dharma | 2aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f

Analysis

max time kernel
447s
max time network
454s
platform
windows10-1703_x64
resource
win10-20240611-en
resource tags

arch:x64arch:x86image:win10-20240611-enlocale:en-usos:windows10-1703-x64system
submitted
27-08-2024 04:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NoMoreRansom.exe
Size

1.4MB
MD5

63210f8f1dde6c40a7f3643ccf0ff313
SHA1

57edd72391d710d71bead504d44389d0462ccec9
SHA256

2aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f
SHA512

87a89e8ab85be150a783a9f8d41797cfa12f86fdccb48f2180c0498bfd2b1040b730dee4665fe2c83b98d436453680226051b7f1532e1c0e0cda0cf702e80a11
SSDEEP

12288:WZgSKWk54jeg6lL5assQHtzV2KoLJ+PwXxwuLSJ8slf1zMr6iL/KNDx2PIXe2Q:KgoLetlLS8tz6V+PwD0XVMrXCNDxtK

Score

10^/10

dharma troldesh credential_access defense_evasion discovery execution impact persistence ransomware spyware stealer trojan upx

Malware Config

Signatures

Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
ransomware dharma
Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
ransomware trojan troldesh
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (439) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Downloads MZ/PE file
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Drops startup file 5 IoCs

Processes:

CoronaVirus.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-064D5208.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-064D5208.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta	CoronaVirus.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CoronaVirus.exe	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	CoronaVirus.exe

Executes dropped EXE 6 IoCs

Processes:

BadRabbit.exeBadRabbit.exeCoronaVirus.exeBadRabbit.exeCoronaVirus.exeCoronaVirus.exe

pid process

3296 BadRabbit.exe
4088 BadRabbit.exe
756 CoronaVirus.exe
30184 BadRabbit.exe
8580 CoronaVirus.exe
29616 CoronaVirus.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
3296	BadRabbit.exe
4088	BadRabbit.exe
756	CoronaVirus.exe
30184	BadRabbit.exe
8580	CoronaVirus.exe
29616	CoronaVirus.exe

UPX packed file 23 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1592-1-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1592-2-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1592-3-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1592-6-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1592-4-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1592-9-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1592-10-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1592-11-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1592-12-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1592-132-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1592-151-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1592-156-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1592-167-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1592-503-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1592-651-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1592-712-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1592-727-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1592-736-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1592-771-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1592-789-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1592-813-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1592-860-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1592-873-0x0000000000400000-0x00000000005DE000-memory.dmp	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

CoronaVirus.exeNoMoreRansom.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\""	CoronaVirus.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""	NoMoreRansom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CoronaVirus.exe = "C:\\Windows\\System32\\CoronaVirus.exe"	CoronaVirus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\""	CoronaVirus.exe

Drops desktop.ini file(s) 64 IoCs

Processes:

CoronaVirus.exe

description	ioc	process
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Stationery\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	CoronaVirus.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-1453213197-474736321-1741884505-1000\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Program Files\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	CoronaVirus.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\desktop.ini	CoronaVirus.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	CoronaVirus.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service
T1102

Processes:

flow ioc

134 raw.githubusercontent.com
135 raw.githubusercontent.com
136 raw.githubusercontent.com
137 raw.githubusercontent.com
Drops file in System32 directory 2 IoCs

Processes:

CoronaVirus.exe

description ioc process

File created C:\Windows\System32\CoronaVirus.exe CoronaVirus.exe
File created C:\Windows\System32\Info.hta CoronaVirus.exe

flow	ioc
134	raw.githubusercontent.com
135	raw.githubusercontent.com
136	raw.githubusercontent.com
137	raw.githubusercontent.com

description	ioc	process
File created	C:\Windows\System32\CoronaVirus.exe	CoronaVirus.exe
File created	C:\Windows\System32\Info.hta	CoronaVirus.exe

Drops file in Program Files directory 64 IoCs

Processes:

CoronaVirus.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MEDIA\DRUMROLL.WAV.id-064D5208.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11701.1001.87.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\StoreLargeTile.scale-100.png	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_PrepidBypass-ul-oob.xrm-ms.id-064D5208.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\2_32x32x32.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailBadge.scale-150.png	CoronaVirus.exe
File opened for modification	C:\Program Files\Windows Media Player\ja-JP\setup_wm.exe.mui	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2017.125.40.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraMedTile.contrast-white_scale-200.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Audio\Click_G.wav	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\AddressBook.png	CoronaVirus.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libcdda_plugin.dll.id-064D5208.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\currency.data	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_16.511.8780.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\PhotosAppList.contrast-black_scale-125.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\HxA-GoogleCloudCache-Light.scale-100.png	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\Toast.svg.id-064D5208.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0018-0409-1000-0000000FF1CE.xml.id-064D5208.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_Trial-ul-oob.xrm-ms.id-064D5208.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusiness2019VL_KMS_Client_AE-ul.xrm-ms.id-064D5208.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Assets\Logos\BadgeLogo\PaintApplist.scale-400.png	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jre-1.8\legal\javafx\gstreamer.md.id-064D5208.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Grace-ppd.xrm-ms	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Assets\Audio\incoming_contacts.wav	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-core-file-l1-2-0.dll	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\de-de\ui-strings.js.id-064D5208.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\MS.EXCEL.16.1033.hxn	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\MessagingApplication.exe	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.contrast-black_scale-200.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\1937_36x36x32.png	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-heap-l1-1-0.dll.id-064D5208.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\nb-no\ui-strings.js.id-064D5208.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe.id-064D5208.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\arrow-up.gif	CoronaVirus.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\libvdr_plugin.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-string-l1-1-0.dll.id-064D5208.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\WordR_OEM_Perp-ul-oob.xrm-ms	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\eula.ini.id-064D5208.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_rename_18.svg	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\icons.png.id-064D5208.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\css\main.css	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\sv-se\ui-strings.js.id-064D5208.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\STRTEDGE\STRTEDGE.INF.id-064D5208.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\zh-tw\ui-strings.js	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_17.8010.5926.0_x64__8wekyb3d8bbwe\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOIDRES.DLL	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\ja\WindowsBase.resources.dll	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Access2019R_Retail-ul-oob.xrm-ms.id-064D5208.[[email protected]].ncov	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail2-ppd.xrm-ms.id-064D5208.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AlarmsBadge.contrast-black_scale-100.png	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\vcruntime140.dll.id-064D5208.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Mozilla Firefox\vcruntime140.dll.id-064D5208.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\Utils.CX.dll	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe.id-064D5208.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\PeopleMedTile.scale-100.png	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\SEQCHK10.DLL	CoronaVirus.exe
File created	C:\Program Files\VideoLAN\VLC\hrtfs\dodeca_and_7channel_3DSL_HRTF.sofa.id-064D5208.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\uk-UA\wmpnssci.dll.mui	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoVL_KMS_Client-ul-oob.xrm-ms.id-064D5208.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_Retail-ppd.xrm-ms	CoronaVirus.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ca-es\ui-strings.js	CoronaVirus.exe
File opened for modification	C:\Program Files\Windows Media Player\fr-FR\wmplayer.exe.mui	CoronaVirus.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\legal\jdk\relaxngdatatype.md	CoronaVirus.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_KMS_Automation-ul-oob.xrm-ms.id-064D5208.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\Attribution\foreca.png	CoronaVirus.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\Images\PrintAndShare\Glyph_0xecd2.png	CoronaVirus.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\themes\dark\close.svg.id-064D5208.[[email protected]].ncov	CoronaVirus.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ro\msipc.dll.mui.id-064D5208.[[email protected]].ncov	CoronaVirus.exe

Drops file in Windows directory 6 IoCs

Processes:

BadRabbit.exerundll32.exeBadRabbit.exerundll32.exeBadRabbit.exerundll32.exe

description	ioc	process
File created	C:\Windows\infpub.dat	BadRabbit.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\infpub.dat	BadRabbit.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\infpub.dat	BadRabbit.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 2 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

Processes:

firefox.exe

description	ioc	process
File created	C:\Users\Admin\Downloads\BadRabbit.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\CoronaVirus.exe:Zone.Identifier	firefox.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

rundll32.exeCoronaVirus.exeCoronaVirus.exeNoMoreRansom.exeBadRabbit.exerundll32.exerundll32.exeBadRabbit.exeBadRabbit.exeCoronaVirus.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CoronaVirus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CoronaVirus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NoMoreRansom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BadRabbit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BadRabbit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BadRabbit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CoronaVirus.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Interacts with shadow copies 3 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Direct Volume Access
T1006

Processes:

vssadmin.exevssadmin.exe

pid process

18864 vssadmin.exe
29644 vssadmin.exe
Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings firefox.exe

pid	process
18864	vssadmin.exe
29644	vssadmin.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings	firefox.exe

NTFS ADS 2 IoCs

Processes:

firefox.exe

description	ioc	process
File created	C:\Users\Admin\Downloads\BadRabbit.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\CoronaVirus.exe:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

NoMoreRansom.exerundll32.exerundll32.exeCoronaVirus.exe

pid	process
1592	NoMoreRansom.exe
1592	NoMoreRansom.exe
1592	NoMoreRansom.exe
1592	NoMoreRansom.exe
2932	rundll32.exe
2932	rundll32.exe
2932	rundll32.exe
2932	rundll32.exe
1424	rundll32.exe
1424	rundll32.exe
756	CoronaVirus.exe
756	CoronaVirus.exe
756	CoronaVirus.exe
756	CoronaVirus.exe
756	CoronaVirus.exe
756	CoronaVirus.exe
756	CoronaVirus.exe
756	CoronaVirus.exe
756	CoronaVirus.exe
756	CoronaVirus.exe
756	CoronaVirus.exe
756	CoronaVirus.exe
756	CoronaVirus.exe
756	CoronaVirus.exe
756	CoronaVirus.exe
756	CoronaVirus.exe
756	CoronaVirus.exe
756	CoronaVirus.exe
756	CoronaVirus.exe
756	CoronaVirus.exe
756	CoronaVirus.exe
756	CoronaVirus.exe
756	CoronaVirus.exe
756	CoronaVirus.exe
756	CoronaVirus.exe
756	CoronaVirus.exe
756	CoronaVirus.exe
756	CoronaVirus.exe
756	CoronaVirus.exe
756	CoronaVirus.exe
756	CoronaVirus.exe
756	CoronaVirus.exe
756	CoronaVirus.exe
756	CoronaVirus.exe
756	CoronaVirus.exe
756	CoronaVirus.exe
756	CoronaVirus.exe
756	CoronaVirus.exe
756	CoronaVirus.exe
756	CoronaVirus.exe
756	CoronaVirus.exe
756	CoronaVirus.exe
756	CoronaVirus.exe
756	CoronaVirus.exe
756	CoronaVirus.exe
756	CoronaVirus.exe
756	CoronaVirus.exe
756	CoronaVirus.exe
756	CoronaVirus.exe
756	CoronaVirus.exe
756	CoronaVirus.exe
756	CoronaVirus.exe
756	CoronaVirus.exe
756	CoronaVirus.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

Processes:

firefox.exerundll32.exerundll32.exerundll32.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	5108	firefox.exe
Token: SeDebugPrivilege	5108	firefox.exe
Token: SeShutdownPrivilege	2932	rundll32.exe
Token: SeDebugPrivilege	2932	rundll32.exe
Token: SeTcbPrivilege	2932	rundll32.exe
Token: SeDebugPrivilege	5108	firefox.exe
Token: SeDebugPrivilege	5108	firefox.exe
Token: SeDebugPrivilege	5108	firefox.exe
Token: SeShutdownPrivilege	1424	rundll32.exe
Token: SeDebugPrivilege	1424	rundll32.exe
Token: SeTcbPrivilege	1424	rundll32.exe
Token: SeShutdownPrivilege	14772	rundll32.exe
Token: SeDebugPrivilege	14772	rundll32.exe
Token: SeTcbPrivilege	14772	rundll32.exe
Token: SeBackupPrivilege	13848	vssvc.exe
Token: SeRestorePrivilege	13848	vssvc.exe
Token: SeAuditPrivilege	13848	vssvc.exe
Token: SeDebugPrivilege	5108	firefox.exe
Token: SeDebugPrivilege	5108	firefox.exe

Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

firefox.exe

pid process

5108 firefox.exe
5108 firefox.exe
5108 firefox.exe
5108 firefox.exe
5108 firefox.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid process

5108 firefox.exe
5108 firefox.exe
5108 firefox.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

firefox.exe

pid	process
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe
5108	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 5052 wrote to memory of 5108	5052	firefox.exe	firefox.exe
PID 5052 wrote to memory of 5108	5052	firefox.exe	firefox.exe
PID 5052 wrote to memory of 5108	5052	firefox.exe	firefox.exe
PID 5052 wrote to memory of 5108	5052	firefox.exe	firefox.exe
PID 5052 wrote to memory of 5108	5052	firefox.exe	firefox.exe
PID 5052 wrote to memory of 5108	5052	firefox.exe	firefox.exe
PID 5052 wrote to memory of 5108	5052	firefox.exe	firefox.exe
PID 5052 wrote to memory of 5108	5052	firefox.exe	firefox.exe
PID 5052 wrote to memory of 5108	5052	firefox.exe	firefox.exe
PID 5052 wrote to memory of 5108	5052	firefox.exe	firefox.exe
PID 5052 wrote to memory of 5108	5052	firefox.exe	firefox.exe
PID 5108 wrote to memory of 3576	5108	firefox.exe	firefox.exe
PID 5108 wrote to memory of 3576	5108	firefox.exe	firefox.exe
PID 5108 wrote to memory of 4524	5108	firefox.exe	firefox.exe
PID 5108 wrote to memory of 4524	5108	firefox.exe	firefox.exe
PID 5108 wrote to memory of 4524	5108	firefox.exe	firefox.exe
PID 5108 wrote to memory of 4524	5108	firefox.exe	firefox.exe
PID 5108 wrote to memory of 4524	5108	firefox.exe	firefox.exe
PID 5108 wrote to memory of 4524	5108	firefox.exe	firefox.exe
PID 5108 wrote to memory of 4524	5108	firefox.exe	firefox.exe
PID 5108 wrote to memory of 4524	5108	firefox.exe	firefox.exe
PID 5108 wrote to memory of 4524	5108	firefox.exe	firefox.exe
PID 5108 wrote to memory of 4524	5108	firefox.exe	firefox.exe
PID 5108 wrote to memory of 4524	5108	firefox.exe	firefox.exe
PID 5108 wrote to memory of 4524	5108	firefox.exe	firefox.exe
PID 5108 wrote to memory of 4524	5108	firefox.exe	firefox.exe
PID 5108 wrote to memory of 4524	5108	firefox.exe	firefox.exe
PID 5108 wrote to memory of 4524	5108	firefox.exe	firefox.exe
PID 5108 wrote to memory of 4524	5108	firefox.exe	firefox.exe
PID 5108 wrote to memory of 4524	5108	firefox.exe	firefox.exe
PID 5108 wrote to memory of 4524	5108	firefox.exe	firefox.exe
PID 5108 wrote to memory of 4524	5108	firefox.exe	firefox.exe
PID 5108 wrote to memory of 4524	5108	firefox.exe	firefox.exe
PID 5108 wrote to memory of 4524	5108	firefox.exe	firefox.exe
PID 5108 wrote to memory of 4524	5108	firefox.exe	firefox.exe
PID 5108 wrote to memory of 4524	5108	firefox.exe	firefox.exe
PID 5108 wrote to memory of 4524	5108	firefox.exe	firefox.exe
PID 5108 wrote to memory of 4524	5108	firefox.exe	firefox.exe
PID 5108 wrote to memory of 4524	5108	firefox.exe	firefox.exe
PID 5108 wrote to memory of 4524	5108	firefox.exe	firefox.exe
PID 5108 wrote to memory of 4524	5108	firefox.exe	firefox.exe
PID 5108 wrote to memory of 4524	5108	firefox.exe	firefox.exe
PID 5108 wrote to memory of 4524	5108	firefox.exe	firefox.exe
PID 5108 wrote to memory of 4524	5108	firefox.exe	firefox.exe
PID 5108 wrote to memory of 4524	5108	firefox.exe	firefox.exe
PID 5108 wrote to memory of 4524	5108	firefox.exe	firefox.exe
PID 5108 wrote to memory of 4524	5108	firefox.exe	firefox.exe
PID 5108 wrote to memory of 4524	5108	firefox.exe	firefox.exe
PID 5108 wrote to memory of 4524	5108	firefox.exe	firefox.exe
PID 5108 wrote to memory of 4524	5108	firefox.exe	firefox.exe
PID 5108 wrote to memory of 4524	5108	firefox.exe	firefox.exe
PID 5108 wrote to memory of 4524	5108	firefox.exe	firefox.exe
PID 5108 wrote to memory of 4524	5108	firefox.exe	firefox.exe
PID 5108 wrote to memory of 4524	5108	firefox.exe	firefox.exe
PID 5108 wrote to memory of 4524	5108	firefox.exe	firefox.exe
PID 5108 wrote to memory of 4524	5108	firefox.exe	firefox.exe
PID 5108 wrote to memory of 4524	5108	firefox.exe	firefox.exe
PID 5108 wrote to memory of 4524	5108	firefox.exe	firefox.exe
PID 5108 wrote to memory of 4524	5108	firefox.exe	firefox.exe
PID 5108 wrote to memory of 4524	5108	firefox.exe	firefox.exe
PID 5108 wrote to memory of 4524	5108	firefox.exe	firefox.exe
PID 5108 wrote to memory of 4016	5108	firefox.exe	firefox.exe
PID 5108 wrote to memory of 4016	5108	firefox.exe	firefox.exe
PID 5108 wrote to memory of 4016	5108	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\NoMoreRansom.exe
"C:\Users\Admin\AppData\Local\Temp\NoMoreRansom.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1592

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5052
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5108
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5108.0.2019633275\1753739323" -parentBuildID 20221007134813 -prefsHandle 1684 -prefMapHandle 1668 -prefsLen 20845 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {97fee6e7-26d3-42b0-b5d1-0aa7190eabf3} 5108 "\\.\pipe\gecko-crash-server-pipe.5108" 1764 2be52acd858 gpu
    3⤵
    PID:3576
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5108.1.1485889392\393957835" -parentBuildID 20221007134813 -prefsHandle 2108 -prefMapHandle 2104 -prefsLen 20926 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0a07ca28-74a7-4d8b-81eb-b662319910e3} 5108 "\\.\pipe\gecko-crash-server-pipe.5108" 2120 2be47872558 socket
    3⤵
    PID:4524
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5108.2.1380309156\904751263" -childID 1 -isForBrowser -prefsHandle 2712 -prefMapHandle 2800 -prefsLen 20964 -prefMapSize 233444 -jsInitHandle 1300 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8453eaed-aaaf-49f8-a040-d3b4b8abddd0} 5108 "\\.\pipe\gecko-crash-server-pipe.5108" 2792 2be569bd858 tab
    3⤵
    PID:4016
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5108.3.905146883\1684339556" -childID 2 -isForBrowser -prefsHandle 3516 -prefMapHandle 3512 -prefsLen 26214 -prefMapSize 233444 -jsInitHandle 1300 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {634d3890-9fc0-4df9-97d9-94dd3b017d2b} 5108 "\\.\pipe\gecko-crash-server-pipe.5108" 3528 2be54e04458 tab
    3⤵
    PID:836
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5108.4.1164918344\413611729" -childID 3 -isForBrowser -prefsHandle 3920 -prefMapHandle 3516 -prefsLen 26349 -prefMapSize 233444 -jsInitHandle 1300 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {50f3f09f-6ace-4b93-997b-b51285c85a01} 5108 "\\.\pipe\gecko-crash-server-pipe.5108" 4032 2be579e9558 tab
    3⤵
    PID:3156
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5108.5.1040307323\1008835845" -childID 4 -isForBrowser -prefsHandle 4816 -prefMapHandle 4780 -prefsLen 26354 -prefMapSize 233444 -jsInitHandle 1300 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {eafa77dd-f7c5-4bbc-8e79-a657f4ce8683} 5108 "\\.\pipe\gecko-crash-server-pipe.5108" 4936 2be590c5658 tab
    3⤵
    PID:4172
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5108.6.403662293\1959611800" -childID 5 -isForBrowser -prefsHandle 5072 -prefMapHandle 5076 -prefsLen 26354 -prefMapSize 233444 -jsInitHandle 1300 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6f1128aa-2a13-43a0-95d9-d5517c3c1fb4} 5108 "\\.\pipe\gecko-crash-server-pipe.5108" 4956 2be590c6b58 tab
    3⤵
    PID:4316
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5108.7.478454477\1909432503" -childID 6 -isForBrowser -prefsHandle 5276 -prefMapHandle 5280 -prefsLen 26354 -prefMapSize 233444 -jsInitHandle 1300 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fa654a26-2aef-4dff-b2be-c810263a3381} 5108 "\\.\pipe\gecko-crash-server-pipe.5108" 5264 2be59125658 tab
    3⤵
    PID:548
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5108.8.469220074\2135095155" -childID 7 -isForBrowser -prefsHandle 4956 -prefMapHandle 5500 -prefsLen 26873 -prefMapSize 233444 -jsInitHandle 1300 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5c60bbe0-a344-44ac-845b-1136a3d05cfc} 5108 "\\.\pipe\gecko-crash-server-pipe.5108" 5328 2be52d43458 tab
    3⤵
    PID:3720
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5108.9.760019422\482124277" -childID 8 -isForBrowser -prefsHandle 5156 -prefMapHandle 4952 -prefsLen 26873 -prefMapSize 233444 -jsInitHandle 1300 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1de1ad6e-c4b6-40aa-88cc-64d234871717} 5108 "\\.\pipe\gecko-crash-server-pipe.5108" 5240 2be47860458 tab
    3⤵
    PID:2732
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5108.10.743185843\1013603095" -childID 9 -isForBrowser -prefsHandle 5972 -prefMapHandle 6024 -prefsLen 26873 -prefMapSize 233444 -jsInitHandle 1300 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3f5c8303-d183-4798-bffb-188fe00be1cf} 5108 "\\.\pipe\gecko-crash-server-pipe.5108" 4816 2be5b56d858 tab
    3⤵
    PID:3280
- - C:\Users\Admin\Downloads\BadRabbit.exe
    "C:\Users\Admin\Downloads\BadRabbit.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:3296
  - - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
      4⤵
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2932
- - C:\Users\Admin\Downloads\CoronaVirus.exe
    "C:\Users\Admin\Downloads\CoronaVirus.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops desktop.ini file(s)
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:756
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      4⤵
      PID:3472
    - - C:\Windows\system32\mode.com
        
        mode con cp select=1251
        5⤵
        
        PID:16488
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin delete shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:18864
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe"
      4⤵
      PID:22688
    - - C:\Windows\system32\mode.com
        
        mode con cp select=1251
        5⤵
        
        PID:28856
    - - C:\Windows\system32\vssadmin.exe
        
        vssadmin delete shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:29644
  - - C:\Windows\System32\mshta.exe
      "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
      4⤵
      PID:29300
  - - C:\Windows\System32\mshta.exe
      "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
      4⤵
      PID:30016

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3948

C:\Users\Admin\Downloads\BadRabbit.exe
"C:\Users\Admin\Downloads\BadRabbit.exe"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4088
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1424

C:\Users\Admin\Downloads\BadRabbit.exe
"C:\Users\Admin\Downloads\BadRabbit.exe"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:30184
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:14772

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:13848

C:\Users\Admin\Downloads\CoronaVirus.exe
"C:\Users\Admin\Downloads\CoronaVirus.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:8580

C:\Users\Admin\Downloads\CoronaVirus.exe
"C:\Users\Admin\Downloads\CoronaVirus.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:29616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe.id-064D5208.[[email protected]].ncov

Filesize
2.9MB

MD5
5fc5ceaf5e793003b889dafa664c6025

SHA1
1e3ca6a24191d5398466db7b482da3d05e221379

SHA256
c3758ecde26f4a787c65b661762b84ba34634b08275f00d6c24bdfada4ce516f

SHA512
bd2ed38d1256948776ac924a72681b24837ab7aadd583c9deb8002b183cb0122ae0efcc9ccc74306353c636d65bf3e9c062a829c98fac51986968d91800f916c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\activity-stream.discovery_stream.json.tmp

Filesize
49KB

MD5
3edd218aa4a3a6389bfcc9b0ef3ad9fe

SHA1
66eacc803eb7c9264305dba3d600e5a276c5a192

SHA256
7532dfcce0ff9c0b8943bcf47622722a7fe8fec8a5d2d958bd114bd64e4ff3e7

SHA512
eb395d87375c6de8edd34e118fe4df3b1d4a0d43012138c95bfc597f8e3240164350933682a79b62a7bed7b0d8c53aa919cc4f7b5c977ae72669e325bdddf2b2

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\cache2\entries\F01874D686FBE92E9DC7C6D88F7E4E9E125FD3BF

Filesize
172KB

MD5
f8af1e94fc1b9b1c6f342513ca3e8cd5

SHA1
3ee26d77f6bb7a240124fe76f7fbe83e941da3c2

SHA256
1cb87f1d9199513e7ecb25c41ab7eeb3ac13ee5ee23c11f56616c38c73d431fa

SHA512
3fa5f23020a83d11e9a754693c860412cb13e786429eefa2d49b9727cb9231bedfe0dcd4a109f6b2d9bf1f477ab09415c8d2115e8d61af1b2cc1bd35be1f0588

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\jumpListCache\XE1Ap3qViB1VFuURUGEIkA==.ico

Filesize
25KB

MD5
6b120367fa9e50d6f91f30601ee58bb3

SHA1
9a32726e2496f78ef54f91954836b31b9a0faa50

SHA256
92c62d192e956e966fd01a0c1f721d241b9b6f256b308a2be06187a7b925f9e0

SHA512
c8d55a2c10a2ef484dedded911b8f3c2f5ecb996be6f6f425c5bd4b4f53eb620a2baccd48bac1915a81da9a792971d95ff36c3f216075d93e5fd7a462ecd784f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
7KB

MD5
c460716b62456449360b23cf5663f275

SHA1
06573a83d88286153066bae7062cc9300e567d92

SHA256
0ec0f16f92d876a9c1140d4c11e2b346a9292984d9a854360e54e99fdcd99cc0

SHA512
476bc3a333aace4c75d9a971ef202d5889561e10d237792ca89f8d379280262ce98cf3d4728460696f8d7ff429a508237764bf4a9ccb59fd615aee07bdcadf30

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\startupCache\scriptCache.bin

Filesize
8.6MB

MD5
60a5aaa8190d8a1a279e661286bddb6f

SHA1
81b62053042d30b229c13480955d3a1b1a0f15d7

SHA256
a916aac0270e86d0b39832cb07b984532492d8df2ac227fed93f7c99cc10e9c9

SHA512
b83f348293ff1ce5b0afdb6764f03d6e8659bd14b076a1d76b1212dfe4a5c18128df6895c06e311850d2ffcecf3fc5e07a35d97cce22a4a9272f8cc55517d004

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Filesize
1.0MB

MD5
055d1462f66a350d9886542d4d79bc2b

SHA1
f1086d2f667d807dbb1aa362a7a809ea119f2565

SHA256
dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0

SHA512
2c5e570226252bdb2104c90d5b75f11493af8ed1be8cb0fd14e3f324311a82138753064731b80ce8e8b120b3fe7009b21a50e9f4583d534080e28ab84b83fee1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\F99AUB2EVKYDCAA77CLJ.temp

Filesize
5KB

MD5
c3fa98233e54f46c2bfeb9311184ca16

SHA1
c7178bad1edad2314aaa6b058591886a7ae361c4

SHA256
470db3d57da9ab4b02c9ae79a9f9894a3fceb6d39edeef0a5da21324b6a53e9f

SHA512
6ad7f5bf00a300d30e5cf19ea853ecf140fb08bfff1d17e44dba832bc4184c60c96d81119781411137646ed33aa9ee90223fb024fe166d68472e56b59ee74199

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
e905c9c545cc148a5f3a3a007eb2d868

SHA1
000e7da1807d0cc8c3cfcb219e3e4cc47a831899

SHA256
096bef22c073798e65a1874660e9574da31369e31364917ddca3370c7add0206

SHA512
081647d24a766b2d6bb3cf3910befe5dc11c44a0aacf7b2271121a3c391fb675885e8ca7cbf38b795b0dbb0da189fa4b208c70ee590c807d622c81b2e0ac8da1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\datareporting\glean\pending_pings\a6514402-7863-43aa-8c7c-57f5c080cd78

Filesize
746B

MD5
2d777c295996280069d1694adf6ebd51

SHA1
c9de2c2f4a7ef35419287c56f2f115c3fa7ce500

SHA256
9ffa08c968a370593a78ebca252736247245fad4cf78eccdaa8eb3713580b04c

SHA512
bec31688d8f96c2bdf665aebc41b005e0d1ba3fd0effc80cccd95c5422dc99b6e82a895f04897158d7b4d9f32de6320d330239a1048c051ca1b3dbf41b46befd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\datareporting\glean\pending_pings\da2b5501-5cfe-4d82-bc6e-3dc482d5f710

Filesize
11KB

MD5
2f55d81fcef91cffc45e8f1dc49c7a07

SHA1
9f1ebd54c67bb0e05b5c3938de9b2e7bc012218e

SHA256
626f4582ef0061eb946fc64d522c45e3f36d3ae316a576f4cede95611cc5da35

SHA512
3b5cb15039f3b213438b10149a69f2e9cb52cea3df81960beda3b0606787f13695d451b9aa374c64028e3eae5f68219be5faf491b8140c939e97afb525b9abca

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\prefs-1.js

Filesize
6KB

MD5
bd91f137cfebad37d214c3846edcce54

SHA1
847cfd598e49a5e75cf6f96ea8e16b8f40a52662

SHA256
84032831faf7acbc1db1ff97781588491dfbf1e425d4bca20001e5eddc00f11f

SHA512
21f5d3100873e164cab46e8e6697a683443051456c8b9d3300cbf9d428f40fc98a013fc1ff9143321c3d335dc307e3ce7cc05733a6875d8e2a77662f73966bb0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\prefs-1.js

Filesize
7KB

MD5
19146ec676868257a59ee9fa6a15f35a

SHA1
1efdfd3bfa363fef82de612373a2812ea85d7089

SHA256
de9d153b6163a280efd94485055864c27f2647b930a425c489b3e76578a1ef77

SHA512
3926efc4ce1b47c92d449be00939c422eaa3e9cfbfefafe98db7f47f4c9fb652965d8e47e88b5130443677d46bc612caa5af0456fba94387739c84a62793a20d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\prefs.js

Filesize
6KB

MD5
36f5cce16a60760269dae0d036bd5abe

SHA1
2c213ae76ce28f5be1dee32ec452ed2b5d72f973

SHA256
3cf2b73a05232245d61cd6f021afae1f4b3554fe0b338675eb59788636010814

SHA512
16605782ff489a0644ae4885d29de9934d70391c1cf199db66337ec101b1cd07f09d1281f37eed19352d34460d8f7a256f56c3e75a3f2f1bef13d910ae828c64

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\prefs.js

Filesize
6KB

MD5
39e948f9939a821c2c697712c6c9acbe

SHA1
bfa106f56c3559be10f2eaf23c5ebc28b94cfe44

SHA256
798e4aa0550bc4717403211f315a5e9b70f18ee5b0e7960fb3c72cf65169aa67

SHA512
3cd792710968d280dc2dcb7a28433f89866260fc7022f16b7fee197f09959adc3b03584815ada19f27ba9f602b7aa72f1aa29692209b9d1c256fc20cf9259ceb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\prefs.js

Filesize
7KB

MD5
ceb65e8a02b2fa607c16f2b223be8d31

SHA1
2cbb6681535154284c7a1c1f55078919e117cc83

SHA256
1128cf059e76b3ab65f0fb5e8fbc87de5c7e515369758fb16e960aec8ec10e6e

SHA512
0fb98f26f284f224ae5bda1e66449f2aa0391f81360b6e82ad47ad5b642bd6b650cef14cb8117a91c756eb04fb4ee4e82671e9acb52ad1eefd4a3c726d089f53

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
7KB

MD5
570e3dc47cdd3e9ec56da6eb1b31dde4

SHA1
df336bb26d0b4e92fdb35bb6198e537d6c4596fd

SHA256
13124f4953b1e49a023b7f14a617355fe9cbfe4951b62ddcd311e27467707ad6

SHA512
44bc473df576df826ea614fc7810bdd389204d0b36ab25303c2cccf2214d82823250e473f9e54fe6f99bcbdd3869319183628adf893ec8a204be99fc68ac8caf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
7KB

MD5
7a9350a316cdb05af1aa72d6bb650e54

SHA1
5fb17ed02a17f61114d851f4e05d0b82521567b9

SHA256
afb3f883115d08b0f397971749ca45a7b9176191c76fad997f775e031b91095c

SHA512
ce0a276778e0be9fb202a9ad453c148ba86bd3cadab5304bb39b5f70044d3dffa3c8427052bc84ac5dd114dc531b470bcecbbc2ccabf1dea6140c3c3b045ff66

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
7KB

MD5
415cc738aa38fb82f80bd7ad180c7667

SHA1
ec1d048fbf86d9b948afbf18bb4471212084739f

SHA256
fde1555c3217a5ba8e73572943a1bc259db39ef89aacb3fed0917d6fdbd790a2

SHA512
8fa27ed5175dbffbfc017ff55722c544ae26dd8ea918749053efc0658bbe953f2748f04efebca655c599b01e28f5bcf5420c7dd7f40e8dc3f09a6246c0efc997

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
2KB

MD5
3b74e6f25482fe190b515d957070869f

SHA1
57c5c72b769c281f2ae6257393ab4665790f62eb

SHA256
a5af6c388753cc437b79a8655b157489d960eae60bdfa5b7180bb1479b0e08d2

SHA512
44c36d12669e6fe0f1f35fa96da56aed0466d35676f1938772102acac65f0964c59be93045f6d8c8eb0add118c15cc6add52bafe64969af91f8a259e55608be9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
5KB

MD5
4903cd2a68703fad5a4a9b50d5412a5d

SHA1
9d0bcae6cf782df2c3bf80d532bbc13ba7b782be

SHA256
7871de5f3fc8aaf3f7c6482c7aafe203342f734f3b37e469109e081e25ccf9b1

SHA512
77c12e4951794804d9dbafce07a6c5b4f15d873453dc25a4ee4870de51cd8343335d4bd0e9f3cfb19be332b111f02f8f75c587b0a6ede9e6e5cdd279f84ac2be

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
348e3e14bd68f1a3c881fe7148de81ed

SHA1
afae40cd3282ae612e87f0fb7c4087e375d8d76d

SHA256
386d965ad7cd298a785e8ccd7e3ef568c7ac43b96d784557d05c37223d627931

SHA512
05ec7fd93a3b61dba058d0ae7f7c86a90b7fe6de486424c4f6f04cd3dcace69c2ca897b5bbc6694271282c0f9c7c0b881979286bf8012a01ffba67a1f6a74a3e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
c018ed9d9d930aae5d047ed1e9b4b1d4

SHA1
86d13b1e4c7fdb25efd43105094a5cf5dd46b997

SHA256
775b2ec05dace672432940581ab0fb251f5ee1fe19c821b789d36e66e54a32ec

SHA512
bb8dc601ad63b46aefc443aa019be09c2cd8130cd320d06ddf6f29f3848c2d4185da0bdc40f7f6454bdfdda0c478c091bd8ac88195e469ca78740adc0ae79420

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
7KB

MD5
3339905981838e49dd8f7ceb87ac314f

SHA1
668b227e53e4bccaa11d939666ac991ef727d8fe

SHA256
49a28ceb8585948c49e864a10aed8a827cbaafbded1b2d36556330cbc04fded1

SHA512
ff4ecdbbf80651acd1efe8d6f0fa27162bf2a8106842c76a1fc4cd2e4bcc025f4e3ab5b330cc1ce44a49d08fa0beced1b878dc0d51b0dab75d34c10f9b2ad668

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
7KB

MD5
6251098519b775f43118d1c4cfe4851e

SHA1
21e0cc32e64a7486ad5493e5db1a4a18b48291ae

SHA256
45646f29a599b963df64ce762387760c985f963bbe9a46f0959f64f643cc98ee

SHA512
75b6628cee3fadc57a527423c843984a1521cb3369e061021b495772f52f1757c504869772825dc6a87a88ac47f803ec421397099e8ada318a21d63c007c2640

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
7KB

MD5
91d53a2626460edaa7219a17342d13da

SHA1
ae4db72c2b9bd0280f4f66a5434f98c4940a96a5

SHA256
d045e4182e6bd75c27530d44535b364c0078b4f2b2a02413c2614801d9161944

SHA512
7ea8a2ed8c3abb3e3dde0739f2292dfd6f962e5b99e57f8f5c2eb2ed64ca19fefd86b79583e2eb3dc2a1ef4333dc0474e39d8b578723d9440d57776cd266a339

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
6fb529a6040edced72255baf206751b3

SHA1
d86a9e27b28d30d06bf0134fc1f1dbe1c8eddde2

SHA256
0854a410ae1d03645fb10f650df8a76657332b00ebb80a86b3a2167e305fa970

SHA512
b62f30ad4cd0801c044258e0c16ffce4a945f4f94b1352caa03aa5639c0d7efc971e6b32bdac81eeb79d02715dfa4deec490f2e385f00b40008edaa6addc4020

Download Submit
C:\Users\Admin\Downloads\BadRabbit.exe

Filesize
431KB

MD5
fbbdc39af1139aebba4da004475e8839

SHA1
de5c8d858e6e41da715dca1c019df0bfb92d32c0

SHA256
630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da

SHA512
74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87

Download Submit
C:\Users\Admin\Downloads\CoronaVirus.exe:Zone.Identifier

Filesize
50B

MD5
dce5191790621b5e424478ca69c47f55

SHA1
ae356a67d337afa5933e3e679e84854deeace048

SHA256
86a3e68762720abe870d1396794850220935115d3ccc8bb134ffa521244e3ef8

SHA512
a669e10b173fce667d5b369d230d5b1e89e366b05ba4e65919a7e67545dd0b1eca8bcb927f67b12fe47cbe22b0c54c54f1e03beed06379240b05b7b990c5a641

Download Submit
C:\Windows\infpub.dat

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\infpub.dat

Filesize
401KB

MD5
1d724f95c61f1055f0d02c2154bbccd3

SHA1
79116fe99f2b421c52ef64097f0f39b815b20907

SHA256
579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648

SHA512
f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113

Download Submit
C:\Windows\infpub.dat

Filesize
401KB

MD5
7f13c57aed1c74fb2273d3e30ecdb5ef

SHA1
b2a3054cdd6f5636e9d6386d3abdf9f6fbeb8333

SHA256
0812d9df3caf0071c8753c3d4abcb7b5650b21d4de23ad77fba406fcceae2348

SHA512
a55af49432e2730dbea7d54f6fe12993de3037a5d6b70c889407df672ed8ddf5d68309d2ad2a2a46fc3f5cf15a7812595aa57b588ec0a96459ec5001b1b9e263

Download Submit
memory/756-23626-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/756-973-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/1424-895-0x0000000004E20000-0x0000000004E88000-memory.dmp

Filesize
416KB

Download
memory/1424-887-0x0000000004E20000-0x0000000004E88000-memory.dmp

Filesize
416KB

Download
memory/1592-156-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1592-1-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1592-167-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1592-727-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1592-789-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1592-2-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1592-3-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1592-860-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1592-712-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1592-873-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1592-651-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1592-0-0x0000000000870000-0x000000000093E000-memory.dmp

Filesize
824KB

Download
memory/1592-771-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1592-503-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1592-813-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1592-151-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1592-736-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1592-132-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1592-12-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1592-11-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1592-10-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1592-6-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1592-9-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1592-4-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2932-831-0x0000000004E90000-0x0000000004EF8000-memory.dmp

Filesize
416KB

Download
memory/2932-830-0x0000000004E90000-0x0000000004EF8000-memory.dmp

Filesize
416KB

Download
memory/2932-822-0x0000000004E90000-0x0000000004EF8000-memory.dmp

Filesize
416KB

Download
memory/8580-22136-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/8580-14585-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/29616-19872-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download
memory/29616-23607-0x0000000000400000-0x000000000056F000-memory.dmp

Filesize
1.4MB

Download