wannacry | fd563cf7c0c862ab910cf558b5a123354b616e84902d277edf09f378ff6f9786

max time kernel
954s
max time network
938s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-12-2024 13:11

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

b28242123ed2cf6000f0aa036844bd29.dll
Size

87KB
MD5

b28242123ed2cf6000f0aa036844bd29
SHA1

915f41a6c59ed743803ea0ddde08927ffd623586
SHA256

fd563cf7c0c862ab910cf558b5a123354b616e84902d277edf09f378ff6f9786
SHA512

08e5966ca90f08c18c582e6c67d71186a6f9c025fc9f78020e1ce202814de094171111b7f3623d81f7371acdf92206446f7c0425e08e8f5f5b6fd969007d9fca
SSDEEP

1536:0A1KsVHBnVJ0T1rFTQHUPx+nVP7ZSRILMZoXyqqEbzPCAdt6rFTc:0A1rVIrFTOUsnVP7sRILgAPCvrFTc

Score

10^/10

wannacry bootkit defense_evasion discovery execution impact persistence ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\!Please Read Me!.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions! �

Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Wannacry family
wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Downloads MZ/PE file

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	MEMZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	MEMZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	MEMZ.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD2124.tmp	WannaCry (1).exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD212B.tmp	WannaCry (1).exe

Executes dropped EXE 26 IoCs

pid	Process
5064	WannaCry (1).exe
2064	!WannaDecryptor!.exe
1820	WannaCry (1).exe
4708	WannaCry (1).exe
1552	WannaCry (1).exe
1692	WannaCry (1).exe
4148	WannaCry (1).exe
4684	WannaCry (1).exe
2036	WannaCry (1).exe
1900	!WannaDecryptor!.exe
1428	!WannaDecryptor!.exe
1020	!WannaDecryptor!.exe
2936	MEMZ.exe
4372	MEMZ.exe
1804	MEMZ.exe
3620	MEMZ.exe
3704	MEMZ.exe
4660	MEMZ.exe
2096	MEMZ.exe
4460	MEMZ.exe
3504	MEMZ.exe
4788	MEMZ.exe
3316	MEMZ.exe
1848	MEMZ.exe
2044	MEMZ.exe
4900	MEMZ.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\Downloads\\WannaCry (1).exe\" /r"	WannaCry (1).exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
114	raw.githubusercontent.com
115	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	MEMZ.exe
File opened for modification	\??\PhysicalDrive0	MEMZ.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp"	!WannaDecryptor!.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4192	3564	WerFault.exe	83

System Location Discovery: System Language Discovery 1 TTPs 27 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
4688	taskkill.exe
2420	taskkill.exe
2900	taskkill.exe
1772	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	msedge.exe

NTFS ADS 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 952434.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 586459.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 963150.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 207101.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2388	msedge.exe
2388	msedge.exe
3200	msedge.exe
3200	msedge.exe
4068	identity_helper.exe
4068	identity_helper.exe
1712	msedge.exe
1712	msedge.exe
1712	msedge.exe
1712	msedge.exe
4276	msedge.exe
4276	msedge.exe
1984	msedge.exe
1984	msedge.exe
1804	MEMZ.exe
1804	MEMZ.exe
4372	MEMZ.exe
4372	MEMZ.exe
1804	MEMZ.exe
1804	MEMZ.exe
4372	MEMZ.exe
3620	MEMZ.exe
3620	MEMZ.exe
4372	MEMZ.exe
1804	MEMZ.exe
1804	MEMZ.exe
4372	MEMZ.exe
4372	MEMZ.exe
3620	MEMZ.exe
4660	MEMZ.exe
3620	MEMZ.exe
4660	MEMZ.exe
3704	MEMZ.exe
3704	MEMZ.exe
1804	MEMZ.exe
3704	MEMZ.exe
3704	MEMZ.exe
1804	MEMZ.exe
4660	MEMZ.exe
3620	MEMZ.exe
4660	MEMZ.exe
3620	MEMZ.exe
4372	MEMZ.exe
4372	MEMZ.exe
1804	MEMZ.exe
3620	MEMZ.exe
3620	MEMZ.exe
1804	MEMZ.exe
4660	MEMZ.exe
3704	MEMZ.exe
4660	MEMZ.exe
3704	MEMZ.exe
1804	MEMZ.exe
1804	MEMZ.exe
3704	MEMZ.exe
4660	MEMZ.exe
3704	MEMZ.exe
4660	MEMZ.exe
3620	MEMZ.exe
4372	MEMZ.exe
3620	MEMZ.exe
4372	MEMZ.exe
1804	MEMZ.exe
3620	MEMZ.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs

pid	Process
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

description	pid	Process
Token: SeDebugPrivilege	2420	taskkill.exe
Token: SeDebugPrivilege	2900	taskkill.exe
Token: SeDebugPrivilege	1772	taskkill.exe
Token: SeDebugPrivilege	4688	taskkill.exe
Token: SeIncreaseQuotaPrivilege	388	WMIC.exe
Token: SeSecurityPrivilege	388	WMIC.exe
Token: SeTakeOwnershipPrivilege	388	WMIC.exe
Token: SeLoadDriverPrivilege	388	WMIC.exe
Token: SeSystemProfilePrivilege	388	WMIC.exe
Token: SeSystemtimePrivilege	388	WMIC.exe
Token: SeProfSingleProcessPrivilege	388	WMIC.exe
Token: SeIncBasePriorityPrivilege	388	WMIC.exe
Token: SeCreatePagefilePrivilege	388	WMIC.exe
Token: SeBackupPrivilege	388	WMIC.exe
Token: SeRestorePrivilege	388	WMIC.exe
Token: SeShutdownPrivilege	388	WMIC.exe
Token: SeDebugPrivilege	388	WMIC.exe
Token: SeSystemEnvironmentPrivilege	388	WMIC.exe
Token: SeRemoteShutdownPrivilege	388	WMIC.exe
Token: SeUndockPrivilege	388	WMIC.exe
Token: SeManageVolumePrivilege	388	WMIC.exe
Token: 33	388	WMIC.exe
Token: 34	388	WMIC.exe
Token: 35	388	WMIC.exe
Token: 36	388	WMIC.exe
Token: SeIncreaseQuotaPrivilege	388	WMIC.exe
Token: SeSecurityPrivilege	388	WMIC.exe
Token: SeTakeOwnershipPrivilege	388	WMIC.exe
Token: SeLoadDriverPrivilege	388	WMIC.exe
Token: SeSystemProfilePrivilege	388	WMIC.exe
Token: SeSystemtimePrivilege	388	WMIC.exe
Token: SeProfSingleProcessPrivilege	388	WMIC.exe
Token: SeIncBasePriorityPrivilege	388	WMIC.exe
Token: SeCreatePagefilePrivilege	388	WMIC.exe
Token: SeBackupPrivilege	388	WMIC.exe
Token: SeRestorePrivilege	388	WMIC.exe
Token: SeShutdownPrivilege	388	WMIC.exe
Token: SeDebugPrivilege	388	WMIC.exe
Token: SeSystemEnvironmentPrivilege	388	WMIC.exe
Token: SeRemoteShutdownPrivilege	388	WMIC.exe
Token: SeUndockPrivilege	388	WMIC.exe
Token: SeManageVolumePrivilege	388	WMIC.exe
Token: 33	388	WMIC.exe
Token: 34	388	WMIC.exe
Token: 35	388	WMIC.exe
Token: 36	388	WMIC.exe
Token: SeBackupPrivilege	436	vssvc.exe
Token: SeRestorePrivilege	436	vssvc.exe
Token: SeAuditPrivilege	436	vssvc.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2064	!WannaDecryptor!.exe
2064	!WannaDecryptor!.exe
1900	!WannaDecryptor!.exe
1900	!WannaDecryptor!.exe
1428	!WannaDecryptor!.exe
1428	!WannaDecryptor!.exe
1020	!WannaDecryptor!.exe
1020	!WannaDecryptor!.exe
4372	MEMZ.exe
4660	MEMZ.exe
3620	MEMZ.exe
3704	MEMZ.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1596 wrote to memory of 3564	1596	regsvr32.exe	83
PID 1596 wrote to memory of 3564	1596	regsvr32.exe	83
PID 1596 wrote to memory of 3564	1596	regsvr32.exe	83
PID 3200 wrote to memory of 2544	3200	msedge.exe	101
PID 3200 wrote to memory of 2544	3200	msedge.exe	101
PID 3200 wrote to memory of 1400	3200	msedge.exe	102
PID 3200 wrote to memory of 1400	3200	msedge.exe	102
PID 3200 wrote to memory of 1400	3200	msedge.exe	102
PID 3200 wrote to memory of 1400	3200	msedge.exe	102
PID 3200 wrote to memory of 1400	3200	msedge.exe	102
