hxxps://github[.]com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/WannaCry[.]exe

Resubmissions

19-04-2024 14:51

240419-r8efbsga3w 1

19-04-2024 14:41

240419-r2pygsfg7t 8

19-04-2024 14:19

240419-rm5qdsfd6s 8

19-04-2024 14:15

240419-rk2kysed83 10

Analysis

max time kernel
961s
max time network
965s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
19-04-2024 14:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/WannaCry.exe

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

ChilledWindows.exe

pid process

4412 ChilledWindows.exe

pid	process
4412	ChilledWindows.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

ChilledWindows.exe

description	ioc	process
File opened (read-only)	\??\U:	ChilledWindows.exe
File opened (read-only)	\??\A:	ChilledWindows.exe
File opened (read-only)	\??\H:	ChilledWindows.exe
File opened (read-only)	\??\K:	ChilledWindows.exe
File opened (read-only)	\??\M:	ChilledWindows.exe
File opened (read-only)	\??\R:	ChilledWindows.exe
File opened (read-only)	\??\S:	ChilledWindows.exe
File opened (read-only)	\??\J:	ChilledWindows.exe
File opened (read-only)	\??\L:	ChilledWindows.exe
File opened (read-only)	\??\O:	ChilledWindows.exe
File opened (read-only)	\??\Q:	ChilledWindows.exe
File opened (read-only)	\??\V:	ChilledWindows.exe
File opened (read-only)	\??\W:	ChilledWindows.exe
File opened (read-only)	\??\X:	ChilledWindows.exe
File opened (read-only)	\??\Z:	ChilledWindows.exe
File opened (read-only)	\??\E:	ChilledWindows.exe
File opened (read-only)	\??\I:	ChilledWindows.exe
File opened (read-only)	\??\N:	ChilledWindows.exe
File opened (read-only)	\??\T:	ChilledWindows.exe
File opened (read-only)	\??\B:	ChilledWindows.exe
File opened (read-only)	\??\G:	ChilledWindows.exe
File opened (read-only)	\??\P:	ChilledWindows.exe
File opened (read-only)	\??\Y:	ChilledWindows.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

74 raw.githubusercontent.com
73 raw.githubusercontent.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
74	raw.githubusercontent.com
73	raw.githubusercontent.com

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

ChilledWindows.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2288054676-1871194608-3559553667-1000\{492CF0E0-A784-4790-A031-15312AEFD957}	ChilledWindows.exe

NTFS ADS 1 IoCs

Processes:

msedge.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\Unconfirmed 368204.crdownload:SmartScreen msedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 368204.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exe

pid	process
844	msedge.exe
844	msedge.exe
1144	msedge.exe
1144	msedge.exe
3000	identity_helper.exe
3000	identity_helper.exe
4008	msedge.exe
4008	msedge.exe
1384	msedge.exe
1384	msedge.exe
1384	msedge.exe
1384	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

1144 msedge.exe
1144 msedge.exe
1144 msedge.exe
1144 msedge.exe
1144 msedge.exe
1144 msedge.exe
1144 msedge.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

ChilledWindows.exeAUDIODG.EXE

description	pid	process
Token: SeShutdownPrivilege	4412	ChilledWindows.exe
Token: SeCreatePagefilePrivilege	4412	ChilledWindows.exe
Token: 33	4408	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4408	AUDIODG.EXE
Token: SeShutdownPrivilege	4412	ChilledWindows.exe
Token: SeCreatePagefilePrivilege	4412	ChilledWindows.exe
Token: SeShutdownPrivilege	4412	ChilledWindows.exe
Token: SeCreatePagefilePrivilege	4412	ChilledWindows.exe

Suspicious use of FindShellTrayWindow 44 IoCs

Processes:

msedge.exeChilledWindows.exe

pid	process
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
4412	ChilledWindows.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe

Suspicious use of SendNotifyMessage 32 IoCs

Processes:

msedge.exe

pid	process
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 1144 wrote to memory of 2384	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 2384	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 3324	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 3324	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 3324	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 3324	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 3324	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 3324	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 3324	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 3324	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 3324	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 3324	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 3324	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 3324	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 3324	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 3324	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 3324	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 3324	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 3324	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 3324	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 3324	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 3324	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 3324	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 3324	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 3324	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 3324	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 3324	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 3324	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 3324	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 3324	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 3324	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 3324	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 3324	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 3324	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 3324	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 3324	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 3324	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 3324	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 3324	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 3324	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 3324	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 3324	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 844	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 844	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 116	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 116	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 116	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 116	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 116	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 116	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 116	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 116	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 116	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 116	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 116	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 116	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 116	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 116	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 116	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 116	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 116	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 116	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 116	1144	msedge.exe	msedge.exe
PID 1144 wrote to memory of 116	1144	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/WannaCry.exe
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbe31f46f8,0x7ffbe31f4708,0x7ffbe31f4718
  2⤵
  PID:2384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,3333788986882659755,3319810751776406504,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
  2⤵
  PID:3324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,3333788986882659755,3319810751776406504,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,3333788986882659755,3319810751776406504,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2784 /prefetch:8
  2⤵
  PID:116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,3333788986882659755,3319810751776406504,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:2016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,3333788986882659755,3319810751776406504,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:3276
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,3333788986882659755,3319810751776406504,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5040 /prefetch:8
  2⤵
  PID:820
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,3333788986882659755,3319810751776406504,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5040 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,3333788986882659755,3319810751776406504,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1
  2⤵
  PID:2392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,3333788986882659755,3319810751776406504,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1
  2⤵
  PID:1288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,3333788986882659755,3319810751776406504,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4756 /prefetch:1
  2⤵
  PID:1316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,3333788986882659755,3319810751776406504,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
  2⤵
  PID:2568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2112,3333788986882659755,3319810751776406504,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5680 /prefetch:8
  2⤵
  PID:1376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,3333788986882659755,3319810751776406504,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5748 /prefetch:1
  2⤵
  PID:1056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2112,3333788986882659755,3319810751776406504,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6360 /prefetch:8
  2⤵
  PID:3308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2112,3333788986882659755,3319810751776406504,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3744 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4008
- C:\Users\Admin\Downloads\ChilledWindows.exe
  "C:\Users\Admin\Downloads\ChilledWindows.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:4412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,3333788986882659755,3319810751776406504,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5152 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1384

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3808

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2244

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x518 0x528
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3d9da931f98579d9af12b0cddeea667a

SHA1
5f02b023ce6b879af428b39ce9573f2343ef4771

SHA256
ae100e49b8a80ae8b977141fca8c9d0b35112f92af89ebe4dc5dbf2b1311fff0

SHA512
bd338bf14893d2c2f529eb0542b6b82e2beed5614d449c4147a87067f6ba1ff8d7bb178ad56d7b1491acd9d08d5bac5d1906160cf14998a13957117967a28680

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e95d45b99ee46b05441be74a152f3af8

SHA1
76adb523ca3943c8eeb4793a7daaa1f27cbab7d4

SHA256
435d76228edca3be83910f980b82f508e25541918fc3d7c4278a77307c880fb0

SHA512
35ec6bb16d0aba61622e6c9c8d1d4823b8d3e13644ab0b849cace25e0ed2adcf3cd98f6e7e7a24be8c64e360ea3be71523ed12d3c061d88eaa24276bfd91da80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
890cb61835b5977bc48fb2318164d0a4

SHA1
42c2784dae3952bd89ada9b5d14ac9d2be99dcc5

SHA256
a1af153e40779d8c6998a4dff81b2a3b51e51076d9d559163931d46a118b972c

SHA512
96a4ae9939820b9fe5066d5b8a5371a050dd29809e5c3e26ce96e8a5d22346940f8030c3e15d89add4540e21569657e3d32b9128ae32aa329df923b5b47fc89d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
579B

MD5
46fa4f5f7344089589d117bd7599b3a9

SHA1
b6cc1fe19e527d4a372c97e4d195ed94eee40030

SHA256
223280d95a13f1af6af06459bbf230874500c212a2e16f63914eff3f22e8b57a

SHA512
6b680aedde7e806802652aab9ab31cb21438bc8756b063955e6f03bbbdf1273f7d47c40ec1a19fe27537afeb8d6cc219a246d31f7c6822b481649fe296e2a45c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
8faf1018d0c48f0b83550814d325bbd3

SHA1
bb42d46c8f8f346f727130f02c3986e9c81f2ef4

SHA256
269e8bfcca4b1a1216e71bbadc9c6dd160dee2f912ec219122e4881054b3d8f4

SHA512
e8da76b999537795382e154f100f1fcdd3c11d629bcbe7b8fd7d0e57f4d9488874ea013eb729683078f9ce33c3c0de641afd581257f6745e2ab47a0561df9678

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a1282d349e86ba0d1f53a0d7eeed4224

SHA1
526c42dca5f20751ecddd99e96d1f1b39c3cfe89

SHA256
9b2fdb44df0a55a3e274e6324e188a177732883445e023bff92f1b8f783042f7

SHA512
f9902548a2c5b112b427c14f6049d46e0407b168ba8ef4d7f46749ad77ba96cace758317436262d90c112a8e86b87196444e9f02595d820f26ac6e572db00c0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
06239036a3265b49daece0348824c1ff

SHA1
6751bd4f69ed01cc76fd536a9b9b69723dac643b

SHA256
f65c5d075e2aa61cf5078a5fee3c8560db6e2979aa85dd5508b6aa863bbf8199

SHA512
9dce2b657431625731bd54ea27f3b841e026ebde16e5719dffe087e67c4b0af5bcfbffc1f36b6355b064b0712f149b93a3061253e3f77407f544173d71cc8e51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7ce93a172f20e0b7952eaaa27c8aa79d

SHA1
98ef89d262a149cc98b826088e23e53e392fd626

SHA256
bd266a913473ba02624211508f5e8b44240ff06890df35857bbd2929de544a97

SHA512
2b3a65ed70ea7c8b168e455ab94268a0c5ceed3ad295024400efa149052528a88ac5fb79f250c615b313720c82cd4aecb5dfe7d36aa1521f72f08d51da776f18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
23d544eb1567659ce04fc5e75b9834be

SHA1
7269e2d414172fe2d00b00edbb76a6d84900ea51

SHA256
17b3a80e82e21f20f44c479afaa0797844942e83c98278560666959d3c7151ec

SHA512
5a52db9c8aed8d2f75dbb9d8e4c175f9c4566a587f5921264d1b6253c08ec142f3cca478c173cd8f063d4b0a9770e2ae62a2e631859b1e1173e2beabc4e7f7a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
576e83c1432aa0b2a97b98e1e603ee45

SHA1
b8ac02412b03cf249f4943bbd85ebbd85f3a8889

SHA256
a14ba96dfa9b38b9981de1b12529c08bc3e884cb7ecae60f6a3c5418dafd736e

SHA512
3c763bdcccfdf9415cbec63269cf3d88666ed9231143cb002f813ebbcf0d8e2d21d87e179c37bd9f2d35dd0abfe8b9f018ba81c2e1b01699cfc5a8d6f9139266

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
c507de9adc9f8cd933a1e13d86f4daf6

SHA1
4e006377e38860ccb275e0274ead4b017a9a12be

SHA256
441dba0d79cd58c692ca5b2fb5329a5892d85d23f652b46efd169c5b0fb7a3e1

SHA512
2b8cbec80c7a9c979646bf1df1627bdc2a512de7c4e636922183475d323ab5dcd1398280ff659285c93917b120d31d062bfa734fb1877ccd667b2ecb5c9fb769

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
950d1455170ef42ab264c9276649076a

SHA1
4335ab85f60a0b8a7738b849cb200cf4cb38ae19

SHA256
90dbfb885a10ff850896db310894c5b6f1d0219690259da4cd83932596e702d3

SHA512
e22a226c8878426fd06a7ae2c6c9d0074d414d9a05f832a8a3c14c8c8995a43ff4f9d448151021f560e0c802b4053562f323f9a653f2a20dcb4c52663399f166

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
8d679250b7f75bf54500aefbfc20a623

SHA1
c396e70002f3218a5da675cbcf6f6fbf7544786c

SHA256
10395638e49101ee7e86470717382d701736ad57974ab7e6a0338aab748c5555

SHA512
1e9c1f6181e331a5835fa024f52519398b6161bdc484b0c83e63bff29a4091bdf9afa281b4d7902b611eda93349f9dbcf3002b803a15712489093892a291c31b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5805f6.TMP

Filesize
874B

MD5
67007d6d5278323e0d837de4d05fe475

SHA1
2091b2b8892ef45ade60788e47cd06290db47ee3

SHA256
4f6a65e7ef990b9a8abf2278cd8515e5afa245454af4847dff4d9e673af4294a

SHA512
d134e5e47f5b07e22ccbd26b3aa7a4310ad0d1246bb2f8ee87838e9b1cc5db5fb785dff4115e2094712aaed782b5b531d03fea4ff73a1532c9f76ba6fb28220d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
e463bbdda791dbe7e1ec1e3055865c77

SHA1
39d6daaa3906d2f0a0bb22a53393ed4ba55eae06

SHA256
1fc0c566d48f9525df0b178219710a0aafd4389d28349ea00730e9ea63474ee2

SHA512
73358e7c47b263b4fd245d4a5c92dd7ec43b2e52ce84ac7fac321ff9cd1330c0e2b4e09e61077a896fc37482226cb0304bf6f7c0c32208efdef798dba75a1dee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e090c886206069b86c0089eeb2426dbd

SHA1
d2e3f63ef4e8de87de7bdab0fd02d149b0a694cd

SHA256
e23a00c81211baec110ee4f7d2812783e5ff2bc1a808e1da25de18e52880aaea

SHA512
3252ff03fde44165913e76a1097f921cc248a9e928780888af84a305c16422a30b7293cc54bf4d9950f78f97d1f4bf950fce208b3b25cfc2837e268ba9c83bd7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
265a98472f0b7cbbd65df4ee09d8b51d

SHA1
02817865d874670fbc6a1c3c0d4503fb8a558c43

SHA256
3190ffca8ae856136c5c72f22569c1dfe5c4d95da7bb26fbc2edab8e4fa21705

SHA512
094520094c7defeeb9a710ec5d3822a000c32020cbc04609e275b2d384954c031e422df7a7b5ee0c31e6436d36188933dd63a0aa562b23e27f111f308d92d5aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
576KB

MD5
d8c32a97d64419e597fd6d4317b0327d

SHA1
ba5eb33fb111dadbfccc486a449ef0bfd1fe228c

SHA256
8839a415b6103c7ca5f72525298451bbcec6a6f5ff0d08389af3234d08099a7f

SHA512
d87e22ff3268447b97000c24804ce9f32674e929e82c71a0f91c637479306f7ebaa1a8693ee5fe5d7ec24f09f3f377155e03a94ed29fc7a58ca37eb494644a81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 368204.crdownload

Filesize
4.4MB

MD5
6a4853cd0584dc90067e15afb43c4962

SHA1
ae59bbb123e98dc8379d08887f83d7e52b1b47fc

SHA256
ccb9502bf8ba5becf8b758ca04a5625c30b79e2d10d2677cc43ae4253e1288ec

SHA512
feb223e0de9bd64e32dc4f3227e175b58196b5e614bca8c2df0bbca2442a564e39d66bcd465154149dc7ebbd3e1ca644ed09d9a9174b52236c76e7388cb9d996

Download Submit
C:\Users\Admin\Downloads\chilledwindows.mp4

Filesize
3.6MB

MD5
698ddcaec1edcf1245807627884edf9c

SHA1
c7fcbeaa2aadffaf807c096c51fb14c47003ac20

SHA256
cde975f975d21edb2e5faa505205ab8a2c5a565ba1ff8585d1f0e372b2a1d78b

SHA512
a2c326f0c653edcd613a3cefc8d82006e843e69afc787c870aa1b9686a20d79e5ab4e9e60b04d1970f07d88318588c1305117810e73ac620afd1fb6511394155

Download Submit
\??\pipe\LOCAL\crashpad_1144_IANCUDQKPIEZWMPZ

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/4412-257-0x00007FFBD0A40000-0x00007FFBD1501000-memory.dmp

Filesize
10.8MB

Download
memory/4412-274-0x000000001F1D0000-0x000000001F1DE000-memory.dmp

Filesize
56KB

Download
memory/4412-271-0x000000001C100000-0x000000001C108000-memory.dmp

Filesize
32KB

Download
memory/4412-259-0x000000001B900000-0x000000001B910000-memory.dmp

Filesize
64KB

Download
memory/4412-258-0x000000001B900000-0x000000001B910000-memory.dmp

Filesize
64KB

Download
memory/4412-272-0x000000001B900000-0x000000001B910000-memory.dmp

Filesize
64KB

Download
memory/4412-238-0x00000000008D0000-0x0000000000D34000-memory.dmp

Filesize
4.4MB

Download
memory/4412-329-0x00007FFBD0A40000-0x00007FFBD1501000-memory.dmp

Filesize
10.8MB

Download
memory/4412-330-0x000000001B900000-0x000000001B910000-memory.dmp

Filesize
64KB

Download
memory/4412-273-0x000000001F200000-0x000000001F238000-memory.dmp

Filesize
224KB

Download
memory/4412-354-0x000000001B900000-0x000000001B910000-memory.dmp

Filesize
64KB

Download
memory/4412-355-0x000000001B900000-0x000000001B910000-memory.dmp

Filesize
64KB

Download
memory/4412-369-0x00007FFBD0A40000-0x00007FFBD1501000-memory.dmp

Filesize
10.8MB

Download