Analysis

max time kernel: 276s
max time network: 278s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-07-2024 03:07
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: http://GitHub.com
Resource: win10v2004-20240709-en
General

Target: http://GitHub.com

Malware Config

Extracted from: C:\Users\Admin\Downloads\!Please Read Me!.txt
Family: wannacry
Bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1
Signatures

BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.

Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.

Wannacry
WannaCry is a ransomware cryptoworm.

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious access to, or copying of, the web browser credential store.

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.

Renames multiple (516) files with added filename extension
This suggests ransomware activity: encrypting all the files on the system.

Downloads MZ/PE file

Checks computer location settings 2 TTPs 3 IoCs
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation | msedge.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation | msedge.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation | CoronaVirus (1).exe

Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.

Drops startup file 7 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta | CoronaVirus (1).exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD4782.tmp | WannaCry.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD4789.tmp | WannaCry.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CoronaVirus (1).exe | CoronaVirus (1).exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | CoronaVirus (1).exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-1AF2191C.[[email protected]].ncov | CoronaVirus (1).exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-1AF2191C.[[email protected]].ncov | CoronaVirus (1).exe
Executes dropped EXE 19 IoCs
pid | Process
4392 | CoronaVirus (1).exe
35444 | msedge.exe
35632 | msedge.exe
36440 | msedge.exe
36848 | BadRabbit.exe
33248 | 47C8.tmp
7388 | BadRabbit.exe
9848 | BadRabbit.exe
7664 | BadRabbit.exe
11584 | BadRabbit.exe
10972 | msedge.exe
11784 | msedge.exe
12268 | msedge.exe
11284 | WannaCry.exe
11920 | !WannaDecryptor!.exe
16480 | WannaCry.exe
16672 | !WannaDecryptor!.exe
15912 | !WannaDecryptor!.exe
18068 | !WannaDecryptor!.exe

Loads dropped DLL 11 IoCs
pid | Process
35444 | msedge.exe
35632 | msedge.exe
36440 | msedge.exe
37004 | rundll32.exe
22464 | rundll32.exe
8788 | rundll32.exe
8020 | rundll32.exe
9232 | rundll32.exe
10972 | msedge.exe
11784 | msedge.exe
12268 | msedge.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CoronaVirus (1).exe = "C:\\Windows\\System32\\CoronaVirus (1).exe" | CoronaVirus (1).exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\"" | CoronaVirus (1).exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\"" | CoronaVirus (1).exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\Downloads\\WannaCry.exe\" /r" | WannaCry.exe
Drops desktop.ini file(s) 64 IoCs
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow | ioc
139 | raw.githubusercontent.com
140 | raw.githubusercontent.com

Drops file in System32 directory 2 IoCs
description | ioc | Process
File created | C:\Windows\System32\CoronaVirus (1).exe | CoronaVirus (1).exe
File created | C:\Windows\System32\Info.hta | CoronaVirus (1).exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp" | !WannaDecryptor!.exe
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 13 IoCs
description | ioc | Process
File created | C:\Windows\dispci.exe | rundll32.exe
File created | C:\Windows\infpub.dat | BadRabbit.exe
File opened for modification | C:\Windows\infpub.dat | rundll32.exe
File opened for modification | C:\Windows\47C8.tmp | rundll32.exe
File opened for modification | C:\Windows\infpub.dat | rundll32.exe
File opened for modification | C:\Windows\infpub.dat | rundll32.exe
File created | C:\Windows\infpub.dat | BadRabbit.exe
File opened for modification | C:\Windows\infpub.dat | rundll32.exe
File created | C:\Windows\infpub.dat | BadRabbit.exe
File opened for modification | C:\Windows\infpub.dat | rundll32.exe
File created | C:\Windows\infpub.dat | BadRabbit.exe
File created | C:\Windows\cscc.dat | rundll32.exe
File created | C:\Windows\infpub.dat | BadRabbit.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery 1 TTPs 32 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe

Interacts with shadow copies 3 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid | Process
11140 | vssadmin.exe
9072 | vssadmin.exe

Kills process with taskkill 4 IoCs
pid | Process
12276 | taskkill.exe
10744 | taskkill.exe
12104 | taskkill.exe
12200 | taskkill.exe

Modifies registry class 1 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1750093773-264148664-1320403265-1000\{98E5E7FE-E6DF-4CDD-B008-2CDA62853F19} | msedge.exe

NTFS ADS 5 IoCs
description | ioc | Process
File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 938327.crdownload:SmartScreen | msedge.exe
File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 421864.crdownload:SmartScreen | msedge.exe
File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 326827.crdownload:SmartScreen | msedge.exe
File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 942680.crdownload:SmartScreen | msedge.exe
File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 285713.crdownload:SmartScreen | msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
33280 | schtasks.exe
34004 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 19 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 64 IoCs
pid   Process
2768  msedge.exe  (64 entries, all from the same process)
Suspicious use of SendNotifyMessage 56 IoCs
pid   Process
2768  msedge.exe  (56 entries, all from the same process)
Suspicious use of SetWindowsHookEx 8 IoCs
pid    Process
11920  !WannaDecryptor!.exe  (2 entries)
16672  !WannaDecryptor!.exe  (2 entries)
15912  !WannaDecryptor!.exe  (2 entries)
18068  !WannaDecryptor!.exe  (2 entries)
Suspicious use of WriteProcessMemory 64 IoCs
description                        pid   Process     procid_target
PID 2768 wrote to memory of 3252   2768  msedge.exe  84  (2 entries)
PID 2768 wrote to memory of 1860   2768  msedge.exe  85  (40 entries)
PID 2768 wrote to memory of 2552   2768  msedge.exe  86  (2 entries)
PID 2768 wrote to memory of 1428   2768  msedge.exe  87  (20 entries)
All 64 recorded writes come from the Edge browser process (2768) into its own child processes (crashpad handler, GPU, network and storage services), which is normal Chromium process bootstrapping rather than injection.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
Depth in the tree is shown in brackets; each child is indented under its parent.

[1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://GitHub.com
    PID: 2768
    - Enumerates system info in registry
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcbc3746f8,0x7ffcbc374708,0x7ffcbc374718
        PID: 3252

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,6356444687994046439,15688343590332267923,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
        PID: 1860

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,6356444687994046439,15688343590332267923,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3
        PID: 2552
        - Suspicious behavior: EnumeratesProcesses

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,6356444687994046439,15688343590332267923,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2816 /prefetch:8
        PID: 1428

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6356444687994046439,15688343590332267923,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
        PID: 2064

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6356444687994046439,15688343590332267923,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
        PID: 1976

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6356444687994046439,15688343590332267923,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4908 /prefetch:1
        PID: 1540

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6356444687994046439,15688343590332267923,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:1
        PID: 2716

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6356444687994046439,15688343590332267923,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5832 /prefetch:1
        PID: 1408

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6356444687994046439,15688343590332267923,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5896 /prefetch:1
        PID: 2620

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,6356444687994046439,15688343590332267923,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6052 /prefetch:8
        PID: 2184

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,6356444687994046439,15688343590332267923,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6052 /prefetch:8
        PID: 3816
        - Suspicious behavior: EnumeratesProcesses

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6356444687994046439,15688343590332267923,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3912 /prefetch:1
        PID: 2564

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6356444687994046439,15688343590332267923,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6140 /prefetch:1
        PID: 2716

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2112,6356444687994046439,15688343590332267923,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3480 /prefetch:8
        PID: 748

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2112,6356444687994046439,15688343590332267923,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5124 /prefetch:8
        PID: 3344
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6356444687994046439,15688343590332267923,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:1
        PID: 4604

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6356444687994046439,15688343590332267923,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2220 /prefetch:1
        PID: 4976

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6356444687994046439,15688343590332267923,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1748 /prefetch:1
        PID: 4768

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6356444687994046439,15688343590332267923,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5572 /prefetch:1
        PID: 2060

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6356444687994046439,15688343590332267923,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3484 /prefetch:1
        PID: 5440

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6356444687994046439,15688343590332267923,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1924 /prefetch:1
        PID: 5448

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6356444687994046439,15688343590332267923,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1940 /prefetch:1
        PID: 5864

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2112,6356444687994046439,15688343590332267923,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6644 /prefetch:8
        PID: 6128

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6356444687994046439,15688343590332267923,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6624 /prefetch:1
        PID: 6076

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2112,6356444687994046439,15688343590332267923,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6304 /prefetch:8
        PID: 1808

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2112,6356444687994046439,15688343590332267923,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6292 /prefetch:8
        PID: 4436

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2112,6356444687994046439,15688343590332267923,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6080 /prefetch:8
        PID: 5416

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2112,6356444687994046439,15688343590332267923,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6976 /prefetch:8
        PID: 5440
        - Suspicious behavior: EnumeratesProcesses
    [2] C:\Users\Admin\Downloads\CoronaVirus (1).exe
        Command line: "C:\Users\Admin\Downloads\CoronaVirus (1).exe"
        PID: 4392
        - Checks computer location settings
        - Drops startup file
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops desktop.ini file(s)
        - Drops file in System32 directory
        - Drops file in Program Files directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses

        [3] C:\Windows\system32\cmd.exe
            Command line: "C:\Windows\system32\cmd.exe"
            PID: 6004

            [4] C:\Windows\system32\mode.com
                Command line: mode con cp select=1251
                PID: 9916

            [4] C:\Windows\system32\vssadmin.exe
                Command line: vssadmin delete shadows /all /quiet
                PID: 11140
                - Interacts with shadow copies

        [3] C:\Windows\system32\cmd.exe
            Command line: "C:\Windows\system32\cmd.exe"
            PID: 9804

            [4] C:\Windows\system32\mode.com
                Command line: mode con cp select=1251
                PID: 9428

            [4] C:\Windows\system32\vssadmin.exe
                Command line: vssadmin delete shadows /all /quiet
                PID: 9072
                - Interacts with shadow copies

        [3] C:\Windows\System32\mshta.exe
            Command line: "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
            PID: 9412

        [3] C:\Windows\System32\mshta.exe
            Command line: "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
            PID: 9316
    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6356444687994046439,15688343590332267923,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7084 /prefetch:1
        PID: 21604

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,6356444687994046439,15688343590332267923,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6624 /prefetch:2
        PID: 36564
        - Suspicious behavior: EnumeratesProcesses

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6356444687994046439,15688343590332267923,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6864 /prefetch:1
        PID: 35444
        - Checks computer location settings
        - Executes dropped EXE
        - Loads dropped DLL

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2112,6356444687994046439,15688343590332267923,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7036 /prefetch:8
        PID: 35632
        - Executes dropped EXE
        - Loads dropped DLL

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2112,6356444687994046439,15688343590332267923,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6432 /prefetch:8
        PID: 36440
        - Executes dropped EXE
        - Loads dropped DLL
    [2] C:\Users\Admin\Downloads\BadRabbit.exe
        Command line: "C:\Users\Admin\Downloads\BadRabbit.exe"
        PID: 36848
        - Executes dropped EXE
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery

        [3] C:\Windows\SysWOW64\rundll32.exe
            Command line: C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
            PID: 37004
            - Loads dropped DLL
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken

            [4] C:\Windows\SysWOW64\cmd.exe
                Command line: /c schtasks /Delete /F /TN rhaegal
                PID: 36364
                - System Location Discovery: System Language Discovery

                [5] C:\Windows\SysWOW64\schtasks.exe
                    Command line: schtasks /Delete /F /TN rhaegal
                    PID: 36700
                    - System Location Discovery: System Language Discovery

            [4] C:\Windows\SysWOW64\cmd.exe
                Command line: /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 374095387 && exit"
                PID: 36576
                - System Location Discovery: System Language Discovery

                [5] C:\Windows\SysWOW64\schtasks.exe
                    Command line: schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 374095387 && exit"
                    PID: 33280
                    - System Location Discovery: System Language Discovery
                    - Scheduled Task/Job: Scheduled Task

            [4] C:\Windows\SysWOW64\cmd.exe
                Command line: /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 03:29:00
                PID: 36800
                - System Location Discovery: System Language Discovery

                [5] C:\Windows\SysWOW64\schtasks.exe
                    Command line: schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 03:29:00
                    PID: 34004
                    - System Location Discovery: System Language Discovery
                    - Scheduled Task/Job: Scheduled Task

            [4] C:\Windows\47C8.tmp
                Command line: "C:\Windows\47C8.tmp" \\.\pipe\{12F56AD9-BFDC-4220-B5C1-13A60E23BC59}
                PID: 33248
                - Executes dropped EXE
                - Suspicious use of AdjustPrivilegeToken
    [2] C:\Users\Admin\Downloads\BadRabbit.exe
        Command line: "C:\Users\Admin\Downloads\BadRabbit.exe"
        PID: 7388
        - Executes dropped EXE
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery

        [3] C:\Windows\SysWOW64\rundll32.exe
            Command line: C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
            PID: 22464
            - Loads dropped DLL
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken

    [2] C:\Users\Admin\Downloads\BadRabbit.exe
        Command line: "C:\Users\Admin\Downloads\BadRabbit.exe"
        PID: 9848
        - Executes dropped EXE
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery

        [3] C:\Windows\SysWOW64\rundll32.exe
            Command line: C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
            PID: 8788
            - Loads dropped DLL
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken

    [2] C:\Users\Admin\Downloads\BadRabbit.exe
        Command line: "C:\Users\Admin\Downloads\BadRabbit.exe"
        PID: 7664
        - Executes dropped EXE
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery

        [3] C:\Windows\SysWOW64\rundll32.exe
            Command line: C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
            PID: 8020
            - Loads dropped DLL
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken

    [2] C:\Users\Admin\Downloads\BadRabbit.exe
        Command line: "C:\Users\Admin\Downloads\BadRabbit.exe"
        PID: 11584
        - Executes dropped EXE
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery

        [3] C:\Windows\SysWOW64\rundll32.exe
            Command line: C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
            PID: 9232
            - Loads dropped DLL
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken
    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6356444687994046439,15688343590332267923,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6956 /prefetch:1
        PID: 10972
        - Checks computer location settings
        - Executes dropped EXE
        - Loads dropped DLL

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2112,6356444687994046439,15688343590332267923,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6528 /prefetch:8
        PID: 11784
        - Executes dropped EXE
        - Loads dropped DLL

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2112,6356444687994046439,15688343590332267923,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4148 /prefetch:8
        PID: 12268
        - Executes dropped EXE
        - Loads dropped DLL
    [2] C:\Users\Admin\Downloads\WannaCry.exe
        Command line: "C:\Users\Admin\Downloads\WannaCry.exe"
        PID: 11284
        - Drops startup file
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery

        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c 162771721877139.bat
            PID: 10596
            - System Location Discovery: System Language Discovery

            [4] C:\Windows\SysWOW64\cscript.exe
                Command line: cscript //nologo c.vbs
                PID: 11916
                - System Location Discovery: System Language Discovery

        [3] C:\Users\Admin\Downloads\!WannaDecryptor!.exe
            Command line: !WannaDecryptor!.exe f
            PID: 11920
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx

        [3] C:\Windows\SysWOW64\taskkill.exe
            Command line: taskkill /f /im MSExchange*
            PID: 10744
            - System Location Discovery: System Language Discovery
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken

        [3] C:\Windows\SysWOW64\taskkill.exe
            Command line: taskkill /f /im Microsoft.Exchange.*
            PID: 12104
            - System Location Discovery: System Language Discovery
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken

        [3] C:\Windows\SysWOW64\taskkill.exe
            Command line: taskkill /f /im sqlserver.exe
            PID: 12200
            - System Location Discovery: System Language Discovery
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken

        [3] C:\Windows\SysWOW64\taskkill.exe
            Command line: taskkill /f /im sqlwriter.exe
            PID: 12276
            - System Location Discovery: System Language Discovery
            - Kills process with taskkill
            - Suspicious use of AdjustPrivilegeToken

        [3] C:\Users\Admin\Downloads\!WannaDecryptor!.exe
            Command line: !WannaDecryptor!.exe c
            PID: 16672
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx

        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: cmd.exe /c start /b !WannaDecryptor!.exe v
            PID: 17428
            - System Location Discovery: System Language Discovery

            [4] C:\Users\Admin\Downloads\!WannaDecryptor!.exe
                Command line: !WannaDecryptor!.exe v
                PID: 15912
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
                - Suspicious use of SetWindowsHookEx

                [5] C:\Windows\SysWOW64\cmd.exe
                    Command line: cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
                    PID: 8932
                    - System Location Discovery: System Language Discovery

                    [6] C:\Windows\SysWOW64\Wbem\WMIC.exe
                        Command line: wmic shadowcopy delete
                        PID: 13788
                        - System Location Discovery: System Language Discovery
                        - Suspicious use of AdjustPrivilegeToken

        [3] C:\Users\Admin\Downloads\!WannaDecryptor!.exe
            Command line: !WannaDecryptor!.exe
            PID: 18068
            - Executes dropped EXE
            - Sets desktop wallpaper using registry
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx

    [2] C:\Users\Admin\Downloads\WannaCry.exe
        Command line: "C:\Users\Admin\Downloads\WannaCry.exe"
        PID: 16480
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3224
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:5020
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:17984
Network
MITRE ATT&CK Enterprise v15
Execution
- Scheduled Task/Job (1): Scheduled Task (1)
- Windows Management Instrumentation (1)
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Defense Evasion
- Direct Volume Access (1)
- Indicator Removal (2): File Deletion (2)
- Modify Registry (2)
Credential Access
- Credentials from Password Stores (2): Credentials from Web Browsers (1), Windows Credential Manager (1)
- Unsecured Credentials (1): Credentials In Files (1)
Downloads