PID 3200 wrote to memory of 1400	3200	msedge.exe	102
PID 3200 wrote to memory of 1400	3200	msedge.exe	102
PID 3200 wrote to memory of 1400	3200	msedge.exe	102
PID 3200 wrote to memory of 1400	3200	msedge.exe	102
PID 3200 wrote to memory of 1400	3200	msedge.exe	102
PID 3200 wrote to memory of 1400	3200	msedge.exe	102
PID 3200 wrote to memory of 1400	3200	msedge.exe	102
PID 3200 wrote to memory of 1400	3200	msedge.exe	102
PID 3200 wrote to memory of 1400	3200	msedge.exe	102
PID 3200 wrote to memory of 1400	3200	msedge.exe	102
PID 3200 wrote to memory of 1400	3200	msedge.exe	102
PID 3200 wrote to memory of 1400	3200	msedge.exe	102
PID 3200 wrote to memory of 1400	3200	msedge.exe	102
PID 3200 wrote to memory of 1400	3200	msedge.exe	102
PID 3200 wrote to memory of 1400	3200	msedge.exe	102
PID 3200 wrote to memory of 1400	3200	msedge.exe	102
PID 3200 wrote to memory of 1400	3200	msedge.exe	102
PID 3200 wrote to memory of 1400	3200	msedge.exe	102
PID 3200 wrote to memory of 1400	3200	msedge.exe	102
PID 3200 wrote to memory of 1400	3200	msedge.exe	102
PID 3200 wrote to memory of 1400	3200	msedge.exe	102
PID 3200 wrote to memory of 1400	3200	msedge.exe	102
PID 3200 wrote to memory of 1400	3200	msedge.exe	102
PID 3200 wrote to memory of 1400	3200	msedge.exe	102
PID 3200 wrote to memory of 1400	3200	msedge.exe	102
PID 3200 wrote to memory of 1400	3200	msedge.exe	102
PID 3200 wrote to memory of 1400	3200	msedge.exe	102
PID 3200 wrote to memory of 1400	3200	msedge.exe	102
PID 3200 wrote to memory of 1400	3200	msedge.exe	102
PID 3200 wrote to memory of 1400	3200	msedge.exe	102
PID 3200 wrote to memory of 1400	3200	msedge.exe	102
PID 3200 wrote to memory of 1400	3200	msedge.exe	102
PID 3200 wrote to memory of 1400	3200	msedge.exe	102
PID 3200 wrote to memory of 1400	3200	msedge.exe	102
PID 3200 wrote to memory of 1400	3200	msedge.exe	102
PID 3200 wrote to memory of 2388	3200	msedge.exe	103
PID 3200 wrote to memory of 2388	3200	msedge.exe	103
PID 3200 wrote to memory of 3140	3200	msedge.exe	104
PID 3200 wrote to memory of 3140	3200	msedge.exe	104
PID 3200 wrote to memory of 3140	3200	msedge.exe	104
PID 3200 wrote to memory of 3140	3200	msedge.exe	104
PID 3200 wrote to memory of 3140	3200	msedge.exe	104
PID 3200 wrote to memory of 3140	3200	msedge.exe	104
PID 3200 wrote to memory of 3140	3200	msedge.exe	104
PID 3200 wrote to memory of 3140	3200	msedge.exe	104
PID 3200 wrote to memory of 3140	3200	msedge.exe	104
PID 3200 wrote to memory of 3140	3200	msedge.exe	104
PID 3200 wrote to memory of 3140	3200	msedge.exe	104
PID 3200 wrote to memory of 3140	3200	msedge.exe	104
PID 3200 wrote to memory of 3140	3200	msedge.exe	104
PID 3200 wrote to memory of 3140	3200	msedge.exe	104
PID 3200 wrote to memory of 3140	3200	msedge.exe	104
PID 3200 wrote to memory of 3140	3200	msedge.exe	104
PID 3200 wrote to memory of 3140	3200	msedge.exe	104

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\b28242123ed2cf6000f0aa036844bd29.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1596
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\b28242123ed2cf6000f0aa036844bd29.dll
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3564
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3564 -s 604
    3⤵
    - Program crash
    PID:4192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3564 -ip 3564
1⤵
PID:4640

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd41bd46f8,0x7ffd41bd4708,0x7ffd41bd4718
  2⤵
  PID:2544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,3096788788216488217,10102976406397983112,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2224 /prefetch:2
  2⤵
  PID:1400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,3096788788216488217,10102976406397983112,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,3096788788216488217,10102976406397983112,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2808 /prefetch:8
  2⤵
  PID:3140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3096788788216488217,10102976406397983112,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:2824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3096788788216488217,10102976406397983112,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
  2⤵
  PID:2948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3096788788216488217,10102976406397983112,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:1
  2⤵
  PID:4664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3096788788216488217,10102976406397983112,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:1
  2⤵
  PID:4100
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,3096788788216488217,10102976406397983112,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3368 /prefetch:8
  2⤵
  PID:1932
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,3096788788216488217,10102976406397983112,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3368 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3096788788216488217,10102976406397983112,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5336 /prefetch:1
  2⤵
  PID:812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3096788788216488217,10102976406397983112,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:1
  2⤵
  PID:1540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3096788788216488217,10102976406397983112,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4728 /prefetch:1
  2⤵
  PID:4360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3096788788216488217,10102976406397983112,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5604 /prefetch:1
  2⤵
  PID:2144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3096788788216488217,10102976406397983112,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5776 /prefetch:1
  2⤵
  PID:3168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3096788788216488217,10102976406397983112,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6096 /prefetch:1
  2⤵
  PID:4484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3096788788216488217,10102976406397983112,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:1
  2⤵
  PID:464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3096788788216488217,10102976406397983112,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5868 /prefetch:1
  2⤵
  PID:4192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3096788788216488217,10102976406397983112,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3052 /prefetch:1
  2⤵
  PID:1408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3096788788216488217,10102976406397983112,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4572 /prefetch:1
  2⤵
  PID:2436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,3096788788216488217,10102976406397983112,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5316 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2156,3096788788216488217,10102976406397983112,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=1760 /prefetch:8
  2⤵
  PID:1824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3096788788216488217,10102976406397983112,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4652 /prefetch:1
  2⤵
  PID:2044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2156,3096788788216488217,10102976406397983112,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6496 /prefetch:8
  2⤵
  PID:1592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3096788788216488217,10102976406397983112,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4576 /prefetch:1
  2⤵
  PID:2412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2156,3096788788216488217,10102976406397983112,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6400 /prefetch:8
  2⤵
  PID:4872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2156,3096788788216488217,10102976406397983112,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4776 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4276
- C:\Users\Admin\Downloads\WannaCry (1).exe
  "C:\Users\Admin\Downloads\WannaCry (1).exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:5064
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 188311734355187.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3504
  - - C:\Windows\SysWOW64\cscript.exe
      cscript //nologo c.vbs
      4⤵
      System Location Discovery: System Language Discovery
      PID:2488
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe f
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2064
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im MSExchange*
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2420
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Microsoft.Exchange.*
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2900
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sqlserver.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1772
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sqlwriter.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4688
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe c
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1900
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c start /b !WannaDecryptor!.exe v
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3924
  - - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
      !WannaDecryptor!.exe v
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1428
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:980
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:388
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe
    3⤵
    - Executes dropped EXE
    - Sets desktop wallpaper using registry
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1020
- C:\Users\Admin\Downloads\WannaCry (1).exe
  "C:\Users\Admin\Downloads\WannaCry (1).exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1820
- C:\Users\Admin\Downloads\WannaCry (1).exe
  "C:\Users\Admin\Downloads\WannaCry (1).exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4708
- C:\Users\Admin\Downloads\WannaCry (1).exe
  "C:\Users\Admin\Downloads\WannaCry (1).exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1552
- C:\Users\Admin\Downloads\WannaCry (1).exe
  "C:\Users\Admin\Downloads\WannaCry (1).exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1692
- C:\Users\Admin\Downloads\WannaCry (1).exe
  "C:\Users\Admin\Downloads\WannaCry (1).exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4148
- C:\Users\Admin\Downloads\WannaCry (1).exe
  "C:\Users\Admin\Downloads\WannaCry (1).exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4684
- C:\Users\Admin\Downloads\WannaCry (1).exe
  "C:\Users\Admin\Downloads\WannaCry (1).exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3096788788216488217,10102976406397983112,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6676 /prefetch:1
  2⤵
  PID:4960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2156,3096788788216488217,10102976406397983112,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4776 /prefetch:8
  2⤵
  PID:180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3096788788216488217,10102976406397983112,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6352 /prefetch:1
  2⤵
  PID:4552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2156,3096788788216488217,10102976406397983112,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5928 /prefetch:8
  2⤵
  PID:1884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2156,3096788788216488217,10102976406397983112,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5956 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1984
- C:\Users\Admin\Downloads\MEMZ.exe
  "C:\Users\Admin\Downloads\MEMZ.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2936
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4372
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1804
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3620
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3704
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4660
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /main
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    PID:2096
  - - C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\System32\notepad.exe" \note.txt
      4⤵
      System Location Discovery: System Language Discovery
      PID:4032
- C:\Users\Admin\Downloads\MEMZ.exe
  "C:\Users\Admin\Downloads\MEMZ.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4460
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    PID:3504
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    PID:4788
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    PID:3316
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    PID:1848
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    PID:2044
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /main
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    PID:4900
  - - C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\System32\notepad.exe" \note.txt
      4⤵
      PID:4808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2156,3096788788216488217,10102976406397983112,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4032 /prefetch:8
  2⤵
  PID:1816

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3936

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4496

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1616

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e55832d7cd7e868a2c087c4c73678018

SHA1
ed7a2f6d6437e907218ffba9128802eaf414a0eb

SHA256
a4d7777b980ec53de3a70aca8fb25b77e9b53187e7d2f0fa1a729ee9a35da574

SHA512
897fdebf1a9269a1bf1e3a791f6ee9ab7c24c9d75eeff65ac9599764e1c8585784e1837ba5321d90af0b004af121b2206081a6fb1b1ad571a0051ee33d3f5c5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c2d9eeb3fdd75834f0ac3f9767de8d6f

SHA1
4d16a7e82190f8490a00008bd53d85fb92e379b0

SHA256
1e5efb5f1d78a4cc269cb116307e9d767fc5ad8a18e6cf95c81c61d7b1da5c66

SHA512
d92f995f9e096ecc0a7b8b4aca336aeef0e7b919fe7fe008169f0b87da84d018971ba5728141557d42a0fc562a25191bd85e0d7354c401b09e8b62cdc44b6dcd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000c

Filesize
17KB

MD5
18a9531f05f4a3662558d102349767b1

SHA1
328114b78180b5931d651669bf0b21d3a5cf8adc

SHA256
2d427df292899c50caad69f5c59737ff07f39544e52ff6b9d01f4fb82ec0d716

SHA512
b52d9f81a88694bbb16551a50fefd69a3f3dcd0ce5d3d3f3e3a2c1d7de969b5f6e27ca9fd22f7e964108f9b39eb083a44ef161ee3b8c39f61fa5939a15d21b2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
c593f5d3f2b30f6c0d1a24a95f959b53

SHA1
296acbde3ea58aa4f979eaf215c721421f8bca51

SHA256
94da181669d0021f5d885aa517827dd54e73f061ab6924044c92c570529bdf5f

SHA512
a8fb328dbdd52de3fe9d3c372fbc51273a12c46790c94ef84094b1a1f432dcb34b7ad2b2c7a10fc8ef9f82b6c4e81140aa4c5d6dde28067e83d8459ded981212

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
ce02833e859d2d01c862655df87eadd8

SHA1
801a6094719ae7f95ac9509d534c50c4b5513df3

SHA256
8218af9303c27d4b9b52b46daffa429a729b9c486539457a2c5f4d068ae4d7bc

SHA512
48444435f443dedf3056e163377f64e21b0100f7a5d939d3bbd5a9fa1413b2d13ec53ac8efea06e79af41c9ebc91fafa66d86750d6c824fe42e5d5d458ccfdc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
61e991156200ef872d356547d8e0b8c4

SHA1
5fa6e5a4fe30ab1ce371245e217a4106304a5b3d

SHA256
e8b87948e3d83bfb7b0fb022834f9ca14737e250c4c1357bde31e25d2053758a

SHA512
319bec5fa91908142cae008e719df8d88343a36ee5abed27eda24119e563bc7fb5d7d8118296a5f569c869612a68c858587330691e6ba4200c9db5c1ab86a9af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
956B

MD5
4c9c14bc24020df0e819acab8bea1ea6

SHA1
f77a7d412939f31e420866cc36d6e3b0c5991d9c

SHA256
6b7e4ca17c515eeb016d81f5acaf509ab8e563d1c3eff950720f619cb345a7f3

SHA512
f0e476bf48377115c7dfbb9fc9fb751da7c7b19cefb8e66621f8f1d4e11265ac4f37bbfed4d3d91e7b34dceee4c1a211f7eb209a6a10f182b19292b9445c7dce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
ea060be98fec6c53684f4ca9c3965e8a

SHA1
0180964410bf25f874e49e98c368194414d5ccd1

SHA256
0be93bb64bf555850020d03452dbee7321812aba895658b541182169f8f1ce89

SHA512
230c80288acf7222cb7ca27247e352c2d3f75f173fe5375bfa078144d4b3cc00aed32bdf2c02159db0fda4b476f0b50894c738eec05d3e7ce62e37ca9ef4115d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
06dff987f653e0e3e029ca2565051f85

SHA1
d2514003a8e04c859b9fc6ceff3202ec5b0dbb74

SHA256
edec866ff71707b5759cb2f7cc93de0703cc5738718e226b86004ac2da475840

SHA512
0369c6e1ad399fe2ed1c7c80cc03db564ff39570eaa78f3ab72943c3ce3903915b439525addb88473c55328137055ce5ca5d2c686e62c7387b90d9192656d5dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
3b064db9deb31fad41dd70e21449b23a

SHA1
ab480187009ed313682a860a5c3c34e805041b9d

SHA256
532b8981624219beeb3dd632ac71d8c6fe51d358162367e916c2c51f7bd9a09c

SHA512
163cea807b8be541e7c12a2496724db9f63a13595e516c0a229d37a7b45803e2989e9fa7c2c0c6c86e2f6736f06b54f902daa865e9d3f0424b802651f317af42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8c5acb5aabdf44debf8a140540a20fb1

SHA1
a3368f5a0736d484e79c2bd859d2923b534edc95

SHA256
a888c8d108a72a1c17fb8b75209adabade9637b24b699d5808761c3572f47abb

SHA512
ebe595034ccb6792f721438d5a3cd41938ef52c57c5909056b6310c7f5d80c4669bdc75695848f92ba1f0173a5b9874db7cce77699b6bd13b1af7a6c6a2d5a55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
eb939367a2ffb2d45f2cc76ca5e995a2

SHA1
ad9d416d50a03a866e84241e2331866da922b8d6

SHA256
c315ca32c5114beecac4c904f999ec1455cc5084e71784fe58be9b138b67aa76

SHA512
9ab4fd3f84345330074b02686075ebf4a7eee68436c8aa8ea9b3e67aede70def415c2636ea94a7b07bc02c5327dd2ae7de4b8e3a918bffd8f0829ee73c5390d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c9fffe7adeec92f45905f96570bc0f3d

SHA1
c9dd87923b586cb33e33c7b369a959e2b6d54e08

SHA256
5bc675ba6f2a10b1d4b5fca2beeebc4ff2ef089ceb1c341e4401745186786128

SHA512
575ffd74bf390c4c11662cb0fc08ed76abba1c73b038d6a19eed4b36f66503f014524a540ed9b7bf581472e4fcb39e9ce9ac9aca6d9d07a27c5ea58999fdb079

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0b48ee79b6ec5b2374d6709dd6b6719a

SHA1
2010a4593c7b8eead29383e59aedfa80083a843f

SHA256
bfa1673b83dbc580da06f80f2940202ea07bbfb808e0a2d093a110471d0df843

SHA512
0dd991f2d5857c91d1ba236753f2d85c0eb5bc8d7a137e959946037f2f39175c2b635e1a47b7ceb768178b2fa0d844e52a11fefa8a64e7d74edc287554c784af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d8aa526e2d55f598d736061807d29290

SHA1
ed8d0d450dc7179e0cbbe33f7cdb5705b4163772

SHA256
2fee6c56b850f691614e4776f7b5bbf706fa7a985515856fc0c6fa18e9c85132

SHA512
845ccf0b547ee6e1fa59329e60a165efe43439ba1e65f440e27b4a03a6334d6d2810f73a0383c80d3571dd674de19c1e82e9c4a7e76261146dadb72d43940011

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
cf699f487a7f164b295703ba64f943c8

SHA1
d0de7618afa96d1df341a6665c9b97281edd817f

SHA256
1ace0d30d7c23e105cd0d019d3ad2200a1c125cc0dea4acf689e17e6a9e8e770

SHA512
e85612697b13fabd1e5b44eb696b523123f6828299c08bbf9bd056164e9ad03f88aed042c2f9d8309c0e702e94f2e7eebadf557ee2cc37e03dbf59168428d81a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
8844bc028e800a9e00be37c6054e3c28

SHA1
45ba99f16e0d6432fc82366048ca6ad1a2a6b887

SHA256
164e8cd1e3056f00330d143ac6e1f48fc66ba4b96304592f38bfe8a5426aa067

SHA512
4a75ddbcc50986574feea0bb5b1bd80b4eb6118482ed2f84ab93cd4ecc3a49f85537218927f519d36e6f15c828b0ebc348f430fdd22d5e8ca47f242122a74aec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2a18126b0fec831c7d3a5bf8543dc299

SHA1
6cd17d078ec11f674be55c9f58f6b2e508c13109

SHA256
4525d45f1593d9e738eaf037a4b325f59388955ea74f029c0df12caa6dbc6496

SHA512
d9cb9d69db250c706bc46da1dda4a3425629c035c4e8154e5801982035b8bcf1ea1f2f6a09c9f39549ce76a36262104df247f7375b4fe70463316fa6d7139bd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e9e1754ed775fdaf7884931c63deb0ce

SHA1
8c008c22900ead229cddd63700d2312cb0dc6b20

SHA256
60b9b13ec9577501eae09fa87780d412568260d517c26b29d8b72977c5814452

SHA512
b9a121759e1ac28b7fbfea3dda0590d02f0999e7337900d5e369214ae7cb194dca11d79cbc7aafd3acdd7ee1b772eabeed4ae4017235eb4719a94b7371fb983f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
fc306103809bb5a92b84b33398d4e81c

SHA1
07f592a9f4dc94d97c0b4b437183c6259ee7efbe

SHA256
369b90e3e06f55e282c53697ed57cd20248f62239145a19aaaae7ab513652415

SHA512
95c9e58ca5a673129ee06683154162dadf7aa868547dbf75cad1010f17461d971a0c161e8c5c3f93de470754da89d5d1d8e130e1b6e2324cd12e7cc8d3ee41c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d42355007e3dd36eae33ca210211a20a

SHA1
4345101a841f3970b0c9227ac77cb0b501ba7d62

SHA256
c9dd573c4787b7229408d0f185f3a8d7fed29da459a37ce3c71f5d0cda17d8a7

SHA512
ff95341bb0596dc0222884707907f1d789eb2e25739941f11b5981635b88ba52cd12cca004617abc28a2f1706f2cdf16f00798df0e5c10badbb872dc0db663a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d18c7d37c634283cc87cd2e780a203d8

SHA1
b46b1ae32b58dc1d2b5c71edcd02819dc2662729

SHA256
b5937786020b7c68696bcd9cde53a51af277ae0ba9ea4718606f0b007adc9b9b

SHA512
9fd491ed55eeb5c023534832c67469274a87868f9f45944750881eeefaa7944743ce69510d985de371b95da8112061887fc6f1e6c48229f914064cc5f6e2ea1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
caca14e5abb40cda751b8d1d260fbbb3

SHA1
4f0e273d808e5ceb2ec7bb957690e1a10291d3d5

SHA256
726a186aefab247bce9d7c3d9e088b98952a3053edb919c2be7f9b5a96fd3e19

SHA512
bfc571aa3046da3d041c6743343965fd4edaf7ff79c75cb07e1de79bb5de90aeb100256b3796ab053f9279d11cd9c33d8e2ba93b8bba9a64cdd406e833e53757

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
8585c088045880ade86120181fdcd7ab

SHA1
e84d914940ec8f82ae32d1c264432faf115c654a

SHA256
a534ed02a1d0f6ab61af5133d49fd566ebc40adb4247710ffc73b0cce866c2fe

SHA512
6ed89688d69f5d2b1aff5dd255cc46fcaaeba1ae732f879f774efb606b87ea8eceadf2cf756307ec837635cb3c6da462fd622a53c06879230bc93adb7527d4d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ce3b2bbef178f5ffcdfd04d9c44b2bfc

SHA1
23fd7caadf26ecc065a2ac42ef07cfee3272be39

SHA256
d12bc796485037efa66c66f6cd77a614f5392b16c2cce6f5753129c0fdd72adc

SHA512
570404e75e2f8d4ecdbcdfb57fd1c89d4335bc864b59756b6b97040688eb0bf4b317bbe6dff6cc3bf122013f257d80713ac9f83d180078b169b25f3ee4465a11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
f706248af7858859509ff0636f3f689b

SHA1
ae112a3c6d2d5040648a74f2c647e247f9069ffb

SHA256
06f244b7477b68555d5d5816910686a4ce7e728ff3b65fa5dbd3fb5bb324becd

SHA512
786143e07d71cee961f3f805a74ead2db97b6983d1c9368c5741e8e975727aea906c59df0c33bc02d860032430adb132426b2301a49821b933ac8cb926831e61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe583ee8.TMP

Filesize
1KB

MD5
7a302f4eadaed04fd48c6c5591e64e0a

SHA1
7a33a9bef97ecee28f3c09186634b3db215c150e

SHA256
0163707c4cf6279e548ad8af4676b203cc078225f3ec6a61b128c4c8e3b42ec2

SHA512
246b457107b04803cde1b35e21528020d0abc0b4545e2ea5409c77c9bf5a035645f538c49d654a33a13b6688f52f1c6a280317ec0a1d7b5b876bd3990de2a5f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

Filesize
76KB

MD5
5b111c10ad816b500db30efabcc7fcd9

SHA1
8517fd7055129337d756059091ac772e660bdcaa

SHA256
3f1099f5d3d1f13caecd7c347c8e8656d38a086d5b300176f0556b46089ae876

SHA512
6972c95cc2dd7d228d271191524064fffcd4cc03fff5ede7f80c23ac9bc5e918ec6f19f8e34829b41ccb4d89d8e42da512916f975a2bf3a81a9537710a5ef455

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
86c62ac411e69962580ace147c34db45

SHA1
17b8bb79d972cf485d347ec79386a481867a274c

SHA256
08a52c4541ea09211e030a2d165a233c90442b44fa396c138504c1dea7fa6efd

SHA512
09357c2386b5a3e4a6f835478869875779b05e984bf340e8ca0ffd440b598d26447b8983297abe8d039beaf1d9a1087873008d78bd48867dc7d107192c0b0324

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
75081c4dd679de14f1b2ef31ab9e6ea6

SHA1
24f9cee478ca2ca4292b5c2bbfc7198aff09db92

SHA256
25834d96fbda41e227a10951df2f89e17ea83fc1e17b6b1ed264eca48b73f663

SHA512
33df6b1783541a508c9118b63693dbc0df040244d18f145ba18344c02ae2f4d76fc10794eb4f4b772d6633c479da698e383e540f1d6d96a031f1727f3e5e414b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
98be3d848c571e46c119e3e495fc3b85

SHA1
0345856d26d61a69c861cab354cbcdff053262a4

SHA256
24f0e6a0566d3884548a9bf529dcf237b57c04aacc766c30943728b121677949

SHA512
aeca1d5b1b4d7ee60b1bf10dd3fd978cbd0a1f12fa1eb0338875d5c541145b4a843bdab21ea68f3fdd758026d6bad774e7b313b11c924248434a2fddae3d9c73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e587aaad46d80587cc5ce68f89de50d8

SHA1
5a98b8ce5fd08215c62cf6f2eef84b57b90555b5

SHA256
4b82d4c15579c9e24b52cb6c72cf12565ec59d8ba077dedfe884b754461f09e1

SHA512
e6106898269837c8548b1b706349903a942aac6ff0c1371ce69cf6f87c137d4241dba45261701ab7949e7f0baa5558fadeff25742cd992b78b403f26e4dd5a3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
8a5860ba6985bbb909aa92ff25bd5618

SHA1
59fe3dbd397465e371ead497c74b3ed61c1b7a37

SHA256
f2e69ba4684f80f621594a3571d64ea2406b1d9287fbb62ec8d3573b16a51892

SHA512
67ccfb6275f467b2a7465d864b55d7acebf620c18c25de8876687d5ba27be97a8bf8da6d3f178cf83314252840e886f633d22d9f71579c835d85ba845184f847

Download Submit
C:\Users\Admin\Downloads\!Please Read Me!.txt

Filesize
797B

MD5
afa18cf4aa2660392111763fb93a8c3d

SHA1
c219a3654a5f41ce535a09f2a188a464c3f5baf5

SHA256
227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0

SHA512
4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b

Download Submit
C:\Users\Admin\Downloads\!WannaDecryptor!.exe.lnk

Filesize
590B

MD5
99781fe4bccf57103b5765b42eb454db

SHA1
9783573ac6b4d27693928b48db0095e4e79b5f8c

SHA256
85d8105c58e91ee7db37138e124e82315a04eb8dff4c0057f74bda52bfa2f4bd

SHA512
1b47125f3af311917d21dcdd20dd27d66d3c7cfb54fe950596c6b232a6f03ab979e2614a61a3f9d96ca5e548e1abb1386a1cd4875e0a4bed9333a1d310b81c6c

Download Submit
C:\Users\Admin\Downloads\00000000.res

Filesize
136B

MD5
519a189cd7e0a2b8719fbe0028f46f06

SHA1
68b0170064a7650ecfdc8fb7dca95bf946d7304d

SHA256
2b666d33d9a4282e984b2bd868a0a9286d2e04bb15465679b3072e8626922b98

SHA512
3698c64452b0132b70bf84bd0e8eb7d738e06ab06f7f93746ce2abc83fb69980a7e8e8db10a500e2e9e8df7e8b8dc59714518d9368908a410be9748f5f3c1603

Download Submit
C:\Users\Admin\Downloads\188311734355187.bat

Filesize
318B

MD5
a261428b490a45438c0d55781a9c6e75

SHA1
e9eefce11cefcbb7e5168bfb8de8a3c3ac45c41e

SHA256
4288d655b7de7537d7ea13fdeb1ba19760bcaf04384cd68619d9e5edb5e31f44

SHA512
304887938520ffcc6966da83596ccc8688b7eace9572982c224f3fb9c59e6fb2dcaa021a19d2aae47346e954c0d0d8145c723b7143dece11ac7261dc41ba3d40

Download Submit
C:\Users\Admin\Downloads\6def2572-6124-499c-881c-e354dd3af7fd.tmp

Filesize
14KB

MD5
19dbec50735b5f2a72d4199c4e184960

SHA1
6fed7732f7cb6f59743795b2ab154a3676f4c822

SHA256
a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d

SHA512
aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 963150.crdownload

Filesize
224KB

MD5
5c7fb0927db37372da25f270708103a2

SHA1
120ed9279d85cbfa56e5b7779ffa7162074f7a29

SHA256
be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844

SHA512
a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f89224c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206

Download Submit
C:\Users\Admin\Downloads\c.vbs

Filesize
201B

MD5
02b937ceef5da308c5689fcdb3fb12e9

SHA1
fa5490ea513c1b0ee01038c18cb641a51f459507

SHA256
5d57b86aeb52be824875008a6444daf919717408ec45aff4640b5e64610666f1

SHA512
843eeae13ac5fdc216b14e40534543c283ecb2b6c31503aba2d25ddd215df19105892e43cf618848742de9c13687d21e8c834eff3f2b69a26df2509a6f992653

Download Submit
C:\Users\Admin\Downloads\c.wry

Filesize
628B

MD5
b5eb646988fc395e8ffe9c1dc5e197cc

SHA1
a3218c7cfdc7c029794bd62777c45b8358267f0c

SHA256
12aedf47be4944d482bab395b9bd910e6fe88dd71a6c02660f60fae51e29b631

SHA512
0e2d182c19d4ad9b958ae6434ac51d8b69f9d290f92e70ce92b41d89c6d4257aadcbe18e96896dfd85ae0f49f8d362b6af486d3ba820c97d7783c1eb8588aee9

Download Submit
C:\Users\Admin\Downloads\m.wry

Filesize
42KB

MD5
980b08bac152aff3f9b0136b616affa5

SHA1
2a9c9601ea038f790cc29379c79407356a3d25a3

SHA256
402046ada270528c9ac38bbfa0152836fe30fb8e12192354e53b8397421430d9

SHA512
100cda1f795781042b012498afd783fd6ff03b0068dbd07b2c2e163cd95e6c6e00755ce16b02b017693c9febc149ed02df9df9b607e2b9cca4b07e5bd420f496

Download Submit
C:\Users\Admin\Downloads\r.wry

Filesize
729B

MD5
880e6a619106b3def7e1255f67cb8099

SHA1
8b3a90b2103a92d9facbfb1f64cb0841d97b4de7

SHA256
c9e9dc06f500ae39bfeb4671233cc97bb6dab58d97bb94aba4a2e0e509418d35

SHA512
c35ca30e0131ae4ee3429610ce4914a36b681d2c406f67816f725aa336969c2996347268cb3d19c22abaa4e2740ae86f4210b872610a38b4fa09ee80fcf36243

Download Submit
C:\Users\Admin\Downloads\t.wry

Filesize
68KB

MD5
5557ee73699322602d9ae8294e64ce10

SHA1
1759643cf8bfd0fb8447fd31c5b616397c27be96

SHA256
a7dd727b4e0707026186fcab24ff922da50368e1a4825350bd9c4828c739a825

SHA512
77740de21603fe5dbb0d9971e18ec438a9df7aaa5cea6bd6ef5410e0ab38a06ce77fbaeb8fc68e0177323e6f21d0cee9410e21b7e77e8d60cc17f7d93fdb3d5e

Download Submit
C:\Users\Admin\Downloads\u.wry

Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
memory/3564-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/5064-760-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads