wannacry | hxxp://tathli[.]com

Analysis

max time kernel
730s
max time network
698s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
11-05-2024 09:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://tathli.com

Score

10^/10

wannacry defense_evasion execution impact persistence ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\!Please Read Me!.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions! �

Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Downloads MZ/PE file

Drops startup file 2 IoCs

Processes:

WannaCry.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD7A02.tmp	WannaCry.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD7A19.tmp	WannaCry.exe

Executes dropped EXE 25 IoCs

Processes:

WannaCry.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe

pid	process
4604	WannaCry.exe
4688	!WannaDecryptor!.exe
1668	!WannaDecryptor!.exe
5116	!WannaDecryptor!.exe
984	!WannaDecryptor!.exe
4340	!WannaDecryptor!.exe
4760	!WannaDecryptor!.exe
1224	!WannaDecryptor!.exe
4688	!WannaDecryptor!.exe
2504	!WannaDecryptor!.exe
464	!WannaDecryptor!.exe
1524	!WannaDecryptor!.exe
5112	!WannaDecryptor!.exe
1208	!WannaDecryptor!.exe
2484	!WannaDecryptor!.exe
3892	!WannaDecryptor!.exe
4948	!WannaDecryptor!.exe
4796	!WannaDecryptor!.exe
3580	!WannaDecryptor!.exe
700	!WannaDecryptor!.exe
1176	!WannaDecryptor!.exe
812	!WannaDecryptor!.exe
2580	!WannaDecryptor!.exe
5064	!WannaDecryptor!.exe
3316	!WannaDecryptor!.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

WannaCry.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\Downloads\\WannaCry.exe\" /r"	WannaCry.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

192 raw.githubusercontent.com
193 raw.githubusercontent.com

flow	ioc
192	raw.githubusercontent.com
193	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

!WannaDecryptor!.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp"	!WannaDecryptor!.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exeWINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Kills process with taskkill 7 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

3740 taskkill.exe
2284 taskkill.exe
3736 taskkill.exe
780 taskkill.exe
4440 taskkill.exe
4568 taskkill.exe
1652 taskkill.exe

pid	process
3740	taskkill.exe
2284	taskkill.exe
3736	taskkill.exe
780	taskkill.exe
4440	taskkill.exe
4568	taskkill.exe
1652	taskkill.exe

Modifies registry class 3 IoCs

Processes:

msedge.exeOpenWith.exetaskmgr.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2539840389-1261165778-1087677076-1000\{8FE203C6-2FC6-4E01-8FFC-512A0E97FCA3}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings	taskmgr.exe

NTFS ADS 1 IoCs

Processes:

msedge.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\Unconfirmed 525456.crdownload:SmartScreen msedge.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

3556 NOTEPAD.EXE
Runs regedit.exe 1 IoCs

Processes:

regedit.exe

pid process

4584 regedit.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

3820 WINWORD.EXE
3820 WINWORD.EXE

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 525456.crdownload:SmartScreen	msedge.exe

pid	process
3556	NOTEPAD.EXE

pid	process
4584	regedit.exe

pid	process
3820	WINWORD.EXE
3820	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exetaskmgr.exe

pid	process
2412	msedge.exe
2412	msedge.exe
5012	msedge.exe
5012	msedge.exe
3540	identity_helper.exe
3540	identity_helper.exe
4592	msedge.exe
4592	msedge.exe
940	msedge.exe
940	msedge.exe
940	msedge.exe
940	msedge.exe
888	msedge.exe
888	msedge.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

Processes:

OpenWith.exe!WannaDecryptor!.exeregedit.exe

pid process

2520 OpenWith.exe
984 !WannaDecryptor!.exe
4584 regedit.exe

pid	process
2520	OpenWith.exe
984	!WannaDecryptor!.exe
4584	regedit.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs

Processes:

msedge.exe

pid	process
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe

Suspicious use of AdjustPrivilegeToken 63 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exeWMIC.exevssvc.exesvchost.exeSystemSettingsAdminFlows.exeSystemSettingsAdminFlows.exetaskkill.exetaskkill.exetaskmgr.exe

description	pid	process
Token: SeDebugPrivilege	2284	taskkill.exe
Token: SeDebugPrivilege	3740	taskkill.exe
Token: SeDebugPrivilege	4568	taskkill.exe
Token: SeDebugPrivilege	1652	taskkill.exe
Token: SeIncreaseQuotaPrivilege	3756	WMIC.exe
Token: SeSecurityPrivilege	3756	WMIC.exe
Token: SeTakeOwnershipPrivilege	3756	WMIC.exe
Token: SeLoadDriverPrivilege	3756	WMIC.exe
Token: SeSystemProfilePrivilege	3756	WMIC.exe
Token: SeSystemtimePrivilege	3756	WMIC.exe
Token: SeProfSingleProcessPrivilege	3756	WMIC.exe
Token: SeIncBasePriorityPrivilege	3756	WMIC.exe
Token: SeCreatePagefilePrivilege	3756	WMIC.exe
Token: SeBackupPrivilege	3756	WMIC.exe
Token: SeRestorePrivilege	3756	WMIC.exe
Token: SeShutdownPrivilege	3756	WMIC.exe
Token: SeDebugPrivilege	3756	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3756	WMIC.exe
Token: SeRemoteShutdownPrivilege	3756	WMIC.exe
Token: SeUndockPrivilege	3756	WMIC.exe
Token: SeManageVolumePrivilege	3756	WMIC.exe
Token: 33	3756	WMIC.exe
Token: 34	3756	WMIC.exe
Token: 35	3756	WMIC.exe
Token: 36	3756	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3756	WMIC.exe
Token: SeSecurityPrivilege	3756	WMIC.exe
Token: SeTakeOwnershipPrivilege	3756	WMIC.exe
Token: SeLoadDriverPrivilege	3756	WMIC.exe
Token: SeSystemProfilePrivilege	3756	WMIC.exe
Token: SeSystemtimePrivilege	3756	WMIC.exe
Token: SeProfSingleProcessPrivilege	3756	WMIC.exe
Token: SeIncBasePriorityPrivilege	3756	WMIC.exe
Token: SeCreatePagefilePrivilege	3756	WMIC.exe
Token: SeBackupPrivilege	3756	WMIC.exe
Token: SeRestorePrivilege	3756	WMIC.exe
Token: SeShutdownPrivilege	3756	WMIC.exe
Token: SeDebugPrivilege	3756	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3756	WMIC.exe
Token: SeRemoteShutdownPrivilege	3756	WMIC.exe
Token: SeUndockPrivilege	3756	WMIC.exe
Token: SeManageVolumePrivilege	3756	WMIC.exe
Token: 33	3756	WMIC.exe
Token: 34	3756	WMIC.exe
Token: 35	3756	WMIC.exe
Token: 36	3756	WMIC.exe
Token: SeBackupPrivilege	768	vssvc.exe
Token: SeRestorePrivilege	768	vssvc.exe
Token: SeAuditPrivilege	768	vssvc.exe
Token: SeManageVolumePrivilege	3888	svchost.exe
Token: SeSystemtimePrivilege	3464	SystemSettingsAdminFlows.exe
Token: SeSystemtimePrivilege	3464	SystemSettingsAdminFlows.exe
Token: SeSystemtimePrivilege	4512	SystemSettingsAdminFlows.exe
Token: SeSystemtimePrivilege	4512	SystemSettingsAdminFlows.exe
Token: SeDebugPrivilege	3736	taskkill.exe
Token: SeDebugPrivilege	780	taskkill.exe
Token: SeDebugPrivilege	2284	taskmgr.exe
Token: SeSystemProfilePrivilege	2284	taskmgr.exe
Token: SeCreateGlobalPrivilege	2284	taskmgr.exe
Token: SeSecurityPrivilege	2284	taskmgr.exe
Token: SeTakeOwnershipPrivilege	2284	taskmgr.exe
Token: 33	2284	taskmgr.exe
Token: SeIncBasePriorityPrivilege	2284	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exe!WannaDecryptor!.exetaskmgr.exe

pid	process
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
984	!WannaDecryptor!.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

msedge.exetaskmgr.exe

pid	process
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
5012	msedge.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe
2284	taskmgr.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exeOpenWith.exeWINWORD.EXESystemSettingsAdminFlows.exeSystemSettingsAdminFlows.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe

pid	process
4688	!WannaDecryptor!.exe
4688	!WannaDecryptor!.exe
1668	!WannaDecryptor!.exe
1668	!WannaDecryptor!.exe
5116	!WannaDecryptor!.exe
5116	!WannaDecryptor!.exe
984	!WannaDecryptor!.exe
984	!WannaDecryptor!.exe
2520	OpenWith.exe
2520	OpenWith.exe
2520	OpenWith.exe
2520	OpenWith.exe
2520	OpenWith.exe
2520	OpenWith.exe
2520	OpenWith.exe
2520	OpenWith.exe
2520	OpenWith.exe
2520	OpenWith.exe
2520	OpenWith.exe
2520	OpenWith.exe
2520	OpenWith.exe
2520	OpenWith.exe
2520	OpenWith.exe
2520	OpenWith.exe
2520	OpenWith.exe
3820	WINWORD.EXE
3820	WINWORD.EXE
3820	WINWORD.EXE
3820	WINWORD.EXE
3820	WINWORD.EXE
3820	WINWORD.EXE
3820	WINWORD.EXE
3820	WINWORD.EXE
3820	WINWORD.EXE
3820	WINWORD.EXE
3820	WINWORD.EXE
3820	WINWORD.EXE
3464	SystemSettingsAdminFlows.exe
4512	SystemSettingsAdminFlows.exe
4340	!WannaDecryptor!.exe
4340	!WannaDecryptor!.exe
4760	!WannaDecryptor!.exe
4760	!WannaDecryptor!.exe
1224	!WannaDecryptor!.exe
1224	!WannaDecryptor!.exe
4688	!WannaDecryptor!.exe
4688	!WannaDecryptor!.exe
2504	!WannaDecryptor!.exe
2504	!WannaDecryptor!.exe
464	!WannaDecryptor!.exe
464	!WannaDecryptor!.exe
1524	!WannaDecryptor!.exe
1524	!WannaDecryptor!.exe
5112	!WannaDecryptor!.exe
5112	!WannaDecryptor!.exe
1208	!WannaDecryptor!.exe
1208	!WannaDecryptor!.exe
2484	!WannaDecryptor!.exe
2484	!WannaDecryptor!.exe
3892	!WannaDecryptor!.exe
3892	!WannaDecryptor!.exe
4948	!WannaDecryptor!.exe
4948	!WannaDecryptor!.exe
4796	!WannaDecryptor!.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 5012 wrote to memory of 4640	5012	msedge.exe	msedge.exe
PID 5012 wrote to memory of 4640	5012	msedge.exe	msedge.exe
PID 5012 wrote to memory of 2548	5012	msedge.exe	msedge.exe
PID 5012 wrote to memory of 2548	5012	msedge.exe	msedge.exe
PID 5012 wrote to memory of 2548	5012	msedge.exe	msedge.exe
PID 5012 wrote to memory of 2548	5012	msedge.exe	msedge.exe
PID 5012 wrote to memory of 2548	5012	msedge.exe	msedge.exe
PID 5012 wrote to memory of 2548	5012	msedge.exe	msedge.exe
PID 5012 wrote to memory of 2548	5012	msedge.exe	msedge.exe
PID 5012 wrote to memory of 2548	5012	msedge.exe	msedge.exe
PID 5012 wrote to memory of 2548	5012	msedge.exe	msedge.exe
PID 5012 wrote to memory of 2548	5012	msedge.exe	msedge.exe
PID 5012 wrote to memory of 2548	5012	msedge.exe	msedge.exe
PID 5012 wrote to memory of 2548	5012	msedge.exe	msedge.exe
PID 5012 wrote to memory of 2548	5012	msedge.exe	msedge.exe
PID 5012 wrote to memory of 2548	5012	msedge.exe	msedge.exe
PID 5012 wrote to memory of 2548	5012	msedge.exe	msedge.exe
PID 5012 wrote to memory of 2548	5012	msedge.exe	msedge.exe
PID 5012 wrote to memory of 2548	5012	msedge.exe	msedge.exe
PID 5012 wrote to memory of 2548	5012	msedge.exe	msedge.exe
PID 5012 wrote to memory of 2548	5012	msedge.exe	msedge.exe
PID 5012 wrote to memory of 2548	5012	msedge.exe	msedge.exe
PID 5012 wrote to memory of 2548	5012	msedge.exe	msedge.exe
PID 5012 wrote to memory of 2548	5012	msedge.exe	msedge.exe
PID 5012 wrote to memory of 2548	5012	msedge.exe	msedge.exe
PID 5012 wrote to memory of 2548	5012	msedge.exe	msedge.exe
PID 5012 wrote to memory of 2548	5012	msedge.exe	msedge.exe
PID 5012 wrote to memory of 2548	5012	msedge.exe	msedge.exe
PID 5012 wrote to memory of 2548	5012	msedge.exe	msedge.exe
PID 5012 wrote to memory of 2548	5012	msedge.exe	msedge.exe
PID 5012 wrote to memory of 2548	5012	msedge.exe	msedge.exe
PID 5012 wrote to memory of 2548	5012	msedge.exe	msedge.exe
PID 5012 wrote to memory of 2548	5012	msedge.exe	msedge.exe
PID 5012 wrote to memory of 2548	5012	msedge.exe	msedge.exe
PID 5012 wrote to memory of 2548	5012	msedge.exe	msedge.exe
PID 5012 wrote to memory of 2548	5012	msedge.exe	msedge.exe
PID 5012 wrote to memory of 2548	5012	msedge.exe	msedge.exe
PID 5012 wrote to memory of 2548	5012	msedge.exe	msedge.exe
PID 5012 wrote to memory of 2548	5012	msedge.exe	msedge.exe
PID 5012 wrote to memory of 2548	5012	msedge.exe	msedge.exe
PID 5012 wrote to memory of 2548	5012	msedge.exe	msedge.exe
PID 5012 wrote to memory of 2548	5012	msedge.exe	msedge.exe
PID 5012 wrote to memory of 2412	5012	msedge.exe	msedge.exe
PID 5012 wrote to memory of 2412	5012	msedge.exe	msedge.exe
PID 5012 wrote to memory of 2520	5012	msedge.exe	msedge.exe
PID 5012 wrote to memory of 2520	5012	msedge.exe	msedge.exe
PID 5012 wrote to memory of 2520	5012	msedge.exe	msedge.exe
PID 5012 wrote to memory of 2520	5012	msedge.exe	msedge.exe
PID 5012 wrote to memory of 2520	5012	msedge.exe	msedge.exe
PID 5012 wrote to memory of 2520	5012	msedge.exe	msedge.exe
PID 5012 wrote to memory of 2520	5012	msedge.exe	msedge.exe
PID 5012 wrote to memory of 2520	5012	msedge.exe	msedge.exe
PID 5012 wrote to memory of 2520	5012	msedge.exe	msedge.exe
PID 5012 wrote to memory of 2520	5012	msedge.exe	msedge.exe
PID 5012 wrote to memory of 2520	5012	msedge.exe	msedge.exe
PID 5012 wrote to memory of 2520	5012	msedge.exe	msedge.exe
PID 5012 wrote to memory of 2520	5012	msedge.exe	msedge.exe
PID 5012 wrote to memory of 2520	5012	msedge.exe	msedge.exe
PID 5012 wrote to memory of 2520	5012	msedge.exe	msedge.exe
PID 5012 wrote to memory of 2520	5012	msedge.exe	msedge.exe
PID 5012 wrote to memory of 2520	5012	msedge.exe	msedge.exe
PID 5012 wrote to memory of 2520	5012	msedge.exe	msedge.exe
PID 5012 wrote to memory of 2520	5012	msedge.exe	msedge.exe
PID 5012 wrote to memory of 2520	5012	msedge.exe	msedge.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://tathli.com
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe24a846f8,0x7ffe24a84708,0x7ffe24a84718
2⤵
PID:4640

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2252,15264852796170593403,13671850492743927304,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2384 /prefetch:2
2⤵
PID:2548

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2252,15264852796170593403,13671850492743927304,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2440 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2412

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2252,15264852796170593403,13671850492743927304,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2980 /prefetch:8
2⤵
PID:2520

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,15264852796170593403,13671850492743927304,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
2⤵
PID:4276

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,15264852796170593403,13671850492743927304,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
2⤵
PID:1572

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,15264852796170593403,13671850492743927304,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5084 /prefetch:1
2⤵
PID:4620

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,15264852796170593403,13671850492743927304,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3568 /prefetch:1
2⤵
PID:3320

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2252,15264852796170593403,13671850492743927304,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5372 /prefetch:8
2⤵
PID:1908

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2252,15264852796170593403,13671850492743927304,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5372 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,15264852796170593403,13671850492743927304,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:1
2⤵
PID:780

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,15264852796170593403,13671850492743927304,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:1
2⤵
PID:2500

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,15264852796170593403,13671850492743927304,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6008 /prefetch:1
2⤵
PID:3552

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,15264852796170593403,13671850492743927304,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
2⤵
PID:1228

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,15264852796170593403,13671850492743927304,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1
2⤵
PID:1016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,15264852796170593403,13671850492743927304,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5560 /prefetch:1
2⤵
PID:2296

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,15264852796170593403,13671850492743927304,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5552 /prefetch:1
2⤵
PID:3544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2252,15264852796170593403,13671850492743927304,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5108 /prefetch:8
2⤵
PID:3020

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2252,15264852796170593403,13671850492743927304,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5440 /prefetch:8
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4592

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,15264852796170593403,13671850492743927304,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
2⤵
PID:1824

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,15264852796170593403,13671850492743927304,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5812 /prefetch:1
2⤵
PID:2812

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,15264852796170593403,13671850492743927304,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3588 /prefetch:1
2⤵
PID:4292

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,15264852796170593403,13671850492743927304,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4692 /prefetch:1
2⤵
PID:2004

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,15264852796170593403,13671850492743927304,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5744 /prefetch:1
2⤵
PID:1576

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,15264852796170593403,13671850492743927304,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5992 /prefetch:1
2⤵
PID:2624

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2252,15264852796170593403,13671850492743927304,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1896 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:940

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2252,15264852796170593403,13671850492743927304,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5948 /prefetch:8
2⤵
PID:2708

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,15264852796170593403,13671850492743927304,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:1
2⤵
PID:1224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2252,15264852796170593403,13671850492743927304,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6456 /prefetch:8
2⤵
PID:3376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2252,15264852796170593403,13671850492743927304,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6316 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:888

C:\Users\Admin\Downloads\WannaCry.exe
"C:\Users\Admin\Downloads\WannaCry.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
PID:4604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 44911715420446.bat
3⤵
PID:1544

C:\Windows\SysWOW64\cscript.exe
cscript //nologo c.vbs
4⤵
PID:3524

C:\Users\Admin\Downloads\!WannaDecryptor!.exe
!WannaDecryptor!.exe f
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4688

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im MSExchange*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4568

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Microsoft.Exchange.*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1652

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im sqlserver.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3740

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im sqlwriter.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2284

C:\Users\Admin\Downloads\!WannaDecryptor!.exe
!WannaDecryptor!.exe c
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1668

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /b !WannaDecryptor!.exe v
3⤵
PID:2456

C:\Users\Admin\Downloads\!WannaDecryptor!.exe
!WannaDecryptor!.exe v
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5116

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
5⤵
PID:2648

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:3756

C:\Users\Admin\Downloads\!WannaDecryptor!.exe
!WannaDecryptor!.exe
3⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:984

C:\Users\Admin\Downloads\!WannaDecryptor!.exe
!WannaDecryptor!.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4340

C:\Users\Admin\Downloads\!WannaDecryptor!.exe
!WannaDecryptor!.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4760

C:\Users\Admin\Downloads\!WannaDecryptor!.exe
!WannaDecryptor!.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1224

C:\Users\Admin\Downloads\!WannaDecryptor!.exe
!WannaDecryptor!.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4688

C:\Users\Admin\Downloads\!WannaDecryptor!.exe
!WannaDecryptor!.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2504

C:\Users\Admin\Downloads\!WannaDecryptor!.exe
!WannaDecryptor!.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:464

C:\Users\Admin\Downloads\!WannaDecryptor!.exe
!WannaDecryptor!.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1524

C:\Users\Admin\Downloads\!WannaDecryptor!.exe
!WannaDecryptor!.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5112

C:\Users\Admin\Downloads\!WannaDecryptor!.exe
!WannaDecryptor!.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1208

C:\Users\Admin\Downloads\!WannaDecryptor!.exe
!WannaDecryptor!.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2484

C:\Users\Admin\Downloads\!WannaDecryptor!.exe
!WannaDecryptor!.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3892

C:\Users\Admin\Downloads\!WannaDecryptor!.exe
!WannaDecryptor!.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4948

C:\Users\Admin\Downloads\!WannaDecryptor!.exe
!WannaDecryptor!.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4796

C:\Users\Admin\Downloads\!WannaDecryptor!.exe
!WannaDecryptor!.exe
3⤵
- Executes dropped EXE
PID:3580

C:\Users\Admin\Downloads\!WannaDecryptor!.exe
!WannaDecryptor!.exe
3⤵
- Executes dropped EXE
PID:700

C:\Users\Admin\Downloads\!WannaDecryptor!.exe
!WannaDecryptor!.exe
3⤵
- Executes dropped EXE
PID:1176

C:\Users\Admin\Downloads\!WannaDecryptor!.exe
!WannaDecryptor!.exe
3⤵
- Executes dropped EXE
PID:812

C:\Users\Admin\Downloads\!WannaDecryptor!.exe
!WannaDecryptor!.exe
3⤵
- Executes dropped EXE
PID:2580

C:\Users\Admin\Downloads\!WannaDecryptor!.exe
!WannaDecryptor!.exe
3⤵
- Executes dropped EXE
PID:5064

C:\Users\Admin\Downloads\!WannaDecryptor!.exe
!WannaDecryptor!.exe
3⤵
- Executes dropped EXE
PID:3316

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2996

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1304

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:768

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3888

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2520

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\RequestComplete.easmx
2⤵
- Opens file in notepad (likely ransom note)
PID:3556

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\SwitchPublish.rtf" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3820

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" SetDateTime
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3464

C:\Windows\System32\Upfc.exe
C:\Windows\System32\Upfc.exe /launchtype periodic /cv n18Ceb/a9UiWJvxEf5ddHA.0
1⤵
PID:3412

C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\system32\PcaSvc.dll,PcaPatchSdbTask
1⤵
PID:1800

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" SetDateTime
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4512

C:\Windows\System32\Upfc.exe
C:\Windows\System32\Upfc.exe /launchtype periodic /cv ds0o8KPBH0Kmmp6HfdzbPw.0
1⤵
PID:3376

C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\system32\PcaSvc.dll,PcaPatchSdbTask
1⤵
PID:3820

C:\Windows\regedit.exe
"C:\Windows\regedit.exe"
1⤵
- Runs regedit.exe
- Suspicious behavior: GetForegroundWindowSpam
PID:4584

C:\Windows\system32\taskkill.exe
"C:\Windows\system32\taskkill.exe" /f /im wanna_decryptor.exe
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3736

C:\Windows\system32\taskkill.exe
"C:\Windows\system32\taskkill.exe" /f /im !WannaDecryptor!.exe
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:780

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2284

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe"
1⤵
- Kills process with taskkill
PID:4440

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Inhibit System Recovery

T1490

Defacement

T1491

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\96.png.WCRY
Filesize
6KB

MD5
a3b9ffabd0405cfd87972fdec50f343f

SHA1
8d9c672053f892c5af1d9184eb464bbf82baf76f

SHA256
1a639d5c3a4ac93f77ae1c0e2cf60cd90a4b239aad4c189abb43830f32630962

SHA512
e43f7cbe64d6c08c44d92625c7b89a069303cf79e3dcbc7ac000a4a87b68052142c6c90701c43740a270bc57ec4e390b505a0b40d0801f9e0d8e31f43a895db6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\mpnpojknpmmopombnjdcgaaiekajbnjb\Icons\96.png.WCRY
Filesize
1KB

MD5
296ac43a4971f6370a2a91f30bedc647

SHA1
8967a1f34a0960bb6e3ae9245d8acc5b3b0c896d

SHA256
d25441bbe3612071e95f62c2ee40681617e79ac8359ca42965403c8f39362a69

SHA512
bc2cb73cce5a838a4fcdef6adb995a41851af3cc5830e781e6fab2a44863e83912b7b578ddbaf48130a9304ac32d328807af48d6e87a048bd9bee43cd5b60e32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
56641592f6e69f5f5fb06f2319384490

SHA1
6a86be42e2c6d26b7830ad9f4e2627995fd91069

SHA256
02d4984e590e947265474d592e64edde840fdca7eb881eebde3e220a1d883455

SHA512
c75e689b2bbbe07ebf72baf75c56f19c39f45d5593cf47535eb722f95002b3ee418027047c0ee8d63800f499038db5e2c24aff9705d830c7b6eaa290d9adc868

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
612a6c4247ef652299b376221c984213

SHA1
d306f3b16bde39708aa862aee372345feb559750

SHA256
9d8e24c91cff338e56b518a533cb2e49a2803356bbf6e04892fb168a7ce2844a

SHA512
34a14d63abb1e3fe0f9927a94393043d458fe0624843e108d290266f554018e6379cba924cb5388735abdd6c5f1e2e318478a673f3f9b762815a758866d10973

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010
Filesize
31KB

MD5
70f9a1aef01e3ee0259d4cf8b50ccea0

SHA1
1bd2b79d4ef77c0570c170590b1b3c18007422a8

SHA256
4d8f397ff7f9a0932910377a528282e01fd8a912a117451cb4c0b02e741b197f

SHA512
97ebb3fc8c4d4b481b031806e2307b276b0e7f897933ad5fa2d9f0950214cd0a4f6e08ea7663a97c99b942dacf36b231d9b02c788ed25df7c79782c156d72ab0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001c
Filesize
64KB

MD5
d6b36c7d4b06f140f860ddc91a4c659c

SHA1
ccf16571637b8d3e4c9423688c5bd06167bfb9e9

SHA256
34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

SHA512
2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001d
Filesize
39KB

MD5
8facf4d1ac6ff2520d3f9536ec0ba688

SHA1
05a661afe1d0f83e9566498cb4b895f1c90beae7

SHA256
a7d8fbd8a9794a97d9ea3752e450a700c2e295a681b4fa7a21affedc4fdb1a9c

SHA512
2cf271954eae3bc8766c3e19215732ee46591cbc3492b24d96cd26376be64dedb711c5d4962377b559b37c097aa267992ef380ad02bd5706435679076805a1d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001e
Filesize
69KB

MD5
aac57f6f587f163486628b8860aa3637

SHA1
b1b51e14672caae2361f0e2c54b72d1107cfce54

SHA256
0cda72f2d9b6f196897f58d5de1fe1b43424ce55701eac625e591a0fd4ce7486

SHA512
0622796aab85764434e30cbe78b4e80e129443744dd13bc376f7a124ed04863c86bb1dcd5222bb1814f6599accbd45c9ee2b983da6c461b68670ae59141a6c1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001f
Filesize
19KB

MD5
76a3f1e9a452564e0f8dce6c0ee111e8

SHA1
11c3d925cbc1a52d53584fd8606f8f713aa59114

SHA256
381396157ed5e8021dd8e660142b35eb71a63aecd33062a1103ce9c709c7632c

SHA512
a1156a907649d6f2c3f7256405d9d5c62a626b8d4cd717fa2f29d2fbe91092a2b3fdd0716f8f31e59708fe12274bc2dea6c9ae6a413ea290e70ddf921fe7f274

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000020
Filesize
65KB

MD5
56d57bc655526551f217536f19195495

SHA1
28b430886d1220855a805d78dc5d6414aeee6995

SHA256
f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4

SHA512
7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000021
Filesize
88KB

MD5
b38fbbd0b5c8e8b4452b33d6f85df7dc

SHA1
386ba241790252df01a6a028b3238de2f995a559

SHA256
b18b9eb934a5b3b81b16c66ec3ec8e8fecdb3d43550ce050eb2523aabc08b9cd

SHA512
546ca9fb302bf28e3a178e798dd6b80c91cba71d0467257b8ed42e4f845aa6ecb858f718aac1e0865b791d4ecf41f1239081847c75c6fb3e9afd242d3704ad16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000022
Filesize
1.2MB

MD5
be529a907c265364aea60b32d2a6b43f

SHA1
4e36681dc58aaaa130238083d0aa43d4604019e8

SHA256
1790bffabda47de3ac63c09728874fec01d03bd240361e81dbef964f8ed179bd

SHA512
37e65201a514127811d0f92dce4ca096401af92b4c90441d1e0673c1829cdf5d47f513a63f8ee1593987ac3dd542f197654423b0fe24d50aea4794001356004b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000034
Filesize
24KB

MD5
6165a7c774d104653fee619b4ea77fdc

SHA1
214fe3e58449f886e78f2a101844acead3502236

SHA256
e6cbb4d443cab3632935bc1284e7691409e4a17d5e67c8b401b831c8dedcd773

SHA512
0d95446139983a568f9cd3d18f12eca05fca44257c6644d6e894a13d94e654a2c19accdb5baa4c513a69bd3ec97dbccd143f1290915f13c5c39d0fab478f1034

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000035
Filesize
48KB

MD5
675c3cc9eeb511d43db6635bf1b515f9

SHA1
b5a3bc916093bf35af9cb26f45f79c229db4d70b

SHA256
827caf07904c9ca524acf5d97bcaf1f11c84ffdb1fc2e7f683e1dc80648ed58c

SHA512
6e82a416ca6d79ed2402382326d8621d9828b420daad5ff0a93f2de13598213b52ed7fc9f6a59dc6bb71bfb6a1bb13be3d54581e2d26ecb0dbf0bb2ecc894197

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000037
Filesize
43KB

MD5
46b6ef2093b07b6333a72ab5113b6452

SHA1
566e4accbc76afb673614f4c8b0c2ffe281e89fd

SHA256
51be6ba8611f6a3bf95002fba48da012cd9559e0667ff19176a08150e429aa9e

SHA512
b19712a582fbb03f57ec1c91e28403076fd7aedf6c7b64cd255b3ea6cfd806df919423da236fd78aa39e78b5f4ef567e41c5d56002bccdc9338857d64cb24ae7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000042
Filesize
21KB

MD5
12b3b06a215a92b61047d4d676009d5c

SHA1
bfaffa1420406892f96c14563413c12b22d5578d

SHA256
ebddde1fdfe55665db44af96d9a914ea833d5c74b510150b0aafcc6598c8ec72

SHA512
5f597b93c1bd9e9be7d7aa42ec1a69d1183d164096046af276546f907c7796cd5d1ea80d152ac8cab76f1ddf3a6e3d51ed74c6dc97d467a4f5519dbad8d42ea8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
5KB

MD5
4a4b2341b3765ff447e8fa1edfbf2656

SHA1
f4b480665b7edb4a8832b8e2224ed443ff1af389

SHA256
9c45e525e3e1a2013fe50f742c4fccde26827bcac89fc668eb9f646a957cf487

SHA512
ef7865731316af346bd216fb1891438b31e0db5bbf528cd434e808d96f1e1fbfc1fa0c795132d7266810fca0c6a7a4580572b8b100a1abc5b54572b90a487c6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
3KB

MD5
23cb2774d554502374b634a0db9f8911

SHA1
6de94a814fcea06db2ad499962fe80639c80efa2

SHA256
91a6cc32b99588e3a24a3d8ddb35b52990e500a57db35272ff2eaca4f7cb387e

SHA512
b8b774d95cacf37e987c85404b301fd4150821786fa159437f0e4bd898f8ba1437072cddf3cbdf4aaf76ebf7213753437da55fa920392d4f1e6bd12acc1be624

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
5KB

MD5
84b05bf0bb765405c62d747f0aa5d774

SHA1
1b0a61f9662d6b0280b37e4a2cb61cb1c4db574a

SHA256
551e1397a9c437bc4f863a4806cafe0b530feb90ff0e219841f67d8b7edca0e3

SHA512
a9938b7ef3894b6256f470eb96db6de0347ca65a3dac0969c3fbae801fe4680e7ef910ce72d30fc5ce1b7509ef4636d91e6ee022df09a9ed65ddf08de6765a14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
4KB

MD5
d9444485b344908f0e171f149c0680b8

SHA1
09e718d4f843e73650cbd2e6b1126ad36e96df6f

SHA256
c607762658254813598a4381dd08b9e41ca6e22ec7dc65494be5a1834e26807a

SHA512
1922c4297e07c70b32456ab24067fb588739faed442550f39c01753bb04a9202de6c31e5016bd656e8cb716559d53d32f155ff00af4d85ab431b716759765cb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
4KB

MD5
c3718f573ed22960162749d7cd3832b7

SHA1
f12a197d4dda6efc01a70d88c0e2f58914556f7b

SHA256
c9a9378d35c6964d891baa5105e372357ed4ffa5e7051c095f659e368430aeb6

SHA512
87ce672f2f39da8e2aa3c27fa00c8f0bdd08084c0770b905ea3964394a3fab012bd42d10dd4d14c806741a61b10d2e11311fa94e8e7fc54150e823e1a7289ec5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
3KB

MD5
6142c2295fa04d93d0585f276cb520ec

SHA1
c8b041252320ec6cd2d77210a1238f293b670dab

SHA256
8278e5af17a7eb7534a15958dffcb7e652295a51d8ac5a6649a40c3b1c7b6966

SHA512
fc357b3919bdaf006a970ddae89f60774f8574c94d57b3757e9501ec749baf47dea27258de24b09ef146d5653f808c3f5541c3d33a6de30c1f750027b25ab0b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
c1b766a5353b194e9300905f1b64bf24

SHA1
21b2689eec20880996f7f046cffc6a8794e098d1

SHA256
7df0be3e9075e4b298f9908a9c425af2b0bb7ba5c6d27e7d2c5ea082fd3f4eab

SHA512
4f249a4c42ae498852d28557348d45f1c1bd7ddc1e171a24e82ea2d20e3bf21683a398428ea4c03b84c00169433b9689764ff768f887ce3c1afa06400eaaf31f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
8KB

MD5
5f2dbe22b22907691e12d3498399ae44

SHA1
b8453d47d3ff4433d2641a48cc1339a540982e9d

SHA256
617d2dd7c7cdd2a7904bd2c5e8a63bedffe40c2d4cb17e1c1873654c7c2734f3

SHA512
ca7d41a9edddda25cb135ae3e393a6f439dc7104745aad5f3b1acb4a85f791b5b84a8c0c7b25c46e0cfa434528e4ca54880e56da18a9ecc53686c2f39a7ef6fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
9KB

MD5
1a3ee15c7319c286e56aa34c5548bf19

SHA1
7279de94a80602de11249199629250c2be7a7208

SHA256
21f444b6e0dfe35659e8267f50f29d1b29214d4e1e9404823dcad6dd4822a718

SHA512
edf9cf3883fa905b99e9c056e9fcfee38be124d8bee6a9fad3dff8fa256044fda69d5f3970ebdd46ce22c898ab97242642b3631462a564851dcea954cbbde631

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
8KB

MD5
f2c7d540fd33175c604fde055d5f8053

SHA1
08c5d5af462b8c443198935c4e82160d1cf0a826

SHA256
6e3c818bb828e3be85c19050b38a5209e923e0865e822b01aebe057ba8e9d485

SHA512
6f822268160bcd96e1ce027c29b014e682c0a1d6e67f30a844fadab561592e3b7996336757e9ce9e0670348357f7404dddee6e543afce99ba7c89032a38bfd9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
9KB

MD5
2e40016f38c1957a483c9cba60b55855

SHA1
b1f4fe6b096a14d7c96e545fb3e1cf439a32458e

SHA256
b2dda724c37f67048a435468e2c1f2c9fffbe19901b93c9b8b5b4c5b3c66d1cb

SHA512
20550b2607a6ae961836de43722c53854b753916032af286e6bac2c7b3d09a6bc9b6425d327c7d5cfe4e350c7bff06dcc51bcec8411409b319c52c7d99c97050

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
9KB

MD5
bf3f282be5cea149f6eb989f975539b3

SHA1
76f60c76a91964d5766be82a4dcf514d2e3611ef

SHA256
b759e24172fc54e019afef8ac21fd13494e5c808107f45c962e1bad2851fd83f

SHA512
e0118b97a2469369110c0ff89b634bb49cf66eecbe0bb15b98d91e3cec95bf0412f4823c185290e3d6c3e6d27d2ea87e754a9d4ded26a5ee4962f534c8b308fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
ae4cd2b8c5e781aa22a4ad7bf9749f5f

SHA1
bc97586f0352f9e8ce80b809fba26a6ce4c412e5

SHA256
e8403ac5af333d8fdabf7ec3fbdc42941d8641fb410de0f41618938357f8f591

SHA512
197c56ff4a489fb0420b3dbfca6cb45cdb74912e81c22024ae9b76d3c85ab2104f94edfa5c8a6e787746b82ad39776f303be49eba29d3535f982e814f48769ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
9KB

MD5
66839b8175463f4dc302c556bc8defb0

SHA1
af374bbd89bb607291a77dd02821cd79d914a3a3

SHA256
d63354980dcaaaf9f24a8ed698ac5d23b47d43e641f946474b263332f23ce8a1

SHA512
2c128a2e2756584b02933a78172fd4c28ae810b0e0e4b512509009df960d6b278177ee23f5da9fcc39a5360249d2920573faa1d2b65d707758325b3c2ff35564

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
9KB

MD5
899d5ef55f3d995ff9a08fd61a3cf7d5

SHA1
74ed084f8444f9f52c914d2dbae55898d4226901

SHA256
af72e133288cf8e610c1b535fd02642e89c0d6b6d256dd5343a77b56e547280f

SHA512
7a3f2990014895583dbb452ffd2a6d7ec8b6048a3cb2ca23010c5a7a9b1e2679c4a97bb25a583651e525d5df38e2d052d384956065d528277daabed47a03833a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
9KB

MD5
dab99ebf70f50a47e0ccef146c173bcc

SHA1
55d8a71a57115696a7fc03b940a1fbf6d2ff766e

SHA256
71428dff9f40aa7e4a15a24a3da445278c6f9c2cced372bb2d31123e8968d7fd

SHA512
08651913d1a9cb2fde565d15378e0a19791c82363da260bf869ba3562a752569f59ef802b000404337e022e9ec0eaa5db0a7eff5ae54ab1c35114c28f6b8e9f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
91cadd9e30af7258e52867521f5c537c

SHA1
f0c81632aa3812653dacfc85cee63f24f8dcecbb

SHA256
534e7dcf2cbe00c89693a8cf82558ebb73f6d6ce8d6fb76c5dba7d4ff9a6e536

SHA512
22b8d0a332ad70deacb2fbbe26d142beb7f8721526c7affdb86724c116b73ce0f4bedd0f94208b21b5099bc31dfffcf20f626511f35811b20802c9e96b9e3bb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
d37cdc2fa9c0c0dc7317e9004ec1c166

SHA1
daccf3ccd47adb59613b2f13bfa046dd64085b84

SHA256
8a7d8e1cdf32186ed087eb745a130426489137fa200bd1c5a98c9fac609f1f65

SHA512
61b13b7d9ab6f6a6a0021826a98396641df6a3d0a33716fc88709606e96a90e7ca1fe5e57002da9f857732d7b734a4f1a0b88a2e7872d9cd409617043f061517

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
ad7721285cfdce00e36940eb1921070f

SHA1
1ea1021336a579464c426ca9307a4cc74059ac15

SHA256
c77a8c6f831c87a5307681eb28c10cb9ba3354e876f826d2a08d7e9077a4d835

SHA512
9d68bff6710273843adf3275e4e82aab77f440b024eead44b2fe3cc2e68a969787bdbf49a13ff4ce6fcd48f7d612e20b4fa2c103677d672f60c86f482d6ba423

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
d853bf5070f963c37945834d68722584

SHA1
280dbeb3d0feead1d8c2dd31f35dba13d68948e2

SHA256
62f36a7168d00d28a16c876c793d063c4512958f0c7d65e2b47198bc20c7174f

SHA512
c29baa295af718ee6f7a46f6ee5f240e3d02c806371026e4992608a2b665f835652f8699bc4e1aaabb39835ea0f3d52e78bc12fd79ff79fc755b67a7ff7d184f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
752c0a038120c5b81444647c5fc7fccd

SHA1
d1d292359ab37ccc42a00445940667717c3c436a

SHA256
b92492cbdd638286d92b11164e78fe905393461844b96098b64d630e73075ce1

SHA512
14f3a08608b00116431bd254e1301ff421386fb087001d6332dbc5a04130b320ddee4a0ff4160702d581889ac27448b61e915960ca9e76a3c929bed10b5dc254

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
f9e246234596cfeb78910e6e095e4783

SHA1
9318c7ce7adfbb8e0b1b36c2d6ef6c7b464e2ea6

SHA256
b82a83a1d7f00e878e31fc514456140dfcbc1c2f05cf9caf95cec4a7dad0d92c

SHA512
9dfb14eb306708d5f91bae8f059773298c8ea9508abfab6e835c9849075eb200488d330e71d066b851ce040c2d45afbe61dfba98cf2c3f556c63aaa2286aee6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
2KB

MD5
9ef4bc185d09686dec4ed8f6275d6f40

SHA1
251722e58d0caf76333246d149c8b0d405bc82c0

SHA256
cd3efb31298b3727d8ade083bb4e065129427fa36bfaac43ede3e55789a0d0f9

SHA512
f838ea9478cc9a36b72e13725238577d411a4ea94d2b14c9fea9ff7ab997d48dd3ee0b3b9bbf83b32d22ae82c887affb3649a02d7b96d8305b60a74830fe64ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
ebff7776459c939d8cc814793a7394fa

SHA1
a8ff16f35edbed460554c04fa32e3857e04970fd

SHA256
37428152eca07f4bf742507535e3c2c9d63c193ccf3c1d739fa7f6228d07e84b

SHA512
3d28fc5ab66a1fb21809ba5911f8571cdcb7e6cd098ca116e19a95eced0cf8c55ce7f96a5c3064d452e39a0e44618444fe9d99ff3cceaf55829ae12e6d7b6664

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
254a461dc3f1c6038e2ed1692271cbf5

SHA1
43d46c4eef9270e12477df6bd7a0e8b85a35578d

SHA256
ddfc38072ac35a591148551a594b5810ffbd1d67a2ebd969938467181fb2e88e

SHA512
4a8321c6c10540942eb7f029c368cad08f65a26a94d27665378229d86affdea3e8adfb696b54989cf51864278d724ad9c4cfa927754d0bfe24852ef1674d1aa7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
50c37e8075d7e8440f0ffe7ab83ea11b

SHA1
9296018ee1b1cf2b2cf2afecce58546db5f8e78f

SHA256
91d64bd2563bcf08c6a3b87c7c23a815e2939525d71575294b9a98e59e604342

SHA512
425cffbc3e2812f0a56f65d1e4c6e2b611eca486db6990f38506f22fbc3ffc2057e6983cc6d9e4c01375e84f2c9c392e6c3123c55a93dd5495f360fc2b932b30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57b2b6.TMP
Filesize
706B

MD5
6eef2efc5c87afb4aedf6b8bd187f632

SHA1
d0059b54c02e6e7f0f5f29c5fe426afaa9c6945f

SHA256
7804bfa7e1f15b3268e25a7ee3f2c1ede33671c60c64cc7abb04902162874163

SHA512
8115fd408fd6982b7029c1c47dcad79e1d041e03a7783bbe604f48d7f2ded7125d0cca5f932df3aa994354fbcd640d05e0c60088b306616e3d1803f20063bcf1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\heavy_ad_intervention_opt_out.db
Filesize
16KB

MD5
9e02552124890dc7e040ce55841d75a4

SHA1
f4179e9e3c00378fa4ad61c94527602c70aa0ad9

SHA256
7b6e4ce73ddd8b5e7a7c4a94374ac2815d0048a5296879d7659a92ee0b425c77

SHA512
3e10237b1bff73f3bb031f108b8de18f1b3c3396d63dfee8eb2401ce650392b9417143a9ef5234831d8386fc12e232b583dd45eada3f2828b3a0a818123dd5cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db
Filesize
84KB

MD5
d86c6634df99bd6122ad15c47d4cb248

SHA1
a4c2ef57e35ccb56b3b1fae96ad02cb9cb0c4990

SHA256
bf1653b0a2778efb4d74f9530cafc7f534407ae174e35fdfc9007792c66db94f

SHA512
6c94f61617e0cbca4f6b89d65a61a29696d4fd4482e389e6f353d3b17a04101308830c66df52fcb41dd3b3a0ca34c0e87133ce52292c59078ad88628d928cb3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
b446c2ae78c2fcf2ecb556d68de12df9

SHA1
3ae3b71211c642765f7c6b092e0a38f079f6081f

SHA256
91448d4beb926316fc4297d1cf2beea42dc3d4f262294e633ee1a388e7931743

SHA512
03141fc394b8b6aed8d22c3f18795d1223e5d262d84661be49c9e411426fabdf1d310135847e954937d1790101e22eb13b30ea35402845ec70eb320f0a761dda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
416bfaa2c0ae5e4fa96c9f1909e57318

SHA1
25599935c900f02de175a8f8c23efa348ae3b79f

SHA256
3b8a4c3d42512960174beffc30e3e1a6a4c2bf9a17430e0f62f873f7e2a5b92d

SHA512
bb89e5c2097c085d59eff7aeac91b408e23a2afadcb7c9637ed06e5a1c7327556d5f4987ea882c088fafdb13144bf2dea9dbe85ce1b9e908de83d6edc1712791

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
22ed293719eaab1fe60c4cf1ce3678da

SHA1
2e76576cbea772d0dc794e925864003da0c4b16d

SHA256
228b230504f0dab212dcd2c097d4e9e14c64060359911221335cb69814b0b012

SHA512
cbcc7f9876e8977a232aee72f0d4c4a235d4565a2e44d8f468c14e1f8f3ee67c4bc215436dd9a3862356b904785a1beb94acb8161f984634a3240acb6edec147

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\9cd93bc6dcf544bae69531052e64647ec02f2bb4.tbres
Filesize
4KB

MD5
36c6656d48a3031e664244dc00e8c05e

SHA1
0c5913a49e4f99eb98b86ad4807eeaced5c4eb2c

SHA256
2ee313da03e43aed00ec068f2219d324fd5c21b52975e64e5951a6ff436a79a7

SHA512
a92b12eeb14c0bb422a1ec2792a6c9feb8c5cf5b4674c6be458f991bd26eaad421289952c854a5d8971a3bf2f5216586f457718c97c0809727f8d85b5bf586ca

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\AU7PMNK6\2\IJn_0fYO_7cUb--OQ-amF2MQCOo.br[1].js.WCRY
Filesize
72KB

MD5
9be48f833eebdc8b33d26df69b50a90d

SHA1
64e887d343f90eb49985afae8cb0150986e89280

SHA256
4be951085d0d723b2c4fd73e14f614a84e7052804593b8e2a9cf1b3a3ba19551

SHA512
558929d417b3728bdfd5c52eabc5db166d02baee0cb66ab1a59e537839a305d19eb61076c37169d99961a96b177770949c4f653346e8e6f8bbcbda7e31d9bf4d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
Filesize
18KB

MD5
50ba1ed889bf103acb845c6901909471

SHA1
25f9c68bce2bfb8f0b41f4aacedcc696f54950a3

SHA256
638712cadff77a3544c67ea9b8c46b6764570b7ccae0cc495210688eb301baad

SHA512
a00802a79fc1f41df96a3ce5b8d08ac769fea16e97127c9e9a83ef5293679b4b4fd83750e057ebf552d4da7a00476310f7c015cc4fff47bb2d1b2d50366ba517

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize
13KB

MD5
709976ab80ebac50b755fcd70eb11d22

SHA1
5bc254915ad664ed1ce131469b88829167d3a2f2

SHA256
6208ce107a28ada55f9068797d90043e1ee4d1ee774c074c0131c20bb962edc0

SHA512
fae9cad4740a10b885c9ca09b55ab32d9f5ae347530a15198edd01d86ca36643447f83e0e1ad9725a4cc0f14706c68e012f56605978f786852211d5ebdbad637

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize
13KB

MD5
d0bff7d16c98916c4c3adac2cefa7977

SHA1
f55a13ab345bafaf5e9ceceeb4243ac2e032ba89

SHA256
f4b0bb205a129c4567a62847799b77ab8e2aeebca1df877479361a12a88ab473

SHA512
582923e8d7faee125f4f1f7857b8ba74e420273ec729eaf075cead6efe6542bae57f27fd842ef809dab7999734d6bd56133ecb99b9e0e01b37ec2a2d8a05743a

Download Submit
C:\Users\Admin\Desktop\RevokeCopy.kix
Filesize
666KB

MD5
74c79d342438951381bed335f41a4ad9

SHA1
016389519fe13dfc9fb9e1c1afced4aac3b82ea5

SHA256
60469d01fe5f427d2c193b1217ceb6a5a623cf418c6ac3faecc8f13958b30aa1

SHA512
d8509279e0e97ce9fdc9d85ab1ebdf71658599f1c93d859f6058f6080c2b1c4e784b0c3bd7d179ba06d46ed2748eba5dc6a32fab804a11acd9c48ba647647c91

Download Submit
C:\Users\Admin\Desktop\SelectWrite.ini
Filesize
626KB

MD5
d0f10fa554dfd026aa13262d78180068

SHA1
065d796b845661c656004f6d9181240f751101e2

SHA256
877062bd31579ff0f51f835d67e86e618f571482289ee1b5fe05724ac02d28f1

SHA512
75b1ec5f26ac8ed1bc0ad379255eb48820b0abefd134ed22b6ffecd59238ba6dd23796e9d7efaf362fede5115a351a00f8e4732369648076ec388021c674734c

Download Submit
C:\Users\Admin\Desktop\SwitchPublish.rtf
Filesize
685KB

MD5
90239db56adcd892f0886bcc1cdd7cb1

SHA1
0c4d64a04303de66c2450ea4f7feb2c13612e0e9

SHA256
9d7e2503b561e0de5806635558418eabf22b1e38f40366626181399c6fcb49b7

SHA512
bcab12a36fb28b18a24c552d04d3e84842ddf03839297437056aaa465a7b53539ae6daef5593169889cfa898ee404bedc936936df57c68b3ef00741e81a76d9f

Download Submit
C:\Users\Admin\Desktop\SyncSubmit.dib
Filesize
293KB

MD5
21c364b8a37ad33d9ee29ef509863fed

SHA1
257715c555117c60e91d51cf06b9d435c6353512

SHA256
8494709cc51ce739c56ca0e25e7fb06bb58331eaa7d1c8c922573d972fa93426

SHA512
4824b12497c64ad85b9f3d827ae6fc56fcc7f808e64db46108208e1e0be7f0e431803cb1e49dd9dd17d59727bce12a17f43863775d53d94efb44fa9a1f1b2d1c

Download Submit
C:\Users\Admin\Desktop\TraceFormat.rmi
Filesize
607KB

MD5
6689bf89e0952685351ad68dadbd325b

SHA1
57e008cde871a310b0808016dc32aa8f3151c36a

SHA256
ed3fffc1da542b9eb363eca4cd205523553cb38113474de070595e3744dab7fd

SHA512
595252865113e18d95fd98baff09bc95549d3a2676c038df24d2f5978d5fdad97fbb40fb2db16befbd7d510e833dbcdc15cbbe4721c59af4b7786fe838cc09b6

Download Submit
C:\Users\Admin\Desktop\UnblockBlock.midi
Filesize
411KB

MD5
a5f9983b497d152a8db6e400901600bd

SHA1
35fc6054a7ef2fcdd56b24a25aca83a4062ee51b

SHA256
d54e6d9e4d74550dc6d5315bb11c7d4e0ae3d19a38181c1c4942dc8120e23e91

SHA512
19e9433bc91f23bff4be73e3d485420483c70b4e510b263a6ad8ad59a9016a2d34e3710ae980fc95a99c0e05bfd802df8744407033494e7e7a054db28083df3d

Download Submit
C:\Users\Admin\Desktop\UnlockSubmit.js.WCRY
Filesize
450KB

MD5
ae481083dbf9447b922de5e9a5342e68

SHA1
fc9b299ae92b55a0005209d34858d756f0f3bbdd

SHA256
11649ae0df1fab747eb6b62b0422d509231e9554d0499bbedf25fa2d02c33114

SHA512
ab1e0a95d85aa8b3c8f43655fd2b3d58d281f9cde9e02945212404b7511627d27ae096cf597b658f1a4da53befed25bd57a6e9d8300cd3b688d9273f1fc33594

Download Submit
C:\Users\Admin\Desktop\UseDismount.rle
Filesize
764KB

MD5
d8071dfbe231cf2c1732db94ff958e83

SHA1
3cc84bf2045aa773663dab2fe4b8d81b053f7de6

SHA256
7090f74ce12798bd2928fd3cc2aed351b941ebe67eb6600a0697768922589a8a

SHA512
bdf87404e3d8475ca4996194b977748158bd8cd28be345b6af7b805710bb322fb669ee0b0133be93dfbc11cc20c93669c24abd13f3e06bd203f434ba3f9cb461

Download Submit
C:\Users\Admin\Downloads\!Please Read Me!.txt
Filesize
797B

MD5
afa18cf4aa2660392111763fb93a8c3d

SHA1
c219a3654a5f41ce535a09f2a188a464c3f5baf5

SHA256
227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0

SHA512
4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b

Download Submit
C:\Users\Admin\Downloads\!WannaDecryptor!.exe.lnk
Filesize
590B

MD5
ab06f471d2bc139a13954faf68b0a745

SHA1
0f58b2098060818ca9859bbc70337d42316ba9fd

SHA256
dc469afc8bf378e8356784f0f52af1989e1ecaac887fec3e8e844d072b0e7bba

SHA512
a0a34f764bae9238075124f9c102cf047a1877dd5875a32363df18d60e95a16d75f246c886198cf70f35ba9bf77d65738eb1d022f9caa5991a6f6874c57e37b8

Download Submit
C:\Users\Admin\Downloads\00000000.res
Filesize
136B

MD5
75e1af32a47c6874ebf394a6220e91bc

SHA1
4fb96f89d40f30aa90cd90d334c24b586c585e3e

SHA256
6c29515ca893ef0867f5e919a730d6814f6805379191a5c3b1704723d3d8164b

SHA512
1d2c7a22bdab1334b05534c1a1e38599ab832f54e7eab2cf7cc5b6a39dd028d6dde0fe0e8372ac433e8e60be7b21cf62a6402da7dbce8c05c12eba84ff61143b

Download Submit
C:\Users\Admin\Downloads\00000000.res
Filesize
136B

MD5
e456e541b664832b7e228a912ad33a55

SHA1
94a70c5f00581c18e76879e723e1e959b3bf8673

SHA256
9d05fde3d008dffee4914eedc1af585f17d24c280418a04d3b10c430a9be464e

SHA512
83e2d18c685184058cde2ea99557a2759f72e45bff504067249458402f645296a5c1c34d9b01c6d0304072ea04642bc7c47e7531e2062819fcf7f825ccb03a0f

Download Submit
C:\Users\Admin\Downloads\00000000.res
Filesize
136B

MD5
462d4ecf5303648744d260acd1157ec8

SHA1
d7160b8f9bce1c77e1bdd01c6fc49ddc7e9fdccc

SHA256
9e79b7378f0666efa060e7af6c2e2a7ceb664007214dc7031956fd585aa1a413

SHA512
2417108f76a1ce040c19c2174c96c806263bb62947e5ff5ebd3c33e25fc95b71bfc33d371fde1505c4a9e842e2f0b02477938f7b36d969d051420916ad1db399

Download Submit
C:\Users\Admin\Downloads\00000000.res
Filesize
136B

MD5
275b108bf639a0d8ca2e1ad304d6765a

SHA1
d2c7f58e3a2d834675497cf63f000f41cb0a640e

SHA256
b34445ddf3804dad8eb1817709512308db2f10944865d97ddecad603a9dca2f8

SHA512
91a969c7205256a50fd98227b590c34c755a915b85dd03f46df6c672abfef277ad4ed0ed08a9ebcafb0fc73d6cc7b88008af6851e3f0c9cab58042fc0e448ae4

Download Submit
C:\Users\Admin\Downloads\44911715420446.bat
Filesize
318B

MD5
a261428b490a45438c0d55781a9c6e75

SHA1
e9eefce11cefcbb7e5168bfb8de8a3c3ac45c41e

SHA256
4288d655b7de7537d7ea13fdeb1ba19760bcaf04384cd68619d9e5edb5e31f44

SHA512
304887938520ffcc6966da83596ccc8688b7eace9572982c224f3fb9c59e6fb2dcaa021a19d2aae47346e954c0d0d8145c723b7143dece11ac7261dc41ba3d40

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 525456.crdownload
Filesize
224KB

MD5
5c7fb0927db37372da25f270708103a2

SHA1
120ed9279d85cbfa56e5b7779ffa7162074f7a29

SHA256
be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844

SHA512
a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f89224c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206

Download Submit
C:\Users\Admin\Downloads\c.vbs
Filesize
201B

MD5
02b937ceef5da308c5689fcdb3fb12e9

SHA1
fa5490ea513c1b0ee01038c18cb641a51f459507

SHA256
5d57b86aeb52be824875008a6444daf919717408ec45aff4640b5e64610666f1

SHA512
843eeae13ac5fdc216b14e40534543c283ecb2b6c31503aba2d25ddd215df19105892e43cf618848742de9c13687d21e8c834eff3f2b69a26df2509a6f992653

Download Submit
C:\Users\Admin\Downloads\c.wry
Filesize
628B

MD5
21016902333de0ba1d275418f5a71ca9

SHA1
c835262bebaa4968e536af3e8b7acd6590b9adb6

SHA256
797d6fc3deae834879ba177e71adcb5737bc534458d600a18005ef839c1b4b01

SHA512
682fca67c2ca4c9cc9e6d87aede2211f698eeac8d75d39893fcb457082c89a05901c613ce0e51075e3f763facd55c24baa2a7203b2c619fee467bd9024847255

Download Submit
C:\Users\Admin\Downloads\f.wry
Filesize
441B

MD5
5e06249612654088e3f7e175d10d6866

SHA1
4122df9f0eedf8efe5c39c51d8a48553b873d9f7

SHA256
dbf25370ad28a1e80b690ee6eccee52dc9a9aa9bc77808795b6118afaa3c271e

SHA512
2ef4fa5e022fc66d76dcb374fd0e292e88052971edb128fe6f55179bd821ab5bec6a129a4a493b4b8577824e29bca01067c63eebdfedf37e8b830a9b44f3ee8f

Download Submit
C:\Users\Admin\Downloads\m.wry
Filesize
42KB

MD5
980b08bac152aff3f9b0136b616affa5

SHA1
2a9c9601ea038f790cc29379c79407356a3d25a3

SHA256
402046ada270528c9ac38bbfa0152836fe30fb8e12192354e53b8397421430d9

SHA512
100cda1f795781042b012498afd783fd6ff03b0068dbd07b2c2e163cd95e6c6e00755ce16b02b017693c9febc149ed02df9df9b607e2b9cca4b07e5bd420f496

Download Submit
C:\Users\Admin\Downloads\u.wry
Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
\??\pipe\LOCAL\crashpad_5012_MEKUOTDBWOJFEYFI
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2284-3012-0x0000022BEC970000-0x0000022BEC971000-memory.dmp

Filesize
4KB

Download
memory/2284-3002-0x0000022BEC970000-0x0000022BEC971000-memory.dmp

Filesize
4KB

Download
memory/2284-3003-0x0000022BEC970000-0x0000022BEC971000-memory.dmp

Filesize
4KB

Download
memory/2284-3004-0x0000022BEC970000-0x0000022BEC971000-memory.dmp

Filesize
4KB

Download
memory/2284-3014-0x0000022BEC970000-0x0000022BEC971000-memory.dmp

Filesize
4KB

Download
memory/2284-3013-0x0000022BEC970000-0x0000022BEC971000-memory.dmp

Filesize
4KB

Download
memory/2284-3011-0x0000022BEC970000-0x0000022BEC971000-memory.dmp

Filesize
4KB

Download
memory/2284-3010-0x0000022BEC970000-0x0000022BEC971000-memory.dmp

Filesize
4KB

Download
memory/2284-3009-0x0000022BEC970000-0x0000022BEC971000-memory.dmp

Filesize
4KB

Download
memory/2284-3008-0x0000022BEC970000-0x0000022BEC971000-memory.dmp

Filesize
4KB

Download
memory/3820-2924-0x00007FFDF2FF0000-0x00007FFDF3000000-memory.dmp

Filesize
64KB

Download
memory/3820-2922-0x00007FFDF2FF0000-0x00007FFDF3000000-memory.dmp

Filesize
64KB

Download
memory/3820-2977-0x00007FFDF2FF0000-0x00007FFDF3000000-memory.dmp

Filesize
64KB

Download
memory/3820-2976-0x00007FFDF2FF0000-0x00007FFDF3000000-memory.dmp

Filesize
64KB

Download
memory/3820-2975-0x00007FFDF2FF0000-0x00007FFDF3000000-memory.dmp

Filesize
64KB

Download
memory/3820-2974-0x00007FFDF2FF0000-0x00007FFDF3000000-memory.dmp

Filesize
64KB

Download
memory/3820-2928-0x00007FFDF08A0000-0x00007FFDF08B0000-memory.dmp

Filesize
64KB

Download
memory/3820-2927-0x00007FFDF08A0000-0x00007FFDF08B0000-memory.dmp

Filesize
64KB

Download
memory/3820-2926-0x00007FFDF2FF0000-0x00007FFDF3000000-memory.dmp

Filesize
64KB

Download
memory/3820-2925-0x00007FFDF2FF0000-0x00007FFDF3000000-memory.dmp

Filesize
64KB

Download
memory/3820-2923-0x00007FFDF2FF0000-0x00007FFDF3000000-memory.dmp

Filesize
64KB

Download
memory/3888-2919-0x0000019046740000-0x0000019046741000-memory.dmp

Filesize
4KB

Download
memory/3888-2918-0x0000019046630000-0x0000019046631000-memory.dmp

Filesize
4KB

Download
memory/3888-2917-0x0000019046630000-0x0000019046631000-memory.dmp

Filesize
4KB

Download
memory/3888-2915-0x0000019046600000-0x0000019046601000-memory.dmp

Filesize
4KB

Download
memory/3888-2899-0x000001903E290000-0x000001903E2A0000-memory.dmp

Filesize
64KB

Download
memory/3888-2883-0x000001903E190000-0x000001903E1A0000-memory.dmp

Filesize
64KB

Download
memory/4604-1307-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download