wannacry | hxxp://thisisnotawebsitedotcom[.]com

Analysis

max time kernel
406s
max time network
402s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
21-09-2024 16:15

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

http://thisisnotawebsitedotcom.com

Score

10^/10

wannacry defense_evasion discovery evasion persistence ransomware spyware stealer trojan upx worm

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\!Please Read Me!.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions! �

Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\system.exe"	reg.exe

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Downloads MZ/PE file

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDE43B.tmp	WannaCry.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDE442.tmp	WannaCry.exe

Executes dropped EXE 10 IoCs

pid	Process
2960	Hydra.exe
5364	EternalRocks.exe
3364	Xyeta (12).exe
196	ChilledWindows.exe
4412	Vista (4).exe
5624	Birele.exe
5756	7ev3n.exe
4080	system.exe
504	WannaCry.exe
3372	!WannaDecryptor!.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0005000000026066-867.dat	upx
behavioral1/memory/3364-962-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/3364-972-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/files/0x000300000002ab59-1237.dat	upx
behavioral1/memory/5624-1257-0x0000000000400000-0x0000000000438000-memory.dmp	upx
behavioral1/memory/5624-1258-0x0000000000400000-0x0000000000438000-memory.dmp	upx
behavioral1/memory/5624-1260-0x0000000000400000-0x0000000000438000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Users\\Admin\\AppData\\Local\\system.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\Downloads\\WannaCry.exe\" /r"	WannaCry.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	ChilledWindows.exe
File opened (read-only)	\??\H:	ChilledWindows.exe
File opened (read-only)	\??\L:	ChilledWindows.exe
File opened (read-only)	\??\M:	ChilledWindows.exe
File opened (read-only)	\??\N:	ChilledWindows.exe
File opened (read-only)	\??\O:	ChilledWindows.exe
File opened (read-only)	\??\P:	ChilledWindows.exe
File opened (read-only)	\??\Q:	ChilledWindows.exe
File opened (read-only)	\??\B:	ChilledWindows.exe
File opened (read-only)	\??\E:	ChilledWindows.exe
File opened (read-only)	\??\I:	ChilledWindows.exe
File opened (read-only)	\??\J:	ChilledWindows.exe
File opened (read-only)	\??\K:	ChilledWindows.exe
File opened (read-only)	\??\S:	ChilledWindows.exe
File opened (read-only)	\??\T:	ChilledWindows.exe
File opened (read-only)	\??\U:	ChilledWindows.exe
File opened (read-only)	\??\V:	ChilledWindows.exe
File opened (read-only)	\??\Y:	ChilledWindows.exe
File opened (read-only)	\??\X:	ChilledWindows.exe
File opened (read-only)	\??\Z:	ChilledWindows.exe
File opened (read-only)	\??\G:	ChilledWindows.exe
File opened (read-only)	\??\R:	ChilledWindows.exe
File opened (read-only)	\??\W:	ChilledWindows.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
48	raw.githubusercontent.com
62	raw.githubusercontent.com

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 10 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\7ev3n.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\WindowsUpdate.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\EternalRocks.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Xyeta (12).exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Cerber5.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\WannaCry.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Hydra.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Vista (4).exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\ChilledWindows.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Birele.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
6128	3364	WerFault.exe	135
3288	5624	WerFault.exe	158

System Location Discovery: System Language Discovery 1 TTPs 32 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SCHTASKS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7ev3n.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hydra.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Xyeta (12).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Vista (4).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Birele.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shutdown.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
1804	taskkill.exe
4672	taskkill.exe
3188	taskkill.exe
6020	taskkill.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "225"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3007475212-2160282277-2943627620-1000\{4D943732-836E-4BB4-9F69-01495FDB055D}	ChilledWindows.exe

NTFS ADS 42 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 57959.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 116566.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\ChilledWindows.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Birele.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\WannaCry.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 454839.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 419172.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 749597.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 719537.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 637109.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 879228.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 923638.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 89266.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 694975.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 51645.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 931285.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 226690.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 224734.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Xyeta (12).exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 177758.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 708734.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 728954.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\EternalRocks.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 377682.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 62204.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\7ev3n.exe:Zone.Identifier	msedge.exe
File created	C:\Users\Admin\AppData\Local\system.exe\:Zone.Identifier:$DATA	7ev3n.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 635314.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Hydra.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 56335.crdownload:SmartScreen	msedge.exe
File created	C:\Users\Admin\AppData\Local\system.exe\:SmartScreen:$DATA	7ev3n.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 152069.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 438106.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 115599.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\WindowsUpdate.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 133671.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 220384.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Cerber5.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 166385.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 904934.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Vista (4).exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 477648.crdownload:SmartScreen	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1188	SCHTASKS.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
2216	msedge.exe
2216	msedge.exe
5768	msedge.exe
5768	msedge.exe
1344	identity_helper.exe
1344	identity_helper.exe
2308	msedge.exe
2308	msedge.exe
5920	msedge.exe
5920	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
4400	msedge.exe
2744	msedge.exe
2744	msedge.exe
4156	msedge.exe
4156	msedge.exe
1692	msedge.exe
1692	msedge.exe
4544	msedge.exe
4544	msedge.exe
3024	msedge.exe
3024	msedge.exe
5488	msedge.exe
5488	msedge.exe
1612	msedge.exe
1612	msedge.exe
3324	msedge.exe
3324	msedge.exe
2792	msedge.exe
2792	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 26 IoCs

