wannacry | hxxps://github[.]com/Daksh17440/VIRUS-1[.]0

Analysis

max time kernel
308s
max time network
308s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21-09-2024 01:06

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://github.com/Daksh17440/VIRUS-1.0

Score

10^/10

wannacry bootkit defense_evasion discovery execution impact persistence pyinstaller ransomware spyware stealer upx worm

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\!Please Read Me!.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions! �

Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (209) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	MEMZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	MEMZ.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fd4ce0b0.exe	explorer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDCF54.tmp	WannaCry.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDCF6B.tmp	WannaCry.exe

Executes dropped EXE 20 IoCs

pid	Process
3676	VIRUS.exe
2828	VIRUS.exe
5576	CryptoWall.exe
3948	WannaCry.exe
4832	!WannaDecryptor!.exe
7148	WannaCry.exe
4372	!WannaDecryptor!.exe
5940	!WannaDecryptor!.exe
116	!WannaDecryptor!.exe
4604	MEMZ.exe
5604	MEMZ.exe
5728	MEMZ.exe
5808	MEMZ.exe
5972	MEMZ.exe
6076	MEMZ.exe
5712	MEMZ.exe
3512	RedBoot.exe
6840	protect.exe
7896	assembler.exe
9056	overwrite.exe

Loads dropped DLL 6 IoCs

pid	Process
2828	VIRUS.exe
2828	VIRUS.exe
2828	VIRUS.exe
2828	VIRUS.exe
2828	VIRUS.exe
2828	VIRUS.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000800000002343f-2598.dat	upx
behavioral1/memory/3512-2644-0x0000000000C50000-0x0000000000EDE000-memory.dmp	upx
behavioral1/memory/3512-2893-0x0000000000C50000-0x0000000000EDE000-memory.dmp	upx

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fd4ce0b0 = "C:\\Users\\Admin\\AppData\\Roaming\\fd4ce0b0.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\Downloads\\WannaCry.exe\" /r"	WannaCry.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fd4ce0b = "C:\\fd4ce0b0\\fd4ce0b0.exe"	explorer.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
54	raw.githubusercontent.com
55	raw.githubusercontent.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
151	ip-addr.es
103	ip-addr.es
105	ip-addr.es

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	MEMZ.exe
File opened for modification	\??\PhysicalDrive0	overwrite.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/3512-2893-0x0000000000C50000-0x0000000000EDE000-memory.dmp	autoit_exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp"	!WannaDecryptor!.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x000700000002351f-236.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 30 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	protect.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	assembler.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	overwrite.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RedBoot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CryptoWall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
8332	taskkill.exe
8180	taskkill.exe
8856	taskkill.exe
8484	taskkill.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "237"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe

NTFS ADS 5 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 539303.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 653080.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 378507.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 390036.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 705824.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
688	msedge.exe
688	msedge.exe
3540	msedge.exe
3540	msedge.exe
3384	identity_helper.exe
3384	identity_helper.exe
2636	msedge.exe
2636	msedge.exe
6760	msedge.exe
6760	msedge.exe
7136	msedge.exe
7136	msedge.exe
7136	msedge.exe
7136	msedge.exe
7932	msedge.exe
7932	msedge.exe
8760	msedge.exe
8760	msedge.exe
5728	MEMZ.exe
5604	MEMZ.exe
5604	MEMZ.exe
5728	MEMZ.exe
5728	MEMZ.exe
5604	MEMZ.exe
5604	MEMZ.exe
5728	MEMZ.exe
5604	MEMZ.exe
5604	MEMZ.exe
6076	MEMZ.exe
6076	MEMZ.exe
5972	MEMZ.exe
5972	MEMZ.exe
5808	MEMZ.exe
5808	MEMZ.exe
5604	MEMZ.exe
5808	MEMZ.exe
5808	MEMZ.exe
5604	MEMZ.exe
5972	MEMZ.exe
5972	MEMZ.exe
6076	MEMZ.exe
6076	MEMZ.exe
5728	MEMZ.exe
5728	MEMZ.exe
5604	MEMZ.exe
5728	MEMZ.exe
5604	MEMZ.exe
5728	MEMZ.exe
6076	MEMZ.exe
6076	MEMZ.exe
5972	MEMZ.exe
5972	MEMZ.exe
5808	MEMZ.exe
5808	MEMZ.exe
5604	MEMZ.exe
5604	MEMZ.exe
5972	MEMZ.exe
5972	MEMZ.exe
5808	MEMZ.exe
5808	MEMZ.exe
6076	MEMZ.exe
5728	MEMZ.exe
6076	MEMZ.exe
5728	MEMZ.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
116	!WannaDecryptor!.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
660	Process not Found

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
5576	CryptoWall.exe
1248	explorer.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 25 IoCs

