mimikatz | hxxp://google[.]com

Resubmissions

03-12-2024 23:11

241203-26qqpavlhm 8

03-12-2024 23:06

03-12-2024 23:04

03-12-2024 23:01

03-12-2024 22:58

Analysis

max time kernel
114s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-12-2024 23:06

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

http://google.com

Score

10^/10

mimikatz bootkit discovery persistence spyware stealer

Malware Config

Signatures

Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz
Mimikatz family
mimikatz

mimikatz is an open source tool to dump credentials on Windows 1 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x0003000000000713-459.dat	mimikatz

Downloads MZ/PE file

Checks computer location settings 2 TTPs 10 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

NotPetya.exeNotPetya (1).exeNotPetya.exeNotPetya.exeNotPetya.exeNotPetya.exeNotPetya (1).exeNotPetya.exeNotPetya.exeNotPetya.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	NotPetya.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	NotPetya (1).exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	NotPetya.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	NotPetya.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	NotPetya.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	NotPetya.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	NotPetya (1).exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	NotPetya.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	NotPetya.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	NotPetya.exe

Executes dropped EXE 14 IoCs

Processes:

NotPetya.exeNotPetya.exeNotPetya.exe6F7E.tmpNotPetya.exeNotPetya.exeNotPetya.exeNotPetya.exeNotPetya.exeNotPetya (1).exeNotPetya (1).exePetya.A.exePetya.A.exePetya.A.exe

pid	Process
4604	NotPetya.exe
5164	NotPetya.exe
5324	NotPetya.exe
2008	6F7E.tmp
4416	NotPetya.exe
5672	NotPetya.exe
5888	NotPetya.exe
5124	NotPetya.exe
1892	NotPetya.exe
4924	NotPetya (1).exe
956	NotPetya (1).exe
5440	Petya.A.exe
380	Petya.A.exe
3676	Petya.A.exe

Loads dropped DLL 6 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exe

pid	Process
5008	rundll32.exe
5204	rundll32.exe
404	rundll32.exe
4280	rundll32.exe
5300	rundll32.exe
1928	rundll32.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

Processes:

flow	ioc
114	raw.githubusercontent.com
115	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

Processes:

rundll32.exePetya.A.exe

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	rundll32.exe
File opened for modification	\??\PhysicalDrive0	Petya.A.exe

Drops file in Program Files directory 56 IoCs

Processes:

rundll32.exe

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCallbacks.h	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\win32\jni_md.h	rundll32.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Archive.zip	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Adobe Acrobat Pro DC.pdf	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.XLS	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\ENUtxt.pdf	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\jvmti.h	rundll32.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\deploy\ffjcext.zip	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Complex Machine.pdf	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgePackages.h	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\jni.h	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\jvmticmlr.h	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\Office16\OSPP.VBS	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\PDFSigQFormalRep.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileAcrobatCard_Dark.pdf	rundll32.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrome.7z	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\HomeBanner_Dark.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Welcome.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\Words.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Click on 'Change' to select default PDF handler.pdf	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\amd64\jvm.cfg	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC	rundll32.exe
File opened for modification	C:\Program Files\RequestCheckpoint.7z	rundll32.exe
File opened for modification	C:\Program Files\MergeUnprotect.doc	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.XLS	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\AdobeID.pdf	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\classfile_constants.h	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileAcrobatCard_Light.pdf	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCalls.h	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\jawt.h	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.PPT	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\DefaultID.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileScanCard_Light.pdf	rundll32.exe
File opened for modification	C:\Program Files\GrantConnect.rar	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\ffjcext.zip	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.PPT	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Web Server Extensions\16\BIN\1033\FPEXT.MSG	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\HomeBanner_Light.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Adobe Cloud Services.pdf	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCalls.c	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileScanCard_Dark.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Bus Schedule.pdf	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\javafx-src.zip	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\SHELLNEW\EXCEL12.XLSX	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.cfg	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\win32\jawt_md.h	rundll32.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\amd64\jvm.cfg	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\SAMPLES\SOLVSAMP.XLS	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Adobe Sign White Paper.pdf	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\jdwpTransport.h	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\java.settings.cfg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf	rundll32.exe

