hxxps://github[.]com/kh4sh3i/Ransomware-Samples

Resubmissions

03/07/2024, 22:48

240703-2rckhs1hrh 6

03/07/2024, 20:15

240703-y1lm1awcqk 10

Analysis

max time kernel
126s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
03/07/2024, 22:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/kh4sh3i/Ransomware-Samples

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
37	raw.githubusercontent.com
38	raw.githubusercontent.com
78	raw.githubusercontent.com

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4992	msedge.exe
4992	msedge.exe
3336	msedge.exe
3336	msedge.exe
1944	identity_helper.exe
1944	identity_helper.exe
2640	msedge.exe
2640	msedge.exe
5556	chrome.exe
5556	chrome.exe
5136	msedge.exe
5136	msedge.exe
5136	msedge.exe
5136	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
5556	chrome.exe
5556	chrome.exe
5556	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5556	chrome.exe
Token: SeCreatePagefilePrivilege	5556	chrome.exe
Token: SeShutdownPrivilege	5556	chrome.exe
Token: SeCreatePagefilePrivilege	5556	chrome.exe
Token: SeShutdownPrivilege	5556	chrome.exe
Token: SeCreatePagefilePrivilege	5556	chrome.exe
Token: SeShutdownPrivilege	5556	chrome.exe
Token: SeCreatePagefilePrivilege	5556	chrome.exe
Token: SeShutdownPrivilege	5556	chrome.exe
Token: SeCreatePagefilePrivilege	5556	chrome.exe
Token: SeShutdownPrivilege	5556	chrome.exe
Token: SeCreatePagefilePrivilege	5556	chrome.exe
Token: SeShutdownPrivilege	5556	chrome.exe
Token: SeCreatePagefilePrivilege	5556	chrome.exe
Token: SeShutdownPrivilege	5556	chrome.exe
Token: SeCreatePagefilePrivilege	5556	chrome.exe
Token: SeShutdownPrivilege	5556	chrome.exe
Token: SeCreatePagefilePrivilege	5556	chrome.exe
Token: SeShutdownPrivilege	5556	chrome.exe
Token: SeCreatePagefilePrivilege	5556	chrome.exe
Token: SeShutdownPrivilege	5556	chrome.exe
Token: SeCreatePagefilePrivilege	5556	chrome.exe
Token: SeShutdownPrivilege	5556	chrome.exe
Token: SeCreatePagefilePrivilege	5556	chrome.exe
Token: SeShutdownPrivilege	5556	chrome.exe
Token: SeCreatePagefilePrivilege	5556	chrome.exe
Token: SeShutdownPrivilege	5556	chrome.exe
Token: SeCreatePagefilePrivilege	5556	chrome.exe
Token: SeShutdownPrivilege	5556	chrome.exe
Token: SeCreatePagefilePrivilege	5556	chrome.exe
Token: SeShutdownPrivilege	5556	chrome.exe
Token: SeCreatePagefilePrivilege	5556	chrome.exe
Token: SeShutdownPrivilege	5556	chrome.exe
Token: SeCreatePagefilePrivilege	5556	chrome.exe
Token: SeShutdownPrivilege	5556	chrome.exe
Token: SeCreatePagefilePrivilege	5556	chrome.exe
Token: SeShutdownPrivilege	5556	chrome.exe
Token: SeCreatePagefilePrivilege	5556	chrome.exe
Token: SeShutdownPrivilege	5556	chrome.exe
Token: SeCreatePagefilePrivilege	5556	chrome.exe
Token: SeShutdownPrivilege	5556	chrome.exe
Token: SeCreatePagefilePrivilege	5556	chrome.exe
Token: SeShutdownPrivilege	5556	chrome.exe
Token: SeCreatePagefilePrivilege	5556	chrome.exe
Token: SeShutdownPrivilege	5556	chrome.exe
Token: SeCreatePagefilePrivilege	5556	chrome.exe
Token: SeShutdownPrivilege	5556	chrome.exe
Token: SeCreatePagefilePrivilege	5556	chrome.exe
Token: SeShutdownPrivilege	5556	chrome.exe
Token: SeCreatePagefilePrivilege	5556	chrome.exe
Token: SeShutdownPrivilege	5556	chrome.exe
Token: SeCreatePagefilePrivilege	5556	chrome.exe
Token: SeShutdownPrivilege	5556	chrome.exe
Token: SeCreatePagefilePrivilege	5556	chrome.exe
Token: SeShutdownPrivilege	5556	chrome.exe
Token: SeCreatePagefilePrivilege	5556	chrome.exe
Token: SeShutdownPrivilege	5556	chrome.exe
Token: SeCreatePagefilePrivilege	5556	chrome.exe
Token: SeShutdownPrivilege	5556	chrome.exe
Token: SeCreatePagefilePrivilege	5556	chrome.exe
Token: SeShutdownPrivilege	5556	chrome.exe
Token: SeCreatePagefilePrivilege	5556	chrome.exe
Token: SeShutdownPrivilege	5556	chrome.exe
Token: SeCreatePagefilePrivilege	5556	chrome.exe