pid	Process
5768	msedge.exe
5768	msedge.exe
5768	msedge.exe
5768	msedge.exe
5768	msedge.exe
5768	msedge.exe
5768	msedge.exe
5768	msedge.exe
5768	msedge.exe
5768	msedge.exe
5768	msedge.exe
5768	msedge.exe
5768	msedge.exe
5768	msedge.exe
5768	msedge.exe
5768	msedge.exe
5768	msedge.exe
5768	msedge.exe
5768	msedge.exe
5768	msedge.exe
5768	msedge.exe
5768	msedge.exe
5768	msedge.exe
5768	msedge.exe
5768	msedge.exe
5768	msedge.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: 33	1996	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1996	AUDIODG.EXE
Token: SeShutdownPrivilege	196	ChilledWindows.exe
Token: SeCreatePagefilePrivilege	196	ChilledWindows.exe
Token: SeShutdownPrivilege	196	ChilledWindows.exe
Token: SeCreatePagefilePrivilege	196	ChilledWindows.exe
Token: SeShutdownPrivilege	196	ChilledWindows.exe
Token: SeCreatePagefilePrivilege	196	ChilledWindows.exe
Token: SeShutdownPrivilege	5540	shutdown.exe
Token: SeRemoteShutdownPrivilege	5540	shutdown.exe
Token: SeDebugPrivilege	3188	taskkill.exe
Token: SeDebugPrivilege	4672	taskkill.exe
Token: SeDebugPrivilege	6020	taskkill.exe
Token: SeDebugPrivilege	1804	taskkill.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
5768	msedge.exe
5768	msedge.exe
5768	msedge.exe
5768	msedge.exe
5768	msedge.exe
5768	msedge.exe
5768	msedge.exe
5768	msedge.exe
5768	msedge.exe
5768	msedge.exe
5768	msedge.exe
5768	msedge.exe
5768	msedge.exe
5768	msedge.exe
5768	msedge.exe
5768	msedge.exe
5768	msedge.exe
5768	msedge.exe
5768	msedge.exe
5768	msedge.exe
5768	msedge.exe
5768	msedge.exe
5768	msedge.exe
5768	msedge.exe
5768	msedge.exe
5768	msedge.exe
5768	msedge.exe
5768	msedge.exe
5768	msedge.exe
5768	msedge.exe
5768	msedge.exe
5768	msedge.exe
5768	msedge.exe
5768	msedge.exe
5768	msedge.exe
5768	msedge.exe
5768	msedge.exe
5768	msedge.exe
5768	msedge.exe
5768	msedge.exe
5768	msedge.exe
5768	msedge.exe
5768	msedge.exe
5768	msedge.exe
5768	msedge.exe
5768	msedge.exe
5768	msedge.exe
5768	msedge.exe
5768	msedge.exe
5768	msedge.exe
5768	msedge.exe
5768	msedge.exe
5768	msedge.exe
5768	msedge.exe
5768	msedge.exe
5768	msedge.exe
5768	msedge.exe
5768	msedge.exe
5768	msedge.exe
5768	msedge.exe
5768	msedge.exe
5768	msedge.exe
5768	msedge.exe
5768	msedge.exe

Suspicious use of SendNotifyMessage 16 IoCs

pid	Process
5768	msedge.exe
5768	msedge.exe
5768	msedge.exe
5768	msedge.exe
5768	msedge.exe
5768	msedge.exe
5768	msedge.exe
5768	msedge.exe
5768	msedge.exe
5768	msedge.exe
5768	msedge.exe
5768	msedge.exe
5768	msedge.exe
5768	msedge.exe
5768	msedge.exe
5768	msedge.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
5268	PickerHost.exe
3372	!WannaDecryptor!.exe
3372	!WannaDecryptor!.exe
5864	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5768 wrote to memory of 6008	5768	msedge.exe	78
PID 5768 wrote to memory of 6008	5768	msedge.exe	78
PID 5768 wrote to memory of 3412	5768	msedge.exe	79
PID 5768 wrote to memory of 3412	5768	msedge.exe	79
PID 5768 wrote to memory of 3412	5768	msedge.exe	79
PID 5768 wrote to memory of 3412	5768	msedge.exe	79
PID 5768 wrote to memory of 3412	5768	msedge.exe	79
PID 5768 wrote to memory of 3412	5768	msedge.exe	79
PID 5768 wrote to memory of 3412	5768	msedge.exe	79
PID 5768 wrote to memory of 3412	5768	msedge.exe	79
PID 5768 wrote to memory of 3412	5768	msedge.exe	79
PID 5768 wrote to memory of 3412	5768	msedge.exe	79
PID 5768 wrote to memory of 3412	5768	msedge.exe	79
PID 5768 wrote to memory of 3412	5768	msedge.exe	79
PID 5768 wrote to memory of 3412	5768	msedge.exe	79
PID 5768 wrote to memory of 3412	5768	msedge.exe	79
PID 5768 wrote to memory of 3412	5768	msedge.exe	79
PID 5768 wrote to memory of 3412	5768	msedge.exe	79
PID 5768 wrote to memory of 3412	5768	msedge.exe	79
PID 5768 wrote to memory of 3412	5768	msedge.exe	79
PID 5768 wrote to memory of 3412	5768	msedge.exe	79
PID 5768 wrote to memory of 3412	5768	msedge.exe	79
PID 5768 wrote to memory of 3412	5768	msedge.exe	79
PID 5768 wrote to memory of 3412	5768	msedge.exe	79
PID 5768 wrote to memory of 3412	5768	msedge.exe	79
PID 5768 wrote to memory of 3412	5768	msedge.exe	79
PID 5768 wrote to memory of 3412	5768	msedge.exe	79
PID 5768 wrote to memory of 3412	5768	msedge.exe	79
PID 5768 wrote to memory of 3412	5768	msedge.exe	79
PID 5768 wrote to memory of 3412	5768	msedge.exe	79
PID 5768 wrote to memory of 3412	5768	msedge.exe	79
PID 5768 wrote to memory of 3412	5768	msedge.exe	79
PID 5768 wrote to memory of 3412	5768	msedge.exe	79
PID 5768 wrote to memory of 3412	5768	msedge.exe	79
PID 5768 wrote to memory of 3412	5768	msedge.exe	79
PID 5768 wrote to memory of 3412	5768	msedge.exe	79
PID 5768 wrote to memory of 3412	5768	msedge.exe	79
PID 5768 wrote to memory of 3412	5768	msedge.exe	79
PID 5768 wrote to memory of 3412	5768	msedge.exe	79
PID 5768 wrote to memory of 3412	5768	msedge.exe	79
PID 5768 wrote to memory of 3412	5768	msedge.exe	79
PID 5768 wrote to memory of 3412	5768	msedge.exe	79
PID 5768 wrote to memory of 2216	5768	msedge.exe	80
PID 5768 wrote to memory of 2216	5768	msedge.exe	80
PID 5768 wrote to memory of 2184	5768	msedge.exe	81
PID 5768 wrote to memory of 2184	5768	msedge.exe	81
PID 5768 wrote to memory of 2184	5768	msedge.exe	81
PID 5768 wrote to memory of 2184	5768	msedge.exe	81
PID 5768 wrote to memory of 2184	5768	msedge.exe	81
PID 5768 wrote to memory of 2184	5768	msedge.exe	81
PID 5768 wrote to memory of 2184	5768	msedge.exe	81
PID 5768 wrote to memory of 2184	5768	msedge.exe	81
PID 5768 wrote to memory of 2184	5768	msedge.exe	81
PID 5768 wrote to memory of 2184	5768	msedge.exe	81
PID 5768 wrote to memory of 2184	5768	msedge.exe	81
PID 5768 wrote to memory of 2184	5768	msedge.exe	81
PID 5768 wrote to memory of 2184	5768	msedge.exe	81
PID 5768 wrote to memory of 2184	5768	msedge.exe	81
PID 5768 wrote to memory of 2184	5768	msedge.exe	81
PID 5768 wrote to memory of 2184	5768	msedge.exe	81
PID 5768 wrote to memory of 2184	5768	msedge.exe	81
PID 5768 wrote to memory of 2184	5768	msedge.exe	81
PID 5768 wrote to memory of 2184	5768	msedge.exe	81
PID 5768 wrote to memory of 2184	5768	msedge.exe	81

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://thisisnotawebsitedotcom.com
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff6db93cb8,0x7fff6db93cc8,0x7fff6db93cd8
  2⤵
  PID:6008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1888,7643253773880362990,9862745934498575978,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1920 /prefetch:2
  2⤵
  PID:3412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1888,7643253773880362990,9862745934498575978,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2356 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1888,7643253773880362990,9862745934498575978,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2648 /prefetch:8
  2⤵
  PID:2184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,7643253773880362990,9862745934498575978,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:1
  2⤵
  PID:4232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,7643253773880362990,9862745934498575978,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1
  2⤵
  PID:3928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,7643253773880362990,9862745934498575978,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4664 /prefetch:1
  2⤵
  PID:4912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1888,7643253773880362990,9862745934498575978,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4828 /prefetch:8
  2⤵
  PID:3296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,7643253773880362990,9862745934498575978,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:1
  2⤵
  PID:5132
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1888,7643253773880362990,9862745934498575978,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5652 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,7643253773880362990,9862745934498575978,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:5684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,7643253773880362990,9862745934498575978,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4060 /prefetch:1
  2⤵
  PID:1032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,7643253773880362990,9862745934498575978,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:1
  2⤵
  PID:1264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1888,7643253773880362990,9862745934498575978,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5836 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,7643253773880362990,9862745934498575978,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3852 /prefetch:1
  2⤵
  PID:2484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,7643253773880362990,9862745934498575978,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3964 /prefetch:1
  2⤵
  PID:3852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,7643253773880362990,9862745934498575978,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5896 /prefetch:1
  2⤵
  PID:3780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,7643253773880362990,9862745934498575978,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6020 /prefetch:1
  2⤵
  PID:4488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,7643253773880362990,9862745934498575978,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5844 /prefetch:1
  2⤵
  PID:3300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,7643253773880362990,9862745934498575978,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3496 /prefetch:1
  2⤵
  PID:3100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,7643253773880362990,9862745934498575978,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5868 /prefetch:1
  2⤵
  PID:5064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,7643253773880362990,9862745934498575978,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6100 /prefetch:1
  2⤵
  PID:4540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,7643253773880362990,9862745934498575978,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5468 /prefetch:1
  2⤵
  PID:5272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1888,7643253773880362990,9862745934498575978,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6708 /prefetch:8
  2⤵
  PID:6100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1888,7643253773880362990,9862745934498575978,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6536 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:5920
- C:\Users\Admin\Downloads\Hydra.exe
  "C:\Users\Admin\Downloads\Hydra.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1888,7643253773880362990,9862745934498575978,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5260 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,7643253773880362990,9862745934498575978,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:1
  2⤵
  PID:4528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,7643253773880362990,9862745934498575978,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:1
  2⤵
  PID:4456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,7643253773880362990,9862745934498575978,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6112 /prefetch:1
  2⤵
  PID:4728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1888,7643253773880362990,9862745934498575978,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6760 /prefetch:8
  2⤵
  PID:2984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1888,7643253773880362990,9862745934498575978,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6976 /prefetch:8
  2⤵
  PID:4080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1888,7643253773880362990,9862745934498575978,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6768 /prefetch:8
  2⤵
  PID:1484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1888,7643253773880362990,9862745934498575978,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6444 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1888,7643253773880362990,9862745934498575978,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1020 /prefetch:8
  2⤵
  PID:3188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1888,7643253773880362990,9862745934498575978,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6440 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4156
- C:\Users\Admin\Downloads\EternalRocks.exe
  "C:\Users\Admin\Downloads\EternalRocks.exe"
  2⤵
  - Executes dropped EXE
  PID:5364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,7643253773880362990,9862745934498575978,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:1
  2⤵
  PID:6016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1888,7643253773880362990,9862745934498575978,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7616 /prefetch:8
  2⤵
  PID:5160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1888,7643253773880362990,9862745934498575978,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7532 /prefetch:8
  2⤵
  PID:3016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1888,7643253773880362990,9862745934498575978,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7448 /prefetch:8
  2⤵
  PID:4556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1888,7643253773880362990,9862745934498575978,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7148 /prefetch:8
  2⤵
  PID:2028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1888,7643253773880362990,9862745934498575978,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7192 /prefetch:8
  2⤵
  PID:332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1888,7643253773880362990,9862745934498575978,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6684 /prefetch:8
  2⤵
  PID:3576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1888,7643253773880362990,9862745934498575978,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7288 /prefetch:8
  2⤵
  PID:3204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1888,7643253773880362990,9862745934498575978,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7020 /prefetch:8
  2⤵
  PID:852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1888,7643253773880362990,9862745934498575978,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7612 /prefetch:8
  2⤵
  PID:128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1888,7643253773880362990,9862745934498575978,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7220 /prefetch:8
  2⤵
  PID:6088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1888,7643253773880362990,9862745934498575978,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7908 /prefetch:8
  2⤵
  PID:5388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1888,7643253773880362990,9862745934498575978,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7440 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1692
- C:\Users\Admin\Downloads\Xyeta (12).exe
  "C:\Users\Admin\Downloads\Xyeta (12).exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3364
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3364 -s 472
    3⤵
    - Program crash
    PID:6128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,7643253773880362990,9862745934498575978,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6768 /prefetch:1
  2⤵
  PID:3656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1888,7643253773880362990,9862745934498575978,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=8084 /prefetch:8
  2⤵
  PID:5556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1888,7643253773880362990,9862745934498575978,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7544 /prefetch:8
  2⤵
  PID:4056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1888,7643253773880362990,9862745934498575978,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7284 /prefetch:8
  2⤵
  PID:5116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1888,7643253773880362990,9862745934498575978,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6684 /prefetch:8
  2⤵
  PID:4968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1888,7643253773880362990,9862745934498575978,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7112 /prefetch:8
  2⤵
  PID:5608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1888,7643253773880362990,9862745934498575978,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5132 /prefetch:8
  2⤵
  PID:988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1888,7643253773880362990,9862745934498575978,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7924 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1888,7643253773880362990,9862745934498575978,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2308 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3024
- C:\Users\Admin\Downloads\ChilledWindows.exe
  "C:\Users\Admin\Downloads\ChilledWindows.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID:196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,7643253773880362990,9862745934498575978,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=65 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6952 /prefetch:1
  2⤵
  PID:5168
- C:\Users\Admin\Downloads\Vista (4).exe
  "C:\Users\Admin\Downloads\Vista (4).exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,7643253773880362990,9862745934498575978,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=67 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4032 /prefetch:1
  2⤵
  PID:6112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1888,7643253773880362990,9862745934498575978,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=8056 /prefetch:8
  2⤵
  PID:2564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1888,7643253773880362990,9862745934498575978,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6020 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:5488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,7643253773880362990,9862745934498575978,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=71 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8112 /prefetch:1
  2⤵
  PID:4456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1888,7643253773880362990,9862745934498575978,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=8040 /prefetch:8
  2⤵
  PID:468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1888,7643253773880362990,9862745934498575978,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5064 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1612
- C:\Users\Admin\Downloads\Birele.exe
  "C:\Users\Admin\Downloads\Birele.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5624
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5624 -s 280
    3⤵
    - Program crash
    PID:3288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,7643253773880362990,9862745934498575978,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=75 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8096 /prefetch:1
  2⤵
  PID:3876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1888,7643253773880362990,9862745934498575978,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7056 /prefetch:8
  2⤵
  PID:5208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1888,7643253773880362990,9862745934498575978,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6712 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3324
- C:\Users\Admin\Downloads\7ev3n.exe
  "C:\Users\Admin\Downloads\7ev3n.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  PID:5756
- - C:\Users\Admin\AppData\Local\system.exe
    "C:\Users\Admin\AppData\Local\system.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4080
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\del.bat
      4⤵
      System Location Discovery: System Language Discovery
      PID:3720
  - - C:\Windows\SysWOW64\SCHTASKS.exe
      C:\Windows\System32\SCHTASKS.exe /create /SC ONLOGON /TN uac /TR "C:\Users\Admin\AppData\Local\bcd.bat" /RL HIGHEST /f
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:1188
  - - C:\windows\SysWOW64\cmd.exe
      C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
      4⤵
      System Location Discovery: System Language Discovery
      PID:3092
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
        5⤵
        Modifies WinLogon for persistence
        System Location Discovery: System Language Discovery
        
        PID:5720
  - - C:\windows\SysWOW64\cmd.exe
      C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
      4⤵
      System Location Discovery: System Language Discovery
      PID:5792
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:64
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:4672
  - - C:\windows\SysWOW64\cmd.exe
      C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:64
      4⤵
      System Location Discovery: System Language Discovery
      PID:824
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:64
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2016
  - - C:\windows\SysWOW64\cmd.exe
      C:\windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:64
      4⤵
      System Location Discovery: System Language Discovery
      PID:852
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:64
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1648
  - - C:\windows\SysWOW64\cmd.exe
      C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:64
      4⤵
      System Location Discovery: System Language Discovery
      PID:4216
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:64
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5216
  - - C:\windows\SysWOW64\cmd.exe
      C:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:64
      4⤵
      System Location Discovery: System Language Discovery
      PID:3848
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:64
        5⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:2120
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "crypted" /t REG_SZ /d 1 /f /reg:64
      4⤵
      System Location Discovery: System Language Discovery
      PID:3444
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "crypted" /t REG_SZ /d 1 /f /reg:64
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5024
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c shutdown -r -t 10 -f
      4⤵
      System Location Discovery: System Language Discovery
      PID:1448
    - - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown -r -t 10 -f
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:5540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,7643253773880362990,9862745934498575978,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=79 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4032 /prefetch:1
  2⤵
  PID:4660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1888,7643253773880362990,9862745934498575978,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7308 /prefetch:8
  2⤵
  PID:468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1888,7643253773880362990,9862745934498575978,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3472 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2792
- C:\Users\Admin\Downloads\WannaCry.exe
  "C:\Users\Admin\Downloads\WannaCry.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:504
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 163581726935715.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6100
  - - C:\Windows\SysWOW64\cscript.exe
      cscript //nologo c.vbs
      4⤵
      System Location Discovery: System Language Discovery
      PID:5888
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe f
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3372
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im MSExchange*
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1804
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Microsoft.Exchange.*
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4672
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sqlserver.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:6020
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sqlwriter.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3188

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5804

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4464

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E0 0x00000000000004C0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3364 -ip 3364
1⤵
PID:5548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5624 -ip 5624
1⤵
PID:664

C:\Windows\System32\PickerHost.exe
C:\Windows\System32\PickerHost.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:5268

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39e2855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:5864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\!WannaDecryptor!.exe.lnk

Filesize
590B

MD5
4663f3209acc8b343531172fa9fe9491

SHA1
10d61b8b35ee641db67023203e8cf9a796412371

SHA256
537bb2ec638c05dad561de8931cecc7f883fa057ea6b755939983445bbdee748

SHA512
140aa185ef7d28fd6b37bd8875a247adbe5361c2674dfae3729ff5886e49e736a7a826a021cd5a3fa9e146a372fe3ff88a8b6bf0862e5d70f8fdc04d5902914b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\22ce3952-6a1d-4521-ba3a-be1925ce9409.tmp

Filesize
11KB

MD5
d78fb6124b09e95d1fadb2cbaa97cc32

SHA1
0228f720d221e0fb544600fb33cdce0b408141b7

SHA256
ea6c328d710a9237d9c3aab89432f77f972123591d95dadb87108a7c92eaa327

SHA512
d8e61b1222867ac7fc7e9ea76581b5bfb677fcc5022b4d25c3f50840f2f9533084a2521010b767280056c3a4ca601d9c2270114f586fa0089a3911db00b98eb7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b4ae6009e2df12ce252d03722e8f4288

SHA1
44de96f65d69cbae416767040f887f68f8035928

SHA256
7778069a1493fdb62e6326ba673f03d9a8f46bc0eea949aabbbbc00dcdaddf9d

SHA512
bb810721e52c77793993470692bb2aab0466f13ed4576e4f4cfa6bc5fcfc59c13552299feb6dfd9642ea07b19a5513d90d0698d09ca1d15e0598133929c05fe1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4bf4b59c3deb1688a480f8e56aab059d

SHA1
612c83e7027b3bfb0e9d2c9efad43c5318e731bb

SHA256
867ab488aa793057395e9c10f237603cfb180689298871cdf0511132f9628c82

SHA512
2ec6c89f9653f810e9f80f532abaff2a3c0276f6d299dce1b1eadf6a59e8072ed601a4f9835db25d4d2610482a00dd5a0852d0ef828678f5c5ed33fe64dddca9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000035

Filesize
84KB

MD5
9d15a3b314600b4c08682b0202700ee7

SHA1
208e79cdb96328d5929248bb8a4dd622cf0684d1

SHA256
3ab3833e31e4083026421c641304369acfd31b957b78af81f3c6ef4968ef0e15

SHA512
9916397b782aaafa68eb6a781ea9a0db27f914035dd586142c818ccbd7e69036896767bedba97489d5100de262a554cf14bcdf4a24edda2c5d37217b265398d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
7a5262360fb3e9018796f193f735aeb4

SHA1
ed4563fd68a3c7e6d1de978460228d63020f08ae

SHA256
a3dbe44b75e55fad2805877ab1f33bf76113e32583ce97653530c8095825c8ad

SHA512
978a0998a84cafd432923ff95231be38468c026ad8980313fc9eac4be631e6fb2172804c206b005fcd8a80557e53c830fe8c0dcc470d9aa7b59c47ba6864cbb8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
b641cd0d493a5495b462f4034f59a345

SHA1
8ac2735ab5e8a0a0fbeaa7239b922cae61c67f9d

SHA256
effe8c15162f6ebfff656c1790ff4e07f69977c6e99316e215dcbe1f31508179

SHA512
6693664ee98087c5ebf9d0bb33605dc6b939cb27162948bcad820bde6e74cc67b51f1e165a1cebb69c58fee4edf5df5d656bb8a305a30449b9a1c39885b9b9af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
d7f09d9e205dcd2bf3c1e717429e2c17

SHA1
391f7da2c1a729616aa3afea6002591aeefe1ab6

SHA256
95b7732772838a76103137e70c452663b2a0d0874ad8c2f849b169e20925d27c

SHA512
5d6d7ef79fe595e5a2eedcee29e91e8c44e1f7563e32051f8f6fd860e49aee5d931fa87ea641604901407861232b3121296cea018c77b40283df099dbde5767e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
280754898af7f217f5574f3063aa81e4

SHA1
3884ce9f186d0842021b36727df1c5105f46dbcc

SHA256
ff50c2bc10cbbf2c787064d6766ef3994100103e7d5d861ce965b9a583dce2ee

SHA512
f7744acafac3bf95825b732aa3fc073aef6ee0e18dc2a7e1c972a89736152e95c07db708b74851a256c1a9b3d37ad5891510106bf7388f0c92f1feb439ab9ccd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2076efd56cd193da001bee78ba4667c4

SHA1
995a9b42b31fbd42d56ead83c4f8ef4b702652a4

SHA256
902bc418d53438789d127e7974c9e34e23516faa581f96bc5b444bdca4782593

SHA512
435fb273503f74a6e11c7ad07df3439661f20dc92b3cb3e55e0b0331f753a7acfeb9af0b70f81a2a223850c31b1d73b7ab6991b006b5d5bf45f19a83a74c2a1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0bab0779cec3f1b883d2d66a03ec77e4

SHA1
0f68e04cd9ab4876b478115c81d2fab552afb5be

SHA256
4e618ba909769ab7c8a6c909ae3b0670794607044bb1140cbb59f534314ad96b

SHA512
3a8229fd65b6e66a975a43eb1a6c22c8c62b48ed50a7269e9470f8d245445b89061aa4cd8e0d3af09aa1efa4e453c2a23b30e2b9003c99639eedb7eef5d18e74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
51960e35ace04e499344bad23452835f

SHA1
1068b380132728507f3a763b70d8bb3937d06f50

SHA256
c78eabdf223b67f7759d6ec62eb03431a1187cb8b471c826bd408b36b3107c19

SHA512
57327e542f0cd5351e19b177ec1aca65f0f07be329ce9b9b6a5e7cc80ae1455cc3f7fb9a38487aaee214bcf08cfbb78bee4f713bc03d969f28108f0ba4cfbe9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
bc360bc25271d309ee578028be98fb11

SHA1
30c90c08e9aa180bb52b888a2087d333a6c1841c

SHA256
6c3c61508659b1831e6893bf9ccdd610b9cc36c8dd33b86ea10fb378510f413c

SHA512
b51cd3a128d63e4258bc95d919fc64a6671ce2f83b0162cd5d7964c8085225997df44b7c1ab8a260c760293f455f8e08362fb40919d51f002cb162cfdb40d18d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
1e89fce462025546d62391b4e454b105

SHA1
782fb8f820cea3b7ebba64cc3b09ef8d15450637

SHA256
af5ab26d9ae5f003c9b56c950bf62301f3b2e18a8d9e00f429cd5d3c14e7958d

SHA512
7c3ce4a6bbe491a3432126bc40ae77b659cd7af52f48ffc48b1a1eecda32ea37ae8458abd5ddc5f1c6003302768d869345661994ea9870595d1e9ca84877379a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
913be732197edc1c6955e225dad8ac13

SHA1
fff1002f38ef406c1d259615800374086d619da1

SHA256
034012392d2fa584ae4514479c5dc40c7d94c91468e92782113754402e2c3187

SHA512
4000bb70996ae43934c4d4c09354e134cd67e19cb37bd7ca2bcdba26cb40bd09395cd02c7a33124a58cabbffde00fe83b41dd3824b509217ac3927a5d87f48cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
5dd018b6eda8b379e137a8ec423480ad

SHA1
af7574044363fa481f9e180310219d1dd005f1db

SHA256
621be20ce10449be4f92c3badb46a293ef418221860fbed79547293d4f24f3b8

SHA512
58047e3ef5a71d5966697ef196a0429f20a155f6302cd6f548792ecf62fb25b426c3dfacb824270ab748c7f3637f3f1400a910d605eb1b9982b632fe41f06652

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
56b33013610832d0cfcd8802ffa0d1a8

SHA1
cbc614a5a639ce02fef90017aaa2084530685952

SHA256
1c7044ff21d40c4374cc49f62bfb305df965067b5e3912fbfd4dd615e847a325

SHA512
477dc8ed37bf546444bca498fe89f05527fa92ae71e5ff81468478083a31533a6097be8edcfc9634c9d78b4e3f6657213b471eb6cf72d26cff903123cfffca62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
06a67b2384ec0508e1afbbaedd3fffe6

SHA1
24e4c037109f387ab1d45863a9ace7dc67b0c27f

SHA256
b3bdbe413f73e64d8812e842786561ec7ac7f127be817d06de44a64247f177a3

SHA512
017125ba15de80f9e75effce7968a737b08d3e06491fa7ea94bbb5a33e51b1c2d2c77fab9b1c3b1f0c13ac63053eebf2a4bd38f8ef5fa81a6a71ec6909828da8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
863b6cb424575a52ba0ede0930c50cfd

SHA1
6d165ba1fe8eade14aad42bb5b5a4cba0588d7bb

SHA256
dd019bc0c092a7970976b6c1053ec719c4a12b689bb503a509734c107a723eb3

SHA512
e996502870229399bd38b349c85f7863c93e8c2b4e0c09508c70964d2eb1d2d2dd82af24c42f96765cec635bff3a23e55dd8b2fda380f7af139139bbd30e2991

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
1817f16f013f88f3d4f245b2b6679393

SHA1
2a90a2db8f4aa9dd8ea4d7422cc1972a7c1a4fa7

SHA256
6943fe5af29dcd8b7bf1e5d512eeaab9c2d4c1cbad83e421e81f1bb8049a8cf4

SHA512
ab1d07865b8d93a4a7d3ccbf6a8335223cf8be1d3333507116dbedf08251689909ef863fc35c9662f05e216959de1ff445e9087163cdb4f23e73c3efa688fa6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
9a0bd0dda4d30afefeb4f4c53ef4f9a1

SHA1
3f47b8746d456f07a77c33b7a2e35d29b3a4107c

SHA256
99d0d790ccbb115b8aaebb39dcbbd07a2d37d9b73cb827bf0b4b70bf380347fb

SHA512
5a107122c6ea6fe1b8e99d8a67a37498b2d0acd0d133daff2b30a530aeabead07ea76dc9f71991ebf6ab7ebaa88ddabaeec3956fc88629acc355b71c6c123947

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
68c905681f1689c6255877e2ad7f1be3

SHA1
5aafb4701ec0cbbdab94c9c083bc6e01d0d5bda3

SHA256
d14c80590e357865c71a5d81013dcdf445c9f12719be01f80ee35150ecc1596b

SHA512
21a161e14efdb230037617d17ef34e2b48c9f971d1eee7e325937de2dad8b1499d956aa30579c84c589d992fc7cec0261cafec05aec2e61dfee9b07a5281db21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
777f721a2d9008ff2ca45bc72d9d7983

SHA1
f3941d7a57efc4ec83c9f2adb0cc57dc14f6a9cb

SHA256
037c932edddd5ae92f2dc637cb77f0fcd10b754ce2f220760ca3e96893b41bae

SHA512
76a9598374ff6a4ad900da48c1a9b554d26cf19af9246deee8d3249f3a15d6205ec2a413687ef27bbe31eaad2b802ea80e1e6c942e8114fce8899a39cb4b7bdd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
f1702e901b8f2720c8f605eb8fb1b491

SHA1
c2cc60212f7fab9c6a15f5eb9981cfbc765d5615

SHA256
e8bd29abca17ba5d0551606e5407004d347462b900cff4eec7d14bbcf80232d0

SHA512
93dcd11e481a49e70a84433dfff77144bc8543c4622feb92a72d546bbb142c9b24be487149378004b627a79219b29b8652317886ecaf8f57c478756c2302f91d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
f40c9ec7594b52563f5012c714ef78ad

SHA1
13af52ca903cc200f586ff073d6e6aa0a74c9471

SHA256
d32a3bba67d3b7ef1342571ddad9fac2286be4ced5fa116c97024cb0f771a1cb

SHA512
f8df922b69142f277eaff3e6c9b6c57bc05d01bb5711da9fa1b8b9b3e437dc08f17f154e2f1af64075a227d83a123fb65ae6fb437fac25d23890c9bfbc36c8d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
77f4753e2a84d24664e06b717c42e3f5

SHA1
6bb4ca8be49b634142f975d6c1f13bc18a8eee4d

SHA256
c284223b3cf68af108b781377f3db66b5c5737df54bf34e01618296df7c2461a

SHA512
09d7f99246e54ddc235bbc4912cf597d66a97e256ffc2348f84758abdc409043d2b03933c57613a908e30149ee65657e1aee280e7630fff6ecb1fe11ed087fef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
dc9a3cc88672dccf2eaf2857a6a09b9c

SHA1
47c3a9c07254744c8a8d789fc6d94532e3756675

SHA256
7596be36a86320bc9e9401529cde9ad3872e7eb46ded0a040c72fb78b8606f75

SHA512
05da9e17192b56f1d7b8991136e78b1333c88047044120eb6fe6c1be70a64a6907bdd6abd78c6ff4b3eb0a5a2d2c62d5c5a03f76a32bbb275298ba2ad4de0f6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
742d85d1c5897ce6f9f6754d66391969

SHA1
ee2fd7c14dbc100f1e09464624c49c4aaeaf27f2

SHA256
c7e6785bda1ca5f0e85a18dcddb65219c65a4dc590926e50206269dab440f11d

SHA512
263c230eb68f32e16e2371e8f954afe01133fbaad812a082b6d461ff18847910c2286af8fb016eee7e56e2cb136339d3f6715ba1d8ac4eef6aa7a645b166f082

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
aa631a12780946eef91f691f655de0da

SHA1
20023277cee6d950064f3c0f80789532f20dfb4d

SHA256
69a074e1cdce3e27d5036264c2946330339d8d6821159d02c9c2617766eb97fd

SHA512
ef1c33e64a6c46e740c8b0e2d57056c28d2c6679a8b2a133e5afa211d33a21097e2d50bc0ad936cbf3b18b37fbb446309547764062774a48026a890b1de52078

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
513943a3e787dfd8975111d918614ce7

SHA1
9ff438779e6d6387b938c241b3a593090c102305

SHA256
91be5fbfd7fab91f73175764f26413793de4c2d5115fac88cb463d4757a42862

SHA512
79b3bb3c7205f04d4d21001b3962654a58b6eb60e6a361a9d750bb1188ca5f4ccc9d150d685eadbbd50cb590fe5eb73c4ab2b5c2a02515d8e5d0bb4cf5d41b51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c4f9a43ae2be18d7cb0982a3e5adbd82

SHA1
493815459e118b67b63b6f26471cfdd2977602ff

SHA256
d19a0ab3e95b891902e8cf36acb01f71538f71425603cc2aaa417c656049f965

SHA512
cfa4576c3e6dd4cabb461fccdf1c36a79a864562c47cc2afc772502211fc4a2010d28b693ed9faf78a027ffa6dea4dfda3c179fde28c05c2d384396c18115765

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
3e94e184eeca82d04f25a2d67c41f964

SHA1
26dffd44bb0947b05d529f1f5d69ea8f2fe9937e

SHA256
9bae0755e6e786245d85deb8e0c0781a3b7f93da8c3af5eaa9e2b159498a2fdd

SHA512
8459c433e137a24b472e813ff35549a9c19f2e2c0eeb253cbc35a5f899e697c41b0b08618f1f9f032c968a8ceb221c3f1e535e254560a5aba155b56313193aa1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d9c236f64ca2a81b61ed2db6c169e031

SHA1
e938457993b01d374c9c83f015d420e5f82f5758

SHA256
0a111ccbae8e076cc4177f2928fe2a29ab71dddb743b6a81290dace886bf80b1

SHA512
8933ef072bde5300beb42407b98f5af71dd4e2f23c49ed99aaed372b4048475babbf439c0ab5687b0936f241209c9fdf8f5091d52a0b4dab25607c2c4abcb7c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58468a.TMP

Filesize
705B

MD5
63271cba55155a6dbb417453682165bd

SHA1
4ae678e1bed27abfe1d7a3f2ba628817f8020a1c

SHA256
0de99e6c0c7b39e8a54f13e5ac4b127d06a63af5c1726f382e228aa99e68ed3c

SHA512
a1fec91db6c6766f657b4d9d253c5ed21747f23d6976579047c622d624a61fdff802f509ffc35883438699f7565c339a1535a30f162ffde44ad486356f3a9348

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
9f290d8c586ac782c093f1c7d6ca391b

SHA1
f3dff61793eaea77128941816933b2c03d04a2b3

SHA256
9755015db1cd02a5f8dfeeb2732a7686822291d6450dedbe74b8f842809ed7d0

SHA512
b8736422d51fd48567005fc25cd4550337f04ecbb6e7d0d3eca938174076160a8b635b50968e5ade5a6d2e9013f912726f3675520cddd076f9d75bf1641f3599

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
aac9d4357a64fcdfe7fa4ce8315de489

SHA1
b4ea72a31867d925bc256485ed814dfd3576a443

SHA256
ae0df6d435b49e4560a062711e95a14379b1191bca9217e6f7d1c3d0ec9e9992

SHA512
39384861c4193a16b86a53546e949fd44b18e4f1953e24a53489ce61249feecf650cfacf1372dfd821dedaa00aabf81ebe98742bd22481163fbc91151518c358

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
2597ed36073ae49940633566249e49dd

SHA1
d8b5b141d395c4efbc8367c31cffbb5d323e761a

SHA256
c9436886032d1727606336124b33b018fb7e039733e205208112e1d652686fd4

SHA512
bcb0f3ae652b8b6aab146857c2c3b786037af6589316f116dab7c3b55876c656a9268cdb562afecb77af35111a0329319785f2975b6def501abbf33adfef6e43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
87491925a6d28a3daac8d42ad6b70241

SHA1
f9873205dae09dcb7dc92d232ea9170c86d11645

SHA256
ee6d5888d5376e08f5b5c4b9ffafb86bd5695c1eddee8ac52698ec40d7f92cd6

SHA512
ca79684073fa832d8675560e33aa360a701c28113bb81b0e94b39f6c4547e10f04537adf214e51dcab62bb20c10b499172fdbfbaa6c5ee093f312c48e73be45c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
5f989c0d56d2fda0f15c42d061f9cba8

SHA1
0829ce03dc292877b2a261ac64da4798b252f3d3

SHA256
96779f617b7fb239de9fd762f78f96b04940865cd06cb1700c45d2c2dde38abe

SHA512
6a56f33e710530aa6be0b5586d7ad3b1f641b1bd022b6fd8a25f492bca6dbc42dc26605faef41655c5f3fda6c1f880b18d5bffd763f84f56fdbf2765c08ec91e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
1c4b7e4a555596f4ea240dc12202a00d

SHA1
f7ef4060466a63a9640768f746e7721fa9d0e3dc

SHA256
6679c0651dc0a0211b5028d35ddc3cf4023e8c649ad91db9131c5ca742d217be

SHA512
8376d8f1575a7fa062d337ef42e4819d253971e2dc722cf62884d166a1e2a825dff263f8034876e042b5e3439aa7eb678089e0db632f5494e3dd380abf63b55a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\a15a3fb1-f83b-49af-be1b-28a607149384.tmp

Filesize
10KB

MD5
a02384bb07f6178563f2b4a03a81eb07

SHA1
21e041529311eae075014fa05edc181e1770d6e9

SHA256
51423b9553077e83484eb66c3ea4e8f6b9e92e9a3a2db6de42fa779680e1e264

SHA512
02c21a9e176b68d9458457a9891b40835c63de0c28ce36edb0264bfe741d459dec6348e3d3e15b596313060c8aafc66d7dc16c0c6afd01d7c423e3744ec02814

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
640KB

MD5
a0528d39b87514f3497f9d335b74468f

SHA1
b69fa694b8fbae3a770b0c2ee97fd93e4f5400c1

SHA256
fd87eb7c89e52351df3bf4597229b9e492913dc77221bcbb68a7200873d7e8c6

SHA512
78447b5e0066cb39c7870dba8dcede55b67f2dfd546223bb518ab0d0b1c2754d0894f6efeebf49eae668f021fb77ada0f084e377313d4c6e293977b22d06a922

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\Downloads\!Please Read Me!.txt

Filesize
797B

MD5
afa18cf4aa2660392111763fb93a8c3d

SHA1
c219a3654a5f41ce535a09f2a188a464c3f5baf5

SHA256
227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0

SHA512
4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b

Download Submit
C:\Users\Admin\Downloads\55c86f3d-5036-4d10-b95f-d2ea8b790803.tmp

Filesize
1.9MB

MD5
faa6cb3e816adaeaabf2930457c79c33

SHA1
6539de41b48d271bf4237e6eb09b0ee40f9a2140

SHA256
6680317e6eaa04315b47aaadd986262cd485c8a4bd843902f4c779c858a3e31b

SHA512
58859556771203d736ee991b651a6a409de7e3059c2afe81d4545864295c383f75cfbabf3cffaa0c412a6ec27bf939f0893c28152f53512c7885e597db8d2c66

Download Submit
C:\Users\Admin\Downloads\Hydra.exe:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 166385.crdownload

Filesize
43KB

MD5
b2eca909a91e1946457a0b36eaf90930

SHA1
3200c4e4d0d4ece2b2aadb6939be59b91954bcfa

SHA256
0b6c0af51cde971b3e5f8aa204f8205418ab8c180b79a5ac1c11a6e0676f0f7c

SHA512
607d20e4a46932c7f4d9609ef9451e2303cd79e7c4778fe03f444e7dc800d6de7537fd2648c7c476b9f098588dc447e8c39d8b21cd528d002dfa513a19c6ebbf

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 177758.crdownload

Filesize
4.4MB

MD5
6a4853cd0584dc90067e15afb43c4962

SHA1
ae59bbb123e98dc8379d08887f83d7e52b1b47fc

SHA256
ccb9502bf8ba5becf8b758ca04a5625c30b79e2d10d2677cc43ae4253e1288ec

SHA512
feb223e0de9bd64e32dc4f3227e175b58196b5e614bca8c2df0bbca2442a564e39d66bcd465154149dc7ebbd3e1ca644ed09d9a9174b52236c76e7388cb9d996

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 377682.crdownload

Filesize
760KB

MD5
515198a8dfa7825f746d5921a4bc4db9

SHA1
e1da0b7f046886c1c4ff6993f7f98ee9a1bc90ae

SHA256
0fda176b199295f72fafc3bc25cefa27fa44ed7712c3a24ca2409217e430436d

SHA512
9e47037fe40b79ebf056a9c6279e318d85da9cd7e633230129d77a1b8637ecbafc60be38dd21ca9077ebfcb9260d87ff7fcc85b8699b3135148fe956972de3e8

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 419172.crdownload

Filesize
5.0MB

MD5
c52f20a854efb013a0a1248fd84aaa95

SHA1
8a2cfe220eebde096c17266f1ba597a1065211ab

SHA256
cf8533849ee5e82023ad7adbdbd6543cb6db596c53048b1a0c00b3643a72db30

SHA512
07b057d4830d3e2d17c7400d56f969c614a8bae4ba1a13603bb53decd1890ddcfbaad452c59cc88e474e2fd3abd62031bf399c2d7cf6dc69405dc8afcea55b9a

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 438106.crdownload:SmartScreen

Filesize
7B

MD5
4047530ecbc0170039e76fe1657bdb01

SHA1
32db7d5e662ebccdd1d71de285f907e3a1c68ac5

SHA256
82254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750

SHA512
8f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 56335.crdownload

Filesize
315KB

MD5
9f8bc96c96d43ecb69f883388d228754

SHA1
61ed25a706afa2f6684bb4d64f69c5fb29d20953

SHA256
7d373ccb96d1dbb1856ef31afa87c2112a0c1795a796ab01cb154700288afec5

SHA512
550a891c1059f58aa983138caf65a7ea9c326cb1b94c15f3e7594128f6e9f1295b9c2dbc0925637dba7c94e938083fffc6a63dc7c2e5b1e247679931cce505c6

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 635314.crdownload

Filesize
224KB

MD5
5c7fb0927db37372da25f270708103a2

SHA1
120ed9279d85cbfa56e5b7779ffa7162074f7a29

SHA256
be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844

SHA512
a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f89224c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 694975.crdownload

Filesize
116KB

MD5
41789c704a0eecfdd0048b4b4193e752

SHA1
fb1e8385691fa3293b7cbfb9b2656cf09f20e722

SHA256
b2dcfdf9e7b09f2aa5004668370e77982963ace820e7285b2e264a294441da23

SHA512
76391ac85fdc3be75441fcd6e19bed08b807d3946c7281c647f16a3be5388f7be307e6323fac8502430a4a6d800d52a88709592a49011ecc89de4f19102435ea

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 728954.crdownload

Filesize
313KB

MD5
fe1bc60a95b2c2d77cd5d232296a7fa4

SHA1
c07dfdea8da2da5bad036e7c2f5d37582e1cf684

SHA256
b3e1e9d97d74c416c2a30dd11858789af5554cf2de62f577c13944a19623777d

SHA512
266c541a421878e1e175db5d94185c991cec5825a4bc50178f57264f3556080e6fe984ed0380acf022ce659aa1ca46c9a5e97efc25ff46cbfd67b9385fd75f89

Download Submit
C:\Users\Admin\Downloads\WindowsUpdate.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\chilledwindows.mp4

Filesize
3.6MB

MD5
698ddcaec1edcf1245807627884edf9c

SHA1
c7fcbeaa2aadffaf807c096c51fb14c47003ac20

SHA256
cde975f975d21edb2e5faa505205ab8a2c5a565ba1ff8585d1f0e372b2a1d78b

SHA512
a2c326f0c653edcd613a3cefc8d82006e843e69afc787c870aa1b9686a20d79e5ab4e9e60b04d1970f07d88318588c1305117810e73ac620afd1fb6511394155

Download Submit
C:\Users\Admin\Downloads\u.wry

Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
memory/196-1082-0x000000001C890000-0x000000001C89E000-memory.dmp

Filesize
56KB

Download
memory/196-1081-0x000000001C8C0000-0x000000001C8F8000-memory.dmp

Filesize
224KB

Download
memory/196-1080-0x000000001C810000-0x000000001C818000-memory.dmp

Filesize
32KB

Download
memory/196-1068-0x0000000000FA0000-0x0000000001404000-memory.dmp

Filesize
4.4MB

Download
memory/504-1725-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download
memory/504-1460-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download
memory/2960-544-0x00000000056E0000-0x0000000005C86000-memory.dmp

Filesize
5.6MB

Download
memory/2960-546-0x00000000052C0000-0x00000000052CA000-memory.dmp

Filesize
40KB

Download
memory/2960-543-0x0000000000770000-0x0000000000780000-memory.dmp

Filesize
64KB

Download
memory/2960-545-0x0000000005210000-0x00000000052A2000-memory.dmp

Filesize
584KB

Download
memory/3364-972-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/3364-962-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/4412-1739-0x0000000000400000-0x0000000000ABC000-memory.dmp

Filesize
6.7MB

Download
memory/4412-1182-0x0000000000400000-0x0000000000ABC000-memory.dmp

Filesize
6.7MB

Download
memory/4412-1160-0x0000000000400000-0x0000000000ABC000-memory.dmp

Filesize
6.7MB

Download
memory/4412-1211-0x0000000000400000-0x0000000000ABC000-memory.dmp

Filesize
6.7MB

Download
memory/5364-797-0x0000000001220000-0x0000000001228000-memory.dmp

Filesize
32KB

Download
memory/5364-795-0x000000001D630000-0x000000001DB40000-memory.dmp

Filesize
5.1MB

Download
memory/5364-720-0x000000001C300000-0x000000001C7CE000-memory.dmp

Filesize
4.8MB

Download
memory/5364-719-0x000000001B780000-0x000000001BBAE000-memory.dmp

Filesize
4.2MB

Download
memory/5364-796-0x000000001DBE0000-0x000000001DC7C000-memory.dmp

Filesize
624KB

Download
memory/5624-1260-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5624-1258-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5624-1257-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads