wannacry | ea8ccb8b5ec36195af831001b3cc46caedfc61a6194e2568901e7685c57ceefa

Analysis

max time kernel
556s
max time network
557s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
04-06-2023 14:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BadRabbit.zip
Size

393KB
MD5

61da9939db42e2c3007ece3f163e2d06
SHA1

4bd7e9098de61adecc1bdbd1a01490994d1905fb
SHA256

ea8ccb8b5ec36195af831001b3cc46caedfc61a6194e2568901e7685c57ceefa
SHA512

14d0bc14a10e5bd8022e7ab4a80f98600f84754c2c80e22a8e3d9f9555dde5bad056d925576b29fc1a37e73c6ebca693687b47317a469a7dfdc4ab0f3d97a63e
SSDEEP

12288:KPd6ZnyRPZJhKymLkH+yDXZEyfMrvDca6:Koy5ZJ7BeeXmb8a6

Score

10^/10

wannacry discovery persistence ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\WannaCrypt0r\@Please_Read_Me@.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94 Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94

Signatures

Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs

Processes:

taskmgr.exe

description pid process target process

PID 4396 created 3388 4396 taskmgr.exe @WanaDecryptor@.exe
PID 4396 created 3388 4396 taskmgr.exe @WanaDecryptor@.exe
Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Downloads MZ/PE file

description	pid	process	target process
PID 4396 created 3388	4396	taskmgr.exe	@WanaDecryptor@.exe
PID 4396 created 3388	4396	taskmgr.exe	@WanaDecryptor@.exe

Modifies extensions of user files 9 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

Endermanch@WannaCrypt0r.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\UseGrant.raw.WNCRY	Endermanch@WannaCrypt0r.exe
File created	C:\Users\Admin\Pictures\ResetTrace.raw.WNCRYT	Endermanch@WannaCrypt0r.exe
File opened for modification	C:\Users\Admin\Pictures\StopRename.tif.WNCRY	Endermanch@WannaCrypt0r.exe
File renamed	C:\Users\Admin\Pictures\UseGrant.raw.WNCRYT => C:\Users\Admin\Pictures\UseGrant.raw.WNCRY	Endermanch@WannaCrypt0r.exe
File renamed	C:\Users\Admin\Pictures\StopRename.tif.WNCRYT => C:\Users\Admin\Pictures\StopRename.tif.WNCRY	Endermanch@WannaCrypt0r.exe
File created	C:\Users\Admin\Pictures\UseGrant.raw.WNCRYT	Endermanch@WannaCrypt0r.exe
File renamed	C:\Users\Admin\Pictures\ResetTrace.raw.WNCRYT => C:\Users\Admin\Pictures\ResetTrace.raw.WNCRY	Endermanch@WannaCrypt0r.exe
File opened for modification	C:\Users\Admin\Pictures\ResetTrace.raw.WNCRY	Endermanch@WannaCrypt0r.exe
File created	C:\Users\Admin\Pictures\StopRename.tif.WNCRYT	Endermanch@WannaCrypt0r.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

downloadly_installer.tmpx2s443bc.cs1.tmpx2s443bc.cs1.tmpMassiveInstaller.tmpDownloadly.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	downloadly_installer.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	x2s443bc.cs1.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	x2s443bc.cs1.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	MassiveInstaller.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	Downloadly.exe

Drops startup file 2 IoCs

Processes:

Endermanch@WannaCrypt0r.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDE238.tmp	Endermanch@WannaCrypt0r.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDE24E.tmp	Endermanch@WannaCrypt0r.exe

Executes dropped EXE 61 IoCs

Processes:

Endermanch@WannaCrypt0r.exetaskdl.exe@WanaDecryptor@.exe@WanaDecryptor@.exetaskdl.exetaskse.exe@WanaDecryptor@.exetaskhsvc.exetaskdl.exetaskse.exe@WanaDecryptor@.exetaskdl.exetaskse.exe@WanaDecryptor@.exetaskse.exe@WanaDecryptor@.exetaskdl.exetaskse.exe@WanaDecryptor@.exetaskdl.exe@WanaDecryptor@.exetaskse.exetaskdl.exex2s443bc.cs1.exex2s443bc.cs1.tmpDownloadly.exeMassiveInstaller.exeMassiveInstaller.tmptaskse.exe@WanaDecryptor@.exetaskdl.exeMassive.execrashpad_handler.exedownloadly_installer.exedownloadly_installer.tmptaskse.exe@WanaDecryptor@.exetaskdl.exex2s443bc.cs1.exex2s443bc.cs1.tmptaskse.exe@WanaDecryptor@.exetaskdl.exetaskse.exe@WanaDecryptor@.exetaskdl.exetaskse.exe@WanaDecryptor@.exetaskdl.exetaskse.exe@WanaDecryptor@.exetaskdl.exetaskse.exe@WanaDecryptor@.exetaskdl.exetaskse.exe@WanaDecryptor@.exetaskdl.exetaskse.exe@WanaDecryptor@.exetaskdl.exe

pid	process
1228	Endermanch@WannaCrypt0r.exe
4876	taskdl.exe
4892	@WanaDecryptor@.exe
1068	@WanaDecryptor@.exe
1556	taskdl.exe
4432	taskse.exe
3388	@WanaDecryptor@.exe
1172	taskhsvc.exe
5668	taskdl.exe
5812	taskse.exe
5820	@WanaDecryptor@.exe
1844	taskdl.exe
5276	taskse.exe
5304	@WanaDecryptor@.exe
2396	taskse.exe
2296	@WanaDecryptor@.exe
5936	taskdl.exe
524	taskse.exe
3240	@WanaDecryptor@.exe
816	taskdl.exe
4500	@WanaDecryptor@.exe
936	taskse.exe
3560	taskdl.exe
5164	x2s443bc.cs1.exe
2696	x2s443bc.cs1.tmp
5284	Downloadly.exe
6012	MassiveInstaller.exe
4372	MassiveInstaller.tmp
5540	taskse.exe
5864	@WanaDecryptor@.exe
3460	taskdl.exe
5404	Massive.exe
5536	crashpad_handler.exe
5816	downloadly_installer.exe
6060	downloadly_installer.tmp
5476	taskse.exe
6036	@WanaDecryptor@.exe
768	taskdl.exe
2476	x2s443bc.cs1.exe
5700	x2s443bc.cs1.tmp
2536	taskse.exe
4876	@WanaDecryptor@.exe
6072	taskdl.exe
1072	taskse.exe
1664	@WanaDecryptor@.exe
4860	taskdl.exe
1012	taskse.exe
2348	@WanaDecryptor@.exe
4112	taskdl.exe
4580	taskse.exe
1596	@WanaDecryptor@.exe
3816	taskdl.exe
1716	taskse.exe
776	@WanaDecryptor@.exe
5616	taskdl.exe
5664	taskse.exe
4568	@WanaDecryptor@.exe
5696	taskdl.exe
5828	taskse.exe
3020	@WanaDecryptor@.exe
6056	taskdl.exe

Loads dropped DLL 16 IoCs

Processes:

taskhsvc.exeDownloadly.exeMassive.exe

pid	process
1172	taskhsvc.exe
1172	taskhsvc.exe
1172	taskhsvc.exe
1172	taskhsvc.exe
1172	taskhsvc.exe
1172	taskhsvc.exe
1172	taskhsvc.exe
1172	taskhsvc.exe
1172	taskhsvc.exe
5284	Downloadly.exe
5284	Downloadly.exe
5404	Massive.exe
5404	Massive.exe
5404	Massive.exe
5404	Massive.exe
5404	Massive.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

3956 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3956	icacls.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

x2s443bc.cs1.tmpdownloadly_installer.tmpx2s443bc.cs1.tmpreg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	x2s443bc.cs1.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Downloadly = "\"C:\\Users\\Admin\\Programs\\Downloadly\\Downloadly.exe\""	x2s443bc.cs1.tmp
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	downloadly_installer.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Downloadly = "\"C:\\Users\\Admin\\Programs\\Downloadly\\Downloadly.exe\""	downloadly_installer.tmp
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	x2s443bc.cs1.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Downloadly = "\"C:\\Users\\Admin\\Programs\\Downloadly\\Downloadly.exe\""	x2s443bc.cs1.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cveybzquncem713 = "\"C:\\Users\\Admin\\Downloads\\WannaCrypt0r\\tasksche.exe\""	reg.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Sets desktop wallpaper using registry 2 TTPs 3 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

Endermanch@WannaCrypt0r.exe@WanaDecryptor@.exe@WanaDecryptor@.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@WanaDecryptor@.bmp"	Endermanch@WannaCrypt0r.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@WanaDecryptor@.bmp"	@WanaDecryptor@.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@WanaDecryptor@.bmp"	@WanaDecryptor@.exe

Drops file in Program Files directory 2 IoCs

Processes:

setup.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\913572a4-3c8a-431b-814c-3cb3aced5d37.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20230604150152.pma	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 5 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

5548 taskkill.exe
1664 taskkill.exe
6084 taskkill.exe
5580 taskkill.exe
5860 taskkill.exe

pid	process
5548	taskkill.exe
1664	taskkill.exe
6084	taskkill.exe
5580	taskkill.exe
5860	taskkill.exe

Modifies registry class 12 IoCs

Processes:

taskmgr.exemsedge.exex2s443bc.cs1.tmpfirefox.exedownloadly_installer.tmp

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	taskmgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	taskmgr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	x2s443bc.cs1.tmp
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings	taskmgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0000000001000000ffffffff	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	downloadly_installer.tmp
Set value (data)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	taskmgr.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

4860 reg.exe

pid	process
4860	reg.exe

NTFS ADS 2 IoCs

Processes:

firefox.exe

description	ioc	process
File created	C:\Users\Admin\Downloads\WannaCrypt0r.zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Downloadly.zip:Zone.Identifier	firefox.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

3900 NOTEPAD.EXE

pid	process
3900	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

taskhsvc.exemsedge.exemsedge.exeidentity_helper.exemsedge.exex2s443bc.cs1.tmpMassiveInstaller.tmpMassive.exedownloadly_installer.tmpx2s443bc.cs1.tmptaskmgr.exe

pid	process
1172	taskhsvc.exe
1172	taskhsvc.exe
1172	taskhsvc.exe
1172	taskhsvc.exe
1172	taskhsvc.exe
1172	taskhsvc.exe
1556	msedge.exe
1556	msedge.exe
1068	msedge.exe
1068	msedge.exe
1012	identity_helper.exe
1012	identity_helper.exe
5276	msedge.exe
5276	msedge.exe
5276	msedge.exe
5276	msedge.exe
2696	x2s443bc.cs1.tmp
2696	x2s443bc.cs1.tmp
4372	MassiveInstaller.tmp
4372	MassiveInstaller.tmp
5404	Massive.exe
5404	Massive.exe
5404	Massive.exe
5404	Massive.exe
5404	Massive.exe
5404	Massive.exe
5404	Massive.exe
5404	Massive.exe
5404	Massive.exe
5404	Massive.exe
6060	downloadly_installer.tmp
6060	downloadly_installer.tmp
6060	downloadly_installer.tmp
6060	downloadly_installer.tmp
6060	downloadly_installer.tmp
6060	downloadly_installer.tmp
6060	downloadly_installer.tmp
6060	downloadly_installer.tmp
6060	downloadly_installer.tmp
6060	downloadly_installer.tmp
6060	downloadly_installer.tmp
6060	downloadly_installer.tmp
5700	x2s443bc.cs1.tmp
5700	x2s443bc.cs1.tmp
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

taskmgr.exe

pid process

4396 taskmgr.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

Processes:

msedge.exe

pid process

1068 msedge.exe
1068 msedge.exe
1068 msedge.exe
1068 msedge.exe
1068 msedge.exe
1068 msedge.exe
1068 msedge.exe
1068 msedge.exe
1068 msedge.exe

pid	process
4396	taskmgr.exe

pid	process
1068	msedge.exe
1068	msedge.exe
1068	msedge.exe
1068	msedge.exe
1068	msedge.exe
1068	msedge.exe
1068	msedge.exe
1068	msedge.exe
1068	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

firefox.exe7zG.exe7zG.exetaskse.exeWMIC.exevssvc.exetaskse.exetaskse.exe

description	pid	process
Token: SeDebugPrivilege	1876	firefox.exe
Token: SeDebugPrivilege	1876	firefox.exe
Token: SeDebugPrivilege	1876	firefox.exe
Token: SeRestorePrivilege	4432	7zG.exe
Token: 35	4432	7zG.exe
Token: SeSecurityPrivilege	4432	7zG.exe
Token: SeSecurityPrivilege	4432	7zG.exe
Token: SeRestorePrivilege	4608	7zG.exe
Token: 35	4608	7zG.exe
Token: SeSecurityPrivilege	4608	7zG.exe
Token: SeSecurityPrivilege	4608	7zG.exe
Token: SeTcbPrivilege	4432	taskse.exe
Token: SeTcbPrivilege	4432	taskse.exe
Token: SeIncreaseQuotaPrivilege	3256	WMIC.exe
Token: SeSecurityPrivilege	3256	WMIC.exe
Token: SeTakeOwnershipPrivilege	3256	WMIC.exe
Token: SeLoadDriverPrivilege	3256	WMIC.exe
Token: SeSystemProfilePrivilege	3256	WMIC.exe
Token: SeSystemtimePrivilege	3256	WMIC.exe
Token: SeProfSingleProcessPrivilege	3256	WMIC.exe
Token: SeIncBasePriorityPrivilege	3256	WMIC.exe
Token: SeCreatePagefilePrivilege	3256	WMIC.exe
Token: SeBackupPrivilege	3256	WMIC.exe
Token: SeRestorePrivilege	3256	WMIC.exe
Token: SeShutdownPrivilege	3256	WMIC.exe
Token: SeDebugPrivilege	3256	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3256	WMIC.exe
Token: SeRemoteShutdownPrivilege	3256	WMIC.exe
Token: SeUndockPrivilege	3256	WMIC.exe
Token: SeManageVolumePrivilege	3256	WMIC.exe
Token: 33	3256	WMIC.exe
Token: 34	3256	WMIC.exe
Token: 35	3256	WMIC.exe
Token: 36	3256	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3256	WMIC.exe
Token: SeSecurityPrivilege	3256	WMIC.exe
Token: SeTakeOwnershipPrivilege	3256	WMIC.exe
Token: SeLoadDriverPrivilege	3256	WMIC.exe
Token: SeSystemProfilePrivilege	3256	WMIC.exe
Token: SeSystemtimePrivilege	3256	WMIC.exe
Token: SeProfSingleProcessPrivilege	3256	WMIC.exe
Token: SeIncBasePriorityPrivilege	3256	WMIC.exe
Token: SeCreatePagefilePrivilege	3256	WMIC.exe
Token: SeBackupPrivilege	3256	WMIC.exe
Token: SeRestorePrivilege	3256	WMIC.exe
Token: SeShutdownPrivilege	3256	WMIC.exe
Token: SeDebugPrivilege	3256	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3256	WMIC.exe
Token: SeRemoteShutdownPrivilege	3256	WMIC.exe
Token: SeUndockPrivilege	3256	WMIC.exe
Token: SeManageVolumePrivilege	3256	WMIC.exe
Token: 33	3256	WMIC.exe
Token: 34	3256	WMIC.exe
Token: 35	3256	WMIC.exe
Token: 36	3256	WMIC.exe
Token: SeBackupPrivilege	3452	vssvc.exe
Token: SeRestorePrivilege	3452	vssvc.exe
Token: SeAuditPrivilege	3452	vssvc.exe
Token: SeDebugPrivilege	1876	firefox.exe
Token: SeDebugPrivilege	1876	firefox.exe
Token: SeDebugPrivilege	1876	firefox.exe
Token: SeTcbPrivilege	5812	taskse.exe
Token: SeTcbPrivilege	5812	taskse.exe
Token: SeTcbPrivilege	5276	taskse.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

firefox.exe7zG.exe7zG.exeNOTEPAD.EXE@WanaDecryptor@.exemsedge.exe7zG.exex2s443bc.cs1.tmpDownloadly.exeMassiveInstaller.tmpdownloadly_installer.tmpx2s443bc.cs1.tmptaskmgr.exe

pid	process
1876	firefox.exe
1876	firefox.exe
1876	firefox.exe
1876	firefox.exe
1876	firefox.exe
1876	firefox.exe
4432	7zG.exe
4608	7zG.exe
1876	firefox.exe
3900	NOTEPAD.EXE
3388	@WanaDecryptor@.exe
1068	msedge.exe
1068	msedge.exe
1068	msedge.exe
1068	msedge.exe
1876	firefox.exe
1876	firefox.exe
3240	7zG.exe
2696	x2s443bc.cs1.tmp
5284	Downloadly.exe
4372	MassiveInstaller.tmp
6060	downloadly_installer.tmp
1068	msedge.exe
5700	x2s443bc.cs1.tmp
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

firefox.exeDownloadly.exetaskmgr.exe

pid	process
1876	firefox.exe
1876	firefox.exe
1876	firefox.exe
1876	firefox.exe
1876	firefox.exe
1876	firefox.exe
1876	firefox.exe
5284	Downloadly.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe
4396	taskmgr.exe

Suspicious use of SetWindowsHookEx 33 IoCs

Processes:

firefox.exe@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exeDownloadly.exe@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exe

pid	process
1876	firefox.exe
1876	firefox.exe
1876	firefox.exe
1876	firefox.exe
1068	@WanaDecryptor@.exe
3388	@WanaDecryptor@.exe
4892	@WanaDecryptor@.exe
4892	@WanaDecryptor@.exe
3388	@WanaDecryptor@.exe
1068	@WanaDecryptor@.exe
5820	@WanaDecryptor@.exe
5304	@WanaDecryptor@.exe
2296	@WanaDecryptor@.exe
3240	@WanaDecryptor@.exe
1876	firefox.exe
1876	firefox.exe
1876	firefox.exe
1876	firefox.exe
1876	firefox.exe
1876	firefox.exe
4500	@WanaDecryptor@.exe
5284	Downloadly.exe
5284	Downloadly.exe
5864	@WanaDecryptor@.exe
6036	@WanaDecryptor@.exe
4876	@WanaDecryptor@.exe
1664	@WanaDecryptor@.exe
2348	@WanaDecryptor@.exe
2348	@WanaDecryptor@.exe
1596	@WanaDecryptor@.exe
776	@WanaDecryptor@.exe
4568	@WanaDecryptor@.exe
3020	@WanaDecryptor@.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 916 wrote to memory of 1876	916	firefox.exe	firefox.exe
PID 916 wrote to memory of 1876	916	firefox.exe	firefox.exe
PID 916 wrote to memory of 1876	916	firefox.exe	firefox.exe
PID 916 wrote to memory of 1876	916	firefox.exe	firefox.exe
PID 916 wrote to memory of 1876	916	firefox.exe	firefox.exe
PID 916 wrote to memory of 1876	916	firefox.exe	firefox.exe
PID 916 wrote to memory of 1876	916	firefox.exe	firefox.exe
PID 916 wrote to memory of 1876	916	firefox.exe	firefox.exe
PID 916 wrote to memory of 1876	916	firefox.exe	firefox.exe
PID 916 wrote to memory of 1876	916	firefox.exe	firefox.exe
PID 916 wrote to memory of 1876	916	firefox.exe	firefox.exe
PID 1876 wrote to memory of 2664	1876	firefox.exe	firefox.exe
PID 1876 wrote to memory of 2664	1876	firefox.exe	firefox.exe
PID 1876 wrote to memory of 4584	1876	firefox.exe	firefox.exe
PID 1876 wrote to memory of 4584	1876	firefox.exe	firefox.exe
PID 1876 wrote to memory of 4584	1876	firefox.exe	firefox.exe
PID 1876 wrote to memory of 4584	1876	firefox.exe	firefox.exe
PID 1876 wrote to memory of 4584	1876	firefox.exe	firefox.exe
PID 1876 wrote to memory of 4584	1876	firefox.exe	firefox.exe
PID 1876 wrote to memory of 4584	1876	firefox.exe	firefox.exe
PID 1876 wrote to memory of 4584	1876	firefox.exe	firefox.exe
PID 1876 wrote to memory of 4584	1876	firefox.exe	firefox.exe
PID 1876 wrote to memory of 4584	1876	firefox.exe	firefox.exe
PID 1876 wrote to memory of 4584	1876	firefox.exe	firefox.exe
PID 1876 wrote to memory of 4584	1876	firefox.exe	firefox.exe
PID 1876 wrote to memory of 4584	1876	firefox.exe	firefox.exe
PID 1876 wrote to memory of 4584	1876	firefox.exe	firefox.exe
PID 1876 wrote to memory of 4584	1876	firefox.exe	firefox.exe
PID 1876 wrote to memory of 4584	1876	firefox.exe	firefox.exe
PID 1876 wrote to memory of 4584	1876	firefox.exe	firefox.exe
PID 1876 wrote to memory of 4584	1876	firefox.exe	firefox.exe
PID 1876 wrote to memory of 4584	1876	firefox.exe	firefox.exe
PID 1876 wrote to memory of 4584	1876	firefox.exe	firefox.exe
PID 1876 wrote to memory of 4584	1876	firefox.exe	firefox.exe
PID 1876 wrote to memory of 4584	1876	firefox.exe	firefox.exe
PID 1876 wrote to memory of 4584	1876	firefox.exe	firefox.exe
PID 1876 wrote to memory of 4584	1876	firefox.exe	firefox.exe
PID 1876 wrote to memory of 4584	1876	firefox.exe	firefox.exe
PID 1876 wrote to memory of 4584	1876	firefox.exe	firefox.exe
PID 1876 wrote to memory of 4584	1876	firefox.exe	firefox.exe
PID 1876 wrote to memory of 4584	1876	firefox.exe	firefox.exe
PID 1876 wrote to memory of 4584	1876	firefox.exe	firefox.exe
PID 1876 wrote to memory of 4584	1876	firefox.exe	firefox.exe
PID 1876 wrote to memory of 4584	1876	firefox.exe	firefox.exe
PID 1876 wrote to memory of 4584	1876	firefox.exe	firefox.exe
PID 1876 wrote to memory of 4584	1876	firefox.exe	firefox.exe
PID 1876 wrote to memory of 4584	1876	firefox.exe	firefox.exe
PID 1876 wrote to memory of 4584	1876	firefox.exe	firefox.exe
PID 1876 wrote to memory of 4584	1876	firefox.exe	firefox.exe
PID 1876 wrote to memory of 4584	1876	firefox.exe	firefox.exe
PID 1876 wrote to memory of 4584	1876	firefox.exe	firefox.exe
PID 1876 wrote to memory of 4584	1876	firefox.exe	firefox.exe
PID 1876 wrote to memory of 4584	1876	firefox.exe	firefox.exe
PID 1876 wrote to memory of 4584	1876	firefox.exe	firefox.exe
PID 1876 wrote to memory of 4584	1876	firefox.exe	firefox.exe
PID 1876 wrote to memory of 4584	1876	firefox.exe	firefox.exe
PID 1876 wrote to memory of 4584	1876	firefox.exe	firefox.exe
PID 1876 wrote to memory of 4584	1876	firefox.exe	firefox.exe
PID 1876 wrote to memory of 4584	1876	firefox.exe	firefox.exe
PID 1876 wrote to memory of 4584	1876	firefox.exe	firefox.exe
PID 1876 wrote to memory of 4584	1876	firefox.exe	firefox.exe
PID 1876 wrote to memory of 680	1876	firefox.exe	firefox.exe
PID 1876 wrote to memory of 680	1876	firefox.exe	firefox.exe
PID 1876 wrote to memory of 680	1876	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

2900 attrib.exe

pid	process
2900	attrib.exe

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\BadRabbit.zip
1⤵
PID:1020

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3592

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:916

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1876

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1876.0.412968176\24854303" -parentBuildID 20221007134813 -prefsHandle 1820 -prefMapHandle 1812 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1a59af40-e93e-46eb-8f64-dd499a015824} 1876 "\\.\pipe\gecko-crash-server-pipe.1876" 1900 1a16a2a5858 gpu
3⤵
PID:2664

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1876.1.1587541846\485299603" -parentBuildID 20221007134813 -prefsHandle 2288 -prefMapHandle 2284 -prefsLen 20926 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c7808170-d0e6-43cc-9262-718ce9d8604b} 1876 "\\.\pipe\gecko-crash-server-pipe.1876" 2300 1a15c270a58 socket
3⤵
PID:4584

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1876.2.1469348318\867530394" -childID 1 -isForBrowser -prefsHandle 3124 -prefMapHandle 2880 -prefsLen 21074 -prefMapSize 232675 -jsInitHandle 1464 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e67e6117-abbc-479d-8798-7ddd5f0c3436} 1876 "\\.\pipe\gecko-crash-server-pipe.1876" 2988 1a16cf08f58 tab
3⤵
PID:680

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1876.3.1237268798\545873923" -childID 2 -isForBrowser -prefsHandle 2328 -prefMapHandle 1460 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1464 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {202ea481-9522-4edf-9889-77aaedcb0d6c} 1876 "\\.\pipe\gecko-crash-server-pipe.1876" 1444 1a15c25eb58 tab
3⤵
PID:976

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1876.4.1702235261\640450804" -childID 3 -isForBrowser -prefsHandle 3876 -prefMapHandle 3872 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1464 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4d1f6aae-91c9-4e55-ad43-dbb303594290} 1876 "\\.\pipe\gecko-crash-server-pipe.1876" 3888 1a15c262e58 tab
3⤵
PID:752

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1876.7.1969929083\2074147955" -childID 6 -isForBrowser -prefsHandle 5360 -prefMapHandle 5364 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1464 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7d93a256-4f10-4684-b5f6-ff52d7213d7b} 1876 "\\.\pipe\gecko-crash-server-pipe.1876" 5352 1a16f597858 tab
3⤵
PID:1140

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1876.6.142408882\1739733256" -childID 5 -isForBrowser -prefsHandle 5168 -prefMapHandle 5172 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1464 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a88b7be0-7392-459e-8090-da2dc05c9840} 1876 "\\.\pipe\gecko-crash-server-pipe.1876" 5160 1a16f58b658 tab
3⤵
PID:1360

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1876.5.1660358891\611575128" -childID 4 -isForBrowser -prefsHandle 4800 -prefMapHandle 5016 -prefsLen 26578 -prefMapSize 232675 -jsInitHandle 1464 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f7996876-c62c-43c2-830a-2a6aa8e363e8} 1876 "\\.\pipe\gecko-crash-server-pipe.1876" 4788 1a16f58a458 tab
3⤵
PID:2392

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1876.8.1489176063\1977901937" -childID 7 -isForBrowser -prefsHandle 5848 -prefMapHandle 5864 -prefsLen 26753 -prefMapSize 232675 -jsInitHandle 1464 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {11086b61-05a2-421a-bf61-641f75a8465d} 1876 "\\.\pipe\gecko-crash-server-pipe.1876" 4880 1a1694afe58 tab
3⤵
PID:3964

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1876.9.1403947711\120015935" -childID 8 -isForBrowser -prefsHandle 4788 -prefMapHandle 3872 -prefsLen 26770 -prefMapSize 232675 -jsInitHandle 1464 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d246a096-2dd6-4d97-a337-88ebbd75100f} 1876 "\\.\pipe\gecko-crash-server-pipe.1876" 5720 1a1712c4358 tab
3⤵
PID:4916

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1876.10.676047308\620361602" -childID 9 -isForBrowser -prefsHandle 4420 -prefMapHandle 4416 -prefsLen 27299 -prefMapSize 232675 -jsInitHandle 1464 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7687c17a-e2c4-4bab-9e68-f87e0564fa91} 1876 "\\.\pipe\gecko-crash-server-pipe.1876" 4328 1a16deb1558 tab
3⤵
PID:5312

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1876.11.881275761\823979691" -childID 10 -isForBrowser -prefsHandle 2684 -prefMapHandle 4328 -prefsLen 27299 -prefMapSize 232675 -jsInitHandle 1464 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e3bed1aa-49b5-4bdb-a701-76b0694bb7c1} 1876 "\\.\pipe\gecko-crash-server-pipe.1876" 4420 1a168bde058 tab
3⤵
PID:4092

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1876.12.305509453\916743813" -childID 11 -isForBrowser -prefsHandle 5592 -prefMapHandle 5432 -prefsLen 27299 -prefMapSize 232675 -jsInitHandle 1464 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fb3d3bf7-eb67-4fbb-bfca-87a3c89c3e25} 1876 "\\.\pipe\gecko-crash-server-pipe.1876" 4412 1a16f595d58 tab
3⤵
PID:5444

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1876.13.442408765\1767187487" -parentBuildID 20221007134813 -prefsHandle 6796 -prefMapHandle 5544 -prefsLen 27299 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ea21050a-0e87-4e0e-9d4c-a6e59ca0e383} 1876 "\\.\pipe\gecko-crash-server-pipe.1876" 6736 1a168d9c158 rdd
3⤵
PID:3940

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1876.14.1385717510\680824234" -childID 12 -isForBrowser -prefsHandle 7004 -prefMapHandle 7000 -prefsLen 27299 -prefMapSize 232675 -jsInitHandle 1464 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {79de6813-cb75-4f30-8c23-0b1de8c09042} 1876 "\\.\pipe\gecko-crash-server-pipe.1876" 7016 1a16dd4f558 tab
3⤵
PID:5320

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\WannaCrypt0r\" -spe -an -ai#7zMap8634:86:7zEvent31968
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4432

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\WannaCrypt0r\" -spe -an -ai#7zMap21685:86:7zEvent11754
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4608

C:\Users\Admin\Downloads\WannaCrypt0r\Endermanch@WannaCrypt0r.exe
"C:\Users\Admin\Downloads\WannaCrypt0r\Endermanch@WannaCrypt0r.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Executes dropped EXE
- Sets desktop wallpaper using registry
PID:1228

C:\Windows\SysWOW64\attrib.exe
attrib +h .
2⤵
- Views/modifies file attributes
PID:2900

C:\Windows\SysWOW64\icacls.exe
icacls . /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:3956

C:\Users\Admin\Downloads\WannaCrypt0r\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:4876

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 259511685890850.bat
2⤵
PID:232

C:\Windows\SysWOW64\cscript.exe
cscript.exe //nologo m.vbs
3⤵
PID:3704

C:\Users\Admin\Downloads\WannaCrypt0r\@WanaDecryptor@.exe
@WanaDecryptor@.exe co
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4892

C:\Users\Admin\Downloads\WannaCrypt0r\TaskData\Tor\taskhsvc.exe
TaskData\Tor\taskhsvc.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1172

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /b @WanaDecryptor@.exe vs
2⤵
PID:4980

C:\Users\Admin\Downloads\WannaCrypt0r\@WanaDecryptor@.exe
@WanaDecryptor@.exe vs
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1068

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
4⤵
PID:4784

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:3256

C:\Users\Admin\Downloads\WannaCrypt0r\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:1556

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "cveybzquncem713" /t REG_SZ /d "\"C:\Users\Admin\Downloads\WannaCrypt0r\tasksche.exe\"" /f
2⤵
PID:4872

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "cveybzquncem713" /t REG_SZ /d "\"C:\Users\Admin\Downloads\WannaCrypt0r\tasksche.exe\"" /f
3⤵
- Adds Run key to start application
- Modifies registry key
PID:4860

C:\Users\Admin\Downloads\WannaCrypt0r\@WanaDecryptor@.exe
@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3388

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/search?q=how+to+buy+bitcoin
3⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
PID:1068

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffba08b46f8,0x7ffba08b4708,0x7ffba08b4718
4⤵
PID:3812

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,6860862637554530609,15390687646761817001,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2224 /prefetch:2
4⤵
PID:2776

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,6860862637554530609,15390687646761817001,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 /prefetch:3
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1556

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,6860862637554530609,15390687646761817001,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2796 /prefetch:8
4⤵
PID:5204

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6860862637554530609,15390687646761817001,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1
4⤵
PID:5360

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6860862637554530609,15390687646761817001,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3464 /prefetch:1
4⤵
PID:5380

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6860862637554530609,15390687646761817001,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5132 /prefetch:1
4⤵
PID:5908

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,6860862637554530609,15390687646761817001,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5636 /prefetch:8
4⤵
PID:5888

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
4⤵
- Drops file in Program Files directory
PID:5900

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x240,0x244,0x248,0x21c,0x24c,0x7ff683935460,0x7ff683935470,0x7ff683935480
5⤵
PID:5296

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,6860862637554530609,15390687646761817001,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5636 /prefetch:8
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6860862637554530609,15390687646761817001,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1
4⤵
PID:5472

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6860862637554530609,15390687646761817001,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:1
4⤵
PID:5692

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6860862637554530609,15390687646761817001,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4676 /prefetch:1
4⤵
PID:5688

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6860862637554530609,15390687646761817001,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1956 /prefetch:1
4⤵
PID:4964

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6860862637554530609,15390687646761817001,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5632 /prefetch:1
4⤵
PID:4724

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,6860862637554530609,15390687646761817001,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2672 /prefetch:2
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:5276

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6860862637554530609,15390687646761817001,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3668 /prefetch:1
4⤵
PID:1580

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://en.wikipedia.org/wiki/Bitcoin
3⤵
PID:5672

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffba08b46f8,0x7ffba08b4708,0x7ffba08b4718
4⤵
PID:5808

C:\Users\Admin\Downloads\WannaCrypt0r\taskse.exe
taskse.exe C:\Users\Admin\Downloads\WannaCrypt0r\@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4432

C:\Users\Admin\Downloads\WannaCrypt0r\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:5668

C:\Users\Admin\Downloads\WannaCrypt0r\@WanaDecryptor@.exe
@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5820

C:\Users\Admin\Downloads\WannaCrypt0r\taskse.exe
taskse.exe C:\Users\Admin\Downloads\WannaCrypt0r\@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5812

C:\Users\Admin\Downloads\WannaCrypt0r\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:1844

C:\Users\Admin\Downloads\WannaCrypt0r\@WanaDecryptor@.exe
@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5304

C:\Users\Admin\Downloads\WannaCrypt0r\taskse.exe
taskse.exe C:\Users\Admin\Downloads\WannaCrypt0r\@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5276

C:\Users\Admin\Downloads\WannaCrypt0r\taskse.exe
taskse.exe C:\Users\Admin\Downloads\WannaCrypt0r\@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
PID:2396

C:\Users\Admin\Downloads\WannaCrypt0r\@WanaDecryptor@.exe
@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2296

C:\Users\Admin\Downloads\WannaCrypt0r\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:5936

C:\Users\Admin\Downloads\WannaCrypt0r\taskse.exe
taskse.exe C:\Users\Admin\Downloads\WannaCrypt0r\@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
PID:524

C:\Users\Admin\Downloads\WannaCrypt0r\@WanaDecryptor@.exe
@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3240

C:\Users\Admin\Downloads\WannaCrypt0r\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:816

C:\Users\Admin\Downloads\WannaCrypt0r\@WanaDecryptor@.exe
@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4500

C:\Users\Admin\Downloads\WannaCrypt0r\taskse.exe
taskse.exe C:\Users\Admin\Downloads\WannaCrypt0r\@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
PID:936

C:\Users\Admin\Downloads\WannaCrypt0r\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:3560

C:\Users\Admin\Downloads\WannaCrypt0r\@WanaDecryptor@.exe
@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5864

C:\Users\Admin\Downloads\WannaCrypt0r\taskse.exe
taskse.exe C:\Users\Admin\Downloads\WannaCrypt0r\@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
PID:5540

C:\Users\Admin\Downloads\WannaCrypt0r\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:3460

C:\Users\Admin\Downloads\WannaCrypt0r\taskse.exe
taskse.exe C:\Users\Admin\Downloads\WannaCrypt0r\@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
PID:5476

C:\Users\Admin\Downloads\WannaCrypt0r\@WanaDecryptor@.exe
@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:6036

C:\Users\Admin\Downloads\WannaCrypt0r\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:768

C:\Users\Admin\Downloads\WannaCrypt0r\taskse.exe
taskse.exe C:\Users\Admin\Downloads\WannaCrypt0r\@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
PID:2536

C:\Users\Admin\Downloads\WannaCrypt0r\@WanaDecryptor@.exe
@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4876

C:\Users\Admin\Downloads\WannaCrypt0r\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:6072

C:\Users\Admin\Downloads\WannaCrypt0r\taskse.exe
taskse.exe C:\Users\Admin\Downloads\WannaCrypt0r\@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
PID:1072

C:\Users\Admin\Downloads\WannaCrypt0r\@WanaDecryptor@.exe
@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1664

C:\Users\Admin\Downloads\WannaCrypt0r\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:4860

C:\Users\Admin\Downloads\WannaCrypt0r\taskse.exe
taskse.exe C:\Users\Admin\Downloads\WannaCrypt0r\@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
PID:1012

C:\Users\Admin\Downloads\WannaCrypt0r\@WanaDecryptor@.exe
@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious use of SetWindowsHookEx
PID:2348

C:\Users\Admin\Downloads\WannaCrypt0r\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:4112

C:\Users\Admin\Downloads\WannaCrypt0r\@WanaDecryptor@.exe
@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1596

C:\Users\Admin\Downloads\WannaCrypt0r\taskse.exe
taskse.exe C:\Users\Admin\Downloads\WannaCrypt0r\@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
PID:4580

C:\Users\Admin\Downloads\WannaCrypt0r\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:3816

C:\Users\Admin\Downloads\WannaCrypt0r\@WanaDecryptor@.exe
@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:776

C:\Users\Admin\Downloads\WannaCrypt0r\taskse.exe
taskse.exe C:\Users\Admin\Downloads\WannaCrypt0r\@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
PID:1716

C:\Users\Admin\Downloads\WannaCrypt0r\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:5616

C:\Users\Admin\Downloads\WannaCrypt0r\@WanaDecryptor@.exe
@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4568

C:\Users\Admin\Downloads\WannaCrypt0r\taskse.exe
taskse.exe C:\Users\Admin\Downloads\WannaCrypt0r\@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
PID:5664

C:\Users\Admin\Downloads\WannaCrypt0r\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:5696

C:\Users\Admin\Downloads\WannaCrypt0r\taskse.exe
taskse.exe C:\Users\Admin\Downloads\WannaCrypt0r\@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
PID:5828

C:\Users\Admin\Downloads\WannaCrypt0r\@WanaDecryptor@.exe
@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3020

C:\Users\Admin\Downloads\WannaCrypt0r\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:6056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\ConvertToWait.bat" "
1⤵
PID:3704

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\ConvertToWait.bat
1⤵
- Opens file in notepad (likely ransom note)
- Suspicious use of FindShellTrayWindow
PID:3900

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3452

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5172

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Downloadly\" -spe -an -ai#7zMap91:82:7zEvent7865
1⤵
- Suspicious use of FindShellTrayWindow
PID:3240

C:\Users\Admin\Downloads\Downloadly\x2s443bc.cs1.exe
"C:\Users\Admin\Downloads\Downloadly\x2s443bc.cs1.exe"
1⤵
- Executes dropped EXE
PID:5164

C:\Users\Admin\AppData\Local\Temp\is-HE6J1.tmp\x2s443bc.cs1.tmp
"C:\Users\Admin\AppData\Local\Temp\is-HE6J1.tmp\x2s443bc.cs1.tmp" /SL5="$204C6,15784509,779776,C:\Users\Admin\Downloads\Downloadly\x2s443bc.cs1.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:2696

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im Downloadly.exe
3⤵
- Kills process with taskkill
PID:5548

C:\Users\Admin\Programs\Downloadly\Downloadly.exe
"C:\Users\Admin\Programs\Downloadly\Downloadly.exe" EnablePro
3⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:5284

C:\Users\Admin\Programs\Downloadly\MassiveInstaller.exe
C:\Users\Admin\Programs\Downloadly\MassiveInstaller.exe /SP- /VERYSILENT /NOICONS /SUPPRESSMSGBOXES /AllowStatusPage=false /ShowUI=false /DIR="C:\Users\Admin\Programs\Massive"
4⤵
- Executes dropped EXE
PID:6012

C:\Users\Admin\AppData\Local\Temp\is-OB9V2.tmp\MassiveInstaller.tmp
"C:\Users\Admin\AppData\Local\Temp\is-OB9V2.tmp\MassiveInstaller.tmp" /SL5="$404FC,10474064,1082880,C:\Users\Admin\Programs\Downloadly\MassiveInstaller.exe" /SP- /VERYSILENT /NOICONS /SUPPRESSMSGBOXES /AllowStatusPage=false /ShowUI=false /DIR="C:\Users\Admin\Programs\Massive"
5⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:4372

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im Massive.exe
6⤵
- Kills process with taskkill
PID:1664

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im MassiveUI.exe
6⤵
- Kills process with taskkill
PID:6084

C:\Users\Admin\Programs\Massive\Massive.exe
"C:\Users\Admin\Programs\Massive\Massive.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:5404

C:\Users\Admin\Programs\Massive\crashpad_handler.exe
C:\Users\Admin\Programs\Massive\crashpad_handler.exe --no-rate-limit --database=C:\Users\Admin\AppData\Local\Massive\crashdumps --metrics-dir=C:\Users\Admin\AppData\Local\Massive\crashdumps --url=https://o428832.ingest.sentry.io:443/api/5375291/minidump/?sentry_client=sentry.native/0.4.9&sentry_key=5647f16acff64576af0bbfb18033c983 --attachment=C:\Users\Admin\AppData\Local\Massive\crashdumps\4e70bfd4-0d01-440d-68e2-0699c98651d7.run\__sentry-event --attachment=C:\Users\Admin\AppData\Local\Massive\crashdumps\4e70bfd4-0d01-440d-68e2-0699c98651d7.run\__sentry-breadcrumb1 --attachment=C:\Users\Admin\AppData\Local\Massive\crashdumps\4e70bfd4-0d01-440d-68e2-0699c98651d7.run\__sentry-breadcrumb2 --initial-client-data=0x3f4,0x3f8,0x3fc,0x3d4,0x404,0x7ff6efef2fe0,0x7ff6efef2fa0,0x7ff6efef2fb0
7⤵
- Executes dropped EXE
PID:5536

C:\Users\Admin\AppData\Local\Temp\Update-505b9394-dbb2-4308-8223-f83d81671041\downloadly_installer.exe
"C:\Users\Admin\AppData\Local\Temp\Update-505b9394-dbb2-4308-8223-f83d81671041\downloadly_installer.exe" /SP- /VERYSILENT /NOICONS /SUPPRESSMSGBOXES /LOG
4⤵
- Executes dropped EXE
PID:5816

C:\Users\Admin\AppData\Local\Temp\is-3481M.tmp\downloadly_installer.tmp
"C:\Users\Admin\AppData\Local\Temp\is-3481M.tmp\downloadly_installer.tmp" /SL5="$504E2,15992205,779776,C:\Users\Admin\AppData\Local\Temp\Update-505b9394-dbb2-4308-8223-f83d81671041\downloadly_installer.exe" /SP- /VERYSILENT /NOICONS /SUPPRESSMSGBOXES /LOG
5⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:6060

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im Downloadly.exe
6⤵
- Kills process with taskkill
PID:5580

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\EnterAdd.html
1⤵
PID:2108

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0x11c,0x12c,0x7ffba08b46f8,0x7ffba08b4708,0x7ffba08b4718
2⤵
PID:4016

C:\Users\Admin\Downloads\Downloadly\x2s443bc.cs1.exe
"C:\Users\Admin\Downloads\Downloadly\x2s443bc.cs1.exe"
1⤵
- Executes dropped EXE
PID:2476

C:\Users\Admin\AppData\Local\Temp\is-BAI32.tmp\x2s443bc.cs1.tmp
"C:\Users\Admin\AppData\Local\Temp\is-BAI32.tmp\x2s443bc.cs1.tmp" /SL5="$40568,15784509,779776,C:\Users\Admin\Downloads\Downloadly\x2s443bc.cs1.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:5700

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im Downloadly.exe
3⤵
- Kills process with taskkill
PID:5860

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4396

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\c1b5dcf0064f4422bde6a73042bb6524 /t 3472 /p 3388
1⤵
PID:2488

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

File Deletion

T1107

File Permissions Modification

T1222

Modify Registry

T1112

Hidden Files and Directories

T1158

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Inhibit System Recovery

T1490

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\@WanaDecryptor@.exe.lnk
Filesize
696B

MD5
93bd5cff69fdf03046ef2bcb734fabe8

SHA1
c86aa60146801d50ef551332e5842ac78a8f1bac

SHA256
945fb994937a444ac00ff18b655e57e66d1e9283e2d9b473f67e6ce533bb3e99

SHA512
cae2c3dd5c12ff3f4088737752d0270a6d184ba70890f7c795fb3f8ed057e3a94d5651cc1947fa5a7b09fbabb757bf1ea5e54973c86d46a032147ef8b4d644e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
aaeb1f5e097ab38083674077b84b8ed6

SHA1
7d9191cb2277c30f1147c9d29d75fc8e6aa0a4f2

SHA256
1654b27bfaeee49bfe56e0c4c0303418f4887f3ea1933f03cafce10352321aef

SHA512
130f1b62134626959f69b13e33c42c3182e343d7f0a5b6291f7bb0c2f64b60885f5e6331e1866a4944e9b7b2e49fe798e073316fde23927ede2c348ba0e56eda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
29c6575764d6d1753c87f0f6450869ac

SHA1
53650588448863b30d3342393d76bdd3a3da8252

SHA256
8c9c88f32da11188f713c882c76b55d942aae48e80891cdd4d83d0eed74d7dce

SHA512
0b836719643fe0623d485a7a84b6cd36c6138156cf6d2ea24c71667810fec65b089e9e070b866fde000fb0f749025fbd652012bcd3589feb2b302f020c1f24b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
48B

MD5
7889911c3b4ba8794393aabe72b4c3c2

SHA1
c22a74d1bb93b528a3cbde9a918ee36ee1bff45e

SHA256
2a3f1046c3ffc8000aef337c8074c37b830cad760cc06100087be3e6a48eb790

SHA512
9fbc63bc06424f433001f1ec1dcdb02b821e5ba6d9b60a16b58f8305e6d6fe5ff530eeaf80211b399b1a537d6e1f49746a166adb3dd178231fd09fdd4bcc1777

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
408B

MD5
5b35bc4785aebeba7ca1f0dfe4530e64

SHA1
41892a188d97045e90473108012a7dbc9e5e6107

SHA256
9393305cbc95399dcca41137469526801f98b5fd2df2cfd09d71f2bb163d7234

SHA512
555c8223cdbc051a63e4e5f3beb95d8228471610b0af0645ce14b2be01f8371df02cbe7a807924bcfcd757989c3fd3c3f70cc9350270f824fa99210adff6fdf9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico
Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1
Filesize
264KB

MD5
d060184d1ae5d9a27183013570ebd5d7

SHA1
0be435cd834c20cdf9caacbe0d935aa0f32e36e5

SHA256
c2834136da99534adb5c84196cb0f2a1e913b9b32aa0c0e1e3f5bd78b06bcf19

SHA512
4677208645488d4d5f312dc725dd9a0a894e407170b723180b5aee8a18f598edcdbba0c88580f73e4ff35e521d4568eebf984c62a3a6ab9c90ee995e8ec89c84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk
Filesize
2KB

MD5
bf1a1caf88f58f3f298f9ffa8d062219

SHA1
8ec68fb7a96b70a5823ef9415da09253ccc7d469

SHA256
0c67e3323bb86015c22ea2d02a6813ec453ce0623abbf31918afe69f2a45000b

SHA512
2b9bc08db2776ce6fe9012e388b9d586232dacd382dddd6934c8a87d2fd2b78491724bf25a879e6a28b4cbadf62b2a6816d13927191d98e470ba16b8ee803008

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
1KB

MD5
f3a38c2942f808bff3b6e2e74433de03

SHA1
0ca5bff235cc308f8bceb0bd7b5a0d9cc7d5bcaf

SHA256
3419c63640b19abda3ef7b463ca47763c76466eafb393ede2ee36192fe2ca806

SHA512
5a25646ce4ca5a6b8cf26d208f8a31cd489746d237890bb0fd737f8c618e35c825dd32850ae42d7ef84db602c74f115afa1b2182472ae3953cd4c06269c6f59e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
1KB

MD5
77f3058a8c780e748d177fc93101b5aa

SHA1
d7a86f2550100710b8b6e957adb6cfa6623e8505

SHA256
ed8815ab792d1b4829170f70bafed90b9004b36840fe5cc66f9f3c18e9e4c6aa

SHA512
cabe79b3bd508b8d655f0cad8599cbe6729f944fa3ed3b583c6cf2a3014b25224fb8ad871f0e567ec1e6621871260e82550f40756bba9835147545f94bc7b961

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
4KB

MD5
47a87fab109e0b456d5cfa6dfddddad8

SHA1
de3490ccb10f5dd98a4718e5942401ac2382ce77

SHA256
f68e67cdf0c55c17efd8b2b44c0a13ab0b7ea201cb4cdc5012c950154f475114

SHA512
1c1174c492cf4185d8240377368d988d2cb68bedd6e86c03a066c2eda2a1f53a7f793f7a3b085cbc0034084dfbcc80d5e7f57ca280c66ac4035a0e52742ce321

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
9c874e5644265c9c40c2e31e678f41c7

SHA1
c1e317c8d30e9919741ae5d0335fd98cf78db7eb

SHA256
e83ba4bb4d7a23889e19b1348ac7cf0e999c47675ce3917fdce0c12b674828c1

SHA512
598e08c39d1fe3bb13264b0ace1e72e3ace29b080bbf90e5839c5d8ce253bd42c5dc8a34aca4adac38893bb5392ca47df2fe993cb10e1ba20efbb4b75eb6e26c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
bef35500211242f9dfb192a3cbb94d64

SHA1
6d1a08bec372c4d4cca21156d09957e010c7c788

SHA256
6ce8eaecb9afc28a73bb66fc1a41c1754f56a45e67d3424b88d0ce39fd6ec323

SHA512
6d8e6ecc1ae1f4bbc70c0c50d715655d81efb9dcf12a44cb1b3a971798f37e8a7ce7b70330be3bf17e84e6b17c4d39bef39d8860bc7dacdb5ae1f83495a31937

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
97c092eb06698626cc1b72024fa929ff

SHA1
d8372b266ee48d6f6a44bc35ac5a6012e1355f14

SHA256
67f59673c78ee05f92f3e1e27ca3d057314ce8f7238d399a36417cdfedf72c5e

SHA512
a17e5184b7f986cf2bafcda1537c5b50218b1930407afead67ba95195ba3d65f873d9004c8d4cacfa48939e6b5ce72c31901368ff99efbd7600a2ca7e7852f2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
80e19ebe8e7ff39472bef51c1d61c112

SHA1
15b25eac570c2cc101a7d253d09879e51a305157

SHA256
d20701a8366dc93f5581d303ea70331f7d5f3f0b81b9c52c1228ccb1c91d8ce5

SHA512
7acf3780a8abd696da4b7c4a81d76492772b971d56affdb42d512244b3dcf0cb0b67e308b158e3f94cf9fefb86ec9ecddcc0204033d861b112ec974f073db5bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
24KB

MD5
47e94a96372e6f095b8a3fd7edc48ec0

SHA1
377b68f34e5964ca8be1b1b0c1507dd7f0e5f005

SHA256
15c77bafd922bd085317fd544d0fa129e3b8c814e3ba0d48936366004427732e

SHA512
5bd63de2e831805b723d7ddf1343c3b721ef5b757d9ab01bf8554ef8e29ac2cc09fa104fc85d530f27d66b67280774b3ebbef6729ea3ab61ce8028ab4ba5bdad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
24KB

MD5
3d874cbf2372e29aa7bde5be5e1db4b3

SHA1
a9214d4e1ddfd7f4cbe8fc61f838f9f2a2f2f26f

SHA256
84c9c0c31f068bcdc2258102ef25547073b785cfedc7345f510de21dd6096000

SHA512
8f90c381382b2a95c3ba3fe941429cc70094c92e78668a54ac88ed3e030c14ee7c3ba8ee7f450533456fd1933663b4c300f265da972fc0493aa409cc17b9fe10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
872B

MD5
46022bd22fa66ee39a1e8b72e43d550a

SHA1
8c3c1909c945fa5fc8f6fb74858ebc57083ede04

SHA256
09c83a77749ebd6447c436a688fdf1c5f1a3aed2f7559ec0476576d98d6ee9e2

SHA512
085188858c9dfc64ef86cb5b4bd77e97cce99800d1e02e4a08f94e2fa1b8a676aa6da2a31dea01d003046aebb3d29b3a0a0fbb2c94b2dcea111c1a8d73975650

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58e2ca.TMP
Filesize
538B

MD5
c6c5ec47ffb1e8767fdf64f31aa50e0d

SHA1
4011762764a11378a3cbeb2ac66a08fc29b60b9a

SHA256
20fc2d6b5fe705950b4729fa9632e802f90eb481cabb757d1f79f4220ed8742a

SHA512
f2222c9bbd2ff211acb293b37f3d0a0e3c72a45c0a48ba839007b84102e74b64539d76862cbd6945f0b965ab4e22abdf9d2d38897a315905aa7ceb5cb2143d3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001
Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
9KB

MD5
6707aa31fa22ca1a9df17979d1dfb5b5

SHA1
f69e22c744cf655ddb333353f3e8cd151902e360

SHA256
aba8876ad0cd44d2f94eb3c1b5744cafabeee7fa9adf169adf87752ffaff3e4a

SHA512
21d68a194a6bce96f9a8fc14253d1275897f0528b8530f0e21fbad4a919250deaeeb3d19221a72c4d59423b95c6fc2b8de6a3682a7c0d9f2b05dd2422c8c4424

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
13KB

MD5
abb7dddb5747746c88b5cbefe696c8eb

SHA1
86c109b3add63a10b455a239a9450a63087f182c

SHA256
756763336614201586ca18b62c7d5d58896dd1df5ad4226c3eb652f5d17f4142

SHA512
947bf978d88d2778727d244d0ba852fe519f2adee6894454449846f2c168d866bab2393e172a309515099a9b395311e6ee1dcb17114a277375e54df8edecb735

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
13KB

MD5
5834dd12595bd7e6c780fccaa9060fdc

SHA1
ebba5ef01ddfd214134017256f9ec3e076eca756

SHA256
455a910eb18490209dcdf11286dfc11c62f56a5256bd7b85003eba808685c5d7

SHA512
f5fee4a0113e350b5d101835ba2d58e50bcaeb7fc1ad31a1b966ee67050ff2d31d3201a38ccb3697853b8e979fb050885c68e124644b98d47da9c76b357791b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
13KB

MD5
2048df1183df9ced64f093460696f028

SHA1
9e85232ea8231e2652a4c83f1bc2ff5d39c36248

SHA256
ee670fc022a3b53624191475e6ee88ddf6ce5f7a3007dc252a2e445c7ce8b459

SHA512
7e72ee1a79624eedf77fdeeb2d2a0df3203718dbb6ab487e12dba837c276ef513a7ef3a2d563e413121d4e41c12e1ffdb6d1f7223979178121835d43fec1cd62

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6exu9k4v.default-release\activity-stream.discovery_stream.json.tmp
Filesize
144KB

MD5
b259b3196b27ca892ca8d1864b15e389

SHA1
18770e5a65f05343da09d8901e3fd5bbfc0f6507

SHA256
5fc35c8476f7610e2b9957b50e7b934a31d7c42d890bfbd9aab6dd73e0b8b150

SHA512
20e9742be2d8cd2c1bb777136fddf2c60f5e5c5dad48949f687a8753d436ae71ca915058d67bcc3dfb6d23e2a53420289c76b331e278dd5b6359ba781100a6ba

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6exu9k4v.default-release\cache2\doomed\1255
Filesize
50KB

MD5
60ea3376371c16f85fc22c861c6cdd43

SHA1
6e992f55ff61659718900b9288561854a5d7f9fd

SHA256
c7e835b03cbd23bd3f62d3b9f8101466a826f6b7a08ea49c0d12b94766164ba2

SHA512
47eaebbee1962c9b0881b446e322e5ef2d34d47cb81ebc30da3362302e43f6f4645b36b867f8448905e75f21c473119223135829df82231c464b0bda4068e11c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6exu9k4v.default-release\cache2\doomed\13331
Filesize
12KB

MD5
93d3cc3f1e027b5f0db9154a89061cbb

SHA1
5de6ca341b1a65e40ec8da2b422e14d79f170a3e

SHA256
68839c66b628187d77e3bfd927074c3a6b3cf5201516408485c162c2cb4041a5

SHA512
78c571d3597e04addefa907a4ad5b5230bf3cd1e8051f285224e121951e836245bffa1add7ee188ce99191a73528f137b4a6f0e8237465733cc3e29a52689f1b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6exu9k4v.default-release\cache2\doomed\13532
Filesize
12KB

MD5
4682aaac09408542e390c329601af493

SHA1
30a3a6651841a53406f84755f3377066f8c594e0

SHA256
62422a7357fa9706afbbf68d12de4186913678fce5d477f07f94020fb90ff2d3

SHA512
bcbf873c7935bcf3b9465d701e7cde95c08237bf634e83a3e7fd07f50402676f9dedf96e0c7778ff0e2ef4e1fbdeae41a8cc6b3141906b7b3cd99143a38ea557

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6exu9k4v.default-release\cache2\doomed\18558
Filesize
22KB

MD5
6e11278be1e9cda437d4e6ce8ba9fdc8

SHA1
ac17c2d4f5597abcb513394bc3f39a39bc06fb3f

SHA256
592b99afd5d2c45fcde624ef7265d1b0faf85718f1869e589a57d6833efc82c3

SHA512
9ecabceedd9dd062cb467bd14bd5753d41456ddf9eb3de6e34af5bf0ad3dc846b8e70aab995f6dbda1dd5ab10b58c111b12c69149ba3b0f2b978a17b81750a0d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6exu9k4v.default-release\cache2\doomed\21320
Filesize
12KB

MD5
1ebe7e7d011a10d89431d1a2186544d5

SHA1
3951ac7eff8e5f25248b070cc5491822918ba218

SHA256
687b6685ec38f69c252f579606dde45665d744f379ad3940d10766ca884e0100

SHA512
297750a268cd7546724851814370038ee606ef2d5890bf3de35707d39dae779fa455222fbf9f18ea9b54cae5f8055f545083f5ee2b9ede1ab0c0731a1f3582f0

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6exu9k4v.default-release\cache2\doomed\23032
Filesize
15KB

MD5
fb5b1101e5cebaa843c0a6d41568551a

SHA1
23541024da15797e0e4ad6bfb84a1e802a8677a6

SHA256
722913b270ce49c9a1094cfdbfd56ad7ed06d6d69f4c9b1f83ec09152fbee13f

SHA512
17616c567a9cdf9f553f8f7b970d5cbc1160a3b00a47c8b9c211fff6732a4a436540a67faeaff7dec89253eeaba92626b57410e4f99da53baef0c17a22da6acd

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6exu9k4v.default-release\cache2\doomed\2758
Filesize
15KB

MD5
84c96b57579e586ed4caf5cb85896775

SHA1
187726a3c92ace776a8e377f03674895ae1babe0

SHA256
ad45c14860db57c4f6def57fb2d7edf47a28c82eadebbf7504eaa6fa452c2381

SHA512
97211f79fa31c01c8abe03d46fac14d50a094eb39a819dfa30141c36143029396fe5ab2dbc66fcb2f5e0911d9a03fa990993b38d3d44db341c9a64d0111bfa82

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6exu9k4v.default-release\cache2\doomed\9521
Filesize
15KB

MD5
dbcdd0e41183611c594bc93fe338a9ce

SHA1
e0580f0f54000e36845b50cc5b18d7799460ff88

SHA256
5b7090b5340709bc09ae068633b83dfa386a0ac7ad67127db9ca93dcbbade4cf

SHA512
58aac1cec07b7c99e70f7523911eedac00d79cb031785dcdb25a77077a328692de1b99ff52a6f2e931692fe62509d269183e6d66eddd43bb6e96febccc1c4c4f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6exu9k4v.default-release\cache2\entries\0AEB33F7365F0B5639E064BE5481E9CC67AC6613
Filesize
74KB

MD5
1a0643bd5089c8dc9e5ac9114332c63b

SHA1
de5ff71796e5f2d010d8d14a127e2f319e5780ba

SHA256
2ea4cbd8443a578836e332af36f382b2edd8aa77e8ef427741f33fe055c14c32

SHA512
c803b2ebd03671f364f98afcae33fc78b205240d88f17565958f6ef37cf372eeacf622acb318ac51064356980ecff12e108b36366fad1f55d020e36e848ff92f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6exu9k4v.default-release\cache2\entries\58D46C4012E4AD3623A4EA72BB3C1CDD25B3FF87
Filesize
14KB

MD5
cb7343edee103672f1bb1bd31c334064

SHA1
a36b80a5bd72ccd7b87f2b046c1b1050141a9d64

SHA256
c8667da045d77f28699b023cba6174b137ce606d3e4e8812224e10e8f274b154

SHA512
373b612c845cb165815d7e67560fabc8116b0523b2da92b8e5cba86e367da12c39044d88823ea7247d18cb3a6c494358e73c7ce3cfe90dbf4c96b20d2cf66ca3

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6exu9k4v.default-release\cache2\entries\83694C4B0C983BDAFFBCCD945F9254E4CA2AF6FA
Filesize
47KB

MD5
312999556d49e7d3a258497e916667b7

SHA1
97bd30ddebb8023517b1cf116bec7c9eb4d1c84c

SHA256
d4468406cabbe183490815acd4773192c698324e4964b397b2616184a26be8a1

SHA512
5295d60a8746de46686d3fd3ad4bba113c65e112cb59c340383c72a98b133e95566752fa9fb2de822d532183b744078978c9bf3a41adc96971f697d75acee005

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6exu9k4v.default-release\cache2\entries\917E41E135032D6BD66E5D6F84F0988D37234A33
Filesize
14KB

MD5
e5ef4393615a3cb3163851209e8486e1

SHA1
d5153016997ec3d98f5efe54510ec32581fc4964

SHA256
9957b3d04672c86562f1ee938e3b7883873ff4f35591e7769c9d99c23900cf85

SHA512
6cc04f1f24e473527afc301e080f304a945a468f34623c88f02dca1eecb3f962ca8db4e558e064994ad5bb7e0ba3373fe8f7fb299c52967ec7a842f50decbca3

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6exu9k4v.default-release\cache2\entries\A6C74BC2260EAFF823C7AED38BBA607C962CCB55
Filesize
40KB

MD5
d522bfb8125f0dcdb037f158a9f8c21a

SHA1
aa0228f79276545c2306dbca1b7499139987118b

SHA256
385417e42b45bbc334e53f0fd13f48276b61f6221a3ffcc882b7aa65a140cbd5

SHA512
b23fa9bb61b4678bc54c7c8709a805c554636e8be74e7535d7072e03d379587b9f3fb5f324157f5a734cabeed5d2923104582a4b3e4cc830033cce71ded3aa3d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6exu9k4v.default-release\cache2\entries\B0985743595C953E243D1553684FEF0F659DC28E
Filesize
32KB

MD5
be59eec2c4c5b1ea52497527b5ac82b2

SHA1
c8ec09391290137d44ac19dbe4722df7a4875d98

SHA256
fb055d37c216a2d54fc18977810bc335d1c8e39f9e452c07f568c5b74a8d1ff5

SHA512
3b97eec36f790b6e8eeee5e30212be16183a7e1312a2ee64567ac4b3993237c4f86258ffa48ec1a8f00d832f10fadfa12a6bbef9b11be0998726a33c4c2b2c50

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6exu9k4v.default-release\cache2\entries\BD0F19A1CE1B0EF872A9FBAF619A5671CBC80974
Filesize
20KB

MD5
cfd311064222eeff1b1496db793bd26c

SHA1
e87eae28591aa696469060508973fbbcc13c2062

SHA256
23d9f1ea50a2bc9a49c6be1c566f7cb65ce9a683241f3623301a44e428cfe5ce

SHA512
e971c2991ef3c73ed49a9bfca8dff5a0610c1db2383d9dade986aa54a64d9aab8c6e757835dfdf82c697991935c74a967e9b420c751f600c733ffef4fce3bfd9

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6exu9k4v.default-release\jumpListCache\Lg5p5Z92_zEzqS_TXoqTQg==.ico
Filesize
25KB

MD5
6b120367fa9e50d6f91f30601ee58bb3

SHA1
9a32726e2496f78ef54f91954836b31b9a0faa50

SHA256
92c62d192e956e966fd01a0c1f721d241b9b6f256b308a2be06187a7b925f9e0

SHA512
c8d55a2c10a2ef484dedded911b8f3c2f5ecb996be6f6f425c5bd4b4f53eb620a2baccd48bac1915a81da9a792971d95ff36c3f216075d93e5fd7a462ecd784f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Update-505b9394-dbb2-4308-8223-f83d81671041\downloadly_installer.exe
Filesize
16.1MB

MD5
61016d79751db97b3908e31a438d89aa

SHA1
668c2f50db94be4d8f4f1b9a3719a1741f5bb802

SHA256
1b8a0d83673e2e5df870918d436ae62a7d65dae9351fbf59e3ca20902a5c33e0

SHA512
7e8b8bd34cda535052c57e6b5535e88546399d68be3ac1426c398d4a4fa63efdc9b5c32074478401dbe06e49f144bde2927fb9225b00f805427725c11519ad73

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BAI32.tmp\x2s443bc.cs1.tmp
Filesize
3.0MB

MD5
0d5dc73779288fd019d9102766b0c7de

SHA1
d9f6ea89d4ba4119e92f892541719c8b5108f75f

SHA256
0a3d1d00bfdbded550d21df30275be9bca83fb74ca3b2aabd4b0886a5d7cc289

SHA512
b6b1cf77bcb9a2ad4faa08a33f54b16b09f956fa8a47e27587ad2b791a44dc0bd1b11704c3756104c6717abcaffc8dd9260e827eccd61551b79fcedd5210fe61

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon
Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1
Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms
Filesize
15KB

MD5
9087e21965b4458e6de7b74680a8bd9f

SHA1
d0e93e21339a52bcb6a8bd0a30b077530f33d0fd

SHA256
dd038f2a8e55710531751f9b6ae4bf8f4ce431b679eed7349ef662658bffa13f

SHA512
85f3b93b3f7e4956938b26d89037582e088fed2bf31e487320d60e3849a275acfd41abf10693918374b8c738304fc2780931334d1e5a78921bf986fb244b0371

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms
Filesize
20KB

MD5
86de326a68286ecac90cf2566f457e6b

SHA1
1d32bf2953ab8489694eedabfce50dcafcfa39b0

SHA256
81f34cb1fb7807c0f7d51eb7d8691f2ec72618355875a3cd9eba9024b72f4ae6

SHA512
b952fa6d497a0bd2f9c5393063408789ad362c3115e2c6c66ecc8bd0353f41bf9d3ee081cec9beda8213cd89f677a1dd100bd45bc0f73caa428f88a0aba113ac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms
Filesize
19KB

MD5
03198c56ff06cb171ef521c5403b321a

SHA1
c99742d39e8e498bca283e362640e9198a80c5e5

SHA256
159c2485129c5c587b77b4e24468443327399edd93253c89fbd5a5051ed0a3d0

SHA512
87feb5123da634ed92de42bfe5f9be124caad1938d2244949e305382b140a0a0ee2a01afee5aa3cfac023ade8cf39e07d7761d60ae9d40e561fc40acaab6845f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize
3KB

MD5
1577f66286f81f6b1108ea132d30ef5f

SHA1
4dea87488d5ffffc3cd7339bea77952d3f5ddfb3

SHA256
3ff908d087ac7998092fea388c1c8a265aa6aef629eeee353e92e064f858bb9a

SHA512
61f5678d45fb2a8bafde688c467ef4a82b28389f13f340a7abbeec6894278de0fdf57650f8b48d7ae07b3f891c5cebdafd9bff9a105cc30d8f9eb2e84a554a47

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Downloadly.lnk
Filesize
1KB

MD5
7fb01d35eedb6e1f6394ee92c88fcfb1

SHA1
c6dddffa2c7568698b4c85a1695d53e1ce69f5d7

SHA256
41ab406f4096ed3b9e4faf0f01c02959fdeb57b7f89ca022c3c78bfb992553db

SHA512
6cd4d25b824dc918dd22007e11b6b36a085b39d1303594defa98033edf82c94306006b12ea2f86ef409ffa1197c89bf8a943841750e83a0d4c76493a1f95c127

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Downloadly.lnk
Filesize
1KB

MD5
aaf2ff746bd4883214a62aec3e31bddb

SHA1
f245727467cab97c88dcdc7727de6b9f047c24c7

SHA256
504323c52def55b7eca8902aed67912cae400fa6f8e42e29eb1691f3d8b6b018

SHA512
db78120b5711bbfd874e43fdaaf230469634256255d3be0d539f7c7e119635e4a490c6e26be8c54f8b26a7a4b72d0c27bf0d2b8aa34982ef9df95d97197944b5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\cert9.db
Filesize
224KB

MD5
71a59b467e28ad13b5b773c04e9d7c66

SHA1
b187f0a57e793593cc09638efbce33697fd055dd

SHA256
54b7ffef8a623399df63beb5b6fa440fa4a2a5c3a56b6fcdc3b5f0b5a6c51e2a

SHA512
6a0647eb9797227071d30ed7c1b1ea4be31b6bdc141d7c5808d32325b654a1683435529044ed05b426fb67c2ff0dc4532de574bf3e5eb04d009086ca23ca73a5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll
Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info
Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt
Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json
Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll
Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib
Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig
Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\prefs-1.js
Filesize
7KB

MD5
42ecdd39625e90fcac975d39a0bfead4

SHA1
07b0561195dfe8af6fce599879e1a9ac8921409a

SHA256
a61300ced3d0f0ac45aa01f3df8a8ff987d3f92dda3de6fd6c383c4d3f0dbfcc

SHA512
791cb9846edd20b2f9b24ade9d688788aa49d13436a5eb43db017c7b1ff06ea62290d1392a40e39edf024d8818c78321c3a3c8e9da2f7222be8f01c666b6ea74

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\prefs-1.js
Filesize
6KB

MD5
1b8f8a0b9f411b732f28b4106eedd04d

SHA1
40da54faf86c2efa5ed02dc0bad82185d24a99ae

SHA256
a01b1e033ceceba1b7a9555cf75463cea67bfaf0ec14c73079616ec988eca70d

SHA512
89b59ea6b7c615c7be64f290c47004b8c43ea4429b350344604ba515b2a32b7fc03c32169968dc070744a3fd1e4eabfbd1e71dedb8214fdda7992a9fbc30297b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\prefs-1.js
Filesize
6KB

MD5
e84fac732c64ee99cfb450f8aa094563

SHA1
45da78a760e34cfd73db378f68edd6876a304f5f

SHA256
550e96a493ad93be10c5594291fde1fe2aaf947d7fcb71cc4171d83fc8ae2f62

SHA512
99b89e51d68e8e35d4d4dfcbe049880dfb19663029fcd6b325abd33fdcba2d3d72a3d6fce02128d65f6574706bd1877487bc3d8d97576a483d3d42ac34cd7542

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\prefs-1.js
Filesize
7KB

MD5
ca0018f13d1bb03e68e26a4ff4177363

SHA1
3af945b2a4949e65ff2be5342eac8a97751e7a45

SHA256
f7615edb45d1d0a125f01dfa4a469327c82c4f5bb16c76bcee0e3878b5f4565c

SHA512
b2b8f65b82fe82d602da71fff9d884fc39db0392b5fc61b809ce4680c8452d4818bba6918bf20bab92fd6ee3de786a5e29978078fb84b57154119e3050e64f23

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\prefs-1.js
Filesize
7KB

MD5
aea318f2511690f5572ee5d017d0491c

SHA1
4fb4197f843aaf3d3d676075b2f273aca19e2ace

SHA256
4b4a3f659e8352624a8a80de1ae219da128dfa96ed411c8427bb75409babdbc7

SHA512
d9607aa8da0b38e84473ca431ccc5bbcccc02b534c23c2fe1e99e980573f3119d43dd808db0f2e4f0fef45cd3e03ee04a3644fae049ede6e7acfa4f3ffd4d0b0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\prefs-1.js
Filesize
7KB

MD5
d46504a9956c1e1669022055566287e7

SHA1
60871d5197fd5439e1f415cda27b3ce2b8bb31fa

SHA256
01ed9e74b1ef3d67d331e74e1d14c3b8d2fdc2290c84e31a6418eb1359e08e67

SHA512
3365d656cf467a20208a0e893ee606c32716598714b6bc77d35d14507cbbd4bdcae7f52707033bec09f629002da3fffe28758c96dd8cca37d6c623a2f8cf0b2e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\prefs-1.js
Filesize
7KB

MD5
017339a8ec864a86dfd26a57155cde91

SHA1
d2e984499efdb4057e45ef5af584658077de5596

SHA256
852b433edc16db0e5f7eef187d6412d32e42d6234dc099703a3079b01ec599a6

SHA512
bc85decb3190c48a73b154add95546c866e13482bf787dd6d7d16e9dbbe39ee430698243735766f8863d3a80e15cfdf4e0777a530693860969ea3d7a57c6a404

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\prefs-1.js
Filesize
9KB

MD5
69eaae32be13651fcaac0acc35605b4f

SHA1
549787ea4a3626c76ad5f6f871b1ff25d9158a13

SHA256
a258c7f834c81589c74d1c5a8c1270c86a6a433ff3f486efa5799bfdc23c444f

SHA512
dee29871f6f673822ae39ee3ae26cc77c7fce42e09b580e7e5eedba5929377a74ce40d4ecedf044409ea0e192192167caf0851d1e0dd87a492ad8ffb6edc4e4b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\prefs-1.js
Filesize
7KB

MD5
1ed67ed1cfa14bc8c87c56d4daafc0f6

SHA1
0ffdef60df9c64bbb6799e79495d83944133228b

SHA256
5b0768eae5985f7a4b742db26c5b010eaea687bb0ba5aa0ddb4a374e40fe9402

SHA512
2de479766939e8df0a5663f26b035028fba9bfc19f9988640340a05d7a73db93593083c85f5a89973f2d213db9f0b59e14a8429e2497b5d5c4a0422416c0de63

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\prefs-1.js
Filesize
8KB

MD5
a339b7d37076c1a8511818efb902cef9

SHA1
17a265f2388a9558d7caf95d6a67f16b26f70297

SHA256
0b12c3b3a24ffcff8eb7608fa4548f7998a937ae97248233a6fdbfb202ef8901

SHA512
534f6dc7704eb7ba00291121d0bc7b401c17ced40c8ab574fb8afef5164f34bbd7484f63534cae0a0cf16ce728fffe699a2945cdbf342c967d0f9ee271fe4bbd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\prefs.js
Filesize
6KB

MD5
108b97b1ff7efbdb1aecce96d55ff2e5

SHA1
bb72b2e0c3d859fe5e821632307a32df331b55e1

SHA256
c5e19d4313b524fffc4859f4fac05ea3dcf408714a736dbd0bb7fcdf5131f80e

SHA512
e0f7678424e68957a1cb521786e9e4e54c179f9a263b04d0c6a96147cb1e242b58bda3e74e6f142dcd9b6dd313a0061c3050af334b149eab9a8040f923da84dc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\prefs.js
Filesize
6KB

MD5
108b97b1ff7efbdb1aecce96d55ff2e5

SHA1
bb72b2e0c3d859fe5e821632307a32df331b55e1

SHA256
c5e19d4313b524fffc4859f4fac05ea3dcf408714a736dbd0bb7fcdf5131f80e

SHA512
e0f7678424e68957a1cb521786e9e4e54c179f9a263b04d0c6a96147cb1e242b58bda3e74e6f142dcd9b6dd313a0061c3050af334b149eab9a8040f923da84dc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
3KB

MD5
391a6e29892b0beec412271849f8e345

SHA1
8c56abf90b9dcf31f5a0e734a5fab82b084d1953

SHA256
acf271c748ae49dbe9dde622d91642542e674665119560ee2943c94eda4834d2

SHA512
ce2e5e540b01459993724db16495021658d1e6a8ef5013fcb0267af848863c02149cdf14adc408a58b99239f0b95f5825dc75d61f2d9382a7db423e7c1ad029d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6exu9k4v.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
3KB

MD5
ad04bc7ade9ade07f1a4c13a1879c652

SHA1
4ad78c683c5748b4a4f9d59a64cf8a9d359572bf

SHA256
eb0ca0a287ec40db7b92c9eb0e3332f15e756f4e0b3ed1a439a4a4b588e07a3c

SHA512
5a6b7ddfe23db781265d55efcf05fe6e3522edee7b8b78ac02c93ef4e0c46f8b134ef7678b83c2dd3ad2257b6d60c452eb8cced04e026e2edb891aef55d3a7a8

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new
Filesize
13.7MB

MD5
2e72d3f95fc4b54dea556f1e2334bf6c

SHA1
d2c6eef99919ace077396e10ce4f8bf7797ffdf6

SHA256
8af0ee8d6a4fac89b0c38584af76ffdeae0faaffebe5a4d91a321f107abc205d

SHA512
e7ddc71982457713cbd4378129a1739b5f7f6fe1620c38ce01f9ef0aeaf0bb5a3473fdf6ffc534a2136e086485bfecc091784017b32adcc5d8266e37b81686ae

Download Submit
C:\Users\Admin\Desktop\@WanaDecryptor@.bmp
Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
C:\Users\Admin\Desktop\ConvertToWait.bat
Filesize
404KB

MD5
0f71f0c2cecffdc8c75b08190a2fd90f

SHA1
dd2c2f9c03925a49af36d9cf62ef8ad5aabb42c6

SHA256
fab75fd7889785d1a40c581b951d25c96903626740b30ecc8d44f4e1bfad3bd8

SHA512
2fc24a839506cfda893f305ba93a618cd511db0d7750627f055c1d0b162898c34f7af842802b60882424d79627329d3313849384e097c05d6c01418c83ad096a

Download Submit
C:\Users\Admin\Downloads\Downloadly.PYg0vSFW.zip.part
Filesize
15.4MB

MD5
fa4f62062e0cec23b5c1d8fe67f4be2f

SHA1
0735531f6e37a9807a1951d0d03b066b3949484b

SHA256
a88edca3b030046fe82e7add6da06311229c5c4f9396c30c04ab3f0b433eac6e

SHA512
0ffd333dc84ab8e4905fb76b3be69c7b9edba7f4eb72cc10efc82f6ae62d06c36227f4e8ada4f896e359e5ffc664d08caf76e15a40bd17e9384e73842e845995

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r.0Lg1zX7m.zip.part
Filesize
3.3MB

MD5
e58fdd8b0ce47bcb8ffd89f4499d186d

SHA1
b7e2334ac6e1ad75e3744661bb590a2d1da98b03

SHA256
283f40e9d550833bec101a24fd6fd6fbd9937ed32a51392e818ffff662a1d30a

SHA512
95b6567b373efa6aec6a9bfd7af70ded86f8c72d3e8ba75f756024817815b830f54d18143b0be6de335dd0ca0afe722f88a4684663be5a84946bd30343d43a8c

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r.zip
Filesize
3.3MB

MD5
e58fdd8b0ce47bcb8ffd89f4499d186d

SHA1
b7e2334ac6e1ad75e3744661bb590a2d1da98b03

SHA256
283f40e9d550833bec101a24fd6fd6fbd9937ed32a51392e818ffff662a1d30a

SHA512
95b6567b373efa6aec6a9bfd7af70ded86f8c72d3e8ba75f756024817815b830f54d18143b0be6de335dd0ca0afe722f88a4684663be5a84946bd30343d43a8c

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r\00000000.res
Filesize
136B

MD5
d1b6ca3e0e4d42bbf138209a3d9ad409

SHA1
5e1273243e1c8b2ed7962c34a1cb091d28565f3e

SHA256
9e4ca8acc2ae9113cd9b1858c8f1941e9c0737a5e895f6870f1c15ff5060f6c3

SHA512
db25199f605456aa7461092455b0bb30e90a49f6a562d7e3551f003893d5918620565b4ef9475f9e6b218de3f2f9de5de2f3f58bfdb8743277bbedcdb5fb9126

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r\259511685890850.bat
Filesize
348B

MD5
16a4cb5a158a7f698730b0b63fe9c53f

SHA1
c22fe5bbf3ee4509c185e493a799c0a9ac779c7e

SHA256
0d0541fff4b5c257cfa41cf2aab38ca207804e7bc3251d3aade104beca73b137

SHA512
4a8049b0ace11a074b8648ef9515fc06fb771ade4ab11fb6f123d6ff76cb581295f01de4c8b6c5eeb445d9f7c0dfcb1ebd6fadb08f56b4239d168d4bd1106afe

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r\@Please_Read_Me@.txt
Filesize
933B

MD5
7e6b6da7c61fcb66f3f30166871def5b

SHA1
00f699cf9bbc0308f6e101283eca15a7c566d4f9

SHA256
4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e

SHA512
e5a56137f325904e0c7de1d0df38745f733652214f0cdb6ef173fa0743a334f95bed274df79469e270c9208e6bdc2e6251ef0cdd81af20fa1897929663e2c7d3

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r\@WanaDecryptor@.exe
Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r\@WanaDecryptor@.exe
Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r\@WanaDecryptor@.exe
Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r\@WanaDecryptor@.exe
Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r\@WanaDecryptor@.exe
Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r\@WanaDecryptor@.exe.lnk
Filesize
696B

MD5
93bd5cff69fdf03046ef2bcb734fabe8

SHA1
c86aa60146801d50ef551332e5842ac78a8f1bac

SHA256
945fb994937a444ac00ff18b655e57e66d1e9283e2d9b473f67e6ce533bb3e99

SHA512
cae2c3dd5c12ff3f4088737752d0270a6d184ba70890f7c795fb3f8ed057e3a94d5651cc1947fa5a7b09fbabb757bf1ea5e54973c86d46a032147ef8b4d644e4

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r\Endermanch@WannaCrypt0r.exe
Filesize
3.4MB

MD5
84c82835a5d21bbcf75a61706d8ab549

SHA1
5ff465afaabcbf0150d1a3ab2c2e74f3a4426467

SHA256
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

SHA512
90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r\Endermanch@WannaCrypt0r.exe
Filesize
3.4MB

MD5
84c82835a5d21bbcf75a61706d8ab549

SHA1
5ff465afaabcbf0150d1a3ab2c2e74f3a4426467

SHA256
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

SHA512
90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r\TaskData\Tor\LIBEAY32.dll
Filesize
3.0MB

MD5
6ed47014c3bb259874d673fb3eaedc85

SHA1
c9b29ba7e8a97729c46143cc59332d7a7e9c1ad8

SHA256
58be53d5012b3f45c1ca6f4897bece4773efbe1ccbf0be460061c183ee14ca19

SHA512
3bc462d21bc762f6eec3d23bb57e2baf532807ab8b46fab1fe38a841e5fde81ed446e5305a78ad0d513d85419e6ec8c4b54985da1d6b198acb793230aeecd93e

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r\TaskData\Tor\SSLEAY32.dll
Filesize
694KB

MD5
a12c2040f6fddd34e7acb42f18dd6bdc

SHA1
d7db49f1a9870a4f52e1f31812938fdea89e9444

SHA256
bd70ba598316980833f78b05f7eeaef3e0f811a7c64196bf80901d155cb647c1

SHA512
fbe0970bcdfaa23af624daad9917a030d8f0b10d38d3e9c7808a9fbc02912ee9daed293dbdea87aa90dc74470bc9b89cb6f2fe002393ecda7b565307ffb7ec00

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r\TaskData\Tor\libevent-2-0-5.dll
Filesize
702KB

MD5
90f50a285efa5dd9c7fddce786bdef25

SHA1
54213da21542e11d656bb65db724105afe8be688

SHA256
77a250e81fdaf9a075b1244a9434c30bf449012c9b647b265fa81a7b0db2513f

SHA512
746422be51031cfa44dd9a6f3569306c34bbe8abf9d2bd1df139d9c938d0cba095c0e05222fd08c8b6deaebef5d3f87569b08fb3261a2d123d983517fb9f43ae

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r\TaskData\Tor\libssp-0.dll
Filesize
90KB

MD5
78581e243e2b41b17452da8d0b5b2a48

SHA1
eaefb59c31cf07e60a98af48c5348759586a61bb

SHA256
f28caebe9bc6aa5a72635acb4f0e24500494e306d8e8b2279e7930981281683f

SHA512
332098113ce3f75cb20dc6e09f0d7ba03f13f5e26512d9f3bee3042c51fbb01a5e4426c5e9a5308f7f805b084efc94c28fc9426ce73ab8dfee16ab39b3efe02a

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r\TaskData\Tor\ssleay32.dll
Filesize
694KB

MD5
a12c2040f6fddd34e7acb42f18dd6bdc

SHA1
d7db49f1a9870a4f52e1f31812938fdea89e9444

SHA256
bd70ba598316980833f78b05f7eeaef3e0f811a7c64196bf80901d155cb647c1

SHA512
fbe0970bcdfaa23af624daad9917a030d8f0b10d38d3e9c7808a9fbc02912ee9daed293dbdea87aa90dc74470bc9b89cb6f2fe002393ecda7b565307ffb7ec00

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r\TaskData\Tor\taskhsvc.exe
Filesize
3.0MB

MD5
fe7eb54691ad6e6af77f8a9a0b6de26d

SHA1
53912d33bec3375153b7e4e68b78d66dab62671a

SHA256
e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb

SHA512
8ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r\TaskData\Tor\taskhsvc.exe
Filesize
3.0MB

MD5
fe7eb54691ad6e6af77f8a9a0b6de26d

SHA1
53912d33bec3375153b7e4e68b78d66dab62671a

SHA256
e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb

SHA512
8ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r\TaskData\Tor\tor.exe
Filesize
3.0MB

MD5
fe7eb54691ad6e6af77f8a9a0b6de26d

SHA1
53912d33bec3375153b7e4e68b78d66dab62671a

SHA256
e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb

SHA512
8ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r\TaskData\Tor\zlib1.dll
Filesize
105KB

MD5
fb072e9f69afdb57179f59b512f828a4

SHA1
fe71b70173e46ee4e3796db9139f77dc32d2f846

SHA256
66d653397cbb2dbb397eb8421218e2c126b359a3b0decc0f31e297df099e1383

SHA512
9d157fece0dc18afe30097d9c4178ae147cc9d465a6f1d35778e1bff1efca4734dd096e95d35faea32da8d8b4560382338ba9c6c40f29047f1cc0954b27c64f8

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r\b.wnry
Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r\c.wnry
Filesize
780B

MD5
93f33b83f1f263e2419006d6026e7bc1

SHA1
1a4b36c56430a56af2e0ecabd754bf00067ce488

SHA256
ef0ed0b717d1b956eb6c42ba1f4fd2283cf7c8416bed0afd1e8805ee0502f2b4

SHA512
45bdd1a9a3118ee4d3469ee65a7a8fdb0f9315ca417821db058028ffb0ed145209f975232a9e64aba1c02b9664c854232221eb041d09231c330ae510f638afac

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r\c.wnry
Filesize
780B

MD5
30e0f36674ee9d40d3d1842444767e20

SHA1
b7f964a71f1f92d605a78e7dc4113109ea464c80

SHA256
a07e7790a92060d62c7a5adc0cf8a9c1fed4ce8b17db589eaa02985dde44c4fe

SHA512
2e103bad68bea935f0538c04cc8556b3453774f90995f2aa7262ad42636246c91b3a20f754cde89d752bce77227dad42427a6e70e527db6f41bce75e488abde7

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r\m.vbs
Filesize
227B

MD5
93e7789ba451ff2677469765ae70f4c5

SHA1
ae58d6905d8de2541de0b54bc405bba0d04072c7

SHA256
365e4a23210e544d4b0df2cc58b74595d5bf19d7b42097da13f5abf6472d5bbe

SHA512
1417fa2c57b3abc4a8c545835cfb623a38d1fcb7e81f6065d0fd80ab70dd6a3f4a104037a6f6212d4e61115e74792acc1d56836c2f7d228b595650f5be39debc

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r\msg\m_bulgarian.wnry
Filesize
46KB

MD5
95673b0f968c0f55b32204361940d184

SHA1
81e427d15a1a826b93e91c3d2fa65221c8ca9cff

SHA256
40b37e7b80cf678d7dd302aaf41b88135ade6ddf44d89bdba19cf171564444bd

SHA512
7601f1883edbb4150a9dc17084012323b3bfa66f6d19d3d0355cf82b6a1c9dce475d758da18b6d17a8b321bf6fca20915224dbaedcb3f4d16abfaf7a5fc21b92

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r\msg\m_chinese (simplified).wnry
Filesize
53KB

MD5
0252d45ca21c8e43c9742285c48e91ad

SHA1
5c14551d2736eef3a1c1970cc492206e531703c1

SHA256
845d0e178aeebd6c7e2a2e9697b2bf6cf02028c50c288b3ba88fe2918ea2834a

SHA512
1bfcf6c0e7c977d777f12bd20ac347630999c4d99bd706b40de7ff8f2f52e02560d68093142cc93722095657807a1480ce3fb6a2e000c488550548c497998755

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r\msg\m_chinese (traditional).wnry
Filesize
77KB

MD5
2efc3690d67cd073a9406a25005f7cea

SHA1
52c07f98870eabace6ec370b7eb562751e8067e9

SHA256
5c7f6ad1ec4bc2c8e2c9c126633215daba7de731ac8b12be10ca157417c97f3a

SHA512
0766c58e64d9cda5328e00b86f8482316e944aa2c26523a3c37289e22c34be4b70937033bebdb217f675e40db9fecdce0a0d516f9065a170e28286c2d218487c

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r\msg\m_croatian.wnry
Filesize
38KB

MD5
17194003fa70ce477326ce2f6deeb270

SHA1
e325988f68d327743926ea317abb9882f347fa73

SHA256
3f33734b2d34cce83936ce99c3494cd845f1d2c02d7f6da31d42dfc1ca15a171

SHA512
dcf4ccf0b352a8b271827b3b8e181f7d6502ca0f8c9dda3dc6e53441bb4ae6e77b49c9c947cc3ede0bf323f09140a0c068a907f3c23ea2a8495d1ad96820051c

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r\msg\m_czech.wnry
Filesize
39KB

MD5
537efeecdfa94cc421e58fd82a58ba9e

SHA1
3609456e16bc16ba447979f3aa69221290ec17d0

SHA256
5afa4753afa048c6d6c39327ce674f27f5f6e5d3f2a060b7a8aed61725481150

SHA512
e007786ffa09ccd5a24e5c6504c8de444929a2faaafad3712367c05615b7e1b0fbf7fbfff7028ed3f832ce226957390d8bf54308870e9ed597948a838da1137b

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r\msg\m_danish.wnry
Filesize
36KB

MD5
2c5a3b81d5c4715b7bea01033367fcb5

SHA1
b548b45da8463e17199daafd34c23591f94e82cd

SHA256
a75bb44284b9db8d702692f84909a7e23f21141866adf3db888042e9109a1cb6

SHA512
490c5a892fac801b853c348477b1140755d4c53ca05726ac19d3649af4285c93523393a3667e209c71c80ac06ffd809f62dd69ae65012dcb00445d032f1277b3

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r\msg\m_dutch.wnry
Filesize
36KB

MD5
7a8d499407c6a647c03c4471a67eaad7

SHA1
d573b6ac8e7e04a05cbbd6b7f6a9842f371d343b

SHA256
2c95bef914da6c50d7bdedec601e589fbb4fda24c4863a7260f4f72bd025799c

SHA512
608ef3ff0a517fe1e70ff41aeb277821565c5a9bee5103aa5e45c68d4763fce507c2a34d810f4cd242d163181f8341d9a69e93fe32aded6fbc7f544c55743f12

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r\msg\m_english.wnry
Filesize
36KB

MD5
fe68c2dc0d2419b38f44d83f2fcf232e

SHA1
6c6e49949957215aa2f3dfb72207d249adf36283

SHA256
26fd072fda6e12f8c2d3292086ef0390785efa2c556e2a88bd4673102af703e5

SHA512
941fa0a1f6a5756ed54260994db6158a7ebeb9e18b5c8ca2f6530c579bc4455918df0b38c609f501ca466b3cc067b40e4b861ad6513373b483b36338ae20a810

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r\msg\m_filipino.wnry
Filesize
36KB

MD5
08b9e69b57e4c9b966664f8e1c27ab09

SHA1
2da1025bbbfb3cd308070765fc0893a48e5a85fa

SHA256
d8489f8c16318e524b45de8b35d7e2c3cd8ed4821c136f12f5ef3c9fc3321324

SHA512
966b5ed68be6b5ccd46e0de1fa868cfe5432d9bf82e1e2f6eb99b2aef3c92f88d96f4f4eec5e16381b9c6db80a68071e7124ca1474d664bdd77e1817ec600cb4

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r\msg\m_finnish.wnry
Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r\msg\m_finnish.wnry
Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r\msg\m_french.wnry
Filesize
37KB

MD5
4e57113a6bf6b88fdd32782a4a381274

SHA1
0fccbc91f0f94453d91670c6794f71348711061d

SHA256
9bd38110e6523547aed50617ddc77d0920d408faeed2b7a21ab163fda22177bc

SHA512
4f1918a12269c654d44e9d394bc209ef0bc32242be8833a2fba437b879125177e149f56f2fb0c302330dec328139b34982c04b3fefb045612b6cc9f83ec85aa9

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r\msg\m_german.wnry
Filesize
36KB

MD5
3d59bbb5553fe03a89f817819540f469

SHA1
26781d4b06ff704800b463d0f1fca3afd923a9fe

SHA256
2adc900fafa9938d85ce53cb793271f37af40cf499bcc454f44975db533f0b61

SHA512
95719ae80589f71209bb3cb953276538040e7111b994d757b0a24283aefe27aadbbe9eef3f1f823ce4cabc1090946d4a2a558607ac6cac6faca5971529b34dac

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r\msg\m_greek.wnry
Filesize
47KB

MD5
fb4e8718fea95bb7479727fde80cb424

SHA1
1088c7653cba385fe994e9ae34a6595898f20aeb

SHA256
e13cc9b13aa5074dc45d50379eceb17ee39a0c2531ab617d93800fe236758ca9

SHA512
24db377af1569e4e2b2ebccec42564cea95a30f1ff43bcaf25a692f99567e027bcef4aacef008ec5f64ea2eef0c04be88d2b30bcadabb3919b5f45a6633940cb

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r\msg\m_indonesian.wnry
Filesize
36KB

MD5
3788f91c694dfc48e12417ce93356b0f

SHA1
eb3b87f7f654b604daf3484da9e02ca6c4ea98b7

SHA256
23e5e738aad10fb8ef89aa0285269aff728070080158fd3e7792fe9ed47c51f4

SHA512
b7dd9e6dc7c2d023ff958caf132f0544c76fae3b2d8e49753257676cc541735807b4befdf483bcae94c2dcde3c878c783b4a89dca0fecbc78f5bbf7c356f35cd

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r\msg\m_italian.wnry
Filesize
36KB

MD5
30a200f78498990095b36f574b6e8690

SHA1
c4b1b3c087bd12b063e98bca464cd05f3f7b7882

SHA256
49f2c739e7d9745c0834dc817a71bf6676ccc24a4c28dcddf8844093aab3df07

SHA512
c0da2aae82c397f6943a0a7b838f60eeef8f57192c5f498f2ecf05db824cfeb6d6ca830bf3715da7ee400aa8362bd64dc835298f3f0085ae7a744e6e6c690511

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r\msg\m_japanese.wnry
Filesize
79KB

MD5
b77e1221f7ecd0b5d696cb66cda1609e

SHA1
51eb7a254a33d05edf188ded653005dc82de8a46

SHA256
7e491e7b48d6e34f916624c1cda9f024e86fcbec56acda35e27fa99d530d017e

SHA512
f435fd67954787e6b87460db026759410fbd25b2f6ea758118749c113a50192446861a114358443a129be817020b50f21d27b1ebd3d22c7be62082e8b45223fc

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r\msg\m_korean.wnry
Filesize
89KB

MD5
6735cb43fe44832b061eeb3f5956b099

SHA1
d636daf64d524f81367ea92fdafa3726c909bee1

SHA256
552aa0f82f37c9601114974228d4fc54f7434fe3ae7a276ef1ae98a0f608f1d0

SHA512
60272801909dbba21578b22c49f6b0ba8cd0070f116476ff35b3ac8347b987790e4cc0334724244c4b13415a246e77a577230029e4561ae6f04a598c3f536c7e

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r\msg\m_latvian.wnry
Filesize
40KB

MD5
c33afb4ecc04ee1bcc6975bea49abe40

SHA1
fbea4f170507cde02b839527ef50b7ec74b4821f

SHA256
a0356696877f2d94d645ae2df6ce6b370bd5c0d6db3d36def44e714525de0536

SHA512
0d435f0836f61a5ff55b78c02fa47b191e5807a79d8a6e991f3115743df2141b3db42ba8bdad9ad259e12f5800828e9e72d7c94a6a5259312a447d669b03ec44

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r\msg\m_norwegian.wnry
Filesize
36KB

MD5
ff70cc7c00951084175d12128ce02399

SHA1
75ad3b1ad4fb14813882d88e952208c648f1fd18

SHA256
cb5da96b3dfcf4394713623dbf3831b2a0b8be63987f563e1c32edeb74cb6c3a

SHA512
f01df3256d49325e5ec49fd265aa3f176020c8ffec60eb1d828c75a3fa18ff8634e1de824d77dfdd833768acff1f547303104620c70066a2708654a07ef22e19

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r\msg\m_polish.wnry
Filesize
38KB

MD5
e79d7f2833a9c2e2553c7fe04a1b63f4

SHA1
3d9f56d2381b8fe16042aa7c4feb1b33f2baebff

SHA256
519ad66009a6c127400c6c09e079903223bd82ecc18ad71b8e5cd79f5f9c053e

SHA512
e0159c753491cac7606a7250f332e87bc6b14876bc7a1cf5625fa56ab4f09c485f7b231dd52e4ff0f5f3c29862afb1124c0efd0741613eb97a83cbe2668af5de

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r\msg\m_portuguese.wnry
Filesize
37KB

MD5
fa948f7d8dfb21ceddd6794f2d56b44f

SHA1
ca915fbe020caa88dd776d89632d7866f660fc7a

SHA256
bd9f4b3aedf4f81f37ec0a028aabcb0e9a900e6b4de04e9271c8db81432e2a66

SHA512
0d211bfb0ae953081dca00cd07f8c908c174fd6c47a8001fadc614203f0e55d9fbb7fa9b87c735d57101341ab36af443918ee00737ed4c19ace0a2b85497f41a

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r\msg\m_romanian.wnry
Filesize
50KB

MD5
313e0ececd24f4fa1504118a11bc7986

SHA1
e1b9ae804c7fb1d27f39db18dc0647bb04e75e9d

SHA256
70c0f32ed379ae899e5ac975e20bbbacd295cf7cd50c36174d2602420c770ac1

SHA512
c7500363c61baf8b77fce796d750f8f5e6886ff0a10f81c3240ea3ad4e5f101b597490dea8ab6bd9193457d35d8fd579fce1b88a1c8d85ebe96c66d909630730

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r\msg\m_russian.wnry
Filesize
46KB

MD5
452615db2336d60af7e2057481e4cab5

SHA1
442e31f6556b3d7de6eb85fbac3d2957b7f5eac6

SHA256
02932052fafe97e6acaaf9f391738a3a826f5434b1a013abbfa7a6c1ade1e078

SHA512
7613dc329abe7a3f32164c9a6b660f209a84b774ab9c008bf6503c76255b30ea9a743a6dc49a8de8df0bcb9aea5a33f7408ba27848d9562583ff51991910911f

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r\msg\m_slovak.wnry
Filesize
40KB

MD5
c911aba4ab1da6c28cf86338ab2ab6cc

SHA1
fee0fd58b8efe76077620d8abc7500dbfef7c5b0

SHA256
e64178e339c8e10eac17a236a67b892d0447eb67b1dcd149763dad6fd9f72729

SHA512
3491ed285a091a123a1a6d61aafbb8d5621ccc9e045a237a2f9c2cf6049e7420eb96ef30fdcea856b50454436e2ec468770f8d585752d73fafd676c4ef5e800a

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r\msg\m_spanish.wnry
Filesize
36KB

MD5
8d61648d34cba8ae9d1e2a219019add1

SHA1
2091e42fc17a0cc2f235650f7aad87abf8ba22c2

SHA256
72f20024b2f69b45a1391f0a6474e9f6349625ce329f5444aec7401fe31f8de1

SHA512
68489c33ba89edfe2e3aebaacf8ef848d2ea88dcbef9609c258662605e02d12cfa4ffdc1d266fc5878488e296d2848b2cb0bbd45f1e86ef959bab6162d284079

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r\msg\m_swedish.wnry
Filesize
37KB

MD5
c7a19984eb9f37198652eaf2fd1ee25c

SHA1
06eafed025cf8c4d76966bf382ab0c5e1bd6a0ae

SHA256
146f61db72297c9c0facffd560487f8d6a2846ecec92ecc7db19c8d618dbc3a4

SHA512
43dd159f9c2eac147cbff1dda83f6a83dd0c59d2d7acac35ba8b407a04ec9a1110a6a8737535d060d100ede1cb75078cf742c383948c9d4037ef459d150f6020

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r\msg\m_turkish.wnry
Filesize
41KB

MD5
531ba6b1a5460fc9446946f91cc8c94b

SHA1
cc56978681bd546fd82d87926b5d9905c92a5803

SHA256
6db650836d64350bbde2ab324407b8e474fc041098c41ecac6fd77d632a36415

SHA512
ef25c3cf4343df85954114f59933c7cc8107266c8bcac3b5ea7718eb74dbee8ca8a02da39057e6ef26b64f1dfccd720dd3bf473f5ae340ba56941e87d6b796c9

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r\msg\m_vietnamese.wnry
Filesize
91KB

MD5
8419be28a0dcec3f55823620922b00fa

SHA1
2e4791f9cdfca8abf345d606f313d22b36c46b92

SHA256
1f21838b244c80f8bed6f6977aa8a557b419cf22ba35b1fd4bf0f98989c5bdf8

SHA512
8fca77e54480aea3c0c7a705263ed8fb83c58974f5f0f62f12cc97c8e0506ba2cdb59b70e59e9a6c44dd7cde6adeeec35b494d31a6a146ff5ba7006136ab9386

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r\r.wnry
Filesize
864B

MD5
3e0020fc529b1c2a061016dd2469ba96

SHA1
c3a91c22b63f6fe709e7c29cafb29a2ee83e6ade

SHA256
402751fa49e0cb68fe052cb3db87b05e71c1d950984d339940cf6b29409f2a7c

SHA512
5ca3c134201ed39d96d72911c0498bae6f98701513fd7f1dc8512819b673f0ea580510fa94ed9413ccc73da18b39903772a7cbfa3478176181cee68c896e14cf

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r\s.wnry
Filesize
2.9MB

MD5
ad4c9de7c8c40813f200ba1c2fa33083

SHA1
d1af27518d455d432b62d73c6a1497d032f6120e

SHA256
e18fdd912dfe5b45776e68d578c3af3547886cf1353d7086c8bee037436dff4b

SHA512
115733d08e5f1a514808a20b070db7ff453fd149865f49c04365a8c6502fa1e5c3a31da3e21f688ab040f583cf1224a544aea9708ffab21405dde1c57f98e617

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r\t.wnry
Filesize
64KB

MD5
5dcaac857e695a65f5c3ef1441a73a8f

SHA1
7b10aaeee05e7a1efb43d9f837e9356ad55c07dd

SHA256
97ebce49b14c46bebc9ec2448d00e1e397123b256e2be9eba5140688e7bc0ae6

SHA512
06eb5e49d19b71a99770d1b11a5bb64a54bf3352f36e39a153469e54205075c203b08128dc2317259db206ab5323bdd93aaa252a066f57fb5c52ff28deedb5e2

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r\taskdl.exe
Filesize
20KB

MD5
4fef5e34143e646dbf9907c4374276f5

SHA1
47a9ad4125b6bd7c55e4e7da251e23f089407b8f

SHA256
4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79

SHA512
4550dd1787deb353ebd28363dd2cdccca861f6a5d9358120fa6aa23baa478b2a9eb43cef5e3f6426f708a0753491710ac05483fac4a046c26bec4234122434d5

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r\taskdl.exe
Filesize
20KB

MD5
4fef5e34143e646dbf9907c4374276f5

SHA1
47a9ad4125b6bd7c55e4e7da251e23f089407b8f

SHA256
4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79

SHA512
4550dd1787deb353ebd28363dd2cdccca861f6a5d9358120fa6aa23baa478b2a9eb43cef5e3f6426f708a0753491710ac05483fac4a046c26bec4234122434d5

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r\taskdl.exe
Filesize
20KB

MD5
4fef5e34143e646dbf9907c4374276f5

SHA1
47a9ad4125b6bd7c55e4e7da251e23f089407b8f

SHA256
4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79

SHA512
4550dd1787deb353ebd28363dd2cdccca861f6a5d9358120fa6aa23baa478b2a9eb43cef5e3f6426f708a0753491710ac05483fac4a046c26bec4234122434d5

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r\taskse.exe
Filesize
20KB

MD5
8495400f199ac77853c53b5a3f278f3e

SHA1
be5d6279874da315e3080b06083757aad9b32c23

SHA256
2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d

SHA512
0669c524a295a049fa4629b26f89788b2a74e1840bcdc50e093a0bd40830dd1279c9597937301c0072db6ece70adee4ace67c3c8a4fb2db6deafd8f1e887abe4

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r\taskse.exe
Filesize
20KB

MD5
8495400f199ac77853c53b5a3f278f3e

SHA1
be5d6279874da315e3080b06083757aad9b32c23

SHA256
2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d

SHA512
0669c524a295a049fa4629b26f89788b2a74e1840bcdc50e093a0bd40830dd1279c9597937301c0072db6ece70adee4ace67c3c8a4fb2db6deafd8f1e887abe4

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r\u.wnry
Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\Users\Admin\Programs\Downloadly\AppIcon\is-22DVA.tmp
Filesize
1KB

MD5
ef3196810ccbb9b420984f639e0a009e

SHA1
fe7c82725b85f1222dd5181194c72796e110853b

SHA256
36d760a90fb9c1fd039a03f5edcb3c73189923fbdc5485c9c26a05ba5d5459fe

SHA512
1504cb248cc13ecf6211ca0fe406a84f33361c8dc8098d7cb6b5e1fd52e581a56269795585de5c3eadcc2b314a4d98f13cd3ac0c66be5fea10e8b32993d39977

Download Submit
C:\Users\Admin\Programs\Downloadly\AppIcon\is-2353J.tmp
Filesize
1KB

MD5
f4b7c9c507af6d9de20ed78582a90a91

SHA1
0a98c88184c94a2f992d9e3401b4e4c83b8eed10

SHA256
4924b23542aacdc3b38983c81f72e638e2a4b7f9ea6d6d592f245f9dee3410c5

SHA512
7fbf5254977ff71ddcbb5a7e1a81b2fde056016948f844c1362909a2e5b24838ed08c2615a1a7ee2b5b00f217250dfbd5cf8669a3b09c257ee9e8b516d00103d

Download Submit
C:\Users\Admin\Programs\Downloadly\AppIcon\is-3BP28.tmp
Filesize
12KB

MD5
2e8e308b5c901c0aa0290a3b30e6bed1

SHA1
608d7afd5e546e017095f47fda446dcbbcc6a4d9

SHA256
f8f05802c5c2a03e92036e9a643d86e78d16dbc117cd533d6d67ddec2f39221b

SHA512
f28b0401a2d97f30593153b43301b4eca481be290358b639720414dcfa9194140b744d153e0136c674ff811bb1493e5c9800c0c61e7b115b27f916c61b65d144

Download Submit
C:\Users\Admin\Programs\Downloadly\AppIcon\is-8LA8D.tmp
Filesize
16KB

MD5
d955bdc7b17178da128b59d6ad83ae32

SHA1
6d4cc087ba1f878e08b3d7b1c6f58ae27958b805

SHA256
f0dda9fae609e34cf1aa88b2b4cead5a799dca805709ed706d01616c68659d09

SHA512
9155b79de55c35485d58a00507ba8bf9d384808572fe40a6c2e019a05dcbf0a767cf20d6937f0c4b847c4d41a945b4778a38e6b72f280655dd72b4073036c502

Download Submit
C:\Users\Admin\Programs\Downloadly\AppIcon\is-BAJCB.tmp
Filesize
2KB

MD5
01de5d686677df544a6fd70a7b90a8fd

SHA1
5af89e63f317417e19e28fd37accf33c445b15f9

SHA256
0396c1757a062004134f1ac8454beecdd744a9491562da29b11c8458ca5610fb

SHA512
d17b9188013997dd567ea88028d180ac6f4701c39b9e96ad7ce1c7ac1fd1f81bd24a854ca1df72b57794da0d4d29d8340851b9f5e02870e6ae27f74a81104767

Download Submit
C:\Users\Admin\Programs\Downloadly\AppIcon\is-C5BHR.tmp
Filesize
16KB

MD5
228fa270f6301a9a90146144e2619404

SHA1
aa763e31e971dcf9d5a66283feaa5e20dbb3e645

SHA256
9cf75299ed7bd8acf23833948871556c64b1042d9cb83157f3fc478cf0e27e15

SHA512
800cfb7dc4def975652fda898c70afa3f4b039e038b0d4fbee71bf7ef4e13f3920483aac9ec381b1292448afd8a3c3aef3f5395f5a49b6855bf39111335d5c47

Download Submit
C:\Users\Admin\Programs\Downloadly\AppIcon\is-DDRO3.tmp
Filesize
18KB

MD5
1ec846839f3ae089b3f561285f0ba4ab

SHA1
6d58a7d6b4ad438ead6a34350e22e65440ab66db

SHA256
a980deeb7c5eaf533ff9175a6d81eeedd4bb00847ec8b01368ceb1584de7e2ca

SHA512
ba2fa3477355e96176138cddc55c76850ece290700e5f83670986f5a2c9a4e47cc56fccd3cb4eb5c9d48658b2bf89c76be6824cd619a98d7746024514b74e567

Download Submit
C:\Users\Admin\Programs\Downloadly\AppIcon\is-DUI6C.tmp
Filesize
1KB

MD5
ecc683bddac2a274b3822fb299623815

SHA1
ccd065a5e4343404a98b5cc551928dc8ae1e3940

SHA256
c5bbff25e522b7312ee967dbe7ec18a289394d2a77fe46a8517087a01ce6d9de

SHA512
d1c442858fcd9866d31a412a3686ca34fe0ce7f15a00328b1686110d1fc1671cb862a18cfd71f6e7da1019db111610aae0ac4ad562b1cc5419981405d4c33b19

Download Submit
C:\Users\Admin\Programs\Downloadly\AppIcon\is-KJD8P.tmp
Filesize
14KB

MD5
cf12a1da8373b2c90361cc1f13f9e6aa

SHA1
e9d8de8b53220868723657425142a5c8d2954a05

SHA256
8dc598a59dffa5b6024811cf467fe9d88bdab4dce3e94de245f19d2273f7050e

SHA512
1fbc3fd3b30314b4233bb76fd97abf2452d05cbc66e104ab77a6a2a2d5bd2adc9196fe8a80110ffc7bdde181e7283d10438fdb43a9ec9505f38b61a09113e102

Download Submit
C:\Users\Admin\Programs\Downloadly\AppIcon\is-N3GO4.tmp
Filesize
3KB

MD5
3387dda8a9109717168b2691a8c5bdd9

SHA1
ede213dc7dc627177aca420745a883b4cc1fde13

SHA256
99c2bab37ee04bc9dc210bef0365120ceb55f7d2f859eb1823c1a9d23ad75482

SHA512
581f0fe668584b5872cbc64e03296090ba323d83d250cee9aa65430cffb35c1dc367c04245f7f89643c752cfc3b8a681fa7a842355d52da1e98e1708c6749ff9

Download Submit
C:\Users\Admin\Programs\Downloadly\AppIcon\is-O6O1B.tmp
Filesize
3KB

MD5
245e584e67c2032c660d66ed102eb68d

SHA1
9cfad8ad3a515b06b65a1b07eced8ad5b376c7b5

SHA256
ad3344c9b740e7e7bace6945672d5c4da2274f9aecde21dd461e6ba5d14c08ec

SHA512
44afd1841157f205eaa3921e328fc31c6a61f2b6eb0e92b8526bda22998e1969ec302cc6c04dea9e5eb7b821ee8bacb4024b37a9457a24c81ada8a3268c5625a

Download Submit
C:\Users\Admin\Programs\Downloadly\AppIcon\is-Q0DVH.tmp
Filesize
11KB

MD5
0419ffcb2cd483e86b2d412336d470fe

SHA1
9bce4c7515051617152bd55bdd478729abbe9150

SHA256
9f01dbde78d4f798d181920f98d050d9a685f3daa2662523a821f27021b7195d

SHA512
ba5894eb0313124125341c8c6699d7f5932d8054ad1ce04bd5a7190bc2707a7cb275118b5c31acade2fd921abb3c403cc83d99f80ace30116e53986ebcf93d22

Download Submit
C:\Users\Admin\Programs\Downloadly\AppIcon\is-SEU81.tmp
Filesize
2KB

MD5
e965d25284a2df1c52484417fc3d3c4e

SHA1
c50d815e8556390e2a8a0f2f4e7e74db91f9fd6c

SHA256
08a0b016fe0670b579f9c99edfaa58b67241d32fa15a65cf0f0f88ed6bc15f49

SHA512
c80f49c1d4b8ecd7d6b9ad71e05a3ae062b23eaf93473f88e0b6be342b15a4c6ba08e6ec477fddb8ec88e2193baddb4f423efe9973519aa2f8ed407aec1d9d46

Download Submit
C:\Users\Admin\Programs\Downloadly\Downloadly.exe
Filesize
526KB

MD5
c64463e64b12c0362c622176c404b6af

SHA1
7002acb1bc1f23af70a473f1394d51e77b2835e4

SHA256
140dcfc3bde8405d26cfe50e08de2a084fb3be7cf33894463a182e12001f5ce7

SHA512
facd1c639196d36981c89048c4e9ccf5f4e2a57b37efc4404af6cafb3ec98954fe5695b0d3a3ee200b849d45d3718b52cce0af48efba7c23b1f4613bcaa35c0a

Download Submit
C:\Users\Admin\Programs\Downloadly\Downloadly.exe
Filesize
536KB

MD5
9e1e1786225710dc73f330cc7f711603

SHA1
b9214d56f15254ca24706d71c1e003440067fd8c

SHA256
bd19ac814c4ff0e67a9e40e35df8abd7f12ffaa6ebefaa83344d553d7f007166

SHA512
6398a6a14c57210dc61ed1b79ead4898df2eb9cea00e431c39fc4fb9a5442c2dc83272a22ca1d0c7819c9b3a12316f08e09e93c2594d51d7e7e257f587a04bef

Download Submit
C:\Users\Admin\Programs\Downloadly\MassiveInstaller.exe
Filesize
10.8MB

MD5
df851a46df574a7ddf3d79f20b3a8d70

SHA1
99ab5b3959ee37fcff5145f120c4d2f6c2c2c388

SHA256
02bdde9831c72990fad44ee43602215ec1a66f2cf25c8b012772be5af8142904

SHA512
3b67917c3473e8fcd7bd6a026315927f552a00ba170cb1e5a5f355fca2238ccef3e1baf019411bd0a9ab4090a085733e58ea56acec4fbf90b60c05b06ba0feb6

Download Submit
C:\Users\Admin\Programs\Downloadly\is-GH204.tmp
Filesize
4KB

MD5
894f0bab00555ff07b8a97a05ef659fc

SHA1
e3a469e2654ab2630e13243b432abdbcd269836c

SHA256
6b56cc5c8bbc5cad7f55212643ed4a7408b43fa297642f250a05d3a59be21a8f

SHA512
697673191d1491652d0d42ca727b1be11cdf59ab11fe3330bdea8134de3ae32f4e83482c09e588b5b542ed869e1e5dc9e1094533b666d30f28b298f9046e8785

Download Submit
C:\Users\Admin\Programs\Downloadly\is-NCGBH.tmp
Filesize
3.0MB

MD5
8097152e93a43ead7dc59cc88ea73017

SHA1
b21d9f73ecf57174ce8ec5091e60c3a653f97ecd

SHA256
5a522e16c4b9be7d757585c811e2b7b4eab6592aed1fbc807d4154974b7bb98f

SHA512
d885a2ecba46c324c05d63b5482d604429556fe864202b1127866f2798ead67228390fb730d44ccef205c8103129d89d88a9541a4657d55c01373f8db50f7b23

Download Submit
C:\Users\Default\Desktop\@WanaDecryptor@.bmp
Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
memory/1172-3398-0x00000000004F0000-0x00000000007EE000-memory.dmp

Filesize
3.0MB

Download
memory/1172-3800-0x00000000004F0000-0x00000000007EE000-memory.dmp

Filesize
3.0MB

Download
memory/1172-3504-0x00000000004F0000-0x00000000007EE000-memory.dmp

Filesize
3.0MB

Download
memory/1172-3401-0x0000000073B10000-0x0000000073B2C000-memory.dmp

Filesize
112KB

Download
memory/1172-4322-0x0000000073180000-0x000000007339C000-memory.dmp

Filesize
2.1MB

Download
memory/1172-4317-0x00000000004F0000-0x00000000007EE000-memory.dmp

Filesize
3.0MB

Download
memory/1172-3402-0x0000000073150000-0x0000000073172000-memory.dmp

Filesize
136KB

Download
memory/1172-3404-0x00000000730D0000-0x0000000073147000-memory.dmp

Filesize
476KB

Download
memory/1172-4002-0x00000000004F0000-0x00000000007EE000-memory.dmp

Filesize
3.0MB

Download
memory/1172-3334-0x0000000073430000-0x00000000734B2000-memory.dmp

Filesize
520KB

Download
memory/1172-3741-0x00000000004F0000-0x00000000007EE000-memory.dmp

Filesize
3.0MB

Download
memory/1172-3746-0x0000000073180000-0x000000007339C000-memory.dmp

Filesize
2.1MB

Download
memory/1172-3403-0x0000000073180000-0x000000007339C000-memory.dmp

Filesize
2.1MB

Download
memory/1172-3400-0x0000000073430000-0x00000000734B2000-memory.dmp

Filesize
520KB

Download
memory/1172-3399-0x00000000733A0000-0x0000000073422000-memory.dmp

Filesize
520KB

Download
memory/1172-3805-0x0000000073180000-0x000000007339C000-memory.dmp

Filesize
2.1MB

Download
memory/1172-3513-0x0000000073180000-0x000000007339C000-memory.dmp

Filesize
2.1MB

Download
memory/1172-3337-0x0000000073150000-0x0000000073172000-memory.dmp

Filesize
136KB

Download
memory/1172-3335-0x0000000073180000-0x000000007339C000-memory.dmp

Filesize
2.1MB

Download
memory/1172-3336-0x00000000733A0000-0x0000000073422000-memory.dmp

Filesize
520KB

Download
memory/1172-3338-0x00000000004F0000-0x00000000007EE000-memory.dmp

Filesize
3.0MB

Download
memory/1172-4116-0x00000000004F0000-0x00000000007EE000-memory.dmp

Filesize
3.0MB

Download
memory/1172-3882-0x00000000004F0000-0x00000000007EE000-memory.dmp

Filesize
3.0MB

Download
memory/1172-3887-0x0000000073180000-0x000000007339C000-memory.dmp

Filesize
2.1MB

Download
memory/1228-1609-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/2696-5440-0x0000000000D00000-0x0000000000D01000-memory.dmp

Filesize
4KB

Download
memory/4372-5747-0x0000000000C00000-0x0000000000C01000-memory.dmp

Filesize
4KB

Download
memory/5284-5661-0x000001C6F7540000-0x000001C6F7586000-memory.dmp

Filesize
280KB

Download
memory/5284-5703-0x000001C6F9060000-0x000001C6F9098000-memory.dmp

Filesize
224KB

Download
memory/5284-5718-0x000001C6F7F70000-0x000001C6F7F80000-memory.dmp

Filesize
64KB

Download
memory/5284-5695-0x000001C6F9030000-0x000001C6F9052000-memory.dmp

Filesize
136KB

Download
memory/5284-5720-0x000001C6F7F70000-0x000001C6F7F80000-memory.dmp

Filesize
64KB

Download
memory/5284-5702-0x000001C6F8110000-0x000001C6F8118000-memory.dmp

Filesize
32KB

Download
memory/5284-5672-0x000001C6F7F70000-0x000001C6F7F80000-memory.dmp

Filesize
64KB

Download
memory/5284-5694-0x000001C6F90E0000-0x000001C6F9190000-memory.dmp

Filesize
704KB

Download
memory/5284-5678-0x000001C6F75C0000-0x000001C6F75D0000-memory.dmp

Filesize
64KB

Download
memory/5284-5655-0x000001C6F5850000-0x000001C6F58D4000-memory.dmp

Filesize
528KB

Download
memory/5284-5671-0x000001C6F7F70000-0x000001C6F7F80000-memory.dmp

Filesize
64KB

Download
memory/5284-5704-0x000001C6F8120000-0x000001C6F812E000-memory.dmp

Filesize
56KB

Download
memory/5700-6676-0x00000000024B0000-0x00000000024B1000-memory.dmp

Filesize
4KB

Download
memory/5700-6446-0x00000000024B0000-0x00000000024B1000-memory.dmp

Filesize
4KB

Download
memory/6060-5867-0x0000000000BD0000-0x0000000000BD1000-memory.dmp

Filesize
4KB

Download