Suspicious use of FindShellTrayWindow 59 IoCs

pid	Process
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
5556	chrome.exe
5556	chrome.exe
5556	chrome.exe
5556	chrome.exe
5556	chrome.exe
5556	chrome.exe
5556	chrome.exe
5556	chrome.exe
5556	chrome.exe
5556	chrome.exe
5556	chrome.exe
5556	chrome.exe
5556	chrome.exe
5556	chrome.exe
5556	chrome.exe
5556	chrome.exe
5556	chrome.exe
5556	chrome.exe
5556	chrome.exe
5556	chrome.exe
5556	chrome.exe
5556	chrome.exe
5556	chrome.exe
5556	chrome.exe
5556	chrome.exe
5556	chrome.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
5556	chrome.exe
5556	chrome.exe
5556	chrome.exe
5556	chrome.exe
5556	chrome.exe
5556	chrome.exe
5556	chrome.exe
5556	chrome.exe
5556	chrome.exe
5556	chrome.exe
5556	chrome.exe
5556	chrome.exe
5556	chrome.exe
5556	chrome.exe
5556	chrome.exe
5556	chrome.exe
5556	chrome.exe
5556	chrome.exe
5556	chrome.exe
5556	chrome.exe
5556	chrome.exe
5556	chrome.exe
5556	chrome.exe
5556	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3336 wrote to memory of 2184	3336	msedge.exe	82
PID 3336 wrote to memory of 2184	3336	msedge.exe	82
PID 3336 wrote to memory of 4272	3336	msedge.exe	83
PID 3336 wrote to memory of 4272	3336	msedge.exe	83
PID 3336 wrote to memory of 4272	3336	msedge.exe	83
PID 3336 wrote to memory of 4272	3336	msedge.exe	83
PID 3336 wrote to memory of 4272	3336	msedge.exe	83
PID 3336 wrote to memory of 4272	3336	msedge.exe	83
PID 3336 wrote to memory of 4272	3336	msedge.exe	83
PID 3336 wrote to memory of 4272	3336	msedge.exe	83
PID 3336 wrote to memory of 4272	3336	msedge.exe	83
PID 3336 wrote to memory of 4272	3336	msedge.exe	83
PID 3336 wrote to memory of 4272	3336	msedge.exe	83
PID 3336 wrote to memory of 4272	3336	msedge.exe	83
PID 3336 wrote to memory of 4272	3336	msedge.exe	83
PID 3336 wrote to memory of 4272	3336	msedge.exe	83
PID 3336 wrote to memory of 4272	3336	msedge.exe	83
PID 3336 wrote to memory of 4272	3336	msedge.exe	83
PID 3336 wrote to memory of 4272	3336	msedge.exe	83
PID 3336 wrote to memory of 4272	3336	msedge.exe	83
PID 3336 wrote to memory of 4272	3336	msedge.exe	83
PID 3336 wrote to memory of 4272	3336	msedge.exe	83
PID 3336 wrote to memory of 4272	3336	msedge.exe	83
PID 3336 wrote to memory of 4272	3336	msedge.exe	83
PID 3336 wrote to memory of 4272	3336	msedge.exe	83
PID 3336 wrote to memory of 4272	3336	msedge.exe	83
PID 3336 wrote to memory of 4272	3336	msedge.exe	83
PID 3336 wrote to memory of 4272	3336	msedge.exe	83
PID 3336 wrote to memory of 4272	3336	msedge.exe	83
PID 3336 wrote to memory of 4272	3336	msedge.exe	83
PID 3336 wrote to memory of 4272	3336	msedge.exe	83
PID 3336 wrote to memory of 4272	3336	msedge.exe	83
PID 3336 wrote to memory of 4272	3336	msedge.exe	83
PID 3336 wrote to memory of 4272	3336	msedge.exe	83
PID 3336 wrote to memory of 4272	3336	msedge.exe	83
PID 3336 wrote to memory of 4272	3336	msedge.exe	83
PID 3336 wrote to memory of 4272	3336	msedge.exe	83
PID 3336 wrote to memory of 4272	3336	msedge.exe	83
PID 3336 wrote to memory of 4272	3336	msedge.exe	83
PID 3336 wrote to memory of 4272	3336	msedge.exe	83
PID 3336 wrote to memory of 4272	3336	msedge.exe	83
PID 3336 wrote to memory of 4272	3336	msedge.exe	83
PID 3336 wrote to memory of 4992	3336	msedge.exe	84
PID 3336 wrote to memory of 4992	3336	msedge.exe	84
PID 3336 wrote to memory of 3892	3336	msedge.exe	85
PID 3336 wrote to memory of 3892	3336	msedge.exe	85
PID 3336 wrote to memory of 3892	3336	msedge.exe	85
PID 3336 wrote to memory of 3892	3336	msedge.exe	85
PID 3336 wrote to memory of 3892	3336	msedge.exe	85
PID 3336 wrote to memory of 3892	3336	msedge.exe	85
PID 3336 wrote to memory of 3892	3336	msedge.exe	85
PID 3336 wrote to memory of 3892	3336	msedge.exe	85
PID 3336 wrote to memory of 3892	3336	msedge.exe	85
PID 3336 wrote to memory of 3892	3336	msedge.exe	85
PID 3336 wrote to memory of 3892	3336	msedge.exe	85
PID 3336 wrote to memory of 3892	3336	msedge.exe	85
PID 3336 wrote to memory of 3892	3336	msedge.exe	85
PID 3336 wrote to memory of 3892	3336	msedge.exe	85
PID 3336 wrote to memory of 3892	3336	msedge.exe	85
PID 3336 wrote to memory of 3892	3336	msedge.exe	85
PID 3336 wrote to memory of 3892	3336	msedge.exe	85
PID 3336 wrote to memory of 3892	3336	msedge.exe	85
PID 3336 wrote to memory of 3892	3336	msedge.exe	85
PID 3336 wrote to memory of 3892	3336	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/kh4sh3i/Ransomware-Samples
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe966546f8,0x7ffe96654708,0x7ffe96654718
  2⤵
  PID:2184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,5875019653270907109,15042785087296633941,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
  2⤵
  PID:4272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,5875019653270907109,15042785087296633941,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2420 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,5875019653270907109,15042785087296633941,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2916 /prefetch:8
  2⤵
  PID:3892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,5875019653270907109,15042785087296633941,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
  2⤵
  PID:5024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,5875019653270907109,15042785087296633941,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3516 /prefetch:1
  2⤵
  PID:1656
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,5875019653270907109,15042785087296633941,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5568 /prefetch:8
  2⤵
  PID:1480
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,5875019653270907109,15042785087296633941,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5568 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2124,5875019653270907109,15042785087296633941,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4120 /prefetch:8
  2⤵
  PID:116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,5875019653270907109,15042785087296633941,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1692 /prefetch:1
  2⤵
  PID:724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2124,5875019653270907109,15042785087296633941,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5644 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,5875019653270907109,15042785087296633941,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5896 /prefetch:1
  2⤵
  PID:740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,5875019653270907109,15042785087296633941,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5920 /prefetch:1
  2⤵
  PID:1188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,5875019653270907109,15042785087296633941,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1
  2⤵
  PID:4600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,5875019653270907109,15042785087296633941,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6152 /prefetch:1
  2⤵
  PID:3516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,5875019653270907109,15042785087296633941,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4836 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5136

