Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
  • submitted
    20-09-2024 03:08

General

  • Target

    https://hypeddit.com/extremest/extremestdeadlyvirus

Malware Config

Extracted

Path: C:\Users\Admin\Downloads\!Please Read Me!.txt

Family: wannacry

Ransom Note:
Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions!

Wallets: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Kills process with taskkill 4 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: LoadsDriver 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 51 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://hypeddit.com/extremest/extremestdeadlyvirus
    1⤵
    PID:4028
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --field-trial-handle=3660,i,12470628711992022444,7767535593390851522,262144 --variations-seed-version --mojo-platform-channel-handle=2108 /prefetch:1
    1⤵
    PID:3696
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --field-trial-handle=4296,i,12470628711992022444,7767535593390851522,262144 --variations-seed-version --mojo-platform-channel-handle=4936 /prefetch:1
    1⤵
    PID:4204
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=5380,i,12470628711992022444,7767535593390851522,262144 --variations-seed-version --mojo-platform-channel-handle=4504 /prefetch:8
    1⤵
    PID:824
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --field-trial-handle=5384,i,12470628711992022444,7767535593390851522,262144 --variations-seed-version --mojo-platform-channel-handle=5436 /prefetch:8
    1⤵
    PID:1348
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --field-trial-handle=5388,i,12470628711992022444,7767535593390851522,262144 --variations-seed-version --mojo-platform-channel-handle=5864 /prefetch:1
    1⤵
    PID:1980
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=5808,i,12470628711992022444,7767535593390851522,262144 --variations-seed-version --mojo-platform-channel-handle=5868 /prefetch:8
    1⤵
    PID:4220
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --field-trial-handle=5820,i,12470628711992022444,7767535593390851522,262144 --variations-seed-version --mojo-platform-channel-handle=6200 /prefetch:1
    1⤵
    PID:3372
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --field-trial-handle=6380,i,12470628711992022444,7767535593390851522,262144 --variations-seed-version --mojo-platform-channel-handle=6388 /prefetch:8
    1⤵
    PID:4052
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x398 0x310
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3336
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --field-trial-handle=6608,i,12470628711992022444,7767535593390851522,262144 --variations-seed-version --mojo-platform-channel-handle=6600 /prefetch:8
    1⤵
    • Modifies registry class
    PID:1976
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --field-trial-handle=6628,i,12470628711992022444,7767535593390851522,262144 --variations-seed-version --mojo-platform-channel-handle=6700 /prefetch:1
    1⤵
    PID:2596
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --field-trial-handle=5760,i,12470628711992022444,7767535593390851522,262144 --variations-seed-version --mojo-platform-channel-handle=6224 /prefetch:1
    1⤵
    PID:2764
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --field-trial-handle=5140,i,12470628711992022444,7767535593390851522,262144 --variations-seed-version --mojo-platform-channel-handle=5088 /prefetch:1
    1⤵
    PID:1136
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=6740,i,12470628711992022444,7767535593390851522,262144 --variations-seed-version --mojo-platform-channel-handle=6612 /prefetch:8
    1⤵
    PID:1544
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --field-trial-handle=6232,i,12470628711992022444,7767535593390851522,262144 --variations-seed-version --mojo-platform-channel-handle=6768 /prefetch:1
    1⤵
    PID:4504
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --field-trial-handle=5992,i,12470628711992022444,7767535593390851522,262144 --variations-seed-version --mojo-platform-channel-handle=5972 /prefetch:1
    1⤵
    PID:368
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --field-trial-handle=6252,i,12470628711992022444,7767535593390851522,262144 --variations-seed-version --mojo-platform-channel-handle=6272 /prefetch:1
    1⤵
    PID:2208
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --field-trial-handle=6732,i,12470628711992022444,7767535593390851522,262144 --variations-seed-version --mojo-platform-channel-handle=6808 /prefetch:1
    1⤵
    PID:3492
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --field-trial-handle=4936,i,12470628711992022444,7767535593390851522,262144 --variations-seed-version --mojo-platform-channel-handle=6980 /prefetch:1
    1⤵
    PID:2688
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --field-trial-handle=7088,i,12470628711992022444,7767535593390851522,262144 --variations-seed-version --mojo-platform-channel-handle=7048 /prefetch:8
    1⤵
    PID:4628
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --field-trial-handle=5864,i,12470628711992022444,7767535593390851522,262144 --variations-seed-version --mojo-platform-channel-handle=7284 /prefetch:8
    1⤵
    PID:4272
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --field-trial-handle=7236,i,12470628711992022444,7767535593390851522,262144 --variations-seed-version --mojo-platform-channel-handle=7260 /prefetch:1
    1⤵
    PID:2640
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=7660,i,12470628711992022444,7767535593390851522,262144 --variations-seed-version --mojo-platform-channel-handle=7648 /prefetch:8
    1⤵
    PID:2740
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --field-trial-handle=5412,i,12470628711992022444,7767535593390851522,262144 --variations-seed-version --mojo-platform-channel-handle=5436 /prefetch:8
    1⤵
    PID:1940
  • C:\Users\Admin\Downloads\WannaCry.exe
    "C:\Users\Admin\Downloads\WannaCry.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2284
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c 232861726801778.bat
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4620
      • C:\Windows\SysWOW64\cscript.exe
        cscript //nologo c.vbs
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3644
    • C:\Users\Admin\Downloads\!WannaDecryptor!.exe
      !WannaDecryptor!.exe f
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:3616
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im MSExchange*
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3392
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im Microsoft.Exchange.*
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4340
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im sqlserver.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2264
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im sqlwriter.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3124
    • C:\Users\Admin\Downloads\!WannaDecryptor!.exe
      !WannaDecryptor!.exe c
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:3860
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c start /b !WannaDecryptor!.exe v
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1916
      • C:\Users\Admin\Downloads\!WannaDecryptor!.exe
        !WannaDecryptor!.exe v
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1984
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1212
          • C:\Windows\SysWOW64\Wbem\WMIC.exe
            wmic shadowcopy delete
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:3984
    • C:\Users\Admin\Downloads\!WannaDecryptor!.exe
      !WannaDecryptor!.exe
      2⤵
      • Executes dropped EXE
      • Sets desktop wallpaper using registry
      • System Location Discovery: System Language Discovery
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      PID:3660
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
    1⤵
    • Enumerates system info in registry
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4460
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=127.0.6533.89 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=127.0.2651.86 --initial-client-data=0x238,0x23c,0x240,0x234,0x264,0x7ffe8db5d198,0x7ffe8db5d1a4,0x7ffe8db5d1b0
      2⤵
      PID:4816
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2864,i,4440413223219652004,4062558906241245699,262144 --variations-seed-version --mojo-platform-channel-handle=2860 /prefetch:2
      2⤵
      PID:4484
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --field-trial-handle=1856,i,4440413223219652004,4062558906241245699,262144 --variations-seed-version --mojo-platform-channel-handle=2920 /prefetch:3
      2⤵
      PID:4788
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --field-trial-handle=2144,i,4440413223219652004,4062558906241245699,262144 --variations-seed-version --mojo-platform-channel-handle=3048 /prefetch:8
      2⤵
      PID:4032
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --field-trial-handle=4224,i,4440413223219652004,4062558906241245699,262144 --variations-seed-version --mojo-platform-channel-handle=4712 /prefetch:8
      2⤵
      PID:1572
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --field-trial-handle=4624,i,4440413223219652004,4062558906241245699,262144 --variations-seed-version --mojo-platform-channel-handle=4732 /prefetch:8
      2⤵
      PID:1184
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --field-trial-handle=2476,i,4440413223219652004,4062558906241245699,262144 --variations-seed-version --mojo-platform-channel-handle=2840 /prefetch:8
      2⤵
      PID:5080
  • C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\elevation_service.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\elevation_service.exe"
    1⤵
    PID:1940
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1044

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json
    Filesize: 2B
    MD5: 99914b932bd37a50b983c5e7c90ae93b
    SHA1: bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
    SHA256: 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
    SHA512: 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports
    Filesize: 2B
    MD5: d751713988987e9331980363e24189ce
    SHA1: 97d170e1550eee4afc0af065b78cda302a97674c
    SHA256: 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
    SHA512: b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries
    Filesize: 40B
    MD5: 20d4b8fa017a12a108c87f540836e250
    SHA1: 1ac617fac131262b6d3ce1f52f5907e31d5f6f00

                                                                  SHA256

                                                                  6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

                                                                  SHA512

                                                                  507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

                                                                  Filesize

                                                                  30KB

                                                                  MD5

                                                                  2d6b915fbcc492c721ca16903e040ba4

                                                                  SHA1

                                                                  1dc157616e1eb386f8829b830074e0a5e6df35ba

                                                                  SHA256

                                                                  4fc96373920c7900921993f9c45956b4074a8f96f618f52541cff7a6d293637b

                                                                  SHA512

                                                                  6fd076b195cb74d2e3729ffb0c82f1b0fbaa0f95da99a9234170fc069abe5d29c34ebb88bfeba7ff30186cea90e5bf09eecba65c2e320f05b7ad3e4328b92ea8

                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\a1ea3820-1182-4702-a520-7c95b3af6188.tmp

                                                                  Filesize

                                                                  15KB

                                                                  MD5

                                                                  b0da1e0a087ce6bc34efcb4af4b3427a

                                                                  SHA1

                                                                  e4faa586cc76f94ced49b291513396ca7fa66ef2

                                                                  SHA256

                                                                  98e92505c4525410fc9fc30a0e1500505a8d9281abd62fd703acf262a0b46c04

                                                                  SHA512

                                                                  9267b214a66b644c2b1e70d4c6f17a0042687349674c9f0e8b49ab9be04f507416d1eb6982d949f24dfc87808f21d5fff59adb5c6816cf82b992d4edff99d5f4

                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                                  Filesize

                                                                  95KB

                                                                  MD5

                                                                  b31932b08eb51a35c83cd797b314c5ea

                                                                  SHA1

                                                                  341e5b95058a5cee6ccdf356f62d56ef772e1e3e

                                                                  SHA256

                                                                  a349eebf3eef0a75df857f99e271d70e7838d1ea9a936467c20d019c74d23178

                                                                  SHA512

                                                                  4603457de4cbfa403c67db6d112ca5fa36e15170a155c4ad9bd5c1bae8c92f5b7018b6901a5c630a1f63f449938e44c8f0a9786f1bb720457c45d0227652fc61

                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                                  Filesize

                                                                  91KB

                                                                  MD5

                                                                  ff5d062c0216919e8d41799fee2a8b82

                                                                  SHA1

                                                                  0025bfa715235350db56a4cd71aa5afa7dea4985

                                                                  SHA256

                                                                  10bab1b31523b2b89ca9af56283755398586664e2ec02749d5fc9f39c567c9c0

                                                                  SHA512

                                                                  814e587e04f490b87e8e499dde13fac0c42daaf3f2db304f7016deca3e14a3f8482982ed29560aa8be2528f7fdfd822dc433c33ac253b045ecedfc65ef226a35

                                                                • C:\Users\Admin\Downloads\!Please Read Me!.txt

                                                                  Filesize

                                                                  797B

                                                                  MD5

                                                                  afa18cf4aa2660392111763fb93a8c3d

                                                                  SHA1

                                                                  c219a3654a5f41ce535a09f2a188a464c3f5baf5

                                                                  SHA256

                                                                  227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0

                                                                  SHA512

                                                                  4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b

                                                                • C:\Users\Admin\Downloads\!WannaDecryptor!.exe.lnk

                                                                  Filesize

                                                                  590B

                                                                  MD5

                                                                  d239fb24e2723327a2cb13f423176bcd

                                                                  SHA1

                                                                  6d109b08037b1527ca8b1313489ce862efe7d488

                                                                  SHA256

                                                                  71ab287c8e641c43110a0e5350db6d59b677be6f2793f601fcd5f9810fcef3dc

                                                                  SHA512

                                                                  46f1ad4ef5346b0c704992cc7166fa92f146a23cee36b70e1ee48f340dcdc3a7b80c6ada50d221c9bb445143ece311a464613aada2ca01798f253ca0af21ebf8

                                                                • C:\Users\Admin\Downloads\00000000.res

                                                                  Filesize

                                                                  136B

                                                                  MD5

                                                                  07ec9fcf98bf5ae12cc540c0a40f692e

                                                                  SHA1

                                                                  2ce01f16d114b354a0433f920bd9e36ec9e1fece

                                                                  SHA256

                                                                  1e90c9cb6ad2e1726cd36b8bb5ff46d682bad551321d9286eaae6f90433ce31f

                                                                  SHA512

                                                                  451a3ca77591457e57248a484ba2e6144cf08e3b1178c7979c5f181f227d0eda0affce5a65919fd3f7b6901a1f2f70f9944f5f6722e93e2d7aa3975ae0e5366a

                                                                • C:\Users\Admin\Downloads\00000000.res

                                                                  Filesize

                                                                  136B

                                                                  MD5

                                                                  e6e592d75f453697847a4223476af210

                                                                  SHA1

                                                                  a2ecfdf4f3d277b7108838288c43b1f24407033f

                                                                  SHA256

                                                                  d432b9dc35abe1e4dc71fecb66342281e69beaee62c2cfe502ebe3ff10690de6

                                                                  SHA512

                                                                  6dcefaead6a0ed2f44c39ad0fc5feb9083bea25d61aa45044b86fe7549e9380bcf0e59f34ff121403e0637bd5334582111070e19417c9a0167af4b00a334d733

                                                                • C:\Users\Admin\Downloads\00000000.res

                                                                  Filesize

                                                                  136B

                                                                  MD5

                                                                  91e2068f80abf10632670426d6043c7a

                                                                  SHA1

                                                                  3f72101c14003a54d111656701334f2f65c302f2

                                                                  SHA256

                                                                  4489233497dc64e39de57f4da4cdfe1f8056e4508157fc5bff7c045e32b2f733

                                                                  SHA512

                                                                  5a1e0293912484641193fc3959db634f9c03a33ba775d01c0deb77e92cde3352d4b335e6acbc52ad1ac8e1f157deeb239bfa7e8e6f83cf0e22178bd71ca9d05a

                                                                • C:\Users\Admin\Downloads\232861726801778.bat

                                                                  Filesize

                                                                  318B

                                                                  MD5

                                                                  a261428b490a45438c0d55781a9c6e75

                                                                  SHA1

                                                                  e9eefce11cefcbb7e5168bfb8de8a3c3ac45c41e

                                                                  SHA256

                                                                  4288d655b7de7537d7ea13fdeb1ba19760bcaf04384cd68619d9e5edb5e31f44

                                                                  SHA512

                                                                  304887938520ffcc6966da83596ccc8688b7eace9572982c224f3fb9c59e6fb2dcaa021a19d2aae47346e954c0d0d8145c723b7143dece11ac7261dc41ba3d40

                                                                • C:\Users\Admin\Downloads\c.vbs

                                                                  Filesize

                                                                  201B

                                                                  MD5

                                                                  02b937ceef5da308c5689fcdb3fb12e9

                                                                  SHA1

                                                                  fa5490ea513c1b0ee01038c18cb641a51f459507

                                                                  SHA256

                                                                  5d57b86aeb52be824875008a6444daf919717408ec45aff4640b5e64610666f1

                                                                  SHA512

                                                                  843eeae13ac5fdc216b14e40534543c283ecb2b6c31503aba2d25ddd215df19105892e43cf618848742de9c13687d21e8c834eff3f2b69a26df2509a6f992653

                                                                • C:\Users\Admin\Downloads\c.wry

                                                                  Filesize

                                                                  628B

                                                                  MD5

                                                                  71b8eb4c00950c5a674f1bb281772cda

                                                                  SHA1

                                                                  b87978d82478a6bead672c9f966bdc9eac831765

                                                                  SHA256

                                                                  717f3dab2f05e54fca251c66639349ee1d032239d1a8bcf115bf02e35014480d

                                                                  SHA512

                                                                  475661aa0deb950b3c8657563a312d690deae66afc55f9a7fde67d4dadfea943104fc781aa5e19a88001dedcd3d4da2ed1a922328af729b9f98373effd909d47

                                                                • C:\Users\Admin\Downloads\m.wry

                                                                  Filesize

                                                                  42KB

                                                                  MD5

                                                                  980b08bac152aff3f9b0136b616affa5

                                                                  SHA1

                                                                  2a9c9601ea038f790cc29379c79407356a3d25a3

                                                                  SHA256

                                                                  402046ada270528c9ac38bbfa0152836fe30fb8e12192354e53b8397421430d9

                                                                  SHA512

                                                                  100cda1f795781042b012498afd783fd6ff03b0068dbd07b2c2e163cd95e6c6e00755ce16b02b017693c9febc149ed02df9df9b607e2b9cca4b07e5bd420f496

                                                                • C:\Users\Admin\Downloads\u.wry

                                                                  Filesize

                                                                  236KB

                                                                  MD5

                                                                  cf1416074cd7791ab80a18f9e7e219d9

                                                                  SHA1

                                                                  276d2ec82c518d887a8a3608e51c56fa28716ded

                                                                  SHA256

                                                                  78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

                                                                  SHA512

                                                                  0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

                                                                • memory/2284-10-0x0000000010000000-0x0000000010012000-memory.dmp

                                                                  Filesize

                                                                  72KB