Analysis
max time kernel: 134s
max time network: 121s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 29/03/2025, 00:30
Behavioral task: behavioral1
  Sample: 2025-03-28_4c0e5c4aa3eb66907cf32b7bd869dd8f_wannacry.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 2025-03-28_4c0e5c4aa3eb66907cf32b7bd869dd8f_wannacry.exe
  Resource: win10v2004-20250314-en
General
Target: 2025-03-28_4c0e5c4aa3eb66907cf32b7bd869dd8f_wannacry.exe
Size: 1.6MB
MD5: 4c0e5c4aa3eb66907cf32b7bd869dd8f
SHA1: 2f97ad58991c727a897f4613e00d6b24a3300a85
SHA256: 31aa2f05a7cd0b81002336c0f0b5397415b9ee70250862f91215e2bc4bb571d8
SHA512: 56ddad28ad605fe95b4b8f1ea00a130db1e07e082391ce2a1c8336d4ee6f177d1d9806b8a5e200ddc2bf7319f9ba44f194cb48f52f3e9f2c689e7d9b502eea51
SSDEEP: 24576:T1I8mdFc9nPV3EouDm6BkNEnzC5CW78UV:OFc3C37zCyG
Malware Config
Extracted: C:\Users\Admin\AppData\Local\read_it.txt
Signatures
- Chaos
  Ransomware family first seen in June 2021.
- Chaos Ransomware (3 IoCs)
  resource | yara_rule
  behavioral1/memory/2444-1-0x0000000000B40000-0x0000000000CDE000-memory.dmp | family_chaos
  behavioral1/files/0x000c00000001226b-6.dat | family_chaos
  behavioral1/memory/2908-8-0x00000000000E0000-0x000000000027E000-memory.dmp | family_chaos
- Chaos family
- Deletes shadow copies (3 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies boot configuration data using bcdedit (1 TTP, 2 IoCs)
  pid | Process
  2092 | bcdedit.exe
  1720 | bcdedit.exe
- Boot or Logon Autostart Execution: Active Setup (2 TTPs, 1 IoC)
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe
- Deletes backup catalog
  pid | Process
  2020 | wbadmin.exe
- Disables Task Manager via registry modification
- Drops startup file (2 IoCs)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\read_it.txt | svchost.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | svchost.exe
- Executes dropped EXE (1 IoC)
  pid | Process
  2908 | svchost.exe
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\UpdateTask = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe" | svchost.exe
- Drops desktop.ini file(s) (64 IoCs)
  All 64 entries have description "File opened for modification" and Process svchost.exe; the ioc paths are:
  C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini
  C:\Users\All Users\Microsoft\Windows\Start Menu\desktop.ini
  C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
  C:\Users\Admin\Favorites\desktop.ini
  C:\Users\Public\Recorded TV\desktop.ini
  C:\Users\Public\Downloads\desktop.ini
  C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
  C:\Users\Admin\Downloads\desktop.ini
  C:\Users\Public\Videos\Sample Videos\desktop.ini
  C:\Users\Admin\Documents\desktop.ini
  C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini
  C:\Users\Public\Pictures\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
  C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
  C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini
  C:\Users\Public\Desktop\desktop.ini
  C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini
  C:\Users\Admin\Music\desktop.ini
  C:\Users\All Users\Microsoft\Windows\Ringtones\desktop.ini
  C:\Users\Admin\Searches\desktop.ini
  C:\Users\Public\Documents\desktop.ini
  C:\Users\Public\Music\desktop.ini
  C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UGWF8QWZ\desktop.ini
  C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini
  C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini
  C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini
  C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini
  C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\U3EGUGI8\desktop.ini
  C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini
  C:\Users\Admin\Saved Games\desktop.ini
  C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MT4W94IX\desktop.ini
  C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini
  C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini
  C:\Users\Public\desktop.ini
  C:\Users\Public\Pictures\Sample Pictures\desktop.ini
  C:\Users\Public\Videos\desktop.ini
  C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini
  C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\AQYH36ZT\desktop.ini
  C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini
  C:\Users\Admin\Pictures\desktop.ini
  C:\Users\Admin\Videos\desktop.ini
  C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T1DP8V76\desktop.ini
  C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini
  C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini
  C:\Users\Admin\Contacts\desktop.ini
  F:\$RECYCLE.BIN\S-1-5-21-3063565911-2056067323-3330884624-1000\desktop.ini
  C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BY17T927\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini
  C:\Users\Admin\Desktop\desktop.ini
  C:\Users\Admin\Favorites\Links\desktop.ini
  C:\Users\Public\Recorded TV\Sample Media\desktop.ini
  C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini
  C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini
  C:\Users\Public\Libraries\desktop.ini
  C:\Users\Public\Music\Sample Music\desktop.ini
  C:\Users\Admin\Links\desktop.ini
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini
- Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gc0fm1s4h.jpg" | svchost.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Interacts with shadow copies (3 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  pid | Process
  2760 | vssadmin.exe
- Modifies registry class (5 IoCs)
  description | ioc | Process
  Set value (data) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_Classes\Local Settings | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
  Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
- Opens file in notepad (likely ransom note) (1 IoC)
  pid | Process
  1784 | NOTEPAD.EXE
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid | Process
  2908 | svchost.exe
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid | Process
  2444 | 2025-03-28_4c0e5c4aa3eb66907cf32b7bd869dd8f_wannacry.exe (listed 3 times)
  2908 | svchost.exe (listed 3 times)
- Suspicious use of AdjustPrivilegeToken (60 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2444 | 2025-03-28_4c0e5c4aa3eb66907cf32b7bd869dd8f_wannacry.exe
  Token: SeDebugPrivilege | 2908 | svchost.exe
  Token: SeBackupPrivilege | 2604 | vssvc.exe
  Token: SeRestorePrivilege | 2604 | vssvc.exe
  Token: SeAuditPrivilege | 2604 | vssvc.exe
  The following 20 tokens are each listed twice for 3028 WMIC.exe (40 entries in total):
  Token: SeIncreaseQuotaPrivilege | 3028 | WMIC.exe
  Token: SeSecurityPrivilege | 3028 | WMIC.exe
  Token: SeTakeOwnershipPrivilege | 3028 | WMIC.exe
  Token: SeLoadDriverPrivilege | 3028 | WMIC.exe
  Token: SeSystemProfilePrivilege | 3028 | WMIC.exe
  Token: SeSystemtimePrivilege | 3028 | WMIC.exe
  Token: SeProfSingleProcessPrivilege | 3028 | WMIC.exe
  Token: SeIncBasePriorityPrivilege | 3028 | WMIC.exe
  Token: SeCreatePagefilePrivilege | 3028 | WMIC.exe
  Token: SeBackupPrivilege | 3028 | WMIC.exe
  Token: SeRestorePrivilege | 3028 | WMIC.exe
  Token: SeShutdownPrivilege | 3028 | WMIC.exe
  Token: SeDebugPrivilege | 3028 | WMIC.exe
  Token: SeSystemEnvironmentPrivilege | 3028 | WMIC.exe
  Token: SeRemoteShutdownPrivilege | 3028 | WMIC.exe
  Token: SeUndockPrivilege | 3028 | WMIC.exe
  Token: SeManageVolumePrivilege | 3028 | WMIC.exe
  Token: 33 | 3028 | WMIC.exe
  Token: 34 | 3028 | WMIC.exe
  Token: 35 | 3028 | WMIC.exe
  Token: SeBackupPrivilege | 1288 | wbengine.exe
  Token: SeRestorePrivilege | 1288 | wbengine.exe
  Token: SeSecurityPrivilege | 1288 | wbengine.exe
  Token: SeShutdownPrivilege | 1212 | explorer.exe (listed 12 times)
- Suspicious use of FindShellTrayWindow (31 IoCs)
  pid | Process
  1212 | explorer.exe (listed 31 times)
- Suspicious use of SendNotifyMessage (29 IoCs)
  pid | Process
  1212 | explorer.exe (listed 29 times)
- Suspicious use of WriteProcessMemory (30 IoCs)
  description | pid | Process | procid_target
  Each of the following rows is listed three times:
  PID 2444 wrote to memory of 2908 | 2444 | 2025-03-28_4c0e5c4aa3eb66907cf32b7bd869dd8f_wannacry.exe | 30
  PID 2908 wrote to memory of 2616 | 2908 | svchost.exe | 31
  PID 2616 wrote to memory of 2760 | 2616 | cmd.exe | 33
  PID 2616 wrote to memory of 3028 | 2616 | cmd.exe | 36
  PID 2908 wrote to memory of 1316 | 2908 | svchost.exe | 38
  PID 1316 wrote to memory of 2092 | 1316 | cmd.exe | 40
  PID 1316 wrote to memory of 1720 | 1316 | cmd.exe | 41
  PID 2908 wrote to memory of 1908 | 2908 | svchost.exe | 42
  PID 1908 wrote to memory of 2020 | 1908 | cmd.exe | 44
  PID 2908 wrote to memory of 1784 | 2908 | svchost.exe | 48
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
- Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes (the bracketed number is the depth in the process tree)
[1] C:\Users\Admin\AppData\Local\Temp\2025-03-28_4c0e5c4aa3eb66907cf32b7bd869dd8f_wannacry.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\2025-03-28_4c0e5c4aa3eb66907cf32b7bd869dd8f_wannacry.exe"
    PID: 2444
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Roaming\svchost.exe
      command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
      PID: 2908
      - Drops startup file
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops desktop.ini file(s)
      - Sets desktop wallpaper using registry
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\System32\cmd.exe
        command line: "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
        PID: 2616
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\vssadmin.exe
          command line: vssadmin delete shadows /all /quiet
          PID: 2760
          - Interacts with shadow copies
      [4] C:\Windows\System32\Wbem\WMIC.exe
          command line: wmic shadowcopy delete
          PID: 3028
          - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\System32\cmd.exe
        command line: "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
        PID: 1316
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\bcdedit.exe
          command line: bcdedit /set {default} bootstatuspolicy ignoreallfailures
          PID: 2092
          - Modifies boot configuration data using bcdedit
      [4] C:\Windows\system32\bcdedit.exe
          command line: bcdedit /set {default} recoveryenabled no
          PID: 1720
          - Modifies boot configuration data using bcdedit
    [3] C:\Windows\System32\cmd.exe
        command line: "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
        PID: 1908
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\wbadmin.exe
          command line: wbadmin delete catalog -quiet
          PID: 2020
          - Deletes backup catalog
    [3] C:\Windows\system32\NOTEPAD.EXE
        command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt
        PID: 1784
        - Opens file in notepad (likely ransom note)
[1] C:\Windows\system32\vssvc.exe
    command line: C:\Windows\system32\vssvc.exe
    PID: 2604
    - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\system32\wbengine.exe
    command line: "C:\Windows\system32\wbengine.exe"
    PID: 1288
    - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\System32\vdsldr.exe
    command line: C:\Windows\System32\vdsldr.exe -Embedding
    PID: 2820
[1] C:\Windows\System32\vds.exe
    command line: C:\Windows\System32\vds.exe
    PID: 912
[1] C:\Windows\explorer.exe
    command line: explorer.exe
    PID: 1212
    - Boot or Logon Autostart Execution: Active Setup
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Active Setup (1)
    Registry Run Keys / Startup Folder (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Active Setup (1)
    Registry Run Keys / Startup Folder (1)
Defense Evasion
  Direct Volume Access (1)
  Indicator Removal (3)
    File Deletion (3)
  Modify Registry (3)
Downloads
- Filesize: 601KB
  MD5: 1590267bfab5fc9e6d537151be1a1bc3
  SHA1: e71e9d22611962b68b663b2551196c6c4a91d218
  SHA256: 68edccb4f0be5927faa5a6a1589bd7434bd8cf55df48ee60c12bcf7a235e4b2d
  SHA512: e0ab8739ecbdb40229da3808f1d7ea9d128091d7647738176f619d7742f82dc4803f6a70982d299e80ae5c99b85cee0c9ef112e915726e94cd72889160a1bf14
- Filesize: 582B
  MD5: ed5cc52876db869de48a4783069c2a5e
  SHA1: a9d51ceaeff715ace430f9462ab2ee4e7f33e70e
  SHA256: 45726f2f29967ef016f8d556fb6468a577307d67388cc4530295a9ca10fdfa36
  SHA512: 1745aefb9b4db4cdd7c08ee3a7d133db08f35a336fd18b598211519b481ef25ac84a3e8a3da3db06caef9f531288d1cf0ca8d4b2560637945e7953e8b45421f5
- Filesize: 1.6MB
  MD5: 4c0e5c4aa3eb66907cf32b7bd869dd8f
  SHA1: 2f97ad58991c727a897f4613e00d6b24a3300a85
  SHA256: 31aa2f05a7cd0b81002336c0f0b5397415b9ee70250862f91215e2bc4bb571d8
  SHA512: 56ddad28ad605fe95b4b8f1ea00a130db1e07e082391ce2a1c8336d4ee6f177d1d9806b8a5e200ddc2bf7319f9ba44f194cb48f52f3e9f2c689e7d9b502eea51
- Filesize: 397KB
  MD5: a1abeca49ebf4b4b6712c8ab91d376fc
  SHA1: e3618b6ce34b4bf88c1dd3559af4ef10b5184f6d
  SHA256: ccebee30ebdb5eed7ead4e38508fe64ed25044a683bc15067bd6c6c4d8d80874
  SHA512: eaad4b965b0bd0dd01872de36ee9b37fbd96d40c6a28dce30fabcfcc77faffba88eeefed64de9e125c474d867ca607302ce82894561e6083df0e1f036ec4fdf0
- Filesize: 968KB
  MD5: a5173a80fed1c4ac1981835710cf97b2
  SHA1: 20c73bebaa6e707a622fea5bf3a2026d51394f49
  SHA256: 109705f44ea54fdbecd1900a818e65018d44af9102fe201de69b6b83f94ab236
  SHA512: fcb077761d86dfb16d210abf49d1238c85e8f57921b4b6b0a8e30e7158982df6b1cdf44cbc380e41ba81e818d902f6134f73b8d213360d3be736a4691c006048
- Filesize: 943KB
  MD5: dc591558361bbe17a1f5ebea5132bb55
  SHA1: e455875f8f369cea2a770332984299d0073a3ff8
  SHA256: 20329295f5a0f1658b8c2463413f5d79409e75f531c084647ee45482bf84434c
  SHA512: ffc7cc00e42d40075b0b1ef0351f32a9287b492eab6e564a501941591813c5b1415d28a2f44c6a67db80dac0cdc36a428d82579879b5dc2e3bb8916723c126d1
- Filesize: 620KB
  MD5: 2f7bdad1ed9bf41208a48fd273f66d09
  SHA1: 5ca5360ead70e42b759e74a0a7c0211c411a8cd8
  SHA256: 76c0a3b75581a3b9027ac69a22cb5ba92b2bfeb438e7e6125a12768d5e45516f
  SHA512: 2ef57f80b2737e9c41eeab32b2c9332ac98934eb97db0e251879866518015e18e3fffe29de221dc828b9f2bad81e65ab66e08dfd0df811b17a6db05d59f48700
- Filesize: 447KB
  MD5: 1399b1ad0ca3f68f0c7bf39b609bd3de
  SHA1: edb5f9c52a50d61a8a1338fc2cd2fa72b7cf3dbb
  SHA256: 1a89cc0cc6de021b3fd252a7a2792c24db0de949c9247a2c4f395d7def8da87d
  SHA512: 174f475ae6ef328abfd7c1c47b14df878500c50a838166c7b20762932394a8fc4065ee804f981de1c491cb7feea8e3f0afe6a33952520ba55ad7431fa9c0489b
- Filesize: 20KB
  MD5: cb76478c6049184f18748ebb2bdf8b15
  SHA1: 87eaf264125e65b838f9d89bcbb41c4347b6a662
  SHA256: f95bca318584c23923d4bc108ddda47f168c7ae14350f91ef78adc3504f2bc49
  SHA512: e11f82e1f91ab05dd8b5046880c3b66dcd29be394266a36940eedaef101d89414cb8f439334c7734d6976afc1c1fcd791a46d510ee6fdcfeaa7c58442a28e5ed
- Filesize: 16KB
  MD5: 52bf8a0f28af09852f822443890215c7
  SHA1: 1028af3def5eeb298528d61a66aee74a59aa5dd8
  SHA256: a71ab0d210d3108f4f51e412b8f5f4c655f6607d06afdb27bbbe9f0802e93b37
  SHA512: 150e39a79eb44c7300a71deb04b1164c1043f78381ffa434eb277935ff9e5ef2af04315697780be14b2de63d22219638e67fdcd3d94963587c9322a220b62b2d
- Filesize: 720KB
  MD5: 91808666f92519c5c4c0dd70e561465e
  SHA1: 33f968725ae529802297d65a1ac2d5f08a5d2d25
  SHA256: 5867cf6c06f5286b72d313655e4f14eda636d03e088952824c9923f35d6acb3d
  SHA512: a1d2f033c02d02fdd44c109eac0c3679218fcaa71e4cf9423985fdfe2f4bacb186cb370c1426dd86a85a7ad65523a9d3a4a189c9a292208b381c96ff0f0b60da
- Filesize: 347KB
  MD5: f56302173126fd8fe0df981843ba44ae
  SHA1: 04bb6bbe39405ccec537ddfb12503565a314d200
  SHA256: da28069c6fd07d9faf761ed39ae36efa54d2cd3233490bfc2861dffd4fd261b5
  SHA512: 50a8e309519c43bbc4c2dcd4624e268f54461c4e52168451dfbd2465cf42c51a0977c666eaad2f3d01d916492e6d8269b5c545f587566839a3f92ba226b7c918
- Filesize: 645KB
  MD5: ec0c752963f690462b3a76feb4100523
  SHA1: 53dc8321bc884291ec48cb19c2f02a7b4b34ad1b
  SHA256: 85745f0199894ec8707f203e455d588ec3b9639e60dc739da59ecd3846311c00
  SHA512: 7b6c457fed7137eb9971175ba6c8df4c6733fbe48696ff3ca945adab9f2e47f6ce44545947ad4b69114a1714524f6e3efd1af1d4689edcb1be0f101885acb7f9
- Filesize: 521KB
  MD5: 8f929986fa067ce3d92bef8ea308cb87
  SHA1: 5b7161b1c4d897f5e30faa10a1a487a858a1dc1b
  SHA256: 50245280f666aa16366f33db23fad8ebe718069dc144048985ac2add52ecc491
  SHA512: f8d9ef20ed1f4809ee74999d469c72177693cb2c5107a04a3acde54c82f52325e5b0af0d2af68a8fab2a31cd63a34781038c0d61049fc016f8c7a73dcb45008d
- Filesize: 769KB
  MD5: 5f3a53fe91a2bec5857d4f3d55da9e53
  SHA1: b4612e1a977d052c426694173cced380f8b7f7f7
  SHA256: 5ff86b8bc6a73146e9761b648ec7537be4c56a292f4624377edcaff54fc72ae1
  SHA512: 0091890397708a2c7f3ed5fd7b248f17ffd33a76e87cfe88aa40ddfe9c8bc6f310459e0b0d8ebee3c513a55c05c74bab2c90ab9430141bfc39731d577aaf623d
- Filesize: 670KB
  MD5: 9d878f27f7245ebe3c763cb85567e4b3
  SHA1: dd40438086a805dedb8cd5bfd355e8360feb0d1c
  SHA256: 2e166612ac5a61dc523c5989820861a59d864ea3bf300fc92153380804076395
  SHA512: aabb8dc53d9cd271da2b3d5d7e92e2cfecfa074af2a65777d142311b65c3cb7bc094480c62ea2e2abfd1621cbc86757500ae8cfaf746f26365fc9dacbc4b637f
- Filesize: 15KB
  MD5: 59d66e800e01341c62f81f98bdf88c20
  SHA1: 96ddff686631487a06060ae154bdc28c17c68423
  SHA256: 6ee56152a61ba8c96308274a254b1296341404d725cf20affa00ab91fe1d410e
  SHA512: a3564fec068e44a910729c3cc670e956bf7a5923638f8cc385eed32867485d96f80e5b91b0bf423ab20af03761fd354a1a097b31a971a1f70715f3c410333f49
- Filesize: 16KB
  MD5: 49849bb4297cd852d245628de030b42f
  SHA1: 1095e9580f19f0eaf5092cc7fd40c35e7075830c
  SHA256: 5417a4f3cb83047016038914b276791c4f737275fef4e338e6a276d7e6742deb
  SHA512: 97cccba092fb7e5327b6b5895a63e3d03143dc38fdf7fff57b820106085301d52b0512fc2dc5912044b8f6869b67025ebaca495c097c16a0c52b081f07fd7913
- Filesize: 1.3MB
  MD5: f2fb70e6c7ca9e5450f30134d9e88de4
  SHA1: c796fe790b880f7ae8312a92e0f9b2ceb489c68c
  SHA256: 85fc9b303632ddd48d6e87e687a1203f7b47b611823db35d0a7f78c79e31ae93
  SHA512: 9705c77651feac42add13973ba0732a1f6a8b87cf49b3aef99c3f057b81b2753fc277727cf403b1c76cdbd4de4e9bbc0c35d998b9158159eeb1e7f11c6cb6c53
- Filesize: 1B
  MD5: d1457b72c3fb323a2671125aef3eab5d
  SHA1: 5bab61eb53176449e25c2c82f172b82cb13ffb9d
  SHA256: 8a8de823d5ed3e12746a62ef169bcf372be0ca44f0a1236abc35df05d96928e1
  SHA512: ca63c07ad35d8c9fb0c92d6146759b122d4ec5d3f67ebe2f30ddb69f9e6c9fd3bf31a5e408b08f1d4d9cd68120cced9e57f010bef3cde97653fed5470da7d1a0
- Filesize: 2KB
  MD5: 82c2078fe3d9b06430395326c7e19a84
  SHA1: de97f795117406b1d17113ca78dcf989bbda346e
  SHA256: 30821d5bb5a4d8ebcb977669dcf2501374a1acbd3099974f75875c844a0f6def
  SHA512: 6a03f26aa6e41d96c9e2380bbef1bc260e284db8f42a8e96108fbeef352acb5d549e3e930d0b1253f3a24eaab814e094ce1b6f6ff5d5f04d6c300c31b576f5bc
- Filesize: 1KB
  MD5: 4afc69f137739b3db799a587422f8bba
  SHA1: cc986ade566256b1d03693b757c9aab8c14cf9d0
  SHA256: 48ea10f57100556f0cea25bc16cbc5ec21b37875ea67533b3d74228cdf99ac65
  SHA512: 09e10e1317f8b527686ed775fb9b1de6cf5df81a99b636c468d4c40cc612711d1120c610b529a97081925fb0cda389d6e8d7e1b533e659da8423229dd11aa8d4
- Filesize: 2KB
  MD5: b295ca76ffd44e7555a22f204a6a2724
  SHA1: d2c64a5b4c6946d7f7a27564aaabaee3605300c7
  SHA256: 3c6d38123337e045f3e2b496a8bfcfd3729015c818134cbb2c9ce9260043e5a5
  SHA512: 6138315ff4d1fb69722b460b4020bd9fe215123e25812ee4959e5b5269ac7333ff4086ed53e07f9112d4db89a9d26a3f40d3771aa19539f1607c59476c674871
- Filesize: 1KB
  MD5: 2eb7af8b789c2e1a7a5e60c9869f1e61
  SHA1: fb9c5819ad8ed1bcb73ce6c2496ce96ded2d4a8d
  SHA256: 17d85ddb5a9e596ad0c04e6473a137c5fbadab39ab98b1bc17ad9de8de146ff0
  SHA512: 4f63f4bf9fb34a52f72cc882fff078d75a577db3ffe55395ada76ec915b6bd5cf2f0f7c7f8df486822ba3af2d713a46b6fba24a54def129f1a79cf0a09bd8cd5