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2104

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1312

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3416

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffe84ddab58,0x7ffe84ddab68,0x7ffe84ddab78
  2⤵
  PID:5632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1660 --field-trial-handle=1860,i,2227215877602614989,17342062391168612243,131072 /prefetch:2
  2⤵
  PID:5796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1772 --field-trial-handle=1860,i,2227215877602614989,17342062391168612243,131072 /prefetch:8
  2⤵
  PID:5804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2272 --field-trial-handle=1860,i,2227215877602614989,17342062391168612243,131072 /prefetch:8
  2⤵
  PID:5812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3112 --field-trial-handle=1860,i,2227215877602614989,17342062391168612243,131072 /prefetch:1
  2⤵
  PID:5960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3140 --field-trial-handle=1860,i,2227215877602614989,17342062391168612243,131072 /prefetch:1
  2⤵
  PID:5972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4400 --field-trial-handle=1860,i,2227215877602614989,17342062391168612243,131072 /prefetch:1
  2⤵
  PID:2848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4564 --field-trial-handle=1860,i,2227215877602614989,17342062391168612243,131072 /prefetch:8
  2⤵
  PID:5220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4696 --field-trial-handle=1860,i,2227215877602614989,17342062391168612243,131072 /prefetch:8
  2⤵
  PID:4612

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:6064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
33f9b4f572fe3cee51829012586a3b36

SHA1
77b42fc94ddfa09b75e72a83db3027de8f2de517

SHA256
cfbfd7a9c19f9b29ab26649f863390743878147215f60ffe442ea2d6e342cae8

SHA512
35722f35675689b519a6be15b3abf7ad130d922d6905ebee0272c203e0758108c4a5eceedf02f4486e8463a8e0ad8ea22b2abe613834a24b8a27eb0eb8b3a9d4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
98dacd101a73dcf82fc51eeb6b394cc8

SHA1
605fe56777fb0923b893d6715029eded969aa1b8

SHA256
35b409878e2c50305e927257d3e8283371947d91cb298cc592738efbb2b8a16d

SHA512
c9e690452ef3d2a661b290ee1e6ea51a613bd80b61c352f1d7d0724be92c0ef02cb2c110257773d52f1e670d5db2de73c1916ae2191332a4df1a26076263020d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
138KB

MD5
d0eff76658166e1b8732ff0dd359e208

SHA1
361a041729b5778d7134242b667f9be6264458fe

SHA256
7860cbf3ee0a3df2bd950747aed49d852a1eea45a407d27bac800e9c7a3cc7bc

SHA512
bf79aa810805371e13dff223becbcd4b75887eb714f4f974e58c053c46dad64f6e4bd614e51243e594a9e6636a1642bc91afa3ccd39b4aaff19fe3b617698add

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
db9081c34e133c32d02f593df88f047a

SHA1
a0da007c14fd0591091924edc44bee90456700c6

SHA256
c9cd202ebb55fe8dd3e5563948bab458e947d7ba33bc0f38c6b37ce5d0bd7c3e

SHA512
12f9809958b024571891fae646208a76f3823ae333716a5cec303e15c38281db042b7acf95bc6523b6328ac9c8644794d39a0e03d9db196f156a6ee1fb4f2744

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3a09f853479af373691d131247040276

SHA1
1b6f098e04da87e9cf2d3284943ec2144f36ac04

SHA256
a358de2c0eba30c70a56022c44a3775aa99ffa819cd7f42f7c45ac358b5e739f

SHA512
341cf0f363621ee02525cd398ae0d462319c6a80e05fd25d9aca44234c42a3071b51991d4cf102ac9d89561a1567cbe76dfeaad786a304bec33821ca77080016

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
7a0ae88d0124c6f4745cfb20476f0c24

