Analysis
-
max time kernel
235s -
max time network
236s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
07-11-2024 09:04
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
http://google.com
Resource
win10v2004-20241007-en
Errors
General
-
Target
http://google.com
Malware Config
Signatures
-
BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
-
Badrabbit family
-
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
-
Mimikatz family
-
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection RedEye.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" RedEye.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" RedEye.exe -
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
mimikatz is an open source tool to dump credentials on Windows 1 IoCs
resource yara_rule behavioral1/files/0x0003000000000709-886.dat mimikatz -
Disables RegEdit via registry modification 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" RedEye.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" RedEye.exe -
Disables Task Manager via registry modification
-
Disables use of System Restore points 1 TTPs
-
Downloads MZ/PE file
-
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe RedEye.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe RedEye.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gpedit.msc RedEye.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gpedit.msc\Debugger = "RIP" RedEye.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RKill64.exe\Debugger = "RIP" RedEye.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ZAM.exe\Debugger = "RIP" RedEye.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\a2start.exe RedEye.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ComboFix.exe\Debugger = "RIP" RedEye.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\opera.exe\Debugger = "RIP" RedEye.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\microsoftedgecp.exe\Debugger = "RIP" RedEye.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\attrib.exe\Debugger = "RIP" RedEye.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bcdedit.exe RedEye.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\logoff.exe RedEye.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rkill.com\Debugger = "RIP" RedEye.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mb3-setup-1878.1878-3.3.1.2183.exe\Debugger = "RIP" RedEye.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe\Debugger = "RIP" RedEye.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe RedEye.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwCleaner.exe\Debugger = "RIP" RedEye.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HitmanPro.exe RedEye.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe RedEye.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe RedEye.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe RedEye.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\yandex.exe RedEye.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "RIP" RedEye.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\recoverydrive.exe RedEye.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iExplore64.exe RedEye.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe\Debugger = "RIP" RedEye.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ComboFix.exe RedEye.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "RIP" RedEye.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RKill64.exe RedEye.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\microsoftedgecp.exe RedEye.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad++.exe RedEye.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\Debugger = "RIP" RedEye.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\yandex.exe\Debugger = "RIP" RedEye.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RKill.exe\Debugger = "RIP" RedEye.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rkill64.com\Debugger = "RIP" RedEye.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rkill.scr RedEye.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HitmanPro_x64.exe RedEye.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "RIP" RedEye.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\control.exe RedEye.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rkill-unsigned64.exe\Debugger = "RIP" RedEye.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mb3-setup-1878.1878-3.3.1.2183.exe RedEye.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "RIP" RedEye.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\microsoftedge.exe\Debugger = "RIP" RedEye.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\attrib.exe RedEye.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\recoverydrive.exe\Debugger = "RIP" RedEye.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rkill-unsigned.exe\Debugger = "RIP" RedEye.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Autoruns.exe\Debugger = "RIP" RedEye.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe\Debugger = "RIP" RedEye.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\opera.exe RedEye.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad++.exe\Debugger = "RIP" RedEye.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UserAccountControlSettings.exe RedEye.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UserAccountControlSettings.exe\Debugger = "RIP" RedEye.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\control.exe\Debugger = "RIP" RedEye.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rkill64.com RedEye.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rkill.scr\Debugger = "RIP" RedEye.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rkill64.scr\Debugger = "RIP" RedEye.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe RedEye.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger = "RIP" RedEye.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\logoff.exe\Debugger = "RIP" RedEye.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe RedEye.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rkill64.scr RedEye.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe RedEye.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCuiL.exe RedEye.exe -
Modifies Windows Firewall 2 TTPs 1 IoCs
pid Process 5712 NetSh.exe -
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE 4 IoCs
pid Process 5480 7z2408-x64.exe 5380 AB98.tmp 3224 OneDriveSetup.exe 1648 OneDriveSetup.exe -
Loads dropped DLL 5 IoCs