pid	Process
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

description	pid	Process
Token: SeDebugPrivilege	8856	taskkill.exe
Token: SeDebugPrivilege	8332	taskkill.exe
Token: SeDebugPrivilege	8180	taskkill.exe
Token: SeDebugPrivilege	8484	taskkill.exe
Token: SeIncreaseQuotaPrivilege	6740	WMIC.exe
Token: SeSecurityPrivilege	6740	WMIC.exe
Token: SeTakeOwnershipPrivilege	6740	WMIC.exe
Token: SeLoadDriverPrivilege	6740	WMIC.exe
Token: SeSystemProfilePrivilege	6740	WMIC.exe
Token: SeSystemtimePrivilege	6740	WMIC.exe
Token: SeProfSingleProcessPrivilege	6740	WMIC.exe
Token: SeIncBasePriorityPrivilege	6740	WMIC.exe
Token: SeCreatePagefilePrivilege	6740	WMIC.exe
Token: SeBackupPrivilege	6740	WMIC.exe
Token: SeRestorePrivilege	6740	WMIC.exe
Token: SeShutdownPrivilege	6740	WMIC.exe
Token: SeDebugPrivilege	6740	WMIC.exe
Token: SeSystemEnvironmentPrivilege	6740	WMIC.exe
Token: SeRemoteShutdownPrivilege	6740	WMIC.exe
Token: SeUndockPrivilege	6740	WMIC.exe
Token: SeManageVolumePrivilege	6740	WMIC.exe
Token: 33	6740	WMIC.exe
Token: 34	6740	WMIC.exe
Token: 35	6740	WMIC.exe
Token: 36	6740	WMIC.exe
Token: SeIncreaseQuotaPrivilege	6740	WMIC.exe
Token: SeSecurityPrivilege	6740	WMIC.exe
Token: SeTakeOwnershipPrivilege	6740	WMIC.exe
Token: SeLoadDriverPrivilege	6740	WMIC.exe
Token: SeSystemProfilePrivilege	6740	WMIC.exe
Token: SeSystemtimePrivilege	6740	WMIC.exe
Token: SeProfSingleProcessPrivilege	6740	WMIC.exe
Token: SeIncBasePriorityPrivilege	6740	WMIC.exe
Token: SeCreatePagefilePrivilege	6740	WMIC.exe
Token: SeBackupPrivilege	6740	WMIC.exe
Token: SeRestorePrivilege	6740	WMIC.exe
Token: SeShutdownPrivilege	6740	WMIC.exe
Token: SeDebugPrivilege	6740	WMIC.exe
Token: SeSystemEnvironmentPrivilege	6740	WMIC.exe
Token: SeRemoteShutdownPrivilege	6740	WMIC.exe
Token: SeUndockPrivilege	6740	WMIC.exe
Token: SeManageVolumePrivilege	6740	WMIC.exe
Token: 33	6740	WMIC.exe
Token: 34	6740	WMIC.exe
Token: 35	6740	WMIC.exe
Token: 36	6740	WMIC.exe
Token: SeBackupPrivilege	7464	vssvc.exe
Token: SeRestorePrivilege	7464	vssvc.exe
Token: SeAuditPrivilege	7464	vssvc.exe
Token: SeShutdownPrivilege	3512	RedBoot.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe
3540	msedge.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
4832	!WannaDecryptor!.exe
4832	!WannaDecryptor!.exe
4372	!WannaDecryptor!.exe
4372	!WannaDecryptor!.exe
5940	!WannaDecryptor!.exe
5940	!WannaDecryptor!.exe
116	!WannaDecryptor!.exe
116	!WannaDecryptor!.exe
4604	MEMZ.exe
5604	MEMZ.exe
5728	MEMZ.exe
5808	MEMZ.exe
5972	MEMZ.exe
6076	MEMZ.exe
5712	MEMZ.exe
3512	RedBoot.exe
6840	protect.exe
7952	LogonUI.exe
5728	MEMZ.exe
5728	MEMZ.exe
5728	MEMZ.exe
5604	MEMZ.exe
6076	MEMZ.exe
5808	MEMZ.exe
5972	MEMZ.exe
5728	MEMZ.exe
5604	MEMZ.exe
5808	MEMZ.exe
6076	MEMZ.exe
6076	MEMZ.exe
5604	MEMZ.exe
5808	MEMZ.exe
5972	MEMZ.exe
5972	MEMZ.exe
5728	MEMZ.exe
5728	MEMZ.exe
5808	MEMZ.exe
5972	MEMZ.exe
5972	MEMZ.exe
5604	MEMZ.exe
6076	MEMZ.exe
5604	MEMZ.exe
6076	MEMZ.exe
5808	MEMZ.exe
5728	MEMZ.exe
5728	MEMZ.exe
5808	MEMZ.exe
5604	MEMZ.exe
6076	MEMZ.exe
5808	MEMZ.exe
5604	MEMZ.exe
6076	MEMZ.exe
5972	MEMZ.exe
5972	MEMZ.exe
5728	MEMZ.exe
5728	MEMZ.exe
5808	MEMZ.exe
6076	MEMZ.exe
5972	MEMZ.exe
5808	MEMZ.exe
5604	MEMZ.exe
5604	MEMZ.exe
6076	MEMZ.exe
5972	MEMZ.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3540 wrote to memory of 4272	3540	msedge.exe	85
PID 3540 wrote to memory of 4272	3540	msedge.exe	85
PID 3540 wrote to memory of 1672	3540	msedge.exe	86
PID 3540 wrote to memory of 1672	3540	msedge.exe	86
PID 3540 wrote to memory of 1672	3540	msedge.exe	86
PID 3540 wrote to memory of 1672	3540	msedge.exe	86
PID 3540 wrote to memory of 1672	3540	msedge.exe	86
PID 3540 wrote to memory of 1672	3540	msedge.exe	86
PID 3540 wrote to memory of 1672	3540	msedge.exe	86
PID 3540 wrote to memory of 1672	3540	msedge.exe	86
PID 3540 wrote to memory of 1672	3540	msedge.exe	86
PID 3540 wrote to memory of 1672	3540	msedge.exe	86
PID 3540 wrote to memory of 1672	3540	msedge.exe	86
PID 3540 wrote to memory of 1672	3540	msedge.exe	86
PID 3540 wrote to memory of 1672	3540	msedge.exe	86
PID 3540 wrote to memory of 1672	3540	msedge.exe	86
PID 3540 wrote to memory of 1672	3540	msedge.exe	86
PID 3540 wrote to memory of 1672	3540	msedge.exe	86
PID 3540 wrote to memory of 1672	3540	msedge.exe	86
PID 3540 wrote to memory of 1672	3540	msedge.exe	86
PID 3540 wrote to memory of 1672	3540	msedge.exe	86
PID 3540 wrote to memory of 1672	3540	msedge.exe	86
PID 3540 wrote to memory of 1672	3540	msedge.exe	86
PID 3540 wrote to memory of 1672	3540	msedge.exe	86
PID 3540 wrote to memory of 1672	3540	msedge.exe	86
PID 3540 wrote to memory of 1672	3540	msedge.exe	86
PID 3540 wrote to memory of 1672	3540	msedge.exe	86
PID 3540 wrote to memory of 1672	3540	msedge.exe	86
PID 3540 wrote to memory of 1672	3540	msedge.exe	86
PID 3540 wrote to memory of 1672	3540	msedge.exe	86
PID 3540 wrote to memory of 1672	3540	msedge.exe	86
PID 3540 wrote to memory of 1672	3540	msedge.exe	86
PID 3540 wrote to memory of 1672	3540	msedge.exe	86
PID 3540 wrote to memory of 1672	3540	msedge.exe	86
PID 3540 wrote to memory of 1672	3540	msedge.exe	86
PID 3540 wrote to memory of 1672	3540	msedge.exe	86
PID 3540 wrote to memory of 1672	3540	msedge.exe	86
PID 3540 wrote to memory of 1672	3540	msedge.exe	86
PID 3540 wrote to memory of 1672	3540	msedge.exe	86
PID 3540 wrote to memory of 1672	3540	msedge.exe	86
PID 3540 wrote to memory of 1672	3540	msedge.exe	86
PID 3540 wrote to memory of 1672	3540	msedge.exe	86
PID 3540 wrote to memory of 688	3540	msedge.exe	87
PID 3540 wrote to memory of 688	3540	msedge.exe	87
PID 3540 wrote to memory of 4984	3540	msedge.exe	88
PID 3540 wrote to memory of 4984	3540	msedge.exe	88
PID 3540 wrote to memory of 4984	3540	msedge.exe	88
PID 3540 wrote to memory of 4984	3540	msedge.exe	88
PID 3540 wrote to memory of 4984	3540	msedge.exe	88
PID 3540 wrote to memory of 4984	3540	msedge.exe	88
PID 3540 wrote to memory of 4984	3540	msedge.exe	88
PID 3540 wrote to memory of 4984	3540	msedge.exe	88
PID 3540 wrote to memory of 4984	3540	msedge.exe	88
PID 3540 wrote to memory of 4984	3540	msedge.exe	88
PID 3540 wrote to memory of 4984	3540	msedge.exe	88
PID 3540 wrote to memory of 4984	3540	msedge.exe	88
PID 3540 wrote to memory of 4984	3540	msedge.exe	88
PID 3540 wrote to memory of 4984	3540	msedge.exe	88
PID 3540 wrote to memory of 4984	3540	msedge.exe	88
PID 3540 wrote to memory of 4984	3540	msedge.exe	88
PID 3540 wrote to memory of 4984	3540	msedge.exe	88
PID 3540 wrote to memory of 4984	3540	msedge.exe	88
PID 3540 wrote to memory of 4984	3540	msedge.exe	88
PID 3540 wrote to memory of 4984	3540	msedge.exe	88

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Daksh17440/VIRUS-1.0
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc538f46f8,0x7ffc538f4708,0x7ffc538f4718
  2⤵
  PID:4272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1972,1048263003066570156,17590557241941518907,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2008 /prefetch:2
  2⤵
  PID:1672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1972,1048263003066570156,17590557241941518907,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1972,1048263003066570156,17590557241941518907,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2708 /prefetch:8
  2⤵
  PID:4984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,1048263003066570156,17590557241941518907,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:1044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,1048263003066570156,17590557241941518907,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:4892
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1972,1048263003066570156,17590557241941518907,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5340 /prefetch:8
  2⤵
  PID:2924
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1972,1048263003066570156,17590557241941518907,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5340 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1972,1048263003066570156,17590557241941518907,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5456 /prefetch:8
  2⤵
  PID:2160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,1048263003066570156,17590557241941518907,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:1
  2⤵
  PID:3004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1972,1048263003066570156,17590557241941518907,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6176 /prefetch:8
  2⤵
  PID:3380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,1048263003066570156,17590557241941518907,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6200 /prefetch:1
  2⤵
  PID:2924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,1048263003066570156,17590557241941518907,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6252 /prefetch:1
  2⤵
  PID:3976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,1048263003066570156,17590557241941518907,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5856 /prefetch:1
  2⤵
  PID:2108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,1048263003066570156,17590557241941518907,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5936 /prefetch:1
  2⤵
  PID:3084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1972,1048263003066570156,17590557241941518907,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6264 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2636
- C:\Users\Admin\Downloads\VIRUS.exe
  "C:\Users\Admin\Downloads\VIRUS.exe"
  2⤵
  - Executes dropped EXE
  PID:3676
- - C:\Users\Admin\Downloads\VIRUS.exe
    "C:\Users\Admin\Downloads\VIRUS.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2828
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start
      4⤵
      PID:4648
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:4976
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start
      4⤵
      PID:2980
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:1968
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start
      4⤵
      PID:4904
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:1916
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start
      4⤵
      PID:3664
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:3736
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start
      4⤵
      PID:4664
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:964
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start
      4⤵
      PID:2552
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:2712
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start
      4⤵
      PID:3052
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:4520
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start
      4⤵
      PID:2980
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:4904
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start
      4⤵
      PID:4664
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:5052
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start
      4⤵
      PID:4648
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:5128
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start
      4⤵
      PID:5144
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:5172
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start
      4⤵
      PID:5192
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:5216
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start
      4⤵
      PID:5240
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:5276
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start
      4⤵
      PID:5312
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:5340
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start
      4⤵
      PID:5380
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:5404
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start
      4⤵
      PID:5444
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:5476
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start
      4⤵
      PID:5504
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:5528
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start
      4⤵
      PID:5572
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:5604
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start
      4⤵
      PID:5632
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:5688
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start
      4⤵
      PID:5712
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:5728
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start
      4⤵
      PID:5752
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:5808
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start
      4⤵
      PID:5844
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:5856
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start
      4⤵
      PID:5892
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:5920
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start
      4⤵
      PID:5956
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:5972
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start
      4⤵
      PID:5988
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:6020
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start
      4⤵
      PID:6060
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:6076
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start
      4⤵
      PID:6120
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:6140
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:4648
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start
      4⤵
      PID:5188
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:5336
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start
      4⤵
      PID:5384
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:5444
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start
      4⤵
      PID:5616
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:5648
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start
      4⤵
      PID:5632
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:5712
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start
      4⤵
      PID:5756
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:5960
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:5956
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start
      4⤵
      PID:6096
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:6124
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start
      4⤵
      PID:5196
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:5644
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:5616
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start
      4⤵
      PID:5936
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:5756
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:6096
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start
      4⤵
      PID:5196
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:5936
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start
      4⤵
      PID:6184
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:6204
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start
      4⤵
      PID:6236
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:6268
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start
      4⤵
      PID:6300
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:6332
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start
      4⤵
      PID:6364
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:6396
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start
      4⤵
      PID:6428
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:6452
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start
      4⤵
      PID:6480
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:6512
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start
      4⤵
      PID:6548
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:6572
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start
      4⤵
      PID:6608
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:6620
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start
      4⤵
      PID:6656
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:6688
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start
      4⤵
      PID:6712
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:6748
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start
      4⤵
      PID:6776
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:6796
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start
      4⤵
      PID:6828
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:6848
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start
      4⤵
      PID:6888
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:6908
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start
      4⤵
      PID:6940
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:6964
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start
      4⤵
      PID:7040
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:7060
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start
      4⤵
      PID:7100
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:7116
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start
      4⤵
      PID:6160
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:6224
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start
      4⤵
      PID:6344
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:6304
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start
      4⤵
      PID:6432
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:6552
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start
      4⤵
      PID:6672
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:6744
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start
      4⤵
      PID:6808
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:6888
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start
      4⤵
      PID:6980
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:7080
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:7040
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start
      4⤵
      PID:6184
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:6160
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:6344
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start
      4⤵
      PID:6432
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:6672
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start
      4⤵
      PID:6980
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:6184
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start
      4⤵
      PID:7212
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:7236
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start
      4⤵
      PID:7264
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:7284
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start
      4⤵
      PID:7312
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:7340
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start
      4⤵
      PID:7404
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:7436
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start
      4⤵
      PID:7472
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:7496
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start
      4⤵
      PID:7528
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:7544
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start
      4⤵
      PID:7560
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:7592
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start
      4⤵
      PID:7632
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:7664
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start
      4⤵
      PID:7700
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:7716
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start
      4⤵
      PID:7740
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:7776
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start
      4⤵
      PID:7812
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:7840
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start
      4⤵
      PID:7876
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:7888
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start
      4⤵
      PID:7924
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:7940
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start
      4⤵
      PID:7968
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:7992
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start
      4⤵
      PID:8036
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:8048
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start
      4⤵
      PID:8088
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:8116
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start
      4⤵
      PID:8152
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:8176
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start
      4⤵
      PID:7248
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:7212
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start
      4⤵
      PID:7368
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:7428
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:7404
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start
      4⤵
      PID:7472
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:7588
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start
      4⤵
      PID:7712
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:3936
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start
      4⤵
      PID:7812
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:7876
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start
      4⤵
      PID:7968
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:8136
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start
      4⤵
      PID:7248
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:7372
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start
      4⤵
      PID:7704
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:7968
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start
      4⤵
      PID:7248
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:8196
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start
      4⤵
      PID:8220
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:8240
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start
      4⤵
      PID:8276
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:8328
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start
      4⤵
      PID:8356
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:8380
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start
      4⤵
      PID:8408
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:8436
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start
      4⤵
      PID:8464
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:8480
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start
      4⤵
      PID:8520
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:8560
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start
      4⤵
      PID:8588
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:8620
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start
      4⤵
      PID:8656
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:8680
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start
      4⤵
      PID:8708
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:8728
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start
      4⤵
      PID:8744
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:8768
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start
      4⤵
      PID:8812
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:8852
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start
      4⤵
      PID:8880
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:8896
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c start
      4⤵
      PID:8928
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:8964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,1048263003066570156,17590557241941518907,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5964 /prefetch:1
  2⤵
  PID:1948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,1048263003066570156,17590557241941518907,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3568 /prefetch:1
  2⤵
  PID:8704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,1048263003066570156,17590557241941518907,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5664 /prefetch:1
  2⤵
  PID:6108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,1048263003066570156,17590557241941518907,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5748 /prefetch:1
  2⤵
  PID:6200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,1048263003066570156,17590557241941518907,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1
  2⤵
  PID:4016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,1048263003066570156,17590557241941518907,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1
  2⤵
  PID:2960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,1048263003066570156,17590557241941518907,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5892 /prefetch:1
  2⤵
  PID:7328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,1048263003066570156,17590557241941518907,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5016 /prefetch:1
  2⤵
  PID:7720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,1048263003066570156,17590557241941518907,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1052 /prefetch:1
  2⤵
  PID:728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1972,1048263003066570156,17590557241941518907,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2340 /prefetch:8
  2⤵
  PID:9020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1972,1048263003066570156,17590557241941518907,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6280 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6760
- C:\Users\Admin\Downloads\CryptoWall.exe
  "C:\Users\Admin\Downloads\CryptoWall.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  PID:5576
- - C:\Windows\SysWOW64\explorer.exe
    "C:\Windows\syswow64\explorer.exe"
    3⤵
    - Drops startup file
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    PID:1248
  - - C:\Windows\SysWOW64\svchost.exe
      -k netsvcs
      4⤵
      System Location Discovery: System Language Discovery
      PID:1432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1972,1048263003066570156,17590557241941518907,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3564 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:7136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,1048263003066570156,17590557241941518907,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5804 /prefetch:1
  2⤵
  PID:7488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1972,1048263003066570156,17590557241941518907,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6400 /prefetch:8
  2⤵
  PID:5828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1972,1048263003066570156,17590557241941518907,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6764 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:7932
- C:\Users\Admin\Downloads\WannaCry.exe
  "C:\Users\Admin\Downloads\WannaCry.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:3948
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 230131726880906.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6728
  - - C:\Windows\SysWOW64\cscript.exe
      cscript //nologo c.vbs
      4⤵
      System Location Discovery: System Language Discovery
      PID:5036
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe f
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4832
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im MSExchange*
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:8856
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Microsoft.Exchange.*
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:8484
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sqlserver.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:8332
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sqlwriter.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:8180
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe c
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4372
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c start /b !WannaDecryptor!.exe v
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3868
  - - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
      !WannaDecryptor!.exe v
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:5940
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4324
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:6740
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe
    3⤵
    - Executes dropped EXE
    - Sets desktop wallpaper using registry
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:116
- C:\Users\Admin\Downloads\WannaCry.exe
  "C:\Users\Admin\Downloads\WannaCry.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:7148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,1048263003066570156,17590557241941518907,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4804 /prefetch:1
  2⤵
  PID:1452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1972,1048263003066570156,17590557241941518907,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5160 /prefetch:8
  2⤵
  PID:4288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1972,1048263003066570156,17590557241941518907,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4876 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:8760
- C:\Users\Admin\Downloads\MEMZ.exe
  "C:\Users\Admin\Downloads\MEMZ.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4604
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:5604
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:5728
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:5808
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:5972
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:6076
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /main
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5712
  - - C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\System32\notepad.exe" \note.txt
      4⤵
      System Location Discovery: System Language Discovery
      PID:6220
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=batch+virus+download
      4⤵
      PID:6344
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc538f46f8,0x7ffc538f4708,0x7ffc538f4718
        5⤵
        
        PID:7176
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=virus+builder+legit+free+download
      4⤵
      PID:8700
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc538f46f8,0x7ffc538f4708,0x7ffc538f4718
        5⤵
        
        PID:8744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,1048263003066570156,17590557241941518907,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1932 /prefetch:1
  2⤵
  PID:7664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,1048263003066570156,17590557241941518907,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4672 /prefetch:1
  2⤵
  PID:7280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,1048263003066570156,17590557241941518907,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1480 /prefetch:1
  2⤵
  PID:8568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,1048263003066570156,17590557241941518907,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3100 /prefetch:1
  2⤵
  PID:5240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,1048263003066570156,17590557241941518907,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3520 /prefetch:1
  2⤵
  PID:8440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,1048263003066570156,17590557241941518907,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1480 /prefetch:1
  2⤵
  PID:4148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1972,1048263003066570156,17590557241941518907,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6748 /prefetch:8
  2⤵
  PID:7524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,1048263003066570156,17590557241941518907,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3464 /prefetch:1
  2⤵
  PID:7872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1972,1048263003066570156,17590557241941518907,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3348 /prefetch:8
  2⤵
  PID:7100
- C:\Users\Admin\Downloads\RedBoot.exe
  "C:\Users\Admin\Downloads\RedBoot.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3512
- - C:\Users\Admin\75689037\protect.exe
    "C:\Users\Admin\75689037\protect.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:6840
- - C:\Users\Admin\75689037\assembler.exe
    "C:\Users\Admin\75689037\assembler.exe" -f bin "C:\Users\Admin\75689037\boot.asm" -o "C:\Users\Admin\75689037\boot.bin"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:7896
- - C:\Users\Admin\75689037\overwrite.exe
    "C:\Users\Admin\75689037\overwrite.exe" "C:\Users\Admin\75689037\boot.bin"
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    PID:9056

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2632

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3020

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:7464

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3883055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:7952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
eeaa8087eba2f63f31e599f6a7b46ef4

SHA1
f639519deee0766a39cfe258d2ac48e3a9d5ac03

SHA256
50fe80c9435f601c30517d10f6a8a0ca6ff8ca2add7584df377371b5a5dbe2d9

SHA512
eaabfad92c84f422267615c55a863af12823c5e791bdcb30cabe17f72025e07df7383cf6cf0f08e28aa18a31c2aac5985cf5281a403e22fbcc1fb5e61c49fc3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b9569e123772ae290f9bac07e0d31748

SHA1
5806ed9b301d4178a959b26d7b7ccf2c0abc6741

SHA256
20ab88e23fb88186b82047cd0d6dc3cfa23422e4fd2b8f3c8437546a2a842c2b

SHA512
cfad8ce716ac815b37e8cc0e30141bfb3ca7f0d4ef101289bddcf6ed3c579bc34d369f2ec2f2dab98707843015633988eb97f1e911728031dd897750b8587795

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000022

Filesize
212KB

MD5
08ec57068db9971e917b9046f90d0e49

SHA1
28b80d73a861f88735d89e301fa98f2ae502e94b

SHA256
7a68efe41e5d8408eed6e9d91a7b7b965a3062e4e28eeffeefb8cdba6391f4d1

SHA512
b154142173145122bc49ddd7f9530149100f6f3c5fd2f2e7503b13f7b160147b8b876344f6faae5e8616208c51311633df4c578802ac5d34c005bb154e9057cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
d5b270c2a1acdcd4b73f15284726c07c

SHA1
a2ea20ee90fb51a592565a26d13c436f74c5fcbd

SHA256
83f972492c3773ea8c6a66225430bc03c0c3c47fe9f40d1b533dea794fc51134

SHA512
fbb27074fc3c2cb872fc5fd76ab0923dd17f2ab5e3eb0b82677197769de03b3160ee2642d12a7a47154e0e57b39740ee8bf8d037f230a41d73c9c647ea925525

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
79e51956f22af579db79241b89396839

SHA1
6eba130236ad1aefed5a862b183ef964498990a6

SHA256
7b090d3d0df79a3c340ec75a9d2ebb789c6d5d28575d20c9c2e0a24b24d689e5

SHA512
3cff9a245edb02ab61b246ef7d1eff35869918e69fbf19193c42a59a97ca65b464656c11f01e99ef4aeca926aa49e3af5a9ecb0f91645bb12e5856f2de2c602f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
99f3ea4c08f1ff887927150550e76f72

SHA1
51590a6233bf02b499b708f7784e696358c5e1f8

SHA256
3982554d06cd09ede5fd111028f578bf29e65365f57b32d731bb88de2d51b930

SHA512
d541a56f2e8b94f5ce7c729bbe0de545b95c5a38c1035c17ecd5431226aa6a63104d38ef8677383758e8923d449a4c77b39e5d6f868a86a03362244ff043addc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
5da98012d080fbf679a8cdac5b45f613

SHA1
414ecc49bcaa0049d39c026294801040109cd421

SHA256
bb8a747651d324a2b43af3bf7fb458f0e6e51096e3c73bb2d5b8770022e059af

SHA512
02597c1fa511901cf6bfbfe518e42ea458af406a61393f450c69b41d1297e3ae6498b168311d3c740e5b33461d9f3ec628e3c6740cf4e61498d3dcbb4defe00e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
c304bada39f1563fe5819e6975fb7077

SHA1
8a8b1ac5fc3d491accc027a7eae837dd689c85d4

SHA256
33830927aaa1fb33b401ca7ebd59024e7fe1e8c225e1535d37f89d94902f9ca5

SHA512
0327e77229b7219e7a6d7a704d5855219a00f4fd0b554b5c70451a0dd7f42fa8bdd1ca207ed2128bf8bb9ecdbf4a31a20ccc1b9cccd0ad86bf05a0a764df1abc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
579B

MD5
46fa4f5f7344089589d117bd7599b3a9

SHA1
b6cc1fe19e527d4a372c97e4d195ed94eee40030

SHA256
223280d95a13f1af6af06459bbf230874500c212a2e16f63914eff3f22e8b57a

SHA512
6b680aedde7e806802652aab9ab31cb21438bc8756b063955e6f03bbbdf1273f7d47c40ec1a19fe27537afeb8d6cc219a246d31f7c6822b481649fe296e2a45c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
788B

MD5
58bd451949305d7c576bf424297d4e69

SHA1
3e54b6019641b4972d5ba3eac3b53473a567ebe5

SHA256
1203dc85aaed93fd6f539c73a326d34d32951101a10b5d8bc365b31750a13ac5

SHA512
921738ce131f4c66c975660abbbe011ca3a77a5bcc8ee26ea663adf477e84d0a0896b7d123cb3e034e5bf0ae09d61e08d6a425c283db73ed2fac6e0ae354ab19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
7e4696e82fcd12e701dd6753b71ff515

SHA1
4daa56e37e759ad5b604bd8dd08580297c5aecc6

SHA256
5b773f0c59a78568e23d0822df36d3d5b370d5452727ceeda63c32d3c6423052

SHA512
86b7e84de9064977f8f901e6d6d084b013325a7e377e166d7203fd6a520db25a717afe5b1f59802e03ef954988374deea214c4042e71a592a1775a7c0076544d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
628274a4211e53bd5eff5a893e493f5a

SHA1
37f2cabf1faabb512f2eb5bf9314cd52bc1b7adf

SHA256
ab769c14f455524f383baae162eed60fee49782198ba2f55dd0808b689cee5ab

SHA512
12293c2b7abbcc93afec0fd947a2e4dc3bafc5e7b581de316b0e8ae14db85aa5099beda5cd6fd793d6368525515063ba2da8f511a27f55e9e025397fe5a7c47b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
703743837f7f2a68a5be645606e27662

SHA1
b8a2f5bd1b82a52d3d69981f882056fae764fc8c

SHA256
b22912f686f62c8980aea43e887476b98f480db5261a2f387ad8642f2666e33f

SHA512
d0cb9295470d715abb9242d2d678ef89eabb643059b0e4ecac33232fd16f9c121316f81a3f021827158798134732580f1f9762150f704a1849d56fc709744a6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
f52899bc263a6a737a949d99c8775063

SHA1
f99ff98e8d477b234d1a417c1927f9a2e0025ffd

SHA256
7f0cd62a32b4637d22f075c39baf5c2430594c0ad439459cbaa9fa978ec833d0

SHA512
ae06d85ba503d274fe89878a81177d6315d146ee0843ee1bb845e9e91acfbb8a23b70bc5498588cd4edfa120010ae58c540ab69458973bad7df4c8cb51e1da6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e32d51c3856fd0607e866ae1e54b37de

SHA1
8d57a977b39d445ace2447699421b3e652f54d50

SHA256
e8bb1d36622db2a42515505e25d107482c84d9cc63170b10260d64c70c8cdbad

SHA512
ac8de135aa061138a94fe949625d80a4e0e5f6c652744ec6935bfbaf523bcc321f588e70e552212225b221ad135aa7ef05f9687f1e316ea9540a2e91b39f96ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b39a2060d7c8fe33770710d5afa5831e

SHA1
e44899dbd94c089f5968f5721f8fb372299dfdce

SHA256
7e37c4277cc39359e446573dfff905cdef0315f63c41092721a4df1894e96cce

SHA512
81fe6b619430783c92b7400c788971f1c996d1758baf243bd8a179d247092731f84d94298ebadb675cdca7fc07e88df411c3d41634065c8c67fcaacd8c9fe005

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
061fc07a51c11216b7384edfb68052b1

SHA1
508cc66431cef105390bdc7ea50075307667926a

SHA256
9ec83e94adc3b0d40dd65656d255548274a30854a1bb96d5efd4e5e63409c36e

SHA512
6ad0c92f864fecf8518721191bcbe19ee621084f872ff8615e326dee5b635066fd62c6a1181f68465b758eadde74ddd33aa2198fb4461892b8e1537cc6baee30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
53a73bf7b4d8793b5381460fa8c21914

SHA1
dafe8b5005936f41aa9187edbeed6524bdf90174

SHA256
6cb68eb9adc41cb47ee8c43714d8163333b22dc1dedfb540a7ef5994933b7930

SHA512
af00ea49e4e4a8ebbfc88039e4749c16ab18ae07c03e42165b616154ce0a9b0450db033fe39b397b65817e4ab69099c172c15cd81aeb1ddefd6089a3fbfb5c3f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
74d973ddec753a474530f80b62f599f9

SHA1
8cd6afc42897ff14c6325e70608d8965afb3ee5b

SHA256
d34986a4aee5a136fc813d1b09dc7f1cdae3a7cf93d3f8791c5f59b90e962960

SHA512
22b09e89c203a1ee1df4e9a3ec64848aa24fff99a94a9315f5bf01475336b201d7a35ae85ffa0e0036f48c063a0e6a989ec17e30f3bc51474c67c4a6b6c925d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
14777f7898f3329482d0d183fe5515c7

SHA1
52e3efe9eb6ff7962715e0dfa73cec41c070810c

SHA256
3fb7cd06b3bdd8717114230cf326b4ebfc476266aba73721a8c23a0fe6a46943

SHA512
35e603e4c30a5923a814adcc5afcf549c8de9be918ca472cf420c114fd63906490767ceabae012d31a008acfb9ab59157dbd514a518d839fa2e38b9e1dac6424

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
dc4180ec01d7e7990407c17e265c0b6d

SHA1
9c8ba6d5b7d9fd7ba72051de7024816946c628b6

SHA256
ce177b431c091aa074b974f0c00a923c81c399b29676ce5cbfc20d6c99e83044

SHA512
7827d077f26253905ab38dd7938d344915edbfb956694cc29a7fc13b3597057f1f98ba50e503233eddda15b481bf2ece8b587e8558f7f72e35066b2fc019d812

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ec28384dc9a63ba19f97eaa835003691

SHA1
f090053e3c3a4ed71424c347e701400923330167

SHA256
e66f6a19a94d1fa98d9b4f4cdae9fd9cdbb7de6c739d3bcd6dfa63df2a92fd23

SHA512
5e025c5a0bc1305864553943313ae5f5f8020125d29823607595f147481b5f8ee5a92a72bbb10e8e31e93e123af636db0f0e5a3bcbd008ad89a98185c47ed477

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
09923e19ec4ca68c1147622fa7e8ea1b

SHA1
9a370777f712679b302d523c3d7212efc1050a58

SHA256
6f04ae9ecbba9c18d7fd84d25aa7f2a2ff2eefb8ac188521d1fcc26bd05f66d0

SHA512
bf2b5a32248c947f9f2e274571e7ce1438bbaadc3702339e276a92e7cf2276d5d438db1f9049e2b6cbc7828858edf9c024eaffa75cbefc4dd108bf09e0553d09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
8324e5f9568f519544b22beac08bfa04

SHA1
3a8b5e3cff58898b2f65cffab7888385b87daa7e

SHA256
e276dc4c75c9dff32acaaf7ac135f131f4678596769462148db622bca9e506cf

SHA512
7b2a96ea58f752e7719621d2f5d49b2dbf534fea323a6b151e5cd8d4cd3389802df91355b475f4de0d9001837f33de3b9efea70c92e2c3b914414f08607e1a4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
b4d09134e779592176b0f7ffc59f04aa

SHA1
0d6aa14403649c737ab2e4e7766ec77e544a0303

SHA256
f03e94168e1773001154b3fcdc31e779e3f161f83ca2851bb1091b62fc609c10

SHA512
ce9be5807459030a80b3e29fa5313b795408cd85f5add3c93ba0307b1e3d54389093f68c4ecefff513429f3dde39c763684311a2066c86fc3b17f07bb84905f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
895f975effe4e3c3e86dac57fdb81a8f

SHA1
717c974efa3a762df14dbb71595ffdbdc4eff63b

SHA256
302029c8a8d0e430a1e085b8653cb674fae6dc080c305ea1c12cd23b84e9cfb5

SHA512
9144ecd88a97dde0ee0cdb13ee57d2296495b620655b4364f8d8a6cecde9f7c755c3a12008226835f9cac5c9a3d99fd1e49dfe2913932aaff9fdd06e157c62a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
f2ffa91b22df0cdec8e9ec3b978b19ff

SHA1
0bc38364d9f67f5143d21d550e66b924a94f0bfd

SHA256
ed879e26185d66867ac3e566f71b96458b4ae6baf679289eb3d1b4e426e4509e

SHA512
ff0aca97b57408b2560cbc36b8fe5e3b9957cd67f0117e8c3e239e56bfa8b679d19798f8f1eb232abf59990a08d9a59381ee853206a6e65e27f039d4c596b35a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
bdcd27dbdc2897244988eb4e56573f94

SHA1
fb4e8618254c983dd882acf3e2fb69ca7143d623

SHA256
69636aa3b6e94d9226cef89abf110f75fb5b7397215fa1044cb9b0e28da817b0

SHA512
fcbb15b55fadb36e440e0254cd7f2e12f87cbba52e57783aa2157e5274dde1e07235a89659a6f44e7a01d5b3ad61751a681ba31738e70afec92d4e1e6c6ba42e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
26d4d8f771f39d8f2059e41c05c5f8dc

SHA1
f9ed1e511cae6797ecdf3016c61169abcbfc138d

SHA256
eb53f5274bf880f680c21485ebc3155872dcba7345c1682cbc030440ad0eb014

SHA512
135c0a4596817eae789822b7183957bdf04ace3a5b494837a7a5b777810893f1f1d894717584c31c92d7ec4858f212f452c40eab92e1bb25789d5ae4d76f5397

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ad02bb5d80d7ba20c8cfa95fbcbf59c7

SHA1
f9a7d27745a2642e01ea6ce849975eb339e1a4d8

SHA256
4d3afa10442990ca651b61400cb9cfff76762e19968e24631d434b4f5bf70ff3

SHA512
aefb8c8f3808bdb40bfa845af9979dfba15184681770c247ebe6ced1048904263d891a778a2e2a56bd7994f100af4e4ae5089fa1bdb464533348996a3fe3e067

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d7e6ab2ff6efb25ff1a3cfe43080f22f

SHA1
4b80c312c4dd6f6e0a36df305f78a9d679c9f0bd

SHA256
88bb9b57293782f9368c4b7b4ea00367e30b46b39c420930b7aadb367e8e4ef2

SHA512
e2aacd0ea582797b1567cd1950bc7fe0676867ecd11809e06202a1719246f52b33e67e935e18940e31e377d0494775d304b30f30e24003c8d809100ffa1e32e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe581e9f.TMP

Filesize
874B

MD5
38f06b27d272d479329a8875667abb9d

SHA1
f1bc788e2fff834fc5c0218a4a85f9d3e4c02bd5

SHA256
e3dfba71d15accb0519849617450453fd975fb3b8b1a8f8ed2b7a007022ff7e7

SHA512
aee05ef03492d3648868ad8b42c0be9917964a3773218eeef01022ba9260b9c21146bdbb25af1f3e22588bd01759cb7dd1ea336982c5d4c3544d4bfd1f446504

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

Filesize
76KB

MD5
04b65d817c0ae77017d8c78019923af5

SHA1
c1934bff44ce67f52e230a1cbb85b2ed350f93b3

SHA256
51aa5f14d7a86711b464a454d583b119e673519db737f27c5e8167eb47232c8e

SHA512
625a1a2bf91f052fb3494712c714f8b915c84ac410258bc3a8e35712955848457f7a6d6d44084bdf5108a956035bdc15d11463875ebf567e2c1f91b438a09306

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
be047438ff661664ea02e25130eeda75

SHA1
4083dc4fe644a5a6195a07ec7d52c4e48c4811d1

SHA256
5b77d3a4a7f92a5cb678e2477441d04f8524e3e98873022d49dc01ebc09bd36b

SHA512
4fc58744fa71deb97b9c2b8134a2900f9404b343e0682ae3b9c619e3680b03964a9a83c52edc09d028f82700e44d1a1dca319b876eff35d749942cbea5c50aa6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
a343adf7a7454300a637812cf4da17c9

SHA1
f43814fd1b67920720c8f829242b90d713aa4801

SHA256
712a42e4031881e4749775c4e322d94b276f1ffce26e96bed50ed26affb0631d

SHA512
f6b7e24f5b8e9dac35e3c8809e87ae5cdb27500f953d9796c9922d5a6ad03346a038009f1d15699d0116e37e077dfbfeb4143dfa63570004b8612e41357c811c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
cf214b072dfeef10aa644b7c14a34ca1

SHA1
f201763578f9819e6de4fa61a25872d067736718

SHA256
40739f556f454be28e3d84ce26776ff869ef812e08afb48991e43fce9a12ad0e

SHA512
021dc49f8dea985be9c6a5280cf4ed3a6504c25bde4d50a37849a2bb3368f27c3973abb29e6c3d46aaa93109bb54aae78b73e2b0ac1542ea24c855faa6663fdb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
25591feefb52c05885eda6af88a96005

SHA1
b99e8bc49988d7a99abba13bc4a72b64ccd2e77d

SHA256
e106a8d6860bf047ffc43c57882c48142e3ccc2bdf00e7b8dc0bed1046bdd583

SHA512
fd96b2a1e4aca8889509e7d9628eba05cbf40b5dff6a3ddfa01495cbe8035001b1d9f8840bd30fb7fe0fc447d37db05f6655ce09b48c89d71207d1d6becd0808

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
16fcb9d60d893b2b917fdbcfde0541d6

SHA1
d11594951818e1cf7ac8c778d74f2f6e4e5a84c7

SHA256
393bad421c737356fcfaf34a1b9b9399bec4319919a3b1b4fdcca9d1043075d0

SHA512
24de899a095d1a4c3af86a51e15272e1d663d41f06ca99d1953844a40da441aad2dcbc1d66f1a2d1e3abca7dcbd1911cd5b3c26e5df04b5cc9ed13985fbb18b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36762\VCRUNTIME140.dll

Filesize
91KB

MD5
7942be5474a095f673582997ae3054f1

SHA1
e982f6ebc74d31153ba9738741a7eec03a9fa5e8

SHA256
8ee6b49830436ff3bec9ba89213395427b5535813930489f118721fd3d2d942c

SHA512
49fbc9d441362b65a8d78b73d4fdcf988f22d38a35a36a233fcd54e99e95e29b804be7eabe2b174188c7860ebb34f701e13ed216f954886a285bed7127619039

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36762\_ctypes.pyd

Filesize
123KB

MD5
b74f6285a790ffd7e9ec26e3ab4ca8df

SHA1
7e023c1e4f12e8e577e46da756657fd2db80b5e8

SHA256
c1e3e9548243ca523f1941990477723f57a1052965fccc8f10c2cfae414a6b8a

SHA512
3a700638959cbd88e8a36291af954c7ccf00f6101287fc8bd3221ee31bd91b7bd1830c7847d8c2f4f07c94bc233be32a466b915283d3d2c66abed2c70570c299

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36762\_socket.pyd

Filesize
78KB

MD5
0df2287791c20a764e6641029a882f09

SHA1
8a0aeb4b4d8410d837469339244997c745c9640c

SHA256
09ab789238120df329956278f68a683210692c9bcccb8cd548c771e7f9711869

SHA512
60c24e38ba5d87f9456157e3f4501f4ffabce263105ff07aa611b2f35c3269ade458dbf857633c73c65660e0c37aee884b1c844b51a05ced6aed0c5d500006de

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36762\base_library.zip

Filesize
767KB

MD5
7ece4ca42658ba2a669af5ba31c127f1

SHA1
eec81105b210e4a2cf576c7438647d5df2aa6169

SHA256
5dcbab6e1b53994dc71aa9b91f16d686387ba3b63c3e6acdf0b6bdf611271986

SHA512
818d550ee80d02a928a849383f588ba3f4e8031a5e0f46eabc075cfc8b5833c802740e48a055bab700a7961059fe53eddb487b2f306333f0c9e89a53d6a0f110

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36762\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36762\python39.dll

Filesize
4.2MB

MD5
c4b75218b11808db4a04255574b2eb33

SHA1
f4a3497fb6972037fb271cfdc5b404a4b28ccf07

SHA256
53f27444e1e18cc39bdb733d19111e392769e428b518c0fc0839965b5a5727a2

SHA512
0b7ddbe6476cc230c7bdd96b5756dfb85ab769294461d1132f0411502521a2197c0f27c687df88a2cd1ab53332eaa30f17fa65f93dac3f5e56ed2b537232e69c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36762\select.pyd

Filesize
27KB

MD5
a2a4cf664570944ccc691acf47076eeb

SHA1
918a953817fff228dbd0bdf784ed6510314f4dd9

SHA256
b26b6631d433af5d63b8e7cda221b578e7236c8b34b3cffcf7630f2e83fc8434

SHA512
d022da9e2606c5c3875c21ba8e1132ad8b830411d6ec9c4ddf8ebd33798c44a7e9fe64793b8efb72f3e220bb5ce1512769a0398ecc109f53f394ea47da7a8767

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
11KB

MD5
451d802521f264c425b6e0c798ffeea2

SHA1
a0e496cd3372f23f767fc74d762d0a4f507c4d6c

SHA256
b772cdd070fea35bfa1832489f0a4a4cc7661fe98c4e841920aaa38d33587e7b

SHA512
a4b775b47c0e827e63ffc0ea4f7d2d9f8e956a79309a703a2a79daf92332d9aa4bca68b4d1d3fedc445569cc2c7442c838af32dbe480a79d36628345ed654b24

Download Submit
C:\Users\Admin\Downloads\!Please Read Me!.txt

Filesize
797B

MD5
afa18cf4aa2660392111763fb93a8c3d

SHA1
c219a3654a5f41ce535a09f2a188a464c3f5baf5

SHA256
227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0

SHA512
4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b

Download Submit
C:\Users\Admin\Downloads\!WannaDecryptor!.exe.lnk

Filesize
590B

MD5
81a8269ca6a3486733908107e1e1ff1e

SHA1
bf29472725f0bca0d4c06a6e24512442d339fa87

SHA256
6364942720770a8959dacd615f742a1a23e5e2232c43c15f5c5ed41cb8d78e72

SHA512
876c21df3459dd65137ac55eae3fda3c39adbe19bb262a28e8fb22ca3beca9c6e0126caabbbde6aef8297ad210c10fd1f8e53ad4ba251f3d1251cdd2f60a7fca

Download Submit
C:\Users\Admin\Downloads\00000000.res

Filesize
136B

MD5
95849929f8207a010fe00f793eddf63c

SHA1
85f6748128c3eefebe28d49b1e50c47d8c576526

SHA256
2ebfa78ce813f1f2ad79dc4e263f50d7a17004a30cd2770b07d074ac07542a55

SHA512
2527344cf7fadfd8953394bc512ab5c7e956d45e885fbf970a9205d8f183402ff747083bcfeb8278a9bb998943010feb31a9a6acccecc0286a6d69191bb85f1e

Download Submit
C:\Users\Admin\Downloads\00000000.res

Filesize
136B

MD5
4c95d5fcea668ebc3a5b2d41bce883b3

SHA1
5f7b7d85fb23c207b61aad3e60df9f2ee625b106

SHA256
ece91d5489984ff9f368057063e31dd9660b3390f70e3906ff3f760047a8ceb1

SHA512
86d8ca3b642903e0fc6e470d3882ba4eaf423193a03529a2ec704a7501c089aef6049e18af1cc8bfa0abea9b1eea1bef2efb4c693ad102b841f1c5cdd2973134

Download Submit
C:\Users\Admin\Downloads\230131726880906.bat

Filesize
318B

MD5
a261428b490a45438c0d55781a9c6e75

SHA1
e9eefce11cefcbb7e5168bfb8de8a3c3ac45c41e

SHA256
4288d655b7de7537d7ea13fdeb1ba19760bcaf04384cd68619d9e5edb5e31f44

SHA512
304887938520ffcc6966da83596ccc8688b7eace9572982c224f3fb9c59e6fb2dcaa021a19d2aae47346e954c0d0d8145c723b7143dece11ac7261dc41ba3d40

Download Submit
C:\Users\Admin\Downloads\MEMZ.exe

Filesize
14KB

MD5
19dbec50735b5f2a72d4199c4e184960

SHA1
6fed7732f7cb6f59743795b2ab154a3676f4c822

SHA256
a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d

SHA512
aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d

Download Submit
C:\Users\Admin\Downloads\TaskHost\t477E.tmp.locked

Filesize
16B

MD5
553dda8f9d6b50d4b2087d9b908e5ac5

SHA1
b5f9dbf4646ab7aea0fdadd4ce6e528b96f5a57b

SHA256
8288480cd94c59fce9ac64396943716caf1d0d20b21e459fed07abc490117909

SHA512
5c9a0d9e19ef8cc5994957b947cf8a6b0cc3997ea7f0535bed223866d7ccd26622ac1a9e72d46802af81b30fb204f5b4d36ff96158afa5e13b7feab89e7c1eb4

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 378507.crdownload

Filesize
6.5MB

MD5
ca968d3a6dea5e46716281ceb6cd575c

SHA1
792ef05b2262577e39b0c91d57874c2326ef0dc5

SHA256
6023ea55d3ff78b3642367375c276bbde744636c1d485b5bf7cf3d4609936bef

SHA512
b4b62663e9f08b29569cae12b8184366dd38004c574c3c33fe7a5859700277dc66f5d52184dd1a0d4ecac583909be10fe1f5bce250a86685b588edcea792035b

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 390036.crdownload

Filesize
132KB

MD5
919034c8efb9678f96b47a20fa6199f2

SHA1
747070c74d0400cffeb28fbea17b64297f14cfbd

SHA256
e036d68b8f8b7afc6c8b6252876e1e290f11a26d4ad18ac6f310662845b2c734

SHA512
745a81c50bbfd62234edb9788c83a22e0588c5d25c00881901923a02d7096c71ef5f0cd5b73f92ad974e5174de064b0c5ea8044509039aab14b2aed83735a7c4

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 653080.crdownload

Filesize
1.2MB

MD5
e0340f456f76993fc047bc715dfdae6a

SHA1
d47f6f7e553c4bc44a2fe88c2054de901390b2d7

SHA256
1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887

SHA512
cac10c675d81630eefca49b2ac4cc83f3eb29115ee28a560db4d6c33f70bf24980e48bb48ce20375349736e3e6b23a1ca504b9367917328853fffc5539626bbc

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 653080.crdownload:SmartScreen

Filesize
7B

MD5
4047530ecbc0170039e76fe1657bdb01

SHA1
32db7d5e662ebccdd1d71de285f907e3a1c68ac5

SHA256
82254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750

SHA512
8f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 705824.crdownload

Filesize
224KB

MD5
5c7fb0927db37372da25f270708103a2

SHA1
120ed9279d85cbfa56e5b7779ffa7162074f7a29

SHA256
be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844

SHA512
a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f89224c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206

Download Submit
C:\Users\Admin\Downloads\c.vbs

Filesize
201B

MD5
02b937ceef5da308c5689fcdb3fb12e9

SHA1
fa5490ea513c1b0ee01038c18cb641a51f459507

SHA256
5d57b86aeb52be824875008a6444daf919717408ec45aff4640b5e64610666f1

SHA512
843eeae13ac5fdc216b14e40534543c283ecb2b6c31503aba2d25ddd215df19105892e43cf618848742de9c13687d21e8c834eff3f2b69a26df2509a6f992653

Download Submit
C:\Users\Admin\Downloads\c.wry

Filesize
628B

MD5
d48e2299f6d66d513f12cd3e037c81ad

SHA1
57de6750286886a8bd477c26fd2ed5b6cd9a7cb1

SHA256
e8cf7c04c360a1219129b4c013ceb6f408d8d2cba7572c0a04ebba0d26456899

SHA512
ca53b89aab811372a7e81ce8ebd47fbbf2ff2bdab93d28a5db60035d4a2cdee4c63cb4f1f66f98125a999d355baf098f03de4aee4860540c47835420863f357c

Download Submit
C:\Users\Admin\Downloads\m.wry

Filesize
42KB

MD5
980b08bac152aff3f9b0136b616affa5

SHA1
2a9c9601ea038f790cc29379c79407356a3d25a3

SHA256
402046ada270528c9ac38bbfa0152836fe30fb8e12192354e53b8397421430d9

SHA512
100cda1f795781042b012498afd783fd6ff03b0068dbd07b2c2e163cd95e6c6e00755ce16b02b017693c9febc149ed02df9df9b607e2b9cca4b07e5bd420f496

Download Submit
C:\Users\Admin\Downloads\r.wry

Filesize
729B

MD5
880e6a619106b3def7e1255f67cb8099

SHA1
8b3a90b2103a92d9facbfb1f64cb0841d97b4de7

SHA256
c9e9dc06f500ae39bfeb4671233cc97bb6dab58d97bb94aba4a2e0e509418d35

SHA512
c35ca30e0131ae4ee3429610ce4914a36b681d2c406f67816f725aa336969c2996347268cb3d19c22abaa4e2740ae86f4210b872610a38b4fa09ee80fcf36243

Download Submit
C:\Users\Admin\Downloads\t.wry

Filesize
68KB

MD5
5557ee73699322602d9ae8294e64ce10

SHA1
1759643cf8bfd0fb8447fd31c5b616397c27be96

SHA256
a7dd727b4e0707026186fcab24ff922da50368e1a4825350bd9c4828c739a825

SHA512
77740de21603fe5dbb0d9971e18ec438a9df7aaa5cea6bd6ef5410e0ab38a06ce77fbaeb8fc68e0177323e6f21d0cee9410e21b7e77e8d60cc17f7d93fdb3d5e

Download Submit
C:\Users\Admin\Downloads\u.wry

Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
C:\Users\Admin\Music\!Please Read Me!.txt.locked

Filesize
800B

MD5
4ee8197971ae89eda4db73527bced207

SHA1
9e222bb6fc333a50d2b46088e3f2d18d2934de84

SHA256
31497f6f572511a8f0b3ee7d108d808357fef8767eb8dbd773b635de4a6e1323

SHA512
c7ad85d0df596f22954b9d3eddb75f058d5062f83d38ea2403b9ec7bf7da370b573c69dad628132544c502e9da34c99a5f802ceb2c72b56932d55b09de9fb6f3

Download Submit
C:\Users\Admin\Music\!WannaDecryptor!.exe.lnk.locked

Filesize
592B

MD5
56009b9a773efa2d82ba4e9cf9b2a002

SHA1
eb72042f031aa6e6906466a4fb6851d9b0d8051d

SHA256
68c70d67d7f0821b40ba6a6c705484b3ac3ce9a89e348cbda599f0a10f8b5312

SHA512
868c44b81c49e2f90a889885618be40977a82fd222415a7934f76a3f80493473d710350a376d05d7e4bd3e48e8bcb0f1fc6a09645fe386dff671e0b724182a0b

Download Submit
memory/1248-798-0x00000000009D0000-0x00000000009F5000-memory.dmp

Filesize
148KB

Download
memory/1248-835-0x00000000009D0000-0x00000000009F5000-memory.dmp

Filesize
148KB

Download
memory/1432-2894-0x0000000000750000-0x0000000000775000-memory.dmp

Filesize
148KB

Download
memory/1432-802-0x0000000000750000-0x0000000000775000-memory.dmp

Filesize
148KB

Download
memory/3512-2893-0x0000000000C50000-0x0000000000EDE000-memory.dmp

Filesize
2.6MB

Download
memory/3512-2644-0x0000000000C50000-0x0000000000EDE000-memory.dmp

Filesize
2.6MB

Download
memory/3948-894-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download
memory/7896-2671-0x0000000000400000-0x000000000049B000-memory.dmp

Filesize
620KB

Download
memory/9056-2673-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads