wannacry | 34a69f418aa66491c66d2db8a926fdb2de348ca9aa842245273a5a9b706fb88a

Resubmissions

14-12-2024 12:00

241214-n6qtsssqbn 3

14-12-2024 09:33

241214-ljgw9szkdr 10

Analysis

max time kernel
172s
max time network
173s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14-12-2024 09:33

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

744360644695740120.html
Size

418KB
MD5

41a6223135a87d35342db09435135093
SHA1

443d9994896f85ea89edf41530b87d8e5d2122d8
SHA256

34a69f418aa66491c66d2db8a926fdb2de348ca9aa842245273a5a9b706fb88a
SHA512

b978faafe9d981c15269a944eb917e379fce45a83d2cd43d193cc928207e8084af8854f6795a6a1934364baaa8bf1ee79d2bb197971c71a083ed7af052d846c9
SSDEEP

3072:pCtkAF8cQo7UQEonp5f33TEzaZxWxIFnyCx2NBcwwNB8zoJnOMuWS9uQJYHwwPd0:pufnFnFw4eNl

Score

10^/10

wannacry defense_evasion discovery execution impact persistence ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\!Please Read Me!.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions! �

Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Wannacry family
wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Downloads MZ/PE file

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD75DF.tmp	WannaCry.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD75C8.tmp	WannaCry.exe

Executes dropped EXE 13 IoCs

pid	Process
2136	WannaCry.exe
6040	!WannaDecryptor!.exe
5400	WannaCry.exe
5416	WannaCry.exe
2996	WannaCry.exe
5868	WannaCry.exe
1884	WannaCry.exe
5636	WannaCry.exe
5708	WannaCry.exe
1584	!WannaDecryptor!.exe
1740	!WannaDecryptor!.exe
4540	!WannaDecryptor!.exe
5984	!WannaDecryptor!.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\Downloads\\WannaCry.exe\" /r"	WannaCry.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
119	raw.githubusercontent.com
120	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp"	!WannaDecryptor!.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp"	!WannaDecryptor!.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 22 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
4660	taskkill.exe
5868	taskkill.exe
3684	taskkill.exe
5796	taskkill.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "157"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	taskmgr.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 937234.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 761613.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 41 IoCs

pid	Process
3368	msedge.exe
3368	msedge.exe
2520	msedge.exe
2520	msedge.exe
1688	chrome.exe
1688	chrome.exe
5236	identity_helper.exe
5236	identity_helper.exe
5348	msedge.exe
5348	msedge.exe
4268	msedge.exe
4268	msedge.exe
4268	msedge.exe
4268	msedge.exe
5816	chrome.exe
5816	chrome.exe
5816	chrome.exe
5816	chrome.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs

pid	Process
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
1688	chrome.exe
1688	chrome.exe
1688	chrome.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1688	chrome.exe
Token: SeCreatePagefilePrivilege	1688	chrome.exe
Token: SeShutdownPrivilege	1688	chrome.exe
Token: SeCreatePagefilePrivilege	1688	chrome.exe
Token: SeShutdownPrivilege	1688	chrome.exe
Token: SeCreatePagefilePrivilege	1688	chrome.exe
Token: SeShutdownPrivilege	1688	chrome.exe
Token: SeCreatePagefilePrivilege	1688	chrome.exe
Token: SeShutdownPrivilege	1688	chrome.exe
Token: SeCreatePagefilePrivilege	1688	chrome.exe
Token: SeShutdownPrivilege	1688	chrome.exe
Token: SeCreatePagefilePrivilege	1688	chrome.exe
Token: SeShutdownPrivilege	1688	chrome.exe
Token: SeCreatePagefilePrivilege	1688	chrome.exe
Token: SeShutdownPrivilege	1688	chrome.exe
Token: SeCreatePagefilePrivilege	1688	chrome.exe
Token: SeShutdownPrivilege	1688	chrome.exe
Token: SeCreatePagefilePrivilege	1688	chrome.exe
Token: SeShutdownPrivilege	1688	chrome.exe
Token: SeCreatePagefilePrivilege	1688	chrome.exe
Token: SeShutdownPrivilege	1688	chrome.exe
Token: SeCreatePagefilePrivilege	1688	chrome.exe
Token: SeShutdownPrivilege	1688	chrome.exe
Token: SeCreatePagefilePrivilege	1688	chrome.exe
Token: SeShutdownPrivilege	1688	chrome.exe
Token: SeCreatePagefilePrivilege	1688	chrome.exe
Token: SeShutdownPrivilege	1688	chrome.exe
Token: SeCreatePagefilePrivilege	1688	chrome.exe
Token: SeShutdownPrivilege	1688	chrome.exe
Token: SeCreatePagefilePrivilege	1688	chrome.exe
Token: SeShutdownPrivilege	1688	chrome.exe
Token: SeCreatePagefilePrivilege	1688	chrome.exe
Token: SeShutdownPrivilege	1688	chrome.exe
Token: SeCreatePagefilePrivilege	1688	chrome.exe
Token: SeShutdownPrivilege	1688	chrome.exe
Token: SeCreatePagefilePrivilege	1688	chrome.exe
Token: SeShutdownPrivilege	1688	chrome.exe
Token: SeCreatePagefilePrivilege	1688	chrome.exe
Token: SeShutdownPrivilege	1688	chrome.exe
Token: SeCreatePagefilePrivilege	1688	chrome.exe
Token: SeShutdownPrivilege	1688	chrome.exe
Token: SeCreatePagefilePrivilege	1688	chrome.exe
Token: SeShutdownPrivilege	1688	chrome.exe
Token: SeCreatePagefilePrivilege	1688	chrome.exe
Token: SeShutdownPrivilege	1688	chrome.exe
Token: SeCreatePagefilePrivilege	1688	chrome.exe
Token: SeShutdownPrivilege	1688	chrome.exe
Token: SeCreatePagefilePrivilege	1688	chrome.exe
Token: SeShutdownPrivilege	1688	chrome.exe
Token: SeCreatePagefilePrivilege	1688	chrome.exe
Token: SeShutdownPrivilege	1688	chrome.exe
Token: SeCreatePagefilePrivilege	1688	chrome.exe
Token: SeShutdownPrivilege	1688	chrome.exe
Token: SeCreatePagefilePrivilege	1688	chrome.exe
Token: SeShutdownPrivilege	1688	chrome.exe
Token: SeCreatePagefilePrivilege	1688	chrome.exe
Token: SeShutdownPrivilege	1688	chrome.exe
Token: SeCreatePagefilePrivilege	1688	chrome.exe
Token: SeShutdownPrivilege	1688	chrome.exe
Token: SeCreatePagefilePrivilege	1688	chrome.exe
Token: SeShutdownPrivilege	1688	chrome.exe
Token: SeCreatePagefilePrivilege	1688	chrome.exe
Token: SeShutdownPrivilege	1688	chrome.exe
Token: SeCreatePagefilePrivilege	1688	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
1688	chrome.exe
1688	chrome.exe
1688	chrome.exe
1688	chrome.exe
1688	chrome.exe
1688	chrome.exe
1688	chrome.exe
1688	chrome.exe
1688	chrome.exe
1688	chrome.exe
1688	chrome.exe
1688	chrome.exe
1688	chrome.exe
1688	chrome.exe
1688	chrome.exe
1688	chrome.exe
1688	chrome.exe
1688	chrome.exe
1688	chrome.exe
1688	chrome.exe
1688	chrome.exe
1688	chrome.exe
1688	chrome.exe
1688	chrome.exe
1688	chrome.exe
1688	chrome.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
1688	chrome.exe
1688	chrome.exe
1688	chrome.exe
1688	chrome.exe
1688	chrome.exe
1688	chrome.exe
1688	chrome.exe
1688	chrome.exe
1688	chrome.exe
1688	chrome.exe
1688	chrome.exe
1688	chrome.exe
1688	chrome.exe
1688	chrome.exe
1688	chrome.exe
1688	chrome.exe
1688	chrome.exe
1688	chrome.exe
1688	chrome.exe
1688	chrome.exe
1688	chrome.exe
1688	chrome.exe
1688	chrome.exe
1688	chrome.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe
2288	taskmgr.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
6040	!WannaDecryptor!.exe
6040	!WannaDecryptor!.exe
1584	!WannaDecryptor!.exe
1584	!WannaDecryptor!.exe
1740	!WannaDecryptor!.exe
1740	!WannaDecryptor!.exe
4540	!WannaDecryptor!.exe
4540	!WannaDecryptor!.exe
5984	!WannaDecryptor!.exe
5984	!WannaDecryptor!.exe
5812	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2520 wrote to memory of 2784	2520	msedge.exe	84
PID 2520 wrote to memory of 2784	2520	msedge.exe	84
PID 2520 wrote to memory of 5032	2520	msedge.exe	86
PID 2520 wrote to memory of 5032	2520	msedge.exe	86
PID 2520 wrote to memory of 5032	2520	msedge.exe	86
PID 2520 wrote to memory of 5032	2520	msedge.exe	86
PID 2520 wrote to memory of 5032	2520	msedge.exe	86
PID 2520 wrote to memory of 5032	2520	msedge.exe	86
PID 2520 wrote to memory of 5032	2520	msedge.exe	86
PID 2520 wrote to memory of 5032	2520	msedge.exe	86
PID 2520 wrote to memory of 5032	2520	msedge.exe	86
PID 2520 wrote to memory of 5032	2520	msedge.exe	86
PID 2520 wrote to memory of 5032	2520	msedge.exe	86
PID 2520 wrote to memory of 5032	2520	msedge.exe	86
PID 2520 wrote to memory of 5032	2520	msedge.exe	86
PID 2520 wrote to memory of 5032	2520	msedge.exe	86
PID 2520 wrote to memory of 5032	2520	msedge.exe	86
PID 2520 wrote to memory of 5032	2520	msedge.exe	86
PID 2520 wrote to memory of 5032	2520	msedge.exe	86
PID 2520 wrote to memory of 5032	2520	msedge.exe	86
PID 2520 wrote to memory of 5032	2520	msedge.exe	86
PID 2520 wrote to memory of 5032	2520	msedge.exe	86
PID 2520 wrote to memory of 5032	2520	msedge.exe	86
PID 2520 wrote to memory of 5032	2520	msedge.exe	86
PID 2520 wrote to memory of 5032	2520	msedge.exe	86
PID 2520 wrote to memory of 5032	2520	msedge.exe	86
PID 2520 wrote to memory of 5032	2520	msedge.exe	86
PID 2520 wrote to memory of 5032	2520	msedge.exe	86
PID 2520 wrote to memory of 5032	2520	msedge.exe	86
PID 2520 wrote to memory of 5032	2520	msedge.exe	86
PID 2520 wrote to memory of 5032	2520	msedge.exe	86
PID 2520 wrote to memory of 5032	2520	msedge.exe	86
PID 2520 wrote to memory of 5032	2520	msedge.exe	86
PID 2520 wrote to memory of 5032	2520	msedge.exe	86
PID 2520 wrote to memory of 5032	2520	msedge.exe	86
PID 2520 wrote to memory of 5032	2520	msedge.exe	86
PID 2520 wrote to memory of 5032	2520	msedge.exe	86
PID 2520 wrote to memory of 5032	2520	msedge.exe	86
PID 2520 wrote to memory of 5032	2520	msedge.exe	86
PID 2520 wrote to memory of 5032	2520	msedge.exe	86
PID 2520 wrote to memory of 5032	2520	msedge.exe	86
PID 2520 wrote to memory of 5032	2520	msedge.exe	86
PID 2520 wrote to memory of 3368	2520	msedge.exe	87
PID 2520 wrote to memory of 3368	2520	msedge.exe	87
PID 2520 wrote to memory of 1100	2520	msedge.exe	88
PID 2520 wrote to memory of 1100	2520	msedge.exe	88
PID 2520 wrote to memory of 1100	2520	msedge.exe	88
PID 2520 wrote to memory of 1100	2520	msedge.exe	88
PID 2520 wrote to memory of 1100	2520	msedge.exe	88
PID 2520 wrote to memory of 1100	2520	msedge.exe	88
PID 2520 wrote to memory of 1100	2520	msedge.exe	88
PID 2520 wrote to memory of 1100	2520	msedge.exe	88
PID 2520 wrote to memory of 1100	2520	msedge.exe	88
PID 2520 wrote to memory of 1100	2520	msedge.exe	88
PID 2520 wrote to memory of 1100	2520	msedge.exe	88
PID 2520 wrote to memory of 1100	2520	msedge.exe	88
PID 2520 wrote to memory of 1100	2520	msedge.exe	88
PID 2520 wrote to memory of 1100	2520	msedge.exe	88
PID 2520 wrote to memory of 1100	2520	msedge.exe	88
PID 2520 wrote to memory of 1100	2520	msedge.exe	88
PID 2520 wrote to memory of 1100	2520	msedge.exe	88
PID 2520 wrote to memory of 1100	2520	msedge.exe	88
PID 2520 wrote to memory of 1100	2520	msedge.exe	88
PID 2520 wrote to memory of 1100	2520	msedge.exe	88

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\744360644695740120.html
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbbcb646f8,0x7ffbbcb64708,0x7ffbbcb64718
  2⤵
  PID:2784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,7928962071362222270,7393598666516425122,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2
  2⤵
  PID:5032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,7928962071362222270,7393598666516425122,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,7928962071362222270,7393598666516425122,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2808 /prefetch:8
  2⤵
  PID:1100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,7928962071362222270,7393598666516425122,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
  2⤵
  PID:2632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,7928962071362222270,7393598666516425122,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
  2⤵
  PID:3908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,7928962071362222270,7393598666516425122,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4660 /prefetch:1
  2⤵
  PID:672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,7928962071362222270,7393598666516425122,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4664 /prefetch:1
  2⤵
  PID:1308
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,7928962071362222270,7393598666516425122,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5376 /prefetch:8
  2⤵
  PID:3732
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,7928962071362222270,7393598666516425122,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5376 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,7928962071362222270,7393598666516425122,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:5596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,7928962071362222270,7393598666516425122,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5664 /prefetch:1
  2⤵
  PID:5604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,7928962071362222270,7393598666516425122,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4116 /prefetch:1
  2⤵
  PID:5852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,7928962071362222270,7393598666516425122,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3940 /prefetch:1
  2⤵
  PID:5860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,7928962071362222270,7393598666516425122,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5744 /prefetch:1
  2⤵
  PID:1572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,7928962071362222270,7393598666516425122,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3484 /prefetch:1
  2⤵
  PID:5836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,7928962071362222270,7393598666516425122,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
  2⤵
  PID:5596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,7928962071362222270,7393598666516425122,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3508 /prefetch:1
  2⤵
  PID:4776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,7928962071362222270,7393598666516425122,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4832 /prefetch:1
  2⤵
  PID:3856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2084,7928962071362222270,7393598666516425122,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4692 /prefetch:8
  2⤵
  PID:6084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,7928962071362222270,7393598666516425122,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1
  2⤵
  PID:4044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2084,7928962071362222270,7393598666516425122,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6192 /prefetch:8
  2⤵
  PID:4604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2084,7928962071362222270,7393598666516425122,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6076 /prefetch:8
  2⤵
  PID:4804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,7928962071362222270,7393598666516425122,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6128 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5348
- C:\Users\Admin\Downloads\WannaCry.exe
  "C:\Users\Admin\Downloads\WannaCry.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2136
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 292251734168881.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:768
  - - C:\Windows\SysWOW64\cscript.exe
      cscript //nologo c.vbs
      4⤵
      System Location Discovery: System Language Discovery
      PID:372
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe f
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:6040
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im MSExchange*
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:4660
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Microsoft.Exchange.*
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:5796
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sqlserver.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:3684
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sqlwriter.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:5868
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe c
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1584
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c start /b !WannaDecryptor!.exe v
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2236
  - - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
      !WannaDecryptor!.exe v
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1740
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2348
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1308
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe
    3⤵
    - Executes dropped EXE
    - Sets desktop wallpaper using registry
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4540
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe
    3⤵
    - Executes dropped EXE
    - Sets desktop wallpaper using registry
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5984
- C:\Users\Admin\Downloads\WannaCry.exe
  "C:\Users\Admin\Downloads\WannaCry.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5400
- C:\Users\Admin\Downloads\WannaCry.exe
  "C:\Users\Admin\Downloads\WannaCry.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5416
- C:\Users\Admin\Downloads\WannaCry.exe
  "C:\Users\Admin\Downloads\WannaCry.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2996
- C:\Users\Admin\Downloads\WannaCry.exe
  "C:\Users\Admin\Downloads\WannaCry.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5868
- C:\Users\Admin\Downloads\WannaCry.exe
  "C:\Users\Admin\Downloads\WannaCry.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1884
- C:\Users\Admin\Downloads\WannaCry.exe
  "C:\Users\Admin\Downloads\WannaCry.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5636
- C:\Users\Admin\Downloads\WannaCry.exe
  "C:\Users\Admin\Downloads\WannaCry.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,7928962071362222270,7393598666516425122,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1820 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4268

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3916

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3832

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffbac72cc40,0x7ffbac72cc4c,0x7ffbac72cc58
  2⤵
  PID:3124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1932,i,12769725187516741215,4007143069423754221,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1924 /prefetch:2
  2⤵
  PID:3484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2136,i,12769725187516741215,4007143069423754221,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2208 /prefetch:3
  2⤵
  PID:2888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2260,i,12769725187516741215,4007143069423754221,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2452 /prefetch:8
  2⤵
  PID:4976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3120,i,12769725187516741215,4007143069423754221,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3132 /prefetch:1
  2⤵
  PID:3844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3156,i,12769725187516741215,4007143069423754221,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3184 /prefetch:1
  2⤵
  PID:1164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4448,i,12769725187516741215,4007143069423754221,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2276 /prefetch:1
  2⤵
  PID:1988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4940,i,12769725187516741215,4007143069423754221,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4956 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5816

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1096

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:5484

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4696

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SendNotifyMessage
PID:2288

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3936855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:5812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\50a314e4-3ca9-46c0-89f2-325c1f0e0152.tmp

Filesize
9KB

MD5
ed374c4448ff7ab18750124f5adae536

SHA1
167bcaaf7303ae97f196a3fb917ffae3120ecadc

SHA256
e49195308c2fae0ad0aacaf95d4db8a5fd4f9c091e138793b16a03bebdaee3c2

SHA512
a496ce54bc161bfb907f24137fb68e0e9e488b0b0413aa4662e0d112cb15ec61439ee6eb7b11a590460f501410ce6dd27dadd4e73540a6fb24d27a789db0b206

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
e71f257431d4bb29e21b504c073503b0

SHA1
615c29a8feb6b4b2cd5e34136ab9e69005b48683

SHA256
71283f64f830aee1a6bad8e9fad1261338fb6ebd423644844ed66ac1aca8b138

SHA512
905973759dd2b07e0f28241adebfb58775ad30de53ef6c786df866f53503692512bb18b8484f682d6818a3e8227b74ba4dd639f4b4474ba49c9558d4330bfb3f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
a9e2fe4e8439fd36a0bba617a137fc84

SHA1
f24cbd4a45399d4b5993ff472df2d4651f25ce7c

SHA256
a47267de03f9da019d15e47999f9484d45745900d581ef87ce7179392906c362

SHA512
2be89968a5e46e1928274e687e652eeec53d9834c5361e662ad0b3bcb8e0f42a04c71108058d7f0d1d7f1f1599f1c8e997f65d64ba7961a2bde6cb20eea8be95

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3f2e564bc5fae55f0ec040334b0ee68b

SHA1
20332f62964eec377aa20322a3b8a2df738e47fd

SHA256
041c2d24595c5c8b345b74eb7371332b8762b5cd9aba655783172c3f3afff2c3

SHA512
3757dae199890f3024a9f04c54292f2abd7217b20cfa982ef24e490032b8d76e9e3af0964ed8823806aa50e94d1d34f33be42f9bae34c6962012af738ce6bd09

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5be067e82a15d25aec39c0dfb9630217

SHA1
6d1468acef4b63747f7eee8d4bc9a658224b0a3c

SHA256
6a86693eb0c3a3bfcf8b0043d0f25c2a06aa32fae33b9a6ce9418fec20a8e84d

SHA512
9b74b802e815c34a9a4e064b7211d6039044498857ce7a65677195e142025e8d21343c1ca44d4618015bd94f0db7f19ed44adaa25ab9ee30ee99419a078b7e08

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
cf4b1b14d4ad10591bd9ad835f4f541b

SHA1
2d183bcde89b8a063bb35f12d22e7af33bce845a

SHA256
42da70cbf13ecc7b5e8eae6424c67b5d8afb4ef2a6e1a6d2b50ff4973d678458

SHA512
89134e3543e5c91c55f5250bfbbafd22e0fb979b78b1d75dce89947760e975ed19b92997a6f9c8ba94dfbd53e397d72ab001b56afe1e9b1e9ffd12177d66d13d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d0a92741d3f5a598a78be3e3c59bd0da

SHA1
dbe9394ab9e9ce1a2149b8ff16e18616b760503a

SHA256
5f6a2a430fae81585221a128188590abdf681ae40e9ba4fc6444145375b5bcdc

SHA512
939e93d3c80d882885f96bedf092b59ac10fa1885173c866c8c021f80c717f8a0561cc0ada9781865a10521945930ca77b1cbaea6274bb00fbd83de1763ebe4a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e783678a36b739d1254cb19a189afb25

SHA1
2bc9365d41c5f503876e198a2079c3b9d7f8c4b6

SHA256
9d7a8152ab00eebc1f864d7b349b505ef56ab78ca1a20511ac2eaf35a46a42c3

SHA512
75bc388e51a7f1e6140fa0b4efb6c9a1e70ff2ddcc3770fa6fe638553b02067e53578cabcf29b0f7e872032df0fdfaba46afee5b064ca47903dc471a8a4c8038

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
255f51e0e0ad38229ad61651f16d327b

SHA1
bc7e67173aaa287920f505c51dd6a35925d240d1

SHA256
a4d4a7470ec6d06213cc466e5f173339b819e54b2826aa0d13194e59c2c920b1

SHA512
57fa3db038a61aeddbbd1861f06ece53bb688729eb0af5c7f240633c973f5e64c910b8734c6a37c21d4c15d736b9d8e86cf83e1729e36e0dd2218a1e0816b877

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
db865c5ff8c7ef1b791526acae57ab23

SHA1
2d82014d9629a89783c2d982d3ec29d7af1074ae

SHA256
b0dea72eb9270d1ab08ca8d919003fa815ca82cb26f02c5e073054b49ada6766

SHA512
92258b9b00e6367acc369279c0da682cf773dcd2fff6181d73c8859be1eb29fca0b303a33bdb3ea8130a6648711c7990f78fa96d5bf000eeefeb13915048a668

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ff92cbe495d54c585e9e3752138f6ff5

SHA1
777870431022be426d6ad2010e362c8e587d6c10

SHA256
61f3c50bf79879288505e201b1c0bf7b5fa49a99ee9fc73f5a6fc3416c66c6f1

SHA512
842d24fb6c9c9ca5178e1c36d61a820f64bd60726eb51494be3b25cf226709d1490686dab2a90777e5512d459fe99744599430a9dc978bf6c7ecab7f22817516

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
70bd004ea6b8fa147e7539c5ea54bdef

SHA1
74770a1d4f6f64ef8b5f8a3c435fd6aa6460becb

SHA256
b265c9582094004956f42e5a954ebf762bfdf9cdf58348f29e6048380562eecc

SHA512
5dcbdb945597e88ef7a6ef24f7b93b825b6001b85f764fd05d4407198b4a35501c8feeb0ed4df5af37eed9d2bf77c7d05960ea8e349f8016733e28f9c04c726b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6bd9a8c15c573617aaa3c31abc7bc9e2

SHA1
f8444d2f20af85c46f31c727f6b9c0ceadea62b0

SHA256
eb595b7c7b3b2e9bf620c34229d1283b7b65616e153d37a616c40853e4e607eb

SHA512
163d6da1ece745f2817469e6bbde082f01511c581d5a1cbcc03a711ebea4f95568bd20373b5f36d8b6ef00ee7a3540d48a0c66c93bacd7e5ac30ad03e065229c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2ebc165d2f444bc46d0710df24349549

SHA1
ad73faea06f9b211b81d66f73713fb9a7a4d3557

SHA256
036f756e2c8f4857e32d0ddbca0b99cb8602b29603f1728901d1dd48cd59ccac

SHA512
144d731a06edc036f3810a53fba269ae73086b73d2a4fc2a1cb05f51af5fda0dbafbbfa52ba003cae49464a68f31aa8115bc745f26fedfa5da32e69bb0056115

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
d359a0cd927c0990bb55ecde1c7c3db1

SHA1
8b042d3c37d707ea1d912c42c191dbfa2cd980da

SHA256
812b2112555269ea2550c05f8620f85b3cb91f648b26d25b3ac5170123b5bbc9

SHA512
fe51405fcd47e51f23a5a4a5147245671327afbefc411fe9f501a4c95d1ba8c8853e27df34db0311c699488917a4c0eb5661f59a48e8a7ece635d5145b85c733

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
bef21f1343fddc0693d533f9ac93a8cb

SHA1
088eb89c3c4449d4420362f6eb81a4437a53f70a

SHA256
635b0e1d379aaff636ff22c5a404becb78d6da2a6c2e547e1890aba0a1bc0d20

SHA512
ce58ad1292099a473a6c6afddec03ab31c54f1a57232d6be94484b4c41943fd905295bd76ca755ac8befc6ad044e371f705f0f0e9775f88d5196201806633f6e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
ffb9389979152d08de6f725a124f5949

SHA1
f4c24742542e77af1948319a6e54c85a59492ece

SHA256
cf9ae9e57d839a1e12623f22b6f0325333b016b6673b4264e85773514a5ee8bc

SHA512
8388693de8d31bd814f2fb76d1667646f7d0e21343b4b4abd55ffa4b006d06aab5b98e8799b07998ef8190cde39175253b1d758d17c0dc929870a9d6acfb259d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
dc058ebc0f8181946a312f0be99ed79c

SHA1
0c6f376ed8f2d4c275336048c7c9ef9edf18bff0

SHA256
378701e87dcff90aa092702bc299859d6ae8f7e313f773bf594f81df6f40bf6a

SHA512
36e0de64a554762b28045baebf9f71930c59d608f8d05c5faf8906d62eaf83f6d856ef1d1b38110e512fbb1a85d3e2310be11a7f679c6b5b3c62313cc7af52aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a0486d6f8406d852dd805b66ff467692

SHA1
77ba1f63142e86b21c951b808f4bc5d8ed89b571

SHA256
c0745fd195f3a51b27e4d35a626378a62935dccebefb94db404166befd68b2be

SHA512
065a62032eb799fade5fe75f390e7ab3c9442d74cb8b520d846662d144433f39b9186b3ef3db3480cd1d1d655d8f0630855ed5d6e85cf157a40c38a19375ed8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001d

Filesize
224KB

MD5
5c7fb0927db37372da25f270708103a2

SHA1
120ed9279d85cbfa56e5b7779ffa7162074f7a29

SHA256
be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844

SHA512
a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f89224c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
3c48103bea0f621489c61407e91b3527

SHA1
ba48e65412a4ff467a566dd0d594185189a3797b

SHA256
f0e6bf5433c752816c51960631cb650fdc125fb7d9d774811f7e8269de697fdd

SHA512
aef1b6c0cfcc7355960c5934559f13c38f20e7eb41291e6329cb1ada0a488fa3ca94f97955316ac310b72bc174c9717e9e3cfba8b9ca8d69704316026de68b41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
6bf37efabc7f5cbf26f16fff5930762d

SHA1
6b06e390849166bc34fa05f6218ff7509a328fe1

SHA256
6b0e41d1dd2fcdb0ddf47c730b88d572016ea2c2d04cd78fe7c95ab0b9337429

SHA512
8ff22d7197a8b647385ebf42e784cb04a15a7ab906abfcdb43198f31a168cf59b0852592b6c2be0311504a7d717d30c7fa8951a69aa1d8b14679206d007bae51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
28233ea2b4c85a7a2c4ceef5c0b677ea

SHA1
41aa3675927be8953bd2c79b4db2ba685ad6e8ba

SHA256
33caf021d82d7344edfed75b2831d57f5758b24e2b1369127219762f72bf592a

SHA512
36e5a23cc7e6a4e515c545f3edbbd665ca9c6838f800de029766c1b36bf5d3b66befc3d3226f171d970a9b8c59f1ab40623715fbe3473c53ca8f6de34969a105

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
984911e28949fe9f6dcf8a97b8ba69fe

SHA1
6ee5c40cc99fb46b1d6f8986e10477c0a28f5f6d

SHA256
fe784f825fd97c0806c0d26069d1d45923a1af2fdb7377103923d90ad4aa4631

SHA512
3610c93bc405f8a8d6912b6dc73ec35c48675b7b5009fb4e2b0e3f61c29700deb6efc9c514cadcd4f7d72863e709e9e390408c4553afcd9489e653e9b287a0c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
3aeee012858a4be75b4f2a65732619aa

SHA1
f8b0997995b3bb05362713d32b5e071a7d6e7135

SHA256
344df88f56e5b1e9ddb563c7854313468d084a98c958339db9270b127032f37f

SHA512
966b776bb13899e1b6518538866dbaaad1d5d1af4eaa41a6a145babc506ad2fcd355b9fc5c5c16d2f08c1fbf7adedaa9b1d74b1ea524c38ba8a2a3da493f4cd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
6ea64a4303a9f016b802e6b2a5d83db7

SHA1
41902f20ba7fcb5dc89f8937283f13aa9012428f

SHA256
f8ca89a6456ccd5c727887a02a495e7a35a89c21fc6d437ddd89ccb721a71447

SHA512
d01e676ea4e81273343a4e159aa58adf57c94ece342d045b9f6eef1aa72a0c985c977fb811f76edb6d3a1bafd8da0245ce84b8259b82ca24067c08f17a9f6331

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7be5341e3b52c645bdf09dc24383bc98

SHA1
63c9834f48c08ae416ca463edad777dc40f4c83a

SHA256
b2ef07ca11d53ad1e19fcd34f0d3231e9ff27ae78089012ae5362e0a8180f22b

SHA512
38bc2a409a8395b80ca9541fdf1cfd8e586de014aef3af0784fee37c49a6dd2f2cd586255e0d52c20e9fe53a0fc80cf42174f2f0a57f0a4b7d9160de5ae7ba68

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2784296ab52e594ec9911049645c4388

SHA1
2af7b0be73ad2f34338149277a7d74ab6ef8e970

SHA256
423d8d5f2eb01e2a5acaee8d76c949c8ff75c888e841ce6f08455bca1cdceb01

SHA512
dc0ec82822593150a9c44e46124a0a7a088606b1f87316367d50f86832fd39cdd4ac423508e58467e681a4390b3638aa1f28eaea3f1648787bbe207ce3f9b358

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
cb08a0788d9aa797ad2cb0798048635a

SHA1
a7717c8c2a7d7bc8ecfd2a3963a590d013cc8cef

SHA256
7896670641d379fd6675e05e03bba40224ec0c172c11cb7e190fe339d5964a66

SHA512
a220278b91540039b3a9531765bf7358b3d4fbd274d6327ca57b5efe15fd568b07651d0ef8cea507c3b2945725f9dd53e7923c702971b644389abef6002b6adf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
b67b78f90f89c428cb8623ddfdde8f93

SHA1
4cd50901d270cdbfeb4307c12ae6af7f7d6a2ea9

SHA256
0443db0ba59f8dd30bfa6783dcdc53ff8537f9c30a2be1082b1431027176dfac

SHA512
bdf21e0fb43840871f6d40313fa48b9c1806366b1955001053f60013e505fe7c298fb9e9d193ad0881e8a85453a2cf18e46aa169e562abc867e3d479653a5212

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
b19b9f8f82983bd653129b29f39a7e6a

SHA1
31cefcbf15ed0987db199ca69b98ef35f7ea12cf

SHA256
82ad6a571ebf8d04d774083da9ea26d7a01c252f5aa19bc11a9fee7903ca99df

SHA512
ee8e9b7744b75e483c6ff584a235753bba59a4baa574f8484e0e4209c29c71d59bbaef2458f2f574f94121128cbe0a6ebaeb8a891cf7d0261f17671619d8da97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57f7cd.TMP

Filesize
1KB

MD5
70efb5d20c9e57256de58a50e498e553

SHA1
2283514c21f3849c882d7558870f125d98a50f99

SHA256
2c89ae4031906fff23cf93f78027347918df479fb6fecdeaec0777362f374a76

SHA512
f12ae2272b0ad321af61605570a7babcfea758a154dfba7b3e521a979389151322b713f536263276b3931435b7f6bf22afa3b312441b7a2a79bb5c2154081a54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
d478f083dad343c16006fdcc3db03171

SHA1
4be5c89c32117887290fd19bef678af714743320

SHA256
9d66d8050fa31f9ec56b1e601a255ab9fb3288fc03dadd3d8fb831aa8ec1702e

SHA512
a94d38f129a77be57cc3f7763ae215c125ce9e16a1fb17dd119751f4958adb5e693d444518861887c4635fe1c0aeed15d3e0f1e1016e006574bc57c550c9f239

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
68a3e78b5d76b299eb3e751bd28c7c5f

SHA1
fc7574d1a1f85e4f8a2cc056f0808298c9f4f639

SHA256
a7961ac9b677fb583efb77563e6a5fc710f00f38322a0dd67d0f3dd5a4cf8f3e

SHA512
023bb07a8bc053bf7742d416a856e939da1765cadb09c95c55c45e28e42a5ca7dcba468e5911348d3a2b4706739c6306769d8b4a5c6bcd0874f0788eb27fe5ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
64788787d40d580729264facc6bc26fe

SHA1
78b6087d632295026864d5687727749a02aeeda5

SHA256
bb247efdf4af45720c43f129142d1f5ee45ab8fb5dc6b2292770f3a5ad0293dc

SHA512
0255567e88a6629d811e93bb7f09cf1433a9966350683ce781534c1597f3506a172cf45e20388b708bba927b357861c450dfe0abf569e2b385774a2bc2cf706d

Download Submit
C:\Users\Admin\Downloads\!Please Read Me!.txt

Filesize
797B

MD5
afa18cf4aa2660392111763fb93a8c3d

SHA1
c219a3654a5f41ce535a09f2a188a464c3f5baf5

SHA256
227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0

SHA512
4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b

Download Submit
C:\Users\Admin\Downloads\!WannaDecryptor!.exe.lnk

Filesize
590B

MD5
790a82717bdc4072a2dbd2a48bfd44dd

SHA1
09e034e428c6a3a2eac576e7393d764d559abfc8

SHA256
ec31f37d245fd207eb4dc8db2baf28b993e2f9c1926b49fe820c07e7656c01bc

SHA512
82873b31617418bf51efa78afcf51e8fe78f118f417eec63db301279257ef8f8d4e8d0e523379b8c3f4810867c0f83bdc907bda74fe9cfc221ff9f9930b21a40

Download Submit
C:\Users\Admin\Downloads\00000000.res

Filesize
136B

MD5
8a43e641093cbea2465969b10f5b1709

SHA1
8ce7bb70960ac257a7ed4aff8813dc00fa2fd576

SHA256
89aa340914a367e3cb44fa0482a31f8d2cb9c733ff603fb6d276980fd71bb6fb

SHA512
090f6bd34c98b73c10674c0d7dea53e18a5cb76b018cf0d060eacf513d371b4fd987b70c4e5f3fb9bc17a7b8262a9ea0214d26afd58987028e2f444ce68944bf

Download Submit
C:\Users\Admin\Downloads\292251734168881.bat

Filesize
318B

MD5
a261428b490a45438c0d55781a9c6e75

SHA1
e9eefce11cefcbb7e5168bfb8de8a3c3ac45c41e

SHA256
4288d655b7de7537d7ea13fdeb1ba19760bcaf04384cd68619d9e5edb5e31f44

SHA512
304887938520ffcc6966da83596ccc8688b7eace9572982c224f3fb9c59e6fb2dcaa021a19d2aae47346e954c0d0d8145c723b7143dece11ac7261dc41ba3d40

Download Submit
C:\Users\Admin\Downloads\c.vbs

Filesize
201B

MD5
02b937ceef5da308c5689fcdb3fb12e9

SHA1
fa5490ea513c1b0ee01038c18cb641a51f459507

SHA256
5d57b86aeb52be824875008a6444daf919717408ec45aff4640b5e64610666f1

SHA512
843eeae13ac5fdc216b14e40534543c283ecb2b6c31503aba2d25ddd215df19105892e43cf618848742de9c13687d21e8c834eff3f2b69a26df2509a6f992653

Download Submit
C:\Users\Admin\Downloads\c.wry

Filesize
628B

MD5
946cbedc6eb1a7dc5f8c486bdbc86328

SHA1
4a640ab01489103aeaa1c7f029eab6221ae2fe18

SHA256
3afce68d1265c6a2ea44317b41eeda3fe4c1c4c027bc345dcde9fe7b37821248

SHA512
d8552bfd8b80a61afd5cdfd2029bdce07d487ef149ff11a49438437eaf7dd249f640113a678305a9ef9985282be905f2d881419863dacfaf05a741e88d18b4f8

Download Submit
C:\Users\Admin\Downloads\m.wry

Filesize
42KB

MD5
980b08bac152aff3f9b0136b616affa5

SHA1
2a9c9601ea038f790cc29379c79407356a3d25a3

SHA256
402046ada270528c9ac38bbfa0152836fe30fb8e12192354e53b8397421430d9

SHA512
100cda1f795781042b012498afd783fd6ff03b0068dbd07b2c2e163cd95e6c6e00755ce16b02b017693c9febc149ed02df9df9b607e2b9cca4b07e5bd420f496

Download Submit
C:\Users\Admin\Downloads\r.wry

Filesize
729B

MD5
880e6a619106b3def7e1255f67cb8099

SHA1
8b3a90b2103a92d9facbfb1f64cb0841d97b4de7

SHA256
c9e9dc06f500ae39bfeb4671233cc97bb6dab58d97bb94aba4a2e0e509418d35

SHA512
c35ca30e0131ae4ee3429610ce4914a36b681d2c406f67816f725aa336969c2996347268cb3d19c22abaa4e2740ae86f4210b872610a38b4fa09ee80fcf36243

Download Submit
C:\Users\Admin\Downloads\t.wry

Filesize
68KB

MD5
5557ee73699322602d9ae8294e64ce10

SHA1
1759643cf8bfd0fb8447fd31c5b616397c27be96

SHA256
a7dd727b4e0707026186fcab24ff922da50368e1a4825350bd9c4828c739a825

SHA512
77740de21603fe5dbb0d9971e18ec438a9df7aaa5cea6bd6ef5410e0ab38a06ce77fbaeb8fc68e0177323e6f21d0cee9410e21b7e77e8d60cc17f7d93fdb3d5e

Download Submit
C:\Users\Admin\Downloads\u.wry

Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
memory/2136-493-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download
memory/2288-2113-0x0000024652BD0000-0x0000024652BD1000-memory.dmp

Filesize
4KB

Download
memory/2288-2114-0x0000024652BD0000-0x0000024652BD1000-memory.dmp

Filesize
4KB

Download
memory/2288-2106-0x0000024652BD0000-0x0000024652BD1000-memory.dmp

Filesize
4KB

Download
memory/2288-2112-0x0000024652BD0000-0x0000024652BD1000-memory.dmp

Filesize
4KB

Download
memory/2288-2111-0x0000024652BD0000-0x0000024652BD1000-memory.dmp

Filesize
4KB

Download
memory/2288-2110-0x0000024652BD0000-0x0000024652BD1000-memory.dmp

Filesize
4KB

Download
memory/2288-2115-0x0000024652BD0000-0x0000024652BD1000-memory.dmp

Filesize
4KB

Download
memory/2288-2116-0x0000024652BD0000-0x0000024652BD1000-memory.dmp

Filesize
4KB

Download
memory/2288-2104-0x0000024652BD0000-0x0000024652BD1000-memory.dmp

Filesize
4KB

Download
memory/2288-2105-0x0000024652BD0000-0x0000024652BD1000-memory.dmp

Filesize
4KB

Download
memory/2996-2157-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads