troldesh | hxxp://google[.]com

Analysis

max time kernel
480s
max time network
484s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06-08-2024 13:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://google.com

Score

10^/10

troldesh wannacry defense_evasion discovery execution impact persistence ransomware spyware stealer trojan upx worm

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\!Please Read Me!.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions! �

Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Signatures

Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
ransomware trojan troldesh
Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Downloads MZ/PE file

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD4C68.tmp	WannaCry.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD4C61.tmp	WannaCry.exe

Executes dropped EXE 11 IoCs

pid	Process
2464	WinNuke.98.exe
1292	NoMoreRansom.exe
2724	NoMoreRansom.exe
5044	NoMoreRansom.exe
4964	WinNuke.98.exe
4448	NoMoreRansom.exe
4244	WannaCry.exe
1792	!WannaDecryptor!.exe
2464	!WannaDecryptor!.exe
2176	!WannaDecryptor!.exe
1960	!WannaDecryptor!.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 45 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1292-603-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1292-613-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1292-614-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1292-615-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1292-658-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2724-680-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2724-681-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1292-682-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2724-683-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/5044-688-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1292-689-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/5044-690-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1292-693-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1292-695-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4448-698-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4448-699-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1292-704-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1292-714-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1292-753-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1292-754-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1292-764-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1292-774-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1292-775-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1292-776-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1292-777-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1292-778-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1292-779-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1292-783-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1292-2266-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1292-2300-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1292-2310-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1292-2313-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1292-2314-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1292-2316-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1292-2463-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1292-2504-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1292-2539-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1292-2558-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1292-2569-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1292-2580-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1292-2581-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1292-2583-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1292-2584-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1292-2586-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1292-2596-0x0000000000400000-0x00000000005DE000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""	NoMoreRansom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\Downloads\\WannaCry.exe\" /r"	WannaCry.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
121	raw.githubusercontent.com
122	raw.githubusercontent.com
167	discord.com
170	discord.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp"	!WannaDecryptor!.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NoMoreRansom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinNuke.98.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NoMoreRansom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NoMoreRansom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NoMoreRansom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
3132	taskkill.exe
3652	taskkill.exe
3704	taskkill.exe
4688	taskkill.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-656926755-4116854191-210765258-1000\{548F36FC-E025-458F-9805-18DB96BCCB45}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	OpenWith.exe

NTFS ADS 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 236544.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 830522.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 414038.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
3740	msedge.exe
3740	msedge.exe
3400	msedge.exe
3400	msedge.exe
3684	identity_helper.exe
3684	identity_helper.exe
1088	msedge.exe
1088	msedge.exe
2476	msedge.exe
2476	msedge.exe
4356	msedge.exe
4356	msedge.exe
4356	msedge.exe
4356	msedge.exe
2176	msedge.exe
2176	msedge.exe
1292	NoMoreRansom.exe
1292	NoMoreRansom.exe
1292	NoMoreRansom.exe
1292	NoMoreRansom.exe
2724	NoMoreRansom.exe
2724	NoMoreRansom.exe
2724	NoMoreRansom.exe
2724	NoMoreRansom.exe
5044	NoMoreRansom.exe
5044	NoMoreRansom.exe
5044	NoMoreRansom.exe
5044	NoMoreRansom.exe
4448	NoMoreRansom.exe
4448	NoMoreRansom.exe
4448	NoMoreRansom.exe
4448	NoMoreRansom.exe
344	msedge.exe
344	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4964	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 29 IoCs

pid	Process
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe

Suspicious use of AdjustPrivilegeToken 51 IoCs

description	pid	Process
Token: SeDebugPrivilege	4688	taskkill.exe
Token: SeDebugPrivilege	3704	taskkill.exe
Token: SeDebugPrivilege	3132	taskkill.exe
Token: SeDebugPrivilege	3652	taskkill.exe
Token: SeIncreaseQuotaPrivilege	1056	WMIC.exe
Token: SeSecurityPrivilege	1056	WMIC.exe
Token: SeTakeOwnershipPrivilege	1056	WMIC.exe
Token: SeLoadDriverPrivilege	1056	WMIC.exe
Token: SeSystemProfilePrivilege	1056	WMIC.exe
Token: SeSystemtimePrivilege	1056	WMIC.exe
Token: SeProfSingleProcessPrivilege	1056	WMIC.exe
Token: SeIncBasePriorityPrivilege	1056	WMIC.exe
Token: SeCreatePagefilePrivilege	1056	WMIC.exe
Token: SeBackupPrivilege	1056	WMIC.exe
Token: SeRestorePrivilege	1056	WMIC.exe
Token: SeShutdownPrivilege	1056	WMIC.exe
Token: SeDebugPrivilege	1056	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1056	WMIC.exe
Token: SeRemoteShutdownPrivilege	1056	WMIC.exe
Token: SeUndockPrivilege	1056	WMIC.exe
Token: SeManageVolumePrivilege	1056	WMIC.exe
Token: 33	1056	WMIC.exe
Token: 34	1056	WMIC.exe
Token: 35	1056	WMIC.exe
Token: 36	1056	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1056	WMIC.exe
Token: SeSecurityPrivilege	1056	WMIC.exe
Token: SeTakeOwnershipPrivilege	1056	WMIC.exe
Token: SeLoadDriverPrivilege	1056	WMIC.exe
Token: SeSystemProfilePrivilege	1056	WMIC.exe
Token: SeSystemtimePrivilege	1056	WMIC.exe
Token: SeProfSingleProcessPrivilege	1056	WMIC.exe
Token: SeIncBasePriorityPrivilege	1056	WMIC.exe
Token: SeCreatePagefilePrivilege	1056	WMIC.exe
Token: SeBackupPrivilege	1056	WMIC.exe
Token: SeRestorePrivilege	1056	WMIC.exe
Token: SeShutdownPrivilege	1056	WMIC.exe
Token: SeDebugPrivilege	1056	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1056	WMIC.exe
Token: SeRemoteShutdownPrivilege	1056	WMIC.exe
Token: SeUndockPrivilege	1056	WMIC.exe
Token: SeManageVolumePrivilege	1056	WMIC.exe
Token: 33	1056	WMIC.exe
Token: 34	1056	WMIC.exe
Token: 35	1056	WMIC.exe
Token: 36	1056	WMIC.exe
Token: SeBackupPrivilege	3276	vssvc.exe
Token: SeRestorePrivilege	3276	vssvc.exe
Token: SeAuditPrivilege	3276	vssvc.exe
Token: 33	4480	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4480	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe

Suspicious use of SendNotifyMessage 40 IoCs

pid	Process
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
1792	!WannaDecryptor!.exe
1792	!WannaDecryptor!.exe
2464	!WannaDecryptor!.exe
2464	!WannaDecryptor!.exe
2176	!WannaDecryptor!.exe
2176	!WannaDecryptor!.exe
1960	!WannaDecryptor!.exe
1960	!WannaDecryptor!.exe
4964	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3400 wrote to memory of 4684	3400	msedge.exe	83
PID 3400 wrote to memory of 4684	3400	msedge.exe	83
PID 3400 wrote to memory of 3760	3400	msedge.exe	84
PID 3400 wrote to memory of 3760	3400	msedge.exe	84
PID 3400 wrote to memory of 3760	3400	msedge.exe	84
PID 3400 wrote to memory of 3760	3400	msedge.exe	84
PID 3400 wrote to memory of 3760	3400	msedge.exe	84
PID 3400 wrote to memory of 3760	3400	msedge.exe	84
PID 3400 wrote to memory of 3760	3400	msedge.exe	84
PID 3400 wrote to memory of 3760	3400	msedge.exe	84
PID 3400 wrote to memory of 3760	3400	msedge.exe	84
PID 3400 wrote to memory of 3760	3400	msedge.exe	84
PID 3400 wrote to memory of 3760	3400	msedge.exe	84
PID 3400 wrote to memory of 3760	3400	msedge.exe	84
PID 3400 wrote to memory of 3760	3400	msedge.exe	84
PID 3400 wrote to memory of 3760	3400	msedge.exe	84
PID 3400 wrote to memory of 3760	3400	msedge.exe	84
PID 3400 wrote to memory of 3760	3400	msedge.exe	84
PID 3400 wrote to memory of 3760	3400	msedge.exe	84
PID 3400 wrote to memory of 3760	3400	msedge.exe	84
PID 3400 wrote to memory of 3760	3400	msedge.exe	84
PID 3400 wrote to memory of 3760	3400	msedge.exe	84
PID 3400 wrote to memory of 3760	3400	msedge.exe	84
PID 3400 wrote to memory of 3760	3400	msedge.exe	84
PID 3400 wrote to memory of 3760	3400	msedge.exe	84
PID 3400 wrote to memory of 3760	3400	msedge.exe	84
PID 3400 wrote to memory of 3760	3400	msedge.exe	84
PID 3400 wrote to memory of 3760	3400	msedge.exe	84
PID 3400 wrote to memory of 3760	3400	msedge.exe	84
PID 3400 wrote to memory of 3760	3400	msedge.exe	84
PID 3400 wrote to memory of 3760	3400	msedge.exe	84
PID 3400 wrote to memory of 3760	3400	msedge.exe	84
PID 3400 wrote to memory of 3760	3400	msedge.exe	84
PID 3400 wrote to memory of 3760	3400	msedge.exe	84
PID 3400 wrote to memory of 3760	3400	msedge.exe	84
PID 3400 wrote to memory of 3760	3400	msedge.exe	84
PID 3400 wrote to memory of 3760	3400	msedge.exe	84
PID 3400 wrote to memory of 3760	3400	msedge.exe	84
PID 3400 wrote to memory of 3760	3400	msedge.exe	84
PID 3400 wrote to memory of 3760	3400	msedge.exe	84
PID 3400 wrote to memory of 3760	3400	msedge.exe	84
PID 3400 wrote to memory of 3760	3400	msedge.exe	84
PID 3400 wrote to memory of 3740	3400	msedge.exe	85
PID 3400 wrote to memory of 3740	3400	msedge.exe	85
PID 3400 wrote to memory of 400	3400	msedge.exe	86
PID 3400 wrote to memory of 400	3400	msedge.exe	86
PID 3400 wrote to memory of 400	3400	msedge.exe	86
PID 3400 wrote to memory of 400	3400	msedge.exe	86
PID 3400 wrote to memory of 400	3400	msedge.exe	86
PID 3400 wrote to memory of 400	3400	msedge.exe	86
PID 3400 wrote to memory of 400	3400	msedge.exe	86
PID 3400 wrote to memory of 400	3400	msedge.exe	86
PID 3400 wrote to memory of 400	3400	msedge.exe	86
PID 3400 wrote to memory of 400	3400	msedge.exe	86
PID 3400 wrote to memory of 400	3400	msedge.exe	86
PID 3400 wrote to memory of 400	3400	msedge.exe	86
PID 3400 wrote to memory of 400	3400	msedge.exe	86
PID 3400 wrote to memory of 400	3400	msedge.exe	86
PID 3400 wrote to memory of 400	3400	msedge.exe	86
PID 3400 wrote to memory of 400	3400	msedge.exe	86
PID 3400 wrote to memory of 400	3400	msedge.exe	86
PID 3400 wrote to memory of 400	3400	msedge.exe	86
PID 3400 wrote to memory of 400	3400	msedge.exe	86
PID 3400 wrote to memory of 400	3400	msedge.exe	86

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.com
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8540646f8,0x7ff854064708,0x7ff854064718
  2⤵
  PID:4684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,16754546877110187741,3854689342328020187,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
  2⤵
  PID:3760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,16754546877110187741,3854689342328020187,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2516 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2056,16754546877110187741,3854689342328020187,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2916 /prefetch:8
  2⤵
  PID:400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,16754546877110187741,3854689342328020187,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:4236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,16754546877110187741,3854689342328020187,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:2280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,16754546877110187741,3854689342328020187,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4956 /prefetch:1
  2⤵
  PID:3696
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,16754546877110187741,3854689342328020187,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5336 /prefetch:8
  2⤵
  PID:2888
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,16754546877110187741,3854689342328020187,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5336 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,16754546877110187741,3854689342328020187,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1
  2⤵
  PID:4332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,16754546877110187741,3854689342328020187,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:1
  2⤵
  PID:4340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,16754546877110187741,3854689342328020187,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5888 /prefetch:1
  2⤵
  PID:4508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,16754546877110187741,3854689342328020187,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5868 /prefetch:1
  2⤵
  PID:2540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,16754546877110187741,3854689342328020187,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1
  2⤵
  PID:2836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,16754546877110187741,3854689342328020187,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:1
  2⤵
  PID:904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,16754546877110187741,3854689342328020187,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5580 /prefetch:1
  2⤵
  PID:4196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,16754546877110187741,3854689342328020187,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5332 /prefetch:1
  2⤵
  PID:3104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,16754546877110187741,3854689342328020187,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5740 /prefetch:1
  2⤵
  PID:3504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2056,16754546877110187741,3854689342328020187,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5548 /prefetch:8
  2⤵
  PID:1416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2056,16754546877110187741,3854689342328020187,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3056 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:1088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,16754546877110187741,3854689342328020187,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5936 /prefetch:1
  2⤵
  PID:4744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,16754546877110187741,3854689342328020187,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1864 /prefetch:1
  2⤵
  PID:228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,16754546877110187741,3854689342328020187,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6064 /prefetch:1
  2⤵
  PID:1816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2056,16754546877110187741,3854689342328020187,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5964 /prefetch:8
  2⤵
  PID:2648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,16754546877110187741,3854689342328020187,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6356 /prefetch:1
  2⤵
  PID:4708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2056,16754546877110187741,3854689342328020187,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6960 /prefetch:8
  2⤵
  PID:2168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,16754546877110187741,3854689342328020187,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6032 /prefetch:1
  2⤵
  PID:640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2056,16754546877110187741,3854689342328020187,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6836 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2476
- C:\Users\Admin\Downloads\WinNuke.98.exe
  "C:\Users\Admin\Downloads\WinNuke.98.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,16754546877110187741,3854689342328020187,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6796 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,16754546877110187741,3854689342328020187,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6272 /prefetch:1
  2⤵
  PID:2924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --field-trial-handle=2056,16754546877110187741,3854689342328020187,131072 --lang=en-US --service-sandbox-type=entity_extraction --mojo-platform-channel-handle=6312 /prefetch:8
  2⤵
  PID:2000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,16754546877110187741,3854689342328020187,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7224 /prefetch:1
  2⤵
  PID:2216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2056,16754546877110187741,3854689342328020187,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7460 /prefetch:8
  2⤵
  PID:4512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2056,16754546877110187741,3854689342328020187,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7148 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2176
- C:\Users\Admin\Downloads\NoMoreRansom.exe
  "C:\Users\Admin\Downloads\NoMoreRansom.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,16754546877110187741,3854689342328020187,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6128 /prefetch:1
  2⤵
  PID:4908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2056,16754546877110187741,3854689342328020187,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4148 /prefetch:8
  2⤵
  PID:4752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,16754546877110187741,3854689342328020187,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6804 /prefetch:1
  2⤵
  PID:808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2056,16754546877110187741,3854689342328020187,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6708 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:344
- C:\Users\Admin\Downloads\WannaCry.exe
  "C:\Users\Admin\Downloads\WannaCry.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:4244
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 13581722951681.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4968
  - - C:\Windows\SysWOW64\cscript.exe
      cscript //nologo c.vbs
      4⤵
      System Location Discovery: System Language Discovery
      PID:3024
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe f
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1792
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im MSExchange*
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3704
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Microsoft.Exchange.*
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4688
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sqlserver.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3652
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sqlwriter.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3132
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe c
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2464
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c start /b !WannaDecryptor!.exe v
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4564
  - - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
      !WannaDecryptor!.exe v
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2176
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5028
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1056
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe
    3⤵
    - Executes dropped EXE
    - Sets desktop wallpaper using registry
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,16754546877110187741,3854689342328020187,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5708 /prefetch:1
  2⤵
  PID:2680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,16754546877110187741,3854689342328020187,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7920 /prefetch:1
  2⤵
  PID:2224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,16754546877110187741,3854689342328020187,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5588 /prefetch:1
  2⤵
  PID:4908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,16754546877110187741,3854689342328020187,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8140 /prefetch:1
  2⤵
  PID:3932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,16754546877110187741,3854689342328020187,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8180 /prefetch:1
  2⤵
  PID:4452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,16754546877110187741,3854689342328020187,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5896 /prefetch:1
  2⤵
  PID:2108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,16754546877110187741,3854689342328020187,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:4692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,16754546877110187741,3854689342328020187,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8024 /prefetch:1
  2⤵
  PID:544

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2104

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2708

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3788

C:\Users\Admin\Downloads\NoMoreRansom.exe
"C:\Users\Admin\Downloads\NoMoreRansom.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2724

C:\Users\Admin\Desktop\NoMoreRansom.exe
"C:\Users\Admin\Desktop\NoMoreRansom.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:5044

C:\Users\Admin\Downloads\WinNuke.98.exe
"C:\Users\Admin\Downloads\WinNuke.98.exe"
1⤵
- Executes dropped EXE
PID:4964

C:\Users\Admin\Desktop\NoMoreRansom.exe
"C:\Users\Admin\Desktop\NoMoreRansom.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4448

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3276

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3ec 0x150
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4480

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\!Please Read Me!.txt
1⤵
PID:532

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9e3fc58a8fb86c93d19e1500b873ef6f

SHA1
c6aae5f4e26f5570db5e14bba8d5061867a33b56

SHA256
828f4eacac1c40b790fd70dbb6fa6ba03dcc681171d9b2a6579626d27837b1c4

SHA512
e5e245b56fa82075e060f468a3224cf2ef43f1b6d87f0351a2102d85c7c897e559be4caeaecfdc4059af29fdc674681b61229319dda95cb2ee649b2eb98d313e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
27304926d60324abe74d7a4b571c35ea

SHA1
78b8f92fcaf4a09eaa786bbe33fd1b0222ef29c1

SHA256
7039ad5c2b40f4d97c8c2269f4942be13436d739b2e1f8feb7a0c9f9fdb931de

SHA512
f5b6181d3f432238c7365f64fc8a373299e23ba8178bcc419471916ef8b23e909787c7c0617ab22e4eb90909c02bd7b84f1386fbc61e2bdb5a0eb474175da4bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
209KB

MD5
3e552d017d45f8fd93b94cfc86f842f2

SHA1
dbeebe83854328e2575ff67259e3fb6704b17a47

SHA256
27d9c4613df7a3c04da0b79c13217aa69992b441acb7e44bf2a7578ca87d97d6

SHA512
e616436f2f15615429c7c5c37de3990c3e86c5e1da7d75a0f524fc458b75d44a5be1a3648a628d63e1cf8aa062e08b538f2f2bc9c6a0b42157beb24f82c571d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
6cb02626502137ff769427d64213bf15

SHA1
1986e73fedae09d102531800c22f6bc2d7591e90

SHA256
5b975097a35179e48095ceb849dd196bb75d6f6da2cc7657c815c2fe97e82e21

SHA512
51bd986829e842fb2fe2b056aae80618b895e88fe8d363fe8c5398624e3aa8af437b6a96ffe3180e507d1df14edcea3d46bfa059d27b402ccb39a12b96db971c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
4a5460f4e76a45d199b3be5caea11a34

SHA1
e72df2bf48938e47d7031972129e3f13bb37f2ab

SHA256
99d29f5bb0c7f7439273762a375dbd936345dba8f073f3664efb6cef3188a9cf

SHA512
8183bd62635c1f13930b36a310598970b37b1faf67a16efa4d7d1db97ba09cabbc0b3c08c1e308dbd28c54e993e958c0d3d4f748e6a73dbf8a84049369b1aef5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
5334306e5fa52466cb6ab5545426ddbc

SHA1
583c7a77c2d03ac765564ebad22715e1352e3b76

SHA256
0d78f4157a02251532e9ee307b06b0b2ca1d2cc81a2c18d6b089e45ea2f183d9

SHA512
a28d22fc4a22aa93bdb2d8d713593d03bf40c7f6312c30649ed1b9121ea8afbf333894f3312d3137628f9a1d0a1dc43d9a7b6ca2ebeb9ef72e91654d88ad127a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
72a25925cc26681fe52d19e86a3f017b

SHA1
b4888bcf76300122bc1f6c3ba2222b831566b731

SHA256
0e94cebff521f5f0a1b6fe3eea3bde9a73d1040ddf740f0f468413fc4a810973

SHA512
b95186e7af5dbe1b9798914f225d5134633b81874ae9d3bd97a615862cf63bea8073c3e50f4dfc839f8baddf01ed64c099bfff7e3e9be372708bc1c11c247f0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
7fcca8b1dcfe29a0f59dced7c02f5a3d

SHA1
3ed49d1330050024c3f585a7058c9896d061dc79

SHA256
00b37193d5cc69cefdf877e3d5bc86b04ce4672cf8f8665badb945a3c6c2262d

SHA512
75bd8e9b6c4f69cb4990a5204e3c481cf4386a33aeaaa4e6be9871d7830806a12ad08b06443e39db7f376e4c84a5f1b7d4152e434ea55ae909e8ea40e4617dba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
1e625841adede72969752586255bc4d2

SHA1
bbf49b67ed809d813c5722d6442881830972a7da

SHA256
89e3e86f7965b64464baae2944b417735fab5da5f681e138947bd4d6acda3abb

SHA512
77ad8b42ed608fccba8ea7c1f0259152f639ee6d6dc106d4ff71380cdbed81f29b88bafaa2a40cd5d283222c338922a67ae204b7173eb33ecdf5e5c90babb3a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
40817cd1a2e5df05a61e192664f37903

SHA1
2b221e0062ed3bec14879684d253affe93ea1123

SHA256
c6683193d04274c90f8a19de8e95b7faafc25273c8f3ab67a17792196e36b006

SHA512
cda7045e8f26f0a911160a629fba81b688e893ef53db1a2a461a427cf62607e698deccb1a31e8e12ae96b42bdaa51b8a58aef9b9193c8ae55296aa201aa4cfc1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
2c9e4b31946218a6dd913bccc03bb707

SHA1
a124e1372c001e0de56759cc3794549c6ed02fc8

SHA256
7b7d0a3e5e226d18130f31cf1951148feb8e1e2a3ae040c44881d305c4defa53

SHA512
8e1bf1a85a22b9486e91971c7aadfc42900c6294d89bae6b0fbbfc6c936ca3a6efc488ebfe1e77e238412087468b080e9058284f3a33ebd51259a351eb03dfa5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
b55f6a896603a0cdfbb7d3f05fe2e6cc

SHA1
ce744257f3e2a3a5dc5f2905ff167e6ffd89556e

SHA256
060ca16b2295e6c0472918f7740f1614721a9456e43034e56d447560363138b3

SHA512
90fdb0e8c2d0e8b9cace9047abf4ec9adb653aba19adc915de8b6f841581fe8cfdb3b0c7e8c3e307a83e55e50215665f4ca845616602ea998a06987520d73092

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
e678155a2bb278edfadd08deed1fbe83

SHA1
0a1f9fadd0afe0afd3c81298b49d1c7cbc3b8d53

SHA256
d24fd6a50361b1bb3395e203171ad2168410555d83d32d555c6b92cdf7182b2f

SHA512
80911940bbd78a99ecb4369c0354700cd0975ca3d57f4daedb36ae3986e2d1b1d656779fccfcebdcf592b15c73e540b25fb10b4152087eff1c489e60ad5a5bd0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7dfdb351fb48e18aeb2012e0f0fa7834

SHA1
faf9e326c93855a318251c3d7a1343318dd6fd4f

SHA256
c74e00b962fb71c78386b4c68ff70130561845c330433f628828e6805f63a5f6

SHA512
b2eb1c6f3f99e276c2f8dba54006dee962742d15408b3f60438ca2467fafe56d88b0a04cfd019d1f095e508c3a33a72404c0d4df97995545b4e946c69f66f7b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
48f96e25f3b9018453688628b5e19772

SHA1
bf0684bb6b1387b41e0016f8d71a16bdb787062c

SHA256
de98a02255e7dd657d8a01f7903491ea02d6c912f3828d8edf27a953ca74d096

SHA512
e6416f042b2b41b8236f6963fddf279d71b3ac92c1cb42d7f565f4e107105874b2bcfd844404fd4011621c49bf24faa31b5f568754c91a9420d385ff1172c2a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
537bf5d8db7c2cb9d05d2c15da89f722

SHA1
881c09b627a73afbc9ad8942ef12a83c6ae91523

SHA256
a807255b4b6842acfe6cedef6356a9c211db761bf256052598cf710a0761f428

SHA512
d3bed5c4f08069d9d29bfd6ff22ebf9e2e92b36b6e388b1163813dec342df7a988215cd009fc2677a98223e3edb041bab2ed86b57cc7e0601ef659debcdc4860

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
1b94d5a029415f6252bb680ad6733b6c

SHA1
a238c6deeab03b12d36391990e15f78172c62e49

SHA256
ab9cb8a270da73ba1da999de4ba4d16267cea96231452d6d1189667b0c7cff8c

SHA512
c34f609301a9ae003f541935e08cea6c3c756847d9149b1e09c6ebe128bd1729bb5dd7e1ea280710c4be392c36c97bade677afb29234c2ecee0699d935a31f51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
a24ed57818abf1fa96941e49d38c2bc5

SHA1
ee809d838cac0b3bca83ad6c439093890c0c2eac

SHA256
67b95785c2090b35d3874015cf0876e4373034516f8d5c5c22b415106692ffb5

SHA512
efe81e4f4d2f6219e5d7cdc14f4c2ddc58a00e521a3ceb9de3c77867b5a3823be756ce2a9387e90e12c441a6e91e010423c443c60a80e89f383573954977a23b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
92eec5505e1a68616619e395fb9d4282

SHA1
4afae0b410235254716db4c31300627395cd93b8

SHA256
4ad827d561f82d307afb4333632ecc002b5f36a8b84bba514cb209cf6b90d972

SHA512
b39fd90dd953f9c4dad649339b014a32f3a30a0ad794ca77d074388e479fde15366a0336d954a314992d16db05141bea29e77b77191ee4aa0d179dd54add6c89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4e76d8238af4bdedf3a2af49bf000ee2

SHA1
ac0569982ea43027e87efbfc5032a49f0534054e

SHA256
abbf326505c56d3a767957a90dd8bf1e1690ccaac98636e3322dd22ea6d81c8b

SHA512
9fb618f7c22e9e3b660e9331153d872d385894e95cec8d3db54f86cf892419d2c52c880ab5283cea08db949e8fdaa293428289364eedb6ae823faf014aae9420

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
4efbe98fe2dade7ad4f882308804330d

SHA1
8d77779ac74ee1e5019ff4f3063247fab2c0dc29

SHA256
fe5e75249f694a553fd20d71a834a48345d80799f425b0fbda4f48e2e2d3c986

SHA512
f7f777ac30e3145d4340dde9add678192a6d14652dc1b3dd0c1a3d15992ad6e26eb17208f9736e79cb1ea5e234fa6fedf14e32e55db10655ad637cb8374a0519

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
be9fab189ac6187b37ecd76bd49ae9e3

SHA1
f879f2133813040200021461b4870162b9aa1c19

SHA256
27c6e5872f154f8c5091c0150fa56d8cba51778324733be8343e713c258ab1d0

SHA512
a0d97b96bb0b962540fbb1e262d7f90f1fa14272076e50176b025880ccaff0cd6079ec696b59c8e7bb35c19c37d639483f145199b1fc3d59784688c448b2096a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
683070eeb1da910055ec91c2214f3078

SHA1
bc7e72e6e1ce71e012f6be78e681e2684b1ae727

SHA256
aaff445fee993dd3b556ca8e39b6acdad231660960fa22d66617a01186c165f5

SHA512
181e40afc47aafbe705a2b949bc8fee175f97cd96b76851a5b159ad3aab3273c3a0bb5f48687cd9b496ddb3ed123631e84e41d7be1d9fa7270018a6a80444af2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
78998c9fc8379dc13c8eec19c806874f

SHA1
2e5aa0e0218cc84262c8fef972f6023d0f780db2

SHA256
9581062900f6ba0891a909cafb3b80714840a87d5f2b364a6e2c5dfbaba9ecb1

SHA512
675be981f631d5d35023a4cf328cf8b170288c14967783f7499b724905d517526503ea98dd4656daaa830c1a04fc41fcaf96c19283926e8973688bc377fcf8c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
08831f384b4b006e36fbeab8ac814064

SHA1
367c2907b3818ddba3d5ab19cd579a98b6e23bbd

SHA256
a3b3e997928815a76cc0edd92683aade9950c3c8704dcf3219cce49b1f88196c

SHA512
4abed07c3806e927dc5d5c6a76f3b4e0101040d4071e9e0f6f1d1752c2dd5fb9acb6a236fc83ed26e2e23c7a357c53f71240fd9ae41c2367ed5d17b8f63b495f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
8acd4f2668f838d0d987adf550c5b1a8

SHA1
2ab5418c89636fe76dc416894a7026f4ff4e9478

SHA256
4a2b3b04717881d9d84480660d70253036c528bc4c020a4233fb66af3ce9be60

SHA512
3c0fa2839f2239b6eeb92aaa9af0cf5be41ddb3474e5ec75567c6135151e6a8b286690b5e9c3bd7d8c3ebd5e41bceba6e266557630dd444ab101801187dcc07f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
49b79173922dcc8eb171b6c86ceae36f

SHA1
533d07aa5b871c57a441b6019b9c2dc225720a17

SHA256
ce9468f692ce7f6a4f0d113cbe7fb31d6152ca91c239ecd6848ea6bf8d1884bf

SHA512
360470557af09a1091519b2e53cfc416ea8bfb592a4016df925b8209922b32c62e095767ce96716b2f11ef85637e366da412ef5f2dfb0af1aa44bd4db132719f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
44ac793fd972e273b7d7f45056f3970b

SHA1
c7a6201dc7b712762e087ccc47a78f7d40668efc

SHA256
98160bb748e636ccc5d7969a5b2f647b66fde39b5abd6edcc1be7beb89222bfd

SHA512
a660cd144516d0fccc7f04ee124e2252a77540d3d4aa7320dc66f036aed9084e18e49800f4710f6b019fcb2c9dbe4d4f8560a78ef5ad610770473e871b91c090

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
7ee6b211a43c6bcc5719849c20460a1d

SHA1
4f59bc0d705ecd040fab08741f636d0eed9529bc

SHA256
d1b06f41ee5dc76b165ac1ddf95d024b26f9fb4c156b7524431ca013320bda48

SHA512
13b1617dd804038863f12c4358617e5424060cf8ab9c3a6145cf2b6cfce6830349ad9429a5780ce0990574174129a0116c910419b19fc3f90b1cf52cad9efa67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58aaa3.TMP

Filesize
536B

MD5
6ec49399e96d89c915ed0191dc912d96

SHA1
6137d2381f36b85347bd2ef73a89ae3bc107eab9

SHA256
3a157f9e0618006c6209c0eeadd5dc6594573475aea62a419211d33cc09eab41

SHA512
0c724e6e0a5b24d718dfafd2c428aa89ed0f85adcba424ed47d379f5effcaca90414c4ad1f78ec59041dc58a4ce389610959442477b782a762d8494928f74318

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\a81478a6-e4aa-47a9-b81f-7f2fb27073b6.tmp

Filesize
6KB

MD5
8a66ad631219d9a0e3e9ca5a46ea0e1f

SHA1
3a3c5f0c80f70e5389a8e75674127e39416e40ff

SHA256
ca7ea33dabe327a4f5666b2e1ec6ad758bff2a4deb223855971067d014b024cb

SHA512
cdbb7eb3da207077794b344a5524bc15b1bf6bae1e2e2e7c766fb675dc743b069ad4cbe29750dd244a444059dbbf679c999e99f26a825eb9769cb0ce2db663e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
5e3a300cc91f23f772de30742b36336d

SHA1
9caa89fa52ecf3dfce19a9f02448ff408ea2d069

SHA256
4782f6af9a96a59ad084a809745600162109eee32691ce815489f7ca1848773a

SHA512
36deff876f6901f331dd2a76e898a4fdf9a17082774da83cbbaca5594b29e56de92336320d720867cc859cdcaf9f8a605261ea3fd7b6ad67a07a9e0cd30b4581

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
fc77343b02e0e916e7ce00b2ab011447

SHA1
76d2d070caf06f15c3e259fe389ebdea602e1df8

SHA256
594a5c18b447018b082378b161f544105a51cfae10609ae256bd1aea10eba872

SHA512
a9f2c7465ead2299235720edf04fa18fb658488b5b63a8de5c06d6236e797b7e493cf735da70723ae9c0e52bfb4db51cef2b859d409c7d0ca5548828a13b8e1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e5502835ba4a66496894090a95a8887e

SHA1
b622cc816974aa73722777c811445964706ff160

SHA256
a2d77faec0ff289061ba1ca4ec3a11e475f068cc7e26bdeefeecbbf77db2806a

SHA512
dbaf95a5d9592140540fe3b07c95abf12d348d590491cfa343337da8cc086dafbf8eabe24d321ba52c78b3525ffd997c9c9d0e7b8c44feb9c9f6868cc4b1f570

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
be31bfa4e57ee54be6da400bc8db3b2b

SHA1
944b5c40c12d3936406a091e29f547b3c8f7de68

SHA256
c6b00ea3c52de5bab3147b94d0eebc4b23d2a446729a88049e79185c81314294

SHA512
dee4ae1164f844bdcdb772003ed31e927cf9c08cce60e1562535d966ab823d2f59ac7f63fd867cff146f08fb1610a1b3145b39ed7ed13ea2e57e97872a12973b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
d60443756367f08d85044f777d5b8d14

SHA1
3143f59d85363842859bcde9e77a17a20486ce2f

SHA256
5b5d5e6efdcc1373caa2be2094497da2b547d0a147167f7b332e5796c1aa1d01

SHA512
e42e71d5942887b5695ac9523333725336c3e0f436f486b9bf1d9bfb27e6bc26b9f2c6587ecee5acfe3a19a94e6210711fe1457547db8e0273f7afb86f437d23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ed617b736dadcb18cd08dd0815ebd8d6

SHA1
d3a2aa65311378b3297168ee554d8b989919dab9

SHA256
6a836baec59316cf4c12448e591e5741a31b24ec16bbdd55c5fd15c2f2622692

SHA512
f5f5219e01eeea773de897c10c615606f7930a93e4622e0f3ba4c421babe31a58bfe30bc2977ec094d62b020d89487b3e410f0f3aaec4e7e1b9785fe0acb495d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
15KB

MD5
0cab37587f7dcbfe9782f620635962d1

SHA1
f68554e680c8705160b762676d667d8aacd78fb7

SHA256
d8600873b6a911be2c5266fb452337ad9d9d68a2775957ec27ed06089e526c64

SHA512
34295c6c0b1e1e009c4cf950d2bece0b567c8101175e6d8d263db9033752c3a5592ae0eba167a8cd9cbb352bea29a276adbe8806e8b3b3c20a4aa3877081c47b

Download Submit
C:\Users\Admin\Downloads\!Please Read Me!.txt

Filesize
797B

MD5
afa18cf4aa2660392111763fb93a8c3d

SHA1
c219a3654a5f41ce535a09f2a188a464c3f5baf5

SHA256
227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0

SHA512
4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b

Download Submit
C:\Users\Admin\Downloads\!WannaDecryptor!.exe.lnk

Filesize
590B

MD5
2fbe780bc345cfe3c604850b686c30a1

SHA1
a08c125c59a0ea0604bf176bddad4b9fa2344214

SHA256
9a192de8795ce19c13eaf2316615ae9bc2b403ef3fa831b86e4ae544cac368f5

SHA512
22607483ae936c2f62a6a590917d9b6ead55ad332301e733509251c0e5f246aeddda3bf38d1150c212b88bdba510a911f6f564dd96d9fedfb3bfca4d499537af

Download Submit
C:\Users\Admin\Downloads\00000000.res

Filesize
136B

MD5
87dd9c0e5e50cc171028428a481241a4

SHA1
1995c39ff0783e89199594cb4a2c185d079cf024

SHA256
fa87f06f79ccef56efe4bd4c558dc912bc691df52f3f2e7684f589d196669b3a

SHA512
62dbe06c66058d188dd8cac5ca78496612964c788852fdd57adfaa14e1032c191ee4ae65f6299a6be31664e217942a159c45acdfe3d30b46519990e623963dc3

Download Submit
C:\Users\Admin\Downloads\00000000.res

Filesize
136B

MD5
1113b7f2d34904307d5ac65bc54cad4e

SHA1
91843b4c219cf6863eca6871d3ff535ceaabc397

SHA256
6cc329c6f18cb6b951272e8cc05b40dd0be1cb0717af102fbcf80c836a1b9a9d

SHA512
75c5416d5e4f9c4fccd3d7c2971efe02ffe516a178c12448f9c63de341d66f3a614b5454b7571d0aa6a6e4f868aab891d32c1d191b9ae77abc611063fc7bdcb3

Download Submit
C:\Users\Admin\Downloads\00000000.res

Filesize
136B

MD5
b201bdd44f12c7359088385b025e149a

SHA1
c110618c80900fc0b6fb3468b20925ce4b82fed3

SHA256
5334fb59bc44e2fc5fb16d09e011b2f7401f73f9f26e428943610db760fdf32b

SHA512
42cdd1069c7928408edbaaf30c17ca6203193aa14cb3100cc302a3ec113f5d66367cc84ad859afe8083f3dc172cb7890acb0a27f288c853acfa9acbd6a879654

Download Submit
C:\Users\Admin\Downloads\13581722951681.bat

Filesize
318B

MD5
a261428b490a45438c0d55781a9c6e75

SHA1
e9eefce11cefcbb7e5168bfb8de8a3c3ac45c41e

SHA256
4288d655b7de7537d7ea13fdeb1ba19760bcaf04384cd68619d9e5edb5e31f44

SHA512
304887938520ffcc6966da83596ccc8688b7eace9572982c224f3fb9c59e6fb2dcaa021a19d2aae47346e954c0d0d8145c723b7143dece11ac7261dc41ba3d40

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 236544.crdownload

Filesize
32KB

MD5
eb9324121994e5e41f1738b5af8944b1

SHA1
aa63c521b64602fa9c3a73dadd412fdaf181b690

SHA256
2f1f93ede80502d153e301baf9b7f68e7c7a9344cfa90cfae396aac17e81ce5a

SHA512
7f7a702ddec8d94cb2177b4736d94ec53e575be3dd2d610410cb3154ba9ad2936c98e0e72ed7ab5ebbcbe0329be0d9b20a3bcd84670a6d1c8d7e0a9a3056edd2

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 414038.crdownload

Filesize
224KB

MD5
5c7fb0927db37372da25f270708103a2

SHA1
120ed9279d85cbfa56e5b7779ffa7162074f7a29

SHA256
be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844

SHA512
a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f89224c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 830522.crdownload

Filesize
1.4MB

MD5
63210f8f1dde6c40a7f3643ccf0ff313

SHA1
57edd72391d710d71bead504d44389d0462ccec9

SHA256
2aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f

SHA512
87a89e8ab85be150a783a9f8d41797cfa12f86fdccb48f2180c0498bfd2b1040b730dee4665fe2c83b98d436453680226051b7f1532e1c0e0cda0cf702e80a11

Download Submit
C:\Users\Admin\Downloads\c.vbs

Filesize
201B

MD5
02b937ceef5da308c5689fcdb3fb12e9

SHA1
fa5490ea513c1b0ee01038c18cb641a51f459507

SHA256
5d57b86aeb52be824875008a6444daf919717408ec45aff4640b5e64610666f1

SHA512
843eeae13ac5fdc216b14e40534543c283ecb2b6c31503aba2d25ddd215df19105892e43cf618848742de9c13687d21e8c834eff3f2b69a26df2509a6f992653

Download Submit
C:\Users\Admin\Downloads\c.wry

Filesize
628B

MD5
50473320933abd7441725f11215dec16

SHA1
50c0175bbf44c6042f1a6e9170fc155229de7119

SHA256
efdfebc6018c6eee941f9112a6aaef10d85cc088fe3b1ce1d0716ed65f34dad1

SHA512
b8390a9164e79fbc434d87b3a7fef28c3db2fb492a3bbb69dae9e9157065211ca1b789e0477734a784faf35cc9981247e89e6e6a15cc7e7dfa2c0c171b55344d

Download Submit
C:\Users\Admin\Downloads\m.wry

Filesize
42KB

MD5
980b08bac152aff3f9b0136b616affa5

SHA1
2a9c9601ea038f790cc29379c79407356a3d25a3

SHA256
402046ada270528c9ac38bbfa0152836fe30fb8e12192354e53b8397421430d9

SHA512
100cda1f795781042b012498afd783fd6ff03b0068dbd07b2c2e163cd95e6c6e00755ce16b02b017693c9febc149ed02df9df9b607e2b9cca4b07e5bd420f496

Download Submit
C:\Users\Admin\Downloads\u.wry

Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
memory/1292-614-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1292-2313-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1292-777-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1292-778-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1292-779-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1292-783-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1292-2596-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1292-775-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1292-774-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1292-764-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1292-754-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1292-753-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1292-714-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1292-704-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1292-603-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1292-2266-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1292-2586-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1292-695-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1292-693-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1292-2300-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1292-2584-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1292-2310-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1292-689-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1292-776-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1292-2314-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1292-2316-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1292-2583-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1292-2463-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1292-2581-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1292-682-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1292-2580-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1292-2504-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1292-2569-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1292-658-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1292-2539-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1292-615-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1292-2558-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1292-613-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2724-680-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2724-681-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2724-683-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4244-802-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download
memory/4448-698-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4448-699-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/5044-688-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/5044-690-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download