Analysis
Max time kernel: 215s
Max time network: 219s
Platform: windows10-2004_x64
Resource: win10v2004-20240802-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 02-08-2024 15:45
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://github.com/Endermanch/MalwareDatabase/blob/master/ransomwares/ViraLock.zip
Resource: win10v2004-20240802-en
Errors
General
Target: https://github.com/Endermanch/MalwareDatabase/blob/master/ransomwares/ViraLock.zip
Malware Config
Signatures
Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
Adds Run key to start application (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" (process: [email protected])
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
- flow 37: raw.githubusercontent.com
- flow 38: raw.githubusercontent.com
Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
Bootkits write to the MBR to gain persistence at a level below the operating system.
- File opened for modification: \??\PhysicalDrive0 (process: [email protected])
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: [email protected])
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: [email protected])
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: [email protected])
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: [email protected])
Enumerates system info in registry (2 TTPs, 3 IoCs)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (process: msedge.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (process: msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (process: msedge.exe)
Suspicious behavior: EnumeratesProcesses (30 IoCs)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (10 IoCs)
Suspicious use of AdjustPrivilegeToken (1 IoC)
- Token: SeShutdownPrivilege (PID 4804, process: [email protected])
Suspicious use of FindShellTrayWindow (57 IoCs)
Suspicious use of SendNotifyMessage (24 IoCs)
Suspicious use of SetWindowsHookEx (1 IoC)
- PID 4804, process: [email protected]
Suspicious use of WriteProcessMemory (64 IoCs)
Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4104)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Endermanch/MalwareDatabase/blob/master/ransomwares/ViraLock.zip
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4176, child of PID 4104)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9a3ed46f8,0x7ff9a3ed4708,0x7ff9a3ed4718

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4888, child of PID 4104)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,17746289600453505145,16496376052708320456,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1992, child of PID 4104)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,17746289600453505145,16496376052708320456,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 220, child of PID 4104)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,17746289600453505145,16496376052708320456,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2708 /prefetch:8

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4396, child of PID 4104)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,17746289600453505145,16496376052708320456,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1336, child of PID 4104)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,17746289600453505145,16496376052708320456,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 1592, child of PID 4104)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,17746289600453505145,16496376052708320456,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5504 /prefetch:8

  C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 4652, child of PID 4104)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,17746289600453505145,16496376052708320456,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5504 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1624, child of PID 4104)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2132,17746289600453505145,16496376052708320456,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4004 /prefetch:8

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4080, child of PID 4104)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,17746289600453505145,16496376052708320456,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4068 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4764, child of PID 4104)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2132,17746289600453505145,16496376052708320456,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5620 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2488, child of PID 4104)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,17746289600453505145,16496376052708320456,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3372, child of PID 4104)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,17746289600453505145,16496376052708320456,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2704 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1968, child of PID 4104)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,17746289600453505145,16496376052708320456,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1808 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4928, child of PID 4104)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2132,17746289600453505145,16496376052708320456,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5692 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3208, child of PID 4104)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,17746289600453505145,16496376052708320456,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2488 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1632, child of PID 4104)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,17746289600453505145,16496376052708320456,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6024 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4968, child of PID 4104)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,17746289600453505145,16496376052708320456,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3964 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 64, child of PID 4104)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2132,17746289600453505145,16496376052708320456,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5224 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2928, child of PID 4104)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,17746289600453505145,16496376052708320456,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1756 /prefetch:2
    - Suspicious behavior: EnumeratesProcesses

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 8, child of PID 4104)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,17746289600453505145,16496376052708320456,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5516 /prefetch:1

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1524, child of PID 4104)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2132,17746289600453505145,16496376052708320456,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3344 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
C:\Windows\System32\CompPkgSrv.exe (PID 1592)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe (PID 4984)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\rundll32.exe (PID 2764)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\Downloads\NoMoreRansom (1)\[email protected] (PID 2916)
  Command line: "C:\Users\Admin\Downloads\NoMoreRansom (1)\[email protected]"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses

C:\Users\Admin\Downloads\NoMoreRansom (1)\[email protected] (PID 3712)
  Command line: "C:\Users\Admin\Downloads\NoMoreRansom (1)\[email protected]"
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses

C:\Users\Admin\Downloads\NoMoreRansom (1)\[email protected] (PID 1624)
  Command line: "C:\Users\Admin\Downloads\NoMoreRansom (1)\[email protected]"
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses

C:\Users\Admin\Downloads\Petya.A\[email protected] (PID 4804)
  Command line: "C:\Users\Admin\Downloads\Petya.A\[email protected]"
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Pre-OS Boot (1)
  - Bootkit (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Downloads