badrabbit | hxxp://google[.]com

Analysis

max time kernel
510s
max time network
511s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
06-06-2024 14:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://google.com

Score

10^/10

badrabbit wannacry defense_evasion execution impact persistence ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\!Please Read Me!.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions! �

Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Signatures

BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
ransomware badrabbit
Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Blocklisted process makes network request 7 IoCs

flow	pid	Process
480	5720	rundll32.exe
518	5720	rundll32.exe
560	5720	rundll32.exe
601	5720	rundll32.exe
633	5720	rundll32.exe
657	5720	rundll32.exe
696	5720	rundll32.exe

Downloads MZ/PE file

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD36B2.tmp	WannaCry.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD36B9.tmp	WannaCry.exe

Executes dropped EXE 39 IoCs

pid	Process
3044	WannaCry.exe
4268	WannaCry.exe
3564	!WannaDecryptor!.exe
4396	WannaCry.exe
5268	WannaCry.exe
5380	WannaCry.exe
6052	WannaCry.exe
6068	WannaCry.exe
6040	WannaCry.exe
6076	WannaCry.exe
6084	WannaCry.exe
6060	WannaCry.exe
4644	WannaCry.exe
5548	WannaCry.exe
5760	WannaCry.exe
5892	WannaCry.exe
5728	WannaCry.exe
3024	WannaCry.exe
5616	BadRabbit.exe
5692	BadRabbit.exe
5776	BadRabbit.exe
4520	4F15.tmp
5468	!WannaDecryptor!.exe
5784	WannaCry.exe
5712	!WannaDecryptor!.exe
5796	BadRabbit.exe
2400	!WannaDecryptor!.exe
5704	BadRabbit.exe
5472	BadRabbit.exe
4888	BadRabbit.exe
5208	BadRabbit.exe
5668	BadRabbit.exe
4936	BadRabbit.exe
5360	BadRabbit.exe
1728	BadRabbit.exe
1808	BadRabbit.exe
5624	BadRabbit.exe
4132	BadRabbit.exe
5352	BadRabbit.exe

Loads dropped DLL 15 IoCs

pid	Process
5720	rundll32.exe
5908	rundll32.exe
5996	rundll32.exe
5984	rundll32.exe
1692	rundll32.exe
5860	rundll32.exe
5180	rundll32.exe
4916	rundll32.exe
628	rundll32.exe
5300	rundll32.exe
3580	rundll32.exe
4796	rundll32.exe
5652	rundll32.exe
5232	rundll32.exe
5192	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\Downloads\\WannaCry.exe\" /r"	WannaCry.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
124	raw.githubusercontent.com
126	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp"	!WannaDecryptor!.exe

Drops file in Windows directory 34 IoCs

description	ioc	Process
File created	C:\Windows\cscc.dat	rundll32.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\infpub.dat	BadRabbit.exe
File created	C:\Windows\infpub.dat	BadRabbit.exe
File created	C:\Windows\infpub.dat	BadRabbit.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\infpub.dat	BadRabbit.exe
File created	C:\Windows\infpub.dat	BadRabbit.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\infpub.dat	BadRabbit.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\infpub.dat	BadRabbit.exe
File created	C:\Windows\infpub.dat	BadRabbit.exe
File opened for modification	C:\Windows\4F15.tmp	rundll32.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\infpub.dat	BadRabbit.exe
File created	C:\Windows\infpub.dat	BadRabbit.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\infpub.dat	BadRabbit.exe
File created	C:\Windows\infpub.dat	BadRabbit.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\dispci.exe	rundll32.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\infpub.dat	BadRabbit.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\infpub.dat	BadRabbit.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\infpub.dat	BadRabbit.exe
File created	C:\Windows\infpub.dat	BadRabbit.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
592	schtasks.exe
5348	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
3236	taskkill.exe
2248	taskkill.exe
1292	taskkill.exe
2036	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3571316656-3665257725-2415531812-1000\{42344FCB-6F78-4181-98A3-286C6C481DDE}	msedge.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 265419.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 210858.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 55 IoCs

pid	Process
3124	msedge.exe
3124	msedge.exe
3344	msedge.exe
3344	msedge.exe
772	identity_helper.exe
772	identity_helper.exe
5080	msedge.exe
5080	msedge.exe
4428	msedge.exe
4428	msedge.exe
5596	msedge.exe
5596	msedge.exe
5720	rundll32.exe
5720	rundll32.exe
5720	rundll32.exe
5720	rundll32.exe
5908	rundll32.exe
5908	rundll32.exe
5996	rundll32.exe
5996	rundll32.exe
4520	4F15.tmp
4520	4F15.tmp
4520	4F15.tmp
4520	4F15.tmp
4520	4F15.tmp
4520	4F15.tmp
4520	4F15.tmp
5984	rundll32.exe
5984	rundll32.exe
1692	rundll32.exe
1692	rundll32.exe
5860	rundll32.exe
5860	rundll32.exe
5180	rundll32.exe
5180	rundll32.exe
4916	rundll32.exe
4916	rundll32.exe
628	rundll32.exe
628	rundll32.exe
5300	rundll32.exe
5300	rundll32.exe
3580	rundll32.exe
3580	rundll32.exe
4796	rundll32.exe
4796	rundll32.exe
5652	rundll32.exe
5652	rundll32.exe
5232	rundll32.exe
5232	rundll32.exe
5192	rundll32.exe
5192	rundll32.exe
5608	msedge.exe
5608	msedge.exe
5608	msedge.exe
5608	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3344	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs

pid	Process
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2036	taskkill.exe
Token: SeDebugPrivilege	3236	taskkill.exe
Token: SeDebugPrivilege	1292	taskkill.exe
Token: SeDebugPrivilege	2248	taskkill.exe
Token: SeShutdownPrivilege	5720	rundll32.exe
Token: SeDebugPrivilege	5720	rundll32.exe
Token: SeTcbPrivilege	5720	rundll32.exe
Token: SeShutdownPrivilege	5908	rundll32.exe
Token: SeDebugPrivilege	5908	rundll32.exe
Token: SeTcbPrivilege	5908	rundll32.exe
Token: SeShutdownPrivilege	5996	rundll32.exe
Token: SeDebugPrivilege	5996	rundll32.exe
Token: SeTcbPrivilege	5996	rundll32.exe
Token: SeDebugPrivilege	4520	4F15.tmp
Token: SeShutdownPrivilege	5984	rundll32.exe
Token: SeDebugPrivilege	5984	rundll32.exe
Token: SeTcbPrivilege	5984	rundll32.exe
Token: SeShutdownPrivilege	1692	rundll32.exe
Token: SeDebugPrivilege	1692	rundll32.exe
Token: SeTcbPrivilege	1692	rundll32.exe
Token: SeIncreaseQuotaPrivilege	5444	WMIC.exe
Token: SeSecurityPrivilege	5444	WMIC.exe
Token: SeTakeOwnershipPrivilege	5444	WMIC.exe
Token: SeLoadDriverPrivilege	5444	WMIC.exe
Token: SeSystemProfilePrivilege	5444	WMIC.exe
Token: SeSystemtimePrivilege	5444	WMIC.exe
Token: SeProfSingleProcessPrivilege	5444	WMIC.exe
Token: SeIncBasePriorityPrivilege	5444	WMIC.exe
Token: SeCreatePagefilePrivilege	5444	WMIC.exe
Token: SeBackupPrivilege	5444	WMIC.exe
Token: SeRestorePrivilege	5444	WMIC.exe
Token: SeShutdownPrivilege	5444	WMIC.exe
Token: SeDebugPrivilege	5444	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5444	WMIC.exe
Token: SeRemoteShutdownPrivilege	5444	WMIC.exe
Token: SeUndockPrivilege	5444	WMIC.exe
Token: SeManageVolumePrivilege	5444	WMIC.exe
Token: 33	5444	WMIC.exe
Token: 34	5444	WMIC.exe
Token: 35	5444	WMIC.exe
Token: 36	5444	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5444	WMIC.exe
Token: SeSecurityPrivilege	5444	WMIC.exe
Token: SeTakeOwnershipPrivilege	5444	WMIC.exe
Token: SeLoadDriverPrivilege	5444	WMIC.exe
Token: SeSystemProfilePrivilege	5444	WMIC.exe
Token: SeSystemtimePrivilege	5444	WMIC.exe
Token: SeProfSingleProcessPrivilege	5444	WMIC.exe
Token: SeIncBasePriorityPrivilege	5444	WMIC.exe
Token: SeCreatePagefilePrivilege	5444	WMIC.exe
Token: SeBackupPrivilege	5444	WMIC.exe
Token: SeRestorePrivilege	5444	WMIC.exe
Token: SeShutdownPrivilege	5444	WMIC.exe
Token: SeDebugPrivilege	5444	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5444	WMIC.exe
Token: SeRemoteShutdownPrivilege	5444	WMIC.exe
Token: SeUndockPrivilege	5444	WMIC.exe
Token: SeManageVolumePrivilege	5444	WMIC.exe
Token: 33	5444	WMIC.exe
Token: 34	5444	WMIC.exe
Token: 35	5444	WMIC.exe
Token: 36	5444	WMIC.exe
Token: SeBackupPrivilege	3456	vssvc.exe
Token: SeRestorePrivilege	3456	vssvc.exe

Suspicious use of FindShellTrayWindow 45 IoCs

pid	Process
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe
3344	msedge.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
3564	!WannaDecryptor!.exe
3564	!WannaDecryptor!.exe
5468	!WannaDecryptor!.exe
5468	!WannaDecryptor!.exe
5712	!WannaDecryptor!.exe
5712	!WannaDecryptor!.exe
2400	!WannaDecryptor!.exe
2400	!WannaDecryptor!.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3344 wrote to memory of 2476	3344	msedge.exe	82
PID 3344 wrote to memory of 2476	3344	msedge.exe	82
PID 3344 wrote to memory of 1888	3344	msedge.exe	83
PID 3344 wrote to memory of 1888	3344	msedge.exe	83
PID 3344 wrote to memory of 1888	3344	msedge.exe	83
PID 3344 wrote to memory of 1888	3344	msedge.exe	83
PID 3344 wrote to memory of 1888	3344	msedge.exe	83
PID 3344 wrote to memory of 1888	3344	msedge.exe	83
PID 3344 wrote to memory of 1888	3344	msedge.exe	83
PID 3344 wrote to memory of 1888	3344	msedge.exe	83
PID 3344 wrote to memory of 1888	3344	msedge.exe	83
PID 3344 wrote to memory of 1888	3344	msedge.exe	83
PID 3344 wrote to memory of 1888	3344	msedge.exe	83
PID 3344 wrote to memory of 1888	3344	msedge.exe	83
PID 3344 wrote to memory of 1888	3344	msedge.exe	83
PID 3344 wrote to memory of 1888	3344	msedge.exe	83
PID 3344 wrote to memory of 1888	3344	msedge.exe	83
PID 3344 wrote to memory of 1888	3344	msedge.exe	83
PID 3344 wrote to memory of 1888	3344	msedge.exe	83
PID 3344 wrote to memory of 1888	3344	msedge.exe	83
PID 3344 wrote to memory of 1888	3344	msedge.exe	83
PID 3344 wrote to memory of 1888	3344	msedge.exe	83
PID 3344 wrote to memory of 1888	3344	msedge.exe	83
PID 3344 wrote to memory of 1888	3344	msedge.exe	83
PID 3344 wrote to memory of 1888	3344	msedge.exe	83
PID 3344 wrote to memory of 1888	3344	msedge.exe	83
PID 3344 wrote to memory of 1888	3344	msedge.exe	83
PID 3344 wrote to memory of 1888	3344	msedge.exe	83
PID 3344 wrote to memory of 1888	3344	msedge.exe	83
PID 3344 wrote to memory of 1888	3344	msedge.exe	83
PID 3344 wrote to memory of 1888	3344	msedge.exe	83
PID 3344 wrote to memory of 1888	3344	msedge.exe	83
PID 3344 wrote to memory of 1888	3344	msedge.exe	83
PID 3344 wrote to memory of 1888	3344	msedge.exe	83
PID 3344 wrote to memory of 1888	3344	msedge.exe	83
PID 3344 wrote to memory of 1888	3344	msedge.exe	83
PID 3344 wrote to memory of 1888	3344	msedge.exe	83
PID 3344 wrote to memory of 1888	3344	msedge.exe	83
PID 3344 wrote to memory of 1888	3344	msedge.exe	83
PID 3344 wrote to memory of 1888	3344	msedge.exe	83
PID 3344 wrote to memory of 1888	3344	msedge.exe	83
PID 3344 wrote to memory of 1888	3344	msedge.exe	83
PID 3344 wrote to memory of 3124	3344	msedge.exe	84
PID 3344 wrote to memory of 3124	3344	msedge.exe	84
PID 3344 wrote to memory of 4856	3344	msedge.exe	85
PID 3344 wrote to memory of 4856	3344	msedge.exe	85
PID 3344 wrote to memory of 4856	3344	msedge.exe	85
PID 3344 wrote to memory of 4856	3344	msedge.exe	85
PID 3344 wrote to memory of 4856	3344	msedge.exe	85
PID 3344 wrote to memory of 4856	3344	msedge.exe	85
PID 3344 wrote to memory of 4856	3344	msedge.exe	85
PID 3344 wrote to memory of 4856	3344	msedge.exe	85
PID 3344 wrote to memory of 4856	3344	msedge.exe	85
PID 3344 wrote to memory of 4856	3344	msedge.exe	85
PID 3344 wrote to memory of 4856	3344	msedge.exe	85
PID 3344 wrote to memory of 4856	3344	msedge.exe	85
PID 3344 wrote to memory of 4856	3344	msedge.exe	85
PID 3344 wrote to memory of 4856	3344	msedge.exe	85
PID 3344 wrote to memory of 4856	3344	msedge.exe	85
PID 3344 wrote to memory of 4856	3344	msedge.exe	85
PID 3344 wrote to memory of 4856	3344	msedge.exe	85
PID 3344 wrote to memory of 4856	3344	msedge.exe	85
PID 3344 wrote to memory of 4856	3344	msedge.exe	85
PID 3344 wrote to memory of 4856	3344	msedge.exe	85