pid Process 3540 Process not Found 2488 rundll32.exe 5292 rundll32.exe 1292 rundll32.exe 3540 Process not Found -
Modifies system executable filetype association 2 TTPs 4 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}" OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx\ = "{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}" OneDrive.exe -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\Downloads\\The-MALWARE-Repo-master\\The-MALWARE-Repo-master\\Ransomware\\RedEye.exe" RedEye.exe Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\Downloads\\The-MALWARE-Repo-master\\The-MALWARE-Repo-master\\Ransomware\\RedEye.exe" RedEye.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\Downloads\\The-MALWARE-Repo-master\\The-MALWARE-Repo-master\\Ransomware\\RedEye.exe" RedEye.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks system information in the registry 2 TTPs 2 IoCs
System information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName OneDriveSetup.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer OneDriveSetup.exe -
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process File created C:\autorun.inf RedEye.exe File opened for modification C:\autorun.inf RedEye.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\WallPaper = "C:\\redeyebmp.bmp" RedEye.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\7-Zip\Lang\fi.txt 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\History.txt 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\ga.txt 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\7z.dll 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\co.txt 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\he.txt 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\id.txt 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\tr.txt 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\ku.txt 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\mn.txt 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\uz-cyrl.txt 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\is.txt 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\sk.txt 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\sl.txt 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\7zG.exe 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\da.txt 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\fa.txt 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\gl.txt 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\uz.txt 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\ky.txt 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\nn.txt 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\sr-spl.txt 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\tk.txt 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\fy.txt 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\hu.txt 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\pa-in.txt 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\pt-br.txt 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\sw.txt 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\tg.txt 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\7z.exe 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\7zFM.exe 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\ba.txt 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\fur.txt 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\kaa.txt 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\ru.txt 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\Uninstall.exe 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\zh-tw.txt 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\gu.txt 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\ka.txt 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\si.txt 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\sq.txt 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\ca.txt 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\sv.txt 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\zh-cn.txt 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\af.txt 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\ar.txt 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\ja.txt 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\ko.txt 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\7zCon.sfx 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\fr.txt 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\ku-ckb.txt 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\uk.txt 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\es.txt 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\7-zip.chm 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\bg.txt 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\bn.txt 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\br.txt 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\vi.txt 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\descript.ion 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\kab.txt 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\nl.txt 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\License.txt 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\et.txt 7z2408-x64.exe File opened for modification C:\Program Files\7-Zip\Lang\lv.txt 7z2408-x64.exe -
Drops file in Windows directory 10 IoCs
description ioc Process File created C:\Windows\infpub.dat BadRabbit.exe File opened for modification C:\Windows\infpub.dat rundll32.exe File opened for modification C:\Windows\infpub.dat rundll32.exe File created C:\Windows\dispci.exe rundll32.exe File created C:\Windows\infpub.dat BadRabbit.exe File opened for modification C:\Windows\AB98.tmp rundll32.exe File opened for modification C:\Windows\infpub.dat rundll32.exe File created C:\Windows\Nope.txt RedEye.exe File created C:\Windows\infpub.dat BadRabbit.exe File created C:\Windows\cscc.dat rundll32.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh NetSh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh NetSh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh NetSh.exe -
System Location Discovery: System Language Discovery 1 TTPs 17 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language BadRabbit.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language OneDriveSetup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language OneDriveSetup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7z2408-x64.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language OneDrive.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language BadRabbit.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language BadRabbit.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language OneDrive.exe -
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 OneDrive.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz OneDrive.exe Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 OneDrive.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz OneDrive.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe -
Interacts with shadow copies 3 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid Process 1896 vssadmin.exe 5608 vssadmin.exe 5652 vssadmin.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION OneDrive.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000" OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION OneDrive.exe Set value (int) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\OneDrive.exe = "11000" OneDrive.exe -
Modifies data under HKEY_USERS 15 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent LogonUI.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "46" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" LogonUI.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" LogonUI.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" LogonUI.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Interface\{0f872661-c863-47a4-863f-c065c182858a}\TypeLib\ = "{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}" OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\WOW6432Node\Interface\{e9de26a1-51b2-47b4-b1bf-c87059cc02a7} OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\WOW6432Node\Interface\{c1439245-96b4-47fc-b391-679386c5d40f}\TypeLib\Version = "1.0" OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Interface\{944903E8-B03F-43A0-8341-872200D2DA9C}\ProxyStubClsid32 OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\CLSID\{389510b7-9e58-40d7-98bf-60b911cb0ea9}\VersionIndependentProgID\ = "FileSyncCustomStatesProvider.FileSyncCustomStatesProvider" OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Interface\{2387C6BD-9A36-41A2-88ED-FF731E529384}\ = "ISetItemPropertiesCallback" OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\WOW6432Node\Interface\{a7126d4c-f492-4eb9-8a2a-f673dbdd3334} OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\BannerNotificationHandler.BannerNotificationHandler\ = "BannerNotificationHandler Class" OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\WOW6432Node\Interface\{0299ECA9-80B6-43C8-A79A-FB1C5F19E7D8}\TypeLib OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\WOW6432Node\Interface\{1b7aed4f-fcaf-4da4-8795-c03e635d8edc}\TypeLib\Version = "1.0" OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Interface\{02C98E2C-6C9F-49F8-9B57-3A6E1AA09A67}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}" OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\WOW6432Node\Interface\{049FED7E-C3EA-4B66-9D92-10E8085D60FB}\ProxyStubClsid32 OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Interface\{2387C6BD-9A36-41A2-88ED-FF731E529384} OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\BannerNotificationHandler.BannerNotificationHandler.1\CLSID\ = "{2e7c0a19-0438-41e9-81e3-3ad3d64f55ba}" OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\CLSID\{021E4F06-9DCC-49AD-88CF-ECC2DA314C8A}\LocalServer32 OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\WOW6432Node\Interface\{679EC955-75AA-4FB2-A7ED-8C0152ECF409}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}" OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\WOW6432Node\CLSID\{5999E1EE-711E-48D2-9884-851A709F543D}\TypeLib OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\WOW6432Node\Interface\{385ED83D-B50C-4580-B2C3-9E64DBE7F511}\TypeLib OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\WOW6432Node\Interface\{8D3F8F15-1DE1-4662-BF93-762EABE988B2}\ProxyStubClsid32 OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Interface\{02C98E2C-6C9F-49F8-9B57-3A6E1AA09A67}\ = "ISyncInformationLookupCallback" OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\WOW6432Node\Interface\{679EC955-75AA-4FB2-A7ED-8C0152ECF409}\ProxyStubClsid32 OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Interface\{0d4e4444-cb20-4c2b-b8b2-94e5656ecae8}\ = "IGetSyncStatusCallback" OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\OOBERequestHandler.OOBERequestHandler.1 OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\WOW6432Node\Interface\{02C98E2C-6C9F-49F8-9B57-3A6E1AA09A67}\ProxyStubClsid32 OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Interface\{944903E8-B03F-43A0-8341-872200D2DA9C}\ = "ICheckFileHashCallback" OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\WOW6432Node\Interface\{1B71F23B-E61F-45C9-83BA-235D55F50CF9}\TypeLib\Version = "1.0" OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\WOW6432Node\Interface\{2EB31403-EBE0-41EA-AE91-A1953104EA55}\ProxyStubClsid32 OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Interface\{0299ECA9-80B6-43C8-A79A-FB1C5F19E7D8}\TypeLib\Version = "1.0" OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Interface\{1b7aed4f-fcaf-4da4-8795-c03e635d8edc}\TypeLib OneDrive.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000} 7z2408-x64.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\WOW6432Node\Interface\{2387C6BD-9A36-41A2-88ED-FF731E529384} OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Interface\{3A4E62AE-45D9-41D5-85F5-A45B77AB44E5}\TypeLib\Version = "1.0" OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Interface\{0299ECA9-80B6-43C8-A79A-FB1C5F19E7D8}\TypeLib\Version = "1.0" OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\WOW6432Node\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E} OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\FileSyncClient.AutoPlayHandler.1\ = "FileSyncClient AutoPlayHandler Class" OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\WOW6432Node\Interface\{2387C6BD-9A36-41A2-88ED-FF731E529384}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\WOW6432Node\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013\\FileSyncShell.dll" OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\SyncEngineFileInfoProvider.SyncEngineFileInfoProvider\CLSID OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\WOW6432Node\CLSID\{6bb93b4e-44d8-40e2-bd97-42dbcf18a40f}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /cci" OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\WOW6432Node\CLSID\{7B37E4E2-C62F-4914-9620-8FB5062718CC}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /cci /client=Personal" OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Interface\{5D5DD08F-A10E-4FEF-BCA7-E73E666FC66C}\ = "IFileSyncClient8" OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\WOW6432Node\Interface\{b5c25645-7426-433f-8a5f-42b7ff27a7b2} OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Interface\{390AF5A7-1390-4255-9BC9-935BFCFA5D57}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}" OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\odopen\shell\open OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Interface\{F0AF7C30-EAE4-4644-961D-54E6E28708D6}\TypeLib\ = "{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}" OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Interface\{0299ECA9-80B6-43C8-A79A-FB1C5F19E7D8}\ = "IFileSyncClient3" OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\WOW6432Node\Interface\{5D5DD08F-A10E-4FEF-BCA7-E73E666FC66C}\TypeLib\ = "{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}" OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Interface\{869BDA08-7ACF-42B8-91AE-4D8D597C0B33}\TypeLib\ = "{BAE13F6C-0E2A-4DEB-AA46-B8F55319347C}" OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\TypeLib\{082D3FEC-D0D0-4DF6-A988-053FECE7B884}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\18.151.0729.0013" OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Interface\{869BDA08-7ACF-42B8-91AE-4D8D597C0B33}\ProxyStubClsid32 OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\WOW6432Node\Interface\{2F12C599-7AA5-407A-B898-09E6E4ED2D1E}\TypeLib\Version = "1.0" OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\WOW6432Node\Interface\{AF60000F-661D-472A-9588-F062F6DB7A0E}\TypeLib\Version = "1.0" OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\WOW6432Node\CLSID\{9489FEB2-1925-4D01-B788-6D912C70F7F2}\TypeLib\ = "{638805C3-4BA3-4AC8-8AAC-71A0BA2BC284}" OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\SyncEngineCOMServer.SyncEngineCOMServer.1\CLSID\ = "{AB807329-7324-431B-8B36-DBD581F56E0B}" OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Interface\{02C98E2C-6C9F-49F8-9B57-3A6E1AA09A67}\ = "ISyncInformationLookupCallback" OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\WOW6432Node\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32\ThreadingModel = "Apartment" OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\WOW6432Node\CLSID\{1BF42E4C-4AF4-4CFD-A1A0-CF2960B8F63E}\ = "UpToDateOverlayHandler2 Class" OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Interface\{869BDA08-7ACF-42B8-91AE-4D8D597C0B33}\TypeLib OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\WOW6432Node\Interface\{F0AF7C30-EAE4-4644-961D-54E6E28708D6} OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Interface\{F0AF7C30-EAE4-4644-961D-54E6E28708D6}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\WOW6432Node\Interface\{53de12aa-df96-413d-a25e-c75b6528abf2}\TypeLib\Version = "1.0" OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Interface\{2692D1F2-2C7C-4AE0-8E73-8F37736C912D}\TypeLib\ = "{909A6CCD-6810-46C4-89DF-05BE7EB61E6C}" OneDrive.exe Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Interface\{390AF5A7-1390-4255-9BC9-935BFCFA5D57}\ = "IAlbumMetadataCallback" OneDrive.exe Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Interface\{02C98E2C-6C9F-49F8-9B57-3A6E1AA09A67}\ProxyStubClsid32 OneDrive.exe -
NTFS ADS 1 IoCs
description ioc Process File opened for modification C:\Users\Admin\Downloads\Unconfirmed 799744.crdownload:SmartScreen msedge.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 5468 schtasks.exe 4744 schtasks.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 5628 OneDrive.exe -
Suspicious behavior: EnumeratesProcesses 39 IoCs
pid Process 2784 msedge.exe 2784 msedge.exe 916 msedge.exe 916 msedge.exe 3476 identity_helper.exe 3476 identity_helper.exe 5244 msedge.exe 5244 msedge.exe 732 msedge.exe 732 msedge.exe 5780 msedge.exe 5780 msedge.exe 5780 msedge.exe 5780 msedge.exe 2488 rundll32.exe 2488 rundll32.exe 2488 rundll32.exe 2488 rundll32.exe 5292 rundll32.exe 5292 rundll32.exe 5380 AB98.tmp 5380 AB98.tmp 5380 AB98.tmp 5380 AB98.tmp 5380 AB98.tmp 5380 AB98.tmp 5380 AB98.tmp 1292 rundll32.exe 1292 rundll32.exe 4360 RedEye.exe 4360 RedEye.exe 4360 RedEye.exe 4360 RedEye.exe 5628 OneDrive.exe 5628 OneDrive.exe 3224 OneDriveSetup.exe 3224 OneDriveSetup.exe 3224 OneDriveSetup.exe 3224 OneDriveSetup.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 23 IoCs
pid Process 916 msedge.exe 916 msedge.exe 916 msedge.exe 916 msedge.exe 916 msedge.exe 916 msedge.exe 916 msedge.exe 916 msedge.exe 916 msedge.exe 916 msedge.exe 916 msedge.exe 916 msedge.exe 916 msedge.exe 916 msedge.exe 916 msedge.exe 916 msedge.exe 916 msedge.exe 916 msedge.exe 916 msedge.exe 916 msedge.exe 916 msedge.exe 916 msedge.exe 916 msedge.exe -
Suspicious use of AdjustPrivilegeToken 17 IoCs
description pid Process Token: SeShutdownPrivilege 2488 rundll32.exe Token: SeDebugPrivilege 2488 rundll32.exe Token: SeTcbPrivilege 2488 rundll32.exe Token: SeShutdownPrivilege 5292 rundll32.exe Token: SeDebugPrivilege 5292 rundll32.exe Token: SeTcbPrivilege 5292 rundll32.exe Token: SeDebugPrivilege 5380 AB98.tmp Token: SeShutdownPrivilege 1292 rundll32.exe Token: SeDebugPrivilege 1292 rundll32.exe Token: SeTcbPrivilege 1292 rundll32.exe Token: SeDebugPrivilege 4360 RedEye.exe Token: SeBackupPrivilege 2624 vssvc.exe Token: SeRestorePrivilege 2624 vssvc.exe Token: SeAuditPrivilege 2624 vssvc.exe Token: SeIncreaseQuotaPrivilege 3224 OneDriveSetup.exe Token: SeShutdownPrivilege 4636 shutdown.exe Token: SeRemoteShutdownPrivilege 4636 shutdown.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 916 msedge.exe 916 msedge.exe 916 msedge.exe 916 msedge.exe 916 msedge.exe 916 msedge.exe 916 msedge.exe 916 msedge.exe 916 msedge.exe 916 msedge.exe 916 msedge.exe 916 msedge.exe 916 msedge.exe 916 msedge.exe 916 msedge.exe 916 msedge.exe 916 msedge.exe 916 msedge.exe 916 msedge.exe 916 msedge.exe 916 msedge.exe 916 msedge.exe 916 msedge.exe 916 msedge.exe 916 msedge.exe 916 msedge.exe 916 msedge.exe 916 msedge.exe 916 msedge.exe 916 msedge.exe 916 msedge.exe 916 msedge.exe 916 msedge.exe 916 msedge.exe 916 msedge.exe 916 msedge.exe 916 msedge.exe 916 msedge.exe 916 msedge.exe 916 msedge.exe 916 msedge.exe 916 msedge.exe 916 msedge.exe 916 msedge.exe 916 msedge.exe 916 msedge.exe 916 msedge.exe 916 msedge.exe 916 msedge.exe 916 msedge.exe 916 msedge.exe 916 msedge.exe 916 msedge.exe 916 msedge.exe 916 msedge.exe 916 msedge.exe 916 msedge.exe 916 msedge.exe 916 msedge.exe 916 msedge.exe 916 msedge.exe 916 msedge.exe 916 msedge.exe 916 msedge.exe -