Drops file in Windows directory 18 IoCs

Processes:

rundll32.exerundll32.exeNotPetya.exeNotPetya.exeNotPetya.exeNotPetya (1).exeNotPetya (1).exeNotPetya.exeNotPetya.exeNotPetya.exerundll32.exerundll32.exeNotPetya.exeNotPetya.exerundll32.exerundll32.exe

description	ioc	Process
File created	C:\Windows\perfc	rundll32.exe
File opened for modification	C:\Windows\perfc.dat	rundll32.exe
File created	C:\Windows\perfc.dat	NotPetya.exe
File opened for modification	C:\Windows\perfc.dat	rundll32.exe
File created	C:\Windows\dllhost.dat	rundll32.exe
File created	C:\Windows\perfc.dat	NotPetya.exe
File opened for modification	C:\Windows\perfc.dat	NotPetya.exe
File opened for modification	C:\Windows\perfc.dat	NotPetya (1).exe
File created	C:\Windows\perfc.dat	NotPetya (1).exe
File created	C:\Windows\perfc.dat	NotPetya.exe
File created	C:\Windows\perfc.dat	NotPetya.exe
File opened for modification	C:\Windows\perfc.dat	NotPetya.exe
File opened for modification	C:\Windows\perfc.dat	rundll32.exe
File opened for modification	C:\Windows\perfc.dat	rundll32.exe
File created	C:\Windows\perfc.dat	NotPetya.exe
File created	C:\Windows\perfc.dat	NotPetya.exe
File opened for modification	C:\Windows\perfc.dat	rundll32.exe
File opened for modification	C:\Windows\perfc.dat	rundll32.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 24 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exeschtasks.exeNotPetya.exerundll32.exerundll32.exerundll32.exePetya.A.exerundll32.exerundll32.exerundll32.exeNotPetya (1).exeNotPetya.exerundll32.exeNotPetya.exerundll32.exeNotPetya.exeNotPetya.exeNotPetya.exePetya.A.exeNotPetya.exerundll32.exeNotPetya.exerundll32.exeNotPetya (1).exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NotPetya.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Petya.A.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NotPetya (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NotPetya.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NotPetya.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NotPetya.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NotPetya.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NotPetya.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Petya.A.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NotPetya.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NotPetya.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NotPetya (1).exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 3 IoCs

Processes:

msedge.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 319317.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 189923.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 22415.crdownload:SmartScreen	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exe

pid	Process
4008	schtasks.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exerundll32.exe6F7E.tmprundll32.exerundll32.exerundll32.exerundll32.exemsedge.exerundll32.exemsedge.exe

pid	Process
560	msedge.exe
560	msedge.exe
1448	msedge.exe
1448	msedge.exe
3048	identity_helper.exe
3048	identity_helper.exe
5996	msedge.exe
5996	msedge.exe
5008	rundll32.exe
5008	rundll32.exe
2008	6F7E.tmp
2008	6F7E.tmp
2008	6F7E.tmp
2008	6F7E.tmp
2008	6F7E.tmp
2008	6F7E.tmp
2008	6F7E.tmp
5204	rundll32.exe
5204	rundll32.exe
404	rundll32.exe
404	rundll32.exe
4280	rundll32.exe
4280	rundll32.exe
5300	rundll32.exe
5300	rundll32.exe
3488	msedge.exe
3488	msedge.exe
1928	rundll32.exe
1928	rundll32.exe
1208	msedge.exe
1208	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs

Processes:

msedge.exe

pid	Process
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

Processes:

rundll32.exe6F7E.tmprundll32.exerundll32.exerundll32.exerundll32.exerundll32.exePetya.A.exe

description	pid	Process
Token: SeShutdownPrivilege	5008	rundll32.exe
Token: SeDebugPrivilege	5008	rundll32.exe
Token: SeTcbPrivilege	5008	rundll32.exe
Token: SeDebugPrivilege	2008	6F7E.tmp
Token: SeShutdownPrivilege	5204	rundll32.exe
Token: SeDebugPrivilege	5204	rundll32.exe
Token: SeTcbPrivilege	5204	rundll32.exe
Token: SeShutdownPrivilege	404	rundll32.exe
Token: SeDebugPrivilege	404	rundll32.exe
Token: SeTcbPrivilege	404	rundll32.exe
Token: SeShutdownPrivilege	4280	rundll32.exe
Token: SeDebugPrivilege	4280	rundll32.exe
Token: SeTcbPrivilege	4280	rundll32.exe
Token: SeShutdownPrivilege	5300	rundll32.exe
Token: SeDebugPrivilege	5300	rundll32.exe
Token: SeTcbPrivilege	5300	rundll32.exe
Token: SeShutdownPrivilege	1928	rundll32.exe
Token: SeDebugPrivilege	1928	rundll32.exe
Token: SeTcbPrivilege	1928	rundll32.exe
Token: SeShutdownPrivilege	5440	Petya.A.exe

