badrabbit | hxxp://google[.]com

Analysis

max time kernel
523s
max time network
527s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
14-05-2024 12:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://google.com

Score

10^/10

badrabbit wannacry defense_evasion discovery execution impact persistence ransomware worm

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r (1).zip\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

Signatures

BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
ransomware badrabbit
Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Downloads MZ/PE file

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD8AE6.tmp	[email protected]
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD8AED.tmp	[email protected]

Executes dropped EXE 23 IoCs

pid	Process
1544	taskdl.exe
4956	@[email protected]
5116	@[email protected]
5640	taskhsvc.exe
4960	taskdl.exe
3916	taskse.exe
5092	@[email protected]
892	taskdl.exe
5460	taskse.exe
5692	@[email protected]
4116	taskdl.exe
6068	taskse.exe
4484	@[email protected]
5004	3E01.tmp
1064	taskse.exe
412	@[email protected]
3948	taskdl.exe
1080	taskse.exe
2380	@[email protected]
1368	taskdl.exe
5932	taskse.exe
5636	@[email protected]
5988	taskdl.exe

Loads dropped DLL 8 IoCs

pid	Process
5640	taskhsvc.exe
5640	taskhsvc.exe
5640	taskhsvc.exe
5640	taskhsvc.exe
5640	taskhsvc.exe
5640	taskhsvc.exe
5640	taskhsvc.exe
5948	rundll32.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3696	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uotirwldkg084 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Temp1_WannaCrypt0r (1).zip\\tasksche.exe\""	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
447	camo.githubusercontent.com
453	camo.githubusercontent.com
468	raw.githubusercontent.com
469	raw.githubusercontent.com
470	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\infpub.dat	[email protected]
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\cscc.dat	rundll32.exe
File created	C:\Windows\dispci.exe	rundll32.exe
File opened for modification	C:\Windows\3E01.tmp	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2880	schtasks.exe
6064	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3571316656-3665257725-2415531812-1000\{A3AD1DE5-1BB0-480B-B7CD-2E8F4F59F23B}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings	OpenWith.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
5544	reg.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 784184.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

pid	Process
4684	msedge.exe
4684	msedge.exe
1228	msedge.exe
1228	msedge.exe
5036	identity_helper.exe
5036	identity_helper.exe
6020	msedge.exe
6020	msedge.exe
6020	msedge.exe
6020	msedge.exe
1948	msedge.exe
1948	msedge.exe
5028	msedge.exe
5028	msedge.exe
5640	taskhsvc.exe
5640	taskhsvc.exe
5640	taskhsvc.exe
5640	taskhsvc.exe
5640	taskhsvc.exe
5640	taskhsvc.exe
4768	msedge.exe
4768	msedge.exe
5948	rundll32.exe
5948	rundll32.exe
5948	rundll32.exe
5948	rundll32.exe
5004	3E01.tmp
5004	3E01.tmp
5004	3E01.tmp
5004	3E01.tmp
5004	3E01.tmp
5004	3E01.tmp
5004	3E01.tmp

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 36 IoCs

pid	Process
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe

Suspicious use of AdjustPrivilegeToken 61 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3360	WMIC.exe
Token: SeSecurityPrivilege	3360	WMIC.exe
Token: SeTakeOwnershipPrivilege	3360	WMIC.exe
Token: SeLoadDriverPrivilege	3360	WMIC.exe
Token: SeSystemProfilePrivilege	3360	WMIC.exe
Token: SeSystemtimePrivilege	3360	WMIC.exe
Token: SeProfSingleProcessPrivilege	3360	WMIC.exe
Token: SeIncBasePriorityPrivilege	3360	WMIC.exe
Token: SeCreatePagefilePrivilege	3360	WMIC.exe
Token: SeBackupPrivilege	3360	WMIC.exe
Token: SeRestorePrivilege	3360	WMIC.exe
Token: SeShutdownPrivilege	3360	WMIC.exe
Token: SeDebugPrivilege	3360	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3360	WMIC.exe
Token: SeRemoteShutdownPrivilege	3360	WMIC.exe
Token: SeUndockPrivilege	3360	WMIC.exe
Token: SeManageVolumePrivilege	3360	WMIC.exe
Token: 33	3360	WMIC.exe
Token: 34	3360	WMIC.exe
Token: 35	3360	WMIC.exe
Token: 36	3360	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3360	WMIC.exe
Token: SeSecurityPrivilege	3360	WMIC.exe
Token: SeTakeOwnershipPrivilege	3360	WMIC.exe
Token: SeLoadDriverPrivilege	3360	WMIC.exe
Token: SeSystemProfilePrivilege	3360	WMIC.exe
Token: SeSystemtimePrivilege	3360	WMIC.exe
Token: SeProfSingleProcessPrivilege	3360	WMIC.exe
Token: SeIncBasePriorityPrivilege	3360	WMIC.exe
Token: SeCreatePagefilePrivilege	3360	WMIC.exe
Token: SeBackupPrivilege	3360	WMIC.exe
Token: SeRestorePrivilege	3360	WMIC.exe
Token: SeShutdownPrivilege	3360	WMIC.exe
Token: SeDebugPrivilege	3360	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3360	WMIC.exe
Token: SeRemoteShutdownPrivilege	3360	WMIC.exe
Token: SeUndockPrivilege	3360	WMIC.exe
Token: SeManageVolumePrivilege	3360	WMIC.exe
Token: 33	3360	WMIC.exe
Token: 34	3360	WMIC.exe
Token: 35	3360	WMIC.exe
Token: 36	3360	WMIC.exe
Token: SeBackupPrivilege	5968	vssvc.exe
Token: SeRestorePrivilege	5968	vssvc.exe
Token: SeAuditPrivilege	5968	vssvc.exe
Token: SeTcbPrivilege	3916	taskse.exe
Token: SeTcbPrivilege	3916	taskse.exe
Token: SeTcbPrivilege	5460	taskse.exe
Token: SeTcbPrivilege	5460	taskse.exe
Token: SeTcbPrivilege	6068	taskse.exe
Token: SeTcbPrivilege	6068	taskse.exe
Token: SeShutdownPrivilege	5948	rundll32.exe
Token: SeDebugPrivilege	5948	rundll32.exe
Token: SeTcbPrivilege	5948	rundll32.exe
Token: SeDebugPrivilege	5004	3E01.tmp
Token: SeTcbPrivilege	1064	taskse.exe
Token: SeTcbPrivilege	1064	taskse.exe
Token: SeTcbPrivilege	1080	taskse.exe
Token: SeTcbPrivilege	1080	taskse.exe
Token: SeTcbPrivilege	5932	taskse.exe
Token: SeTcbPrivilege	5932	taskse.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe
1228	msedge.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
4956	@[email protected]
4956	@[email protected]
5116	@[email protected]
5116	@[email protected]
5092	@[email protected]
5092	@[email protected]
5948	OpenWith.exe
5692	@[email protected]
4484	@[email protected]
412	@[email protected]
2380	@[email protected]
5636	@[email protected]

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1228 wrote to memory of 804	1228	msedge.exe	82
PID 1228 wrote to memory of 804	1228	msedge.exe	82
PID 1228 wrote to memory of 4280	1228	msedge.exe	83
PID 1228 wrote to memory of 4280	1228	msedge.exe	83
PID 1228 wrote to memory of 4280	1228	msedge.exe	83
PID 1228 wrote to memory of 4280	1228	msedge.exe	83
PID 1228 wrote to memory of 4280	1228	msedge.exe	83
PID 1228 wrote to memory of 4280	1228	msedge.exe	83
PID 1228 wrote to memory of 4280	1228	msedge.exe	83
PID 1228 wrote to memory of 4280	1228	msedge.exe	83
PID 1228 wrote to memory of 4280	1228	msedge.exe	83
PID 1228 wrote to memory of 4280	1228	msedge.exe	83
PID 1228 wrote to memory of 4280	1228	msedge.exe	83
PID 1228 wrote to memory of 4280	1228	msedge.exe	83
PID 1228 wrote to memory of 4280	1228	msedge.exe	83
PID 1228 wrote to memory of 4280	1228	msedge.exe	83
PID 1228 wrote to memory of 4280	1228	msedge.exe	83
PID 1228 wrote to memory of 4280	1228	msedge.exe	83
PID 1228 wrote to memory of 4280	1228	msedge.exe	83
PID 1228 wrote to memory of 4280	1228	msedge.exe	83
PID 1228 wrote to memory of 4280	1228	msedge.exe	83
PID 1228 wrote to memory of 4280	1228	msedge.exe	83
PID 1228 wrote to memory of 4280	1228	msedge.exe	83
PID 1228 wrote to memory of 4280	1228	msedge.exe	83
PID 1228 wrote to memory of 4280	1228	msedge.exe	83
PID 1228 wrote to memory of 4280	1228	msedge.exe	83
PID 1228 wrote to memory of 4280	1228	msedge.exe	83
PID 1228 wrote to memory of 4280	1228	msedge.exe	83
PID 1228 wrote to memory of 4280	1228	msedge.exe	83
PID 1228 wrote to memory of 4280	1228	msedge.exe	83
PID 1228 wrote to memory of 4280	1228	msedge.exe	83
PID 1228 wrote to memory of 4280	1228	msedge.exe	83
PID 1228 wrote to memory of 4280	1228	msedge.exe	83
PID 1228 wrote to memory of 4280	1228	msedge.exe	83
PID 1228 wrote to memory of 4280	1228	msedge.exe	83
PID 1228 wrote to memory of 4280	1228	msedge.exe	83
PID 1228 wrote to memory of 4280	1228	msedge.exe	83
PID 1228 wrote to memory of 4280	1228	msedge.exe	83
PID 1228 wrote to memory of 4280	1228	msedge.exe	83
PID 1228 wrote to memory of 4280	1228	msedge.exe	83
PID 1228 wrote to memory of 4280	1228	msedge.exe	83
PID 1228 wrote to memory of 4280	1228	msedge.exe	83
PID 1228 wrote to memory of 4684	1228	msedge.exe	84
PID 1228 wrote to memory of 4684	1228	msedge.exe	84
PID 1228 wrote to memory of 1376	1228	msedge.exe	85
PID 1228 wrote to memory of 1376	1228	msedge.exe	85
PID 1228 wrote to memory of 1376	1228	msedge.exe	85
PID 1228 wrote to memory of 1376	1228	msedge.exe	85
PID 1228 wrote to memory of 1376	1228	msedge.exe	85
PID 1228 wrote to memory of 1376	1228	msedge.exe	85
PID 1228 wrote to memory of 1376	1228	msedge.exe	85
PID 1228 wrote to memory of 1376	1228	msedge.exe	85
PID 1228 wrote to memory of 1376	1228	msedge.exe	85
PID 1228 wrote to memory of 1376	1228	msedge.exe	85
PID 1228 wrote to memory of 1376	1228	msedge.exe	85
PID 1228 wrote to memory of 1376	1228	msedge.exe	85
PID 1228 wrote to memory of 1376	1228	msedge.exe	85
PID 1228 wrote to memory of 1376	1228	msedge.exe	85
PID 1228 wrote to memory of 1376	1228	msedge.exe	85
PID 1228 wrote to memory of 1376	1228	msedge.exe	85
PID 1228 wrote to memory of 1376	1228	msedge.exe	85
PID 1228 wrote to memory of 1376	1228	msedge.exe	85
PID 1228 wrote to memory of 1376	1228	msedge.exe	85
PID 1228 wrote to memory of 1376	1228	msedge.exe	85

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
5920	attrib.exe
1960	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.com
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd7e2546f8,0x7ffd7e254708,0x7ffd7e254718
  2⤵
  PID:804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2196,17136495959368647682,3397383438612287370,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2224 /prefetch:2
  2⤵
  PID:4280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2196,17136495959368647682,3397383438612287370,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2196,17136495959368647682,3397383438612287370,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2936 /prefetch:8
  2⤵
  PID:1376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,17136495959368647682,3397383438612287370,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
  2⤵
  PID:3668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,17136495959368647682,3397383438612287370,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
  2⤵
  PID:552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,17136495959368647682,3397383438612287370,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4740 /prefetch:1
  2⤵
  PID:2272
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2196,17136495959368647682,3397383438612287370,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5136 /prefetch:8
  2⤵
  PID:8
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2196,17136495959368647682,3397383438612287370,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5136 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,17136495959368647682,3397383438612287370,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5140 /prefetch:1
  2⤵
  PID:4616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,17136495959368647682,3397383438612287370,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:1
  2⤵
  PID:2024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,17136495959368647682,3397383438612287370,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:1
  2⤵
  PID:3780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,17136495959368647682,3397383438612287370,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:1
  2⤵
  PID:3404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,17136495959368647682,3397383438612287370,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:1
  2⤵
  PID:5556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,17136495959368647682,3397383438612287370,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1
  2⤵
  PID:5564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,17136495959368647682,3397383438612287370,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4788 /prefetch:1
  2⤵
  PID:5728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2196,17136495959368647682,3397383438612287370,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=180 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,17136495959368647682,3397383438612287370,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4664 /prefetch:1
  2⤵
  PID:2408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,17136495959368647682,3397383438612287370,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4968 /prefetch:1
  2⤵
  PID:4608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2196,17136495959368647682,3397383438612287370,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3504 /prefetch:8
  2⤵
  PID:4516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2196,17136495959368647682,3397383438612287370,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5016 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:1948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,17136495959368647682,3397383438612287370,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4796 /prefetch:1
  2⤵
  PID:5248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,17136495959368647682,3397383438612287370,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:1
  2⤵
  PID:3576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,17136495959368647682,3397383438612287370,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5116 /prefetch:1
  2⤵
  PID:3940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,17136495959368647682,3397383438612287370,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5912 /prefetch:1
  2⤵
  PID:5560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,17136495959368647682,3397383438612287370,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1
  2⤵
  PID:5828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,17136495959368647682,3397383438612287370,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6080 /prefetch:1
  2⤵
  PID:5548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,17136495959368647682,3397383438612287370,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5916 /prefetch:1
  2⤵
  PID:5048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,17136495959368647682,3397383438612287370,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6676 /prefetch:1
  2⤵
  PID:400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,17136495959368647682,3397383438612287370,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:1
  2⤵
  PID:2244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,17136495959368647682,3397383438612287370,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6476 /prefetch:1
  2⤵
  PID:6064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,17136495959368647682,3397383438612287370,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6584 /prefetch:1
  2⤵
  PID:5260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,17136495959368647682,3397383438612287370,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7140 /prefetch:1
  2⤵
  PID:5308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,17136495959368647682,3397383438612287370,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7260 /prefetch:1
  2⤵
  PID:5488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,17136495959368647682,3397383438612287370,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7112 /prefetch:1
  2⤵
  PID:628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,17136495959368647682,3397383438612287370,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7592 /prefetch:1
  2⤵
  PID:3648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,17136495959368647682,3397383438612287370,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7932 /prefetch:1
  2⤵
  PID:2176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,17136495959368647682,3397383438612287370,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6568 /prefetch:1
  2⤵
  PID:1404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,17136495959368647682,3397383438612287370,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8332 /prefetch:1
  2⤵
  PID:2664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2196,17136495959368647682,3397383438612287370,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=7308 /prefetch:8
  2⤵
  PID:5812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,17136495959368647682,3397383438612287370,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6492 /prefetch:1
  2⤵
  PID:4704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,17136495959368647682,3397383438612287370,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7500 /prefetch:1
  2⤵
  PID:3672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,17136495959368647682,3397383438612287370,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7588 /prefetch:1
  2⤵
  PID:3076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,17136495959368647682,3397383438612287370,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7048 /prefetch:1
  2⤵
  PID:4300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,17136495959368647682,3397383438612287370,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7808 /prefetch:1
  2⤵
  PID:4360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2196,17136495959368647682,3397383438612287370,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7472 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,17136495959368647682,3397383438612287370,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4840 /prefetch:1
  2⤵
  PID:3052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2196,17136495959368647682,3397383438612287370,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7900 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4768

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1412

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3776

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:6112

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r (1).zip\[email protected]
"C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r (1).zip\[email protected]"
1⤵
- Drops startup file
- Sets desktop wallpaper using registry
PID:4016
- C:\Windows\SysWOW64\attrib.exe
  attrib +h .
  2⤵
  - Views/modifies file attributes
  PID:1960
- C:\Windows\SysWOW64\icacls.exe
  icacls . /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:3696
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r (1).zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:1544
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 221651715690208.bat
  2⤵
  PID:1888
- - C:\Windows\SysWOW64\cscript.exe
    cscript.exe //nologo m.vbs
    3⤵
    PID:5176
- C:\Windows\SysWOW64\attrib.exe
  attrib +h +s F:\$RECYCLE
  2⤵
  - Views/modifies file attributes
  PID:5920
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r (1).zip\@[email protected]
  @[email protected] co
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4956
- - C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r (1).zip\TaskData\Tor\taskhsvc.exe
    TaskData\Tor\taskhsvc.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:5640
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c start /b @[email protected] vs
  2⤵
  PID:5980
- - C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r (1).zip\@[email protected]
    @[email protected] vs
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5116
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
      4⤵
      PID:876
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3360
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r (1).zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:4960
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r (1).zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r (1).zip\@[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3916
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r (1).zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  - Suspicious use of SetWindowsHookEx
  PID:5092
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "uotirwldkg084" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r (1).zip\tasksche.exe\"" /f
  2⤵
  PID:2020
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "uotirwldkg084" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r (1).zip\tasksche.exe\"" /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:5544
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r (1).zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:892
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r (1).zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r (1).zip\@[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5460
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r (1).zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5692
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r (1).zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:4116
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r (1).zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r (1).zip\@[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:6068
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r (1).zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4484
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r (1).zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r (1).zip\@[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1064
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r (1).zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:412
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r (1).zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:3948
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r (1).zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r (1).zip\@[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1080
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r (1).zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2380
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r (1).zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:1368
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r (1).zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r (1).zip\@[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5932
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r (1).zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5636
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r (1).zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:5988

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\@[email protected]
1⤵
PID:1792

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5968

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5948

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\@[email protected]
1⤵
PID:5648

C:\Users\Admin\AppData\Local\Temp\Temp1_BadRabbit.zip\[email protected]
"C:\Users\Admin\AppData\Local\Temp\Temp1_BadRabbit.zip\[email protected]"
1⤵
- Drops file in Windows directory
PID:5048
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5948
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Delete /F /TN rhaegal
    3⤵
    PID:336
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Delete /F /TN rhaegal
      4⤵
      PID:4920
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1449581380 && exit"
    3⤵
    PID:4992
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1449581380 && exit"
      4⤵
      Creates scheduled task(s)
      PID:2880
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 12:56:00
    3⤵
    PID:552
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 12:56:00
      4⤵
      Creates scheduled task(s)
      PID:6064
- - C:\Windows\3E01.tmp
    "C:\Windows\3E01.tmp" \\.\pipe\{DE53E2AE-7D0B-4117-BCD5-2272274FE5B3}
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\@[email protected]

Filesize
1KB

MD5
26f40e4296f3dab1661228c60303923b

SHA1
4a8d627c2a3581552f65ab2a379f3e3206c208da

SHA256
4904f0048264380eb78f6d5bf70dbbec8c26bb6b7100be9b227d541724375e1b

SHA512
79ce49df1f4ff321e8f98cd60e62799d7efbf181847e5481de30a8fee704e4bf1c6ebf0ca60fb9950cefae6f8018452bf4255ee3541939120d70fe813fa1f6f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c9c4c494f8fba32d95ba2125f00586a3

SHA1
8a600205528aef7953144f1cf6f7a5115e3611de

SHA256
a0ca609205813c307df9122c0c5b0967c5472755700f615b0033129cf7d6b35b

SHA512
9d30cea6cfc259e97b0305f8b5cd19774044fb78feedfcef2014b2947f2e6a101273bc4ad30db9cc1724e62eb441266d7df376e28ac58693f128b9cce2c7d20d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4dc6fc5e708279a3310fe55d9c44743d

SHA1
a42e8bdf9d1c25ef3e223d59f6b1d16b095f46d2

SHA256
a1c5f48659d4b3af960971b3a0f433a95fee5bfafe5680a34110c68b342377d8

SHA512
5874b2310187f242b852fa6dcded244cc860abb2be4f6f5a6a1db8322e12e1fef8f825edc0aae75adbb7284a2cd64730650d0643b1e2bb7ead9350e50e1d8c13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
39KB

MD5
842082b01724738200165d34b9d52a53

SHA1
0d83a0e70bf227fdde673672fe938023314e1185

SHA256
f5c0c205f644d9ec5ddd9516de5dbb1bc27e818de100431be15f595df1209485

SHA512
2ce64bb8d470294ab862ae850534774190966cb24c05239996721ba6a29ff8f1e50efb6378d72194d406b191d5a0f1d9b5ddd299981fdf7cddffdc9e5d590cde

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

Filesize
62KB

MD5
c3c0eb5e044497577bec91b5970f6d30

SHA1
d833f81cf21f68d43ba64a6c28892945adc317a6

SHA256
eb48be34490ec9c4f9402b882166cd82cd317b51b2a49aae75cdf9ee035035eb

SHA512
83d3545a4ed9eed2d25f98c4c9f100ae0ac5e4bc8828dccadee38553b7633bb63222132df8ec09d32eb37d960accb76e7aab5719fc08cc0a4ef07b053f30cf38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000b

Filesize
67KB

MD5
d2d55f8057f8b03c94a81f3839b348b9

SHA1
37c399584539734ff679e3c66309498c8b2dd4d9

SHA256
6e273f3491917d37f4dbb6c3f4d3f862cada25c20a36b245ea7c6bd860fb400c

SHA512
7bcdbb9e8d005a532ec12485a9c4b777ddec4aee66333757cdae3f84811099a574e719d45eb4487072d0162fa4654349dd73705a8d1913834535b1a3e2247dc6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000c

Filesize
65KB

MD5
56d57bc655526551f217536f19195495

SHA1
28b430886d1220855a805d78dc5d6414aeee6995

SHA256
f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4

SHA512
7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000d

Filesize
88KB

MD5
b38fbbd0b5c8e8b4452b33d6f85df7dc

SHA1
386ba241790252df01a6a028b3238de2f995a559

SHA256
b18b9eb934a5b3b81b16c66ec3ec8e8fecdb3d43550ce050eb2523aabc08b9cd

SHA512
546ca9fb302bf28e3a178e798dd6b80c91cba71d0467257b8ed42e4f845aa6ecb858f718aac1e0865b791d4ecf41f1239081847c75c6fb3e9afd242d3704ad16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000e

Filesize
1.2MB

MD5
b76a36f694fd69b229872393bd33b65c

SHA1
710ebf0e68bb65f2faa4356abe17f3d164e8b943

SHA256
1942ea4d2f0b066d0bbf102d25490e01e3843a204b2cc3cf2b721a7f7ddb9712

SHA512
8e4172f38b9b32658717de15c38f5b0c4dfcdbeb73424e6ba4f08981c868fdc240eb5776452f0a71395df2d0bc441f3f88ffaead5860fa672d992a94fb868a26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000f

Filesize
32KB

MD5
bbc7e5859c0d0757b3b1b15e1b11929d

SHA1
59df2c56b3c79ac1de9b400ddf3c5a693fa76c2d

SHA256
851c67fbabfda5b3151a6f73f283f7f0634cd1163719135a8de25c0518234fc2

SHA512
f1fecb77f4cdfe7165cc1f2da042048fd94033ca4e648e50ebc4171c806c3c174666bb321c6dda53f2f175dc310ad2459e8f01778acaee6e7c7606497c0a1dea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010

Filesize
75KB

MD5
cf989be758e8dab43e0a5bc0798c71e0

SHA1
97537516ffd3621ffdd0219ede2a0771a9d1e01d

SHA256
beeca69af7bea038faf8f688bf2f10fda22dee6d9d9429306d379a7a4be0c615

SHA512
f8a88edb6bcd029ad02cba25cae57fdf9bbc7fa17c26e7d03f09040eb0559bc27bd4db11025706190ae548363a1d3b3f95519b9740e562bb9531c4d51e3ca2b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002c

Filesize
177KB

MD5
40c87b49b58a52fc6b2c11fcdfd1c375

SHA1
213b3defbac1822fc816d7a0130850fff6b95654

SHA256
11c364d10c4c3c950c829c49c4808a7fe18c1c4a7787facc406d0dec0207dbd2

SHA512
6749e76f90325d8ecc3057481bc7c509535bb7f54e005ccba4284c687a0703e3ed9ece16105dbb778c0ef4bd24b825c3b5aefcf802883bac8fefa8ac38cce173

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002d

Filesize
197KB

MD5
3e6565cc9681eba259b73b13f834d8aa

SHA1
384f0a72d2027ff990dd36cdeed69df1334743ba

SHA256
5a5f3b613da4bffecbb79afb80415399d4953e066d6090810d6c09bf03aa321e

SHA512
0ed99d13de45f66477357f0cd84ea2e3b889ef57b8b1a3a9180b5babcf5fe77961f054976bced47f5576ebd8560c6a7277ce4a870a4f56fc3cdb99d6d8fc9599

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002e

Filesize
136KB

MD5
8dc9ae6b595ffd64f2cc9309ac17cc62

SHA1
4b05f429d0b63c35291f7e1692d44608681063cd

SHA256
06e727404f5c77852a339b18b5c8b2abf803ba7d7c04322969f4e3cfa583559f

SHA512
a5eaea1f296f987a9d7ccfba09aa8e130413f97a906c10aa71940943a1546da044e452fa7234bcdf3b5215f7b7e2d2329d98534ff2d63b33cca05e06cef56af1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002f

Filesize
209KB

MD5
b14406147f5a4293482238be9369a304

SHA1
93413f8cc3f22c58b068d086d1c56f3c07b8c2d4

SHA256
080204e95d213c2f365442fd528d9f5aea7974ac1f1a98eaf8d45d14d70476f7

SHA512
4652422d63ba09a19dcf726bba1f91179cc659db043d8a76fe81564cf2920b5899083280233bc35e4271fc16e918e3f058d47d2c7544a8313d417a671801dddc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000031

Filesize
171KB

MD5
97fce0e28d2544aa6168c67b41a2667f

SHA1
129bc53e8004da98b6fddaf33ef5d37159599b16

SHA256
03d0216f30391fa1993e07a886b010fc822622f28eb10a34ffddcca631078791

SHA512
99167f43deb9054ed92e102a62b19fb3854558390f084300b8280c9848b6474d103f1cfbad1c5c87f971551ecc6f7147e02ae795fc178d910dd5a67ab1097bbd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000032

Filesize
174KB

MD5
85931056513284ac966270ded78ee2fe

SHA1
cdf316a91501a1a66f869623685e02668a9596ca

SHA256
0985711e35cb4994a0d51b9daa6151579f0a9fab9bff031ef0b9f30b850761d6

SHA512
4471537a741e4c4bc819d7fc4522751203dce7577712658c6a3dd306379eac0745caa3882ae6df8434a0944b8ab72f17d17d52b025d14af7f68639e0c221d9a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000033

Filesize
213KB

MD5
78989d2bca27dae626cf188019c64a69

SHA1
e38fd73231dcd68aa298967ba7fabda9e53f053c

SHA256
24fe457f908a22ddaf7383cafcc4dd07dc5354982762b4fdf2dcc44f29a5eb8d

SHA512
962b32fefde8d78f67c565dee2c3e86f449bcce53bf23884df9631d3aec9c131682607b24934da2f606375203d1dd6b49d527c175dade1e68bd81bddb6a0c835

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000076

Filesize
64KB

MD5
7dc744b67919bed7c6d10359ebe0add3

SHA1
0fd28d6a7332385e2730a0c6d247856fe5454761

SHA256
f2d6f6a97efc7476f2c9cfaa15354e80ab7993ebe545f1f8f2872206bdf9958e

SHA512
d930fe5b2a783f2ac047da7d3bd8239844c9fc8261aaaad79d694fd11edbdf2137bf52546a73eeda0cec5bead2702fdc82893f8d693ab6874a0f755e467c028a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
ba12f571e4f14d0989163918ebc97ac8

SHA1
f0253fd7971015f2b9feafc62d4b4f94a7a8e178

SHA256
2456d9f1dfa62eeffbf2bed7e51c80f14eae80265a31093c665aedf0e5c89741

SHA512
7219185e7656ae543dd657de41ef7d43f169a317f7e59405fb63942b47ba38121bdd1974ca0b06e4743c4f4e8986a937de65ececaf3526621112467802fa5488

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
6KB

MD5
bea095875356297c2ae7510f234e6c4a

SHA1
86cd95798402b96c214dd79ec1a82d1b55e9ea7e

SHA256
60b552bc18e0578efbf53d1600848ab59fdd9000666cc2c7ddde187a154f8e45

SHA512
bfc156d09a62a00dff495484ac3f7f83f55a5c0f559c877a112b55161a5fd5a21170b19d24d9dc309a8029ce32df48f35a630c70b9c951ddec15c117650ce3c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
57c48cb3f06e83b8df6364f68af69167

SHA1
8fbf3687145c3661108a66c2f819bf4083fb45ed

SHA256
7df5f9d639dd6fac90fd05c523ae85a0db6ec294ef49e7ddd3e2b2ac8fa5f765

SHA512
fc2da6754d7fad8749c141a7bb1d86893d7101d3e358ea5cb644314c57d7a55268926709ba73849c4b7c816f354062169a95109e9dbe3991e0b8cb47b102d542

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
399e6bea304c51f7a52de6b4ec99ff4a

SHA1
704adf85cb0c9565736f5829e7e0936c11c158a9

SHA256
5291c66012a971957d6bad7eb9b1abd574029cad6656889ceab1722aff5a0b28

SHA512
89a14ac9d8bd46aa15bec4f49bc31f47cc26eafa18efa02e5d9356d2ea6673ca8de6165b331e2a19586c903004dbaba597d08db68ebd167f3b419e6f6cb5978d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
6b775fe6305bc6c4a96d078840905519

SHA1
ff66701d2881485722861e00195aba5eca54f3ec

SHA256
ff33a053af5c6b15c1b0fb56bbcc211b72d2e603e3c62989ad499b647fb27013

SHA512
fab47879dca8c648d13f7c98a45bd76f40147802a9b804dc2efa341dafac219030a4f8bf6a14349b1b4f77dea1a0018e15b27f9e09384f9f0abbb0d12310a664

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
10KB

MD5
91e10aa11d1a91e4b53bf612da54526f

SHA1
2b6f59424a1862eaa013a70215ec8e2440b35afe

SHA256
58099d21e8627f5e06c936084a243990ab44c7335d44d2c981c19d41eef891ca

SHA512
01b19230321dc9fc621fb69cb0e4c440d61015090725accf6629a15d26a69b9892c2b1085c75c6a27b49e1cf375dd69f1fc00d524c7bc556b23e0137fa66391f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
14KB

MD5
42e886bed3906f48ff43aa344ab5025b

SHA1
35c11b23e17e7d2c312d70e0903283ec4e276a0e

SHA256
ee9a3864fca0277bd3d971cc0188558d45f6827daabe8d65f7ef52e177bb18d5

SHA512
5e221f4654100a05e330b5589510e1fc6c482c97479d6a81d2eabeb86f6dab1d8227273acba5efef71a4237fd43e53c47bce8a0839387ba2b28d7436bb9d0f04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
58d9186b8d4cc763e05473432554a94a

SHA1
baf7cd9322350122d5eaf65f564f1eb431069889

SHA256
ad80dafaf692e94acfef90903497d3632b3c7fdc1e278be1849b1fe8cff86d79

SHA512
78a73e7ef08a5288a690e0090b287420a903d91ad40714eb039a06ba1012708e0543d472b18b45c87707491fac2b8ca678c0ee138eb80438f360a53fc0380e92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
3222b0927f252666fb96e4240e643584

SHA1
323e656a27ac350d64395432bab7dec9c6831674

SHA256
720b3113ad43e5ed99fbdda1832220d89e31c8542ce1b3f48d0f7e25dcc66d78

SHA512
0994b0e8c1ff98c2f9521dcda161972b76f91bd441b24c3dad4ecf5dfe69536a60a3b8587c0ae5bdcfbb55513421089d6a0d5d703e7a40d3f015587b7ee478cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
13KB

MD5
c1287e6a846db67e98d0a7168e466d64

SHA1
6871bd80bc6a2f3445e9e84c749977bc5dad5848

SHA256
76e977d8cbb5590f096d3a126ac22c514564e5bebad0773214a83c004db1d3db

SHA512
15619dc2e1f66f65f06d9e63b060a9627f0b0858af8c329cc3da9ab2d6e0c3d3d43f97acd0905a78fbcdade6eae6634d585638ba48df7ee02716399f262a9523

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
13KB

MD5
12641be83ee3898ffe9e793d3a454cda

SHA1
731b9d58668bf8323318ada816167511bc51ca98

SHA256
b83090acaaf5806c4ea4940466796d6941f279e64d5a7e86b249c9aa0eddc049

SHA512
e157505ba618207c4d8789e08c8ffc7afe818e55456ebc635870524a1c2d05d55ded333c026620f7e91dee7d49aa889c654a7c0c8cc9a66fa15f7bbad4b6009d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
7acbdf01a10b255ef881fa4592bd15a4

SHA1
d7d0b95dd6bdc163a4343cc7e40fd6f77172be55

SHA256
f4a20b94abf5fc4eb5ead72def7c5b85ab4592ecfc813c4dbdfd92e8af87bf87

SHA512
d71ba4399c6819b3fadc24c707d8452980a6c888680b060d15737b81173ec7a3256fc51a4175bb8b61567dd2aeae2208bd923ee63f871ff924b7b97c60c8e106

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8b7daf564c97e3f62d0b79d87e5e267e

SHA1
9e0b2e4bfafc7ce0c7938b6390dd61003761c92d

SHA256
0b78e4c9d6cd65ea2c29c93c28ae59fceb73ea64ce3f4ab940f7cb482c85877d

SHA512
7234484d6245d1d59ac4f4dd7fcb1e6fdc7fb913ed1899df97eaf54468424c0dcecbf6931d0dedc47126dee57f91d89833434d88912708f837fda14ec58d4bb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
2e3d1fb4196a94bae9797173b21af2be

SHA1
6e43e285c97922e3a500f53801596e875039ce10

SHA256
df3d4882d28743bcfed3573302fb62a3b3c974e7068bcea60a64dd0cdf269662

SHA512
8ece251a70aed1eb5fa5a1807e13a84192ee9628bf5158bc07d1abce6390653fb61833fb85011ee1515f058c944dfe9f93f3c105d4e1552c8a15a6296b0c643c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
dce5ed69cd48d76b0ab9266b8e51da46

SHA1
6e2713bcef6c1b533a227f93fecd84d9abb1cf05

SHA256
d7e597f2b91b454514cd2cef90d6425ea233420138bc4a0a7b554b96d5a653c6

SHA512
50a1aa50ca6063e9717b047d53500c67a348b139498201025f6e23086a392620e0cb9c1a45c4365f10ebeef0bb3240c61080bffe736dfd92ac8dc8d990fb09f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
23380c6df9baf73d5579a1fb4618f1a1

SHA1
5c6ba19f53ef2ce4bfcf854aa085f79ea31f60ed

SHA256
0aaddc7547f032fa8d67f16bafbd0cdbebddf31abc39ef27d7a69b85b77d8f85

SHA512
eda89d95ca6bb26e60813d5b11031becced77b9e5c3c8842196a01b3fae892879f79ec6f2117bc65fa8e69d3e4faf970af752d537ae955837ea7374b41220417

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
4178d192a6ac78bd938d4c153536c9a4

SHA1
b5ab46e0cc6a6ed17b4b3564b8ad074b95a90feb

SHA256
9b2b437aff9336bd5f644d313b779f7dd56d1991f32aa3959a7e5f0075ada1d0

SHA512
d30c102dba8c5d08c00a6e6cc1dfcb8f49185ff0ff77da4ddb2a06c695b69ac6ae5569cbaa644a1cd914b6ba53e1b3dbc24053966fc8ce7d1bcf5616a6579d20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
46c8ec3b8178ace66f9e9cf122b6be12

SHA1
658e609347b68e18e269e9de5e871d1f13c7e020

SHA256
0a868e0e5362190ca5d48b7f793315bfcc8929bdfd20abff43f41f558104fe0c

SHA512
afc35ef43854b93622c62c3ef89989ab633d8c9a2814e0d1c354a6ff8825b2fa6be0376ed02e5614e6f43c245f2623f2fcb0cf9c1b85d7e59843ec3e5a489a8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
9dcc813c0da3bb6b05c69ed07c30841a

SHA1
6ffd555a5f592c1aaa89fb085ded85b0cedd87ab

SHA256
0aed3991a492ea17e428cc68ed36a1164eebf891b0f35966ece08b1d2ba08d14

SHA512
c4ca76a737717f0b10d03128fce7135e78a547a29d593d23b09204e415c5e4c49f48e63bf009a3d4982a9f6f6b7ac1368058e8bb3971e6d0507c04b73ab62ba8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
704B

MD5
cd70811f9f68844c0f3133d222924541

SHA1
e1c6834519affd87753ef15d86afd5d13574f257

SHA256
f02565426a696aa76b8f0ebe05521d1614fbcad20def940ba9fd17891beaa812

SHA512
73d170df981692470f9953f71dcb6c47db1de4d74f689fb12098ed23750a04e179e6d3ce32bf349e1e069d357367aac5fbd02cc005ab3fe00c50b8e1f2f0c432

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
0ded957804acd85cd17195361c633259

SHA1
4c5cee8f28382aa25c61e6513230612de6a92c3d

SHA256
2e26d6482f82e7c81ed01c6e133b90a684d005eb43b0371485cf72460499a555

SHA512
ce5092bb41473ceced35fafd2972a775300bc8ed6c714a008b84480cb48bb5f4686d777b87cecc43e4fee88cdb39c49c43564aad8bf308e3f3dcd436c1e9ed15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
005ceaa1b25a798ff00f9b715c00bccb

SHA1
9585f9ec0170cbec295b929d927de70a6cb66cbd

SHA256
a90622607c21e41b3ec5d5c0d28c43d8621b828e95e303b6ee4f4bd4cc9cc734

SHA512
a1975c214ab3b33431ba53bfe7cc4a9e30a49206f9558256cc49f01f133fc04eee4cf5675233cb959d5394e037d12af0a2be9f33af76c3f4cb184fcbf0f4b76d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
5c091596967dc6242e41bb20b50d1e19

SHA1
e512dcf53600040bb5b127beccff38ff4ad86547

SHA256
8a5f992be1dd1180d03cb10d76b90163dac800ed309695e1ba276a8c5a830e76

SHA512
3215449383a5171a99cc75722ddfa8d78ab053d310a8a44b7220e5e44ba154117e0d091ed82407d7f5e0a48e61260f2721a37f2505cc775a717b1001c36dcbf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
393c7479fd350571c75f9b8d75ef36e4

SHA1
4c89e1e166cde2f143c4d57c42ad2beb30d21b7b

SHA256
4c54e73cd6fd977d5b595606d67ee8058dd1535d5e1847eb637d259a63b58589

SHA512
80109df813204294d9aebb196e756a19fc3af2005803a2d5c854b6110bdbb72bdb27e8a13455e8b48d31348088a3eeb7b2f4fd0a9bbfdda95e0549c9f7f7124c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
e37b25fb865ac282e66e29ca3c3b0853

SHA1
36348b57830538cced6f7b15aef5d387b372acfe

SHA256
8c50e7c8606b318c3c9a0fde7e91591a631773692f380e7bd5e4c71f19d193b2

SHA512
ded5738fed7b146e68349192c1fb6ae37328ec5a8d1a1db7b1831a4002688517adbcfd783156da1f4d906ba51b04fd74003637b1aae3d46c4c4b2a414369f365

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
2a97cbc36e90ec80ab42bcd5dd940224

SHA1
78df9074b635e31e0accfcb01456aedf8624ab91

SHA256
8157d4c4b5e5fcc6e9ebbf0f8e78a84abfe065da3cd0710156fa2b192a3166f0

SHA512
e0e73890ce48c1738dfd770ceaa4f52776feb7b273eaadd5c03af023e4d54942dde7cef2be0a00882e9b6b77afaadd122935664855b9110c58bcd4fa5ca83100

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
238a8cf5b3214e43692d3ffec07786ce

SHA1
45a898c5234e75091fdcc7ade30822bd90e17cab

SHA256
a95c961c99305788266cd890e6f4a1b9479860d5ae068fc91768882915da54fe

SHA512
788d36da2f0a175e78cd103e4a69b5cf46bca6bac6763591a6f6108315b28792965c26bcbcda8c634ef8c4d0eb8d027736fac2b10d99b7faabb4efca6cdf9894

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
b6a1b79210bd2d47e970ba00cc27511c

SHA1
d43228ef05ffcd25f4bb5d8ba4121f4fed225e9a

SHA256
015ff2d5398f324bca7d27bd407cabc40b64c7d7192452e1ae6f2db6b4d1e8c4

SHA512
b614d5d12546b3c297895392febff74269ce32b7ab3ba01b3b93bb1bd0c3c9feb48dc2de74faab84e17d300fb6fd5ff0f8a4683d4c11f9581a6dd2c9e42ee5f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
4ffdd9d97b0c23a53e771e07edf1bbd0

SHA1
1e23db7bf810df2937ebc0e4969f80b912679012

SHA256
c22de8c0b2e6d80365d4a669ce9c01018602dca74fba1cc341607c395bd43cf8

SHA512
a11f337d6df450b6d825f74c8eb419829ced388e65c3cd658671a3b1362af980aa5e90ea5dde46f6ffb6079b6642eeebb5b7568a527960141bca61817691da6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
2825c7f0de450221215f2733f763d045

SHA1
330bcaa6456bce83e12cb5fe83dae33297b9d7f0

SHA256
875a155eb3c53ff62a0f316dd522fa1a404f66ef81183929f285841ad9b4985f

SHA512
fb99725f5a35f2872a4a3ca514676829a1fd9e1345fa19c68a252aef8e68e0ea97f393b917abfbdcd93933b56bea556f81c6d02319e3d9670de5f479c712eea8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
704B

MD5
fd4d8f34a1a30ede0c5dad01231de646

SHA1
eb89c0409b4e7a1fd0d545272310a421d1170e56

SHA256
7f09b851c1c80162bbb809e813ab871165b79a6bab07853f0f92e1400098f3bb

SHA512
ee3a3550aeb9f6157b4bcf84eaae2685fc06b99a9195618cd0826fdd8fd00b7e03a4692ff41b675783fef458728b713bf97555e41a0e0be76440b4dcaa16e223

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe598488.TMP

Filesize
204B

MD5
03cb58cf5fbc8981efb6adaab85e1910

SHA1
65710fa93ae435029e49c0e3de2e56e7329331a9

SHA256
4d51f20a4d74a484163f6543fd088a9b081eaa0438028c379468dacd8df40e85

SHA512
fe21124c1217f9bc7fac97c2add23709618504fc080da2ed0d08902351880c5e9f4da2240b671982688e91a0bb66089cf77a7eb6a0de987ec5a28e0ad2b730ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\c8d7b85d-a269-4384-a7d6-43ffeaaae5f7.tmp

Filesize
13KB

MD5
e4ed69155b3eadf2a93d6eca3f723ff3

SHA1
f3a0fa5a2f5c718ffa6f8c78402e89f70debc8c0

SHA256
72452c4dc0215ddee47d0f1b6e154b309a1804e8410ebf0a3d44875d17cf7f91

SHA512
800a4706b76c9f1fe5db6ee7bee62c3c9f95a78fabfc6a1d390c1a3f830168d8c690b0e3f89957b3ec430e98904e184072fcb922aaa6065d4b9ef7fd4b405c0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
34561f0187c3d601b32246b3bcfcf3af

SHA1
11395429413455c2a8a2f9c10817522b1a3ce7bb

SHA256
74a0a4faf541cea731c9aabdf66e4f7d5ee537739ba5c33321fa67c9df320383

SHA512
0e90f0f8df34dbff05c4db50f2940c1fe8598c0bedcd3b37427039adc35bba7229e38ddd282ecdcd03dd211802e5684de8261e4bfc3112eafd1f8968c8040c0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
72ba369e37775de53da7687be722609d

SHA1
0cd127f523a809d8dd754f953c95d3b077db79f5

SHA256
b8c81a38ef06b1edf7ff101cd67681e6420944775d3ff55dd859e709188a0121

SHA512
297809030aa3dce483e3c555d523ceb8b579d5d31fb0e9da1ee167a67d3081566a2522bdb3b12671f9fec55864c5ef83d93aa53e50a2d38115a188eead7b7291

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
9361418e1204058b43675c3fdee0e273

SHA1
63eb3412068d0b48b23659819693c1f54f5d3019

SHA256
f68a4171c6ac7eff4c0572e96375272c4e2b84d1aa832f13dfe3cfa4363c3fb2

SHA512
6b72ede0a082f7f27a0b34520cc16f54e3b78724dfd09976e9ea18d06dcbcbc2fd58713590642bea8c5bab317b5a6811e3b0a6d32dabdfebe06d3162bd12a4e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
55c7e3272ef0150def0d8eeb0b5dc27a

SHA1
d221a281def60c9c4d4a0329323c8985309fe334

SHA256
def224070e4380c8c71e71eb3aa1465b429f74c6e2ba1c19dd35e9c88d39a9e6

SHA512
14916c20142404872e6c59ad95e6d1c5bebb5a0d3c4158131b95c16114ccb7abf6eca3f5f6ec3ba604df2fa047c7d5fa66326ebbc69d9a98eafcc7dd803af345

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r (1).zip\@[email protected]

Filesize
933B

MD5
f97d2e6f8d820dbd3b66f21137de4f09

SHA1
596799b75b5d60aa9cd45646f68e9c0bd06df252

SHA256
0e5ece918132a2b1a190906e74becb8e4ced36eec9f9d1c70f5da72ac4c6b92a

SHA512
efda21d83464a6a32fdeef93152ffd32a648130754fdd3635f7ff61cc1664f7fc050900f0f871b0ddd3a3846222bf62ab5df8eed42610a76be66fff5f7b4c4c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r (1).zip\@[email protected]

Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r (1).zip\TaskData\Tor\tor.exe

Filesize
3.0MB

MD5
fe7eb54691ad6e6af77f8a9a0b6de26d

SHA1
53912d33bec3375153b7e4e68b78d66dab62671a

SHA256
e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb

SHA512
8ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r (1).zip\b.wnry

Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r (1).zip\c.wnry

Filesize
780B

MD5
383a85eab6ecda319bfddd82416fc6c2

SHA1
2a9324e1d02c3e41582bf5370043d8afeb02ba6f

SHA256
079ce1041cbffe18ff62a2b4a33711eda40f680d0b1d3b551db47e39a6390b21

SHA512
c661e0b3c175d31b365362e52d7b152267a15d59517a4bcc493329be20b23d0e4eb62d1ba80bb96447eeaf91a6901f4b34bf173b4ab6f90d4111ea97c87c1252

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r (1).zip\msg\m_bulgarian.wnry

Filesize
46KB

MD5
95673b0f968c0f55b32204361940d184

SHA1
81e427d15a1a826b93e91c3d2fa65221c8ca9cff

SHA256
40b37e7b80cf678d7dd302aaf41b88135ade6ddf44d89bdba19cf171564444bd

SHA512
7601f1883edbb4150a9dc17084012323b3bfa66f6d19d3d0355cf82b6a1c9dce475d758da18b6d17a8b321bf6fca20915224dbaedcb3f4d16abfaf7a5fc21b92

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r (1).zip\msg\m_chinese (simplified).wnry

Filesize
53KB

MD5
0252d45ca21c8e43c9742285c48e91ad

SHA1
5c14551d2736eef3a1c1970cc492206e531703c1

SHA256
845d0e178aeebd6c7e2a2e9697b2bf6cf02028c50c288b3ba88fe2918ea2834a

SHA512
1bfcf6c0e7c977d777f12bd20ac347630999c4d99bd706b40de7ff8f2f52e02560d68093142cc93722095657807a1480ce3fb6a2e000c488550548c497998755

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r (1).zip\msg\m_chinese (traditional).wnry

Filesize
77KB

MD5
2efc3690d67cd073a9406a25005f7cea

SHA1
52c07f98870eabace6ec370b7eb562751e8067e9

SHA256
5c7f6ad1ec4bc2c8e2c9c126633215daba7de731ac8b12be10ca157417c97f3a

SHA512
0766c58e64d9cda5328e00b86f8482316e944aa2c26523a3c37289e22c34be4b70937033bebdb217f675e40db9fecdce0a0d516f9065a170e28286c2d218487c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r (1).zip\msg\m_croatian.wnry

Filesize
38KB

MD5
17194003fa70ce477326ce2f6deeb270

SHA1
e325988f68d327743926ea317abb9882f347fa73

SHA256
3f33734b2d34cce83936ce99c3494cd845f1d2c02d7f6da31d42dfc1ca15a171

SHA512
dcf4ccf0b352a8b271827b3b8e181f7d6502ca0f8c9dda3dc6e53441bb4ae6e77b49c9c947cc3ede0bf323f09140a0c068a907f3c23ea2a8495d1ad96820051c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r (1).zip\msg\m_czech.wnry

Filesize
39KB

MD5
537efeecdfa94cc421e58fd82a58ba9e

SHA1
3609456e16bc16ba447979f3aa69221290ec17d0

SHA256
5afa4753afa048c6d6c39327ce674f27f5f6e5d3f2a060b7a8aed61725481150

SHA512
e007786ffa09ccd5a24e5c6504c8de444929a2faaafad3712367c05615b7e1b0fbf7fbfff7028ed3f832ce226957390d8bf54308870e9ed597948a838da1137b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r (1).zip\msg\m_danish.wnry

Filesize
36KB

MD5
2c5a3b81d5c4715b7bea01033367fcb5

SHA1
b548b45da8463e17199daafd34c23591f94e82cd

SHA256
a75bb44284b9db8d702692f84909a7e23f21141866adf3db888042e9109a1cb6

SHA512
490c5a892fac801b853c348477b1140755d4c53ca05726ac19d3649af4285c93523393a3667e209c71c80ac06ffd809f62dd69ae65012dcb00445d032f1277b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r (1).zip\msg\m_dutch.wnry

Filesize
36KB

MD5
7a8d499407c6a647c03c4471a67eaad7

SHA1
d573b6ac8e7e04a05cbbd6b7f6a9842f371d343b

SHA256
2c95bef914da6c50d7bdedec601e589fbb4fda24c4863a7260f4f72bd025799c

SHA512
608ef3ff0a517fe1e70ff41aeb277821565c5a9bee5103aa5e45c68d4763fce507c2a34d810f4cd242d163181f8341d9a69e93fe32aded6fbc7f544c55743f12

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r (1).zip\msg\m_english.wnry

Filesize
36KB

MD5
fe68c2dc0d2419b38f44d83f2fcf232e

SHA1
6c6e49949957215aa2f3dfb72207d249adf36283

SHA256
26fd072fda6e12f8c2d3292086ef0390785efa2c556e2a88bd4673102af703e5

SHA512
941fa0a1f6a5756ed54260994db6158a7ebeb9e18b5c8ca2f6530c579bc4455918df0b38c609f501ca466b3cc067b40e4b861ad6513373b483b36338ae20a810

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r (1).zip\msg\m_filipino.wnry

Filesize
36KB

MD5
08b9e69b57e4c9b966664f8e1c27ab09

SHA1
2da1025bbbfb3cd308070765fc0893a48e5a85fa

SHA256
d8489f8c16318e524b45de8b35d7e2c3cd8ed4821c136f12f5ef3c9fc3321324

SHA512
966b5ed68be6b5ccd46e0de1fa868cfe5432d9bf82e1e2f6eb99b2aef3c92f88d96f4f4eec5e16381b9c6db80a68071e7124ca1474d664bdd77e1817ec600cb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r (1).zip\msg\m_finnish.wnry

Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r (1).zip\msg\m_french.wnry

Filesize
37KB

MD5
4e57113a6bf6b88fdd32782a4a381274

SHA1
0fccbc91f0f94453d91670c6794f71348711061d

SHA256
9bd38110e6523547aed50617ddc77d0920d408faeed2b7a21ab163fda22177bc

SHA512
4f1918a12269c654d44e9d394bc209ef0bc32242be8833a2fba437b879125177e149f56f2fb0c302330dec328139b34982c04b3fefb045612b6cc9f83ec85aa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r (1).zip\msg\m_german.wnry

Filesize
36KB

MD5
3d59bbb5553fe03a89f817819540f469

SHA1
26781d4b06ff704800b463d0f1fca3afd923a9fe

SHA256
2adc900fafa9938d85ce53cb793271f37af40cf499bcc454f44975db533f0b61

SHA512
95719ae80589f71209bb3cb953276538040e7111b994d757b0a24283aefe27aadbbe9eef3f1f823ce4cabc1090946d4a2a558607ac6cac6faca5971529b34dac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r (1).zip\msg\m_greek.wnry

Filesize
47KB

MD5
fb4e8718fea95bb7479727fde80cb424

SHA1
1088c7653cba385fe994e9ae34a6595898f20aeb

SHA256
e13cc9b13aa5074dc45d50379eceb17ee39a0c2531ab617d93800fe236758ca9

SHA512
24db377af1569e4e2b2ebccec42564cea95a30f1ff43bcaf25a692f99567e027bcef4aacef008ec5f64ea2eef0c04be88d2b30bcadabb3919b5f45a6633940cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r (1).zip\msg\m_indonesian.wnry

Filesize
36KB

MD5
3788f91c694dfc48e12417ce93356b0f

SHA1
eb3b87f7f654b604daf3484da9e02ca6c4ea98b7

SHA256
23e5e738aad10fb8ef89aa0285269aff728070080158fd3e7792fe9ed47c51f4

SHA512
b7dd9e6dc7c2d023ff958caf132f0544c76fae3b2d8e49753257676cc541735807b4befdf483bcae94c2dcde3c878c783b4a89dca0fecbc78f5bbf7c356f35cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r (1).zip\msg\m_italian.wnry

Filesize
36KB

MD5
30a200f78498990095b36f574b6e8690

SHA1
c4b1b3c087bd12b063e98bca464cd05f3f7b7882

SHA256
49f2c739e7d9745c0834dc817a71bf6676ccc24a4c28dcddf8844093aab3df07

SHA512
c0da2aae82c397f6943a0a7b838f60eeef8f57192c5f498f2ecf05db824cfeb6d6ca830bf3715da7ee400aa8362bd64dc835298f3f0085ae7a744e6e6c690511

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r (1).zip\msg\m_japanese.wnry

Filesize
79KB

MD5
b77e1221f7ecd0b5d696cb66cda1609e

SHA1
51eb7a254a33d05edf188ded653005dc82de8a46

SHA256
7e491e7b48d6e34f916624c1cda9f024e86fcbec56acda35e27fa99d530d017e

SHA512
f435fd67954787e6b87460db026759410fbd25b2f6ea758118749c113a50192446861a114358443a129be817020b50f21d27b1ebd3d22c7be62082e8b45223fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r (1).zip\msg\m_korean.wnry

Filesize
89KB

MD5
6735cb43fe44832b061eeb3f5956b099

SHA1
d636daf64d524f81367ea92fdafa3726c909bee1

SHA256
552aa0f82f37c9601114974228d4fc54f7434fe3ae7a276ef1ae98a0f608f1d0

SHA512
60272801909dbba21578b22c49f6b0ba8cd0070f116476ff35b3ac8347b987790e4cc0334724244c4b13415a246e77a577230029e4561ae6f04a598c3f536c7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r (1).zip\msg\m_latvian.wnry

Filesize
40KB

MD5
c33afb4ecc04ee1bcc6975bea49abe40

SHA1
fbea4f170507cde02b839527ef50b7ec74b4821f

SHA256
a0356696877f2d94d645ae2df6ce6b370bd5c0d6db3d36def44e714525de0536

SHA512
0d435f0836f61a5ff55b78c02fa47b191e5807a79d8a6e991f3115743df2141b3db42ba8bdad9ad259e12f5800828e9e72d7c94a6a5259312a447d669b03ec44

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r (1).zip\msg\m_norwegian.wnry

Filesize
36KB

MD5
ff70cc7c00951084175d12128ce02399

SHA1
75ad3b1ad4fb14813882d88e952208c648f1fd18

SHA256
cb5da96b3dfcf4394713623dbf3831b2a0b8be63987f563e1c32edeb74cb6c3a

SHA512
f01df3256d49325e5ec49fd265aa3f176020c8ffec60eb1d828c75a3fa18ff8634e1de824d77dfdd833768acff1f547303104620c70066a2708654a07ef22e19

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 136366.crdownload

Filesize
223KB

MD5
65352137c12fa2cd687210fc850161f9

SHA1
78473ba72c82005e6b0577847b90ff8c2b5d301f

SHA256
f66acc85b3d75c93672f70b8ccf5348daa101945d71eac58f5788ed57cfed9fc

SHA512
72829e528cf91536b118421a8a68587c8c0b1aaf9e3900a2fc261e6bad965fb050fbc433197d0b9b5a199419255a20d6be0296213495b7acaf05435127529f53

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 741589.crdownload

Filesize
393KB

MD5
61da9939db42e2c3007ece3f163e2d06

SHA1
4bd7e9098de61adecc1bdbd1a01490994d1905fb

SHA256
ea8ccb8b5ec36195af831001b3cc46caedfc61a6194e2568901e7685c57ceefa

SHA512
14d0bc14a10e5bd8022e7ab4a80f98600f84754c2c80e22a8e3d9f9555dde5bad056d925576b29fc1a37e73c6ebca693687b47317a469a7dfdc4ab0f3d97a63e

Download Submit
memory/4016-1611-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/5640-3081-0x0000000073780000-0x000000007399C000-memory.dmp

Filesize
2.1MB

Download
memory/5640-3044-0x0000000073780000-0x000000007399C000-memory.dmp

Filesize
2.1MB

Download
memory/5640-3042-0x00000000739C0000-0x0000000073A42000-memory.dmp

Filesize
520KB

Download
memory/5640-3031-0x0000000000660000-0x000000000095E000-memory.dmp

Filesize
3.0MB

Download
memory/5640-3063-0x0000000073780000-0x000000007399C000-memory.dmp

Filesize
2.1MB

Download
memory/5640-3060-0x0000000000660000-0x000000000095E000-memory.dmp

Filesize
3.0MB

Download
memory/5640-3067-0x0000000000660000-0x000000000095E000-memory.dmp

Filesize
3.0MB

Download
memory/5640-3078-0x0000000000660000-0x000000000095E000-memory.dmp

Filesize
3.0MB

Download
memory/5640-3041-0x0000000000660000-0x000000000095E000-memory.dmp

Filesize
3.0MB

Download
memory/5640-3107-0x0000000000660000-0x000000000095E000-memory.dmp

Filesize
3.0MB

Download
memory/5640-3118-0x0000000000660000-0x000000000095E000-memory.dmp

Filesize
3.0MB

Download
memory/5640-3043-0x00000000739A0000-0x00000000739BC000-memory.dmp

Filesize
112KB

Download
memory/5640-3028-0x0000000073780000-0x000000007399C000-memory.dmp

Filesize
2.1MB

Download
memory/5640-3152-0x0000000000660000-0x000000000095E000-memory.dmp

Filesize
3.0MB

Download
memory/5640-3155-0x0000000073780000-0x000000007399C000-memory.dmp

Filesize
2.1MB

Download
memory/5640-3161-0x0000000000660000-0x000000000095E000-memory.dmp

Filesize
3.0MB

Download
memory/5640-3029-0x00000000736C0000-0x0000000073742000-memory.dmp

Filesize
520KB

Download
memory/5640-3030-0x0000000073750000-0x0000000073772000-memory.dmp

Filesize
136KB

Download
memory/5640-3027-0x00000000739C0000-0x0000000073A42000-memory.dmp

Filesize
520KB

Download
memory/5640-3045-0x0000000073750000-0x0000000073772000-memory.dmp

Filesize
136KB

Download
memory/5640-3046-0x0000000073640000-0x00000000736B7000-memory.dmp

Filesize
476KB

Download
memory/5640-3047-0x00000000736C0000-0x0000000073742000-memory.dmp

Filesize
520KB

Download