Suspicious use of SendNotifyMessage 26 IoCs
pid Process 916 msedge.exe 916 msedge.exe 916 msedge.exe 916 msedge.exe 916 msedge.exe 916 msedge.exe 916 msedge.exe 916 msedge.exe 916 msedge.exe 916 msedge.exe 916 msedge.exe 916 msedge.exe 916 msedge.exe 916 msedge.exe 916 msedge.exe 916 msedge.exe 916 msedge.exe 916 msedge.exe 916 msedge.exe 916 msedge.exe 916 msedge.exe 916 msedge.exe 916 msedge.exe 916 msedge.exe 5628 OneDrive.exe 5628 OneDrive.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 5480 7z2408-x64.exe 5628 OneDrive.exe 5048 LogonUI.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 916 wrote to memory of 4828 916 msedge.exe 83 PID 916 wrote to memory of 4828 916 msedge.exe 83 PID 916 wrote to memory of 1148 916 msedge.exe 84 PID 916 wrote to memory of 1148 916 msedge.exe 84 PID 916 wrote to memory of 1148 916 msedge.exe 84 PID 916 wrote to memory of 1148 916 msedge.exe 84 PID 916 wrote to memory of 1148 916 msedge.exe 84 PID 916 wrote to memory of 1148 916 msedge.exe 84 PID 916 wrote to memory of 1148 916 msedge.exe 84 PID 916 wrote to memory of 1148 916 msedge.exe 84 PID 916 wrote to memory of 1148 916 msedge.exe 84 PID 916 wrote to memory of 1148 916 msedge.exe 84 PID 916 wrote to memory of 1148 916 msedge.exe 84 PID 916 wrote to memory of 1148 916 msedge.exe 84 PID 916 wrote to memory of 1148 916 msedge.exe 84 PID 916 wrote to memory of 1148 916 msedge.exe 84 PID 916 wrote to memory of 1148 916 msedge.exe 84 PID 916 wrote to memory of 1148 916 msedge.exe 84 PID 916 wrote to memory of 1148 916 msedge.exe 84 PID 916 wrote to memory of 1148 916 msedge.exe 84 PID 916 wrote to memory of 1148 916 msedge.exe 84 PID 916 wrote to memory of 1148 916 msedge.exe 84 PID 916 wrote to memory of 1148 916 msedge.exe 84 PID 916 wrote to memory of 1148 916 msedge.exe 84 PID 916 wrote to memory of 1148 916 msedge.exe 84 PID 916 wrote to memory of 1148 916 msedge.exe 84 PID 916 wrote to memory of 1148 916 msedge.exe 84 PID 916 wrote to memory of 1148 916 msedge.exe 84 PID 916 wrote to memory of 1148 916 msedge.exe 84 PID 916 wrote to memory of 1148 916 msedge.exe 84 PID 916 wrote to memory of 1148 916 msedge.exe 84 PID 916 wrote to memory of 1148 916 msedge.exe 84 PID 916 wrote to memory of 1148 916 msedge.exe 84 PID 916 wrote to memory of 1148 916 msedge.exe 84 PID 916 wrote to memory of 1148 916 msedge.exe 84 PID 916 wrote to memory of 1148 916 msedge.exe 84 PID 916 wrote to memory of 1148 916 msedge.exe 84 PID 916 wrote to memory of 1148 916 msedge.exe 84 PID 916 wrote to memory of 1148 916 msedge.exe 84 PID 916 wrote to memory of 1148 916 msedge.exe 84 PID 916 wrote to memory of 1148 916 msedge.exe 84 PID 916 wrote to memory of 1148 916 msedge.exe 84 PID 916 wrote to memory of 2784 916 msedge.exe 85 PID 916 wrote to memory of 2784 916 msedge.exe 85 PID 916 wrote to memory of 1576 916 msedge.exe 86 PID 916 wrote to memory of 1576 916 msedge.exe 86 PID 916 wrote to memory of 1576 916 msedge.exe 86 PID 916 wrote to memory of 1576 916 msedge.exe 86 PID 916 wrote to memory of 1576 916 msedge.exe 86 PID 916 wrote to memory of 1576 916 msedge.exe 86 PID 916 wrote to memory of 1576 916 msedge.exe 86 PID 916 wrote to memory of 1576 916 msedge.exe 86 PID 916 wrote to memory of 1576 916 msedge.exe 86 PID 916 wrote to memory of 1576 916 msedge.exe 86 PID 916 wrote to memory of 1576 916 msedge.exe 86 PID 916 wrote to memory of 1576 916 msedge.exe 86 PID 916 wrote to memory of 1576 916 msedge.exe 86 PID 916 wrote to memory of 1576 916 msedge.exe 86 PID 916 wrote to memory of 1576 916 msedge.exe 86 PID 916 wrote to memory of 1576 916 msedge.exe 86 PID 916 wrote to memory of 1576 916 msedge.exe 86 PID 916 wrote to memory of 1576 916 msedge.exe 86 PID 916 wrote to memory of 1576 916 msedge.exe 86 PID 916 wrote to memory of 1576 916 msedge.exe 86 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://google.com1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:916 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff7fd646f8,0x7fff7fd64708,0x7fff7fd647182⤵PID:4828
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,12227093425122037428,4192119212591225938,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:22⤵PID:1148
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,12227093425122037428,4192119212591225938,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2548 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:2784
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,12227093425122037428,4192119212591225938,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2872 /prefetch:82⤵PID:1576
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,12227093425122037428,4192119212591225938,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:12⤵PID:4424
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,12227093425122037428,4192119212591225938,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:12⤵PID:1484
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,12227093425122037428,4192119212591225938,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4624 /prefetch:12⤵PID:3596
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,12227093425122037428,4192119212591225938,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5116 /prefetch:82⤵PID:3152
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,12227093425122037428,4192119212591225938,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5116 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:3476
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,12227093425122037428,4192119212591225938,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3940 /prefetch:12⤵PID:1996
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,12227093425122037428,4192119212591225938,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:12⤵PID:4952
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,12227093425122037428,4192119212591225938,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3044 /prefetch:12⤵PID:1444
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,12227093425122037428,4192119212591225938,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:12⤵PID:632
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,12227093425122037428,4192119212591225938,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5336 /prefetch:12⤵PID:3880
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,12227093425122037428,4192119212591225938,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5892 /prefetch:12⤵PID:2224
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,12227093425122037428,4192119212591225938,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5856 /prefetch:12⤵PID:2756
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,12227093425122037428,4192119212591225938,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5832 /prefetch:12⤵PID:4244
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,12227093425122037428,4192119212591225938,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:12⤵PID:4128
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,12227093425122037428,4192119212591225938,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5468 /prefetch:12⤵PID:4892
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,12227093425122037428,4192119212591225938,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5332 /prefetch:12⤵PID:3548
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,12227093425122037428,4192119212591225938,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5588 /prefetch:12⤵PID:3520
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2080,12227093425122037428,4192119212591225938,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=2220 /prefetch:82⤵PID:784
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,12227093425122037428,4192119212591225938,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6524 /prefetch:12⤵PID:2612
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,12227093425122037428,4192119212591225938,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5560 /prefetch:12⤵PID:1356
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,12227093425122037428,4192119212591225938,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7000 /prefetch:12⤵PID:1728
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,12227093425122037428,4192119212591225938,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7132 /prefetch:12⤵PID:2372
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2080,12227093425122037428,4192119212591225938,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7096 /prefetch:82⤵PID:4988
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,12227093425122037428,4192119212591225938,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7152 /prefetch:12⤵PID:3228
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,12227093425122037428,4192119212591225938,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6876 /prefetch:12⤵PID:2668
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,12227093425122037428,4192119212591225938,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6052 /prefetch:12⤵PID:4916
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,12227093425122037428,4192119212591225938,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6868 /prefetch:12⤵PID:4988
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2080,12227093425122037428,4192119212591225938,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:5244
-
-
C:\Users\Admin\Downloads\7z2408-x64.exe"C:\Users\Admin\Downloads\7z2408-x64.exe"2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5480
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2080,12227093425122037428,4192119212591225938,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4580 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:732
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,12227093425122037428,4192119212591225938,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1220 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:5780
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3484
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1732
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:3564
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\BadRabbit.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\BadRabbit.exe"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:856 -
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 152⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2488 -
C:\Windows\SysWOW64\cmd.exe/c schtasks /Delete /F /TN rhaegal3⤵
- System Location Discovery: System Language Discovery
PID:5188 -
C:\Windows\SysWOW64\schtasks.exeschtasks /Delete /F /TN rhaegal4⤵
- System Location Discovery: System Language Discovery
PID:5228
-
-
-
C:\Windows\SysWOW64\cmd.exe/c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3458842052 && exit"3⤵
- System Location Discovery: System Language Discovery
PID:5308 -
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3458842052 && exit"4⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:5468
-
-
-
C:\Windows\SysWOW64\cmd.exe/c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 09:25:003⤵
- System Location Discovery: System Language Discovery
PID:5480 -
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 09:25:004⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:4744
-
-
-
C:\Windows\AB98.tmp"C:\Windows\AB98.tmp" \\.\pipe\{7E58A905-6AB8-4553-9C06-DEDA7D6D232B}3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5380
-
-
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\BadRabbit.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\BadRabbit.exe"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:3932 -
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 152⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5292
-
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\BadRabbit.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\BadRabbit.exe"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4816 -
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 152⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1292
-
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\RedEye.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\RedEye.exe"1⤵
- Modifies Windows Defender Real-time Protection settings
- UAC bypass
- Disables RegEdit via registry modification
- Event Triggered Execution: Image File Execution Options Injection
- Adds Run key to start application
- Drops autorun.inf file
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4360 -
C:\Windows\SYSTEM32\vssadmin.exevssadmin delete shadows /all /quiet2⤵
- Interacts with shadow copies
PID:1896
-
-
C:\Windows\SYSTEM32\vssadmin.exevssadmin delete shadows /all /quiet2⤵
- Interacts with shadow copies
PID:5652
-
-
C:\Windows\SYSTEM32\vssadmin.exevssadmin delete shadows /all /quiet2⤵
- Interacts with shadow copies
PID:5608
-
-
C:\Windows\SYSTEM32\NetSh.exeNetSh Advfirewall set allprofiles state off2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:5712
-
-
C:\Windows\System32\shutdown.exe"C:\Windows\System32\shutdown.exe" -r -t 00 -f2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4636
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2624
-
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\RedEye.exe"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Ransomware\RedEye.exe"1⤵PID:5220
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"1⤵
- Modifies system executable filetype association
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:5628 -
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe" /update /restart2⤵
- Executes dropped EXE
- Checks system information in the registry
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3224 -
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exeC:\Users\Admin\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe /update /restart /peruser /childprocess /extractFilesWithLessThreadCount /renameReplaceOneDriveExe /renameReplaceODSUExe /removeNonCurrentVersions /enableODSUReportingMode3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1648
-
-
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe"1⤵
- Modifies system executable filetype association
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies Internet Explorer settings
- Modifies registry class
PID:5252
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa3909055 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:5048
Network
MITRE ATT&CK Enterprise v15
Execution
Scheduled Task/Job
1Scheduled Task
1Windows Management Instrumentation
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
4Change Default File Association
1Component Object Model Hijacking
1Image File Execution Options Injection
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
4Change Default File Association
1Component Object Model Hijacking
1Image File Execution Options Injection
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Direct Volume Access
1Impair Defenses
3Disable or Modify System Firewall
1Disable or Modify Tools
2Indicator Removal
2File Deletion
2Modify Registry
6Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
99KB
MD5d346530e648e15887ae88ea34c82efc9
SHA15644d95910852e50a4b42375bddfef05f6b3490f
SHA256f972b164d9a90821be0ea2f46da84dd65f85cd0f29cd1abba0c8e9a7d0140902
SHA51262db21717f79702cbdd805109f30f51a7f7ff5f751dc115f4c95d052c5405eb34d5e8c5a83f426d73875591b7d463f00f686c182ef3850db2e25989ae2d83673
-
Filesize
1KB
MD52d2a235f1b0f4b608c5910673735494b
SHA123a63f6529bfdf917886ab8347092238db0423a0
SHA256c897436c82fda9abf08b29fe05c42f4e59900116bbaf8bfd5b85ef3c97ab7884
SHA51210684245497f1a115142d49b85000075eb36f360b59a0501e2f352c9f1d767c447c6c44c53a3fb3699402a15a8017bdbd2edd72d8599fdd4772e9e7cb67f3086
-
Filesize
152B
MD5b8880802fc2bb880a7a869faa01315b0
SHA151d1a3fa2c272f094515675d82150bfce08ee8d3
SHA256467b8cd4aacac66557712f9843023dcedefcc26efc746f3e44157bc8dac73812
SHA512e1c6dba2579357ba70de58968b167d2c529534d24bff70568144270c48ac18a48ee2af2d58d78ae741e5a36958fa78a57955bd2456f1df00b781fc1002e123d2
-
Filesize
152B
MD5ba6ef346187b40694d493da98d5da979
SHA1643c15bec043f8673943885199bb06cd1652ee37
SHA256d86eec91f295dfda8ed1c5fa99de426f2fe359282c7ebf67e3a40be739475d73
SHA5122e6cc97330be8868d4b9c53be7e12c558f6eb1ac2c4080a611ba6c43561d0c5bb4791b8a11a8c2371599f0ba73ed1d9a7a2ea6dee2ae6a080f1912e0cb1f656c
-
Filesize
62KB
MD5c3c0eb5e044497577bec91b5970f6d30
SHA1d833f81cf21f68d43ba64a6c28892945adc317a6
SHA256eb48be34490ec9c4f9402b882166cd82cd317b51b2a49aae75cdf9ee035035eb
SHA51283d3545a4ed9eed2d25f98c4c9f100ae0ac5e4bc8828dccadee38553b7633bb63222132df8ec09d32eb37d960accb76e7aab5719fc08cc0a4ef07b053f30cf38
-
Filesize
70KB
MD5807dda2eb77b3df60f0d790fb1e4365e
SHA1e313de651b857963c9ab70154b0074edb0335ef4
SHA25675677b9722d58a0a288f7931cec8127fd786512bd49bfba9d7dcc0b8ef2780fc
SHA51236578c5aedf03f9a622f3ff0fdc296aa1c2d3074aaea215749b04129e9193c4c941c8a07e2dbbf2f64314b59babb7e58dfced2286d157f240253641c018b8eda
-
Filesize
19KB
MD576a3f1e9a452564e0f8dce6c0ee111e8
SHA111c3d925cbc1a52d53584fd8606f8f713aa59114
SHA256381396157ed5e8021dd8e660142b35eb71a63aecd33062a1103ce9c709c7632c
SHA512a1156a907649d6f2c3f7256405d9d5c62a626b8d4cd717fa2f29d2fbe91092a2b3fdd0716f8f31e59708fe12274bc2dea6c9ae6a413ea290e70ddf921fe7f274
-
Filesize
63KB
MD5710d7637cc7e21b62fd3efe6aba1fd27
SHA18645d6b137064c7b38e10c736724e17787db6cf3
SHA256c0997474b99524325dfedb5c020436e7ea9f9c9a1a759ed6daf7bdd4890bdc2b
SHA51219aa77bed3c441228789cf8f931ca6194cc8d4bc7bb85d892faf5eaeda67d22c8c3b066f8ceda8169177da95a1fe111bd3436ceeaf4c784bd2bf96617f4d0c44
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize3KB
MD58e0623dd1c957fc473af5334fc081593
SHA17ebb33967a2b384429ab280f3aa3ca3b54f5452a
SHA2561c029b44869582d345b96be9e83965012d083449c13159457e58c5fe6d4232ab
SHA512c299ccccd745505da09ce285c2e8c3bd1398ba8d43d1275d2551712987029be9f4274c84d76061521ccb9029608f1650dc681c70ae6f5486257e23a0df13f8fa
-
Filesize
2KB
MD567bd0a149d59ceb5b23896ffa1826ba1
SHA18a9477dc128544e2e40724346ea53261cee07074
SHA25696ea19231d4d4228a016bf748a89c7c6565b4192ad8c6e423b45cb392acf27d4
SHA5126cd85e25a9ccd023663ef7c95150975b15352f3c86dda3b71ca24d29e0448cf84dca5bf88b650c6873282dc79d1d0b8fcf2dcf37534f9fbc39900c271603cbd7
-
Filesize
7KB
MD5e0b9a03a7258c336c5dbf157ccedbd31
SHA1f44b77023bfec4a221a527d9b9c5215e6615046f
SHA25653e160399ecc3b780931615aeeb2a939af143582c6717c83836b44e4a48ddb85
SHA5120877ece0be98000217810a16209d489bcf9e8a34224d26d210ccf20405245c953f990a3be33b419a3babd374404cb7d86c3eb57a411d0e80399674caba262812
-
Filesize
7KB
MD56c40b005a929e6a42484f6d3b3e5d13a
SHA18f07d6db99c34ea719f6378a1ceb942cf1dbf1c2
SHA256f84652834bc00aca2ee2b030f1128acec71f675e927aafa166c35f3ef6c6305d
SHA5127a115e64e515b5e00260df3f219d943e48683c15bab9b01eaf90e08f72c2b05572234116398848d4424296b5a74b100c2cbf253298c682d6be13bbfd7106a32d
-
Filesize
7KB
MD5346d95f4e4fed7ccfb1eb7881242fde0
SHA17667ba65f36359ee9f44e2965f2d16b8a8d08ddd
SHA256d792d3e56926c97845f6398b335522f0bdd00415fbd411fae87b3f8dfa70d395
SHA512971b53b3e51c8174cf2bc4cd4a3b1deab030b0184afbf0094f73f33c4af5107f513fb17f08c76f46d94fe29fcbb986ec114a130d1434b9f6a11dd72c470ea9a7
-
Filesize
6KB
MD5a41e2c8cbf6824ea9331d16f3cd33f95
SHA1fb7b68ea271174d2dd0ed1efdc33230e28f10c8c
SHA256ddc8abe74a3374c72d29c82640cc4679fb31ecf029b9619dcb150dc1bdeb819a
SHA512d820f95e0bf0e3af8455f9b6c74f2182d419c98e43798a19d9ea6d7d8a25b229a5b19ff036e59f6eee1081f0fd3530b3de7ce122f45e33f6224c81ce1bada5cc
-
Filesize
5KB
MD5248418322ec79299cd2c34d0d4143ae9
SHA1618b0c7d2546e56eab95108e8c5c3035351f7f6d
SHA256a339bd9c5621920d8a5a001c1dbfce0a3b7efc26ec3eb978f6b90ed3f2b82190
SHA512ddd000dac27d0d6369749b367c576df31aaf01fc2ca5e14c47f2121728e4c76e9ed523226d60ed512d073703f1dceb8f0ad8454190dad491b833580ede9e3b17
-
Filesize
1KB
MD598c046d10de02ff3d0a072b6822051d7
SHA1ef84bace64280b1a26bd45559453c0686981fc79
SHA2565fc3b26c6795a504901182ee7fd5bfb7f342777824692beb5bc74c714cccdf3d
SHA5125e9ff3a000f88ecff420a3fdd540e378f83603f8929951fb4c3a2bfed5eb873ec9550b4c154038bb3dbc8d0a174a824a2bc4c5c70dd779c910e5cae29b0eee30
-
Filesize
1KB
MD555f9d6a580016b9b22e497c9f23db58c
SHA13894d4e3460c94181259c67759f12f25e00b1293
SHA256c91940f9306701202f29fa2457d0935778765a5a4fb3b21ef9acff5b241950ad
SHA512fc2a7692eae6f18ccd1ca8ba8a72366d196bf482b484df1371277f47c36c0b724e5beaffe23941e312e0fd9caea2d05c44f7bd9915c062a4141e300a16a1cd04
-
Filesize
1KB
MD5d70f60bf17909bd07fc11e0db22b1238
SHA1d335f86da52d6caa637042e7710254720d311a0a
SHA256af349c1d143ef63caec6337224ae6f3319a8495950cac5d140de41bea85084c4
SHA5124bb4f4241e8b12a983eb8c21aaa1b9a57b7fe768402fddc0f0f425ed9ce7d00a95eea27adb224336c02a5f92bea450362bceadf2041dd94a6ae9ab926fc6b292
-
Filesize
204B
MD50040e3ff1d5ab37ee29816a9f8aec651
SHA1490c373c0981e1c452709a19f869d6721a62fa3e
SHA2562faba35be316944e5745674872b3b8edfd028ddd5ffd15aaab56b5f8f19ccdb2
SHA512a84232430d79ed2f6dca20e94b85b59bb69a944c781ef5ed9bc80004a5d2c7f19c78a6dd9a3f967d43baf94fdf4f0dda3f2d519bebee7c50681c83679f25394e
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
12KB
MD50745ebad86f7969ef9ec9fd2cf109759
SHA15d658fbf4d068e2aefe225d49c941dce232cd0b1
SHA25656ce61c48fc86340a04fd35e9eefd6557a90f8d5599ec38749a8faa0bdbd9dee
SHA512bdfa78addad064aa84fd063829438bed6a16d3db99ff8adf558c29958ddee44864cf3d6f4273381d85895404e2ebf9fa8d96a549c3c4d7ab5adf1384f1f126ab
-
Filesize
11KB
MD518e3488f845d033f3a00c446a0fd8c8e
SHA1d3899f733fbc21a29d79ccc604007658f60d4cf7
SHA256a5edf8772b90cb9a5821bc99eab31383c8f788fcc947d2261753e3a8be25ef8d
SHA512194ada8e2ddbdf3e6428f355cbefde8afae8d2f5f54baeded75ed9191f8be8ff5950774ca7c8a507d48fe24bebde0c89209eac52d61d13695123abd779a4c3ec
-
Filesize
11KB
MD5964580bc41b1144b708206bf58984372
SHA148787a5dc05c2529d2e6abedb551daea77fc4030
SHA256254c3bd3c0a6693435453f07b28453cc3736363b5bb3c8a577209b8ccf4ca4a9
SHA51231b7d1bd6c0ebc1281b442322520dab8719e7b21366218fee38ce3c4672cc690b572ef77535606cee25b759daae92d0a41d2a61b735296b4bcbaab7092324dda
-
Filesize
40.2MB
MD5fb4aa59c92c9b3263eb07e07b91568b5
SHA16071a3e3c4338b90d892a8416b6a92fbfe25bb67
SHA256e70e80dbbc9baba7ddcee70eda1bb8d0e6612dfb1d93827fe7b594a59f3b48b9
SHA51260aabbe2fd24c04c33e7892eab64f24f8c335a0dd9822eb01adc5459e850769fc200078c5ccee96c1f2013173bc41f5a2023def3f5fe36e380963db034924ace
-
Filesize
6KB
MD5130b8af55adf2cc475071e6777311d18
SHA1d26538ce13cba60625b875f672ec5baade0c99e9
SHA256eb7fe30cc1573915cfd005240e5b265996d6c416f5bb383cc65361ff7f595c33
SHA512ec7d4048fc8212129e621ee8e9202ed9cd7da0f9953c413804d290d1b0ba13a76ddc280833ea230727516e3fcf3f93e548bad067e9969431ee37ffe93f85759b
-
Filesize
217KB
MD50be0ca009a5cb720b700940e2b4b50d3
SHA151ad0c90ee74ee4ff81ea5f0cce47489bdbdb51e
SHA256ad5aa515b71303c3943e4bbd2ad08dd7dbd1a94a432a6d5d7ded06aee77fd5ce
SHA5120603de255eab1c83161c80a82b9b411e87553662ab8602ea20e2c992f8783a0cf13015692edabc960b7249c0af5644ad2eee1a84d6359be2f91032a170b92531
-
Filesize
4KB
MD52887c19ce79f266b959d6840711ca594
SHA1fcbeab5c9abf1292c81d2e5914f00eae4c4805b1
SHA256d593cff2a971e0f5c3248c30929f5a4efde0ddc571ff77ef14520b53247f2c80
SHA512146e9b32eb7e920855f0ef766bf97debeb6babdfd830dc0895f5625ddd13c083a3dcec5d00dc8612697b41ab13a327d63d4a1daa486f800083c585b3ea0083c7
-
Filesize
20KB
MD5c108a9d181e0875c62c01ddfe077144c
SHA19e76a3871163f26030e6c509e74b10738ad305f1
SHA256071afd69e6312cf7d8e9c48cb2af714b7554b162f2432a5bd5335f090ff823ad
SHA5129052c5794cf28d90d1edcc1802e831dbd70366a464545a34851813beffcc239dd0b2c30f2ff5ebc34209b861237b7ebc4fdb8a652aa4362fe33b9c9a9c9786af
-
Filesize
38B
MD5cc04d6015cd4395c9b980b280254156e
SHA187b176f1330dc08d4ffabe3f7e77da4121c8e749
SHA256884d272d16605590e511ae50c88842a8ce203a864f56061a3c554f8f8265866e
SHA512d3cb7853b69649c673814d5738247b5fbaaae5bb7b84e4c7b3ff5c4f1b1a85fc7261a35f0282d79076a9c862e5e1021d31a318d8b2e5a74b80500cb222642940
-
Filesize
63KB
MD5e516a60bc980095e8d156b1a99ab5eee
SHA1238e243ffc12d4e012fd020c9822703109b987f6
SHA256543796a1b343b4ebc0285d89cb8eb70667ac7b513da37495e38003704e9d88d7
SHA5129b51e99ba20e9da56d1acc24a1cf9f9c9dbdeb742bec034e0ff2bc179a60f4aff249f40344f9ddd43229dcdefa1041940f65afb336d46c175ffeff725c638d58
-
Filesize
726B
MD553244e542ddf6d280a2b03e28f0646b7
SHA1d9925f810a95880c92974549deead18d56f19c37
SHA25636a6bd38a8a6f5a75b73caffae5ae66dfabcaefd83da65b493fa881ea8a64e7d
SHA5124aa71d92ea2c46df86565d97aac75395371d3e17877ab252a297b84dca2ab251d50aaffc62eab9961f0df48de6f12be04a1f4a2cbde75b9ae7bcce6eb5450c62
-
Filesize
470B
MD50dcf46419cf59a50c4703af24a0566cf
SHA139f56330fd7453921eba7d32d3aa0f529204e060
SHA25698028c1061044e7ed56f4f3f76987a86d5a0ddf81ac9a320d2378ee2d06ae1ba
SHA51257338837ee35e358cf93d7a5baa37aaea1f854d25f02bfb5c4a141f7d8500bbd9774d77b2c51a8ef83e9f5e5f6494da6331173223d98f7b7395d6519bc64f303
-
Filesize
1.5MB
MD50330d0bd7341a9afe5b6d161b1ff4aa1
SHA186918e72f2e43c9c664c246e62b41452d662fbf3
SHA25667cb9d3452c9dd974b04f4a5fd842dbcba8184f2344ff72e3662d7cdb68b099b
SHA512850382414d9d33eab134f8bd89dc99759f8d0459b7ad48bd9588405a3705aeb2cd727898529e3f71d9776a42e141c717e844e0b5c358818bbeac01d096907ad1
-
Filesize
60KB
MD5347ac3b6b791054de3e5720a7144a977
SHA1413eba3973a15c1a6429d9f170f3e8287f98c21c
SHA256301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c
SHA5129a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787
-
Filesize
401KB
MD51d724f95c61f1055f0d02c2154bbccd3
SHA179116fe99f2b421c52ef64097f0f39b815b20907
SHA256579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648
SHA512f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113