SHA1
a3bd3cee4133d0e43bbb42f99e4683dbc7442dbb

SHA256
92f49a4c7e8d7eec8b6a338e12f610906be513a68925968251df728bd84b74fa

SHA512
ce9f2663e9976e3586bdeb8a240a2da04d1cc77d442eeff7da9e150dbd9101239ba1c6505326316d9d8d30cce20f4d2a594642c439d3adb3de29d36cdfd04200

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
79d0c412c31946420648147a88392b90

SHA1
2698cb6aae7f0c5f1c6a3aded5562d322c2b046b

SHA256
4f92877d7442c3541aeb48700f681c673452c2e39db983a1371c665838bc0144

SHA512
a3cb720b8e6851e596b354443c41812707ed3503b2f5024d96340634ca0c97ea09682f33a4bd01ba0be912ec4ed9c7c98db76cdaf8a1765231f588fc336c16db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
04adc6a6ed63af8d633af08b5004ee89

SHA1
87150f6ec5287ce5d4a0ef665f96f050e434c7ee

SHA256
a92d7bec374cafc6e3359b9996d50e240e331352a2ea2b34fbe6b3c35c9abead

SHA512
b36e72d38efd1be18113ed4424dceb27ec51c96f9e952a53e594c839c2dcfd41e205cb2b9e4494ac3a719d937602455622da8b325b45bb1fdf9ce9665c33f939

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
579B

MD5
be85a012866f82533b134a3e7c03581c

SHA1
8f361377763dc0f643a3c2746149ca5850c5d8c0

SHA256
7c0534066657219aeecf9763515dbb8eeb5b0cc4509d25ed75d5347476f443a0

SHA512
38aa3dc3c36a5319162d52fb0bdb7588dfa9fada5247c49ee53d870b7d928ea5be1387e176e8caf3dd6cad9b6975d432eae587c0103f8dffc56f17ef887ae621

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
29d778ed709fd11ba62664ff0a65221f

SHA1
8811e98a14e51d98c9a04c4a186b56878d32ca61

SHA256
99a25f550dd71e1c493ce1d020357acca9da1f538646af1ea9e38cd8b76bd09f

SHA512
86a0213fec0aa919358e8c83eb3cee2e9af64589e74a8f84586aa0dd33d7b2adea41b32e7a8ee62d1e17e4acf149cf601018c38fe97dcb14191c7625a88e1e75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
125e6211484fda833181368247796fcd

SHA1
b49a675da3a54ab40390e69bd4c92e355a15cb65

SHA256
a931b4a92bc070fd3ec4225bed3ef02aaebfe17b77bde27f012ed5fef033df32

SHA512
0affc9313c9e5d2de37dd1d8c4e69f4a13a2d0dfb4cffc56a2beb0f3b16b4dcc14b623ae7b25808a49b555fddc355ede7b433d5069ebc3013a426626e369b257

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d01daa34c2b0e5381ee7c6a99ffadc62

SHA1
43ddc6f18ca09a7220fb01df06c964b49215d5f8

SHA256
f4cd9dd191e37a2677a91efe116c9178e4f120328771ebfa1f386ec9072197ea

SHA512
5e3b8a4b10644d80046fb17c6ef2b8d0e857522670720f20de93df074172e7bbaf4edccecc2412fc59acf3b785a6dba7d80cde36b782a4e965c71c54738ca821

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
239a1ca8c59044029eb20b739d91dee8

SHA1
66bbb021fb38cb1fae8610ebfba919c396a63e01

SHA256
696a21e724a0fc8eb0ddffc0fb9963503fb6363ab37c92a791077a745bfb905d

SHA512
0685e6bcc101307979f8c8602c866cf163f8323caf904bdb2ca0c7b794b6b243a7ef2c53d0421ee6d7f7f5134be1b3964bf62facb864a9bfa42f15ed8980b719

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
72f95440cab229b3b0db6befbdd9de32

SHA1
2ee140ee60fae49254d75056dfdf06cdc8bce9af

SHA256
1b3f791d68d5302967f5fda050b71612032594a6b7c6f61cb54398008fab20d5

SHA512
1bde1a19833a3bba10ab1c0cc85ac2667bfd071d63909df60351de8d6dfffaebec950167ead3a171be1bfb6969286164325bb3669f2cad2f4b4b4733fbd552d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
7a4ec00335c8d62082b117ca9d104150

SHA1
a5deea7e5a6cc6825ae84f6d4225fa963f4fd2d7

SHA256
6ed3741d46e61cfb785cf1c910a69dc7b8bbac7c4c697c04054602313b481968

SHA512
d6965c915f9c3d5826a1e5b4b00bb99ac97f6cc8ca702c412a7d3ba3797591999c64beef204e345b78342f16f9e502a0bfef92172d055c3ffee77f6063e655d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
be961d889f9ac099ac81fa464dee9186

SHA1
3dd2770f602cc1eabd5c9bf62e6bb449569a9a4f

SHA256
fa20b3a71aa803a20f5fc1c161b417b9c6d8595147219a4a9cfca8941ce8b72c

SHA512
95b5a0aa0a240501e85eb11a8f3565e70211d274d5ce01938ee15e51deaf75b5fdc5f6fdfaef64849af42e1a2b6c4f89a2e0d12fbd3e6beecbbddbc085daf47d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
5af3729f905568d4bc2e1c5863ffd19a

SHA1
cf682a448606f701c7fe0bd6b6d2dbac81bb9935

SHA256
074d66b86628575646a5c7b1d2c0cb2f4174a294535277ed14c15a7c91618f13

SHA512
bc8a34ebf0cafd7641bb835172c2c5279c638ef567a540f7f65db2c3148ede432a1bdd53aa11736cd76357e3f6f8016d0692fc79fa42b13671a1e9c931d6077f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe579e82.TMP

Filesize
1KB

MD5
f95ba30e25edfdf490af201a2ee177cf

SHA1
02e970f02e59c9cde80789b348bd89e79293e410

SHA256
7e852d7c3873e54fb0cd21243eb42eb54b51a7e9e8f32111f61dfcd374a727f3

SHA512
c1ab03e5f1f5dc3f8e8cd4582da604173dc488e834ce5210887e89348449c66edf7b3fbfdd13abcf1b48513a97802bf86976eaafcb7c6d8e6d01a2fab6e470b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e002cb05ea9ce2e0a7e98a136c0c44a4

SHA1
89d5331db1b02364b4d2b6c833a8b1f93d315ef0

SHA256
d719f302286f6e005187d1f7b0bcb2d809f0fbe72ee767f8996e5030605ffa29

SHA512
afa8c0152b9b8f999382c961be26897a69616d78d99001007f794174c12114d1743da0007928749ced74b8f9946115ae267d4fe321f17f41108ef3c5e184a31e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e06173853773f515b757e1d324943931

SHA1
8c8fcc8b33797f609d1297217c87ef348b5e499e

SHA256
78e4d043bf0ac3fa45602d8b4f4ba050376b81aba41c3de041e989049f4a551a

SHA512
ab123189609ca7dc9ce7847c82ada125eb51f47fdde6f9dfc24a65da3e5c11d04fc6a5cfd2286c858f821453f9e8b062f86f4649dd74b023da51275b96d6110b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
a5b856dcbf8668036256786186b7a7a3

SHA1
70b12bbce2127b94f6c2d1a64f1b514ab82df680

SHA256
95bf72b89d6094d235b1ce6e257352d9f03abc275823e008f492f7f839f9fe77

SHA512
a9d41f95e556182270b3bdcb3606351b00b75cbb868a61d2d0422e89a65ae2767d96ccd05a116506ab7158eeb8a82937017089ef6547c763d127b7373ee96573

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry_Plus.zip

Filesize
2.3MB

MD5
5641d280a62b66943bf2d05a72a972c7

SHA1
c857f1162c316a25eeff6116e249a97b59538585

SHA256
ab14c3f5741c06ad40632447b2fc10662d151afb32066a507aab4ec866ffd488

SHA512
0633bc32fa6d31b4c6f04171002ad5da6bb83571b9766e5c8d81002037b4bc96e86eb059d35cf5ce17a1a75767461ba5ac0a89267c3d0e5ce165719ca2af1752

Download Submit