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.com
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0x40,0x108,0x7ffff2ca46f8,0x7ffff2ca4708,0x7ffff2ca4718
  2⤵
  PID:2476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2012,16061984941131403522,8581120566706462746,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2064 /prefetch:2
  2⤵
  PID:1888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2012,16061984941131403522,8581120566706462746,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2012,16061984941131403522,8581120566706462746,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2888 /prefetch:8
  2⤵
  PID:4856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,16061984941131403522,8581120566706462746,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:1
  2⤵
  PID:1872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,16061984941131403522,8581120566706462746,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
  2⤵
  PID:4924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,16061984941131403522,8581120566706462746,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4136 /prefetch:1
  2⤵
  PID:1744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,16061984941131403522,8581120566706462746,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4724 /prefetch:1
  2⤵
  PID:4700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,16061984941131403522,8581120566706462746,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:1
  2⤵
  PID:780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,16061984941131403522,8581120566706462746,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5088 /prefetch:1
  2⤵
  PID:1192
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2012,16061984941131403522,8581120566706462746,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5840 /prefetch:8
  2⤵
  PID:3512
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2012,16061984941131403522,8581120566706462746,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5840 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,16061984941131403522,8581120566706462746,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5236 /prefetch:1
  2⤵
  PID:5040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,16061984941131403522,8581120566706462746,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5920 /prefetch:1
  2⤵
  PID:3572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2012,16061984941131403522,8581120566706462746,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5576 /prefetch:8
  2⤵
  PID:3440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2012,16061984941131403522,8581120566706462746,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5016 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:5080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,16061984941131403522,8581120566706462746,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5884 /prefetch:1
  2⤵
  PID:952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,16061984941131403522,8581120566706462746,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5080 /prefetch:1
  2⤵
  PID:4388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,16061984941131403522,8581120566706462746,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5848 /prefetch:1
  2⤵
  PID:5040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,16061984941131403522,8581120566706462746,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1
  2⤵
  PID:3208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,16061984941131403522,8581120566706462746,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2308 /prefetch:1
  2⤵
  PID:1408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2012,16061984941131403522,8581120566706462746,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4756 /prefetch:8
  2⤵
  PID:4432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,16061984941131403522,8581120566706462746,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3536 /prefetch:1
  2⤵
  PID:3044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2012,16061984941131403522,8581120566706462746,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6536 /prefetch:8
  2⤵
  PID:2904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,16061984941131403522,8581120566706462746,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6536 /prefetch:1
  2⤵
  PID:4604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,16061984941131403522,8581120566706462746,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6472 /prefetch:1
  2⤵
  PID:4108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,16061984941131403522,8581120566706462746,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6348 /prefetch:1
  2⤵
  PID:1956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2012,16061984941131403522,8581120566706462746,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5520 /prefetch:8
  2⤵
  PID:2312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2012,16061984941131403522,8581120566706462746,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3936 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4428
- C:\Users\Admin\Downloads\WannaCry.exe
  "C:\Users\Admin\Downloads\WannaCry.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3044
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 73471717684461.bat
    3⤵
    PID:2400
  - - C:\Windows\SysWOW64\cscript.exe
      cscript //nologo c.vbs
      4⤵
      PID:2312
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe f
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3564
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im MSExchange*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3236
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Microsoft.Exchange.*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2248
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sqlserver.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2036
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sqlwriter.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1292
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe c
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5468
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c start /b !WannaDecryptor!.exe v
    3⤵
    PID:5660
  - - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
      !WannaDecryptor!.exe v
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:5712
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
        5⤵
        
        PID:2248
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5444
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe
    3⤵
    - Executes dropped EXE
    - Sets desktop wallpaper using registry
    - Suspicious use of SetWindowsHookEx
    PID:2400
- C:\Users\Admin\Downloads\WannaCry.exe
  "C:\Users\Admin\Downloads\WannaCry.exe"
  2⤵
  - Executes dropped EXE
  PID:4268
- C:\Users\Admin\Downloads\WannaCry.exe
  "C:\Users\Admin\Downloads\WannaCry.exe"
  2⤵
  - Executes dropped EXE
  PID:4396
- C:\Users\Admin\Downloads\WannaCry.exe
  "C:\Users\Admin\Downloads\WannaCry.exe"
  2⤵
  - Executes dropped EXE
  PID:5268
- C:\Users\Admin\Downloads\WannaCry.exe
  "C:\Users\Admin\Downloads\WannaCry.exe"
  2⤵
  - Executes dropped EXE
  PID:5380
- C:\Users\Admin\Downloads\WannaCry.exe
  "C:\Users\Admin\Downloads\WannaCry.exe"
  2⤵
  - Executes dropped EXE
  PID:6040
- C:\Users\Admin\Downloads\WannaCry.exe
  "C:\Users\Admin\Downloads\WannaCry.exe"
  2⤵
  - Executes dropped EXE
  PID:6052
- C:\Users\Admin\Downloads\WannaCry.exe
  "C:\Users\Admin\Downloads\WannaCry.exe"
  2⤵
  - Executes dropped EXE
  PID:6060
- C:\Users\Admin\Downloads\WannaCry.exe
  "C:\Users\Admin\Downloads\WannaCry.exe"
  2⤵
  - Executes dropped EXE
  PID:6068
- C:\Users\Admin\Downloads\WannaCry.exe
  "C:\Users\Admin\Downloads\WannaCry.exe"
  2⤵
  - Executes dropped EXE
  PID:6076
- C:\Users\Admin\Downloads\WannaCry.exe
  "C:\Users\Admin\Downloads\WannaCry.exe"
  2⤵
  - Executes dropped EXE
  PID:6084
- C:\Users\Admin\Downloads\WannaCry.exe
  "C:\Users\Admin\Downloads\WannaCry.exe"
  2⤵
  - Executes dropped EXE
  PID:4644
- C:\Users\Admin\Downloads\WannaCry.exe
  "C:\Users\Admin\Downloads\WannaCry.exe"
  2⤵
  - Executes dropped EXE
  PID:5548
- C:\Users\Admin\Downloads\WannaCry.exe
  "C:\Users\Admin\Downloads\WannaCry.exe"
  2⤵
  - Executes dropped EXE
  PID:5760
- C:\Users\Admin\Downloads\WannaCry.exe
  "C:\Users\Admin\Downloads\WannaCry.exe"
  2⤵
  - Executes dropped EXE
  PID:5892
- C:\Users\Admin\Downloads\WannaCry.exe
  "C:\Users\Admin\Downloads\WannaCry.exe"
  2⤵
  - Executes dropped EXE
  PID:5728
- C:\Users\Admin\Downloads\WannaCry.exe
  "C:\Users\Admin\Downloads\WannaCry.exe"
  2⤵
  - Executes dropped EXE
  PID:3024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2012,16061984941131403522,8581120566706462746,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5316 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5596
- C:\Users\Admin\Downloads\BadRabbit.exe
  "C:\Users\Admin\Downloads\BadRabbit.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:5616
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5720
  - - C:\Windows\SysWOW64\cmd.exe
      /c schtasks /Delete /F /TN rhaegal
      4⤵
      PID:5884
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Delete /F /TN rhaegal
        5⤵
        
        PID:6128
  - - C:\Windows\SysWOW64\cmd.exe
      /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 4094696677 && exit"
      4⤵
      PID:5136
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 4094696677 && exit"
        5⤵
        Creates scheduled task(s)
        
        PID:592
  - - C:\Windows\SysWOW64\cmd.exe
      /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 14:52:00
      4⤵
      PID:3172
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 14:52:00
        5⤵
        Creates scheduled task(s)
        
        PID:5348
  - - C:\Windows\4F15.tmp
      "C:\Windows\4F15.tmp" \\.\pipe\{5BF01824-9D09-44B1-B9E1-02C0D59EA4F6}
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4520
- C:\Users\Admin\Downloads\BadRabbit.exe
  "C:\Users\Admin\Downloads\BadRabbit.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:5692
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5908
- C:\Users\Admin\Downloads\BadRabbit.exe
  "C:\Users\Admin\Downloads\BadRabbit.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:5776
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5996
- C:\Users\Admin\Downloads\WannaCry.exe
  "C:\Users\Admin\Downloads\WannaCry.exe"
  2⤵
  - Executes dropped EXE
  PID:5784
- C:\Users\Admin\Downloads\BadRabbit.exe
  "C:\Users\Admin\Downloads\BadRabbit.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:5796
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5984
- C:\Users\Admin\Downloads\BadRabbit.exe
  "C:\Users\Admin\Downloads\BadRabbit.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:5704
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1692
- C:\Users\Admin\Downloads\BadRabbit.exe
  "C:\Users\Admin\Downloads\BadRabbit.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:5472
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    PID:5860
- C:\Users\Admin\Downloads\BadRabbit.exe
  "C:\Users\Admin\Downloads\BadRabbit.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:4888
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    PID:5180
- C:\Users\Admin\Downloads\BadRabbit.exe
  "C:\Users\Admin\Downloads\BadRabbit.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:5208
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    PID:4916
- C:\Users\Admin\Downloads\BadRabbit.exe
  "C:\Users\Admin\Downloads\BadRabbit.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:5668
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    PID:628
- C:\Users\Admin\Downloads\BadRabbit.exe
  "C:\Users\Admin\Downloads\BadRabbit.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:4936
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    PID:5300
- C:\Users\Admin\Downloads\BadRabbit.exe
  "C:\Users\Admin\Downloads\BadRabbit.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:5360
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    PID:3580
- C:\Users\Admin\Downloads\BadRabbit.exe
  "C:\Users\Admin\Downloads\BadRabbit.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:1728
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    PID:4796
- C:\Users\Admin\Downloads\BadRabbit.exe
  "C:\Users\Admin\Downloads\BadRabbit.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:1808
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    PID:5652
- C:\Users\Admin\Downloads\BadRabbit.exe
  "C:\Users\Admin\Downloads\BadRabbit.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:5624
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    PID:5232
- C:\Users\Admin\Downloads\BadRabbit.exe
  "C:\Users\Admin\Downloads\BadRabbit.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:4132
- C:\Users\Admin\Downloads\BadRabbit.exe
  "C:\Users\Admin\Downloads\BadRabbit.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:5352
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    PID:5192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2012,16061984941131403522,8581120566706462746,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4784 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5608

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1516

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3440

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\4d220e48-050d-44b9-a763-c1d1e03e4230.tmp

Filesize
10KB

MD5
77c081bcf48d1f277a5c4aac3369deee

SHA1
0f7e3a27e937b7c5e21870c93863c0b5599ed214

SHA256
b6a9d905d28b2718ce471c36b2623f3b93e364ff3bcd279972c07711ff1c8897

SHA512
550b974349b211524bfaf3b2c38e3cd3ff621657fe4fb9efe1dbe12eb6f6c7c3cd2313fbb9a59ee88b956a3001fa8aee776346f0fe41cc2987808c4cbd7765b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c9c4c494f8fba32d95ba2125f00586a3

SHA1
8a600205528aef7953144f1cf6f7a5115e3611de

SHA256
a0ca609205813c307df9122c0c5b0967c5472755700f615b0033129cf7d6b35b

SHA512
9d30cea6cfc259e97b0305f8b5cd19774044fb78feedfcef2014b2947f2e6a101273bc4ad30db9cc1724e62eb441266d7df376e28ac58693f128b9cce2c7d20d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4dc6fc5e708279a3310fe55d9c44743d

SHA1
a42e8bdf9d1c25ef3e223d59f6b1d16b095f46d2

SHA256
a1c5f48659d4b3af960971b3a0f433a95fee5bfafe5680a34110c68b342377d8

SHA512
5874b2310187f242b852fa6dcded244cc860abb2be4f6f5a6a1db8322e12e1fef8f825edc0aae75adbb7284a2cd64730650d0643b1e2bb7ead9350e50e1d8c13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\6244c0c6-5e8c-49a4-b2c1-6c2aeec3f260.tmp

Filesize
1KB

MD5
545141e0123c42cc0430fd12090065b5

SHA1
f10523971cef5ed33d70aecc369f8b6b42bac7a4

SHA256
a8b9a48ae0944557f9be6b5b1e1c9c63f98e010d71b1f427b852762d0ffb1ab8

SHA512
042aa5cb7cf4d54770540e521fdea1389d34900e18890116a56668671ae1328fad03832e1363024f73c2478fc9676c11952b75307f5e13444aa3ff0910d05e3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
ad465462c403ffcbe32326645990b3a4

SHA1
6a3daa26c8c93db4265325f6f1adfb65c9c63863

SHA256
5adf58e1e997cd148b6d9bde01debd657a9fbd04ca75cf0bd5a9e51b0f7b14e1

SHA512
ef37b96f51004663f0d253a09e032038cc552bbfa583f083f1e173c794c645e1810fa60ffb47992173a36e5e0c91b422096fbc83dc2dbdd71ba1532a3b5980d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
e2c2109097ac2dd8e6ac0dca30c7afa1

SHA1
ca60af9d8509620676794b4ce34dcb6a5c355e0f

SHA256
bb7c60d033946d4b1ca64e12dcb9b882c4b8573f443a139de209975f6d33557f

SHA512
89d3a85d801516a5a58003107182d516f69d39efb8fd01357bdecdbac36ca90c50c5ea04fb533b7d8365ddeb8e56d6504b95b7fdf4bddee78142cc05b970719a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
af055c0af4d85dcbe2f7c738e3b00926

SHA1
022a0a5239e126352606684a90317a73a58ed5f4

SHA256
ae37a13a851692129cf8fea9cd445e225fd6eda48b6fe64af0dd02bf0884280c

SHA512
63037ce639c536863cc888ca6b2b1d3431d4a942f4e595d040a9c213a5dbf702de80bc4a78bebd6489e7f90550268b51d194fea8ea5c74a5ac0a0fae310f44fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
36f29ed8b66a37a8e7f9f825ac58eb79

SHA1
b76127c546ecb03a37c0e568d2b409a8eb6b544a

SHA256
ac62bd842b2c2667bbdc22276ff36cf8789810ea72a9e231135e66f73f2589d7

SHA512
c9113b0e12f992c1424b65df6efefb6cb5dc0c3eb3356513ef7cec3d6c1778521011f25dbd20b3406210096e1f8ea97bef7a65a9dd32701d8f9aaa6714a21c10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
31f9f261bed8003c600ffede7dfb898b

SHA1
71aaef13a9bb6c452c82e859af94c40eb67548dd

SHA256
dc047ab4f4c61c4c76f2801158813edbe2517845e0a56419c4fb842756fd3133

SHA512
9b10dedb853917e9805ca570a3406820ae05bf4260620bdf1ede9f507784aa7361d6b2fe850d7ad7ad05ba6cdd05915d1f6bf781fbf71b69db1e882e30628ba7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
fdc175c2da711dd391887325f0c01fb2

SHA1
552c372d4e7bb50207c7c7d9de6a6bba066e41c8

SHA256
da7a450046d4ed8292019d7b122da6c00cefaa5ca56461ba4a52380f608bef6c

SHA512
39fb5615d30b2f5ab65f2a5c43daedc6ee1caa548882030f7ea5e9c2c16cc68438b675eed0be5cee869963e1cc8dec258a1faa7a8dd1defba965a4106fe38ef4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
be60a9f2d7e9d95271afbc2de0977da7

SHA1
e58578b114f9ad2a411abaaa69503e3334aea488

SHA256
2de791ad935c17171f54a28e662a7050a21ff3944c2ee5c5cc0a726a83b66e24

SHA512
3b78ac82fcb7eea0a912c13864f76d5b1ddebd8aa397435b57704a7672f70f70081c123878a091ae2ff0ccb3fa582c3d24e0ac57b0b5c0c400aa74d69aa69d57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
afd40d13d38fec4b738773569ed1faef

SHA1
ddc04cdb3ee151f9a692aea7f7d21ec7c402abbb

SHA256
c451b90edd48a6baac71e1cb89b1066cf967fbf89bfa955b785ce4c0dfd0bfb2

SHA512
acf4d0f159433f818e5c5813f37d53dc544c77e110cae6ae58270dd93e0a1ed7f55f03b892074b18af60519e47e7a4c94c1c4ee5011515214eb6a0d27b968134

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
393b62bb957ea3ab1122586f5bac71c7

SHA1
6e16e84f3ae0f458edc580c27967dea98f98c15b

SHA256
7bebff02091a9cd858b17d087e2f6ea3381f1c93b28d8b264efc9f4522a56ca5

SHA512
4987af8b7c01abaa9b255be9abce7ad47bc6b7af09b884874efdd1ed0155adef28918ca3559b98a031ebd57efacb05d44310e262d12e295440e28c5875826c67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
9499a4fa4ea6bde1e149c7c401c857c9

SHA1
5a0cad2385268cdc183d2caeb9a5764db44b3da2

SHA256
c64d6ebbba7286136b9de922abe6fe0b2464ef4a90c2ae8c70d229360bd5688a

SHA512
d7845742e7441d2aba1e17a404ce285c176b22b3830180ac7e1b89cc17b0bba483f28dc86e027fd55adb1ed37608d09b85a5e5c9bc3a2ef206de69e385b817d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
933565343483a85cb8224872e4b8544b

SHA1
7943e16763573d60c2ed25871d9ccf2fb0ad59be

SHA256
cd90c93be03241c437728d08754c7571d53f25bd254a3ac7a6c16507f7c2de24

SHA512
77730db6d262bc72e28c8c65366303bad69af62eac028ab9e8a1e24b2103e4670ad8f37c7cf363c362117bf02ed124dbd27a86812cc58c5717267527c020465f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
6565cafe72446078fd07a0bc5f66bbc0

SHA1
4993fe265c6772bf23d88e3660a6a8a375d08093

SHA256
2db705ec9a44126db33a1b22c3e57d1ea826e12d2bf6f7f0a538b79b7f18e3e2

SHA512
8e6253ba4ebc3164ed0d04f50bfb9d4f67b7084680776947c8550187cbd9a21925f570f58a2120cbed1b62b873de7f857aac70b0da13d13f4ea7ce29633cc7b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57a345.TMP

Filesize
372B

MD5
128b616b3d7978bdf0f904fb254c610f

SHA1
3f4be7a54fac04ed7210a2291b26d14c10ded6df

SHA256
a0fc3cfdf413e9597ae579cbfb1a2011055253108cef364c3d315880a414b332

SHA512
acee01b8b75ff618a9906b028db0276672cf263b899d8084c3dc0ca2b69256e91f4c98294fac030873d03397d0c4e12ba158b1173d2640ccd26df747bfc25b57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
9dd67034eab8f8ab513336820058e75d

SHA1
8c3ed05984edb2324f7eeac405495edb55366760

SHA256
9e4bfb8282ed655caf364923661943da92f4a75d9d0328db3aefc58ecfea235e

SHA512
dd55ab6f527594e4cbf251360aa307a724ecfea735f750c60be30e1136131d378ddc855d250c138ef46d3e97d4aaf5e0fbb68233e8a060e8577d04a30bd077fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a4bdb2746cfc99c2f1c361a0336fa3f7

SHA1
993d54b95ac2866c9844c2af3764609a0594c047

SHA256
5f5bdfa7bea84f05b27a8a008b0ac60bddc73b46b72a9568a8a4710271b6c19c

SHA512
841ad558b5f7ce4b9ec581fcff0407dc102bcc244e5c4f7d8e9b90e7a9dbcf9ef78558f152681fac100b09f745793d6a02f78cfe7cb406a7be224522c6df0537

Download Submit
C:\Users\Admin\Downloads\!Please Read Me!.txt

Filesize
797B

MD5
afa18cf4aa2660392111763fb93a8c3d

SHA1
c219a3654a5f41ce535a09f2a188a464c3f5baf5

SHA256
227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0

SHA512
4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b

Download Submit
C:\Users\Admin\Downloads\!WannaDecryptor!.exe.lnk

Filesize
590B

MD5
05bb65deed47102256e37f1266dae66c

SHA1
c77a4eb6fb09f3348b716c0587384012eceb10c9

SHA256
866157339a93a97a124dd96316ab53af832647a29272cf50251fb589dfb2dc0a

SHA512
0fd54d61c30d12bfa9bea0248ee0cd4941a292807b45534daa5bdc5204a6a12c31431efa7f7c0ca6d4554baa9c17549431b5f9e22fa932926a4061e86b73d6e2

Download Submit
C:\Users\Admin\Downloads\00000000.res

Filesize
136B

MD5
017e878ea9e178fb573bd3e9d3bb7b3e

SHA1
edac5dd7e2996008bb6d570f1d74050341abf375

SHA256
32dca8eb78a6e9a821021967a04419168f56052a1606e399d2c67469b3551055

SHA512
8b25e7a84619db842bac92b7cde27e3f90cd003a16cae9fc478f4a6b09d9e9a3e9c0a7380118f5b83c03371f3e2ca687d8cf9e42609e4bd3b33ee26596faab8e

Download Submit
C:\Users\Admin\Downloads\73471717684461.bat

Filesize
318B

MD5
a261428b490a45438c0d55781a9c6e75

SHA1
e9eefce11cefcbb7e5168bfb8de8a3c3ac45c41e

SHA256
4288d655b7de7537d7ea13fdeb1ba19760bcaf04384cd68619d9e5edb5e31f44

SHA512
304887938520ffcc6966da83596ccc8688b7eace9572982c224f3fb9c59e6fb2dcaa021a19d2aae47346e954c0d0d8145c723b7143dece11ac7261dc41ba3d40

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 210858.crdownload

Filesize
224KB

MD5
5c7fb0927db37372da25f270708103a2

SHA1
120ed9279d85cbfa56e5b7779ffa7162074f7a29

SHA256
be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844

SHA512
a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f89224c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 265419.crdownload

Filesize
431KB

MD5
fbbdc39af1139aebba4da004475e8839

SHA1
de5c8d858e6e41da715dca1c019df0bfb92d32c0

SHA256
630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da

SHA512
74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87

Download Submit
C:\Users\Admin\Downloads\c.vbs

Filesize
201B

MD5
02b937ceef5da308c5689fcdb3fb12e9

SHA1
fa5490ea513c1b0ee01038c18cb641a51f459507

SHA256
5d57b86aeb52be824875008a6444daf919717408ec45aff4640b5e64610666f1

SHA512
843eeae13ac5fdc216b14e40534543c283ecb2b6c31503aba2d25ddd215df19105892e43cf618848742de9c13687d21e8c834eff3f2b69a26df2509a6f992653

Download Submit
C:\Users\Admin\Downloads\c.wry

Filesize
628B

MD5
663e55df21852bc8870b86bc38e58262

SHA1
1c691bf030ecfce78a9476fbdef3afe61724e6a9

SHA256
bf22e8e18db1638673f47591a13d18ee58d8c6019314bab5a90be82ae3dc9538

SHA512
6a54be1fa549633a2fd888c559207437b8f6efda98bb18d491c8749f39e9754f1e680fa8e2d623777b5f665b2c04d19385c75ce4e61fb251db16018963a9a6f9

Download Submit
C:\Users\Admin\Downloads\c.wry

Filesize
628B

MD5
124f00dc2c33519eae71f6235a7acfb3

SHA1
0471cabc1434c2a182e7552901a28b6699408c09

SHA256
9c2cae67dedcdd412397e89c6ca792233915f67d4cc8fd378c57c7b06abd2f33

SHA512
f04c1d3bf033fa23f3ccd8f2cf4488684908d68af9b5fff7d45ead543b64e1165cb435ddc242b5f22d60294204cefe5cb15d50593dfd9212979c95dce21f4dd4

Download Submit
C:\Users\Admin\Downloads\m.wry

Filesize
42KB

MD5
980b08bac152aff3f9b0136b616affa5

SHA1
2a9c9601ea038f790cc29379c79407356a3d25a3

SHA256
402046ada270528c9ac38bbfa0152836fe30fb8e12192354e53b8397421430d9

SHA512
100cda1f795781042b012498afd783fd6ff03b0068dbd07b2c2e163cd95e6c6e00755ce16b02b017693c9febc149ed02df9df9b607e2b9cca4b07e5bd420f496

Download Submit
C:\Users\Admin\Downloads\r.wry

Filesize
729B

MD5
880e6a619106b3def7e1255f67cb8099

SHA1
8b3a90b2103a92d9facbfb1f64cb0841d97b4de7

SHA256
c9e9dc06f500ae39bfeb4671233cc97bb6dab58d97bb94aba4a2e0e509418d35

SHA512
c35ca30e0131ae4ee3429610ce4914a36b681d2c406f67816f725aa336969c2996347268cb3d19c22abaa4e2740ae86f4210b872610a38b4fa09ee80fcf36243

Download Submit
C:\Users\Admin\Downloads\t.wry

Filesize
68KB

MD5
5557ee73699322602d9ae8294e64ce10

SHA1
1759643cf8bfd0fb8447fd31c5b616397c27be96

SHA256
a7dd727b4e0707026186fcab24ff922da50368e1a4825350bd9c4828c739a825

SHA512
77740de21603fe5dbb0d9971e18ec438a9df7aaa5cea6bd6ef5410e0ab38a06ce77fbaeb8fc68e0177323e6f21d0cee9410e21b7e77e8d60cc17f7d93fdb3d5e

Download Submit
C:\Users\Admin\Downloads\u.wry

Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
C:\Windows\infpub.dat

Filesize
401KB

MD5
c4f26ed277b51ef45fa180be597d96e8

SHA1
e9efc622924fb965d4a14bdb6223834d9a9007e7

SHA256
14d82a676b63ab046ae94fa5e41f9f69a65dc7946826cb3d74cea6c030c2f958

SHA512
afc2a8466f106e81d423065b07aed2529cbf690ab4c3e019334f1bedfb42dc0e0957be83d860a84b7285bd49285503bfe95a1cf571a678dbc9bdb07789da928e

Download Submit
C:\Windows\infpub.dat

Filesize
401KB

MD5
1d724f95c61f1055f0d02c2154bbccd3

SHA1
79116fe99f2b421c52ef64097f0f39b815b20907

SHA256
579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648

SHA512
f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113

Download Submit
memory/3044-501-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download