blob/ URL), not the raw binary, so the run starts with Edge opening that URL (see the process tree at the end) and everything below comes from what was then downloaded and executed. Two families are visible in the run: a NotPetya payload (C:\Windows\perfc.dat loaded by rundll32.exe, a mimikatz-derived dumper dropped as 1D28.tmp, a write handle on \??\PhysicalDrive0) and a Dharma-family binary (CoronaVirus.exe, which appends .id-348ED86E.[coronavirus@qq.com].ncov to the files it encrypts). Read each signature with that in mind, and treat the msedge.exe entries as browser activity rather than sample activity.
Malware Config
Signatures
-
Dharma
Dharma (also tracked as CrySiS) is a ransomware family. The sandbox's one-line description ("uses security software installation to hide malicious activities") refers to campaigns that bundled it with a legitimate antivirus installer; the attribution in this run rests on the appended filename pattern .id-<victim ID>.[<contact e-mail>].<extension>, seen here as .id-348ED86E.[coronavirus@qq.com].ncov, and on the Info.hta ransom note registered under the Run key.
-
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (512) files with added filename extension
Bulk renaming that appends the same extension to every file is the file-system signature of ransomware encryption; 512 such renames were observed in this run (the Program Files and desktop.ini lists further down show the pattern).
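The bulk rename is easiest to reason about once the appended name is parsed into its parts. The following is an added example, not part of the sandbox report or of the sample's code: it parses the Dharma-style suffix visible in this report's IoCs and counts renamed files per victim ID, contact address and extension, which is the same bulk-rename signal the sandbox summarises above. The SAMPLE_PATHS list is constructed from paths that appear later on this page plus a few untouched ones; the regex and the function names are my own.

```python
import re
from collections import Counter

# Appended-name pattern used by Dharma/CrySiS builds, as seen in this report's IoCs:
#   <original name>.id-<8 hex digits>.[<contact e-mail>].<extension>
#   e.g. desktop.ini.id-348ED86E.[coronavirus@qq.com].ncov
DHARMA_NAME = re.compile(
    r"^(?P<original>.+?)\.id-(?P<victim_id>[0-9A-Fa-f]{8})"
    r"\.\[(?P<contact>[^\]\\\s]+@[^\]\\\s]+)\]"
    r"\.(?P<ext>[A-Za-z0-9]{1,16})$"
)


def parse_dharma_name(path):
    """Parse one path; return {original, victim_id, contact, ext} or None if not renamed."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    m = DHARMA_NAME.match(name)
    if m is None:
        return None
    fields = m.groupdict()
    fields["victim_id"] = fields["victim_id"].upper()
    return fields


def summarize_renames(paths):
    """Count renamed files per (victim_id, contact, ext) and per top-level directory.

    One dominant key across hundreds of files is the bulk-rename signal the sandbox
    reports as "Renames multiple files with added filename extension".
    """
    per_key = Counter()
    per_dir = Counter()
    untouched = 0
    for p in paths:
        parsed = parse_dharma_name(p)
        if parsed is None:
            untouched += 1
            continue
        per_key[(parsed["victim_id"], parsed["contact"], parsed["ext"])] += 1
        # first two components, e.g. "C:\Program Files"
        per_dir["\\".join(p.replace("/", "\\").split("\\")[:2])] += 1
    return {
        "renamed": sum(per_key.values()),
        "untouched": untouched,
        "keys": dict(per_key),
        "dirs": dict(per_dir),
    }


# Constructed sample: paths copied from this report's IoC lists plus a few that were not renamed.
SAMPLE_PATHS = [
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-348ED86E.[coronavirus@qq.com].ncov",
    r"C:\Program Files\7-Zip\Lang\it.txt.id-348ED86E.[coronavirus@qq.com].ncov",
    r"C:\Program Files\Microsoft Office\root\Office16\RTC.DLL.id-348ED86E.[coronavirus@qq.com].ncov",
    r"C:\Program Files\Java\jre-1.8\lib\deploy\splash@2x.gif.id-348ED86E.[coronavirus@qq.com].ncov",
    r"C:\Program Files\7-Zip\7z.sfx",                    # original, not (yet) renamed
    r"C:\Windows\System32\Info.hta",                      # ransom note dropped by the sample
    r"C:\Users\Admin\Downloads\report.id-12345678.pdf",  # similar shape but no [contact] part
]

if __name__ == "__main__":
    for key, n in summarize_renames(SAMPLE_PATHS)["keys"].items():
        print(f"victim id {key[0]}, contact {key[1]}, extension .{key[2]}: {n} files")
```

Run it over a directory listing from an affected host (or over the full IoC list of a sandbox report) and the victim ID and contact address fall out directly; they are the two values that tie separate infections to the same build.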
-
mimikatz is an open source tool to dump credentials on Windows 1 IoCs
YARA match:
- C:\Users\Admin\AppData\Local\Temp\1D28.tmp (rule: mimikatz)
NotPetya drops its mimikatz-derived credential harvester into %TEMP% under a random .tmp name and runs it; 1D28.tmp appears below as an executed dropped EXE (PID 4108) that acquires SeDebugPrivilege, which is what reading LSASS memory requires.
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 5 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: CoronaVirus.exe, NotPetya.exe
- Key value queried: \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000\Control Panel\International\Geo\Nation (CoronaVirus.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000\Control Panel\International\Geo\Nation (NotPetya.exe, four processes)
This value is what GetUserGeoID() returns, so plenty of benign software reads it too; treat it as evidence of a geofence only when the sample's behaviour changes with the result.
Drops startup file 5 IoCs
Processes: CoronaVirus.exe
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CoronaVirus.exe
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-348ED86E.[coronavirus@qq.com].ncov
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-348ED86E.[coronavirus@qq.com].ncov
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta
Executes dropped EXE 8 IoCs
Processes (pid, image):
- 1292 NotPetya.exe
- 4108 1D28.tmp
- 2812 NotPetya.exe
- 4528 NotPetya.exe
- 3252 NotPetya.exe
- 2668 CoronaVirus.exe
- 1908 CoronaVirus.exe
- 17368 CoronaVirus.exe
Loads dropped DLL 4 IoCs
Processes (pid, image):
- 4476 rundll32.exe
- 1740 rundll32.exe
- 3568 rundll32.exe
- 1036 rundll32.exe
The DLL in question is C:\Windows\perfc.dat (see "Drops file in Windows directory" below); rundll32.exe loading a freshly written file with a non-DLL extension is the detection opportunity here.
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 3 IoCs
Processes: CoronaVirus.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\""
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\""
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CoronaVirus.exe = "C:\\Windows\\System32\\CoronaVirus.exe"
Two of the entries re-display the ransom note through mshta.exe at every logon and the third restarts the encryptor itself; all three sit in the machine-wide HKLM Run key, and two of the value names are full file paths, both easy things to hunt for.
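A practitioner would want to triage Run values like these mechanically rather than by eye. The following is an added example, my own code and not the report's or the sample's: it applies simple static heuristics to autorun values (interpreter-based launch, script payload, user-writable target, path-like value name). The entries in SAMPLE_RUN_VALUES are constructed from the three values above plus one ordinary Windows entry; the LOLBIN and extension lists are my own choices.

```python
import re
from pathlib import PureWindowsPath

# Interpreters that autorun entries rarely need legitimately but malware uses to launch a script
LOLBINS = {"mshta.exe", "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe",
           "powershell.exe", "pwsh.exe", "cmd.exe", "msiexec.exe", "certutil.exe"}
SCRIPT_EXT = {".hta", ".js", ".jse", ".vbs", ".vbe", ".ps1", ".bat", ".cmd", ".wsf"}
# Locations a standard user can write to; a persistence target living there is a red flag
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\", "\\downloads\\")


def split_cmdline(data):
    """Split a Windows command line into tokens, honouring double-quoted paths with spaces."""
    return [t[1:-1] if t.startswith('"') else t for t in re.findall(r'"[^"]*"|\S+', data)]


def triage_run_value(key, name, data):
    """Return the reasons one Run/RunOnce value looks suspicious (empty list = no static finding)."""
    reasons = []
    tokens = split_cmdline(data)
    if not tokens:
        return ["empty command"]
    exe = PureWindowsPath(tokens[0]).name.lower()
    if exe in LOLBINS:
        reasons.append(f"launches via LOLBin {exe}")
    for tok in tokens:
        p = PureWindowsPath(tok)
        if p.suffix.lower() in SCRIPT_EXT:
            reasons.append(f"script payload {p.name}")
        if any(w in tok.lower() for w in USER_WRITABLE):
            reasons.append(f"user-writable path {tok}")
    if "\\" in name or ":" in name:
        reasons.append("value name is itself a file path")
    return reasons


def triage_all(entries):
    """entries: iterable of (key, value_name, value_data). Returns only the flagged ones."""
    flagged = []
    for key, name, data in entries:
        reasons = triage_run_value(key, name, data)
        if reasons:
            flagged.append({"key": key, "name": name, "data": data, "reasons": reasons})
    return flagged


RUN_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
# Constructed sample: the three values from this report plus one ordinary Windows entry
SAMPLE_RUN_VALUES = [
    (RUN_KEY, r"C:\Windows\System32\Info.hta", r'mshta.exe "C:\Windows\System32\Info.hta"'),
    (RUN_KEY, r"C:\Users\Admin\AppData\Roaming\Info.hta", r'mshta.exe "C:\Users\Admin\AppData\Roaming\Info.hta"'),
    (RUN_KEY, "CoronaVirus.exe", r"C:\Windows\System32\CoronaVirus.exe"),
    (RUN_KEY, "SecurityHealth", r"%windir%\system32\SecurityHealthSystray.exe"),
]

if __name__ == "__main__":
    for hit in triage_all(SAMPLE_RUN_VALUES):
        print(hit["name"], "->", "; ".join(hit["reasons"]))
```

The third entry, a plain path to CoronaVirus.exe under System32, produces no static finding: catching that one needs image-level context (signature, prevalence, creation time relative to the other events) that these heuristics deliberately do not pretend to have.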
Drops desktop.ini file(s) 64 IoCs
Processes: CoronaVirus.exe (every entry is "File opened for modification")
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini
- C:\Users\Admin\Links\desktop.ini
- C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini
- C:\Users\Public\Documents\desktop.ini
- C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini
- C:\Program Files\desktop.ini
- C:\Users\Admin\Saved Games\desktop.ini
- C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini
- C:\Users\Public\desktop.ini
- C:\Users\Admin\Documents\desktop.ini
- C:\Users\Admin\Desktop\desktop.ini
- C:\Users\Admin\Favorites\desktop.ini
- C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini
- C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini
- C:\Users\Admin\Contacts\desktop.ini
- C:\Users\Public\Videos\desktop.ini
- C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini
- C:\Users\Admin\Pictures\Camera Roll\desktop.ini
- C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini
- C:\Users\Public\Music\desktop.ini
- C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini
- C:\Users\Admin\Videos\desktop.ini
- C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini
- C:\Program Files (x86)\desktop.ini
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini
- C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini
- C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
- C:\Users\Public\AccountPictures\desktop.ini
- C:\Users\Public\Downloads\desktop.ini
- C:\Users\Public\Pictures\desktop.ini
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini
- F:\$RECYCLE.BIN\S-1-5-21-3198953144-1466794930-246379610-1000\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini
- C:\Users\Admin\Downloads\desktop.ini
- C:\Users\Admin\Favorites\Links\desktop.ini
- C:\Users\Admin\OneDrive\desktop.ini
- C:\Users\Public\Desktop\desktop.ini
- C:\Users\Public\Libraries\desktop.ini
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
- C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini
- C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini
- C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini
- C:\Users\Admin\Pictures\desktop.ini
- C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini
- C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
Here this is github.com, from which the sample itself was fetched (see Target above); a second drive letter (F:) also appears in the desktop.ini list, so the sample enumerated more than the system volume.
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes: rundll32.exe
- File opened for modification: \??\PhysicalDrive0 (rundll32.exe)
A write handle on the raw disk object is all that is visible here; for NotPetya this is the step that replaces sector 0 with its own boot code, and the SeShutdownPrivilege adjustments and scheduled task recorded below are consistent with the forced reboot that follows. Opening \\.\PhysicalDrive0 for write from rundll32.exe has no benign explanation and is worth an alert on its own.
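The report shows only that rundll32.exe obtained a write handle on \??\PhysicalDrive0. The following is an added example of the baseline-and-compare check a responder can run on sector 0; it is my own code, not the report's or the sample's. It parses the 512-byte MBR, hashes the bootstrap region, decodes the partition table and diffs all three against a trusted copy. Both sectors in the demo are constructed (placeholder boot code and a plausible two-partition layout, not a real bootloader); read_physical_mbr() shows how sector 0 is read on a live host and is not called by the demo.

```python
import hashlib
import struct

SECTOR = 512
BOOTSTRAP_LEN = 446   # bytes 0..445 hold the boot code (and the disk signature at 0x1B8)
PT_OFFSET = 446       # four 16-byte partition entries follow
SIG_OFFSET = 510      # the sector must end in 0x55 0xAA
ENTRY = "<B3xB3xII"   # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count


def parse_mbr(sector):
    """Split a 512-byte MBR into a signature check, a hash of the boot code and the partition table."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        status, ptype, lba_start, count = struct.unpack_from(ENTRY, sector, PT_OFFSET + 16 * i)
        if ptype != 0:
            partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": count})
    return {
        "signature_ok": sector[SIG_OFFSET:] == b"\x55\xaa",
        "bootstrap_sha256": hashlib.sha256(sector[:BOOTSTRAP_LEN]).hexdigest(),
        "partition_table": partitions,
    }


def compare_mbr(current, baseline):
    """Diff a freshly read MBR against a trusted baseline; returns a list of findings (empty = clean)."""
    cur, base = parse_mbr(current), parse_mbr(baseline)
    findings = []
    if not cur["signature_ok"]:
        findings.append("boot signature 55AA missing")
    if cur["bootstrap_sha256"] != base["bootstrap_sha256"]:
        findings.append("bootstrap code replaced")
    if cur["partition_table"] != base["partition_table"]:
        findings.append("partition table changed")
    return findings


def read_physical_mbr(device=r"\\.\PhysicalDrive0"):
    """Read sector 0 of a raw disk; needs administrator rights on Windows (root with /dev/sda on Linux)."""
    with open(device, "rb", buffering=0) as disk:
        return disk.read(SECTOR)


def build_sector(bootstrap, partitions, signature=b"\x55\xaa"):
    """Assemble a test MBR from boot-code bytes and (bootable, type, lba_start, sectors) tuples."""
    sector = bytearray(SECTOR)
    sector[:BOOTSTRAP_LEN] = bootstrap[:BOOTSTRAP_LEN].ljust(BOOTSTRAP_LEN, b"\x00")
    for i, (bootable, ptype, lba, count) in enumerate(partitions):
        struct.pack_into(ENTRY, sector, PT_OFFSET + 16 * i, 0x80 if bootable else 0x00, ptype, lba, count)
    sector[SIG_OFFSET:] = signature
    return bytes(sector)


# Constructed baseline: placeholder boot code (not a real bootloader) and a typical two-partition layout
LAYOUT = [(True, 0x07, 2048, 1_048_576), (False, 0x07, 1_050_624, 200_000_000)]
BASELINE = build_sector(b"\xfa\x33\xc0" + b"\x90" * 443, LAYOUT)
# Constructed tampered sector: same partition table, but the first 446 bytes overwritten by other code
TAMPERED = build_sector(b"\xeb\x00" * 223, LAYOUT)

if __name__ == "__main__":
    print("baseline vs baseline:", compare_mbr(BASELINE, BASELINE))
    print("tampered vs baseline:", compare_mbr(TAMPERED, BASELINE))
```

Capture the baseline (the hash of the bootstrap region is enough) when a host is built and store it off-box; an MBR overwrite that keeps the partition table intact, which is the pattern the tampered sector reproduces, shows up only in the bootstrap hash.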
Drops file in System32 directory 2 IoCs
Processes: CoronaVirus.exe
- File created: C:\Windows\System32\CoronaVirus.exe
- File created: C:\Windows\System32\Info.hta
Drops file in Program Files directory 64 IoCs
Processes: CoronaVirus.exe ("created" = File created, "modified" = File opened for modification)
- modified: C:\Program Files\7-Zip\Lang\it.txt.id-348ED86E.[coronavirus@qq.com].ncov
- modified: C:\Program Files\Google\Chrome\Application\110.0.5481.104\Extensions\external_extensions.json.id-348ED86E.[coronavirus@qq.com].ncov
- modified: C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml
- modified: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\da-dk\ui-strings.js.id-348ED86E.[coronavirus@qq.com].ncov
- modified: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\selector.js
- created: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MINSBPROXY.DLL.id-348ED86E.[coronavirus@qq.com].ncov
- created: C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN108.XML.id-348ED86E.[coronavirus@qq.com].ncov
- modified: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\hu_get.svg
- created: C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusEDUR_SubTrial-ul-oob.xrm-ms.id-348ED86E.[coronavirus@qq.com].ncov
- modified: C:\Program Files\Microsoft Office\root\Licenses16\VisioProVL_MAK-ul-oob.xrm-ms
- modified: C:\Program Files\7-Zip\7z.sfx.id-348ED86E.[coronavirus@qq.com].ncov
- created: C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN114.XML.id-348ED86E.[coronavirus@qq.com].ncov
- modified: C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-150_8wekyb3d8bbwe\Assets\AppTiles\StoreLogo.scale-150.png
- modified: C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\SplashScreen.scale-100_contrast-white.png
- modified: C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-16_altform-unplated.png
- modified: C:\Program Files\Microsoft Office\root\Licenses16\ProPlusDemoR_BypassTrial180-ppd.xrm-ms.id-348ED86E.[coronavirus@qq.com].ncov
- modified: C:\Program Files\Microsoft Office\root\Office16\MSIPC\bg\msipc.dll.mui
- modified: C:\Program Files\Common Files\microsoft shared\ink\ar-SA\tipresx.dll.mui
- modified: C:\Program Files\7-Zip\Lang\sk.txt.id-348ED86E.[coronavirus@qq.com].ncov
- modified: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\sk-sk\ui-strings.js
- modified: C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp-pl.xrm-ms
- created: C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremDemoR_BypassTrial365-ul-oob.xrm-ms.id-348ED86E.[coronavirus@qq.com].ncov
- modified: C:\Program Files\Microsoft Office\root\Licenses16\PersonalPipcR_OEM_Perp-ppd.xrm-ms
- modified: C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\StopwatchLargeTile.contrast-white_scale-200.png
- modified: C:\Program Files\Microsoft Office\root\Office16\RTC.DLL.id-348ED86E.[coronavirus@qq.com].ncov
- created: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\api-ms-win-crt-runtime-l1-1-0.dll.id-348ED86E.[coronavirus@qq.com].ncov
- modified: C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.185.29\msedgeupdateres_quz.dll
- modified: C:\Program Files\Microsoft Office\root\fre\StartMenu_Win8_RTL.mp4.id-348ED86E.[coronavirus@qq.com].ncov
- modified: C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Images\SkypeAppList.targetsize-24_altform-unplated.png
- modified: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_filterselected-dark-focus_32.svg.id-348ED86E.[coronavirus@qq.com].ncov
- modified: C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019VL_MAK_AE-ul-phn.xrm-ms.id-348ED86E.[coronavirus@qq.com].ncov
- modified: C:\Program Files\Java\jdk-1.8\jre\legal\javafx\libxml2.md
- modified: C:\Program Files\Java\jre-1.8\lib\images\cursors\win32_MoveDrop32x32.gif
- modified: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\System.IdentityModel.Resources.dll
- created: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\Sigma\LICENSE.DATA.id-348ED86E.[coronavirus@qq.com].ncov
- modified: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ComponentModel.DataAnnotations.dll
- modified: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\api-ms-win-core-file-l1-2-0.dll.id-348ED86E.[coronavirus@qq.com].ncov
- modified: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.Serialization.dll
- modified: C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-white_scale-100.png.id-348ED86E.[coronavirus@qq.com].ncov
- modified: C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-multibyte-l1-1-0.dll.id-348ED86E.[coronavirus@qq.com].ncov
- modified: C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\Microsoft.DataStreamer.Excel.dll
- created: C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\ca-Es-VALENCIA.pak.id-348ED86E.[coronavirus@qq.com].ncov
- modified: C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-timezone-l1-1-0.dll.id-348ED86E.[coronavirus@qq.com].ncov
- modified: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Thread.dll
- modified: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Threading.Thread.dll.id-348ED86E.[coronavirus@qq.com].ncov
- created: C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\PresentationCore.resources.dll.id-348ED86E.[coronavirus@qq.com].ncov
- modified: C:\Program Files\Microsoft Office\root\Templates\1033\ApothecaryResume.dotx.id-348ED86E.[coronavirus@qq.com].ncov
- modified: C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\MicrosoftSolitaireAppList.targetsize-256_altform-lightunplated_devicefamily-colorfulunplated.png
- modified: C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml
- created: C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Retail-pl.xrm-ms.id-348ED86E.[coronavirus@qq.com].ncov
- modified: C:\Program Files\VideoLAN\VLC\plugins\access\libsftp_plugin.dll.id-348ED86E.[coronavirus@qq.com].ncov
- modified: C:\Program Files\VideoLAN\VLC\plugins\spu\libremoteosd_plugin.dll.id-348ED86E.[coronavirus@qq.com].ncov
- modified: C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\Be.ps1
- modified: C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_neutral_split.scale-200_8wekyb3d8bbwe\AppxManifest.xml
- modified: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ca-es\ui-strings.js.id-348ED86E.[coronavirus@qq.com].ncov
- modified: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files-select\js\plugin.js.id-348ED86E.[coronavirus@qq.com].ncov
- created: C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail-ppd.xrm-ms.id-348ED86E.[coronavirus@qq.com].ncov
- created: C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\ja-JP\MSFT_PackageManagementSource.schema.mfl.id-348ED86E.[coronavirus@qq.com].ncov
- modified: C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\es\Microsoft.PackageManagement.resources.dll
- modified: C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R64.dll.id-348ED86E.[coronavirus@qq.com].ncov
- created: C:\Program Files\Java\jre-1.8\lib\deploy\splash@2x.gif.id-348ED86E.[coronavirus@qq.com].ncov
- modified: C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\PeopleSmallTile.scale-125.png
- modified: C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\GamesXboxHubAppList.targetsize-80_altform-unplated.png
- modified: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\images\themeless\mobile_reader_logo.svg.id-348ED86E.[coronavirus@qq.com].ncov
Pairs such as System.Threading.Thread.dll followed by System.Threading.Thread.dll.id-348ED86E.[coronavirus@qq.com].ncov show the encrypt-in-place-then-rename sequence. Writing under Program Files and System32 needs an elevated token, so the sample was running as administrator in this run.
Drops file in Windows directory 10 IoCs
Processes: rundll32.exe, NotPetya.exe
- File opened for modification: C:\Windows\perfc.dat (rundll32.exe)
- File opened for modification: C:\Windows\perfc.dat (rundll32.exe)
- File created: C:\Windows\perfc.dat (NotPetya.exe)
- File created: C:\Windows\perfc.dat (NotPetya.exe)
- File opened for modification: C:\Windows\perfc.dat (rundll32.exe)
- File created: C:\Windows\perfc.dat (NotPetya.exe)
- File opened for modification: C:\Windows\perfc.dat (rundll32.exe)
- File created: C:\Windows\perfc (rundll32.exe)
- File created: C:\Windows\dllhost.dat (rundll32.exe)
- File created: C:\Windows\perfc.dat (NotPetya.exe)
perfc.dat is the file name under which NotPetya's main DLL was deployed and then loaded with rundll32.exe; dllhost.dat is the name under which it drops a copy of PsExec for lateral movement; and the extensionless C:\Windows\perfc is the marker the DLL checks for at start-up and exits if present (the published "vaccine"), which is why creating that file read-only blocks re-infection on a host.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 3 IoCs
Processes: msedge.exe
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
These reads come from the browser used to fetch the sample, not from the sample; the signature fires on the process, not on intent.
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes (pid, image):
- 27960 vssadmin.exe
- 1280 vssadmin.exe
The command lines are not reproduced in this view; read this together with "Deletes shadow copies" above, "Uses Volume Shadow Copy service COM API" below, and vssvc.exe acquiring SeBackupPrivilege/SeRestorePrivilege in the token list, which is the service's normal response to a shadow-copy request.
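"Deletes shadow copies" above and this signature describe the same technique (ATT&CK T1490, Inhibit System Recovery), and the report does not show the vssadmin command lines. The following is an added example, my own code and not the report's: the process-creation detection logic a SOC would run over Sysmon event 1 data for that technique, with constructed sample events. The command lines and PIDs in EVENTS are illustrative and not taken from this run; the rule list is my own and deliberately separates "vssadmin list shadows" (interaction) from the destructive forms.

```python
import re

# Label and pattern for each recovery-inhibition command (MITRE ATT&CK T1490);
# patterns run against a lower-cased, whitespace-collapsed command line.
RULES = [
    ("vssadmin delete shadows", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b")),
    ("vssadmin resize shadowstorage", re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\s+shadowstorage\b")),
    ("wmic shadowcopy delete", re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b")),
    ("bcdedit disable recovery",
     re.compile(r"\bbcdedit(\.exe)?\b.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)")),
    ("wbadmin delete backups", re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+(catalog|systemstatebackup|backup)\b")),
    ("powershell Win32_ShadowCopy delete", re.compile(r"\bwin32_shadowcopy\b.*\b(delete|remove)")),
]


def normalise(cmdline):
    """Lower-case and collapse whitespace so spacing and casing tricks do not evade the patterns."""
    return re.sub(r"\s+", " ", cmdline.strip().lower())


def classify(cmdline):
    """Return the labels of every T1490 rule matched by one command line."""
    n = normalise(cmdline)
    return [label for label, rx in RULES if rx.search(n)]


def detect(events):
    """events: dicts with pid, image, parent_image, cmdline (Sysmon event 1 shape). Returns alerts."""
    alerts = []
    for ev in events:
        labels = classify(ev["cmdline"])
        if labels:
            alerts.append({"pid": ev["pid"], "image": ev["image"],
                           "parent": ev["parent_image"], "rules": labels})
    return alerts


# Constructed sample events; the report names vssadmin.exe PIDs 27960 and 1280 but does not show
# their command lines, so these PIDs and command lines are illustrative, not taken from the run.
EVENTS = [
    {"pid": 9001, "image": r"C:\Windows\System32\vssadmin.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"pid": 9002, "image": r"C:\Windows\System32\vssadmin.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe", "cmdline": "vssadmin list shadows"},
    {"pid": 9003, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "parent_image": r"C:\Windows\System32\CoronaVirus.exe", "cmdline": "wmic.exe shadowcopy delete"},
    {"pid": 9004, "image": r"C:\Windows\System32\bcdedit.exe",
     "parent_image": r"C:\Windows\System32\CoronaVirus.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled No"},
    {"pid": 9005, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": 'powershell -c "Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"'},
]

if __name__ == "__main__":
    for a in detect(EVENTS):
        print(a["pid"], a["parent"], "->", ", ".join(a["rules"]))
```

The parent image is carried into the alert on purpose: vssadmin under a backup agent is routine, vssadmin under a freshly dropped executable in System32 is not, and that distinction is what keeps the rule actionable.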
Modifies registry class 1 IoCs
Processes: OpenWith.exe
- Key created: \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000_Classes\Local Settings (OpenWith.exe)
OpenWith.exe is the Windows "How do you want to open this file?" dialog; its appearance is consistent with the sandbox trying to open a renamed .ncov file, not with anything the sample did.
NTFS ADS 3 IoCs
Processes: msedge.exe
- File opened for modification: C:\Users\Admin\Downloads\Unconfirmed 263914.crdownload:SmartScreen (msedge.exe)
- File opened for modification: C:\Users\Admin\Downloads\Unconfirmed 242226.crdownload:SmartScreen (msedge.exe)
- File opened for modification: C:\Users\Admin\Downloads\Unconfirmed 127551.crdownload:SmartScreen (msedge.exe)
The :SmartScreen stream is written by Edge on every download, so this signature records that three files were downloaded during the run, not that the sample hid data in alternate streams.
Opens file in notepad (likely ransom note) 1 IoCs
Processes (pid, image):
- 25864 NOTEPAD.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (pid, image, event count):
- 3080 msedge.exe (2)
- 756 msedge.exe (2)
- 2832 identity_helper.exe (2)
- 1812 msedge.exe (2)
- 4476 rundll32.exe (2)
- 4108 1D28.tmp (7)
- 1740 rundll32.exe (2)
- 3568 rundll32.exe (2)
- 1036 rundll32.exe (2)
- 1428 msedge.exe (2)
- 2668 CoronaVirus.exe (39)
The browser entries are noise; 1D28.tmp enumerating processes repeatedly fits a credential dumper locating lsass.exe, and CoronaVirus.exe's 39 enumerations fit a ransomware loop that looks for processes holding files it wants to encrypt.
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes (pid, image):
- 26128 OpenWith.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
Processes (pid, image, event count):
- 756 msedge.exe (10)
This is the browser broker creating its child processes with the "block non-Microsoft binaries" mitigation policy; it is Edge's own sandboxing, not sample behaviour.
Suspicious use of AdjustPrivilegeToken 16 IoCs
Processes (pid, image: privileges enabled):
- 4476 rundll32.exe: SeShutdownPrivilege, SeDebugPrivilege, SeTcbPrivilege
- 4108 1D28.tmp: SeDebugPrivilege
- 1740 rundll32.exe: SeShutdownPrivilege, SeDebugPrivilege, SeTcbPrivilege
- 3568 rundll32.exe: SeShutdownPrivilege, SeDebugPrivilege, SeTcbPrivilege
- 1036 rundll32.exe: SeShutdownPrivilege, SeDebugPrivilege, SeTcbPrivilege
- 5588 vssvc.exe: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
SeDebugPrivilege in 1D28.tmp is what opening LSASS for a credential dump requires; SeShutdownPrivilege in the rundll32.exe instances matches the reboot that follows the MBR write; the vssvc.exe privileges are the Volume Shadow Copy service's normal set when it is asked to enumerate or delete shadows.
Suspicious use of FindShellTrayWindow 64 IoCs
Processes (pid, image, event count):
- 756 msedge.exe (64)
Suspicious use of SendNotifyMessage 40 IoCs
Processes (pid, image, event count):
- 756 msedge.exe (40)
All 104 events belong to the Edge broker process (PID 756); FindShellTrayWindow and SendNotifyMessage are routine shell interactions of a browser window and carry no signal about the sample.
Suspicious use of SetWindowsHookEx 19 IoCs
Processes (pid, image, event count):
- 1292 NotPetya.exe (1)
- 2812 NotPetya.exe (1)
- 4528 NotPetya.exe (1)
- 3252 NotPetya.exe (1)
- 26128 OpenWith.exe (15)
Suspicious use of WriteProcessMemory 64 IoCs
Processes: msedge.exe
- PID 756 (msedge.exe) wrote to the memory of its child processes 4308, 1500, 3080 and 1000 (all msedge.exe); 64 events in total, most of them to 1500 and 1000
Cross-process writes from the Chromium broker into its own renderer and utility children are how the browser hands them their startup state; none of these events involve the sample.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
1⤵ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
   cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/NotPetya.exe
   - Enumerates system info in registry
   - NTFS ADS
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of WriteProcessMemory
  2⤵ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
     cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffecdda46f8,0x7ffecdda4708,0x7ffecdda4718
  2⤵ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
     cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2224,4445713999026370141,18383452663667751546,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2232 /prefetch:2
  2⤵ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
     cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2224,4445713999026370141,18383452663667751546,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3
     - Suspicious behavior: EnumeratesProcesses
  2⤵ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
     cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2224,4445713999026370141,18383452663667751546,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2568 /prefetch:8
  2⤵ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
     cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,4445713999026370141,18383452663667751546,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3580 /prefetch:1
  2⤵ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
     cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,4445713999026370141,18383452663667751546,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3632 /prefetch:1
  2⤵ C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
     cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2224,4445713999026370141,18383452663667751546,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5628 /prefetch:8
  2⤵ C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
     cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2224,4445713999026370141,18383452663667751546,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5628 /prefetch:8
     - Suspicious behavior: EnumeratesProcesses
  2⤵ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
     cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,4445713999026370141,18383452663667751546,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4152 /prefetch:1
  2⤵ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
     cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,4445713999026370141,18383452663667751546,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5084 /prefetch:1
  2⤵ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
     cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2224,4445713999026370141,18383452663667751546,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3672 /prefetch:8
  2⤵ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
     cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,4445713999026370141,18383452663667751546,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3624 /prefetch:1
  2⤵ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
     cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,4445713999026370141,18383452663667751546,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6200 /prefetch:1
  2⤵ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
     cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,4445713999026370141,18383452663667751546,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6216 /prefetch:1
  2⤵ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
     cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2224,4445713999026370141,18383452663667751546,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6612 /prefetch:8
  2⤵ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
     cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2224,4445713999026370141,18383452663667751546,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6108 /prefetch:8
     - Suspicious behavior: EnumeratesProcesses
  2⤵ C:\Users\Admin\Downloads\NotPetya.exe
     cmd: "C:\Users\Admin\Downloads\NotPetya.exe"
     - Checks computer location settings
     - Executes dropped EXE
     - Drops file in Windows directory
     - Suspicious use of SetWindowsHookEx
    3⤵ C:\Windows\SysWOW64\rundll32.exe
       cmd: "C:\Windows\System32\rundll32.exe" C:\Windows\perfc.dat #1
       - Loads dropped DLL
       - Writes to the Master Boot Record (MBR)
       - Drops file in Windows directory
       - Suspicious behavior: EnumeratesProcesses
       - Suspicious use of AdjustPrivilegeToken
      4⤵ C:\Windows\SysWOW64\cmd.exe
         cmd: /c schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 00:29
        5⤵ C:\Windows\SysWOW64\schtasks.exe
           cmd: schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 00:29
           - Creates scheduled task(s)
      4⤵ C:\Users\Admin\AppData\Local\Temp\1D28.tmp
         cmd: "C:\Users\Admin\AppData\Local\Temp\1D28.tmp" \\.\pipe\{1A6AE75C-76A6-4A09-9818-2709A6C57F25}
         - Executes dropped EXE
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
  2⤵ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
     cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,4445713999026370141,18383452663667751546,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5264 /prefetch:1
  2⤵ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
     cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2224,4445713999026370141,18383452663667751546,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5340 /prefetch:8
  2⤵ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
     cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2224,4445713999026370141,18383452663667751546,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5752 /prefetch:8
     - Suspicious behavior: EnumeratesProcesses
  2⤵ C:\Users\Admin\Downloads\CoronaVirus.exe
     cmd: "C:\Users\Admin\Downloads\CoronaVirus.exe"
     - Checks computer location settings
     - Drops startup file
     - Executes dropped EXE
     - Adds Run key to start application
     - Drops desktop.ini file(s)
     - Drops file in System32 directory
     - Drops file in Program Files directory
     - Suspicious behavior: EnumeratesProcesses
    3⤵ C:\Windows\system32\cmd.exe
       cmd: "C:\Windows\system32\cmd.exe"
      4⤵ C:\Windows\system32\mode.com
         cmd: mode con cp select=1251
      4⤵ C:\Windows\system32\vssadmin.exe
         cmd: vssadmin delete shadows /all /quiet
         - Interacts with shadow copies
    3⤵ C:\Windows\system32\cmd.exe
       cmd: "C:\Windows\system32\cmd.exe"
      4⤵ C:\Windows\system32\mode.com
         cmd: mode con cp select=1251
      4⤵ C:\Windows\system32\vssadmin.exe
         cmd: vssadmin delete shadows /all /quiet
         - Interacts with shadow copies
    3⤵ C:\Windows\System32\mshta.exe
       cmd: "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
    3⤵ C:\Windows\System32\mshta.exe
       cmd: "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
  2⤵ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
     cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2224,4445713999026370141,18383452663667751546,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6356 /prefetch:2
  2⤵ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
     cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,4445713999026370141,18383452663667751546,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1
  2⤵ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
     cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,4445713999026370141,18383452663667751546,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6644 /prefetch:1
1⤵ C:\Windows\System32\CompPkgSrv.exe
   cmd: C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵ C:\Windows\System32\CompPkgSrv.exe
   cmd: C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵ C:\Windows\System32\rundll32.exe
   cmd: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵ C:\Users\Admin\Downloads\NotPetya.exe
   cmd: "C:\Users\Admin\Downloads\NotPetya.exe"
   - Checks computer location settings
   - Executes dropped EXE
   - Drops file in Windows directory
   - Suspicious use of SetWindowsHookEx
  2⤵ C:\Windows\SysWOW64\rundll32.exe
     cmd: "C:\Windows\System32\rundll32.exe" C:\Windows\perfc.dat #1
     - Loads dropped DLL
     - Drops file in Windows directory
     - Suspicious behavior: EnumeratesProcesses
     - Suspicious use of AdjustPrivilegeToken
1⤵ C:\Users\Admin\Downloads\NotPetya.exe
   cmd: "C:\Users\Admin\Downloads\NotPetya.exe"
   - Checks computer location settings
   - Executes dropped EXE
   - Drops file in Windows directory
   - Suspicious use of SetWindowsHookEx
  2⤵ C:\Windows\SysWOW64\rundll32.exe
     cmd: "C:\Windows\System32\rundll32.exe" C:\Windows\perfc.dat #1
     - Loads dropped DLL
     - Drops file in Windows directory
     - Suspicious behavior: EnumeratesProcesses
     - Suspicious use of AdjustPrivilegeToken
1⤵ C:\Users\Admin\Downloads\NotPetya.exe
   cmd: "C:\Users\Admin\Downloads\NotPetya.exe"
   - Checks computer location settings
   - Executes dropped EXE
   - Drops file in Windows directory
   - Suspicious use of SetWindowsHookEx
  2⤵ C:\Windows\SysWOW64\rundll32.exe
     cmd: "C:\Windows\System32\rundll32.exe" C:\Windows\perfc.dat #1
     - Loads dropped DLL
     - Drops file in Windows directory
     - Suspicious behavior: EnumeratesProcesses
     - Suspicious use of AdjustPrivilegeToken
1⤵ C:\Users\Admin\Downloads\CoronaVirus.exe
   cmd: "C:\Users\Admin\Downloads\CoronaVirus.exe"
   - Executes dropped EXE
1⤵ C:\Windows\system32\vssvc.exe
   cmd: C:\Windows\system32\vssvc.exe
   - Suspicious use of AdjustPrivilegeToken
1⤵ C:\Users\Admin\Downloads\CoronaVirus.exe
   cmd: "C:\Users\Admin\Downloads\CoronaVirus.exe"
   - Executes dropped EXE
1⤵ C:\Windows\system32\OpenWith.exe
   cmd: C:\Windows\system32\OpenWith.exe -Embedding
   - Modifies registry class
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of SetWindowsHookEx
  2⤵ C:\Windows\system32\NOTEPAD.EXE
     cmd: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\BlockResolve.AAC.id-348ED86E.[coronavirus@qq.com].ncov
     - Opens file in notepad (likely ransom note). The sandbox heuristic misreads this one: the file opened is an encrypted user file carrying the Dharma-style <name>.id-<ID>.[<contact>].<ext> suffix; the actual note is FILES ENCRYPTED.txt, opened by the next process.
1⤵ C:\Windows\system32\NOTEPAD.EXE
   cmd: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\FILES ENCRYPTED.txt
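The NOTEPAD entry above opens a file renamed in the Dharma pattern `<original>.id-<ID>.[<contact>].<ext>`, and the report's "Renames multiple (512) files with added filename extension" signature fires on that mass rename. The Python below is an added example, not the sandbox's signature logic and not code from either sample: it parses that filename pattern and flags a before/after directory listing in which many files received the same appended suffix. The 8-hex-digit victim ID is an assumption about the pattern, and the doc0.txt..doc11.txt listing is constructed input.

```python
import re
from collections import Counter

# Added example (not part of the sandbox report). Parses the Dharma-style
# "<name>.id-<ID>.[<contact>].<ext>" filename shown in the process tree and
# detects a mass rename where many files received one identical suffix.
# Assumption: the victim ID is 8 hex digits (true of the sample shown).
DHARMA_NAME = re.compile(
    r"^(?P<original>.+?)"
    r"\.id-(?P<victim_id>[0-9A-Fa-f]{8})"
    r"\.\[(?P<contact>[^\]]+)\]"
    r"\.(?P<ext>[A-Za-z0-9]+)$"
)


def parse_dharma_name(filename: str):
    """Return the parts of a Dharma-style encrypted filename, or None."""
    m = DHARMA_NAME.match(filename)
    return m.groupdict() if m else None


def added_extension(before: str, after: str):
    """If `after` is `before` plus a non-empty suffix, return the suffix."""
    if after.startswith(before) and len(after) > len(before):
        return after[len(before):]
    return None


def detect_mass_rename(before, after, threshold=10):
    """Flag when at least `threshold` files got the same suffix appended.

    `before` and `after` are parallel lists of filenames (same order).
    Returns (triggered, most_common_suffix, count).
    """
    suffixes = Counter()
    for b, a in zip(before, after):
        s = added_extension(b, a)
        if s:
            suffixes[s] += 1
    if not suffixes:
        return False, None, 0
    suffix, count = suffixes.most_common(1)[0]
    return count >= threshold, suffix, count


# Constructed listing: 12 invented user files plus the one file the report
# shows, all renamed with the suffix taken from the NOTEPAD command line.
ORIGINALS = [f"doc{i}.txt" for i in range(12)] + ["BlockResolve.AAC"]
SUFFIX = ".id-348ED86E.[coronavirus@qq.com].ncov"
ENCRYPTED = [name + SUFFIX for name in ORIGINALS]

if __name__ == "__main__":
    print(parse_dharma_name("BlockResolve.AAC.id-348ED86E.[coronavirus@qq.com].ncov"))
    print(detect_mass_rename(ORIGINALS, ENCRYPTED))
```

The suffix is the same on every file because the victim ID and contact address are per-machine, not per-file, which is what makes a Counter over appended suffixes a cheap and precise mass-rename signal; a genuine user batch-rename rarely appends one identical multi-part suffix to dozens of files. Note that the ransom note FILES ENCRYPTED.txt does not match the pattern, so a parser driven only by this regex will not mistake the note for an encrypted file.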
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Pre-OS Boot (1): Bootkit (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
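One way to turn the process tree into detections carrying the technique tags the matrix uses: the Python below is an added example, not the sandbox's own signature engine. The events are constructed from the command lines shown in the tree, with each parent reduced to the creating image, and the top-level rundll32/shell32 COM launch is given an empty parent because the report shows none. Technique IDs follow ATT&CK; the T1003 tag on the Temp executable rests on the report's own mimikatz YARA hit for 1D28.tmp, not on anything in the command line itself.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    image: str         # full path of the created process
    cmdline: str       # its command line
    parent_image: str  # path of the creating process ("" when the report shows none)


@dataclass
class Hit:
    technique: str
    reason: str


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


# rundll32 <file> #<ordinal>: the NotPetya launch "rundll32.exe C:\Windows\perfc.dat #1"
RUNDLL_ORDINAL = re.compile(r'rundll32\.exe"?\s+(\S+?)\s+#(\d+)', re.IGNORECASE)


def check_event(ev: ProcEvent) -> list:
    """Rules written against the behaviours visible in the tree above."""
    hits = []
    name = _basename(ev.image)
    cl = ev.cmdline.lower()

    # T1490 Inhibit System Recovery: shadow copies deleted from the command line
    if name == "vssadmin.exe" and "delete" in cl and "shadows" in cl:
        hits.append(Hit("T1490", "vssadmin deletes volume shadow copies"))

    # T1053.005 Scheduled Task + T1529 System Shutdown/Reboot: the timed reboot task
    if name == "schtasks.exe" and "/create" in cl and "shutdown" in cl:
        hits.append(Hit("T1053.005", "scheduled task whose action is shutdown.exe"))
        hits.append(Hit("T1529", "forced reboot (shutdown /r /f) on a timer"))

    # T1218.011 Rundll32: a file without a .dll extension invoked by export ordinal
    m = RUNDLL_ORDINAL.search(ev.cmdline)
    if name == "rundll32.exe" and m and not m.group(1).lower().endswith(".dll"):
        hits.append(Hit("T1218.011", f"rundll32 loads {m.group(1)} by export ordinal #{m.group(2)}"))

    # T1218.005 Mshta + T1547.001 Startup Folder: an .hta executed from a Startup directory
    if name == "mshta.exe" and "\\start menu\\programs\\startup\\" in cl:
        hits.append(Hit("T1218.005", "mshta executes an .hta"))
        hits.append(Hit("T1547.001", ".hta launched from a Startup folder"))

    # T1003 OS Credential Dumping: Temp-dropped executable handed a named pipe
    # (the 1D28.tmp launch; the T1003 label relies on the report's mimikatz YARA hit)
    if "\\appdata\\local\\temp\\" in ev.image.lower() and "\\\\.\\pipe\\" in cl:
        hits.append(Hit("T1003", "executable dropped in Temp given a named pipe argument"))

    return hits


def scan(events):
    """(technique, image basename, reason) for every rule that fired."""
    return [(h.technique, _basename(ev.image), h.reason)
            for ev in events for h in check_event(ev)]


def techniques(events):
    """Sorted technique IDs observed, for a matrix-style summary."""
    return sorted({t for t, _, _ in scan(events)})


# Constructed from the command lines in the process tree above.
EVENTS = [
    ProcEvent(r"C:\Windows\system32\vssadmin.exe",
              "vssadmin delete shadows /all /quiet",
              r"C:\Windows\system32\cmd.exe"),
    ProcEvent(r"C:\Windows\SysWOW64\rundll32.exe",
              r'"C:\Windows\System32\rundll32.exe" C:\Windows\perfc.dat #1',
              r"C:\Users\Admin\Downloads\NotPetya.exe"),
    ProcEvent(r"C:\Windows\SysWOW64\schtasks.exe",
              r'schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 00:29',
              r"C:\Windows\SysWOW64\cmd.exe"),
    ProcEvent(r"C:\Users\Admin\AppData\Local\Temp\1D28.tmp",
              r'"C:\Users\Admin\AppData\Local\Temp\1D28.tmp" \\.\pipe\{1A6AE75C-76A6-4A09-9818-2709A6C57F25}',
              r"C:\Windows\SysWOW64\rundll32.exe"),
    ProcEvent(r"C:\Windows\System32\mshta.exe",
              r'"C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"',
              r"C:\Users\Admin\Downloads\CoronaVirus.exe"),
    # Top-level COM server launch; legitimate shell32 export, no ordinal, no parent shown.
    ProcEvent(r"C:\Windows\System32\rundll32.exe",
              r"C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding",
              ""),
]

if __name__ == "__main__":
    for row in scan(EVENTS):
        print(row)
```

The rundll32 rule keys on two things at once, a non-.dll file name and an ordinal export, so the shell32.dll COM launch at the top level of the tree stays silent while perfc.dat #1 fires; with either condition alone the rule would either miss the sample or page on every legitimate `rundll32 foo.dll,Export` line. The matrix extracted above only lists the Persistence and Privilege Escalation columns; the rules here also cover the Impact (T1490, T1529), Defense Evasion (T1218.*) and Credential Access (T1003) behaviours that the tree itself evidences.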
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize: 152B
MD5: e2ece0fcb9f6256efba522462a9a9288
SHA1: ccc599f64d30e15833b45c7e52924d4bd2f54acb
SHA256: 0eff6f3011208a312a1010db0620bb6680fe49d4fa3344930302e950b74ad005
SHA512: ead68dd972cfb1eccc194572279ae3e4ac989546bfb9e8d511c6bc178fc12aaebd20b49860d2b70ac1f5d4236b0df1b484a979b926edbe23f281b8139ff1a9ac
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize: 152B
MD5: 864aa9768ef47143c455b31fd314d660
SHA1: 09d879e0e77698f28b435ed0e7d8e166e28fafa2
SHA256: 3118d55d1f04ecdd849971d8c49896b5c874bdbea63e5288547b9812c0640e10
SHA512: 75dce411fce8166c8905ed8da910adb1dd08ab1c9d7cd5431ef905531f2f0374caf73dedd5d238b457ece61273f6c81e632d23eb8409efbb6bf0d01442008488
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 1KB
MD5: cdfb452880b76d6ff2d40b5d1e3d5e9d
SHA1: bf26b079c18232aff59530d234ac89fedd2c037a
SHA256: f250a492cf00982542013c43656ec7e776fb325fc409ac1c034a095bda37a38b
SHA512: 943eb605369d6c32549ce8ca1db8c1b0ad6550fba8954ce562012ee86cfc233d6419c097db9152d99c8c90953012a3bb9dd64ca92fc10c0a3221404ef4c86c8d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize: 579B
MD5: 46fa4f5f7344089589d117bd7599b3a9
SHA1: b6cc1fe19e527d4a372c97e4d195ed94eee40030
SHA256: 223280d95a13f1af6af06459bbf230874500c212a2e16f63914eff3f22e8b57a
SHA512: 6b680aedde7e806802652aab9ab31cb21438bc8756b063955e6f03bbbdf1273f7d47c40ec1a19fe27537afeb8d6cc219a246d31f7c6822b481649fe296e2a45c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize: 6KB
MD5: 3ecb62c6629f1014318638ed1979879d
SHA1: 6624a4463dc57f8107a6ee8d812637270e4fb6f6
SHA256: 78c9a64463bf19d291560c3f56290c7012509cbc4b7b0341dc18934409fdd405
SHA512: 8a8ccdb500594d710dde032fc9ad7cd6584339e8e9c1eb2871501f694af4ed5dc87702fb0f3a2e567520f81a9ad8ed1c63823ce6ad33090fc2791633e5980294
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize: 6KB
MD5: 787722550353aa923b637ec406b61b0d
SHA1: 79608563954e08365d13732b55a274ca40b387b0
SHA256: 53e9fa65d819bbb8ab53760b0357269ad400bff3b194cb964b85f867ba7f771e
SHA512: 672564ab6b3271cc824402618b48453781e162c3d3d834ff92b5289c17195e371de6d151a51a328f84670b6a800e0242607c95d6b729c18cff2369e70948ead3
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize: 6KB
MD5: 94f6f429d8b5afb060db9bee69ea250c
SHA1: 905658a40883d74d9f04b531ffe7cc9f9717abae
SHA256: 17f3379324ad46333025c54fd55ccc17bca25e5242897e6b7d24303bc98d05ba
SHA512: 362ab05bb78348b841afeb01a2e59208e2a2c02f89f66a4c674b835f6276b5d6122401c1daf77c941cb1677f50b12d7582588ce7754cb6143d474ea62487bf27
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize: 6KB
MD5: da8bbcaef0b4c6d764cb08757fd7c209
SHA1: e497e9520a054a203c30c848aeafdd229784f76c
SHA256: 737349660777bd23f0b787453bdb3805a0dc6c5c9b42b4d4ef76cb148e199619
SHA512: 428a8430e8fe236831893c4a1e5deb423670874f9b20d31c2cd745e1614922f9dbefb4e89aedf5aa6e0186a0792eeb6370a57f514b6be3ec0339cdef4adc90a9
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize: 6KB
MD5: a06fd20b5d97d3103056ba1c7757ed12
SHA1: c67f5cb4cbd0e543fa9a8b7e30f6033b9b5a763e
SHA256: 49e7c3a09b2f5b216f64d005e5e131169318d8209f6d0b4b76a3107cd2fed037
SHA512: 8d3ec2607be52c7e6f3ec66c593efe6cab0fff005d15c789d16e05076bd5509b051aa13616eb5fedaa637980ab1b65469834f94559916a521bb28fff0a74f961
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize: 6KB
MD5: 87784adf425016276a5d8b9e462d7bd8
SHA1: be42861e1ff94d22dcfb19c4fc2e7f0232cdcb85
SHA256: ad79756f24e648641fcc458303a342b34a37f4f6348178dbe1c3e5b255452e81
SHA512: f77f2958fde771348ebbe5b20df261d7107564feceab96e826bde1f549501284921f4ecf17c9c1262f0352b379312559de30edb3593ca385922eabe00a685b70
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize: 6KB
MD5: 860416e0cbf355d7ec871b36e7db9d98
SHA1: 3a76e86085a0b68960eb5a51f41093a73efd5469
SHA256: 75c732b5b210d6e7491f55aca1067cfee071c2f52e31facdaad5a14f16ad3b31
SHA512: 8d8b6128e2f724d878ebe2ad0d358689a2bd73bca23a12333caedad890dba6aec472d25c9c0dfcf2f0e56bb8b5602df33be51b280a0f362dd70307bd408038a2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize: 1KB
MD5: b836d712e2b42decb2a2b2859c66b22d
SHA1: cbd01384df8fe1b07a9c4111483d7764bc21c346
SHA256: 42f65c92609cfc67b71902bb2236f2157f7cab441bb453aa9b99ada922371106
SHA512: adf31cb890c172dd16ce8b71dac07247c51107063224f91ac7e1995e0ebe3b4f7433dbc4d299b0a1cbe20f3441e22159b2870a9b5ec4e299619128ebfc60b295
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize: 1KB
MD5: 59f6efbdd8431b2539955576db111a6f
SHA1: 0a7edf11c57d4146f589bbba09af4518850b55c2
SHA256: 405cc2b132acf3ba3873190c87a2a423ec5f639d4dac192fa10c54e8dbce4184
SHA512: 2e47d853fe6caa286be9a80715fa2b79ac8dba2a8990543fd03b7ddf748a94fbbda79d42e3ea31b67685b3e5b8db74829b0b20581f40812c19ca683a409dc328
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize: 1KB
MD5: 662e0acde2e94ee7b4d3f01da385a2f6
SHA1: 4ee64daf37b5ae37da6993301b8c13b9afab0710
SHA256: 2cd1843aea68f35d7f1e113c695ed63f841c59f583aa1b933d83fa52ae42b12e
SHA512: 90727ae7d0bbcc5368937629bfb4ae3ad01f1e73b5e13e205885616236b560b2de84b62e93baf761805bf6eaab465dd96390a250838428cd1051cbb6ef9cb140
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize: 1KB
MD5: fb34f19386f1ed25e4868c83eb59754f
SHA1: 15d8672443787ee9211f30a6d74854f4c2963383
SHA256: eae874be50db76a9af3afb36a763fab4c9aeebf6ebb70b5e52caad7c7d4046bd
SHA512: 65fdd4661302295369f06f701c3d75491c17c7009b21ba67c34820a1355abca84856a628bf017e44d8ad6142e6f00385468f8487ed6c86c446579a1edffba1e2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize: 1KB
MD5: d0cfd251b853839bb4119a15bdda9c89
SHA1: 67a8837f3ad11eafa77a705c528f6217da9d82e9
SHA256: 7853ceb44c04b6d5ef5d1b44f475e0c51285292f22afbdfcb4877399ff323a49
SHA512: 37c1faff8a25935225427b8a6001f8ef1a0d7ff3d7a9aa597d17fc00c1d2be03ea4fc674c2528195711600383dd596824a2e88af29d4906c0a64ed203a2a5e9a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize: 1KB
MD5: e3e29db482c0408bd780561fb6d49154
SHA1: e4be446abce59d65eff65d56974b742f4ba52724
SHA256: cb9e790f5f44d8cffd55d748023905258a7b1be8b809572cf2537925d7b52594
SHA512: a66f0c633bc7b4f6b8f49457149466f2742182ce38b350445666cab1719f1f8e7947028cda19f59d2e7d2be300782017ce278602abe0050e1f31c13d273648a1
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize: 1KB
MD5: de923b9af764dd057ebe39040057bdcc
SHA1: ccca2856538fd1d28799e341f6f3615b0327105c
SHA256: 7fa24704077a14b7c3e2d9676fbcd6100324c4095ec531ccadce852d06821d6f
SHA512: 106179c68a7b2a176591793c09b70612f159c88edefa53d6c1d47323f29da4b6474c439a6ac9e60ec9ae6aaff96a7bfb24467c4fad3ebdcb18d01253dbd26189
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58607a.TMP
Filesize: 1KB
MD5: 4337590e12a8cba7a738a66144b45b32
SHA1: 240f6626f62ea23145eb260738d4b519a4759ac6
SHA256: c0ee2969b6f41734ff6b32db07bfe48d732c9d2dec8f4e6995ff16e812753357
SHA512: 8f4e90d166021988b5a9aa86a7a2849812bfbf2cba54c9fdff0222a5cdba7e937c7ed4c5da2eec134d4d2ef34fd14ff4eda2b858959d611055bac07ed7ce135d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize: 16B
MD5: 206702161f94c5cd39fadd03f4014d98
SHA1: bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256: 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512: 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize: 16B
MD5: 46295cac801e5d4857d09837238a6394
SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\heavy_ad_intervention_opt_out.db
Filesize: 16KB
MD5: 9e02552124890dc7e040ce55841d75a4
SHA1: f4179e9e3c00378fa4ad61c94527602c70aa0ad9
SHA256: 7b6e4ce73ddd8b5e7a7c4a94374ac2815d0048a5296879d7659a92ee0b425c77
SHA512: 3e10237b1bff73f3bb031f108b8de18f1b3c3396d63dfee8eb2401ce650392b9417143a9ef5234831d8386fc12e232b583dd45eada3f2828b3a0a818123dd5cd
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize: 12KB
MD5: a8057eb2a1d66bfa28e9996e432f720c
SHA1: 0e601b8954f8adc97441b11c5222344c976383b8
SHA256: d8cae16870572c5dbf7c3c6300c01cb37fa2f39a920d805ad79f10011558e659
SHA512: 32e0813633211468975d9ff9f14765993b8b4e656e2abb6a48aa7eb503d4263ee21e63337fb13f5468bd0b808c969ec69d2a6c53ed84b5ebcad7e8b7d6955eb1
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize: 11KB
MD5: b2f992ff426244744ec7967e69b9e79d
SHA1: 6ce05add747e9ea097a7d4865367fe7c2b30bb68
SHA256: b73886cbb60606dfe8cc2d51c480a34871f6e82fde64949fd8b08e98ca88768b
SHA512: 3bc1879da5ed3aa1ee924545b562ba0cc1f6ee25bcdd309c8f7220ff318994c8ca271138042cec82d0a9698be2d6932e7a9a915f5a1fc05d48272f94edf0cb3c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize: 11KB
MD5: 19baaf8f09b4e303153e111c0ae2d380
SHA1: b354c03d726278bb8f2e84fc3ef5783b9bb3d68b
SHA256: 33f1ab7d2267ba3506f84d75daa035eba1d568ae195c92d98e88e5cdc27bce81
SHA512: 06794d84aac0b092430ecb0aea24f8832ea6ab796d8ed2f1594af43d3509b62997aee7c9380ee642e7d715d1d82f1f9fecd129340028f65bf53188b2dc11071a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize: 11KB
MD5: 1411114dfa686e1eeb3c49113a7c6547
SHA1: 1d0c8127fa2a9a382bfffd7c5d2c23e14e00c0a7
SHA256: e62be01e5473769513d83f65a320b89c8af3c186464057362071689fb730e90d
SHA512: 3d8c998d43ee14227ef2d667c761b6815de850adcc07cf63bf72071de2a21f47bc962b0699247fe392bd2977c31083951131bff5a8518ca2f15d0d393df431b2
-
C:\Users\Admin\AppData\Local\Temp\1D28.tmp
Filesize: 55KB
MD5: 7e37ab34ecdcc3e77e24522ddfd4852d
SHA1: 38e2855e11e353cedf9a8a4f2f2747f1c5c07fcf
SHA256: 02ef73bd2458627ed7b397ec26ee2de2e92c71a0e7588f78734761d8edbdcd9f
SHA512: 1b037a2aa8bf951d2ffe2f724aa0b2fbb39c2173215806ba0327bda7b096301d887f9bb7db46f9e04584b16aa6b1aaeaf67f0ecf5f20eb02ceac27c8753ca587
-
C:\Users\Admin\Downloads\Unconfirmed 127551.crdownload
Filesize: 184KB
MD5: c9c341eaf04c89933ed28cbc2739d325
SHA1: c5b7d47aef3bd33a24293138fcba3a5ff286c2a8
SHA256: 1a0a2fd546e3c05e15b2db3b531cb8e8755641f5f1c17910ce2fb7bbce2a05b7
SHA512: 7cfa6ec0be0f5ae80404c6c709a6fd00ca10a18b6def5ca746611d0d32a9552f7961ab0ebf8a336b27f7058d700205be7fcc859a30d7d185aa9457267090f99b
-
C:\Users\Admin\Downloads\Unconfirmed 242226.crdownload
Filesize: 1.0MB
MD5: 055d1462f66a350d9886542d4d79bc2b
SHA1: f1086d2f667d807dbb1aa362a7a809ea119f2565
SHA256: dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0
SHA512: 2c5e570226252bdb2104c90d5b75f11493af8ed1be8cb0fd14e3f324311a82138753064731b80ce8e8b120b3fe7009b21a50e9f4583d534080e28ab84b83fee1
-
C:\Users\Admin\Downloads\Unconfirmed 263914.crdownload
Filesize: 390KB
MD5: 5b7e6e352bacc93f7b80bc968b6ea493
SHA1: e686139d5ed8528117ba6ca68fe415e4fb02f2be
SHA256: 63545fa195488ff51955f09833332b9660d18f8afb16bdf579134661962e548a
SHA512: 9d24af0cb00fb8a5e61e9d19cd603b5541a22ae6229c2acf498447e0e7d4145fee25c8ab9d5d5f18f554e6cbf8ca56b7ca3144e726d7dfd64076a42a25b3dfb6
-
C:\Windows\perfc.dat
Filesize: 353KB
MD5: 9a7ffe65e0912f9379ba6e8e0b079fde
SHA1: 532bea84179e2336caed26e31805ceaa7eec53dd
SHA256: 4b336c3cc9b6c691fe581077e3dd9ea7df3bf48f79e35b05cf87e079ec8e0651
SHA512: e8ebf30488b9475529d3345a00c002fe44336718af8bc99879018982bbc1172fc77f9fee12c541bab9665690092709ef5f847b40201782732c717c331bb77c31
-
C:\Windows\perfc.dat
Filesize: 353KB
MD5: 71b6a493388e7d0b40c83ce903bc6b04
SHA1: 34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d
SHA256: 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745
SHA512: 072205eca5099d9269f358fe534b370ff21a4f12d7938d6d2e2713f69310f0698e53b8aff062849f0b2a521f68bee097c1840993825d2a5a3aa8cf4145911c6f
-
\??\pipe\LOCAL\crashpad_756_DUDAJNDRAINKRGOR
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
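The hash table above is what an analyst loads into a hunt. The Python below is an added example, not part of the report: it recomputes the four digests the report lists for arbitrary bytes and matches them against a subset of the entries copied from the table (both perfc.dat drops, 1D28.tmp, the three .crdownload files and the crashpad pipe). The inputs are constructed: the empty byte string is there because the pipe entry's digests are exactly those of zero-length input, so an empty file would "match" that IOC, which is why a matcher should treat such entries as non-evidence; the "MZ constructed sample" string is not any real binary.

```python
import hashlib

# Added example (not part of the sandbox report). IOC rows copied from the
# Downloads table above: (path as reported, size, md5, sha1, sha256).
IOCS = [
    (r"C:\Windows\perfc.dat", "353KB",
     "9a7ffe65e0912f9379ba6e8e0b079fde",
     "532bea84179e2336caed26e31805ceaa7eec53dd",
     "4b336c3cc9b6c691fe581077e3dd9ea7df3bf48f79e35b05cf87e079ec8e0651"),
    (r"C:\Windows\perfc.dat", "353KB",
     "71b6a493388e7d0b40c83ce903bc6b04",
     "34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d",
     "027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745"),
    (r"C:\Users\Admin\AppData\Local\Temp\1D28.tmp", "55KB",
     "7e37ab34ecdcc3e77e24522ddfd4852d",
     "38e2855e11e353cedf9a8a4f2f2747f1c5c07fcf",
     "02ef73bd2458627ed7b397ec26ee2de2e92c71a0e7588f78734761d8edbdcd9f"),
    (r"C:\Users\Admin\Downloads\Unconfirmed 127551.crdownload", "184KB",
     "c9c341eaf04c89933ed28cbc2739d325",
     "c5b7d47aef3bd33a24293138fcba3a5ff286c2a8",
     "1a0a2fd546e3c05e15b2db3b531cb8e8755641f5f1c17910ce2fb7bbce2a05b7"),
    (r"C:\Users\Admin\Downloads\Unconfirmed 242226.crdownload", "1.0MB",
     "055d1462f66a350d9886542d4d79bc2b",
     "f1086d2f667d807dbb1aa362a7a809ea119f2565",
     "dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0"),
    (r"C:\Users\Admin\Downloads\Unconfirmed 263914.crdownload", "390KB",
     "5b7e6e352bacc93f7b80bc968b6ea493",
     "e686139d5ed8528117ba6ca68fe415e4fb02f2be",
     "63545fa195488ff51955f09833332b9660d18f8afb16bdf579134661962e548a"),
    # The pipe entry: these are the digests of zero bytes, not of any payload.
    (r"\??\pipe\LOCAL\crashpad_756_DUDAJNDRAINKRGOR", "",
     "d41d8cd98f00b204e9800998ecf8427e",
     "da39a3ee5e6b4b0d3255bfef95601890afd80709",
     "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"),
]

EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"


def digests(data: bytes) -> dict:
    """The four digests the report lists, as lowercase hex."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha512": hashlib.sha512(data).hexdigest(),
    }


def match_iocs(data: bytes, iocs=IOCS):
    """Return (full_matches, partial_matches) as lists of reported paths.

    A full match needs md5, sha1 and sha256 to agree. A partial match (only
    some algorithms agree) is reported separately: it indicates a transcription
    error in the IOC row rather than the file in question.
    """
    d = digests(data)
    full, partial = [], []
    for path, _size, md5, sha1, sha256 in iocs:
        agree = [d["md5"] == md5, d["sha1"] == sha1, d["sha256"] == sha256]
        if all(agree):
            full.append(path)
        elif any(agree):
            partial.append(path)
    return full, partial


def empty_content_iocs(iocs=IOCS):
    """IOC rows whose SHA-256 is that of zero bytes; they cannot identify a file."""
    return [path for path, _s, _m, _a, sha256 in iocs if sha256 == EMPTY_SHA256]


def paths_with_multiple_hashes(iocs=IOCS):
    """Paths that appear with more than one distinct content hash."""
    seen = {}
    for path, _s, _m, _a, sha256 in iocs:
        seen.setdefault(path, set()).add(sha256)
    return {p: len(h) for p, h in seen.items() if len(h) > 1}


if __name__ == "__main__":
    print(match_iocs(b""))                       # the pipe entry, and only it
    print(empty_content_iocs())
    print(paths_with_multiple_hashes())          # perfc.dat was written twice with different content
```

Two things the table itself shows and this code surfaces: C:\Windows\perfc.dat appears with two different hash sets, so a hunt keyed on a single perfc.dat hash would miss one of the drops, and the crashpad pipe row hashes to the empty-input digests and should be excluded from any blocklist before it is shipped.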
-
memory/1036-337-0x0000000002230000-0x000000000228E000-memory.dmp
Filesize: 376KB
-
memory/1036-345-0x0000000002230000-0x000000000228E000-memory.dmp
Filesize: 376KB
-
memory/1740-283-0x0000000000C40000-0x0000000000C9E000-memory.dmp
Filesize: 376KB
-
memory/1740-275-0x0000000000C40000-0x0000000000C9E000-memory.dmp
Filesize: 376KB
-
memory/1908-4953-0x0000000000400000-0x000000000056F000-memory.dmp
Filesize: 1.4MB
-
memory/1908-455-0x0000000000400000-0x000000000056F000-memory.dmp
Filesize: 1.4MB
-
memory/1908-5046-0x000000000AC70000-0x000000000ACA4000-memory.dmp
Filesize: 208KB
-
memory/1908-5238-0x0000000000400000-0x000000000056F000-memory.dmp
Filesize: 1.4MB
-
memory/2668-456-0x000000000ADB0000-0x000000000ADE4000-memory.dmp
Filesize: 208KB
-
memory/2668-457-0x0000000000400000-0x000000000056F000-memory.dmp
Filesize: 1.4MB
-
memory/2668-431-0x0000000000400000-0x000000000056F000-memory.dmp
Filesize: 1.4MB
-
memory/2668-4986-0x0000000000400000-0x000000000056F000-memory.dmp
Filesize: 1.4MB
-
memory/3568-316-0x0000000000A00000-0x0000000000A5E000-memory.dmp
Filesize: 376KB
-
memory/3568-324-0x0000000000A00000-0x0000000000A5E000-memory.dmp
Filesize: 376KB
-
memory/4476-230-0x0000000002200000-0x000000000225E000-memory.dmp
Filesize: 376KB
-
memory/4476-218-0x0000000002200000-0x000000000225E000-memory.dmp
Filesize: 376KB
-
memory/4476-216-0x0000000002200000-0x000000000225E000-memory.dmp
Filesize: 376KB
-
memory/4476-215-0x0000000002200000-0x000000000225E000-memory.dmp
Filesize: 376KB
-
memory/4476-207-0x0000000002200000-0x000000000225E000-memory.dmp
Filesize: 376KB
-
memory/17368-8594-0x0000000000400000-0x000000000056F000-memory.dmp
Filesize: 1.4MB
-
memory/17368-8319-0x0000000000400000-0x000000000056F000-memory.dmp
Filesize: 1.4MB
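The dump names above encode the PID, a sequence number and the start and end addresses of the dumped region. The Python below is an added example, not from the report or the sandbox: it parses those names, recomputes the sizes the report prints (0x56F000 - 0x400000 = 1,503,232 bytes, which the report rounds to 1.4MB) and groups regions by address range so that processes sharing one mapped image stand out. The names are copied from the list; the size formatting is our reconstruction of the report's rounding, and it is an assumption that the report uses binary (1024-based) units.

```python
import re
from collections import defaultdict

# Added example (not part of the sandbox report). Dump names follow
# "memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp" as listed above.
DUMP_NAME = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_dump_name(name: str) -> dict:
    m = DUMP_NAME.match(name)
    if not m:
        raise ValueError(f"not a dump name: {name}")
    return {
        "pid": int(m["pid"]),
        "seq": int(m["seq"]),
        "start": int(m["start"], 16),
        "end": int(m["end"], 16),
    }


def region_size(name: str) -> int:
    """Size in bytes of the region a dump name describes."""
    r = parse_dump_name(name)
    return r["end"] - r["start"]


def human_size(n: int) -> str:
    """Format like the report: whole KB below 1 MiB, one decimal MB at or above."""
    if n >= 1 << 20:
        return f"{n / (1 << 20):.1f}MB"
    return f"{n // 1024}KB"


def regions_by_range(names):
    """Map (start, end) -> sorted PIDs that had that exact region dumped."""
    groups = defaultdict(set)
    for n in names:
        r = parse_dump_name(n)
        groups[(r["start"], r["end"])].add(r["pid"])
    return {k: sorted(v) for k, v in groups.items()}


# Names copied from the list above (one per PID/range pair is enough here).
DUMPS = [
    "memory/1036-337-0x0000000002230000-0x000000000228E000-memory.dmp",
    "memory/1740-283-0x0000000000C40000-0x0000000000C9E000-memory.dmp",
    "memory/1908-4953-0x0000000000400000-0x000000000056F000-memory.dmp",
    "memory/1908-5046-0x000000000AC70000-0x000000000ACA4000-memory.dmp",
    "memory/2668-456-0x000000000ADB0000-0x000000000ADE4000-memory.dmp",
    "memory/2668-431-0x0000000000400000-0x000000000056F000-memory.dmp",
    "memory/3568-316-0x0000000000A00000-0x0000000000A5E000-memory.dmp",
    "memory/4476-207-0x0000000002200000-0x000000000225E000-memory.dmp",
    "memory/17368-8319-0x0000000000400000-0x000000000056F000-memory.dmp",
]

if __name__ == "__main__":
    for n in DUMPS:
        print(n, human_size(region_size(n)))
    for rng, pids in regions_by_range(DUMPS).items():
        print(hex(rng[0]), hex(rng[1]), pids)
```

Run over the list, the 0x400000-0x56F000 range (0x400000 is the default image base of a 32-bit executable) shows up in PIDs 1908, 2668 and 17368, and a 0x5E000-byte region at a heap-like address in 1036, 1740, 3568 and 4476. The tree above shows three CoronaVirus.exe launches and four rundll32.exe perfc.dat launches; the counts line up, but the tree does not print PIDs, so treat that pairing as a hypothesis to confirm from the raw events rather than a finding of the report.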