Analysis
-
max time kernel
332s -
max time network
335s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
28-09-2024 04:12
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://bazaar.abuse.ch/sample/6e4030c0c65c90c8e020030b6214a9bc2905be19e9d644d658f027064f067460/
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
https://bazaar.abuse.ch/sample/6e4030c0c65c90c8e020030b6214a9bc2905be19e9d644d658f027064f067460/
Resource
win10v2004-20240802-en
Errors
General
-
Target
https://bazaar.abuse.ch/sample/6e4030c0c65c90c8e020030b6214a9bc2905be19e9d644d658f027064f067460/
Malware Config
Signatures
-
BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
-
CryptoLocker
Ransomware family with multiple variants.
-
Dharma
Dharma is a ransomware that uses security software installation to hide malicious activities.
-
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (518) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
mimikatz is an open source tool to dump credentials on Windows 1 IoCs
resource yara_rule behavioral2/files/0x0005000000000709-1057.dat mimikatz -
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 6 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation msedge.exe Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation msedge.exe Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation msedge.exe Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation msedge.exe Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation CoronaVirus.exe Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation msedge.exe -
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
-
Drops startup file 6 IoCs
description ioc Process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-302D5359.[[email protected]].ncov CoronaVirus.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta CoronaVirus.exe File opened for modification \??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\info.hta taskmgr.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CoronaVirus.exe CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini CoronaVirus.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.id-302D5359.[[email protected]].ncov CoronaVirus.exe -
Executes dropped EXE 32 IoCs
pid Process 4436 BadRabbit.exe 3860 BD.tmp 4644 BadRabbit.exe 1524 BadRabbit.exe 4532 BadRabbit.exe 4424 BadRabbit.exe 1872 BadRabbit.exe 3352 BadRabbit.exe 3964 BadRabbit.exe 3376 BadRabbit.exe 3128 CoronaVirus.exe 3204 CoronaVirus.exe 2704 CoronaVirus.exe 5024 CoronaVirus.exe 3988 CoronaVirus.exe 4344 CoronaVirus.exe 3700 CoronaVirus.exe 20552 CryptoLocker.exe 20764 {34184A33-0407-212E-3320-09040709E2C2}.exe 21008 {34184A33-0407-212E-3320-09040709E2C2}.exe 11608 msedge.exe 14508 msedge.exe 16808 msedge.exe 16668 msedge.exe 21172 {34184A33-0407-212E-3320-09040709E2C2}.exe 21112 {34184A33-0407-212E-3320-09040709E2C2}.exe 20872 {34184A33-0407-212E-3320-09040709E2C2}.exe 18260 msedge.exe 18080 msedge.exe 17872 msedge.exe 5572 PowerPoint.exe 5416 sys3.exe -
Loads dropped DLL 16 IoCs
pid Process 2012 rundll32.exe 4788 rundll32.exe 3944 rundll32.exe 2704 rundll32.exe 4352 rundll32.exe 3872 rundll32.exe 804 rundll32.exe 3944 rundll32.exe 1384 rundll32.exe 11608 msedge.exe 14508 msedge.exe 16808 msedge.exe 16668 msedge.exe 18260 msedge.exe 18080 msedge.exe 17872 msedge.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CoronaVirus.exe = "C:\\Windows\\System32\\CoronaVirus.exe" CoronaVirus.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Windows\System32\Info.hta = "mshta.exe \"C:\\Windows\\System32\\Info.hta\"" CoronaVirus.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\Info.hta = "mshta.exe \"C:\\Users\\Admin\\AppData\\Roaming\\Info.hta\"" CoronaVirus.exe Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CryptoLocker = "C:\\Users\\Admin\\AppData\\Roaming\\{34184A33-0407-212E-3320-09040709E2C2}.exe" {34184A33-0407-212E-3320-09040709E2C2}.exe -
Drops desktop.ini file(s) 64 IoCs
description ioc Process File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini CoronaVirus.exe File opened for modification C:\Users\Public\Music\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini CoronaVirus.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Links\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Public\Desktop\desktop.ini CoronaVirus.exe File opened for modification C:\Program Files (x86)\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\OneDrive\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Public\Downloads\desktop.ini CoronaVirus.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini CoronaVirus.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\3D Objects\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Saved Games\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Public\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Public\Libraries\desktop.ini CoronaVirus.exe File opened for modification C:\Program Files\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini CoronaVirus.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini CoronaVirus.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Contacts\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Public\Videos\desktop.ini CoronaVirus.exe File opened for modification C:\$Recycle.Bin\S-1-5-21-656926755-4116854191-210765258-1000\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Desktop\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Documents\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini CoronaVirus.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini CoronaVirus.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Public\Pictures\desktop.ini CoronaVirus.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Downloads\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Favorites\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Public\Documents\desktop.ini CoronaVirus.exe File opened for modification F:\$RECYCLE.BIN\S-1-5-21-656926755-4116854191-210765258-1000\desktop.ini CoronaVirus.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\Music\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini CoronaVirus.exe File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini CoronaVirus.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini CoronaVirus.exe File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini LogonUI.exe File opened for modification C:\Users\Admin\Videos\desktop.ini CoronaVirus.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 154 raw.githubusercontent.com 155 raw.githubusercontent.com -
Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PHYSICALDRIVE0 PowerPoint.exe File opened for modification \??\PHYSICALDRIVE0 sys3.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File created C:\Windows\System32\CoronaVirus.exe CoronaVirus.exe File created C:\Windows\System32\Info.hta CoronaVirus.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Common Files\System\ado\msadox28.tlb CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\MusicStoreLogo.scale-125_contrast-black.png CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\MixedRealityPortalAppList.targetsize-60_altform-unplated.png CoronaVirus.exe File created C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-process-l1-1-0.dll.id-302D5359.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\orbd.exe CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\LibrarySquare150x150Logo.scale-125_contrast-white.png CoronaVirus.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\en-ae\ui-strings.js.id-302D5359.[[email protected]].ncov CoronaVirus.exe File created C:\Program Files\Microsoft Office\root\Office16\MSOCR.DLL.id-302D5359.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\officeappguardwin32.exe.id-302D5359.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\Bibliography\Style\GB.XSL CoronaVirus.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.ComponentModel.EventBasedAsync.dll.id-302D5359.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\BadgeLogo.scale-200.png CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\visicon.exe.id-302D5359.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteNewNoteWideTile.scale-100.png CoronaVirus.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.th-th.dll.id-302D5359.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_Subscription4-pl.xrm-ms CoronaVirus.exe File created C:\Program Files\Microsoft Office\root\Office16\MSOSYNC.EXE.id-302D5359.[[email protected]].ncov CoronaVirus.exe File created C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_flac_plugin.dll.id-302D5359.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_x64__8wekyb3d8bbwe\KnownGameListRS3.bin CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\AppIcon.targetsize-64_altform-unplated_contrast-white.png CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_KMS_Client_AE-ul-oob.xrm-ms CoronaVirus.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\da-dk\ui-strings.js.id-302D5359.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\fa-IR\View3d\3DViewerProductDescription-universal.xml CoronaVirus.exe File opened for modification C:\Program Files\Java\jre-1.8\lib\sound.properties CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLENDS\BLENDS.INF CoronaVirus.exe File opened for modification C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\fr-FR\MSFT_PackageManagementSource.schema.mfl.id-302D5359.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\Windows NT\TableTextService\TableTextServiceArray.txt CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\OneNoteR_OEM_Perp-ul-oob.xrm-ms.id-302D5359.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ICE\ICE.INF.id-302D5359.[[email protected]].ncov CoronaVirus.exe File created C:\Program Files\VideoLAN\VLC\plugins\codec\libtwolame_plugin.dll.id-302D5359.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\System.Reflection.Emit.Lightweight.dll CoronaVirus.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\next-arrow-disabled.svg.id-302D5359.[[email protected]].ncov CoronaVirus.exe File created C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Grace-ul-oob.xrm-ms.id-302D5359.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_Grace-ppd.xrm-ms.id-302D5359.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\people\kennethMarchand.png CoronaVirus.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\sk-sk\ui-strings.js.id-302D5359.[[email protected]].ncov CoronaVirus.exe File created C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp3-ppd.xrm-ms.id-302D5359.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\Identity-V CoronaVirus.exe File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\java.settings.cfg CoronaVirus.exe File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.Build.Engine.dll CoronaVirus.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\api-ms-win-crt-process-l1-1-0.dll CoronaVirus.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.WebSockets.dll.id-302D5359.[[email protected]].ncov CoronaVirus.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Reflection.Emit.dll.id-302D5359.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\it-IT\MSFT_PackageManagement.strings.psd1.id-302D5359.[[email protected]].ncov CoronaVirus.exe File created C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL096.XML.id-302D5359.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\12.jpg CoronaVirus.exe File created C:\Program Files\VideoLAN\VLC\locale\gu\LC_MESSAGES\vlc.mo.id-302D5359.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskmenu\oskmenubase.xml CoronaVirus.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Tasks.Dataflow.dll.id-302D5359.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-16_contrast-black.png CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\contrast-black\HxMailSplashLogo.scale-200.png CoronaVirus.exe File opened for modification C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-20_contrast-white.png CoronaVirus.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.371\goopdateres_es-419.dll CoronaVirus.exe File opened for modification C:\Program Files\7-Zip\Lang\af.txt.id-302D5359.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\Java\jre-1.8\bin\server\Xusage.txt.id-302D5359.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.WebProxy.dll.id-302D5359.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Private.Uri.dll.id-302D5359.[[email protected]].ncov CoronaVirus.exe File created C:\Program Files\Microsoft Office\root\Office16\1033\WORD_WHATSNEW.XML.id-302D5359.[[email protected]].ncov CoronaVirus.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\Microsoft.VisualBasic.Forms.resources.dll.id-302D5359.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\UIAutomationProvider.resources.dll.id-302D5359.[[email protected]].ncov CoronaVirus.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\move.svg CoronaVirus.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\zh-cn\ui-strings.js CoronaVirus.exe File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentVNextR_Grace-ul-oob.xrm-ms CoronaVirus.exe -
Drops file in Windows directory 21 IoCs
description ioc Process File opened for modification C:\Windows\BD.tmp rundll32.exe File opened for modification C:\Windows\infpub.dat rundll32.exe File created C:\Windows\infpub.dat BadRabbit.exe File opened for modification C:\Windows\infpub.dat rundll32.exe File created C:\Windows\infpub.dat BadRabbit.exe File created C:\Windows\infpub.dat BadRabbit.exe File created C:\Windows\infpub.dat BadRabbit.exe File opened for modification C:\Windows\infpub.dat rundll32.exe File created C:\Windows\cscc.dat rundll32.exe File created C:\Windows\infpub.dat BadRabbit.exe File opened for modification C:\Windows\infpub.dat rundll32.exe File created C:\Windows\infpub.dat BadRabbit.exe File opened for modification C:\Windows\infpub.dat rundll32.exe File opened for modification C:\Windows\infpub.dat rundll32.exe File created C:\Windows\infpub.dat BadRabbit.exe File opened for modification C:\Windows\infpub.dat rundll32.exe File created C:\Windows\dispci.exe rundll32.exe File created C:\Windows\infpub.dat BadRabbit.exe File created C:\Windows\infpub.dat BadRabbit.exe File opened for modification C:\Windows\infpub.dat rundll32.exe File opened for modification C:\Windows\infpub.dat rundll32.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 42 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language BadRabbit.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language BadRabbit.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CoronaVirus.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CoronaVirus.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language {34184A33-0407-212E-3320-09040709E2C2}.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language BadRabbit.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language BadRabbit.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CoronaVirus.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CoronaVirus.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language {34184A33-0407-212E-3320-09040709E2C2}.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CoronaVirus.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CryptoLocker.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language BadRabbit.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mshta.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language sys3.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PowerPoint.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language BadRabbit.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language BadRabbit.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CoronaVirus.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language {34184A33-0407-212E-3320-09040709E2C2}.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language {34184A33-0407-212E-3320-09040709E2C2}.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CoronaVirus.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language {34184A33-0407-212E-3320-09040709E2C2}.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language BadRabbit.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language BadRabbit.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Interacts with shadow copies 3 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 16876 vssadmin.exe 20592 vssadmin.exe -
Modifies data under HKEY_USERS 52 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31} LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{848480a2-0000-0000-0000-d01200000000}\NukeOnDelete = "0" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\en-US LogonUI.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\Language\00000000 = "00000409" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\TIP LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" LogonUI.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\TelemetrySalt = "3" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume LogonUI.exe Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\CTF\SORTORDER\LANGUAGE LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\ShowCasing = "1" LogonUI.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409 LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent LogonUI.exe Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\CTF\SORTORDER\ASSEMBLYITEM\0X00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31} LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409 LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\Language LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\ShowShiftLock = "1" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\en-US\0409:00000409 = "1" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000\KeyboardLayout = "67699721" LogonUI.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000\Profile = "{00000000-0000-0000-0000-000000000000}" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "184" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{848480a2-0000-0000-0000-d01200000000} LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{848480a2-0000-0000-0000-d01200000000}\MaxCapacity = "14116" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" LogonUI.exe Set value (data) \REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\Languages = 65006e002d005500530000000000 LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\HiddenDummyLayouts LogonUI.exe Set value (str) \REGISTRY\USER\.DEFAULT\Keyboard Layout\Preload\1 = "00000409" LogonUI.exe Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\en-US\CachedLanguageName = "@Winlangdb.dll,-1121" LogonUI.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000\CLSID = "{00000000-0000-0000-0000-000000000000}" LogonUI.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31} LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" LogonUI.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\system32\shell32.dll,-50176 = "File Operation" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Keyboard Layout\Substitutes LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000 LogonUI.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000 LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached LogonUI.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{40DD6E20-7C17-11CE-A804-00AA003CA9F6} {000214FC-0000-0000-C000-000000000046} 0xFFFF = 01000000000000009af7746c5d11db01 LogonUI.exe Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\CTF\SORTORDER\ASSEMBLYITEM\0X00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000 LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Keyboard Layout\Preload LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" LogonUI.exe -
Modifies registry class 3 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-656926755-4116854191-210765258-1000\{B650735F-9EAE-40A4-A64D-DBAEC93F55E1} msedge.exe Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings msedge.exe Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings taskmgr.exe -
NTFS ADS 7 IoCs
description ioc Process File opened for modification C:\Users\Admin\Downloads\Unconfirmed 576048.crdownload:SmartScreen msedge.exe File opened for modification C:\Users\Admin\Downloads\Unconfirmed 616920.crdownload:SmartScreen msedge.exe File created C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe\:SmartScreen:$DATA CryptoLocker.exe File opened for modification C:\Users\Admin\Downloads\Unconfirmed 641726.crdownload:SmartScreen msedge.exe File created C:\Users\Admin\AppData\Local\Temp\sys3.exe\:SmartScreen:$DATA PowerPoint.exe File opened for modification C:\Users\Admin\Downloads\Unconfirmed 163272.crdownload:SmartScreen msedge.exe File opened for modification C:\Users\Admin\Downloads\Unconfirmed 357584.crdownload:SmartScreen msedge.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4744 schtasks.exe 2124 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4556 msedge.exe 4556 msedge.exe 3184 msedge.exe 3184 msedge.exe 1000 identity_helper.exe 1000 identity_helper.exe 4208 msedge.exe 4208 msedge.exe 4432 msedge.exe 4432 msedge.exe 4432 msedge.exe 4432 msedge.exe 2620 msedge.exe 2620 msedge.exe 2012 rundll32.exe 2012 rundll32.exe 2012 rundll32.exe 2012 rundll32.exe 3860 BD.tmp 3860 BD.tmp 3860 BD.tmp 3860 BD.tmp 3860 BD.tmp 3860 BD.tmp 3860 BD.tmp 4788 rundll32.exe 4788 rundll32.exe 3944 rundll32.exe 3944 rundll32.exe 2704 rundll32.exe 2704 rundll32.exe 4352 rundll32.exe 4352 rundll32.exe 3872 rundll32.exe 3872 rundll32.exe 804 rundll32.exe 804 rundll32.exe 3944 rundll32.exe 3944 rundll32.exe 1384 rundll32.exe 1384 rundll32.exe 2612 msedge.exe 2612 msedge.exe 3128 CoronaVirus.exe 3128 CoronaVirus.exe 3128 CoronaVirus.exe 3128 CoronaVirus.exe 3128 CoronaVirus.exe 3128 CoronaVirus.exe 3128 CoronaVirus.exe 3128 CoronaVirus.exe 3128 CoronaVirus.exe 3128 CoronaVirus.exe 3128 CoronaVirus.exe 3128 CoronaVirus.exe 3128 CoronaVirus.exe 3128 CoronaVirus.exe 3128 CoronaVirus.exe 3128 CoronaVirus.exe 3128 CoronaVirus.exe 3128 CoronaVirus.exe 3128 CoronaVirus.exe 3128 CoronaVirus.exe 3128 CoronaVirus.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 22 IoCs
pid Process 3184 msedge.exe 3184 msedge.exe 3184 msedge.exe 3184 msedge.exe 3184 msedge.exe 3184 msedge.exe 3184 msedge.exe 3184 msedge.exe 3184 msedge.exe 3184 msedge.exe 3184 msedge.exe 3184 msedge.exe 3184 msedge.exe 3184 msedge.exe 3184 msedge.exe 3184 msedge.exe 3184 msedge.exe 3184 msedge.exe 3184 msedge.exe 3184 msedge.exe 3184 msedge.exe 3184 msedge.exe -
Suspicious use of AdjustPrivilegeToken 37 IoCs
description pid Process Token: SeShutdownPrivilege 2012 rundll32.exe Token: SeDebugPrivilege 2012 rundll32.exe Token: SeTcbPrivilege 2012 rundll32.exe Token: SeDebugPrivilege 3860 BD.tmp Token: SeShutdownPrivilege 4788 rundll32.exe Token: SeDebugPrivilege 4788 rundll32.exe Token: SeTcbPrivilege 4788 rundll32.exe Token: SeShutdownPrivilege 3944 rundll32.exe Token: SeDebugPrivilege 3944 rundll32.exe Token: SeTcbPrivilege 3944 rundll32.exe Token: SeShutdownPrivilege 2704 rundll32.exe Token: SeDebugPrivilege 2704 rundll32.exe Token: SeTcbPrivilege 2704 rundll32.exe Token: SeShutdownPrivilege 4352 rundll32.exe Token: SeDebugPrivilege 4352 rundll32.exe Token: SeTcbPrivilege 4352 rundll32.exe Token: SeShutdownPrivilege 3872 rundll32.exe Token: SeDebugPrivilege 3872 rundll32.exe Token: SeTcbPrivilege 3872 rundll32.exe Token: SeShutdownPrivilege 804 rundll32.exe Token: SeDebugPrivilege 804 rundll32.exe Token: SeTcbPrivilege 804 rundll32.exe Token: SeShutdownPrivilege 3944 rundll32.exe Token: SeDebugPrivilege 3944 rundll32.exe Token: SeTcbPrivilege 3944 rundll32.exe Token: SeShutdownPrivilege 1384 rundll32.exe Token: SeDebugPrivilege 1384 rundll32.exe Token: SeTcbPrivilege 1384 rundll32.exe Token: SeBackupPrivilege 16496 vssvc.exe Token: SeRestorePrivilege 16496 vssvc.exe Token: SeAuditPrivilege 16496 vssvc.exe Token: SeDebugPrivilege 19244 taskmgr.exe Token: SeSystemProfilePrivilege 19244 taskmgr.exe Token: SeCreateGlobalPrivilege 19244 taskmgr.exe Token: SeShutdownPrivilege 5416 sys3.exe Token: SeShutdownPrivilege 5144 LogonUI.exe Token: SeCreatePagefilePrivilege 5144 LogonUI.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 3184 msedge.exe 3184 msedge.exe 3184 msedge.exe 3184 msedge.exe 3184 msedge.exe 3184 msedge.exe 3184 msedge.exe 3184 msedge.exe 3184 msedge.exe 3184 msedge.exe 3184 msedge.exe 3184 msedge.exe 3184 msedge.exe 3184 msedge.exe 3184 msedge.exe 3184 msedge.exe 3184 msedge.exe 3184 msedge.exe 3184 msedge.exe 3184 msedge.exe 3184 msedge.exe 3184 msedge.exe 3184 msedge.exe 3184 msedge.exe 3184 msedge.exe 3184 msedge.exe 3184 msedge.exe 3184 msedge.exe 3184 msedge.exe 3184 msedge.exe 3184 msedge.exe 3184 msedge.exe 3184 msedge.exe 3184 msedge.exe 3184 msedge.exe 3184 msedge.exe 3184 msedge.exe 3184 msedge.exe 3184 msedge.exe 3184 msedge.exe 3184 msedge.exe 3184 msedge.exe 3184 msedge.exe 3184 msedge.exe 3184 msedge.exe 3184 msedge.exe 3184 msedge.exe 3184 msedge.exe 3184 msedge.exe 3184 msedge.exe 3184 msedge.exe 3184 msedge.exe 3184 msedge.exe 3184 msedge.exe 3184 msedge.exe 3184 msedge.exe 3184 msedge.exe 3184 msedge.exe 3184 msedge.exe 3184 msedge.exe 3184 msedge.exe 3184 msedge.exe 3184 msedge.exe 19244 taskmgr.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 3184 msedge.exe 3184 msedge.exe 3184 msedge.exe 3184 msedge.exe 3184 msedge.exe 3184 msedge.exe 3184 msedge.exe 3184 msedge.exe 3184 msedge.exe 3184 msedge.exe 3184 msedge.exe 3184 msedge.exe 3184 msedge.exe 3184 msedge.exe 3184 msedge.exe 3184 msedge.exe 3184 msedge.exe 3184 msedge.exe 3184 msedge.exe 3184 msedge.exe 3184 msedge.exe 3184 msedge.exe 3184 msedge.exe 3184 msedge.exe 19244 taskmgr.exe 19244 taskmgr.exe 19244 taskmgr.exe 19244 taskmgr.exe 19244 taskmgr.exe 19244 taskmgr.exe 19244 taskmgr.exe 19244 taskmgr.exe 19244 taskmgr.exe 19244 taskmgr.exe 19244 taskmgr.exe 19244 taskmgr.exe 19244 taskmgr.exe 19244 taskmgr.exe 19244 taskmgr.exe 19244 taskmgr.exe 19244 taskmgr.exe 19244 taskmgr.exe 19244 taskmgr.exe 19244 taskmgr.exe 19244 taskmgr.exe 19244 taskmgr.exe 19244 taskmgr.exe 19244 taskmgr.exe 19244 taskmgr.exe 19244 taskmgr.exe 19244 taskmgr.exe 19244 taskmgr.exe 19244 taskmgr.exe 19244 taskmgr.exe 19244 taskmgr.exe 19244 taskmgr.exe 19244 taskmgr.exe 19244 taskmgr.exe 19244 taskmgr.exe 19244 taskmgr.exe 19244 taskmgr.exe 19244 taskmgr.exe 19244 taskmgr.exe 19244 taskmgr.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 5144 LogonUI.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3184 wrote to memory of 4756 3184 msedge.exe 83 PID 3184 wrote to memory of 4756 3184 msedge.exe 83 PID 3184 wrote to memory of 4036 3184 msedge.exe 84 PID 3184 wrote to memory of 4036 3184 msedge.exe 84 PID 3184 wrote to memory of 4036 3184 msedge.exe 84 PID 3184 wrote to memory of 4036 3184 msedge.exe 84 PID 3184 wrote to memory of 4036 3184 msedge.exe 84 PID 3184 wrote to memory of 4036 3184 msedge.exe 84 PID 3184 wrote to memory of 4036 3184 msedge.exe 84 PID 3184 wrote to memory of 4036 3184 msedge.exe 84 PID 3184 wrote to memory of 4036 3184 msedge.exe 84 PID 3184 wrote to memory of 4036 3184 msedge.exe 84 PID 3184 wrote to memory of 4036 3184 msedge.exe 84 PID 3184 wrote to memory of 4036 3184 msedge.exe 84 PID 3184 wrote to memory of 4036 3184 msedge.exe 84 PID 3184 wrote to memory of 4036 3184 msedge.exe 84 PID 3184 wrote to memory of 4036 3184 msedge.exe 84 PID 3184 wrote to memory of 4036 3184 msedge.exe 84 PID 3184 wrote to memory of 4036 3184 msedge.exe 84 PID 3184 wrote to memory of 4036 3184 msedge.exe 84 PID 3184 wrote to memory of 4036 3184 msedge.exe 84 PID 3184 wrote to memory of 4036 3184 msedge.exe 84 PID 3184 wrote to memory of 4036 3184 msedge.exe 84 PID 3184 wrote to memory of 4036 3184 msedge.exe 84 PID 3184 wrote to memory of 4036 3184 msedge.exe 84 PID 3184 wrote to memory of 4036 3184 msedge.exe 84 PID 3184 wrote to memory of 4036 3184 msedge.exe 84 PID 3184 wrote to memory of 4036 3184 msedge.exe 84 PID 3184 wrote to memory of 4036 3184 msedge.exe 84 PID 3184 wrote to memory of 4036 3184 msedge.exe 84 PID 3184 wrote to memory of 4036 3184 msedge.exe 84 PID 3184 wrote to memory of 4036 3184 msedge.exe 84 PID 3184 wrote to memory of 4036 3184 msedge.exe 84 PID 3184 wrote to memory of 4036 3184 msedge.exe 84 PID 3184 wrote to memory of 4036 3184 msedge.exe 84 PID 3184 wrote to memory of 4036 3184 msedge.exe 84 PID 3184 wrote to memory of 4036 3184 msedge.exe 84 PID 3184 wrote to memory of 4036 3184 msedge.exe 84 PID 3184 wrote to memory of 4036 3184 msedge.exe 84 PID 3184 wrote to memory of 4036 3184 msedge.exe 84 PID 3184 wrote to memory of 4036 3184 msedge.exe 84 PID 3184 wrote to memory of 4036 3184 msedge.exe 84 PID 3184 wrote to memory of 4556 3184 msedge.exe 85 PID 3184 wrote to memory of 4556 3184 msedge.exe 85 PID 3184 wrote to memory of 2720 3184 msedge.exe 86 PID 3184 wrote to memory of 2720 3184 msedge.exe 86 PID 3184 wrote to memory of 2720 3184 msedge.exe 86 PID 3184 wrote to memory of 2720 3184 msedge.exe 86 PID 3184 wrote to memory of 2720 3184 msedge.exe 86 PID 3184 wrote to memory of 2720 3184 msedge.exe 86 PID 3184 wrote to memory of 2720 3184 msedge.exe 86 PID 3184 wrote to memory of 2720 3184 msedge.exe 86 PID 3184 wrote to memory of 2720 3184 msedge.exe 86 PID 3184 wrote to memory of 2720 3184 msedge.exe 86 PID 3184 wrote to memory of 2720 3184 msedge.exe 86 PID 3184 wrote to memory of 2720 3184 msedge.exe 86 PID 3184 wrote to memory of 2720 3184 msedge.exe 86 PID 3184 wrote to memory of 2720 3184 msedge.exe 86 PID 3184 wrote to memory of 2720 3184 msedge.exe 86 PID 3184 wrote to memory of 2720 3184 msedge.exe 86 PID 3184 wrote to memory of 2720 3184 msedge.exe 86 PID 3184 wrote to memory of 2720 3184 msedge.exe 86 PID 3184 wrote to memory of 2720 3184 msedge.exe 86 PID 3184 wrote to memory of 2720 3184 msedge.exe 86 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://bazaar.abuse.ch/sample/6e4030c0c65c90c8e020030b6214a9bc2905be19e9d644d658f027064f067460/1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3184 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9b75546f8,0x7ff9b7554708,0x7ff9b75547182⤵PID:4756
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,16605236371736707639,1074563159077778317,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2204 /prefetch:22⤵PID:4036
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2180,16605236371736707639,1074563159077778317,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:4556
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2180,16605236371736707639,1074563159077778317,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2688 /prefetch:82⤵PID:2720
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,16605236371736707639,1074563159077778317,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:12⤵PID:1176
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,16605236371736707639,1074563159077778317,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:12⤵PID:4032
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,16605236371736707639,1074563159077778317,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4696 /prefetch:12⤵PID:2844
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,16605236371736707639,1074563159077778317,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4652 /prefetch:12⤵PID:4844
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2180,16605236371736707639,1074563159077778317,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5420 /prefetch:82⤵PID:548
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2180,16605236371736707639,1074563159077778317,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5420 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:1000
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,16605236371736707639,1074563159077778317,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:12⤵PID:4912
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,16605236371736707639,1074563159077778317,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:12⤵PID:1796
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,16605236371736707639,1074563159077778317,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5524 /prefetch:12⤵PID:2468
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,16605236371736707639,1074563159077778317,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5708 /prefetch:12⤵PID:1268
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,16605236371736707639,1074563159077778317,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3028 /prefetch:12⤵PID:1436
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,16605236371736707639,1074563159077778317,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5780 /prefetch:12⤵PID:2028
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2180,16605236371736707639,1074563159077778317,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=1676 /prefetch:82⤵PID:3984
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2180,16605236371736707639,1074563159077778317,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=2384 /prefetch:82⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4208
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,16605236371736707639,1074563159077778317,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5748 /prefetch:12⤵PID:1492
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,16605236371736707639,1074563159077778317,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4696 /prefetch:12⤵PID:1224
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,16605236371736707639,1074563159077778317,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3480 /prefetch:12⤵PID:4004
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2180,16605236371736707639,1074563159077778317,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4688 /prefetch:82⤵PID:4744
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,16605236371736707639,1074563159077778317,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4728 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:4432
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,16605236371736707639,1074563159077778317,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4144 /prefetch:12⤵PID:2696
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2180,16605236371736707639,1074563159077778317,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5832 /prefetch:82⤵PID:3700
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,16605236371736707639,1074563159077778317,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5080 /prefetch:12⤵PID:4792
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2180,16605236371736707639,1074563159077778317,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6692 /prefetch:82⤵PID:4760
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2180,16605236371736707639,1074563159077778317,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6792 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:2620
-
-
C:\Users\Admin\Downloads\BadRabbit.exe"C:\Users\Admin\Downloads\BadRabbit.exe"2⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4436 -
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 153⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2012 -
C:\Windows\SysWOW64\cmd.exe/c schtasks /Delete /F /TN rhaegal4⤵
- System Location Discovery: System Language Discovery
PID:4308 -
C:\Windows\SysWOW64\schtasks.exeschtasks /Delete /F /TN rhaegal5⤵
- System Location Discovery: System Language Discovery
PID:432
-
-
-
C:\Windows\SysWOW64\cmd.exe/c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3814544259 && exit"4⤵
- System Location Discovery: System Language Discovery
PID:1600 -
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3814544259 && exit"5⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:4744
-
-
-
C:\Windows\SysWOW64\cmd.exe/c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 04:33:004⤵
- System Location Discovery: System Language Discovery
PID:4584 -
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 04:33:005⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2124
-
-
-
C:\Windows\BD.tmp"C:\Windows\BD.tmp" \\.\pipe\{830EE7F9-E85F-4259-BFAC-82D43630B91A}4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3860
-
-
C:\Windows\SysWOW64\cmd.exe/c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:4⤵PID:16796
-
-
C:\Windows\SysWOW64\cmd.exe/c schtasks /Delete /F /TN drogon4⤵
- System Location Discovery: System Language Discovery
PID:16848 -
C:\Windows\SysWOW64\schtasks.exeschtasks /Delete /F /TN drogon5⤵
- System Location Discovery: System Language Discovery
PID:17160
-
-
-
-
-
C:\Users\Admin\Downloads\BadRabbit.exe"C:\Users\Admin\Downloads\BadRabbit.exe"2⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4644 -
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 153⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4788
-
-
-
C:\Users\Admin\Downloads\BadRabbit.exe"C:\Users\Admin\Downloads\BadRabbit.exe"2⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1524 -
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 153⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3944
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,16605236371736707639,1074563159077778317,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5240 /prefetch:12⤵PID:1172
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2180,16605236371736707639,1074563159077778317,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4060 /prefetch:82⤵PID:1952
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2180,16605236371736707639,1074563159077778317,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6808 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:2612
-
-
C:\Users\Admin\Downloads\CoronaVirus.exe"C:\Users\Admin\Downloads\CoronaVirus.exe"2⤵
- Checks computer location settings
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3128 -
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"3⤵PID:3220
-
C:\Windows\system32\mode.commode con cp select=12514⤵PID:6624
-
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
PID:16876
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe"3⤵PID:20212
-
C:\Windows\system32\mode.commode con cp select=12514⤵PID:20288
-
-
C:\Windows\system32\vssadmin.exevssadmin delete shadows /all /quiet4⤵
- Interacts with shadow copies
PID:20592
-
-
-
C:\Windows\System32\mshta.exe"C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"3⤵PID:20332
-
-
C:\Windows\System32\mshta.exe"C:\Windows\System32\mshta.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta"3⤵PID:20440
-
-
-
C:\Users\Admin\Downloads\CoronaVirus.exe"C:\Users\Admin\Downloads\CoronaVirus.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3204
-
-
C:\Users\Admin\Downloads\CoronaVirus.exe"C:\Users\Admin\Downloads\CoronaVirus.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2704
-
-
C:\Users\Admin\Downloads\CoronaVirus.exe"C:\Users\Admin\Downloads\CoronaVirus.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5024
-
-
C:\Users\Admin\Downloads\CoronaVirus.exe"C:\Users\Admin\Downloads\CoronaVirus.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3988
-
-
C:\Users\Admin\Downloads\CoronaVirus.exe"C:\Users\Admin\Downloads\CoronaVirus.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4344
-
-
C:\Users\Admin\Downloads\CoronaVirus.exe"C:\Users\Admin\Downloads\CoronaVirus.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3700
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,16605236371736707639,1074563159077778317,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6320 /prefetch:12⤵PID:31892
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2180,16605236371736707639,1074563159077778317,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6456 /prefetch:82⤵PID:16724
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2180,16605236371736707639,1074563159077778317,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6444 /prefetch:82⤵PID:3492
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2180,16605236371736707639,1074563159077778317,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6560 /prefetch:82⤵PID:28928
-
-
C:\Users\Admin\Downloads\CryptoLocker.exe"C:\Users\Admin\Downloads\CryptoLocker.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- NTFS ADS
PID:20552 -
C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe"C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" "/rC:\Users\Admin\Downloads\CryptoLocker.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:20764 -
C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe"C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" /w000002204⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:21008 -
C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe"C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" /w000002205⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:21172
-
-
C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe"C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" /w000002205⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:21112 -
C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe"C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" /w000002206⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:20872
-
-
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,16605236371736707639,1074563159077778317,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6064 /prefetch:12⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:11608
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,16605236371736707639,1074563159077778317,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:12⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:14508
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,16605236371736707639,1074563159077778317,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3604 /prefetch:12⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:16808
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,16605236371736707639,1074563159077778317,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:12⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:16668
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,16605236371736707639,1074563159077778317,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3004 /prefetch:12⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:18260
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2180,16605236371736707639,1074563159077778317,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7092 /prefetch:82⤵
- Executes dropped EXE
- Loads dropped DLL
PID:18080
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2180,16605236371736707639,1074563159077778317,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6204 /prefetch:82⤵
- Executes dropped EXE
- Loads dropped DLL
PID:17872
-
-
C:\Users\Admin\Downloads\PowerPoint.exe"C:\Users\Admin\Downloads\PowerPoint.exe"2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- NTFS ADS
PID:5572 -
C:\Users\Admin\AppData\Local\Temp\sys3.exeC:\Users\Admin\AppData\Local\Temp\\sys3.exe3⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5416
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4740
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3204
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x490 0x3841⤵PID:4912
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:1664
-
C:\Users\Admin\Downloads\BadRabbit.exe"C:\Users\Admin\Downloads\BadRabbit.exe"1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4532 -
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 152⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2704
-
-
C:\Users\Admin\Downloads\BadRabbit.exe"C:\Users\Admin\Downloads\BadRabbit.exe"1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4424 -
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 152⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4352
-
-
C:\Users\Admin\Downloads\BadRabbit.exe"C:\Users\Admin\Downloads\BadRabbit.exe"1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1872 -
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 152⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3872
-
-
C:\Users\Admin\Downloads\BadRabbit.exe"C:\Users\Admin\Downloads\BadRabbit.exe"1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:3352 -
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 152⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:804
-
-
C:\Users\Admin\Downloads\BadRabbit.exe"C:\Users\Admin\Downloads\BadRabbit.exe"1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:3964 -
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 152⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3944
-
-
C:\Users\Admin\Downloads\BadRabbit.exe"C:\Users\Admin\Downloads\BadRabbit.exe"1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:3376 -
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 152⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1384
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:16496
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Drops startup file
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:19244
-
C:\Windows\system32\werfault.exewerfault.exe /h /shared Global\2d716febc7a24520a2c02ea3ceda7af2 /t 20452 /p 204401⤵PID:20200
-
C:\Windows\system32\werfault.exewerfault.exe /h /shared Global\32181f46ad764863a57e96ff38edde15 /t 20344 /p 203321⤵PID:20720
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Roaming\Info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}1⤵
- System Location Discovery: System Language Discovery
PID:19340
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa3928855 /state1:0x41c64e6d1⤵
- Drops desktop.ini file(s)
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5144
Network
MITRE ATT&CK Enterprise v15
Execution
Scheduled Task/Job
1Scheduled Task
1Windows Management Instrumentation
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Pre-OS Boot
1Bootkit
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Direct Volume Access
1Indicator Removal
2File Deletion
2Modify Registry
1Pre-OS Boot
1Bootkit
1Credential Access
Credentials from Password Stores
2Credentials from Web Browsers
1Windows Credential Manager
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CDE89F9DCB25D8AC547E3CEFDA4FB6C2_EFB75332C2EEE29C462FC21A350076B8
Filesize5B
MD55bfa51f3a417b98e7443eca90fc94703
SHA18c015d80b8a23f780bdd215dc842b0f5551f63bd
SHA256bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128
SHA5124cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399
-
Filesize
11KB
MD5e4ebae76f03cd05926c14b29289512d0
SHA156437b10fd89cc93e7673cbfb71a18890c53ed7a
SHA256a225254c6521e63b6ff959c4d56e85f43f09a6e70865f0c4b2d3fc214ffcc16c
SHA512c86dff0b1f759dbe950349cc29259e463d4c8957212ef8b14f6f7a6dfbc1c7ce525e1e174c067ab6e03de30947c1e450a7a120f61a48b03e5affc5dd67a9652e
-
Filesize
152B
MD59e3fc58a8fb86c93d19e1500b873ef6f
SHA1c6aae5f4e26f5570db5e14bba8d5061867a33b56
SHA256828f4eacac1c40b790fd70dbb6fa6ba03dcc681171d9b2a6579626d27837b1c4
SHA512e5e245b56fa82075e060f468a3224cf2ef43f1b6d87f0351a2102d85c7c897e559be4caeaecfdc4059af29fdc674681b61229319dda95cb2ee649b2eb98d313e
-
Filesize
152B
MD527304926d60324abe74d7a4b571c35ea
SHA178b8f92fcaf4a09eaa786bbe33fd1b0222ef29c1
SHA2567039ad5c2b40f4d97c8c2269f4942be13436d739b2e1f8feb7a0c9f9fdb931de
SHA512f5b6181d3f432238c7365f64fc8a373299e23ba8178bcc419471916ef8b23e909787c7c0617ab22e4eb90909c02bd7b84f1386fbc61e2bdb5a0eb474175da4bd
-
Filesize
213KB
MD5f942900ff0a10f251d338c612c456948
SHA14a283d3c8f3dc491e43c430d97c3489ee7a3d320
SHA25638b76a54655aff71271a9ad376ac17f20187abd581bf5aced69ccde0fe6e2fd6
SHA5129b393ce73598ed1997d28ceeddb23491a4d986c337984878ebb0ae06019e30ea77448d375d3d6563c774856d6bc98ee3ca0e0ba88ea5769a451a5e814f6ddb41
-
Filesize
64KB
MD5d6b36c7d4b06f140f860ddc91a4c659c
SHA1ccf16571637b8d3e4c9423688c5bd06167bfb9e9
SHA25634013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92
SHA5122a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487
-
Filesize
67KB
MD5929b1f88aa0b766609e4ca5b9770dc24
SHA1c1f16f77e4f4aecc80dadd25ea15ed10936cc901
SHA256965eaf004d31e79f7849b404d0b8827323f9fe75b05fe73b1226ccc4deea4074
SHA512fe8d6b94d537ee9cae30de946886bf7893d3755c37dd1662baf1f61e04f47fa66e070210c990c4a956bde70380b7ce11c05ad39f9cbd3ea55b129bb1f573fa07
-
Filesize
41KB
MD53fa3fda65e1e29312e0a0eb8a939d0e8
SHA18d98d28790074ad68d2715d0c323e985b9f3240e
SHA256ee5d25df51e5903841b499f56845b2860e848f9551bb1e9499d71b2719312c1b
SHA5124e63a0659d891b55952b427444c243cb2cb6339de91e60eb133ca783499261e333eaf3d04fb24886c718b1a15b79e52f50ef9e3920d6cfa0b9e6185693372cac
-
Filesize
19KB
MD576a3f1e9a452564e0f8dce6c0ee111e8
SHA111c3d925cbc1a52d53584fd8606f8f713aa59114
SHA256381396157ed5e8021dd8e660142b35eb71a63aecd33062a1103ce9c709c7632c
SHA512a1156a907649d6f2c3f7256405d9d5c62a626b8d4cd717fa2f29d2fbe91092a2b3fdd0716f8f31e59708fe12274bc2dea6c9ae6a413ea290e70ddf921fe7f274
-
Filesize
65KB
MD556d57bc655526551f217536f19195495
SHA128b430886d1220855a805d78dc5d6414aeee6995
SHA256f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4
SHA5127814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb
-
Filesize
84KB
MD574e33b4b54f4d1f3da06ab47c5936a13
SHA16e5976d593b6ee3dca3c4dbbb90071b76e1cd85c
SHA256535fc48679c38decd459ad656bdd6914e539754265244d0cc7b1da6bddf3e287
SHA51279218e8ee50484af968480ff9b211815c97c3f3035414e685aa5d15d9b4152682d87b66202339f212bf3b463a074bf7a4431107b50303f28e2eb4b17843991c2
-
Filesize
1.2MB
MD553e6452a21197c8f83c7c9dcb93e60a9
SHA10c88935ff99f6e5e2da6d889f64322fd659e389c
SHA2565015ce8f2a610052ec08f1ebe5ac5f41e6fd623fd6c74b0cd79d0eb6882626e9
SHA51278f0550ca40752b3ef8943bf23ec2089e5f0136040ca3af2b7ca8ae6a28d64f8d97ac32ef82b18bdc4d19d6cedc4ad1970157791a7c55649374b290780750a16
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize5KB
MD51686793baa4a02171b24b096204c7c29
SHA123d83145ce882cffa910e79e6c575a2f561d0787
SHA2560a12fba57c09947dab5ef9fe202a5ecd0baeb94599c54de572a47dab3a524c87
SHA51284ac4bb5a2a8539fd94cb68f40385cb44b89557bccae240c5e6b240aaee4a9c2788c0d134e993674ff6073dc29a1b46f538ce07421252c8185cd1027cc73caeb
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize2KB
MD5fab9e84a46d56b2ebcc66375b379e1a1
SHA13c711888a7e522e43dc72676733a2a7955da251e
SHA2562c0b7e32a8dd4a7df46615d8c6fdaff9ad43bfb6f6d82237755b118e9747ef0a
SHA5122c635a6c6d892b48a45a707331314b5f0c55c4ae9e184a2e69ca5d6254aaa4b5d3d8d329a0f902f33ea1de3950a2e0a77b2bde3db1e2c4162c5e762429bccdd8
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize216B
MD5b2ff289943d83802e3988c18e70f1c7b
SHA1728967493224a2482e08b5c12b0c8f39a3c51935
SHA256a63b51f677ff90c72e9d2c4dc3a8504bdbd92aee789dd57b5a5b604e722046c2
SHA512eadf62604363fd04ebe1c6acbfd5b6ab7bd7577510613b28f731f03da83acba6314a159fa6e207951cf5854b3b364115a091b12ce21ba2e1dfe342649a3a6401
-
Filesize
2KB
MD5bbad42461bdce9c2789acc8b0bc9e015
SHA108f49f2c9fc415f8159a14d7b9912dee6f5b4ed5
SHA256f2e4cf6001dd1fcc0175edab4dd6a9c75e456f65f62b3b0b883e53bd09a745cb
SHA512b951195dacdf6edfd8fd022a65356d609f18f5beb7c12cf3120cc1c170c2340de08804950d48eb39f514d1ee293e62c323d8adb00fcdb7bdd89dbd29ca3b5a0c
-
Filesize
1KB
MD51843f7da3f9a3057a6d3f5c0c74a17e9
SHA1d8ec1e856d0de171e919998fb72fca0e6579e172
SHA256debf1c7d87ac18b0c9943427234d37824450b5565b384e589a1be79e7391c8bd
SHA5128af6dc38cb0d54bacbf829124468dfdc6488e2dbff6818639e3624ee7cdd4b1f178e50055f03cb9ba92e37b6996e89c6fcafb254ec61c2004f77b4e3b50923dc
-
Filesize
1KB
MD5d739d86bf795222fa4e620d7782f3178
SHA17f825e6bdf3427e8ebd6d9ccb60eef23bca477c8
SHA256e5c900d530304860e88cdf8066098916c098fd1eb9febc0495f29030d79cb5c0
SHA5124cb98840e49fb8664f4510bd501e10bf6018574ced121bfebdfa96d89eeb6cf98fbdc8dba1e2ac57194ef883f26031fd398fb4e26c461fe0f5aa3d5dbd355924
-
Filesize
8KB
MD597958ab5344bf00331be55707d73d96a
SHA1e7fd9b7c497beb3e9fb5afda50606ae8c2dd9b84
SHA2568f6b137b3d16f74f899f7bb568820e038267f13fb5b4050b81b293194b0758b2
SHA51282ff701129c986f385ab00cf707e28a3b0ad1eac78f9f6776416b88b3ee9527814f22598e404bc01fab66a4571c4680a66c69e337c1134c3278a514fab35f0e8
-
Filesize
7KB
MD5e13dd4307f79df65a83c8995be67e165
SHA1f3063d54cc5da9120580b8c6252fab7a66d8f997
SHA2567781d1e485614f5103f7e24ba68e74e6a4c94615cdde0361e9e952b7acf07e8c
SHA51205f5a84b207739c15f68a42e4ebc865d3f161a56531774f980122c5877803abea8137239339d339835130eccba0077995e91bfba8c2873fc588e4eda3ae06abc
-
Filesize
8KB
MD5abbe51cb6918d271b2101e1c6436215d
SHA1ac6440399f28076bb7a3c4de709d4740bd51b7bf
SHA25676a5b33117fb65846b33668235b9fdc8eae6cd9d1620df71b8831b2f3d741bc6
SHA5126cf38f9f7d4a03ce9148138eea1b623f19dda15296f1a7f03591e5668bf8b18b5bca7994afb609be4e0e62d478e76f329d45aab2999b92a11c1585af92af9be3
-
Filesize
8KB
MD50845ca3748c373cee20b85c51482f1d0
SHA1314744ccf190dc55cd4b77a20a4972af0c6c84bf
SHA2563e8791eb45cecd62b5601792bb48763215e91c6ae69de4f7f17428df2bf76140
SHA5125fed9f1656af48d88a6da038232f2bbc0049c3ff063c0ee263568f0d2832ec38b4f40e08f9785c1fe1ebc1e820f23c583381813037d38f6877b9a00dd9b75477
-
Filesize
6KB
MD5fa7c53991814da64411ed59c6d06edf5
SHA127367833de5ee2d67c089ae1ee6319ebc4fca861
SHA25655d167fdc7a13554b1a295dcf71d8cf1b7c3b95ba905517a03e06b00d4dc9597
SHA51234e12b76192a68601948f0546b2ea20bdbdb85386a7ba4f3342cfc15020223f4907643f73ca448649e18ae94099c4413ee049c051b80d2e85fb6f09271f46962
-
Filesize
7KB
MD533bb291aa224222412340cf88e0238f0
SHA13a3e29d647aeb966468a022d7a99137556bdce2b
SHA2566fb1cb5237641dd7dfaa3818edd6f0e56d3654faf9ac3dd7a35a035da0ae8504
SHA51225361a07a5b6b222d8db22a865c95b9ab7982bca172df46183d11f8ef983716325a974a54e793254e71127f7b1e3d90440db8dda1b754ba9fc453f3ba9d56445
-
Filesize
7KB
MD50acefa24065f21570cc96f839d80664e
SHA19ca8f7e97cd8608e411e53db40af43d30b86f8c3
SHA2562460d4ad2de5d5faad59489b6c3e48ca6aa3301d4af67df866233f1493074097
SHA5128680c6c6c2baf7106b681472fca60917d77413d23e69ddf8ddd4ddcef3557d6425a641e2631b12ba6eadc2ce84360ba9f721e2908b8956b5704af879188b2924
-
Filesize
2KB
MD58360213b6f588d5303a3309cc173ce60
SHA1c3dfc65cd4e65ce4dd9da939693748464db841df
SHA256ddf30d49a9e85b748045f859cf4eca1cfd1058657ae7c8a74c208b9067af6faa
SHA512fc2b47b39582618fc9f320af97998a1813060e398e1f47211ecace3a4c122f3b99058c3849ebac289c72cec5d062ffa3070a6448e5c0e28061cf459df3dcd073
-
Filesize
2KB
MD5a8a595473d5b6688d90428a7b7b5d28b
SHA1fa5885ed6c25b25f1c8ac43efc326b490cd47ffb
SHA256a7dbec5e3f406a748870b2481c2f649b8c416a04d5707e79a912dcc536dcfba3
SHA5125209c26d03915beef1ed96460f205b4cb5b1c8756203cef2213e1a4ea90a5bec4704d6863a8bfba9360a1db3e88a2584d483d38e3cd8348367179af620d77587
-
Filesize
2KB
MD50abec2ccbe7041c799c2a67f3bd1c36f
SHA11c3646b39c917705d7244d2140decfb3d53eb415
SHA2566f78fdc8c98f61c9e20f2b088f04dc1be23fb49bd0f52f7b6ef35395799332a8
SHA5122930c525ae682a93f1c0fa23539c172384153cf59f50437fc5cb1e635c7a42986f7356547c76d07a0dab5306314db98a8f55d1a575e919a71c95782710e38749
-
Filesize
2KB
MD51af8c8383f0f0e919f1be69c93b2fda9
SHA1041de86f77f989cce0724631d33141f24b7b6f08
SHA25651f11775dbac65dca02f5435ad22513a34619c9886613f2fadd7acbdc824802b
SHA51239f7ff941c58ef13b886555310e2e48626770ab630b3999ed789161e19ea1d5b036c0f4ab6a6ae9420a7992a74ba5e0d97ecc17a6d03ed0d63a44628afd58748
-
Filesize
2KB
MD555d5154f8b2ffdb095372657eb2fd0f6
SHA14afad36b232af162aad00d3701389f87b7b89138
SHA2569e6377103cabab7aa85112bb085e824ffc76040b99b90a1920afb3ec890654c8
SHA5120aa706d8689014f31f244739d3afc25562866542f1f24d08bf81d5cb1441a81098bf33a60bb368fc9bd5af6ae684180e8a0d21c778cfc6ad7ac4bdd2071d23ce
-
Filesize
2KB
MD5a3b16c70da86d1e61f9308563712d232
SHA18353e396a2b5e86fbc2e6f91c7466992b2965a0c
SHA2560a0ba1fa2661e63181527051498bf36e94d1a0e41dccaff3eb7d5d0acc3cd3f0
SHA5121018d66502acec4b836b3905cf72dbcc5a3c1e639ae62df8b526c08923a952be85a8f75f1b9341889f8829f78f07ecd49eb4ea56a77a18646c337df456843a79
-
Filesize
1KB
MD585ba731aa4c28c80cf37096f4fd43319
SHA198c4c0297bd4ff3561a58bef316dcb964bf5d915
SHA256cc792af64c4328254d03b1c3096824914cbd8906fdab2ee63a0235e744bb8713
SHA5128c4910b4020ccba831e96c4f29cf4acd107ff239f0afae9682b3d9b1232a12180bd857a664dbaa3cfe8c6d8e43b28549b7e8f890863c3ba3bc5de8714806b0f4
-
Filesize
872B
MD52cf57f80e0e57d4db93a76f73f8697ef
SHA1db878b21735d7f3041e19439b756325a86628429
SHA256cbaabaa2f327bbc179ca2981604805d47f269dd020677cc788c702b03120c0ca
SHA51243c7703073f5019f19d528e1b4470e714af1b67b4d9de8bd9b1494a69c18e57dad6f29d9edc794ee602eb2b2e49f856e3f068af23346d646d80f0debfb08bc91
-
Filesize
872B
MD57c973a9d38e6d8711d0bf1069ea929f0
SHA10c69f39a03ffa33fb23f0c82cd0fafa7e31efde9
SHA256416aa329cf68f9022b8b793b4a8a9a6f67d6814e8c9fd4c33ebaf2d7400de3e6
SHA512d81712b3c4555eaad4e0901ed8b7259ca20de6b529f22d7d17078def4d8cf59e0306a86c9f7a6ba014376d25ea0f704b875ac3ef80f4454f7694669f0e55bf2f
-
Filesize
2KB
MD55d85cc10384c0a88df3a1b9bf86ff5cb
SHA1563c99a62ed5ced9b21a5d6bc25b6f590812784e
SHA2563a57c9ce694728423223f61e8e2d835c5aef41dd98780e5230dd94f085ddd046
SHA5127feaf75d9da6a6e837b8759d19afc8677549a72b18b9c4d33439be1b66c399a5f67c8906e65829e617f0b980ebe88a2d8a74aff796b3b441d9d12fdbf0347ca9
-
Filesize
370B
MD5e50c6a5d8954833953066450cfa6c62f
SHA17bc70b1716557495840951f13444e722c381d8b8
SHA25672ccd09cad04cdfa12bf926dd35d4799d87e64ff9d1478056faf6569bf5f4ff5
SHA5124b62a428228416b0d5be92d2b23a270add03d76a52585b0683ede9e2ae69d2be6fd27c700acfc4216e53b88390e38e46958932e181781e6a220f7da674ced3b8
-
Filesize
2KB
MD5452985016e6852b01c08b93763b82e65
SHA169bfd7eb330d593ae4cf1e7fbda84b0103efe474
SHA256f78a59f3408659835ec666da55b5c62d663808d1442151d50f8f30b7081444eb
SHA512ffcd9366d13aebda8358db439508ac473a5e6903a8377df901ccc4a2efb2e9037460fae5d7d7e66d5e057bd6d2624d4bde7a2c7cd41335f29b2f5e4c9d05f9c1
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\cf75b305-41ae-4e49-85a5-7019a1182fc0.tmp
Filesize5KB
MD5462917ca39c8660b14c515f0fe2c94af
SHA1d4d74c0a0893ecfcec9a1c8e9278e284c3fc61c1
SHA2562c631f388bc34f2b33ff3fa611f7933cd8b2ee11fceec12885f7d31343e01691
SHA512f33b937cabdb45121ab96beaa4981213652a648bd81eeccb5f53c3a567c4e4a2c1d0af4fc8df9feaac22ae3a6dd1896f0845294309844ce96dcab967675a1651
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD54dde836fc80081b838a1eb52edb0782e
SHA1f5b76107189e79916a0ef659108f3683928ea951
SHA256e330fe22cc984f3974a15c2ace22f4e1ca1f09baf280653dff7cd0ad15225cb8
SHA5123b9585e430604d493c3edf4280364beba48b7d665d1c7d9fd2a4f51a37f91849a3960a60f6c32f5e9393ec8df52441acc4f087962cbc8bfd28670798f0410b5c
-
Filesize
10KB
MD571c84b903e8e9c67d3505e9b15eed828
SHA1c36af9e7b94b9b74010a143156c7884c83425d52
SHA256ef844694ec28f1e683c8fc5ee67752d9ca765bd702fe9b9b2b46d3b834691c69
SHA5122ee27c456dc79fb21c357a221c92251bf4cfa1c81e24100e74c1d3f0ab4c7ebec30ebff3999e08e73dbaceb38d38af4af0727e9a1f1220c63f12f940bebf6581
-
Filesize
11KB
MD59180b5ffb4de483a53501366649ee658
SHA1a5499e943659e608dd87019c60421eb6d674f278
SHA25671d7523909b020024be930cd21af563dbe1826e4788bc0980966d467cdc664d8
SHA5123e1061c5cbdc04a9979835043bae7c0c2ef2c465899e920772ba1fec163b8c29f4433d9ad64159fd8d2d381033dfd2733c8d83ae61e1258c620887d5b85ab60b
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
Filesize
7B
MD54047530ecbc0170039e76fe1657bdb01
SHA132db7d5e662ebccdd1d71de285f907e3a1c68ac5
SHA25682254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750
SHA5128f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e
-
Filesize
338KB
MD504fb36199787f2e3e2135611a38321eb
SHA165559245709fe98052eb284577f1fd61c01ad20d
SHA256d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9
SHA512533d6603f6e2a77bd1b2c6591a135c4717753d53317c1be06e43774e896d9543bcd0ea6904a0688aa84b2d8424641d68994b1e7dc4aa46d66c36feecb6145444
-
Filesize
431KB
MD5fbbdc39af1139aebba4da004475e8839
SHA1de5c8d858e6e41da715dca1c019df0bfb92d32c0
SHA256630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da
SHA51274eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87
-
Filesize
1.0MB
MD5055d1462f66a350d9886542d4d79bc2b
SHA1f1086d2f667d807dbb1aa362a7a809ea119f2565
SHA256dddf7894b2e6aafa1903384759d68455c3a4a8348a7e2da3bd272555eba9bec0
SHA5122c5e570226252bdb2104c90d5b75f11493af8ed1be8cb0fd14e3f324311a82138753064731b80ce8e8b120b3fe7009b21a50e9f4583d534080e28ab84b83fee1
-
Filesize
136KB
MD570108103a53123201ceb2e921fcfe83c
SHA1c71799a6a6d09ee758b04cdf90a4ab76fbd2a7e3
SHA2569c3f8df80193c085912c9950c58051ae77c321975784cc069ceacd4f57d5861d
SHA512996701c65eee7f781c2d22dce63f4a95900f36b97a99dcf833045bce239a08b3c2f6326b3a808431cdab92d59161dd80763e44126578e160d79b7095175d276b
-
Filesize
60KB
MD5347ac3b6b791054de3e5720a7144a977
SHA1413eba3973a15c1a6429d9f170f3e8287f98c21c
SHA256301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c
SHA5129a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787
-
Filesize
401KB
MD51d724f95c61f1055f0d02c2154bbccd3
SHA179116fe99f2b421c52ef64097f0f39b815b20907
SHA256579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648
SHA512f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113
-
Filesize
401KB
MD5c4f26ed277b51ef45fa180be597d96e8
SHA1e9efc622924fb965d4a14bdb6223834d9a9007e7
SHA25614d82a676b63ab046ae94fa5e41f9f69a65dc7946826cb3d74cea6c030c2f958
SHA512afc2a8466f106e81d423065b07aed2529cbf690ab4c3e019334f1bedfb42dc0e0957be83d860a84b7285bd49285503bfe95a1cf571a678dbc9bdb07789da928e