Analysis
-
max time kernel
329s -
max time network
333s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
02-07-2024 08:51
General
-
Target
https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/WannaCry.exe
Malware Config
Extracted
C:\Users\Admin\Downloads\!Please Read Me!.txt
wannacry
15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Downloads MZ/PE file
-
Drops startup file 2 IoCs
-
Executes dropped EXE 5 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Kills process with taskkill 4 IoCs
-
Modifies registry class 56 IoCs
-
NTFS ADS 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 20 IoCs
-
Suspicious use of AdjustPrivilegeToken 49 IoCs
-
Suspicious use of FindShellTrayWindow 45 IoCs
-
Suspicious use of SendNotifyMessage 34 IoCs
-
Suspicious use of SetWindowsHookEx 9 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/WannaCry.exe1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffc66746f8,0x7fffc6674708,0x7fffc66747182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2304,18287052384740507494,15872970893459068161,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2312 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2304,18287052384740507494,15872970893459068161,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2364 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2304,18287052384740507494,15872970893459068161,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2692 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2304,18287052384740507494,15872970893459068161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2304,18287052384740507494,15872970893459068161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2304,18287052384740507494,15872970893459068161,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5456 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2304,18287052384740507494,15872970893459068161,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5456 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2304,18287052384740507494,15872970893459068161,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5560 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2304,18287052384740507494,15872970893459068161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5196 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2304,18287052384740507494,15872970893459068161,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6060 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2304,18287052384740507494,15872970893459068161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6188 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2304,18287052384740507494,15872970893459068161,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6328 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2304,18287052384740507494,15872970893459068161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5876 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2304,18287052384740507494,15872970893459068161,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5904 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2304,18287052384740507494,15872970893459068161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6436 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2304,18287052384740507494,15872970893459068161,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6180 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2304,18287052384740507494,15872970893459068161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6472 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2304,18287052384740507494,15872970893459068161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6476 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2304,18287052384740507494,15872970893459068161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6160 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2304,18287052384740507494,15872970893459068161,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6356 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2304,18287052384740507494,15872970893459068161,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6808 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2304,18287052384740507494,15872970893459068161,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6836 /prefetch:82⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2304,18287052384740507494,15872970893459068161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2304,18287052384740507494,15872970893459068161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6856 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2304,18287052384740507494,15872970893459068161,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6908 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2304,18287052384740507494,15872970893459068161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6272 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2304,18287052384740507494,15872970893459068161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6556 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2304,18287052384740507494,15872970893459068161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2304,18287052384740507494,15872970893459068161,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1744 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2304,18287052384740507494,15872970893459068161,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7136 /prefetch:82⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2304,18287052384740507494,15872970893459068161,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6564 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2304,18287052384740507494,15872970893459068161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1404 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2304,18287052384740507494,15872970893459068161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6560 /prefetch:12⤵
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Downloads\WannaCry.exe"C:\Users\Admin\Downloads\WannaCry.exe"1⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 280641719910410.bat2⤵
-
C:\Windows\SysWOW64\cscript.execscript //nologo c.vbs3⤵
-
-
-
C:\Users\Admin\Downloads\!WannaDecryptor!.exe!WannaDecryptor!.exe f2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im MSExchange*2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Microsoft.Exchange.*2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sqlserver.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sqlwriter.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Downloads\!WannaDecryptor!.exe!WannaDecryptor!.exe c2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c start /b !WannaDecryptor!.exe v2⤵
-
C:\Users\Admin\Downloads\!WannaDecryptor!.exe!WannaDecryptor!.exe v3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.execmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet4⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic shadowcopy delete5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
C:\Users\Admin\Downloads\!WannaDecryptor!.exe!WannaDecryptor!.exe2⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/search?q=how+to+buy+bitcoin3⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fffc66746f8,0x7fffc6674708,0x7fffc66747184⤵
-
-
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\!Please Read Me!.txt1⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD5f61fa5143fe872d1d8f1e9f8dc6544f9
SHA1df44bab94d7388fb38c63085ec4db80cfc5eb009
SHA256284a24b5b40860240db00ef3ae6a33c9fa8349ab5490a634e27b2c6e9a191c64