Suspicious use of FindShellTrayWindow 55 IoCs

Processes:

msedge.exe

pid	Process
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	Process
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe
1448	msedge.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

NotPetya.exeNotPetya.exeNotPetya.exeNotPetya.exeNotPetya.exeNotPetya.exeNotPetya.exeNotPetya.exeNotPetya (1).exeNotPetya (1).exePetya.A.exePetya.A.exe

pid	Process
4604	NotPetya.exe
5164	NotPetya.exe
5324	NotPetya.exe
4416	NotPetya.exe
5672	NotPetya.exe
5888	NotPetya.exe
5124	NotPetya.exe
1892	NotPetya.exe
4924	NotPetya (1).exe
956	NotPetya (1).exe
5440	Petya.A.exe
380	Petya.A.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	Process	procid_target
PID 1448 wrote to memory of 4524	1448	msedge.exe	83
PID 1448 wrote to memory of 4524	1448	msedge.exe	83
PID 1448 wrote to memory of 2208	1448	msedge.exe	84
PID 1448 wrote to memory of 2208	1448	msedge.exe	84
PID 1448 wrote to memory of 2208	1448	msedge.exe	84
PID 1448 wrote to memory of 2208	1448	msedge.exe	84
PID 1448 wrote to memory of 2208	1448	msedge.exe	84
PID 1448 wrote to memory of 2208	1448	msedge.exe	84
PID 1448 wrote to memory of 2208	1448	msedge.exe	84
PID 1448 wrote to memory of 2208	1448	msedge.exe	84
PID 1448 wrote to memory of 2208	1448	msedge.exe	84
PID 1448 wrote to memory of 2208	1448	msedge.exe	84
PID 1448 wrote to memory of 2208	1448	msedge.exe	84
PID 1448 wrote to memory of 2208	1448	msedge.exe	84
PID 1448 wrote to memory of 2208	1448	msedge.exe	84
PID 1448 wrote to memory of 2208	1448	msedge.exe	84
PID 1448 wrote to memory of 2208	1448	msedge.exe	84
PID 1448 wrote to memory of 2208	1448	msedge.exe	84
PID 1448 wrote to memory of 2208	1448	msedge.exe	84
PID 1448 wrote to memory of 2208	1448	msedge.exe	84
PID 1448 wrote to memory of 2208	1448	msedge.exe	84
PID 1448 wrote to memory of 2208	1448	msedge.exe	84
PID 1448 wrote to memory of 2208	1448	msedge.exe	84
PID 1448 wrote to memory of 2208	1448	msedge.exe	84
PID 1448 wrote to memory of 2208	1448	msedge.exe	84
PID 1448 wrote to memory of 2208	1448	msedge.exe	84
PID 1448 wrote to memory of 2208	1448	msedge.exe	84
PID 1448 wrote to memory of 2208	1448	msedge.exe	84
PID 1448 wrote to memory of 2208	1448	msedge.exe	84
PID 1448 wrote to memory of 2208	1448	msedge.exe	84
PID 1448 wrote to memory of 2208	1448	msedge.exe	84
PID 1448 wrote to memory of 2208	1448	msedge.exe	84
PID 1448 wrote to memory of 2208	1448	msedge.exe	84
PID 1448 wrote to memory of 2208	1448	msedge.exe	84
PID 1448 wrote to memory of 2208	1448	msedge.exe	84
PID 1448 wrote to memory of 2208	1448	msedge.exe	84
PID 1448 wrote to memory of 2208	1448	msedge.exe	84
PID 1448 wrote to memory of 2208	1448	msedge.exe	84
PID 1448 wrote to memory of 2208	1448	msedge.exe	84
PID 1448 wrote to memory of 2208	1448	msedge.exe	84
PID 1448 wrote to memory of 2208	1448	msedge.exe	84
PID 1448 wrote to memory of 2208	1448	msedge.exe	84
PID 1448 wrote to memory of 560	1448	msedge.exe	85
PID 1448 wrote to memory of 560	1448	msedge.exe	85
PID 1448 wrote to memory of 1512	1448	msedge.exe	86
PID 1448 wrote to memory of 1512	1448	msedge.exe	86
PID 1448 wrote to memory of 1512	1448	msedge.exe	86
PID 1448 wrote to memory of 1512	1448	msedge.exe	86
PID 1448 wrote to memory of 1512	1448	msedge.exe	86
PID 1448 wrote to memory of 1512	1448	msedge.exe	86
PID 1448 wrote to memory of 1512	1448	msedge.exe	86
PID 1448 wrote to memory of 1512	1448	msedge.exe	86
PID 1448 wrote to memory of 1512	1448	msedge.exe	86
PID 1448 wrote to memory of 1512	1448	msedge.exe	86
PID 1448 wrote to memory of 1512	1448	msedge.exe	86
PID 1448 wrote to memory of 1512	1448	msedge.exe	86
PID 1448 wrote to memory of 1512	1448	msedge.exe	86
PID 1448 wrote to memory of 1512	1448	msedge.exe	86
PID 1448 wrote to memory of 1512	1448	msedge.exe	86
PID 1448 wrote to memory of 1512	1448	msedge.exe	86
PID 1448 wrote to memory of 1512	1448	msedge.exe	86
PID 1448 wrote to memory of 1512	1448	msedge.exe	86
PID 1448 wrote to memory of 1512	1448	msedge.exe	86
PID 1448 wrote to memory of 1512	1448	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://google.com
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdc45246f8,0x7ffdc4524708,0x7ffdc4524718
  2⤵
  PID:4524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1888,16805129943349480457,17098682105518709411,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1892 /prefetch:2
  2⤵
  PID:2208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1888,16805129943349480457,17098682105518709411,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1888,16805129943349480457,17098682105518709411,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2712 /prefetch:8
  2⤵
  PID:1512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,16805129943349480457,17098682105518709411,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:2548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,16805129943349480457,17098682105518709411,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:3732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,16805129943349480457,17098682105518709411,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4764 /prefetch:1
  2⤵
  PID:3520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,16805129943349480457,17098682105518709411,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4916 /prefetch:1
  2⤵
  PID:908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,16805129943349480457,17098682105518709411,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5208 /prefetch:1
  2⤵
  PID:1172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,16805129943349480457,17098682105518709411,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:1
  2⤵
  PID:5072
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1888,16805129943349480457,17098682105518709411,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6020 /prefetch:8
  2⤵
  PID:444
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1888,16805129943349480457,17098682105518709411,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6020 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,16805129943349480457,17098682105518709411,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5524 /prefetch:1
  2⤵
  PID:3964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,16805129943349480457,17098682105518709411,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:1
  2⤵
  PID:4340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,16805129943349480457,17098682105518709411,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:1
  2⤵
  PID:1164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1888,16805129943349480457,17098682105518709411,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5264 /prefetch:8
  2⤵
  PID:2860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,16805129943349480457,17098682105518709411,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5724 /prefetch:1
  2⤵
  PID:5212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,16805129943349480457,17098682105518709411,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:1
  2⤵
  PID:5224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,16805129943349480457,17098682105518709411,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:1
  2⤵
  PID:3520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,16805129943349480457,17098682105518709411,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1220 /prefetch:1
  2⤵
  PID:524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,16805129943349480457,17098682105518709411,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6432 /prefetch:1
  2⤵
  PID:2896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,16805129943349480457,17098682105518709411,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:1
  2⤵
  PID:3700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1888,16805129943349480457,17098682105518709411,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6368 /prefetch:8
  2⤵
  PID:5736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,16805129943349480457,17098682105518709411,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2120 /prefetch:1
  2⤵
  PID:5744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1888,16805129943349480457,17098682105518709411,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6856 /prefetch:8
  2⤵
  PID:5840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1888,16805129943349480457,17098682105518709411,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7044 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5996
- C:\Users\Admin\Downloads\NotPetya.exe
  "C:\Users\Admin\Downloads\NotPetya.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4604
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Windows\perfc.dat #1
    3⤵
    - Loads dropped DLL
    - Writes to the Master Boot Record (MBR)
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5008
  - - C:\Windows\SysWOW64\cmd.exe
      /c schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 00:11
      4⤵
      System Location Discovery: System Language Discovery
      PID:5360
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 00:11
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:4008
  - - C:\Users\Admin\AppData\Local\Temp\6F7E.tmp
      "C:\Users\Admin\AppData\Local\Temp\6F7E.tmp" \\.\pipe\{20E46E24-9A77-414A-963F-05481598FF89}
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2008
- C:\Users\Admin\Downloads\NotPetya.exe
  "C:\Users\Admin\Downloads\NotPetya.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5164
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Windows\perfc.dat #1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5932
- C:\Users\Admin\Downloads\NotPetya.exe
  "C:\Users\Admin\Downloads\NotPetya.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5324
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Windows\perfc.dat #1
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5204
- C:\Users\Admin\Downloads\NotPetya.exe
  "C:\Users\Admin\Downloads\NotPetya.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4416
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Windows\perfc.dat #1
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:404
- C:\Users\Admin\Downloads\NotPetya.exe
  "C:\Users\Admin\Downloads\NotPetya.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5672
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Windows\perfc.dat #1
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4280
- C:\Users\Admin\Downloads\NotPetya.exe
  "C:\Users\Admin\Downloads\NotPetya.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5888
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Windows\perfc.dat #1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2096
- C:\Users\Admin\Downloads\NotPetya.exe
  "C:\Users\Admin\Downloads\NotPetya.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5124
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Windows\perfc.dat #1
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5300
- C:\Users\Admin\Downloads\NotPetya.exe
  "C:\Users\Admin\Downloads\NotPetya.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1892
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Windows\perfc.dat #1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,16805129943349480457,17098682105518709411,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5744 /prefetch:1
  2⤵
  PID:4412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1888,16805129943349480457,17098682105518709411,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7184 /prefetch:8
  2⤵
  PID:5560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1888,16805129943349480457,17098682105518709411,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2916 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3488
- C:\Users\Admin\Downloads\NotPetya (1).exe
  "C:\Users\Admin\Downloads\NotPetya (1).exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4924
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Windows\perfc.dat #1
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1928
- C:\Users\Admin\Downloads\NotPetya (1).exe
  "C:\Users\Admin\Downloads\NotPetya (1).exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:956
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Windows\perfc.dat #1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,16805129943349480457,17098682105518709411,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6936 /prefetch:1
  2⤵
  PID:5592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1888,16805129943349480457,17098682105518709411,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4752 /prefetch:8
  2⤵
  PID:1372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1888,16805129943349480457,17098682105518709411,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2920 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1208
- C:\Users\Admin\Downloads\Petya.A.exe
  "C:\Users\Admin\Downloads\Petya.A.exe"
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:5440
- C:\Users\Admin\Downloads\Petya.A.exe
  "C:\Users\Admin\Downloads\Petya.A.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:380
- C:\Users\Admin\Downloads\Petya.A.exe
  "C:\Users\Admin\Downloads\Petya.A.exe"
  2⤵
  - Executes dropped EXE
  PID:3676

