Resubmissions
Submitted          Task ID             Score
17-09-2024 16:20   240917-ttcpasscrd   4
17-09-2024 16:08   240917-tlmjja1hrf   6
17-09-2024 16:03   240917-the1aa1gnc   10  (this task)
17-09-2024 15:53   240917-tbyh2s1fpm   8
17-09-2024 15:46   240917-s738qs1dqn   10
16-09-2024 16:27   240916-tx94zaxgjm   3
16-09-2024 16:00   240916-tfqc8swerd   10
16-09-2024 15:57   240916-td4svawflr   6
29-08-2024 23:57   240829-3zs3xazamm   3

Analysis
max time kernel: 809s
max time network: 786s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17-09-2024 16:03
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://valkyrieofficial.vercel.app/
Resource: win10v2004-20240802-en

General
Target: https://valkyrieofficial.vercel.app/
Malware Config
Extracted: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta (the Dharma ransom note; also re-launched via mshta.exe from the Run keys listed below)
Extracted: C:\Users\Admin\Downloads\!Please Read Me!.txt (WannaCry ransom note)
Family: wannacry
Bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1
Signatures

Dharma
Dharma (also known as CrySiS) is a ransomware family; some campaigns have bundled it with a legitimate security-software installer to mask its activity. Encrypted files receive the suffix .id-<victim ID>.[<contact address>].<extension>. In this run the suffix applied by CoronaVirus.exe is .id-D1B0B65D.[<contact address>].ncov; the contact address inside the brackets is obscured in this copy of the report.

Wannacry
WannaCry is a ransomware cryptoworm. In this run WannaCry.exe (PID 17296) spawned !WannaDecryptor!.exe, cmd.exe and four taskkill.exe instances (see the WriteProcessMemory records at the end), !WannaDecryptor!.exe set the !WannaCryptor!.bmp wallpaper, and the extracted configuration carries the Bitcoin address 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1.

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious access to, or copying of, a web-browser credential store.

Deletes shadow copies 3 TTPs
Ransomware often deletes shadow copies and backups to inhibit system recovery.

Renames multiple (626) files with added filename extension
Consistent with ransomware encrypting files across the system; here the added extension is the Dharma-style .id-D1B0B65D.[<contact address>].ncov seen throughout the file IoCs below.
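The rename signature above counts files that gained an extension; the Dharma naming scheme makes that count more useful, because the appended suffix carries the victim ID and the attacker's contact address. The following Python is an added example, not part of the sandbox report: it parses the .id-<victim ID>.[<contact>].<ext> suffix and flags a mass rename when one (victim ID, extension) pair dominates. The sample paths are constructed to mirror the report's IoCs, and the contact address is a placeholder because the report obscures the real one.

```python
"""Parse Dharma-style encrypted filenames and detect mass renaming.

Added example, not part of the sandbox report. The paths below are constructed
to mirror the report's IoCs; the contact address is a placeholder because the
report obscures the real one.
"""
import re
from collections import Counter

# Dharma appends ".id-<8 hex victim id>.[<contact address>].<extension>" to the original name.
DHARMA_RE = re.compile(
    r"^(?P<original>.+?)\.id-(?P<victim_id>[0-9A-Fa-f]{8})"
    r"\.\[(?P<contact>[^\]]+)\]\.(?P<ext>[A-Za-z0-9]+)$")


def parse_dharma_name(filename):
    """Return {'original', 'victim_id', 'contact', 'ext'} for a Dharma-renamed file, else None."""
    m = DHARMA_RE.match(filename)
    return m.groupdict() if m else None


def count_renames(paths):
    """Count Dharma-renamed files per (victim_id, ext) across a list of paths."""
    counts = Counter()
    for path in paths:
        info = parse_dharma_name(path.replace("/", "\\").rsplit("\\", 1)[-1])
        if info:
            counts[(info["victim_id"].upper(), info["ext"].lower())] += 1
    return counts


def mass_rename_suspected(paths, threshold=50):
    """True when one (victim_id, ext) pair accounts for at least `threshold` renamed files."""
    return any(n >= threshold for n in count_renames(paths).values())


CONTACT = "contact@example.invalid"  # placeholder; the report's copy is obscured
# Constructed sample: three renamed files from the report, one untouched file, and
# sixty synthetic renamed pictures to cross the mass-rename threshold.
SAMPLE_PATHS = [
    rf"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-D1B0B65D.[{CONTACT}].ncov",
    rf"C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe.id-D1B0B65D.[{CONTACT}].ncov",
    r"C:\Program Files\VideoLAN\VLC\locale\fi\LC_MESSAGES\vlc.mo",  # opened but not renamed
    rf"C:\Users\Admin\Documents\report.docx.id-D1B0B65D.[{CONTACT}].ncov",
] + [rf"C:\Users\Admin\Pictures\img{i:03d}.jpg.id-D1B0B65D.[{CONTACT}].ncov" for i in range(60)]

if __name__ == "__main__":
    for (victim, ext), n in count_renames(SAMPLE_PATHS).items():
        print(f"victim {victim}: {n} files renamed to .{ext}")
    print("mass rename suspected:", mass_rename_suspected(SAMPLE_PATHS))
```

The threshold is a tuning knob: the report saw 626 renames, so 50 is conservative, but on a file server the scan should run per user or per share so that one runaway victim ID stands out against normal write activity.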
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely for geofencing.
Key value queried: \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation, by msedge.exe
Caveat: the only hit is from msedge.exe, which reads this key in normal operation; it is not evidence that either ransomware geofences.

Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to the Credentials History store.
Drops startup file 6 IoCs
All six in C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\:
  File created: CoronaVirus.exe (CoronaVirus.exe)
  File opened for modification: desktop.ini (CoronaVirus.exe)
  File created: desktop.ini.id-D1B0B65D.[[email protected]].ncov (CoronaVirus.exe)
  File opened for modification: desktop.ini.id-D1B0B65D.[[email protected]].ncov (CoronaVirus.exe)
  File created: Info.hta (CoronaVirus.exe)
  File opened for modification: ~SDD484.tmp (WannaCry.exe)
Executes dropped EXE 64 IoCs
msedge.exe: PIDs 16552, 16840, 11232, 23260
!WannaDecryptor!.exe (60 instances): PIDs 18076, 20028, 19908, 20132, 20188, 20260, 20620, 20676, 21040, 17480, 21344, 21408, 3680, 5460, 5556, 4540, 11424, 15116, 11488, 2128, 4708, 3132, 5216, 5180, 5388, 5804, 5876, 5488, 6084, 6268, 6380, 7036, 6872, 7092, 6736, 6520, 6760, 7120, 7292, 7484, 7596, 7892, 23800, 23696, 23648, 23576, 23496, 23444, 23404, 23348, 23164, 23124, 23088, 23044, 23008, 22964, 22908, 23684, 22760, 22348

Loads dropped DLL 9 IoCs
msedge.exe: PID 16552 (3 loads), 16840 (2), 11232 (2), 23260 (2)
Adds Run key to start application 2 TTPs 4 IoCs
Set value (str), all under HKLM:
  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CoronaVirus.exe = "C:\\Windows\\System32\\CoronaVirus.exe" (CoronaVirus.exe)
  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\"" (CoronaVirus.exe)
  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\"" (CoronaVirus.exe)
  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\Downloads\\WannaCry.exe\" /r" (WannaCry.exe)
Notes: the two Info.hta values re-open the Dharma ransom note through mshta.exe at every logon, and their value names are themselves file paths. WannaCry's value lands under WOW6432Node because a 32-bit process writing HKLM\SOFTWARE on 64-bit Windows is redirected there; Windows still runs that key at logon, so a host check has to read both the native and the WOW6432Node Run keys.
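The Run values and Startup-folder drops above show the usual tells of ransomware persistence: a script host (mshta.exe) launching an .hta, value names that are file paths, a Microsoft-sounding value name pointing into the user's Downloads folder, and executables written to the Startup folder. The following Python is an added example, not part of the sandbox report: a heuristic audit that scores autostart entries for exactly those tells. The entries are constructed from this report's IoCs, plus one benign SecurityHealth entry assumed for contrast; on a live host you would feed it the output of a registry export or of Autoruns instead.

```python
"""Heuristic audit of Windows autostart entries for ransomware-style persistence.

Added example, not part of the sandbox report. The Run values and Startup-folder
paths below are constructed from the report's IoCs (plus one benign baseline
entry, SecurityHealth, assumed for contrast).
"""
import re

# Script hosts and LOLBins that ransomware uses to (re)launch notes and payloads.
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe",
                "powershell.exe", "rundll32.exe", "regsvr32.exe"}
# Locations a standard user can write to; a legitimate autostart image rarely lives here.
USER_WRITABLE = re.compile(
    r"\\(Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)|ProgramData|Windows\\Temp)\\", re.I)
TRUSTED_DIRS = re.compile(r"\\(Windows|Program Files( \(x86\))?)\\", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
AUTOSTART_EXTS = (".exe", ".hta", ".bat", ".cmd", ".vbs", ".js", ".scr")
SCRIPT_EXTS = (".hta", ".js", ".vbs", ".ps1")


def split_command(cmd):
    """Split a Run-value command line into (image path, arguments), honouring a quoted image."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    head, _, tail = cmd.partition(" ")
    return head, tail.strip()


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_run_value(key, name, command):
    """Return the reasons a Run value looks like malicious persistence (empty list = nothing found)."""
    reasons = []
    image, args = split_command(command)
    if basename(image) in SCRIPT_HOSTS:
        reasons.append(f"launched through script host {basename(image)}")
        payload = args.strip('"')  # the real payload is the argument, e.g. an .hta for mshta.exe
        if payload.lower().endswith(SCRIPT_EXTS):
            reasons.append(f"script payload {basename(payload)}")
            if USER_WRITABLE.search(payload):
                reasons.append("script payload lives in a user-writable path")
    if USER_WRITABLE.search(image):
        reasons.append("image lives in a user-writable path")
    if ":\\" in name:
        reasons.append("value name is itself a file path")
    if "microsoft" in name.lower() and not TRUSTED_DIRS.search(image):
        reasons.append("Microsoft-sounding name for an image outside Windows/Program Files")
    return reasons


def score_startup_drop(path):
    """Flag executables and HTML applications written to a Startup folder."""
    if STARTUP_DIR.search(path) and path.lower().endswith(AUTOSTART_EXTS):
        return [f"autostart payload dropped in Startup folder: {basename(path)}"]
    return []


# Constructed from the report's "Adds Run key" and "Drops startup file" IoCs.
RUN_VALUES = [
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "CoronaVirus.exe",
     r"C:\Windows\System32\CoronaVirus.exe"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", r"C:\Windows\System32\Info.hta",
     r'mshta.exe "C:\Windows\System32\Info.hta"'),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", r"C:\Users\Admin\AppData\Roaming\Info.hta",
     r'mshta.exe "C:\Users\Admin\AppData\Roaming\Info.hta"'),
    (r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run", "Microsoft Update Task Scheduler",
     r'"C:\Users\Admin\Downloads\WannaCry.exe" /r'),
    # Assumed benign baseline entry for contrast (not from the report).
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth",
     r"%windir%\system32\SecurityHealthSystray.exe"),
]
STARTUP_DROPS = [
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CoronaVirus.exe",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini",
]


def audit(run_values=RUN_VALUES, startup_drops=STARTUP_DROPS):
    """Map each flagged entry (Run value name or dropped path) to its list of reasons."""
    findings = {}
    for key, name, command in run_values:
        reasons = score_run_value(key, name, command)
        if reasons:
            findings[name] = reasons
    for path in startup_drops:
        reasons = score_startup_drop(path)
        if reasons:
            findings[path] = reasons
    return findings


if __name__ == "__main__":
    for item, reasons in audit().items():
        print(item)
        for reason in reasons:
            print("   -", reason)
```

Note what the heuristics miss: the Run value CoronaVirus.exe = C:\Windows\System32\CoronaVirus.exe is not flagged, because the image sits in a trusted directory and uses no script host. Catching that one needs a file-level check (is the System32 binary signed and known?), which is what the report's "Drops file in System32 directory" signature supplies.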
Drops desktop.ini file(s) 64 IoCs
All 64 entries are "File opened for modification" by CoronaVirus.exe:
  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini
  C:\Users\Admin\Favorites\desktop.ini
  C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini
  C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
  C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini
  C:\Users\Public\Music\desktop.ini
  C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini
  C:\Program Files\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini
  C:\Users\Public\Videos\desktop.ini
  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini
  C:\Users\Admin\3D Objects\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini
  C:\Users\Admin\OneDrive\desktop.ini
  C:\Users\Admin\Saved Games\desktop.ini
  C:\Users\Admin\Searches\desktop.ini
  C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini
  C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI
  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
  C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini
  C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini
  C:\Users\Admin\Links\desktop.ini
  C:\Users\Admin\Pictures\Camera Roll\desktop.ini
  C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini
  C:\Users\Public\Desktop\desktop.ini
  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
  C:\Users\Admin\Pictures\desktop.ini
  C:\Users\Public\Documents\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini
  C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini
  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini
  C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini
  C:\Users\Admin\Downloads\desktop.ini
  C:\Users\Public\desktop.ini
  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini
  C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini
  C:\Users\Admin\Documents\desktop.ini
  C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini
  C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
  C:\Users\Public\Downloads\desktop.ini
  C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini
  C:\Users\Admin\Desktop\desktop.ini
  C:\Users\Admin\Pictures\Saved Pictures\desktop.ini
  C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini
  C:\Users\Public\AccountPictures\desktop.ini
  C:\$Recycle.Bin\S-1-5-21-2170637797-568393320-3232933035-1000\desktop.ini
  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
  C:\Users\Admin\Favorites\Links\desktop.ini
  C:\Users\Admin\Music\desktop.ini
  C:\Users\Public\Pictures\desktop.ini
  C:\Program Files (x86)\desktop.ini
  C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini
  F:\$RECYCLE.BIN\S-1-5-21-2170637797-568393320-3232933035-1000\desktop.ini
  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini
  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini
  C:\Users\Admin\Contacts\desktop.ini
  C:\Users\Admin\Videos\desktop.ini
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
Flows 186, 187, 188: raw.githubusercontent.com (the fetched paths are not reproduced in this report)

Drops file in System32 directory 2 IoCs
  File created: C:\Windows\System32\CoronaVirus.exe (CoronaVirus.exe)
  File created: C:\Windows\System32\Info.hta (CoronaVirus.exe)

Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Set value (str): \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp" (!WannaDecryptor!.exe)
Drops file in Program Files directory 64 IoCs
Process is CoronaVirus.exe for all 64 entries; "created" = File created, "modified" = File opened for modification. The bracketed contact address in the Dharma suffix is obscured in this copy of the report.
  created   C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019VL_MAK_AE-ul-oob.xrm-ms.id-D1B0B65D.[[email protected]].ncov
  modified  C:\Program Files\VideoLAN\VLC\locale\fi\LC_MESSAGES\vlc.mo
  modified  C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\Microsoft.PowerShell.PackageManagement.dll.id-D1B0B65D.[[email protected]].ncov
  modified  C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\UIAutomationTypes.resources.dll
  modified  C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\System.Windows.Input.Manipulations.resources.dll.id-D1B0B65D.[[email protected]].ncov
  modified  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\close.svg.id-D1B0B65D.[[email protected]].ncov
  created   C:\Program Files\Microsoft Office\root\Licenses16\VisioStdO365R_SubTrial-ul-oob.xrm-ms.id-D1B0B65D.[[email protected]].ncov
  modified  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\1033\STSUCRES.DLL.id-D1B0B65D.[[email protected]].ncov
  modified  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\MinionPro-Regular.otf
  modified  C:\Program Files\Microsoft Office\root\Office16\1033\TelemetryDashboard.xltx
  modified  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\msql.xsl
  modified  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\th_get.svg.id-D1B0B65D.[[email protected]].ncov
  modified  C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\WideTile.scale-150.png
  modified  C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Retail-pl.xrm-ms.id-D1B0B65D.[[email protected]].ncov
  created   C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\fr-fr\ui-strings.js.id-D1B0B65D.[[email protected]].ncov
  modified  C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
  created   C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.Process.dll.id-D1B0B65D.[[email protected]].ncov
  modified  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\LAYERS\LAYERS.ELM.id-D1B0B65D.[[email protected]].ncov
  modified  C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\prefs_enclave_x64.dll
  modified  C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019XC2RVL_KMS_ClientC2R-ppd.xrm-ms
  modified  C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.contrast-black_targetsize-64_altform-unplated.png
  created   C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\s_checkbox_selected_18.svg.id-D1B0B65D.[[email protected]].ncov
  modified  C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-heap-l1-1-0.dll.id-D1B0B65D.[[email protected]].ncov
  modified  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\vccorlib140.dll
  modified  C:\Program Files\Windows Media Player\fr-FR\mpvis.dll.mui
  modified  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Private.DataContractSerialization.dll.id-D1B0B65D.[[email protected]].ncov
  modified  C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\AppPackageMedTile.scale-100_contrast-black.png
  created   C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.scale-80.png.id-D1B0B65D.[[email protected]].ncov
  modified  C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\PresentationFramework.resources.dll
  modified  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Office Setup Controller\Office.en-us\BRANDING.XML.id-D1B0B65D.[[email protected]].ncov
  modified  C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-64_altform-unplated_contrast-white.png
  created   C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe.id-D1B0B65D.[[email protected]].ncov
  modified  C:\Program Files\Java\jre-1.8\lib\ext\meta-index
  created   C:\Program Files\Microsoft Office\root\Integration\C2RManifest.onenotemui.msi.16.en-us.xml.id-D1B0B65D.[[email protected]].ncov
  created   C:\Program Files\Microsoft Office\root\Licenses16\c2rpridslicensefiles_auto.xml.id-D1B0B65D.[[email protected]].ncov
  created   C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_OEM_Perp-ppd.xrm-ms.id-D1B0B65D.[[email protected]].ncov
  modified  C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\System.Windows.Input.Manipulations.resources.dll.id-D1B0B65D.[[email protected]].ncov
  created   C:\Program Files\Microsoft Office\root\Licenses16\OneNoteVL_MAK-pl.xrm-ms.id-D1B0B65D.[[email protected]].ncov
  modified  C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\api-ms-win-crt-environment-l1-1-0.dll.id-D1B0B65D.[[email protected]].ncov
  created   C:\Program Files\VideoLAN\VLC\plugins\demux\libcaf_plugin.dll.id-D1B0B65D.[[email protected]].ncov
  created   C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Windows.dll.id-D1B0B65D.[[email protected]].ncov
  modified  C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\manifest.xml
  modified  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\root\ui-strings.js.id-D1B0B65D.[[email protected]].ncov
  modified  C:\Program Files\VideoLAN\VLC\plugins\codec\libschroedinger_plugin.dll.id-D1B0B65D.[[email protected]].ncov
  created   C:\Program Files\Microsoft Office\root\Licenses16\Standard2019VL_MAK_AE-ppd.xrm-ms.id-D1B0B65D.[[email protected]].ncov
  modified  C:\Program Files\VideoLAN\VLC\lua\intf\telnet.luac.id-D1B0B65D.[[email protected]].ncov
  modified  C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\QuickTime.mpp.id-D1B0B65D.[[email protected]].ncov
  modified  C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-crt-heap-l1-1-0.dll.id-D1B0B65D.[[email protected]].ncov
  modified  C:\Program Files\Microsoft Office\root\Licenses16\client-issuance-stil.xrm-ms.id-D1B0B65D.[[email protected]].ncov
  modified  C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\Locales\bg.pak.id-D1B0B65D.[[email protected]].ncov
  modified  C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\InModuleScope.Tests.ps1
  modified  C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-48_altform-unplated.png
  created   C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.Excel.DataWarehouse.dll.id-D1B0B65D.[[email protected]].ncov
  modified  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\HxA-Advanced-Dark.scale-200.png
  modified  C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp4-ul-oob.xrm-ms.id-D1B0B65D.[[email protected]].ncov
  modified  C:\Program Files\VideoLAN\VLC\plugins\video_splitter\libpanoramix_plugin.dll
  modified  C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\Microsoft.PackageManagement.ArchiverProviders.dll
  created   C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected].[[email protected]].ncov (icon filename also obscured in this copy)
  modified  C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-white\Doughboy.scale-125.png
  modified  C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\FileExtension.targetsize-256.png
  created   C:\Program Files\VideoLAN\VLC\locale\cy\LC_MESSAGES\vlc.mo.id-D1B0B65D.[[email protected]].ncov
  modified  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe.id-D1B0B65D.[[email protected]].ncov
  created   C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Design.dll.id-D1B0B65D.[[email protected]].ncov
  modified  C:\Program Files\Microsoft Office\root\rsod\powerpointmui.msi.16.en-us.boot.tree.dat.id-D1B0B65D.[[email protected]].ncov
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Consistent with this, the desktop.ini list above includes F:\$RECYCLE.BIN\..., so encryption reached a second volume, not only C:.
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (the same key in all 64 entries), by process:
  !WannaDecryptor!.exe: 58
  WannaCry.exe: 2
  taskkill.exe: 2
  cmd.exe: 1
  CoronaVirus.exe: 1
Caveat: this key is read during locale initialisation by practically every Windows process, which is why taskkill.exe and cmd.exe appear here too; on its own it is weak evidence of deliberate geolocation.
Interacts with shadow copies 3 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
vssadmin.exe: PIDs 15876, 30108. Both were launched through cmd.exe children of CoronaVirus.exe (PID 700), as the WriteProcessMemory records at the end show; the command lines are not reproduced in this report.

Kills process with taskkill 4 IoCs
taskkill.exe: PIDs 19100, 19108, 18004, 17988 (all children of WannaCry.exe, PID 17296)
Suspicious behavior: EnumeratesProcesses 64 IoCs
CoronaVirus.exe (PID 700): 64 identical entries
Suspicious use of AdjustPrivilegeToken 49 IoCs
vssvc.exe (30596): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
taskkill.exe (17988, 18004, 19108, 19100): SeDebugPrivilege, once per instance
WMIC.exe (20532), the following set enabled twice: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, and the privilege LUIDs 33, 34, 35, 36, which the report leaves unnamed
Caveat: WMIC.exe enables every privilege available to its token when it starts, so the WMIC rows reflect the tool rather than the sample; what matters is the WMI command it was given, which this report does not show. vssvc.exe is the Volume Shadow Copy service starting to serve the vssadmin.exe calls above, and taskkill.exe enables SeDebugPrivilege so it can open processes it does not own.
Suspicious use of SetWindowsHookEx 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1448)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://valkyrieofficial.vercel.app/
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4964)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=4020,i,5469445176230119590,7931734017267321834,262144 --variations-seed-version --mojo-platform-channel-handle=4392 /prefetch:1
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3348)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --field-trial-handle=4920,i,5469445176230119590,7931734017267321834,262144 --variations-seed-version --mojo-platform-channel-handle=4660 /prefetch:1
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2936)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --field-trial-handle=5352,i,5469445176230119590,7931734017267321834,262144 --variations-seed-version --mojo-platform-channel-handle=5400 /prefetch:1
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4400)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=5536,i,5469445176230119590,7931734017267321834,262144 --variations-seed-version --mojo-platform-channel-handle=5552 /prefetch:8
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 744)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --field-trial-handle=5556,i,5469445176230119590,7931734017267321834,262144 --variations-seed-version --mojo-platform-channel-handle=5628 /prefetch:8
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 520)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=6080,i,5469445176230119590,7931734017267321834,262144 --variations-seed-version --mojo-platform-channel-handle=6076 /prefetch:8
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 668)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --field-trial-handle=6072,i,5469445176230119590,7931734017267321834,262144 --variations-seed-version --mojo-platform-channel-handle=6060 /prefetch:1
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3520)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --field-trial-handle=3688,i,5469445176230119590,7931734017267321834,262144 --variations-seed-version --mojo-platform-channel-handle=4856 /prefetch:1
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2504)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --field-trial-handle=6536,i,5469445176230119590,7931734017267321834,262144 --variations-seed-version --mojo-platform-channel-handle=6552 /prefetch:1
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1336)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --field-trial-handle=6596,i,5469445176230119590,7931734017267321834,262144 --variations-seed-version --mojo-platform-channel-handle=6700 /prefetch:1
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3984)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=6436,i,5469445176230119590,7931734017267321834,262144 --variations-seed-version --mojo-platform-channel-handle=6040 /prefetch:8
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1848)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --field-trial-handle=6484,i,5469445176230119590,7931734017267321834,262144 --variations-seed-version --mojo-platform-channel-handle=6524 /prefetch:1
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4444)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --field-trial-handle=3996,i,5469445176230119590,7931734017267321834,262144 --variations-seed-version --mojo-platform-channel-handle=6568 /prefetch:1
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2512)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --field-trial-handle=6772,i,5469445176230119590,7931734017267321834,262144 --variations-seed-version --mojo-platform-channel-handle=6576 /prefetch:1
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2444)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --field-trial-handle=6428,i,5469445176230119590,7931734017267321834,262144 --variations-seed-version --mojo-platform-channel-handle=4376 /prefetch:8
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 336)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --field-trial-handle=6356,i,5469445176230119590,7931734017267321834,262144 --variations-seed-version --mojo-platform-channel-handle=5848 /prefetch:1
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1596)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --field-trial-handle=6724,i,5469445176230119590,7931734017267321834,262144 --variations-seed-version --mojo-platform-channel-handle=6720 /prefetch:1
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3924)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --field-trial-handle=7352,i,5469445176230119590,7931734017267321834,262144 --variations-seed-version --mojo-platform-channel-handle=7296 /prefetch:8
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4716)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --field-trial-handle=7360,i,5469445176230119590,7931734017267321834,262144 --variations-seed-version --mojo-platform-channel-handle=7368 /prefetch:1
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2628)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=7856,i,5469445176230119590,7931734017267321834,262144 --variations-seed-version --mojo-platform-channel-handle=7876 /prefetch:8
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3280)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --field-trial-handle=5564,i,5469445176230119590,7931734017267321834,262144 --variations-seed-version --mojo-platform-channel-handle=5736 /prefetch:8
- C:\Windows\System32\rundll32.exe (PID 1892)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- C:\Users\Admin\Downloads\CoronaVirus.exe (PID 700)
  Command line: "C:\Users\Admin\Downloads\CoronaVirus.exe"
  Signatures: Drops startup file; Adds Run key to start application; Drops desktop.ini file(s); Drops file in System32 directory; Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\cmd.exe (PID 3312)
    Command line: "C:\Windows\system32\cmd.exe"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\mode.com (PID 21596)
      Command line: mode con cp select=1251
    - C:\Windows\system32\vssadmin.exe (PID 30108)
      Command line: vssadmin delete shadows /all /quiet
      Signatures: Interacts with shadow copies
  - C:\Windows\system32\cmd.exe (PID 15616)
    Command line: "C:\Windows\system32\cmd.exe"
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\mode.com (PID 15952)
      Command line: mode con cp select=1251
    - C:\Windows\system32\vssadmin.exe (PID 15876)
      Command line: vssadmin delete shadows /all /quiet
      Signatures: Interacts with shadow copies
  - C:\Windows\System32\mshta.exe (PID 15804)
    Command line: "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
  - C:\Windows\System32\mshta.exe (PID 16024)
    Command line: "C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"
- C:\Users\Admin\Downloads\CoronaVirus.exe (PID 1960)
  Command line: "C:\Users\Admin\Downloads\CoronaVirus.exe"
  Signatures: System Location Discovery: System Language Discovery
- C:\Users\Admin\Downloads\CoronaVirus.exe (PID 21116)
  Command line: "C:\Users\Admin\Downloads\CoronaVirus.exe"
- C:\Windows\system32\vssvc.exe (PID 30596)
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 16552)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --field-trial-handle=6540,i,5469445176230119590,7931734017267321834,262144 --variations-seed-version --mojo-platform-channel-handle=6344 /prefetch:1
  Signatures: Checks computer location settings; Executes dropped EXE; Loads dropped DLL
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 16840)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --field-trial-handle=6048,i,5469445176230119590,7931734017267321834,262144 --variations-seed-version --mojo-platform-channel-handle=7980 /prefetch:8
  Signatures: Executes dropped EXE; Loads dropped DLL
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 11232)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --field-trial-handle=7884,i,5469445176230119590,7931734017267321834,262144 --variations-seed-version --mojo-platform-channel-handle=7940 /prefetch:8
  Signatures: Executes dropped EXE; Loads dropped DLL
- C:\Users\Admin\Downloads\WannaCry.exe (PID 17256)
  Command line: "C:\Users\Admin\Downloads\WannaCry.exe"
  Signatures: System Location Discovery: System Language Discovery
- C:\Users\Admin\Downloads\WannaCry.exe (PID 17296)
  Command line: "C:\Users\Admin\Downloads\WannaCry.exe"
  Signatures: Drops startup file; Adds Run key to start application; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 17352)
    Command line: C:\Windows\system32\cmd.exe /c 108831726589189.bat
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cscript.exe (PID 17636)
      Command line: cscript //nologo c.vbs
  - C:\Users\Admin\Downloads\!WannaDecryptor!.exe (PID 18076)
    Command line: !WannaDecryptor!.exe f
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
  - C:\Windows\SysWOW64\taskkill.exe (PID 17988)
    Command line: taskkill /f /im MSExchange*
    Signatures: System Location Discovery: System Language Discovery; Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\taskkill.exe (PID 18004)
    Command line: taskkill /f /im Microsoft.Exchange.*
    Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\taskkill.exe (PID 19108)
    Command line: taskkill /f /im sqlserver.exe
    Signatures: System Location Discovery: System Language Discovery; Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\taskkill.exe (PID 19100)
    Command line: taskkill /f /im sqlwriter.exe
    Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\Downloads\!WannaDecryptor!.exe (PID 20028)
    Command line: !WannaDecryptor!.exe c
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
  - C:\Windows\SysWOW64\cmd.exe (PID 20012)
    Command line: cmd.exe /c start /b !WannaDecryptor!.exe v
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Users\Admin\Downloads\!WannaDecryptor!.exe (PID 19908)
      Command line: !WannaDecryptor!.exe v
      Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cmd.exe (PID 20332)
        Command line: cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
        Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 20532)
          Command line: wmic shadowcopy delete
          Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\Downloads\!WannaDecryptor!.exe (PID 20188)
    Command line: !WannaDecryptor!.exe
    Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\Downloads\!WannaDecryptor!.exe (PID 20260)
    Command line: !WannaDecryptor!.exe
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\Downloads\!WannaDecryptor!.exe (PID 20620)
    Command line: !WannaDecryptor!.exe
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\Downloads\!WannaDecryptor!.exe (PID 20676)
    Command line: !WannaDecryptor!.exe
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\Downloads\!WannaDecryptor!.exe (PID 21040)
    Command line: !WannaDecryptor!.exe
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\Downloads\!WannaDecryptor!.exe (PID 17480)
    Command line: !WannaDecryptor!.exe
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\Downloads\!WannaDecryptor!.exe (PID 21344)
    Command line: !WannaDecryptor!.exe
    Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\Downloads\!WannaDecryptor!.exe (PID 21408)
    Command line: !WannaDecryptor!.exe
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\Downloads\!WannaDecryptor!.exe (PID 3680)
    Command line: !WannaDecryptor!.exe
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\Downloads\!WannaDecryptor!.exe (PID 5460)
    Command line: !WannaDecryptor!.exe
    Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\Downloads\!WannaDecryptor!.exe (PID 5556)
    Command line: !WannaDecryptor!.exe
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\Downloads\!WannaDecryptor!.exe (PID 4540)
    Command line: !WannaDecryptor!.exe
    Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\Downloads\!WannaDecryptor!.exe (PID 11424)
    Command line: !WannaDecryptor!.exe
    Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\Downloads\!WannaDecryptor!.exe (PID 15116)
    Command line: !WannaDecryptor!.exe
    Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\Downloads\!WannaDecryptor!.exe (PID 11488)
    Command line: !WannaDecryptor!.exe
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\Downloads\!WannaDecryptor!.exe (PID 2128)
    Command line: !WannaDecryptor!.exe
    Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\Downloads\!WannaDecryptor!.exe (PID 4708)
    Command line: !WannaDecryptor!.exe
    Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\Downloads\!WannaDecryptor!.exe (PID 3132)
    Command line: !WannaDecryptor!.exe
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\Downloads\!WannaDecryptor!.exe (PID 5216)
    Command line: !WannaDecryptor!.exe
    Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\Downloads\!WannaDecryptor!.exe (PID 5180)
    Command line: !WannaDecryptor!.exe
    Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\Downloads\!WannaDecryptor!.exe (PID 5388)
    Command line: !WannaDecryptor!.exe
    Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\Downloads\!WannaDecryptor!.exe (PID 5804)
    Command line: !WannaDecryptor!.exe
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\Downloads\!WannaDecryptor!.exe (PID 5876)
    Command line: !WannaDecryptor!.exe
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\Downloads\!WannaDecryptor!.exe (PID 5488)
    Command line: !WannaDecryptor!.exe
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\Downloads\!WannaDecryptor!.exe (PID 6084)
    Command line: !WannaDecryptor!.exe
    Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\Downloads\!WannaDecryptor!.exe (PID 6268)
    Command line: !WannaDecryptor!.exe
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\Downloads\!WannaDecryptor!.exe (PID 6380)
    Command line: !WannaDecryptor!.exe
    Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\Downloads\!WannaDecryptor!.exe (PID 7036)
    Command line: !WannaDecryptor!.exe
    Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\Downloads\!WannaDecryptor!.exe (PID 6872)
    Command line: !WannaDecryptor!.exe
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\Downloads\!WannaDecryptor!.exe (PID 7092)
    Command line: !WannaDecryptor!.exe
    Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\Downloads\!WannaDecryptor!.exe (PID 6736)
    Command line: !WannaDecryptor!.exe
    Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\Downloads\!WannaDecryptor!.exe (PID 6520)
    Command line: !WannaDecryptor!.exe
    Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\Downloads\!WannaDecryptor!.exe (PID 6760)
    Command line: !WannaDecryptor!.exe
    Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\Downloads\!WannaDecryptor!.exe (PID 7120)
    Command line: !WannaDecryptor!.exe
    Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\Downloads\!WannaDecryptor!.exe (PID 7292)
    Command line: !WannaDecryptor!.exe
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\Downloads\!WannaDecryptor!.exe (PID 7484)
    Command line: !WannaDecryptor!.exe
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\Downloads\!WannaDecryptor!.exe (PID 7596)
    Command line: !WannaDecryptor!.exe
    Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\Downloads\!WannaDecryptor!.exe (PID 7892)
    Command line: !WannaDecryptor!.exe
    Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\Downloads\!WannaDecryptor!.exe (PID 23800)
    Command line: !WannaDecryptor!.exe
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\Downloads\!WannaDecryptor!.exe (PID 23696)
    Command line: !WannaDecryptor!.exe
    Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\Downloads\!WannaDecryptor!.exe (PID 23648)
    Command line: !WannaDecryptor!.exe
    Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\Downloads\!WannaDecryptor!.exe (PID 23576)
    Command line: !WannaDecryptor!.exe
    Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\Downloads\!WannaDecryptor!.exe (PID 23496)
    Command line: !WannaDecryptor!.exe
    Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\Downloads\!WannaDecryptor!.exe (PID 23444)
    Command line: !WannaDecryptor!.exe
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\Downloads\!WannaDecryptor!.exe (PID 23404)
    Command line: !WannaDecryptor!.exe
    Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\Downloads\!WannaDecryptor!.exe (PID 23348)
    Command line: !WannaDecryptor!.exe
    Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\Downloads\!WannaDecryptor!.exe (PID 23164)
    Command line: !WannaDecryptor!.exe
    Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\Downloads\!WannaDecryptor!.exe (PID 23124)
    Command line: !WannaDecryptor!.exe
    Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\Downloads\!WannaDecryptor!.exe (PID 23088)
    Command line: !WannaDecryptor!.exe
    Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\Downloads\!WannaDecryptor!.exe (PID 23044)
    Command line: !WannaDecryptor!.exe
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\Downloads\!WannaDecryptor!.exe (PID 23008)
    Command line: !WannaDecryptor!.exe
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\Downloads\!WannaDecryptor!.exe (PID 22964)
    Command line: !WannaDecryptor!.exe
    Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\Downloads\!WannaDecryptor!.exe (PID 22908)
    Command line: !WannaDecryptor!.exe
    Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\Downloads\!WannaDecryptor!.exe (PID 23684)
    Command line: !WannaDecryptor!.exe
    Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\Downloads\!WannaDecryptor!.exe (PID 22760)
    Command line: !WannaDecryptor!.exe
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\Downloads\!WannaDecryptor!.exe (PID 22348)
    Command line: !WannaDecryptor!.exe
    Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\Downloads\!WannaDecryptor!.exe (PID 22288)
    Command line: !WannaDecryptor!.exe
  - C:\Users\Admin\Downloads\!WannaDecryptor!.exe (PID 22244)
    Command line: !WannaDecryptor!.exe
  - C:\Users\Admin\Downloads\!WannaDecryptor!.exe (PID 22200)
    Command line: !WannaDecryptor!.exe
    Signatures: System Location Discovery: System Language Discovery
  - C:\Users\Admin\Downloads\!WannaDecryptor!.exe (PID 21000)
    Command line: !WannaDecryptor!.exe
    Signatures: System Location Discovery: System Language Discovery
  - C:\Users\Admin\Downloads\!WannaDecryptor!.exe (PID 5188)
    Command line: !WannaDecryptor!.exe
  - C:\Users\Admin\Downloads\!WannaDecryptor!.exe (PID 5324)
    Command line: !WannaDecryptor!.exe
    Signatures: System Location Discovery: System Language Discovery
  - C:\Users\Admin\Downloads\!WannaDecryptor!.exe (PID 2980)
    Command line: !WannaDecryptor!.exe
  - C:\Users\Admin\Downloads\!WannaDecryptor!.exe (PID 924)
    Command line: !WannaDecryptor!.exe
    Signatures: System Location Discovery: System Language Discovery
  - C:\Users\Admin\Downloads\!WannaDecryptor!.exe (PID 7028)
    Command line: !WannaDecryptor!.exe
  - C:\Users\Admin\Downloads\!WannaDecryptor!.exe (PID 21492)
    Command line: !WannaDecryptor!.exe
    Signatures: System Location Discovery: System Language Discovery
  - C:\Users\Admin\Downloads\!WannaDecryptor!.exe (PID 5236)
    Command line: !WannaDecryptor!.exe
  - C:\Users\Admin\Downloads\!WannaDecryptor!.exe (PID 18548)
    Command line: !WannaDecryptor!.exe
    Signatures: System Location Discovery: System Language Discovery
  - C:\Users\Admin\Downloads\!WannaDecryptor!.exe (PID 18764)
    Command line: !WannaDecryptor!.exe
    Signatures: System Location Discovery: System Language Discovery
  - C:\Users\Admin\Downloads\!WannaDecryptor!.exe (PID 20288)
    Command line: !WannaDecryptor!.exe
  - C:\Users\Admin\Downloads\!WannaDecryptor!.exe (PID 8060)
    Command line: !WannaDecryptor!.exe
  - C:\Users\Admin\Downloads\!WannaDecryptor!.exe (PID 7668)
    Command line: !WannaDecryptor!.exe
  - C:\Users\Admin\Downloads\!WannaDecryptor!.exe (PID 18876)
    Command line: !WannaDecryptor!.exe
    Signatures: System Location Discovery: System Language Discovery
  - C:\Users\Admin\Downloads\!WannaDecryptor!.exe (PID 17616)
    Command line: !WannaDecryptor!.exe
    Signatures: System Location Discovery: System Language Discovery
  - C:\Users\Admin\Downloads\!WannaDecryptor!.exe (PID 17656)
    Command line: !WannaDecryptor!.exe
    Signatures: System Location Discovery: System Language Discovery
  - C:\Users\Admin\Downloads\!WannaDecryptor!.exe (PID 17700)
    Command line: !WannaDecryptor!.exe
    Signatures: System Location Discovery: System Language Discovery
  - C:\Users\Admin\Downloads\!WannaDecryptor!.exe (PID 7464)
    Command line: !WannaDecryptor!.exe
    Signatures: System Location Discovery: System Language Discovery
  - C:\Users\Admin\Downloads\!WannaDecryptor!.exe (PID 22444)
    Command line: !WannaDecryptor!.exe
    Signatures: System Location Discovery: System Language Discovery
  - C:\Users\Admin\Downloads\!WannaDecryptor!.exe (PID 22408)
    Command line: !WannaDecryptor!.exe
  - C:\Users\Admin\Downloads\!WannaDecryptor!.exe (PID 22312)
    Command line: !WannaDecryptor!.exe
    Signatures: System Location Discovery: System Language Discovery
  - C:\Users\Admin\Downloads\!WannaDecryptor!.exe (PID 22256)
    Command line: !WannaDecryptor!.exe
  - C:\Users\Admin\Downloads\!WannaDecryptor!.exe (PID 6684)
    Command line: !WannaDecryptor!.exe
  - C:\Users\Admin\Downloads\!WannaDecryptor!.exe (PID 22556)
    Command line: !WannaDecryptor!.exe
  - C:\Users\Admin\Downloads\!WannaDecryptor!.exe (PID 22628)
    Command line: !WannaDecryptor!.exe
  - C:\Users\Admin\Downloads\!WannaDecryptor!.exe (PID 22660)
    Command line: !WannaDecryptor!.exe
  - C:\Users\Admin\Downloads\!WannaDecryptor!.exe (PID 22716)
    Command line: !WannaDecryptor!.exe
    Signatures: System Location Discovery: System Language Discovery
  - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    Command line: !WannaDecryptor!.exe
- System Location Discovery: System Language Discovery
PID:22740
-
-
C:\Users\Admin\Downloads\!WannaDecryptor!.exe!WannaDecryptor!.exe2⤵
- System Location Discovery: System Language Discovery
PID:22804
-
-
C:\Users\Admin\Downloads\!WannaDecryptor!.exe!WannaDecryptor!.exe2⤵
- System Location Discovery: System Language Discovery
PID:22968
-
-
C:\Users\Admin\Downloads\!WannaDecryptor!.exe!WannaDecryptor!.exe2⤵
- System Location Discovery: System Language Discovery
PID:22904
-
-
C:\Users\Admin\Downloads\!WannaDecryptor!.exe!WannaDecryptor!.exe2⤵PID:22872
-
-
C:\Users\Admin\Downloads\!WannaDecryptor!.exe!WannaDecryptor!.exe2⤵PID:22836
-
-
C:\Users\Admin\Downloads\!WannaDecryptor!.exe!WannaDecryptor!.exe2⤵
- System Location Discovery: System Language Discovery
PID:21088
-
-
C:\Users\Admin\Downloads\!WannaDecryptor!.exe!WannaDecryptor!.exe2⤵
- System Location Discovery: System Language Discovery
PID:21236
-
-
C:\Users\Admin\Downloads\!WannaDecryptor!.exe!WannaDecryptor!.exe2⤵PID:21356
-
-
C:\Users\Admin\Downloads\!WannaDecryptor!.exe!WannaDecryptor!.exe2⤵PID:21400
-
-
C:\Users\Admin\Downloads\!WannaDecryptor!.exe!WannaDecryptor!.exe2⤵
- System Location Discovery: System Language Discovery
PID:5432
-
-
C:\Users\Admin\Downloads\!WannaDecryptor!.exe!WannaDecryptor!.exe2⤵
- System Location Discovery: System Language Discovery
PID:11548
-
-
C:\Users\Admin\Downloads\!WannaDecryptor!.exe!WannaDecryptor!.exe2⤵PID:15080
-
-
C:\Users\Admin\Downloads\!WannaDecryptor!.exe!WannaDecryptor!.exe2⤵PID:2496
-
-
C:\Users\Admin\Downloads\!WannaDecryptor!.exe!WannaDecryptor!.exe2⤵
- System Location Discovery: System Language Discovery
PID:6480
-
-
C:\Users\Admin\Downloads\!WannaDecryptor!.exe!WannaDecryptor!.exe2⤵PID:15164
-
-
C:\Users\Admin\Downloads\!WannaDecryptor!.exe!WannaDecryptor!.exe2⤵PID:5604
-
-
C:\Users\Admin\Downloads\!WannaDecryptor!.exe!WannaDecryptor!.exe2⤵PID:5540
-
-
C:\Users\Admin\Downloads\!WannaDecryptor!.exe!WannaDecryptor!.exe2⤵
- System Location Discovery: System Language Discovery
PID:5912
-
-
C:\Users\Admin\Downloads\!WannaDecryptor!.exe!WannaDecryptor!.exe2⤵PID:6028
-
-
C:\Users\Admin\Downloads\!WannaDecryptor!.exe!WannaDecryptor!.exe2⤵
- System Location Discovery: System Language Discovery
PID:6088
-
-
C:\Users\Admin\Downloads\!WannaDecryptor!.exe!WannaDecryptor!.exe2⤵
- System Location Discovery: System Language Discovery
PID:6300
-
-
C:\Users\Admin\Downloads\!WannaDecryptor!.exe!WannaDecryptor!.exe2⤵PID:6372
-
-
C:\Users\Admin\Downloads\!WannaDecryptor!.exe!WannaDecryptor!.exe2⤵PID:6848
-
-
C:\Users\Admin\Downloads\!WannaDecryptor!.exe!WannaDecryptor!.exe2⤵PID:7136
-
-
C:\Users\Admin\Downloads\!WannaDecryptor!.exe!WannaDecryptor!.exe2⤵PID:6792
-
-
C:\Users\Admin\Downloads\!WannaDecryptor!.exe!WannaDecryptor!.exe2⤵PID:7076
-
-
C:\Users\Admin\Downloads\!WannaDecryptor!.exe!WannaDecryptor!.exe2⤵
- System Location Discovery: System Language Discovery
PID:7212
-
-
C:\Users\Admin\Downloads\!WannaDecryptor!.exe!WannaDecryptor!.exe2⤵
- System Location Discovery: System Language Discovery
PID:7408
-
-
C:\Users\Admin\Downloads\!WannaDecryptor!.exe!WannaDecryptor!.exe2⤵
- System Location Discovery: System Language Discovery
PID:7524
-
-
C:\Users\Admin\Downloads\!WannaDecryptor!.exe!WannaDecryptor!.exe2⤵
- System Location Discovery: System Language Discovery
PID:8012
-
-
C:\Users\Admin\Downloads\!WannaDecryptor!.exe!WannaDecryptor!.exe2⤵PID:7636
-
-
C:\Users\Admin\Downloads\!WannaDecryptor!.exe!WannaDecryptor!.exe2⤵
- System Location Discovery: System Language Discovery
PID:23580
-
-
C:\Users\Admin\Downloads\!WannaDecryptor!.exe!WannaDecryptor!.exe2⤵PID:23688
-
-
C:\Users\Admin\Downloads\!WannaDecryptor!.exe!WannaDecryptor!.exe2⤵PID:23544
-
-
C:\Users\Admin\Downloads\!WannaDecryptor!.exe!WannaDecryptor!.exe2⤵
- System Location Discovery: System Language Discovery
PID:23512
-
-
C:\Users\Admin\Downloads\!WannaDecryptor!.exe"C:\Users\Admin\Downloads\!WannaDecryptor!.exe"1⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious use of SetWindowsHookEx
PID:20132
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=6040,i,5469445176230119590,7931734017267321834,262144 --variations-seed-version --mojo-platform-channel-handle=5968 /prefetch:81⤵
- Executes dropped EXE
- Loads dropped DLL
PID:23260
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Defense Evasion
  Direct Volume Access (1)
  Indicator Removal (2)
    File Deletion (2)
  Modify Registry (2)
Credential Access
  Credentials from Password Stores (2)
    Credentials from Web Browsers (1)
    Windows Credential Manager (1)
Downloads
- Filesize: 2.7MB
  MD5: 20599c926a3041486652fb79a23911f5
  SHA1: 755b2f00bf816a71cf7342b026ff7b131780307d
  SHA256: a9bd3b51c718e3211fe505017e148729b592e79b87e6561750a67e484663520c
  SHA512: c41cabbc72a036416e505404ef9dc9bd8c2d1b0b200d4d835142d2339584352526ae4761b233cfc73d3564b4a63af7029a93a73849e6ecb13e3606725403c679
- Filesize: 3.7MB
  MD5: 307b7b81bf6090cebec587432c0c6e32
  SHA1: 070cc2dd11e5a2c161b459e1ac79c5c87b6116ee
  SHA256: 097f9e543480fadd1cd285d9f1a939924d91c08226915bce4284d27af1d13c89
  SHA512: 78071fb50ec72fdd89da0df2e3e26f7e1d6624a8f48195bb5795dfd773ba47c568dad410c428fe28b60b9994957ce8feccc13f2d4b339ca13e104536f286295e
- Filesize: 3.6MB
  MD5: 3640aac842e24c750d5a3fc4b5681b64
  SHA1: b5daa0e1faeb7836b4d988186ee3e2188699552a
  SHA256: 0d5bb995aa25eb3efcc1bd548e54b959ef96469cbea1e4e77b042d972ca347fe
  SHA512: e019302bf0dd0137a162f2dfa2fc230cf5f5e65dea3d030a1199626ae34d537e260db2defb9c465dc84389013267fd33749de4b0f1ac9e1520a8e2702fc04c34
- C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll.id-D1B0B65D.[[email protected]].ncov
  Filesize: 2.7MB
  MD5: 258bfcebdda9fd40b26a3af73d3715bc
  SHA1: cd4dbe9e3b6a4a66babb05b41c8b472e2bbb3d46
  SHA256: 6c2b6883655cd219dccc29b3ea8dc3b9d7910907664aa5fda5d11ea341931b24
  SHA512: bd284d9270a994b36405f60832074a4a771e618e4f16b903ab8b230396c4a816e7d61027693e1cd5d1811ce5fb8e876b0cadf575422d219c267a6848f20cdc21
- Filesize: 13KB
  MD5: 6b26dbfee2b0b69a5c2d0ceed62a48e6
  SHA1: 7645c7f57f3c1183a8f269d44732d1ffe3dbfa6f
  SHA256: e9e0907670a172c8e5d10045b129c3d551542b9cb034cec58f65bae47a9873fa
  SHA512: aa2b058b9198e747007855c656c8aa0a3e3b563d0b867027354ed124930964792b25dcddea8f7b44d11a6cdc414c069ac671b55c534ac91a7bd399aaab0fefab
- Filesize: 170B
  MD5: dd49f58752b6d256c44cde97a28fae55
  SHA1: 4471c86a029d67d52ab342a94ca01b6274893a5b
  SHA256: a091250a7d9805a80a8fcdabd03dc11cc900b008d4bf8947e75626a51c9e038d
  SHA512: 296a777244a5bdf91b19ceac5bdb6bdf6fd3725cea2590abd005974a6dff8684b95f153a2d8c47f1fc47ed4018e55812b558998ee702a8c1012e160697f3a4d6
- Filesize: 797B
  MD5: afa18cf4aa2660392111763fb93a8c3d
  SHA1: c219a3654a5f41ce535a09f2a188a464c3f5baf5
  SHA256: 227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0
  SHA512: 4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b
- Filesize: 590B
  MD5: d8a14217b4610bc61138b3d4ca3aef3a
  SHA1: 4f7e960194a80851ae25a87dfca69495ef1bb77c
  SHA256: 5199c85fc7da094aa93e88be1308f402d6d0a0f66be41831c8a616896e775f4e
  SHA512: 16a0d3340d2bdfc5e01d7328b098660c3cae99e2b1dda6310bd1e3f41169bdc1d73a69831b3958bd259c2c31932ed5d022478abee807ab4afeb25593a49d9993
- Filesize: 1KB
  MD5: 3ce35c2a951a960c7c68a385e96790e6
  SHA1: 15a5ea9c235a5d5ea589f23c0a688fdd23f4187f
  SHA256: bcb7630c6d31028039bad9a01dc77b7547bc93f05cfe65f42d465d34c1d5d07c
  SHA512: 5297bd234efa0279517ecf91a6150b637bbc75366a07b510d79a34b50b0cfc8b289425747b227bc63dcc6ee9b7030bdf3f3e84f7321c995f63189edd837ecac2
- Filesize: 136B
  MD5: 5a885cb0c12d362b92ad4e058a49e8c2
  SHA1: 2678046d6e970af08e56e7a4b5759b8235a36d9c
  SHA256: b1f42ceaab2aa8842eae513409c2d9dde7280a70da355ad46e97c3852c3fbbe8
  SHA512: 6f22ea8ba5a67700de7b4a37f48b1d1e1ec81ddc56c620d36768e59f5b49e2c66bfc0d16f8534694dc0bfd9400cabcf197ed3c91e4bb0015bd7f842a6ec3ce03
- Filesize: 136B
  MD5: 9955e48c767fd1cab2abc18848663df3
  SHA1: 01cce879b21d361b6e06ad5b218cdfe8b4923f0c
  SHA256: e51580b11f5e2c8e3fcec649de2cd4019dfa8fd67b3c8ff141d057391d774fc1
  SHA512: 535d28d813dbee9253d3de7fad864af1b3929f2d9d990a4058621b0837ef485bf7f5e64751d19ae28a1d2e192d0bdcc70f660b057d9781cf99f24f844568e1f1
- Filesize: 136B
  MD5: cb2f38bd148edef65328b4460a8e4773
  SHA1: f4faccb820d46d48244043bbb6c702db80526d84
  SHA256: 237a43b5f5c15375e9590878e199ae7f8fa7fa32455d275969803f01d1c13491
  SHA512: 387165ac40c275c21ce6fd099711fc8936151d52f3ff78c570b54fbce3d1078ee29bc5e23417cdb9cc86986fb8864e28ca66b8e17304fac0f3fbe58778836751
- Filesize: 318B
  MD5: a261428b490a45438c0d55781a9c6e75
  SHA1: e9eefce11cefcbb7e5168bfb8de8a3c3ac45c41e
  SHA256: 4288d655b7de7537d7ea13fdeb1ba19760bcaf04384cd68619d9e5edb5e31f44
  SHA512: 304887938520ffcc6966da83596ccc8688b7eace9572982c224f3fb9c59e6fb2dcaa021a19d2aae47346e954c0d0d8145c723b7143dece11ac7261dc41ba3d40
- Filesize: 201B
  MD5: 02b937ceef5da308c5689fcdb3fb12e9
  SHA1: fa5490ea513c1b0ee01038c18cb641a51f459507
  SHA256: 5d57b86aeb52be824875008a6444daf919717408ec45aff4640b5e64610666f1
  SHA512: 843eeae13ac5fdc216b14e40534543c283ecb2b6c31503aba2d25ddd215df19105892e43cf618848742de9c13687d21e8c834eff3f2b69a26df2509a6f992653
- Filesize: 628B
  MD5: 663e55df21852bc8870b86bc38e58262
  SHA1: 1c691bf030ecfce78a9476fbdef3afe61724e6a9
  SHA256: bf22e8e18db1638673f47591a13d18ee58d8c6019314bab5a90be82ae3dc9538
  SHA512: 6a54be1fa549633a2fd888c559207437b8f6efda98bb18d491c8749f39e9754f1e680fa8e2d623777b5f665b2c04d19385c75ce4e61fb251db16018963a9a6f9
- Filesize: 628B
  MD5: 7addf97f09d7183f96e7f84e0789cfcd
  SHA1: 290229620b2aa3db26a835e372bc6c7826b13b08
  SHA256: 42e06cb0f265f88b09dc7096f7cfb69e09d55cf481e3f4d02a8ed9edca3cf5dc
  SHA512: 961345d860cd9084cf5ab05f40496ea62925c216a60f5be5763baa93b6ba51ff91563e0b23906f1a2c5bc0e2bda87c360992de427374e07929ddcf5e00ad9c22
- Filesize: 42KB
  MD5: 980b08bac152aff3f9b0136b616affa5
  SHA1: 2a9c9601ea038f790cc29379c79407356a3d25a3
  SHA256: 402046ada270528c9ac38bbfa0152836fe30fb8e12192354e53b8397421430d9
  SHA512: 100cda1f795781042b012498afd783fd6ff03b0068dbd07b2c2e163cd95e6c6e00755ce16b02b017693c9febc149ed02df9df9b607e2b9cca4b07e5bd420f496
- Filesize: 729B
  MD5: 880e6a619106b3def7e1255f67cb8099
  SHA1: 8b3a90b2103a92d9facbfb1f64cb0841d97b4de7
  SHA256: c9e9dc06f500ae39bfeb4671233cc97bb6dab58d97bb94aba4a2e0e509418d35
  SHA512: c35ca30e0131ae4ee3429610ce4914a36b681d2c406f67816f725aa336969c2996347268cb3d19c22abaa4e2740ae86f4210b872610a38b4fa09ee80fcf36243
- Filesize: 68KB
  MD5: 5557ee73699322602d9ae8294e64ce10
  SHA1: 1759643cf8bfd0fb8447fd31c5b616397c27be96
  SHA256: a7dd727b4e0707026186fcab24ff922da50368e1a4825350bd9c4828c739a825
  SHA512: 77740de21603fe5dbb0d9971e18ec438a9df7aaa5cea6bd6ef5410e0ab38a06ce77fbaeb8fc68e0177323e6f21d0cee9410e21b7e77e8d60cc17f7d93fdb3d5e
- Filesize: 236KB
  MD5: cf1416074cd7791ab80a18f9e7e219d9
  SHA1: 276d2ec82c518d887a8a3608e51c56fa28716ded
  SHA256: 78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df
  SHA512: 0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5
- Filesize: 170B
  MD5: 307c9ad44ae614c25efa460f583d5a7e
  SHA1: 758ec7cc15351db1273a5223d1113e45e56b6893
  SHA256: 6123dc79eba7b25037ebfed986e09faa94982992a3aa10ccdf49bff9be9b34f8
  SHA512: 5ba6359626223209d69cda69884bb485648ca1859717020bf33ebc83ec1fa47606cdd06bb73a7838aed6f27fc78400372e22b119e5ee558380e480dcabc435c4
- Filesize: 170B
  MD5: 21539971cae3b6278ce678b16b3f2643
  SHA1: f4357280ca6838b0b62e610c6ffc24d1ab615e37
  SHA256: b386715edcdb5fbb762f2308d588c5a67bfe65745105b87228596885e4715045
  SHA512: 43f07a7df1bf14f76f60424219f00c051f4097f222f3b453cd208449f30e4915745300ad89f45a738bd828c7691fe97c0a16fa58115057d4ccf0e1784b46a7db