SHA512971000784a6518bb39c5cf043292c7ab659162275470f5f6b632ea91a6bcae83bc80517ceb983dd5abfe8fb4e157344cb65c27e609a879eec00b33c5fad563a6
-
Filesize
152B
MD587f7abeb82600e1e640b843ad50fe0a1
SHA1045bbada3f23fc59941bf7d0210fb160cb78ae87
SHA256b35d6906050d90a81d23646f86c20a8f5d42f058ffc6436fb0a2b8bd71ee1262
SHA512ea8e7f24ab823ad710ce079c86c40aa957353a00d2775732c23e31be88a10d212e974c4691279aa86016c4660f5795febf739a15207833df6ed964a9ed99d618
-
Filesize
5KB
MD5933e13275b99fe1b4cf0e4c2bcf486a3
SHA1aeb168f368c59c3f0e3f39361c590e9b6b32f58f
SHA25692f1f1801c4fe1579e90e7c2bab9089558986551ea0120332b3ffa5285a10987
SHA5129a10e2976f1dae7e057d8283c29fa9904709effbda278e14b824d6f04a865a75d51dd87283686600f1ef6a525fbfaafd52cc475d044fbbc22867444c12db7f7f
-
Filesize
211KB
MD5151fb811968eaf8efb840908b89dc9d4
SHA17ec811009fd9b0e6d92d12d78b002275f2f1bee1
SHA256043fd8558e4a5a60aaccd2f0377f77a544e3e375242e9d7200dc6e51f94103ed
SHA51283aface0ab01da52fd077f747c9d5916e3c06b0ea5c551d7d316707ec3e8f3f986ce1c82e6f2136e48c6511a83cb0ac67ff6dc8f0e440ac72fc6854086a87674
-
Filesize
1KB
MD562e2dfd76ad3f85a1bcf7d69da07a8ee
SHA12f42d8ac59ca73e3231bc8adca6ffaf988992dc0
SHA256d7151578cbcd314d23d85bd8c63b92a6c8b6d53fc24025b0179717501e669179
SHA5126bc41341292dae50048fc19d1a844f0cc57ac6d0fc9ea21ea1ecfcd54f1477b95c23ddb10771b440b09c0f78bd207e50843c9db8143ce9eb7d323d7c7a379d99
-
Filesize
5KB
MD5b0a9b9ed240920bda386fb16e8b06edf
SHA1e7f2f04275dd8f16797b8406b9bf7f40eeac105a
SHA256e58562084f99086fa14255d3c87697302ed4821e19a08c3bae2377acb4390ac0
SHA512855ad7b0224b16052f63fb8a1370a4536589d90c4e81b7e4bd2ffae462dbef4572972870ac49481fff19a4cea0f8fe2f7c381726390bb12c5791d151b125f108
-
Filesize
5KB
MD5b61c5b2b06e0d6dde171844ba6e9bdfe
SHA14bec56d6e1d17314f120385edefb08f55e5c3067
SHA2566394abf62b4def0f194f9e53f208f163f304d77ef7aa386300ac812606d7dede
SHA51253e41efc748ebb8375fe8b4da181152fab04bdb2ebdaa51ae7c00055c34ae50faba097a3f78a77516aa90759de36d1e419bb1cc5ff96ef4052f192d1af2e2e1f
-
Filesize
2KB
MD57ca4bb3f7c8b5b5773f2c85cfbed3273
SHA1b404321a7530bbfd9a77fdea63881f3d6ad3572c
SHA2565272d1b36773d93ebde2bb1a12d32bc2258e7d63d908eb6f2910b51a08a3514e
SHA5126c5cc4b1fef49512abd38299ddbc44dee857856830c611f06c8d6444f67bc2fb9fdd54fca2c542d66a6d6679d3b4a5d1c3f8dbb3e573c42af327c4d9259ef3c2
-
Filesize
2KB
MD500a0c06437a7ed8b51efcd0390d7e569
SHA188102ffa2e47dfe1e3977f94bdaded2d6c6e3c58
SHA256e04dff65aa6360974b1b30c15537412d552b5a2b6bf28e8827871121c41bba64
SHA512d4f7f27de00b422bd391ecaf4df59bb3d3999ec5141d9e687dcbedf438955f9b79483caad0b2d77d59e8db38a0df96104381ecd38f9aa1a68e54cba245943b7d
-
Filesize
3KB
MD58bca05b998bd1dc14cc23c94fbfb6639
SHA16b2d6002d9caed0e154338568aeab8c71ac8b32f
SHA2564e391dfccd6f3db1a7d2aa5fbea239d9e3a4a3867b3f2c5ce52dcf686fdfdc6f
SHA5129ecdb075839a263ae053396a2f2e0c833db0b958d60b4e12175defad3e9d875084c6c9934f24517e7cb62ef8b85ceccfd3bb3f8b60688efe6f3718103633628f
-
Filesize
8KB
MD5e5d72e17377255171d47c1694ce77e20
SHA1103c9975b1bf11ba04c9e84f76fa8436a2768f29
SHA2565e699f4f75a2d0af110d11320526d045c027daa002d4c567a1504a23b67d4132
SHA51216617bfafe64b0ab703a4d7c25a6aa80c5d7237170d1ab1f51727fa8f861e588dabd9d5fb3b92a84ca6c0446acdfd14f0c287e6bffbd2663ac2d6a2be0d285da
-
Filesize
8KB
MD573d8a699881a2128f8112db8e1f3f395
SHA1fe1eae3c21dbe740e998d8c87e058ac8e241bef1
SHA25674e3b8934639d5d1e4e031272c6888939b3404cc835efa2a2ce9ab8e3c6e1ad3
SHA512d5d921302163338739b9b62976e7943332fc23fa44d095d4e22a137b9c5a809fcc95a88959bf4afcfc182c3dff1739338e3cec7ee1feffc17b0c5bbd79b74456
-
Filesize
6KB
MD54ca7217ac6b888f97e5ab85df4ee0153
SHA1902ad94e9583316c18d16124fa8094cb9bf6d199
SHA2567d2333af87f7579cdbc718d69417eee138d362418cc083296e3863e151633418
SHA5128bf47f8d1c363855646438bb22cf4e89f64f82a8079d6785ece6484afdc1c3af26fec08a07493de39e9d7640c82bfaeafd8744dd73e36638a7c407c3de899033
-
Filesize
9KB
MD5dc4a65953e84c4140ed28d4d86799795
SHA15d055102f4154014ba7b271647acb347b19f4399
SHA256864eb99589cab94aab2eccab0ec58a51310d9d2b6127fdc25a3505038fa79d6e
SHA51205bcfb722ab7b79620b4d616fc331ec0ece260333252188b66f02ebfbbd1acb12ba33c56e271fcd3060b0bfca4713138459fb2e864033739b95e6caab2279d99
-
Filesize
7KB
MD56a38242d576a6d2a8f9ad57686437798
SHA140c9584270716efbd7abff8572b40040764a1c79
SHA2567610cdb7edbb70de702ea53acfba3d3b94cdd03b9eb90cc3dcbb1621d7e3f632
SHA5123354d50df28a1675fb430c0d0ddbd355b837515f6b05143d9aa997e71b4f4d8f1d78c64b07312a083e4da9e5fbbd1881ebcce5d4d1365cb504c48d762a1fc01f
-
Filesize
8KB
MD55651a2391ef25c72c1095ed8c04efef0
SHA1238aa1954a03e9ae64687d9e2e95d757256aa1f6
SHA256c645d97af1e08bf55cc3bdcb1987e876d8e89798057685e08da5747a1cecfac9
SHA5128410c8797395f5b0206420fbb7150e00d6831fb5d0d607c9c9e758d77ed04b2f8b7cd7cb831ccda83241269819c87d9492b40a6c15dd6ef6d8b26ed740842ef9
-
Filesize
6KB
MD5685bbb9ee0e069d1a6a71c92e119c599
SHA1fe3ed83f914b553b08a0018a949bbd49e8963bde
SHA25634da9e1d88a66177c6b5867b807587821086c448f1a5b43a337ad0b3716038ab
SHA5124e19ea357c1d8fb9f83402906062d636dfb37763333e3cf6ce2128dffa700829f42e559290ff6badb08683b0b87603f3931da96af4328e4fbd1813c5f93e5a01
-
Filesize
72B
MD50f911927f19685712dda1d3595b10808
SHA16eb2edc49649ab39c6c3d46e4cf2aa910eac0f36
SHA2561b3a70a3004641a0023c406ead3cda01faac8940343a7abe28027c9992a50372
SHA5128cf2f7e272019eadc6019a3705328fc0fb9a073a0b82aa8e22447b508f96ac4c4c595cf09b6e0c6c829957abd62e0a31ab25323ff5c19085b2a55eea5d896f3e
-
Filesize
48B
MD5b57edbc7d50c3d4c3525b6d23fe16420
SHA1f1d61a625521d47e28ac6511067d45c9c11c8e51
SHA2564f97ea1aadb72a72aef8ad5466740a8c62596a7d1ea1fcc34888cfa031d8da1c
SHA512ba62c1c9bd50ebbaa2ff6b57b36a85212f2ced679ae10fc085d55fbffa4ab5d4c19a849ec0bcdb6b5a0fad842a1ed004fa90069b279b11517fd2877c20dc03b9
-
Filesize
2KB
MD52b1c1f12a37eb8f56248748eb5848351
SHA164f825252db8ea56a882e0e7feeaebc188ba4a64
SHA256e61841fcd524198f2b2ef02b75f91edf3520061dc853591a1ce74a95a8e07360
SHA51252c24242119506d1e99011436fc62055f33bbdafb490073352b9f2395c4baaa69fad400cdfd1c90841f4288c0ca349f96714726ae01bb810f78850a8b18b1a1b
-
Filesize
1KB
MD52736bd67d0ee85bbc010ffbe1ceb04bb
SHA19cbadaf198641ff9e42860996e6bd61daacdda82
SHA256196e7958bcd2c31e27fba178ff512218d16b358b89e3d62c8109325b0198ee80
SHA512fdb4a5d42b1c98667fe5dbc322498c655002d89b71b726f7126f57c9f22f74da740c87765157e6db1ba3a9929daf914b0d1ac9015ad638c7f94b322729af6178
-
Filesize
1KB
MD5c332d0ad48e7a72972c8320374f14a1b
SHA1a4aea36e0092ca22aee8288064fcbf21c9923d8d
SHA25616c329b0ed48b1b8b57c92489ed7dd8c0e3365c8c36c83e5d2f02fa48411be54
SHA512deda19e5420f5ee111fa1c881e3fe94d383535d89cb2babd7e828ae160e9b18e6f4052a4e34af2d6b845561ebd51685fc9deddccac4fae9e08aff94ea3cc5303
-
Filesize
2KB
MD5dc07358cd070ae18174377f7aafeda0f
SHA159012277fecde24e685ecebc7d57be6676a6ad97
SHA2561302b67a7e7fd67fb22e8af3a895a22f64e9058692d42985fce933a7ede38ed4
SHA512bd833ddecc1f1886c457934dee9e2adc4a5aea83d2e70894c8555aede31fde20120905532905545cb16ff395b139f10f1b4be0c13178b44cf0f8774fe3c09c67
-
Filesize
1KB
MD50149cb710d86a6a170c95ae26c176d4d
SHA16bdf3a669a33185a264e416bb93d7762343fff8e
SHA256f703f7cb0a9eb67934bf4cde96f6b83edb8c38681fbf7b37a3c21b2e93768f17
SHA512576a7919ba403d68b3b42af5f39b2eeae5ba5a6de536a5bcee9bc2cdb42cf4fa2517aaf629b06f5cf4692e05f38e67e23426b5cefc58ed6e166850c3fc992d68
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
28KB
MD5f52b3e5685c4f2b98461bb84fe93ab55
SHA189d471548ded09933e4180cbffae6b54f3227173
SHA2564ed3ecc79883e5c9a3d3aec94acd8d00cd5d88c311b5101e82639c258a2816f0
SHA5122f1652f4e2522276f0b1c7dcb9db117ceebefd3df146222102016993ade3442da03218b35f0bd3b487327a09094d28cebb80d3afe258be2048b330c1bc1c9912
-
Filesize
16KB
MD59e02552124890dc7e040ce55841d75a4
SHA1f4179e9e3c00378fa4ad61c94527602c70aa0ad9
SHA2567b6e4ce73ddd8b5e7a7c4a94374ac2815d0048a5296879d7659a92ee0b425c77
SHA5123e10237b1bff73f3bb031f108b8de18f1b3c3396d63dfee8eb2401ce650392b9417143a9ef5234831d8386fc12e232b583dd45eada3f2828b3a0a818123dd5cd
-
Filesize
11KB
MD5639c37554890edc8b169285997df62e6
SHA16ce693e7075bf988ea5db5b41ea67212c0b55cb5
SHA25633a9fdca523a9e2eef720310765e91dc8b773a04c412395743d28d2c21a49efe
SHA512d1f530e953213f83135a3ab045fcd98552a5358aeb0aac86549708f7cd5f0d4f5e8e544e2abda072158be10d8715d19f6213c281ac87e5cae031d94f1a6f70b3
-
Filesize
10KB
MD5722edbec31d11b5d89e7f3ba400115d5
SHA1bff202bacf4e155ae41c0b5105b028c548b686f8
SHA2564c653ce9dc78709ae5b07d2707c6d2a2d075e478809072c33260cdd23ace3303
SHA512499f8d7d1ee853aafc4bf5c3c7f306a4b915826ccf2aa2e6270a749d94310f8255dd818d3104676eb3ab9119731c947db9211aba87458b008e4c30592e4a4758
-
Filesize
797B
MD5afa18cf4aa2660392111763fb93a8c3d
SHA1c219a3654a5f41ce535a09f2a188a464c3f5baf5
SHA256227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0
SHA5124161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b
-
Filesize
590B
MD57c3d7cb3a952f102e095db0ad8dcf7a9
SHA1a497cb266e432cf141d6f5172b6f25e959d9d69b
SHA2563b4ce3cf7efe809b996d4c9a1d14d1119b3ad250bdea71ff472c9b9a694db617
SHA512247ac06b5d305ba52319485752ca03f2bee77ee0f39602f35e36e3b3d01accb6b0d169ca75684843113159057387d0be27e6e525d9326ad9195e793c1489e951
-
Filesize
136B
MD5aeab0e3d843847400c0f40902b74e9e4
SHA1088653ab8eff236140f3b093a2df528f1c835a6b
SHA2560be100d5bdac83ce0e7498a1fbf24babf8789314a202c05a11fce403fd31223f
SHA51206adb372545ff8c60f32ccb1fe477b0d74cc3e87ff1aec427263e19880c7c768d4c34ea615606a47cd9ecbda52601513a1f3b007c17556118dca28acdbbce235
-
Filesize
136B
MD5d342f62f2a11a8df7c441c99bc197ca9
SHA1f6a859e6303b15100aaa94fac419f601b60a551d
SHA256ffa1c0e44dbff4cd754f584d8e9331faad9f17a609e20e654e43122a28142a78
SHA512dbc272dc2d6a10c21ca3a55d590c14fd30475a979abf861635fb9e1e9b221a232c58f9472868b9944375ac655ac177ecc3aeafb6de0ccc7e2bc3a26dbe5bb177
-
Filesize
136B
MD59b99d2acffa59680c49ffe4aab1db69a
SHA10663b7a36288e164be33f8c118736424d3afc817
SHA256f559d3c06a1bbb5973e4f839530477df7bb038383027311f5b665a28ad32c113
SHA5129cb191ac309d4c0e24ea8ed4699458b13b7c770f49b205f170eba8824d95eb5374ce2eb2c9e8c0899401ed30cc46ecea85d2b4adc7e237e337ac2103694cef8a
-
Filesize
318B
MD5a261428b490a45438c0d55781a9c6e75
SHA1e9eefce11cefcbb7e5168bfb8de8a3c3ac45c41e
SHA2564288d655b7de7537d7ea13fdeb1ba19760bcaf04384cd68619d9e5edb5e31f44
SHA512304887938520ffcc6966da83596ccc8688b7eace9572982c224f3fb9c59e6fb2dcaa021a19d2aae47346e954c0d0d8145c723b7143dece11ac7261dc41ba3d40
-
Filesize
224KB
MD55c7fb0927db37372da25f270708103a2
SHA1120ed9279d85cbfa56e5b7779ffa7162074f7a29
SHA256be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844
SHA512a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f89224c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206
-
Filesize
201B
MD502b937ceef5da308c5689fcdb3fb12e9
SHA1fa5490ea513c1b0ee01038c18cb641a51f459507
SHA2565d57b86aeb52be824875008a6444daf919717408ec45aff4640b5e64610666f1
SHA512843eeae13ac5fdc216b14e40534543c283ecb2b6c31503aba2d25ddd215df19105892e43cf618848742de9c13687d21e8c834eff3f2b69a26df2509a6f992653
-
Filesize
628B
MD5bd7abe1724d86cb0b5e87a2f27f55883
SHA1e19cd5aaa5fdd06486505387d3ce1749a268ee8a
SHA2564af5431318e534fe5ce9fb7324ab68462ea3c95e0411ef7bdcedf4359d30473b
SHA51238b9b8a5119edcfb90d45a4c4c22d86add78a63b656233646cefe4c6d6f6cc7f89a315a351ae77fd5a57975af493c8c089d2f51007ba641e69b3b6b99b59fac0
-
Filesize
42KB
MD5980b08bac152aff3f9b0136b616affa5
SHA12a9c9601ea038f790cc29379c79407356a3d25a3
SHA256402046ada270528c9ac38bbfa0152836fe30fb8e12192354e53b8397421430d9
SHA512100cda1f795781042b012498afd783fd6ff03b0068dbd07b2c2e163cd95e6c6e00755ce16b02b017693c9febc149ed02df9df9b607e2b9cca4b07e5bd420f496
-
Filesize
236KB
MD5cf1416074cd7791ab80a18f9e7e219d9
SHA1276d2ec82c518d887a8a3608e51c56fa28716ded
SHA25678e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df
SHA5120bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5
-
Filesize
72KB