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1208

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:968

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4e8 0x150
1⤵
PID:5004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fab8d8d865e33fe195732aa7dcb91c30

SHA1
2637e832f38acc70af3e511f5eba80fbd7461f2c

SHA256
1b034ffe38e534e2b7a21be7c1f207ff84a1d5f3893207d0b4bb1a509b4185ea

SHA512
39a3d43ef7e28fea2cb247a5d09576a4904a43680db8c32139f22a03d80f6ede98708a2452f3f82232b868501340f79c0b3f810f597bcaf5267c3ccfb1704b43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
36988ca14952e1848e81a959880ea217

SHA1
a0482ef725657760502c2d1a5abe0bb37aebaadb

SHA256
d7e96088b37cec1bde202ae8ec2d2f3c3aafc368b6ebd91b3e2985846facf2e6

SHA512
d04b2f5afec92eb3d9f9cdc148a3eddd1b615e0dfb270566a7969576f50881d1f8572bccb8b9fd7993724bdfe36fc7633a33381d43e0b96c4e9bbd53fc010173

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
215KB

MD5
2be38925751dc3580e84c3af3a87f98d

SHA1
8a390d24e6588bef5da1d3db713784c11ca58921

SHA256
1412046f2516b688d644ff26b6c7ef2275b6c8f132eb809bd32e118208a4ec1b

SHA512
1341ffc84f16c1247eb0e9baacd26a70c6b9ee904bc2861e55b092263613c0f09072efd174b3e649a347ef3192ae92d7807cc4f5782f8fd07389703d75c4c4e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
30497784cb77f8ac68d422972520caf3

SHA1
acccfd2c2e943161d265acb0eedb97b86ab940a9

SHA256
1b59dba2551f1871da401831c745071f926e780890f0248ce7033e696fdca5d0

SHA512
952b6e8553f73c127528059604f4ff0a58b0b6e6849c17ef3d5ddd7bfd143620b68f46f817550b575071f3800f17ec486de5a861c35b19884125733f69956401

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
a417f6d18d46c78b09e4cfbf0a22fbe5

SHA1
3f1601385fd73d8c673bede6efc6c2d41c356ec4

SHA256
15c3c00f01977bece131be7046b836b382ea0e2f0bbdb15cb557b52cae437afa

SHA512
91789e7124bf7f4fa74994fb10038a09652bf70540237c864ff9e495ab5bb7bae14713d16e445c82505b4237384a28b12c7e686425fec69e7407fa126ceb0b73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
aea2c169418423aac88d54b8b90f25b0

SHA1
41ff54a42411bebbfff1b154bcc832cc9cf2cd27

SHA256
2cdff41cb49eaa35af116e096c310ee24bd214cb58d7ff4fa5a11c84c754e051

SHA512
5874bf5a25e847aafd148dfe6aca8e0a73c3369e370d231d3def5520831332e8d225060c891045fc33313c8f10a37df695dfe9bc348df54e2d2a01e27372202d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
19f176547dc80354ea5eb303062d32a4

SHA1
875710ccc162e6154e231a78897bc3af2e38bb06

SHA256
0aae545568533b03ea908345ef59b9d97b5d77414bd6b93ccbe0b093c9acbf7c

SHA512
4fc0d17a63df80b395d6ae39a5b204ac6ae78ed015993db6cbcbce6188f5618a7e7cbf5811515301f54b8615404b57e89b9da8b7f03519070d018d097349828a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
cd177fa12b9bc6195ad30bac3d94a7d0

SHA1
1ce76c81f8041d20bbdedd1499e74a04938fc175

SHA256
88e8bd166c6d1a67d30dc177f653006f3a42d4b0dc4225800dbb1c5a517335fa

SHA512
770452da1636f29d52d4887b67bb8550d0c0839c0785fb1f5b4e4384297ca4e325438d6ac52e2cbe781c7212cc8bc7c6bf0aa213a15880a601e8bfdace478e8f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
2428176825192a01f70aeeb259afa9f9

SHA1
d606c79607c8dbcf849a2b87c1bd49b05cf0a06e

SHA256
01f83cbd3d65634358c99f0b59fe2ff712e573a8ff5bbdbb8e1652245e320e12

SHA512
f4c7bf802fcc5b40bd919ed2a49b3de778287aeefb0f53c3c621cc1061dabad4fdea730a506b54f093e331eb34ae283eb4256090988339411e6e7b5521bf2560

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
43dd18532ad840b78015234d7414e368

SHA1
6bf7aebf1c50241796a2359daa806885ba6dbff2

SHA256
d513645a38b4e74fd4ad972957a3d422ce8529682ba46be508eef2042b84d95e

SHA512
7043893ec10486ee519e5ae6819134d44abcb515bea5699acbc71edd4943347b19f75fcf17f783d19b54fce5fa0c827ce7ca08ddca85131ca59029fce4fc6eec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
4eb8eef4f89f64ff0efab8fe7c8246ca

SHA1
836a6c00a41f9ca7482587d8323b01fd71abe5e6

SHA256
09a64f2f31cafbffbf6fe760c5c256a28612ce6522903f12e6767d5125ffa258

SHA512
480944b03945cd1653054bd177ff9891359f07c12c4b55cfd402fdaceeac72c3f5799f5a32e1fb9ec69b637264a012e10ad5f6a3f246bfa0067cfdea64136ec9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
9ee07b2b8bd5336ef9d62d5b09b93aa9

SHA1
4252b1468217a75636d07f1cd7661372fe4d1cc1

SHA256
d118052f3e21deb97c8b107eeed15a830bf6fc5e3fcf996fc786178c008ceaa7

SHA512
7884b29edb6bb30dd2f16e3de0d8c362dbdd0bc3dea1545f76cec23bdab6befb112f039415574a9f74ab347cc1b9d4ab483b09a9c09df84fef172e828d3439a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ea14184b8b841d82454a4935b34b2f2b

SHA1
8aaf33b98c34a9b074ba540756969297d0de6abd

SHA256
6101bd10a7f7ced471832d07a790a340c729d0b6774f30ead2076d42217d58cc

SHA512
5d738ae2d0e94f6ec1d7c5693f708a6ac0a4f81bb69fbb617a24f6c47356d2a85e9ec9a65c99ec926518da2d54743cbc20a4be592a6b73a762118310bd09155d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c11e00accb392d2d2393cb516826167b

SHA1
4aae72e27f6426b4cc458a95a33df2cc80215908

SHA256
e62408e83674635a0c6e4a510ad03c83e01fc7c22cae4ee59e5264b80161637d

SHA512
4ede1cd43eec093f5a16b3b4d387c47ca9a7e4e6384f84c776dc94d7cf52172840478ad9593bec1ce9869d50d85206b347e0b42cbbb06e2c72a049c57b61c695

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ee34a2c204d5c02a178f7e0517a78aeb

SHA1
54ed628b7b35d09e360711bd10f0814a306dc6ff

SHA256
23f9d943280c976fb666aa5ffd4ecf633913921ab28a8c1a9d7a697fd36ce30a

SHA512
c03e564b0948dd560e6612354140dd82bf63b7f520325541d69272a73beec85d3db594cd0a3a576dda0844ea2ba09dd85ab1fa45b495f875163ca20d8131df42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2a62961402536e1fd60f131106b64617

SHA1
9d0e111fa7473b1725b8b8668ddc10f8780d785f

SHA256
2d53c0e8930b85f1d667c388afd3cf052f335e8623666eda9c5017341cd91105

SHA512
2769393a099eb1ac6e0cce3fb52a418539156eda49049d4e96e6d90a7119917896a352749dff6b3a84b21b3860ade0f2e4632d63a19ae8dbd28c29809c16cbc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57f6e3.TMP

Filesize
538B

MD5
753cbcb7520a5b8eea292cbc9158f9f7

SHA1
254a0ea4fdc53d6bb21b10f8103ffb74aa4fff6b

SHA256
de88725ac453a7086248bf9d689e30afbd71d4e5011a2037cb25faafc39897a5

SHA512
f62f790e47696e365542c859c2dbdb95a49aac3ab032819aee2701150b62f1eb81b6c76d53fa37960506e4ea567eabbcfaa961e81716d9ea6d4b63dc9dbc27b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
7b881478d8a0fc4adb0ef6ec262375e5

SHA1
a56fc814e984641e0a07f92f80574e9a3ed1a559

SHA256
25fb54039f98f3af7f6691ef72a29d3cc276d6371d8fe504f54d2a87405d8718

SHA512
fb90e099ad054f1573f4043a6cdf5a6e289da243b69d694111d7b7cdffd91569bc64908c923d718354a075bb48188fd774d0cc0e9c8ed027adecf32347436725

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e50be25d12bf1c611e4b7f459aeb2dfc

SHA1
9d796e939c4bd72d8125bd6d75cb719da1f123d5

SHA256
ad35b032379060a07e882905fae5ba698b5115aaa6c9c686072c55d8afaddfa8

SHA512
85a099adb0a5342c9f507f2a85cc876972b2fb7f5e717bd7db9f7da34c5dcea8875bb12954b0cfba10a7e17da907a537045a643e83137843858e0c79ebe511ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\6F7E.tmp

Filesize
55KB

MD5
7e37ab34ecdcc3e77e24522ddfd4852d

SHA1
38e2855e11e353cedf9a8a4f2f2747f1c5c07fcf

SHA256
02ef73bd2458627ed7b397ec26ee2de2e92c71a0e7588f78734761d8edbdcd9f

SHA512
1b037a2aa8bf951d2ffe2f724aa0b2fbb39c2173215806ba0327bda7b096301d887f9bb7db46f9e04584b16aa6b1aaeaf67f0ecf5f20eb02ceac27c8753ca587

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 22415.crdownload

Filesize
225KB

MD5
af2379cc4d607a45ac44d62135fb7015

SHA1
39b6d40906c7f7f080e6befa93324dddadcbd9fa

SHA256
26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739

SHA512
69899c47d0b15f92980f79517384e83373242e045ca696c6e8f930ff6454219bf609e0d84c2f91d25dfd5ef3c28c9e099c4a3a918206e957be806a1c2e0d3e99

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 319317.crdownload

Filesize
390KB

MD5
5b7e6e352bacc93f7b80bc968b6ea493

SHA1
e686139d5ed8528117ba6ca68fe415e4fb02f2be

SHA256
63545fa195488ff51955f09833332b9660d18f8afb16bdf579134661962e548a

SHA512
9d24af0cb00fb8a5e61e9d19cd603b5541a22ae6229c2acf498447e0e7d4145fee25c8ab9d5d5f18f554e6cbf8ca56b7ca3144e726d7dfd64076a42a25b3dfb6

Download Submit
C:\Windows\perfc.dat

Filesize
353KB

MD5
71b6a493388e7d0b40c83ce903bc6b04

SHA1
34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d

SHA256
027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745

SHA512
072205eca5099d9269f358fe534b370ff21a4f12d7938d6d2e2713f69310f0698e53b8aff062849f0b2a521f68bee097c1840993825d2a5a3aa8cf4145911c6f

Download Submit
C:\Windows\perfc.dat

Filesize
353KB

MD5
87e48f32628f23eee59ed36b93735293

SHA1
d9f9a61b4ac96ede4c9e719f475321a160a00bed

SHA256
1799b513968e260d524305c64ef65a6390ce4592972a95711aa10f8923786619

SHA512
2440643ca3dee4e1dffb5d6355481bafffc843959712115d6c8eb7a3d692782eb55253df028fc904aef4b409fcfc59b9d2b8a9262f85b93c4adb124d1bff6188

Download Submit
C:\Windows\perfc.dat

Filesize
353KB

MD5
9a7ffe65e0912f9379ba6e8e0b079fde

SHA1
532bea84179e2336caed26e31805ceaa7eec53dd

SHA256
4b336c3cc9b6c691fe581077e3dd9ea7df3bf48f79e35b05cf87e079ec8e0651

SHA512
e8ebf30488b9475529d3345a00c002fe44336718af8bc99879018982bbc1172fc77f9fee12c541bab9665690092709ef5f847b40201782732c717c331bb77c31

Download Submit
C:\Windows\perfc.dat

Filesize
256KB

MD5
4f0c87d5c1aed149d01a83e67454981b

SHA1
bcaf5377e8ab5b06df2ba9ebc1fbe7961469eed0

SHA256
f3582c043275906123390ba8d0a3e34a1f906498ee16c2fe2be1965079a8907e

SHA512
c9b019584aa49950e18c5d079bfc49287f008348aa7f59c3ec92154c4b4a4a40502a628854f8b3872e09a7dc1287162b6e2219245045aa0ad553a761114165c6

Download Submit
C:\Windows\perfc.dat

Filesize
353KB

MD5
6f6b916884a301fe42518e3adb5d340f

SHA1
566a2e31aaaa345cd2ed4cde11b2988b4a90cfa1

SHA256
c4dd2a06110eaa8d5653e0dcd3891e822a2eb7134a905fb74d6858610e7cf197

SHA512
fb81897718f255ce0d0af97c657d10797b94f7b04596b3d206b1ca1b4f2e1a0e791fd52caf10489a60d53eb896ef9c88a31f546e9e73d7778ece73193204894d

Download Submit
\??\pipe\LOCAL\crashpad_1448_GOQESUKDAZHBTLLB

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/404-499-0x0000000001660000-0x00000000016BE000-memory.dmp

Filesize
376KB

Download
memory/404-507-0x0000000001660000-0x00000000016BE000-memory.dmp

Filesize
376KB

Download
memory/1928-626-0x0000000000EF0000-0x0000000000F4E000-memory.dmp

Filesize
376KB

Download
memory/1928-618-0x0000000000EF0000-0x0000000000F4E000-memory.dmp

Filesize
376KB

Download
memory/4280-525-0x0000000000E20000-0x0000000000E7E000-memory.dmp

Filesize
376KB

Download
memory/4280-532-0x0000000000E20000-0x0000000000E7E000-memory.dmp

Filesize
376KB

Download
memory/5008-454-0x0000000002E10000-0x0000000002E6E000-memory.dmp

Filesize
376KB

Download
memory/5008-456-0x0000000002E10000-0x0000000002E6E000-memory.dmp

Filesize
376KB

Download
memory/5008-449-0x0000000002E10000-0x0000000002E6E000-memory.dmp

Filesize
376KB

Download
memory/5008-467-0x0000000002E10000-0x0000000002E6E000-memory.dmp

Filesize
376KB

Download
memory/5008-440-0x0000000002E10000-0x0000000002E6E000-memory.dmp

Filesize
376KB

Download
memory/5204-490-0x0000000002190000-0x00000000021EE000-memory.dmp

Filesize
376KB

Download
memory/5204-482-0x0000000002190000-0x00000000021EE000-memory.dmp

Filesize
376KB

Download
memory/5300-552-0x0000000002800000-0x000000000285E000-memory.dmp

Filesize
376KB

Download
memory/5300-560-0x0000000002800000-0x000000000285E000-memory.dmp

Filesize
376KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads