cryptolocker | eaff50eecfd88126ee71a6988703f95f2a5721148bee36405013d1b39129666c

Resubmissions

03-08-2024 10:44

240803-mssksswamd 10

03-08-2024 10:41

240803-mq39hswakb 4

Analysis

max time kernel
1050s
max time network
1050s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03-08-2024 10:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

pcwallpaper1.png
Size

2.8MB
MD5

f0dfc4234473c72624c5ebb54c85e3bd
SHA1

16faaf731199084de4b6e7738a945de12ba18ef0
SHA256

eaff50eecfd88126ee71a6988703f95f2a5721148bee36405013d1b39129666c
SHA512

a9504be3c43009a4296578cb5fa791868d89a02d497f73605f0abeeade81935e273eb36f6d8ea869c762082ac09233edcebabfaffd881f3c9f765edca033ec9c
SSDEEP

49152:UIJsjnko2yOsRhsRUn72VPsomkOMlFlgyh/UenXT9daWyLb3WTW3UUJDA3xK:Uosj3jhsGn7wsxkOMTlggznjty2qhJUs

Score

10^/10

cryptolocker troldesh wannacry defense_evasion discovery execution impact persistence ransomware spyware stealer trojan worm

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\!Please Read Me!.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions! �

Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Signatures

CryptoLocker
Ransomware family with multiple variants.
ransomware cryptolocker
Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
ransomware trojan troldesh
Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Drops startup file 2 IoCs

Processes:

WannaCry.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDBC2D.tmp	WannaCry.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDBC34.tmp	WannaCry.exe

Executes dropped EXE 8 IoCs

Processes:

FreeRAM XP Pro.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe{34184A33-0407-212E-3320-09040709E2C2}.exe{34184A33-0407-212E-3320-09040709E2C2}.exe

pid	process
1540	FreeRAM XP Pro.exe
6192	!WannaDecryptor!.exe
5000	!WannaDecryptor!.exe
6012	!WannaDecryptor!.exe
5956	!WannaDecryptor!.exe
6800	!WannaDecryptor!.exe
5576	{34184A33-0407-212E-3320-09040709E2C2}.exe
5308	{34184A33-0407-212E-3320-09040709E2C2}.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

FreeRAM XP Pro.exeWannaCry.exe{34184A33-0407-212E-3320-09040709E2C2}.exeNoMoreRansom.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FreeRAM XP = "\"C:\\Program Files (x86)\\YourWare Solutions\\FreeRAM XP Pro\\FreeRAM XP Pro.exe\" -win"	FreeRAM XP Pro.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\Downloads\\WannaCry.exe\" /r"	WannaCry.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CryptoLocker = "C:\\Users\\Admin\\AppData\\Roaming\\{34184A33-0407-212E-3320-09040709E2C2}.exe"	{34184A33-0407-212E-3320-09040709E2C2}.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""	NoMoreRansom.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 21 IoCs

Web Service

T1102

Processes:

flow	ioc
1592	raw.githubusercontent.com
607	raw.githubusercontent.com
653	raw.githubusercontent.com
706	camo.githubusercontent.com
707	camo.githubusercontent.com
1353	raw.githubusercontent.com
1490	raw.githubusercontent.com
1602	raw.githubusercontent.com
605	raw.githubusercontent.com
624	raw.githubusercontent.com
629	raw.githubusercontent.com
641	raw.githubusercontent.com
654	raw.githubusercontent.com
1491	raw.githubusercontent.com
606	raw.githubusercontent.com
627	raw.githubusercontent.com
628	raw.githubusercontent.com
261	raw.githubusercontent.com
604	raw.githubusercontent.com
630	raw.githubusercontent.com
1702	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

!WannaDecryptor!.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp"	!WannaDecryptor!.exe

Drops file in Program Files directory 2 IoCs

Processes:

Install FreeRAM XP Pro 1.52.exe

description	ioc	process
File created	C:\Program Files (x86)\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe	Install FreeRAM XP Pro 1.52.exe
File opened for modification	C:\Program Files (x86)\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe	Install FreeRAM XP Pro 1.52.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 31 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Install FreeRAM XP Pro 1.52.exeWannaCry.exe!WannaDecryptor!.exe{34184A33-0407-212E-3320-09040709E2C2}.exetaskkill.exe!WannaDecryptor!.exe{34184A33-0407-212E-3320-09040709E2C2}.exe!WannaDecryptor!.execmd.exeCryptoLocker.exeWMIC.exeCryptoLocker.exeNoMoreRansom.exeNoMoreRansom.exeNoMoreRansom.execscript.exetaskkill.exe!WannaDecryptor!.exe!WannaDecryptor!.exeNoMoreRansom.execmd.exetaskkill.exeWannaCry.execmd.exeNoMoreRansom.exeFreeRAM XP Pro.exetaskkill.exeNoMoreRansom.exeNoMoreRansom.exeNoMoreRansom.exeWannaCry.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install FreeRAM XP Pro 1.52.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{34184A33-0407-212E-3320-09040709E2C2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{34184A33-0407-212E-3320-09040709E2C2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CryptoLocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CryptoLocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NoMoreRansom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NoMoreRansom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NoMoreRansom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NoMoreRansom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NoMoreRansom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FreeRAM XP Pro.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NoMoreRansom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NoMoreRansom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NoMoreRansom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Kills process with taskkill 4 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

6068 taskkill.exe
6244 taskkill.exe
5944 taskkill.exe
5992 taskkill.exe
Modifies data under HKEY_USERS 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry msedge.exe

pid	process
6068	taskkill.exe
6244	taskkill.exe
5944	taskkill.exe
5992	taskkill.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe

Modifies registry class 3 IoCs

Processes:

msedge.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2170637797-568393320-3232933035-1000\{3A3E8A64-7424-4A63-8170-8D8C63E5EFED}	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2170637797-568393320-3232933035-1000\{8A4EC1FD-6500-4F0E-B58C-6D55942258D6}	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

1064 NOTEPAD.EXE

pid	process
1064	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

NoMoreRansom.exeNoMoreRansom.exeNoMoreRansom.exeNoMoreRansom.exeNoMoreRansom.exeNoMoreRansom.exeNoMoreRansom.exeNoMoreRansom.exe

pid	process
5192	NoMoreRansom.exe
5192	NoMoreRansom.exe
5192	NoMoreRansom.exe
5192	NoMoreRansom.exe
5460	NoMoreRansom.exe
5460	NoMoreRansom.exe
5460	NoMoreRansom.exe
5460	NoMoreRansom.exe
5988	NoMoreRansom.exe
5988	NoMoreRansom.exe
5988	NoMoreRansom.exe
5988	NoMoreRansom.exe
6824	NoMoreRansom.exe
6824	NoMoreRansom.exe
6824	NoMoreRansom.exe
6824	NoMoreRansom.exe
3816	NoMoreRansom.exe
3816	NoMoreRansom.exe
3816	NoMoreRansom.exe
3816	NoMoreRansom.exe
6992	NoMoreRansom.exe
6992	NoMoreRansom.exe
6992	NoMoreRansom.exe
6992	NoMoreRansom.exe
7036	NoMoreRansom.exe
7036	NoMoreRansom.exe
7036	NoMoreRansom.exe
7036	NoMoreRansom.exe
7128	NoMoreRansom.exe
7128	NoMoreRansom.exe
7128	NoMoreRansom.exe
7128	NoMoreRansom.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

Install FreeRAM XP Pro 1.52.exe!WannaDecryptor!.exe

pid process

3204 Install FreeRAM XP Pro 1.52.exe
5956 !WannaDecryptor!.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

WannaCry.exe

pid process

6884 WannaCry.exe

pid	process
3204	Install FreeRAM XP Pro 1.52.exe
5956	!WannaDecryptor!.exe

pid	process
6884	WannaCry.exe

Suspicious use of AdjustPrivilegeToken 51 IoCs

Processes:

AUDIODG.EXEtaskkill.exetaskkill.exetaskkill.exetaskkill.exeWMIC.exevssvc.exe

description	pid	process
Token: 33	3480	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3480	AUDIODG.EXE
Token: SeDebugPrivilege	6244	taskkill.exe
Token: SeDebugPrivilege	6068	taskkill.exe
Token: SeDebugPrivilege	5944	taskkill.exe
Token: SeDebugPrivilege	5992	taskkill.exe
Token: SeIncreaseQuotaPrivilege	5380	WMIC.exe
Token: SeSecurityPrivilege	5380	WMIC.exe
Token: SeTakeOwnershipPrivilege	5380	WMIC.exe
Token: SeLoadDriverPrivilege	5380	WMIC.exe
Token: SeSystemProfilePrivilege	5380	WMIC.exe
Token: SeSystemtimePrivilege	5380	WMIC.exe
Token: SeProfSingleProcessPrivilege	5380	WMIC.exe
Token: SeIncBasePriorityPrivilege	5380	WMIC.exe
Token: SeCreatePagefilePrivilege	5380	WMIC.exe
Token: SeBackupPrivilege	5380	WMIC.exe
Token: SeRestorePrivilege	5380	WMIC.exe
Token: SeShutdownPrivilege	5380	WMIC.exe
Token: SeDebugPrivilege	5380	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5380	WMIC.exe
Token: SeRemoteShutdownPrivilege	5380	WMIC.exe
Token: SeUndockPrivilege	5380	WMIC.exe
Token: SeManageVolumePrivilege	5380	WMIC.exe
Token: 33	5380	WMIC.exe
Token: 34	5380	WMIC.exe
Token: 35	5380	WMIC.exe
Token: 36	5380	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5380	WMIC.exe
Token: SeSecurityPrivilege	5380	WMIC.exe
Token: SeTakeOwnershipPrivilege	5380	WMIC.exe
Token: SeLoadDriverPrivilege	5380	WMIC.exe
Token: SeSystemProfilePrivilege	5380	WMIC.exe
Token: SeSystemtimePrivilege	5380	WMIC.exe
Token: SeProfSingleProcessPrivilege	5380	WMIC.exe
Token: SeIncBasePriorityPrivilege	5380	WMIC.exe
Token: SeCreatePagefilePrivilege	5380	WMIC.exe
Token: SeBackupPrivilege	5380	WMIC.exe
Token: SeRestorePrivilege	5380	WMIC.exe
Token: SeShutdownPrivilege	5380	WMIC.exe
Token: SeDebugPrivilege	5380	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5380	WMIC.exe
Token: SeRemoteShutdownPrivilege	5380	WMIC.exe
Token: SeUndockPrivilege	5380	WMIC.exe
Token: SeManageVolumePrivilege	5380	WMIC.exe
Token: 33	5380	WMIC.exe
Token: 34	5380	WMIC.exe
Token: 35	5380	WMIC.exe
Token: 36	5380	WMIC.exe
Token: SeBackupPrivilege	3860	vssvc.exe
Token: SeRestorePrivilege	3860	vssvc.exe
Token: SeAuditPrivilege	3860	vssvc.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

FreeRAM XP Pro.exe

pid	process
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

FreeRAM XP Pro.exe

pid	process
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe
1540	FreeRAM XP Pro.exe

Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe

pid	process
6192	!WannaDecryptor!.exe
6192	!WannaDecryptor!.exe
5000	!WannaDecryptor!.exe
5000	!WannaDecryptor!.exe
6012	!WannaDecryptor!.exe
6012	!WannaDecryptor!.exe
5956	!WannaDecryptor!.exe
5956	!WannaDecryptor!.exe
6800	!WannaDecryptor!.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Install FreeRAM XP Pro 1.52.exeWannaCry.execmd.execmd.exe!WannaDecryptor!.execmd.exeCryptoLocker.exe{34184A33-0407-212E-3320-09040709E2C2}.exemsedge.exe

description	pid	process	target process
PID 3204 wrote to memory of 1540	3204	Install FreeRAM XP Pro 1.52.exe	FreeRAM XP Pro.exe
PID 3204 wrote to memory of 1540	3204	Install FreeRAM XP Pro 1.52.exe	FreeRAM XP Pro.exe
PID 3204 wrote to memory of 1540	3204	Install FreeRAM XP Pro 1.52.exe	FreeRAM XP Pro.exe
PID 6884 wrote to memory of 6968	6884	WannaCry.exe	cmd.exe
PID 6884 wrote to memory of 6968	6884	WannaCry.exe	cmd.exe
PID 6884 wrote to memory of 6968	6884	WannaCry.exe	cmd.exe
PID 6968 wrote to memory of 7036	6968	cmd.exe	cscript.exe
PID 6968 wrote to memory of 7036	6968	cmd.exe	cscript.exe
PID 6968 wrote to memory of 7036	6968	cmd.exe	cscript.exe
PID 6884 wrote to memory of 6192	6884	WannaCry.exe	!WannaDecryptor!.exe
PID 6884 wrote to memory of 6192	6884	WannaCry.exe	!WannaDecryptor!.exe
PID 6884 wrote to memory of 6192	6884	WannaCry.exe	!WannaDecryptor!.exe
PID 6884 wrote to memory of 6068	6884	WannaCry.exe	taskkill.exe
PID 6884 wrote to memory of 6068	6884	WannaCry.exe	taskkill.exe
PID 6884 wrote to memory of 6068	6884	WannaCry.exe	taskkill.exe
PID 6884 wrote to memory of 6244	6884	WannaCry.exe	taskkill.exe
PID 6884 wrote to memory of 6244	6884	WannaCry.exe	taskkill.exe
PID 6884 wrote to memory of 6244	6884	WannaCry.exe	taskkill.exe
PID 6884 wrote to memory of 5992	6884	WannaCry.exe	taskkill.exe
PID 6884 wrote to memory of 5992	6884	WannaCry.exe	taskkill.exe
PID 6884 wrote to memory of 5992	6884	WannaCry.exe	taskkill.exe
PID 6884 wrote to memory of 5944	6884	WannaCry.exe	taskkill.exe
PID 6884 wrote to memory of 5944	6884	WannaCry.exe	taskkill.exe
PID 6884 wrote to memory of 5944	6884	WannaCry.exe	taskkill.exe
PID 6884 wrote to memory of 5000	6884	WannaCry.exe	!WannaDecryptor!.exe
PID 6884 wrote to memory of 5000	6884	WannaCry.exe	!WannaDecryptor!.exe
PID 6884 wrote to memory of 5000	6884	WannaCry.exe	!WannaDecryptor!.exe
PID 6884 wrote to memory of 6092	6884	WannaCry.exe	cmd.exe
PID 6884 wrote to memory of 6092	6884	WannaCry.exe	cmd.exe
PID 6884 wrote to memory of 6092	6884	WannaCry.exe	cmd.exe
PID 6092 wrote to memory of 6012	6092	cmd.exe	!WannaDecryptor!.exe
PID 6092 wrote to memory of 6012	6092	cmd.exe	!WannaDecryptor!.exe
PID 6092 wrote to memory of 6012	6092	cmd.exe	!WannaDecryptor!.exe
PID 6884 wrote to memory of 5956	6884	WannaCry.exe	!WannaDecryptor!.exe
PID 6884 wrote to memory of 5956	6884	WannaCry.exe	!WannaDecryptor!.exe
PID 6884 wrote to memory of 5956	6884	WannaCry.exe	!WannaDecryptor!.exe
PID 6012 wrote to memory of 6120	6012	!WannaDecryptor!.exe	cmd.exe
PID 6012 wrote to memory of 6120	6012	!WannaDecryptor!.exe	cmd.exe
PID 6012 wrote to memory of 6120	6012	!WannaDecryptor!.exe	cmd.exe
PID 6120 wrote to memory of 5380	6120	cmd.exe	WMIC.exe
PID 6120 wrote to memory of 5380	6120	cmd.exe	WMIC.exe
PID 6120 wrote to memory of 5380	6120	cmd.exe	WMIC.exe
PID 5580 wrote to memory of 5576	5580	CryptoLocker.exe	{34184A33-0407-212E-3320-09040709E2C2}.exe
PID 5580 wrote to memory of 5576	5580	CryptoLocker.exe	{34184A33-0407-212E-3320-09040709E2C2}.exe
PID 5580 wrote to memory of 5576	5580	CryptoLocker.exe	{34184A33-0407-212E-3320-09040709E2C2}.exe
PID 5576 wrote to memory of 5308	5576	{34184A33-0407-212E-3320-09040709E2C2}.exe	{34184A33-0407-212E-3320-09040709E2C2}.exe
PID 5576 wrote to memory of 5308	5576	{34184A33-0407-212E-3320-09040709E2C2}.exe	{34184A33-0407-212E-3320-09040709E2C2}.exe
PID 5576 wrote to memory of 5308	5576	{34184A33-0407-212E-3320-09040709E2C2}.exe	{34184A33-0407-212E-3320-09040709E2C2}.exe
PID 2924 wrote to memory of 1636	2924	msedge.exe	msedge.exe
PID 2924 wrote to memory of 1636	2924	msedge.exe	msedge.exe
PID 2924 wrote to memory of 4804	2924	msedge.exe	msedge.exe
PID 2924 wrote to memory of 4804	2924	msedge.exe	msedge.exe
PID 2924 wrote to memory of 4804	2924	msedge.exe	msedge.exe
PID 2924 wrote to memory of 4804	2924	msedge.exe	msedge.exe
PID 2924 wrote to memory of 4804	2924	msedge.exe	msedge.exe
PID 2924 wrote to memory of 4804	2924	msedge.exe	msedge.exe
PID 2924 wrote to memory of 4804	2924	msedge.exe	msedge.exe
PID 2924 wrote to memory of 4804	2924	msedge.exe	msedge.exe
PID 2924 wrote to memory of 4804	2924	msedge.exe	msedge.exe
PID 2924 wrote to memory of 4804	2924	msedge.exe	msedge.exe
PID 2924 wrote to memory of 4804	2924	msedge.exe	msedge.exe
PID 2924 wrote to memory of 4804	2924	msedge.exe	msedge.exe
PID 2924 wrote to memory of 4804	2924	msedge.exe	msedge.exe
PID 2924 wrote to memory of 4804	2924	msedge.exe	msedge.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\pcwallpaper1.png
1⤵
PID:400

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4360,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=1296 /prefetch:8
1⤵
PID:396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
1⤵
PID:2916

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --field-trial-handle=4136,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=5100 /prefetch:1
1⤵
PID:3776

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=5104,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=5128 /prefetch:1
1⤵
PID:3092

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --field-trial-handle=5688,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=5696 /prefetch:8
1⤵
PID:720

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --field-trial-handle=5708,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=6004 /prefetch:1
1⤵
PID:4416

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --field-trial-handle=5996,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=6036 /prefetch:1
1⤵
PID:1512

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=5100,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=5084 /prefetch:8
1⤵
PID:1448

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --field-trial-handle=5720,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=5088 /prefetch:1
1⤵
PID:2556

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=6468,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=6024 /prefetch:8
1⤵
PID:3560

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --field-trial-handle=3800,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=6464 /prefetch:1
1⤵
PID:3768

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --field-trial-handle=6552,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=6620 /prefetch:8
1⤵
PID:4484

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --field-trial-handle=6576,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=6752 /prefetch:8
1⤵
- Modifies registry class
PID:2928

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --field-trial-handle=6568,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=6780 /prefetch:1
1⤵
PID:4888

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --field-trial-handle=6312,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=6392 /prefetch:1
1⤵
PID:1388

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --field-trial-handle=6812,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=6188 /prefetch:1
1⤵
PID:4336

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --field-trial-handle=7008,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=7080 /prefetch:1
1⤵
PID:2252

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --field-trial-handle=6280,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=6448 /prefetch:1
1⤵
PID:2152

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --field-trial-handle=6896,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=6888 /prefetch:1
1⤵
PID:3912

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --field-trial-handle=6912,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=6924 /prefetch:8
1⤵
PID:4112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --field-trial-handle=6948,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=7340 /prefetch:1
1⤵
PID:220

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --field-trial-handle=5552,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=7584 /prefetch:1
1⤵
PID:4788

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --field-trial-handle=7324,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=7440 /prefetch:8
1⤵
PID:3620

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --field-trial-handle=7468,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=7700 /prefetch:1
1⤵
PID:2628

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --lang=en-US --service-sandbox-type=service --field-trial-handle=5740,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=5728 /prefetch:8
1⤵
PID:4696

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --field-trial-handle=5816,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=5780 /prefetch:8
1⤵
PID:2560

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1520

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --field-trial-handle=5848,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=7520 /prefetch:1
1⤵
PID:1968

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --field-trial-handle=6472,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=7548 /prefetch:1
1⤵
PID:1384

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=42 --field-trial-handle=5756,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=5836 /prefetch:1
1⤵
PID:2260

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=43 --field-trial-handle=5736,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=6868 /prefetch:1
1⤵
PID:4324

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --lang=en-US --service-sandbox-type=service --field-trial-handle=7604,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=7364 /prefetch:8
1⤵
PID:4332

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --field-trial-handle=4728,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=7544 /prefetch:8
1⤵
PID:3324

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=46 --field-trial-handle=6484,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=7296 /prefetch:1
1⤵
PID:2120

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4a4 0x300
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3480

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=47 --field-trial-handle=7716,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=6244 /prefetch:1
1⤵
PID:2016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=48 --field-trial-handle=6496,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=5784 /prefetch:1
1⤵
PID:852

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=49 --field-trial-handle=1404,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=4764 /prefetch:1
1⤵
PID:1516

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=50 --field-trial-handle=8152,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=8128 /prefetch:1
1⤵
PID:948

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=51 --field-trial-handle=8004,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=8220 /prefetch:1
1⤵
PID:3216

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=52 --field-trial-handle=8244,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=8364 /prefetch:1
1⤵
PID:3360

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=53 --field-trial-handle=8104,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=8040 /prefetch:1
1⤵
PID:2820

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=54 --field-trial-handle=8036,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=8376 /prefetch:1
1⤵
PID:2180

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=55 --field-trial-handle=5744,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=8596 /prefetch:1
1⤵
PID:4472

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --lang=en-US --service-sandbox-type=service --field-trial-handle=7560,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=5804 /prefetch:8
1⤵
PID:2384

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --field-trial-handle=8284,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=8268 /prefetch:8
1⤵
PID:4716

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Temp1_framxpro.zip\Readme and Notes.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:1064

C:\Users\Admin\Downloads\framxpro\Install FreeRAM XP Pro 1.52.exe
"C:\Users\Admin\Downloads\framxpro\Install FreeRAM XP Pro 1.52.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3204

C:\Program Files (x86)\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
"C:\Program Files (x86)\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=8464,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=8444 /prefetch:8
1⤵
PID:2736

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=59 --field-trial-handle=8420,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=7400 /prefetch:1
1⤵
PID:2836

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=60 --field-trial-handle=8180,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=7520 /prefetch:1
1⤵
PID:3572

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=61 --field-trial-handle=7964,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=6244 /prefetch:1
1⤵
PID:4192

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --field-trial-handle=2484,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=8720 /prefetch:8
1⤵
PID:1592

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=63 --field-trial-handle=8832,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=8824 /prefetch:1
1⤵
PID:4660

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=64 --field-trial-handle=3888,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=8200 /prefetch:1
1⤵
PID:2756

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --lang=en-US --service-sandbox-type=service --field-trial-handle=8128,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=8848 /prefetch:8
1⤵
PID:4016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --field-trial-handle=9016,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=9024 /prefetch:8
1⤵
PID:2240

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=67 --field-trial-handle=8372,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=8756 /prefetch:1
1⤵
PID:1964

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --lang=en-US --service-sandbox-type=service --field-trial-handle=8868,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=8072 /prefetch:8
1⤵
PID:320

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --field-trial-handle=8720,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=9148 /prefetch:8
1⤵
PID:1384

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=70 --field-trial-handle=8924,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=8088 /prefetch:1
1⤵
PID:740

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --lang=en-US --service-sandbox-type=service --field-trial-handle=8676,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=6964 /prefetch:8
1⤵
PID:232

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --field-trial-handle=8068,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=8092 /prefetch:8
1⤵
PID:436

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=73 --field-trial-handle=8768,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=9144 /prefetch:1
1⤵
PID:1792

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=74 --field-trial-handle=8408,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=8852 /prefetch:1
1⤵
PID:2928

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=75 --field-trial-handle=8784,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=8640 /prefetch:1
1⤵
PID:3592

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=76 --field-trial-handle=8060,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=8424 /prefetch:1
1⤵
PID:4332

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=77 --field-trial-handle=8072,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=8944 /prefetch:1
1⤵
PID:3496

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=78 --field-trial-handle=8640,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=9048 /prefetch:1
1⤵
PID:800

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=79 --field-trial-handle=4588,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=9060 /prefetch:1
1⤵
PID:4920

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=80 --field-trial-handle=8960,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=8920 /prefetch:1
1⤵
PID:2976

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=81 --field-trial-handle=9308,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=9292 /prefetch:1
1⤵
PID:2032

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=82 --field-trial-handle=8348,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=9636 /prefetch:1
1⤵
PID:4492

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=83 --field-trial-handle=9160,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=9180 /prefetch:1
1⤵
PID:4244

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=84 --field-trial-handle=8656,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=9528 /prefetch:1
1⤵
PID:4028

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=85 --field-trial-handle=9752,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=9736 /prefetch:1
1⤵
PID:4632

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=86 --field-trial-handle=9968,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=10048 /prefetch:1
1⤵
PID:2256

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=87 --field-trial-handle=10008,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=10172 /prefetch:1
1⤵
PID:4988

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=88 --field-trial-handle=10260,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=10280 /prefetch:1
1⤵
PID:2876

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=89 --field-trial-handle=10508,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=10472 /prefetch:1
1⤵
PID:5240

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=90 --field-trial-handle=10684,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=10696 /prefetch:1
1⤵
PID:5300

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=91 --field-trial-handle=10872,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=10772 /prefetch:1
1⤵
PID:5632

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=92 --field-trial-handle=11004,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=11036 /prefetch:1
1⤵
PID:5696

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=93 --field-trial-handle=11144,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=7928 /prefetch:1
1⤵
PID:5860

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=94 --field-trial-handle=8692,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=11444 /prefetch:1
1⤵
PID:5932

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=95 --field-trial-handle=11476,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=11504 /prefetch:1
1⤵
PID:5940

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=96 --field-trial-handle=11528,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=11300 /prefetch:1
1⤵
PID:5948

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=97 --field-trial-handle=11804,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=11784 /prefetch:1
1⤵
PID:5956

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=98 --field-trial-handle=11936,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=11960 /prefetch:1
1⤵
PID:5964

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=99 --field-trial-handle=12092,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=12108 /prefetch:1
1⤵
PID:5972

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=100 --field-trial-handle=12232,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=12248 /prefetch:1
1⤵
PID:5980

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=101 --field-trial-handle=12476,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=12504 /prefetch:1
1⤵
PID:5508

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=102 --field-trial-handle=12944,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=12948 /prefetch:1
1⤵
PID:6300

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=103 --field-trial-handle=12596,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=12912 /prefetch:1
1⤵
PID:6452

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=104 --field-trial-handle=8888,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=12604 /prefetch:1
1⤵
PID:6516

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=105 --field-trial-handle=9400,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=9624 /prefetch:1
1⤵
PID:6624

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --field-trial-handle=12920,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=6184 /prefetch:8
1⤵
PID:6780

C:\Users\Admin\Downloads\WannaCry.exe
"C:\Users\Admin\Downloads\WannaCry.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:6884

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 325781722682534.bat
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:6968

C:\Windows\SysWOW64\cscript.exe
cscript //nologo c.vbs
3⤵
- System Location Discovery: System Language Discovery
PID:7036

C:\Users\Admin\Downloads\!WannaDecryptor!.exe
!WannaDecryptor!.exe f
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:6192

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im MSExchange*
2⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:6068

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Microsoft.Exchange.*
2⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:6244

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im sqlserver.exe
2⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5992

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im sqlwriter.exe
2⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5944

C:\Users\Admin\Downloads\!WannaDecryptor!.exe
!WannaDecryptor!.exe c
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5000

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /b !WannaDecryptor!.exe v
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:6092

C:\Users\Admin\Downloads\!WannaDecryptor!.exe
!WannaDecryptor!.exe v
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:6012

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:6120

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5380

C:\Users\Admin\Downloads\!WannaDecryptor!.exe
!WannaDecryptor!.exe
2⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5956

C:\Users\Admin\Downloads\WannaCry.exe
"C:\Users\Admin\Downloads\WannaCry.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:4644

C:\Users\Admin\Downloads\WannaCry.exe
"C:\Users\Admin\Downloads\WannaCry.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:7044

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3860

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost
1⤵
PID:5508

C:\Users\Admin\Downloads\!WannaDecryptor!.exe
"C:\Users\Admin\Downloads\!WannaDecryptor!.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:6800

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --field-trial-handle=11400,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=4276 /prefetch:8
1⤵
PID:6296

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=108 --field-trial-handle=1652,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=9324 /prefetch:1
1⤵
PID:3004

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=109 --field-trial-handle=11428,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=4268 /prefetch:1
1⤵
PID:6960

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=110 --field-trial-handle=12144,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=8920 /prefetch:1
1⤵
PID:5736

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --field-trial-handle=10092,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=10056 /prefetch:8
1⤵
PID:5344

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --field-trial-handle=10236,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=10012 /prefetch:8
1⤵
PID:2968

C:\Users\Admin\Downloads\CryptoLocker.exe
"C:\Users\Admin\Downloads\CryptoLocker.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5580

C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
"C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" "/rC:\Users\Admin\Downloads\CryptoLocker.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5576

C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
"C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" /w0000021C
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5308

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=113 --field-trial-handle=12116,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=12160 /prefetch:1
1⤵
PID:6000

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --field-trial-handle=7912,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=6196 /prefetch:8
1⤵
PID:6108

C:\Users\Admin\Downloads\CryptoLocker.exe
"C:\Users\Admin\Downloads\CryptoLocker.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:5376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=115 --field-trial-handle=9412,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=9388 /prefetch:1
1⤵
PID:6020

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --field-trial-handle=9376,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=9312 /prefetch:8
1⤵
PID:5992

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --field-trial-handle=10084,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=10204 /prefetch:8
1⤵
PID:6284

C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --field-trial-handle=6804,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=9416 /prefetch:8
1⤵
PID:896

C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --field-trial-handle=6804,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=9416 /prefetch:8
1⤵
PID:6040

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=119 --field-trial-handle=8920,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=12188 /prefetch:1
1⤵
PID:4800

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=120 --field-trial-handle=9340,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=9396 /prefetch:1
1⤵
PID:5220

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --field-trial-handle=7960,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=11416 /prefetch:8
1⤵
PID:6844

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --field-trial-handle=10148,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=6528 /prefetch:8
1⤵
PID:60

C:\Users\Admin\Downloads\NoMoreRansom.exe
"C:\Users\Admin\Downloads\NoMoreRansom.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:5192

C:\Users\Admin\Downloads\NoMoreRansom.exe
"C:\Users\Admin\Downloads\NoMoreRansom.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:5460

C:\Users\Admin\Downloads\NoMoreRansom.exe
"C:\Users\Admin\Downloads\NoMoreRansom.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:5988

C:\Users\Admin\Downloads\NoMoreRansom.exe
"C:\Users\Admin\Downloads\NoMoreRansom.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:6824

C:\Users\Admin\Downloads\NoMoreRansom.exe
"C:\Users\Admin\Downloads\NoMoreRansom.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3816

C:\Users\Admin\Downloads\NoMoreRansom.exe
"C:\Users\Admin\Downloads\NoMoreRansom.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:6992

C:\Users\Admin\Downloads\NoMoreRansom.exe
"C:\Users\Admin\Downloads\NoMoreRansom.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:7036

C:\Users\Admin\Downloads\NoMoreRansom.exe
"C:\Users\Admin\Downloads\NoMoreRansom.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:7128

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2924

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=127.0.6533.89 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=127.0.2651.86 --initial-client-data=0x238,0x23c,0x240,0x234,0x260,0x7ffbb653d198,0x7ffbb653d1a4,0x7ffbb653d1b0
2⤵
PID:1636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2120,i,976192686250524624,13198853703450260185,262144 --variations-seed-version --mojo-platform-channel-handle=2116 /prefetch:2
2⤵
PID:4804

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --field-trial-handle=1932,i,976192686250524624,13198853703450260185,262144 --variations-seed-version --mojo-platform-channel-handle=2356 /prefetch:3
2⤵
PID:4496

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --field-trial-handle=2404,i,976192686250524624,13198853703450260185,262144 --variations-seed-version --mojo-platform-channel-handle=2556 /prefetch:8
2⤵
PID:3944

C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --field-trial-handle=4564,i,976192686250524624,13198853703450260185,262144 --variations-seed-version --mojo-platform-channel-handle=4584 /prefetch:8
2⤵
PID:6016

C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --field-trial-handle=4564,i,976192686250524624,13198853703450260185,262144 --variations-seed-version --mojo-platform-channel-handle=4584 /prefetch:8
2⤵
PID:6008

C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\elevation_service.exe"
1⤵
PID:4080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe

Filesize
1.5MB

MD5
667f078955a93fe382f74d5f109dfe31

SHA1
2ddc132677fd42947eed067b71bd45e8051c3dab

SHA256
49b816eb5385272cf443df61f42cac4381340d74a064b6d73aa944c5bab22424

SHA512
1972d08b71b15794699c6b67d85d14dbc5554559b1f5f793280fc88a92f0656a2e7f50ff22350048e08ded5c37b6e513e476e2479661feccc1e0f141b3e9b897

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\256.png.WCRY

Filesize
12KB

MD5
39216f268223c3056856bafc191a3a7a

SHA1
d247e15720610e1a9da509796e63acc185954a18

SHA256
a1c531f34b078b018e11f13df8063959aa476ca598a9c38b44ef7892df0705f6

SHA512
02a37026e035b8923a02ad3e820cefcd7527390e6d40d724e4f8eb8a585f5a99178ba6348b520fdd6ae26cc7c6c4437549f40412cea73f1fc665b988033abda4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
211B

MD5
b1d99716c83423e35a33a956f461c3a1

SHA1
dda1dd7a715a9f64a26f6840a117983fcbc5fd93

SHA256
1e7d67f803a692f4c1b294e25456079a1ce625154393226206985d820f22424c

SHA512
a800209c823db91a06935b7568f25af9db598a3f94be57d299c432b25b10cdd2e94dd03e44c791cfb142b1711934ba112f80e74c86b24aa092d03aa694298360

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
27KB

MD5
4b90f6081711e600e073a04996200f8a

SHA1
0a6c87b3043ed7927dc302dc53946acbbd48d373

SHA256
4cb73892353d5f0554136c508a746190f0d946ff29771a3911367e1d9e4b3f3a

SHA512
c120e87f56824b5099a6f01ac64c1810f60e0da440cbc7563de3cd3cc9811cf66db594f0e58cdce4cd92fc370047a7e94dc1c9d32c04ceda8db6c9f34095d1fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
137KB

MD5
1d70263e2e10535626731667a7dfebd2

SHA1
f0607814f042f412013a0b968acc6c0a02456bf4

SHA256
e95b211be778c1feeda0d955e98a07a63bb44e508e8a57d74ef44e7b5e000dfc

SHA512
9cb6a27f4e0c638227dfd82c5699a2b60537d7ac653e96e1605fb5f7428699a3a3e8cc2f2055449ddd3686a9a037c20cf2d6bb47003f5966f49847955daf919c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\images\acmDismissIcon.svg.WCRY

Filesize
2KB

MD5
194d60a142e447bd467f220320e29d1b

SHA1
5c17d6bcedbbcb92e9aef020c176e9a4d146c82b

SHA256
1448a1563b85d8f5c246e8ec6ad8f31b99d21baf37d4c69116f873793d9f0039

SHA512
181be3c107f5fb9950089307e887dae1d97cfb15b5bf79bcf3ef6fa3009c653a1f4fd18df667ee8099d13e30ee16a680436e2355ff697ff7b46c94109bc17796

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\images\chevron.svg.WCRY

Filesize
584B

MD5
b2c60a7555e9c52f9e6ab6c3f49a08ab

SHA1
35ca4b40bc6efbcb4d60f69bde48c6e8a0de0e34

SHA256
e65078f3236bc5cd3b65d752f7053356545c4fff7066790a479f93d7e609a8fe

SHA512
39f877e5f3a3f18fd47bbed1cc4e83b5424cfb44150bfd45e0ceda22f99d5e8a3121b8a4f679284fa287921e220121497b37ec3f3010d2771ae5e8fc1eb04cc6

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\AQRNK2VS\2\ClsFWl1pZV32d4Wn-WU-cLg_mT0.gz[1].js.WCRY

Filesize
285KB

MD5
3eb24e2760a26855b9a1d35b36831e1c

SHA1
ca9722988e04983e52f77b99af9f69916aceac29

SHA256
b072c8cb64fab464898983c23f2e80c5a3ae4e869fb54511bc3e5adb4f3beb5a

SHA512
4c17769f7390ac67c48bda7d54a9e5db5c00b08fa3d276ca472f9e6518dea76e5abcfae240258d8c41c2eab6506225c26fe5f2b6e490ae73c41a90439e4e7ffc

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\AQRNK2VS\2\KRGF6ZIGAEc_qQJgueszZZZOzNs.gz[1].js.WCRY

Filesize
44KB

MD5
33de1f0215b6a02d8c142e9d9258763a

SHA1
eb6f3abdc7f2712eff740748174e9c5a2e1a8f27

SHA256
167fa0d2fbf53a75b4e96548dfc26f2122bdee84ec18dcbcde3222a776164b47

SHA512
dfad2a0969df34f9946fa0243d2ddfff350bf03ad7b040710e5a2728d267497415d7f98854ee897ee18aa9094d75903fab6246c87fbf241357579337cfd7c64d

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log.txt.WCRY

Filesize
1KB

MD5
b388269c8db9af79b7c221a3ae75f5b1

SHA1
3fbe46cb161357fe2cc7165e9f36c4cddec5b66f

SHA256
06e7d6032ee8b78fb31cdab3f32a719d2d9492736086b34f336faa705ee9f4dc

SHA512
90afe06e89629b5a6584961ee34275081a5dd9fc9a8a11b0bfaa07a03ebbd912b84ebd279a1d49b75c711add267900d0973145af26db0448ca7cc46dba738cfb

Download Submit
C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe

Filesize
338KB

MD5
04fb36199787f2e3e2135611a38321eb

SHA1
65559245709fe98052eb284577f1fd61c01ad20d

SHA256
d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9

SHA512
533d6603f6e2a77bd1b2c6591a135c4717753d53317c1be06e43774e896d9543bcd0ea6904a0688aa84b2d8424641d68994b1e7dc4aa46d66c36feecb6145444

Download Submit
C:\Users\Admin\Downloads\!Please Read Me!.txt

Filesize
797B

MD5
afa18cf4aa2660392111763fb93a8c3d

SHA1
c219a3654a5f41ce535a09f2a188a464c3f5baf5

SHA256
227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0

SHA512
4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b

Download Submit
C:\Users\Admin\Downloads\!WannaDecryptor!.exe.lnk

Filesize
590B

MD5
a164f7bc6c5c7b6b3545cada0c6cbe7f

SHA1
315cf19f14a2664593e2af98b3c64e672985bd1d

SHA256
b13547d7530aca7a2a1b06727a7ceddc0eb1892f474086032173bbaaad457eb8

SHA512
9fad0d8fd98906894ab6e056ffdefa45fce8bdd4d740ce5f7f5fc0a35e88acd49d60439a0397ef158a91c67f48b679c8838940436df7520a667fe3d67e11c911

Download Submit
C:\Users\Admin\Downloads\00000000.eky

Filesize
1KB

MD5
ff11eebaccd69dd9e7ea6ceea677ff2f

SHA1
181ca070a8037a8cf1b735eb05a864a8a6b86aea

SHA256
4222249bf9025e5b64817acfacbb3ecbd126051ada42719c6d6f98a8f49d0c00

SHA512
e9cdbd53f1bef9242ed717237b310280cace00e48684cbbea40e5f1288adc03b547bb9f407671877b974fc6c81069caf98279e45beae683d9fd5cd4ea63eb466

Download Submit
C:\Users\Admin\Downloads\00000000.res

Filesize
136B

MD5
af0858291e614c59689221675c212b48

SHA1
2797b5557f279c67c93c2d65d25756bd82f8043a

SHA256
a399a2ea838b04344f8c154319ef34afef6ebf7564b7be2b4fc9c67327503756

SHA512
b12e4836704c2f14607d3cd6a7e7f805c51bf8780bf91a079977194ec1e1444cab1e4d1a4b31583cdbae2e627e96a2276c86c9890a916fb040d49e5852109f93

Download Submit
C:\Users\Admin\Downloads\00000000.res

Filesize
136B

MD5
0c6a4a0cb073273a9e3ab4255c52d9d1

SHA1
7c265585d5012cf80545db2d87d77df1cbb710e8

SHA256
028fb7507a5d04329567172fcd3f5e4bde670cadb7ec7ca05a02102406d05b32

SHA512
a55f936679d97bd09ec9988ec9a812dda8a3038f13c116b3f89b971d6fcde561b30c2e5791f5a7db968ccb70ed35238397fcac6468f4f0fca2117930d5dbf57d

Download Submit
C:\Users\Admin\Downloads\00000000.res

Filesize
136B

MD5
c27fdf55696c2d698fea51138b75dc62

SHA1
520149a246ec2cdeb8253dcbc1df37bed0beeda4

SHA256
79efd19cc8c55263b3d5f82e1397096d3b2c105a6aeec025cf0faafcf03230a6

SHA512
359be9410041867fff420cce3f297ffd494f49abc3aa9a20a34e2096b452ed3ea8aea64ededaeb8c33221fd4d2e783a4b433d942984e34b469c812fd3079daeb

Download Submit
C:\Users\Admin\Downloads\00000000.res

Filesize
136B

MD5
605328adbbb46d04aba52697c2d25073

SHA1
d9b7e34c6034d76fe6c8f5f4074d192132d196c5

SHA256
cb3978d7a2fd6cf41a6a3b2a9cca5ed929cd034456da241983cf9ad00a527c42

SHA512
488e54bb52ef4540f262ce6eb20753475bb7ec75a099ef4aad629d5c872310edc02db9e26bf85d613d4be9915e7f4c36ebafba1024c46b5ece589bf5ef450aa4

Download Submit
C:\Users\Admin\Downloads\325781722682534.bat

Filesize
318B

MD5
a261428b490a45438c0d55781a9c6e75

SHA1
e9eefce11cefcbb7e5168bfb8de8a3c3ac45c41e

SHA256
4288d655b7de7537d7ea13fdeb1ba19760bcaf04384cd68619d9e5edb5e31f44

SHA512
304887938520ffcc6966da83596ccc8688b7eace9572982c224f3fb9c59e6fb2dcaa021a19d2aae47346e954c0d0d8145c723b7143dece11ac7261dc41ba3d40

Download Submit
C:\Users\Admin\Downloads\c.vbs

Filesize
201B

MD5
02b937ceef5da308c5689fcdb3fb12e9

SHA1
fa5490ea513c1b0ee01038c18cb641a51f459507

SHA256
5d57b86aeb52be824875008a6444daf919717408ec45aff4640b5e64610666f1

SHA512
843eeae13ac5fdc216b14e40534543c283ecb2b6c31503aba2d25ddd215df19105892e43cf618848742de9c13687d21e8c834eff3f2b69a26df2509a6f992653

Download Submit
C:\Users\Admin\Downloads\c.wry

Filesize
628B

MD5
6374aa86162f9bb054a4efcd3c2bc91a

SHA1
e2b40341e824987f83f696c31a8b3ceeb69a0fa2

SHA256
33ce134ae7be0c3d897b2bdd83e13377dac7cdcae5d92f01ea616962163f9e05

SHA512
68baffbb6b5b69489753852f139e4de071db18adbc6606098b457e6c477fa5c237e69d1365e9e2c05c2860aec5c0b88d64f5cd9977b1428ad880470bc30e79dc

Download Submit
C:\Users\Admin\Downloads\f.wry

Filesize
766B

MD5
c57db86686db87a12a859fd466a70fba

SHA1
ff4bc0de138ea9312c39eec286edef2bda03a73d

SHA256
9db383428d8ad88916554f294722f6378add4e60e2395a7ce911abd63a6eca47

SHA512
ab3e7a48068accd1fb5b6468e97e171877db6410848a13e1a11f549d6ad992dc62c5e95f7e5e8302ef5af73ebbdc97e178ad920749497b21e2a9260160c75632

Download Submit
C:\Users\Admin\Downloads\m.wry

Filesize
42KB

MD5
980b08bac152aff3f9b0136b616affa5

SHA1
2a9c9601ea038f790cc29379c79407356a3d25a3

SHA256
402046ada270528c9ac38bbfa0152836fe30fb8e12192354e53b8397421430d9

SHA512
100cda1f795781042b012498afd783fd6ff03b0068dbd07b2c2e163cd95e6c6e00755ce16b02b017693c9febc149ed02df9df9b607e2b9cca4b07e5bd420f496

Download Submit
C:\Users\Admin\Downloads\r.wry

Filesize
729B

MD5
880e6a619106b3def7e1255f67cb8099

SHA1
8b3a90b2103a92d9facbfb1f64cb0841d97b4de7

SHA256
c9e9dc06f500ae39bfeb4671233cc97bb6dab58d97bb94aba4a2e0e509418d35

SHA512
c35ca30e0131ae4ee3429610ce4914a36b681d2c406f67816f725aa336969c2996347268cb3d19c22abaa4e2740ae86f4210b872610a38b4fa09ee80fcf36243

Download Submit
C:\Users\Admin\Downloads\t.wry

Filesize
68KB

MD5
5557ee73699322602d9ae8294e64ce10

SHA1
1759643cf8bfd0fb8447fd31c5b616397c27be96

SHA256
a7dd727b4e0707026186fcab24ff922da50368e1a4825350bd9c4828c739a825

SHA512
77740de21603fe5dbb0d9971e18ec438a9df7aaa5cea6bd6ef5410e0ab38a06ce77fbaeb8fc68e0177323e6f21d0cee9410e21b7e77e8d60cc17f7d93fdb3d5e

Download Submit
C:\Users\Admin\Downloads\u.wry

Filesize
48KB

MD5
69b4403480c89592cf11742c3b158e76

SHA1
e20fd69638d14860144def627c7a938530b8767c

SHA256
dbf18a272a8c669b1d7d91aab0edbc0cdeed0f350aa6afb74f51a595ad315dac

SHA512
cede0814b1bb7cace53340c72cc6f48ffd093040d79b38e04fe6bd17b61b44b3e8bbfa38432b157829e9599d28b6e30ea1a1897589cbaa3c0a00e88df68a5425

Download Submit
C:\Users\Admin\Downloads\u.wry

Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
C:\Users\Admin\Pictures\MoveSync.tif.WCRY

Filesize
338KB

MD5
177fb347fd250f6d54aec5fda6471615

SHA1
fcaf117c4d048110f972b9e3c55ea3c5e2a4f2f9

SHA256
d9088b91062c47ff74111ec3a6d08e9dd1352d2070d75ebe1821a7565d03b93d

SHA512
c8bc96a658d6211121b9038b86919e4407e851224e2c89607c60136fe1da117ff6f301a8e36d9aa587493b5cf9562302fa9ab93209acc79ae416524c40da07af

Download Submit
\??\pipe\crashpad_2924_IXTNCBHTONFBLMSY

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1540-24-0x0000000000400000-0x000000000058E000-memory.dmp

Filesize
1.6MB

Download
memory/1540-22-0x0000000000400000-0x000000000058E000-memory.dmp

Filesize
1.6MB

Download
memory/1540-42-0x0000000000400000-0x000000000058E000-memory.dmp

Filesize
1.6MB

Download
memory/1540-1600-0x0000000000400000-0x000000000058E000-memory.dmp

Filesize
1.6MB

Download
memory/1540-1601-0x0000000000400000-0x000000000058E000-memory.dmp

Filesize
1.6MB

Download
memory/1540-1605-0x0000000000400000-0x000000000058E000-memory.dmp

Filesize
1.6MB

Download
memory/1540-38-0x0000000000400000-0x000000000058E000-memory.dmp

Filesize
1.6MB

Download
memory/1540-1611-0x0000000000400000-0x000000000058E000-memory.dmp

Filesize
1.6MB

Download
memory/1540-36-0x0000000000400000-0x000000000058E000-memory.dmp

Filesize
1.6MB

Download
memory/1540-35-0x0000000000400000-0x000000000058E000-memory.dmp

Filesize
1.6MB

Download
memory/1540-26-0x0000000000400000-0x000000000058E000-memory.dmp

Filesize
1.6MB

Download
memory/1540-25-0x0000000000400000-0x000000000058E000-memory.dmp

Filesize
1.6MB

Download
memory/1540-74-0x0000000000400000-0x000000000058E000-memory.dmp

Filesize
1.6MB

Download
memory/1540-23-0x0000000000400000-0x000000000058E000-memory.dmp

Filesize
1.6MB

Download
memory/1540-1575-0x0000000000400000-0x000000000058E000-memory.dmp

Filesize
1.6MB

Download
memory/1540-16-0x0000000000400000-0x000000000058E000-memory.dmp

Filesize
1.6MB

Download
memory/1540-1628-0x0000000000400000-0x000000000058E000-memory.dmp

Filesize
1.6MB

Download
memory/1540-1629-0x0000000000400000-0x000000000058E000-memory.dmp

Filesize
1.6MB

Download
memory/1540-20-0x0000000000400000-0x000000000058E000-memory.dmp

Filesize
1.6MB

Download
memory/1540-1639-0x0000000000400000-0x000000000058E000-memory.dmp

Filesize
1.6MB

Download
memory/1540-1641-0x0000000000400000-0x000000000058E000-memory.dmp

Filesize
1.6MB

Download
memory/1540-1642-0x0000000000400000-0x000000000058E000-memory.dmp

Filesize
1.6MB

Download
memory/1540-1644-0x0000000000400000-0x000000000058E000-memory.dmp

Filesize
1.6MB

Download
memory/1540-1645-0x0000000000400000-0x000000000058E000-memory.dmp

Filesize
1.6MB

Download
memory/1540-1648-0x0000000000400000-0x000000000058E000-memory.dmp

Filesize
1.6MB

Download
memory/1540-1651-0x0000000000400000-0x000000000058E000-memory.dmp

Filesize
1.6MB

Download
memory/1540-17-0x0000000000400000-0x000000000058E000-memory.dmp

Filesize
1.6MB

Download
memory/1540-19-0x0000000000400000-0x000000000058E000-memory.dmp

Filesize
1.6MB

Download
memory/1540-18-0x0000000000400000-0x000000000058E000-memory.dmp

Filesize
1.6MB

Download
memory/3204-4-0x0000000000400000-0x000000000058E000-memory.dmp

Filesize
1.6MB

Download
memory/3204-15-0x0000000000400000-0x000000000058E000-memory.dmp

Filesize
1.6MB

Download
memory/6884-49-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download