wannacry | dd20448ad589cfb83ddb1643f548033a0fefe59ebca479424917e415e946fead

Analysis

max time kernel
273s
max time network
277s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02-08-2024 23:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

IY35VO.html
Size

15KB
MD5

8d27924e4af22ab10b19f58e971b09ff
SHA1

a67a8e66ebff33ba66ebca7a227b254557728313
SHA256

dd20448ad589cfb83ddb1643f548033a0fefe59ebca479424917e415e946fead
SHA512

923576493b7428618f0b1d49dfca77754407d751a008051358cc15883dc38866deeda857310dcdd2506d084a4c74310708610e24bde9418fc2ae307b1d1efda5
SSDEEP

192:PNxyShvK9moqTJkNrv23kgMWDLO/u+HF04JfaS5r2Ygc79S1oymN:yShi9boJkNz9W2DiNVcA0N

Score

10^/10

wannacry defense_evasion discovery execution impact persistence ransomware worm

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94 Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Downloads MZ/PE file

Drops startup file 2 IoCs

Processes:

WannaCry.EXE

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD225A.tmp	WannaCry.EXE
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD2261.tmp	WannaCry.EXE

Executes dropped EXE 22 IoCs

Processes:

CryptoFileLight.exeCryptoFileLight.exetaskdl.exe@[email protected]@[email protected]taskhsvc.exetaskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exe@[email protected]taskse.exe@[email protected]taskdl.exe

pid	process
508	CryptoFileLight.exe
5012	CryptoFileLight.exe
3392	taskdl.exe
1240	@[email protected]
4832	@[email protected]
3012	taskhsvc.exe
2844	taskdl.exe
4732	taskse.exe
1988	@[email protected]
3224	taskdl.exe
1436	taskse.exe
1288	@[email protected]
3576	taskse.exe
436	@[email protected]
4636	taskdl.exe
3912	taskse.exe
4856	@[email protected]
3476	taskdl.exe
4592	@[email protected]
2340	taskse.exe
4504	@[email protected]
4044	taskdl.exe

Loads dropped DLL 7 IoCs

Processes:

taskhsvc.exe

pid process

3012 taskhsvc.exe
3012 taskhsvc.exe
3012 taskhsvc.exe
3012 taskhsvc.exe
3012 taskhsvc.exe
3012 taskhsvc.exe
3012 taskhsvc.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

4764 icacls.exe

pid	process
3012	taskhsvc.exe
3012	taskhsvc.exe
3012	taskhsvc.exe
3012	taskhsvc.exe
3012	taskhsvc.exe
3012	taskhsvc.exe
3012	taskhsvc.exe

pid	process
4764	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\cmkaqiluwluphj236 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Temp1_WannaCry-main.zip\\WannaCry-main\\tasksche.exe\""	reg.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

103 camo.githubusercontent.com
104 camo.githubusercontent.com
105 raw.githubusercontent.com

flow	ioc
103	camo.githubusercontent.com
104	camo.githubusercontent.com
105	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 3 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

WannaCry.EXE@[email protected]@[email protected]

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	WannaCry.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]

Drops file in Windows directory 1 IoCs

Processes:

mspaint.exe

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log mspaint.exe
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

System Location Discovery: System Language Discovery 1 TTPs 31 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

taskdl.exe@[email protected]taskse.execscript.exe@[email protected]@[email protected]cmd.exetaskse.exetaskdl.exeWannaCry.EXEattrib.exetaskse.exe@[email protected]@[email protected]@[email protected]taskdl.exetaskdl.execmd.exeWMIC.exetaskdl.exereg.exeattrib.exetaskse.exeicacls.exetaskhsvc.exe@[email protected]cmd.exe@[email protected]taskdl.execmd.exetaskse.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exeWINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 64 IoCs

Processes:

CryptoFileLight.exeCryptoFileLight.exeOpenWith.exemsedge.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	CryptoFileLight.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	CryptoFileLight.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	CryptoFileLight.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"	CryptoFileLight.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"	CryptoFileLight.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	CryptoFileLight.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{24CCB8A6-C45A-477D-B940-3382B9225668}	CryptoFileLight.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	CryptoFileLight.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	CryptoFileLight.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	CryptoFileLight.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	CryptoFileLight.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	CryptoFileLight.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	CryptoFileLight.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{24CCB8A6-C45A-477D-B940-3382B9225668}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	CryptoFileLight.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	CryptoFileLight.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff	CryptoFileLight.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f80cb859f6720028040b29b5540cc05aab60000	CryptoFileLight.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2392887640-1187051047-2909758433-1000\{62136478-4686-4263-8AAA-033F46628E57}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	CryptoFileLight.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	CryptoFileLight.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "2"	CryptoFileLight.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	CryptoFileLight.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	CryptoFileLight.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	CryptoFileLight.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	CryptoFileLight.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	CryptoFileLight.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257"	CryptoFileLight.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	CryptoFileLight.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	CryptoFileLight.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{24CCB8A6-C45A-477D-B940-3382B9225668}\FFlags = "1"	CryptoFileLight.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupByKey:PID = "2"	CryptoFileLight.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff	CryptoFileLight.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"	CryptoFileLight.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	CryptoFileLight.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	CryptoFileLight.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	CryptoFileLight.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{24CCB8A6-C45A-477D-B940-3382B9225668}\Mode = "6"	CryptoFileLight.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	CryptoFileLight.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000	CryptoFileLight.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	CryptoFileLight.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	CryptoFileLight.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	CryptoFileLight.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{24CCB8A6-C45A-477D-B940-3382B9225668}\LogicalViewMode = "2"	CryptoFileLight.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	CryptoFileLight.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	CryptoFileLight.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{24CCB8A6-C45A-477D-B940-3382B9225668}\Sort = 0000000000000000000000000000000002000000f4eec83032a8e241ab32e3c3ca28fd29030000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	CryptoFileLight.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	CryptoFileLight.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	CryptoFileLight.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	CryptoFileLight.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	CryptoFileLight.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	CryptoFileLight.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupByKey:FMTID = "{30C8EEF4-A832-41E2-AB32-E3C3CA28FD29}"	CryptoFileLight.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	CryptoFileLight.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = ffffffff	CryptoFileLight.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	CryptoFileLight.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	CryptoFileLight.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	CryptoFileLight.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	CryptoFileLight.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	CryptoFileLight.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\NodeSlot = "3"	CryptoFileLight.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	CryptoFileLight.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	CryptoFileLight.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{24CCB8A6-C45A-477D-B940-3382B9225668}\IconSize = "48"	CryptoFileLight.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

4592 reg.exe
NTFS ADS 1 IoCs

Processes:

msedge.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\Unconfirmed 487261.crdownload:SmartScreen msedge.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

1588 NOTEPAD.EXE
Suspicious behavior: AddClipboardFormatListener 4 IoCs

Processes:

WINWORD.EXEvlc.exevlc.exe

pid process

2724 WINWORD.EXE
2724 WINWORD.EXE
2828 vlc.exe
1872 vlc.exe

pid	process
4592	reg.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 487261.crdownload:SmartScreen	msedge.exe

pid	process
1588	NOTEPAD.EXE

pid	process
2724	WINWORD.EXE
2724	WINWORD.EXE
2828	vlc.exe
1872	vlc.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exetaskhsvc.exemsedge.exemspaint.exe

pid	process
4252	msedge.exe
4252	msedge.exe
4752	msedge.exe
4752	msedge.exe
1312	identity_helper.exe
1312	identity_helper.exe
3184	msedge.exe
3184	msedge.exe
2320	msedge.exe
2320	msedge.exe
404	msedge.exe
404	msedge.exe
3012	taskhsvc.exe
3012	taskhsvc.exe
3012	taskhsvc.exe
3012	taskhsvc.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
3012	taskhsvc.exe
3012	taskhsvc.exe
4656	mspaint.exe
4656	mspaint.exe

Suspicious behavior: GetForegroundWindowSpam 4 IoCs

Processes:

CryptoFileLight.exevlc.exevlc.exe@[email protected]

pid process

508 CryptoFileLight.exe
2828 vlc.exe
1872 vlc.exe
1988 @[email protected]

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 31 IoCs

Processes:

msedge.exe

pid	process
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe

Suspicious use of AdjustPrivilegeToken 55 IoCs

Processes:

WMIC.exevssvc.exetaskse.exetaskse.exetaskse.exetaskse.exetaskse.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	3828	WMIC.exe
Token: SeSecurityPrivilege	3828	WMIC.exe
Token: SeTakeOwnershipPrivilege	3828	WMIC.exe
Token: SeLoadDriverPrivilege	3828	WMIC.exe
Token: SeSystemProfilePrivilege	3828	WMIC.exe
Token: SeSystemtimePrivilege	3828	WMIC.exe
Token: SeProfSingleProcessPrivilege	3828	WMIC.exe
Token: SeIncBasePriorityPrivilege	3828	WMIC.exe
Token: SeCreatePagefilePrivilege	3828	WMIC.exe
Token: SeBackupPrivilege	3828	WMIC.exe
Token: SeRestorePrivilege	3828	WMIC.exe
Token: SeShutdownPrivilege	3828	WMIC.exe
Token: SeDebugPrivilege	3828	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3828	WMIC.exe
Token: SeRemoteShutdownPrivilege	3828	WMIC.exe
Token: SeUndockPrivilege	3828	WMIC.exe
Token: SeManageVolumePrivilege	3828	WMIC.exe
Token: 33	3828	WMIC.exe
Token: 34	3828	WMIC.exe
Token: 35	3828	WMIC.exe
Token: 36	3828	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3828	WMIC.exe
Token: SeSecurityPrivilege	3828	WMIC.exe
Token: SeTakeOwnershipPrivilege	3828	WMIC.exe
Token: SeLoadDriverPrivilege	3828	WMIC.exe
Token: SeSystemProfilePrivilege	3828	WMIC.exe
Token: SeSystemtimePrivilege	3828	WMIC.exe
Token: SeProfSingleProcessPrivilege	3828	WMIC.exe
Token: SeIncBasePriorityPrivilege	3828	WMIC.exe
Token: SeCreatePagefilePrivilege	3828	WMIC.exe
Token: SeBackupPrivilege	3828	WMIC.exe
Token: SeRestorePrivilege	3828	WMIC.exe
Token: SeShutdownPrivilege	3828	WMIC.exe
Token: SeDebugPrivilege	3828	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3828	WMIC.exe
Token: SeRemoteShutdownPrivilege	3828	WMIC.exe
Token: SeUndockPrivilege	3828	WMIC.exe
Token: SeManageVolumePrivilege	3828	WMIC.exe
Token: 33	3828	WMIC.exe
Token: 34	3828	WMIC.exe
Token: 35	3828	WMIC.exe
Token: 36	3828	WMIC.exe
Token: SeBackupPrivilege	1160	vssvc.exe
Token: SeRestorePrivilege	1160	vssvc.exe
Token: SeAuditPrivilege	1160	vssvc.exe
Token: SeTcbPrivilege	4732	taskse.exe
Token: SeTcbPrivilege	4732	taskse.exe
Token: SeTcbPrivilege	1436	taskse.exe
Token: SeTcbPrivilege	1436	taskse.exe
Token: SeTcbPrivilege	3576	taskse.exe
Token: SeTcbPrivilege	3576	taskse.exe
Token: SeTcbPrivilege	3912	taskse.exe
Token: SeTcbPrivilege	3912	taskse.exe
Token: SeTcbPrivilege	2340	taskse.exe
Token: SeTcbPrivilege	2340	taskse.exe

Suspicious use of FindShellTrayWindow 63 IoCs

Processes:

msedge.exevlc.exevlc.exe

pid	process
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
2828	vlc.exe
2828	vlc.exe
2828	vlc.exe
1872	vlc.exe
1872	vlc.exe
1872	vlc.exe
1872	vlc.exe
2828	vlc.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe

Suspicious use of SendNotifyMessage 38 IoCs

Processes:

msedge.exevlc.exevlc.exe

pid	process
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
2828	vlc.exe
2828	vlc.exe
1872	vlc.exe
1872	vlc.exe
1872	vlc.exe
2828	vlc.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe
4752	msedge.exe

Suspicious use of SetWindowsHookEx 30 IoCs

Processes:

CryptoFileLight.exeCryptoFileLight.exe@[email protected]@[email protected]WINWORD.EXE@[email protected]vlc.exevlc.exeOpenWith.exemspaint.exe@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]

pid	process
508	CryptoFileLight.exe
508	CryptoFileLight.exe
508	CryptoFileLight.exe
5012	CryptoFileLight.exe
1240	@[email protected]
1240	@[email protected]
4832	@[email protected]
4832	@[email protected]
2724	WINWORD.EXE
2724	WINWORD.EXE
2724	WINWORD.EXE
2724	WINWORD.EXE
2724	WINWORD.EXE
2724	WINWORD.EXE
2724	WINWORD.EXE
1988	@[email protected]
1988	@[email protected]
2828	vlc.exe
1872	vlc.exe
3996	OpenWith.exe
4656	mspaint.exe
4656	mspaint.exe
4656	mspaint.exe
4656	mspaint.exe
1288	@[email protected]
436	@[email protected]
4856	@[email protected]
4592	@[email protected]
4592	@[email protected]
4504	@[email protected]

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 4752 wrote to memory of 1896	4752	msedge.exe	msedge.exe
PID 4752 wrote to memory of 1896	4752	msedge.exe	msedge.exe
PID 4752 wrote to memory of 4976	4752	msedge.exe	msedge.exe
PID 4752 wrote to memory of 4976	4752	msedge.exe	msedge.exe
PID 4752 wrote to memory of 4976	4752	msedge.exe	msedge.exe
PID 4752 wrote to memory of 4976	4752	msedge.exe	msedge.exe
PID 4752 wrote to memory of 4976	4752	msedge.exe	msedge.exe
PID 4752 wrote to memory of 4976	4752	msedge.exe	msedge.exe
PID 4752 wrote to memory of 4976	4752	msedge.exe	msedge.exe
PID 4752 wrote to memory of 4976	4752	msedge.exe	msedge.exe
PID 4752 wrote to memory of 4976	4752	msedge.exe	msedge.exe
PID 4752 wrote to memory of 4976	4752	msedge.exe	msedge.exe
PID 4752 wrote to memory of 4976	4752	msedge.exe	msedge.exe
PID 4752 wrote to memory of 4976	4752	msedge.exe	msedge.exe
PID 4752 wrote to memory of 4976	4752	msedge.exe	msedge.exe
PID 4752 wrote to memory of 4976	4752	msedge.exe	msedge.exe
PID 4752 wrote to memory of 4976	4752	msedge.exe	msedge.exe
PID 4752 wrote to memory of 4976	4752	msedge.exe	msedge.exe
PID 4752 wrote to memory of 4976	4752	msedge.exe	msedge.exe
PID 4752 wrote to memory of 4976	4752	msedge.exe	msedge.exe
PID 4752 wrote to memory of 4976	4752	msedge.exe	msedge.exe
PID 4752 wrote to memory of 4976	4752	msedge.exe	msedge.exe
PID 4752 wrote to memory of 4976	4752	msedge.exe	msedge.exe
PID 4752 wrote to memory of 4976	4752	msedge.exe	msedge.exe
PID 4752 wrote to memory of 4976	4752	msedge.exe	msedge.exe
PID 4752 wrote to memory of 4976	4752	msedge.exe	msedge.exe
PID 4752 wrote to memory of 4976	4752	msedge.exe	msedge.exe
PID 4752 wrote to memory of 4976	4752	msedge.exe	msedge.exe
PID 4752 wrote to memory of 4976	4752	msedge.exe	msedge.exe
PID 4752 wrote to memory of 4976	4752	msedge.exe	msedge.exe
PID 4752 wrote to memory of 4976	4752	msedge.exe	msedge.exe
PID 4752 wrote to memory of 4976	4752	msedge.exe	msedge.exe
PID 4752 wrote to memory of 4976	4752	msedge.exe	msedge.exe
PID 4752 wrote to memory of 4976	4752	msedge.exe	msedge.exe
PID 4752 wrote to memory of 4976	4752	msedge.exe	msedge.exe
PID 4752 wrote to memory of 4976	4752	msedge.exe	msedge.exe
PID 4752 wrote to memory of 4976	4752	msedge.exe	msedge.exe
PID 4752 wrote to memory of 4976	4752	msedge.exe	msedge.exe
PID 4752 wrote to memory of 4976	4752	msedge.exe	msedge.exe
PID 4752 wrote to memory of 4976	4752	msedge.exe	msedge.exe
PID 4752 wrote to memory of 4976	4752	msedge.exe	msedge.exe
PID 4752 wrote to memory of 4976	4752	msedge.exe	msedge.exe
PID 4752 wrote to memory of 4252	4752	msedge.exe	msedge.exe
PID 4752 wrote to memory of 4252	4752	msedge.exe	msedge.exe
PID 4752 wrote to memory of 2204	4752	msedge.exe	msedge.exe
PID 4752 wrote to memory of 2204	4752	msedge.exe	msedge.exe
PID 4752 wrote to memory of 2204	4752	msedge.exe	msedge.exe
PID 4752 wrote to memory of 2204	4752	msedge.exe	msedge.exe
PID 4752 wrote to memory of 2204	4752	msedge.exe	msedge.exe
PID 4752 wrote to memory of 2204	4752	msedge.exe	msedge.exe
PID 4752 wrote to memory of 2204	4752	msedge.exe	msedge.exe
PID 4752 wrote to memory of 2204	4752	msedge.exe	msedge.exe
PID 4752 wrote to memory of 2204	4752	msedge.exe	msedge.exe
PID 4752 wrote to memory of 2204	4752	msedge.exe	msedge.exe
PID 4752 wrote to memory of 2204	4752	msedge.exe	msedge.exe
PID 4752 wrote to memory of 2204	4752	msedge.exe	msedge.exe
PID 4752 wrote to memory of 2204	4752	msedge.exe	msedge.exe
PID 4752 wrote to memory of 2204	4752	msedge.exe	msedge.exe
PID 4752 wrote to memory of 2204	4752	msedge.exe	msedge.exe
PID 4752 wrote to memory of 2204	4752	msedge.exe	msedge.exe
PID 4752 wrote to memory of 2204	4752	msedge.exe	msedge.exe
PID 4752 wrote to memory of 2204	4752	msedge.exe	msedge.exe
PID 4752 wrote to memory of 2204	4752	msedge.exe	msedge.exe
PID 4752 wrote to memory of 2204	4752	msedge.exe	msedge.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

2252 attrib.exe
1696 attrib.exe

pid	process
2252	attrib.exe
1696	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\IY35VO.html
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4752

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8e44346f8,0x7ff8e4434708,0x7ff8e4434718
2⤵
PID:1896

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,15805490827998775992,2569117254395347282,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2
2⤵
PID:4976

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2172,15805490827998775992,2569117254395347282,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4252

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2172,15805490827998775992,2569117254395347282,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2832 /prefetch:8
2⤵
PID:2204

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,15805490827998775992,2569117254395347282,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
2⤵
PID:1380

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,15805490827998775992,2569117254395347282,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
2⤵
PID:1500

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,15805490827998775992,2569117254395347282,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5184 /prefetch:8
2⤵
PID:1276

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,15805490827998775992,2569117254395347282,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5184 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1312

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,15805490827998775992,2569117254395347282,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1
2⤵
PID:2740

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,15805490827998775992,2569117254395347282,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:1
2⤵
PID:116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2172,15805490827998775992,2569117254395347282,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5288 /prefetch:8
2⤵
PID:1504

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2172,15805490827998775992,2569117254395347282,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5412 /prefetch:8
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3184

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,15805490827998775992,2569117254395347282,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
2⤵
PID:4080

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,15805490827998775992,2569117254395347282,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3880 /prefetch:1
2⤵
PID:1660

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,15805490827998775992,2569117254395347282,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5736 /prefetch:1
2⤵
PID:3860

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,15805490827998775992,2569117254395347282,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5468 /prefetch:1
2⤵
PID:1224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,15805490827998775992,2569117254395347282,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4752 /prefetch:1
2⤵
PID:2372

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,15805490827998775992,2569117254395347282,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5992 /prefetch:1
2⤵
PID:2200

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,15805490827998775992,2569117254395347282,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:1
2⤵
PID:2296

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,15805490827998775992,2569117254395347282,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
2⤵
PID:2240

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,15805490827998775992,2569117254395347282,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:1
2⤵
PID:532

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,15805490827998775992,2569117254395347282,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5740 /prefetch:1
2⤵
PID:4432

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,15805490827998775992,2569117254395347282,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6176 /prefetch:1
2⤵
PID:3548

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2172,15805490827998775992,2569117254395347282,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6748 /prefetch:8
2⤵
PID:4936

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,15805490827998775992,2569117254395347282,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6804 /prefetch:1
2⤵
PID:1512

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,15805490827998775992,2569117254395347282,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1808 /prefetch:1
2⤵
PID:1696

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,15805490827998775992,2569117254395347282,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5824 /prefetch:1
2⤵
PID:1296

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,15805490827998775992,2569117254395347282,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5968 /prefetch:1
2⤵
PID:2096

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,15805490827998775992,2569117254395347282,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6032 /prefetch:1
2⤵
PID:4652

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,15805490827998775992,2569117254395347282,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6104 /prefetch:1
2⤵
PID:4440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,15805490827998775992,2569117254395347282,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6556 /prefetch:1
2⤵
PID:1912

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,15805490827998775992,2569117254395347282,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6012 /prefetch:1
2⤵
PID:2176

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2172,15805490827998775992,2569117254395347282,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6024 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2320

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2172,15805490827998775992,2569117254395347282,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5728 /prefetch:8
2⤵
PID:4880

C:\Users\Admin\Downloads\CryptoFileLight.exe
"C:\Users\Admin\Downloads\CryptoFileLight.exe"
2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:508

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,15805490827998775992,2569117254395347282,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6432 /prefetch:1
2⤵
PID:216

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,15805490827998775992,2569117254395347282,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6816 /prefetch:1
2⤵
PID:3608

C:\Users\Admin\Downloads\CryptoFileLight.exe
"C:\Users\Admin\Downloads\CryptoFileLight.exe"
2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,15805490827998775992,2569117254395347282,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5896 /prefetch:1
2⤵
PID:1304

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,15805490827998775992,2569117254395347282,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6556 /prefetch:1
2⤵
PID:3100

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,15805490827998775992,2569117254395347282,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7356 /prefetch:1
2⤵
PID:532

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,15805490827998775992,2569117254395347282,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5804 /prefetch:1
2⤵
PID:1096

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2172,15805490827998775992,2569117254395347282,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7548 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:404

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,15805490827998775992,2569117254395347282,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6180 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1688

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,15805490827998775992,2569117254395347282,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2636 /prefetch:1
2⤵
PID:4428

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,15805490827998775992,2569117254395347282,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5964 /prefetch:1
2⤵
PID:2252

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1888

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4344

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3396

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\WannaCry.EXE
"C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\WannaCry.EXE"
1⤵
- Drops startup file
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
PID:1648

C:\Windows\SysWOW64\attrib.exe
attrib +h .
2⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:2252

C:\Windows\SysWOW64\icacls.exe
icacls . /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:4764

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 129501722639741.bat
2⤵
- System Location Discovery: System Language Discovery
PID:4268

C:\Windows\SysWOW64\cscript.exe
cscript.exe //nologo m.vbs
3⤵
- System Location Discovery: System Language Discovery
PID:3052

C:\Windows\SysWOW64\attrib.exe
attrib +h +s F:\$RECYCLE
2⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:1696

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\@[email protected]
@[email protected] co
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1240

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\TaskData\Tor\taskhsvc.exe
TaskData\Tor\taskhsvc.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3012

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /b @[email protected] vs
2⤵
- System Location Discovery: System Language Discovery
PID:3756

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\@[email protected]
@[email protected] vs
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4832

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
4⤵
- System Location Discovery: System Language Discovery
PID:3756

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3828

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2844

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\@[email protected]
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4732

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1988

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "cmkaqiluwluphj236" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\tasksche.exe\"" /f
2⤵
- System Location Discovery: System Language Discovery
PID:3584

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "cmkaqiluwluphj236" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\tasksche.exe\"" /f
3⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:4592

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3224

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\@[email protected]
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1436

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1288

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\@[email protected]
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3576

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:436

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4636

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\@[email protected]
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3912

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4856

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3476

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\@[email protected]
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2340

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4504

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4044

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1160

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\UnblockRestart.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2724

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2828

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\AssertTrace.mpg"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1872

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\InitializeRevoke.ps1xml
1⤵
- Opens file in notepad (likely ransom note)
PID:1588

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3996

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\RenameNew.ico"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4656

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:1092

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\a553a0fd35cc424ea1b0c9f37a0dd0a5 /t 3192 /p 1988
1⤵
PID:4068

C:\Users\Admin\Desktop\@[email protected]
"C:\Users\Admin\Desktop\@[email protected]"
1⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4592

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/search?q=how+to+buy+bitcoin
2⤵
PID:3576

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff8e44346f8,0x7ff8e4434708,0x7ff8e4434718
3⤵
PID:424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\@[email protected]

Filesize
1KB

MD5
ef3ac55322160fbddee8b1a6b0c7564c

SHA1
43a1569f83872a280c3402fdbf639ab15371f63d

SHA256
776d0b0dc61dbeb0601ea5172ea44daeee2a6d6b1d1a0d070ca1c464dd68203d

SHA512
a9e9ed7be34ba4d94fddfa0e1fa121be508e845d0b8bd0773466531cc745bc6c80fe72d24e9028f8849eed3307546251d521eb2366961bc62e25357896a74c3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
eeaa8087eba2f63f31e599f6a7b46ef4

SHA1
f639519deee0766a39cfe258d2ac48e3a9d5ac03

SHA256
50fe80c9435f601c30517d10f6a8a0ca6ff8ca2add7584df377371b5a5dbe2d9

SHA512
eaabfad92c84f422267615c55a863af12823c5e791bdcb30cabe17f72025e07df7383cf6cf0f08e28aa18a31c2aac5985cf5281a403e22fbcc1fb5e61c49fc3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b9569e123772ae290f9bac07e0d31748

SHA1
5806ed9b301d4178a959b26d7b7ccf2c0abc6741

SHA256
20ab88e23fb88186b82047cd0d6dc3cfa23422e4fd2b8f3c8437546a2a842c2b

SHA512
cfad8ce716ac815b37e8cc0e30141bfb3ca7f0d4ef101289bddcf6ed3c579bc34d369f2ec2f2dab98707843015633988eb97f1e911728031dd897750b8587795

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\2072727a-81da-4b18-890a-c7b89e3e4a37.tmp

Filesize
8KB

MD5
e2ab127c0573131227810e54b0bfa897

SHA1
1d2214be19641e1488c7dd65de340038b1c546a3

SHA256
a49ee9d363360cb2cb8066ad6046eeba6e533213a24c645da17c5948fc965b22

SHA512
4911ef72780e7693d999484967b6c61509d368b3f0033bb964669550877580ea5573d3fdbf6cd420148cdf2975cfbc2c4edff8a02c9c705f4bd34290f6d84860

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
64KB

MD5
d6b36c7d4b06f140f860ddc91a4c659c

SHA1
ccf16571637b8d3e4c9423688c5bd06167bfb9e9

SHA256
34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

SHA512
2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
67KB

MD5
1d9097f6fd8365c7ed19f621246587eb

SHA1
937676f80fd908adc63adb3deb7d0bf4b64ad30e

SHA256
a9dc0d556e1592de2aeef8eed47d099481cfb7f37ea3bf1736df764704f39ddf

SHA512
251bf8a2baf71cde89873b26ee77fe89586daf2a2a913bd8383b1b4eca391fdd28aea6396de3fdff029c6d188bf9bb5f169954e5445da2933664e70acd79f4e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
41KB

MD5
ed3c7f5755bf251bd20441f4dc65f5bf

SHA1
3919a57831d103837e0cc158182ac10b903942c5

SHA256
55cbb893756192704a23a400bf8f874e29c0feee435f8831af9cbe975d0ef85d

SHA512
c79460ded439678b6ebf2def675cbc5f15068b9ea4b19263439c3cca4fa1083dc278149cde85f551cd2ffc2c77fd1dc193200c683fc1c3cdac254e533df84f06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
63KB

MD5
710d7637cc7e21b62fd3efe6aba1fd27

SHA1
8645d6b137064c7b38e10c736724e17787db6cf3

SHA256
c0997474b99524325dfedb5c020436e7ea9f9c9a1a759ed6daf7bdd4890bdc2b

SHA512
19aa77bed3c441228789cf8f931ca6194cc8d4bc7bb85d892faf5eaeda67d22c8c3b066f8ceda8169177da95a1fe111bd3436ceeaf4c784bd2bf96617f4d0c44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
88KB

MD5
b38fbbd0b5c8e8b4452b33d6f85df7dc

SHA1
386ba241790252df01a6a028b3238de2f995a559

SHA256
b18b9eb934a5b3b81b16c66ec3ec8e8fecdb3d43550ce050eb2523aabc08b9cd

SHA512
546ca9fb302bf28e3a178e798dd6b80c91cba71d0467257b8ed42e4f845aa6ecb858f718aac1e0865b791d4ecf41f1239081847c75c6fb3e9afd242d3704ad16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
1.2MB

MD5
027a77a637cb439865b2008d68867e99

SHA1
ba448ff5be0d69dbe0889237693371f4f0a2425e

SHA256
6f0e8c5ae26abbae3efc6ca213cacaaebd19bf2c7ed88495289a8f40428803dd

SHA512
66f8fbdd68de925148228fe1368d78aa8efa5695a2b4f70ab21a0a4eb2e6e9f0f54ed57708bd9200c2bbe431b9d09e5ca08c3f29a4347aeb65b090790652b5c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000011

Filesize
65KB

MD5
d93f5aec28f3e9917240858e83d83080

SHA1
2386fad06825205b67d071dc765a3ed453e07bc3

SHA256
7ff9513f2abfa421f6a0a70d918db91200290c2eecc06d5ace11794f528e9412

SHA512
2329809f44ecb81e3e019954fb83fecfebc8aa1e882430cc6a7a66c3693a3517417649dae937f500fe62397df6f2e555f731a7e9a340fadb9f462d5d4bb8aa89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000015

Filesize
93KB

MD5
51ae200253c6a2a0d0a3e1e02c980cb4

SHA1
a0bf83264e2a11a1df2e250087169c03cc936995

SHA256
12ee3e4578063d1bfa45f2f3bce69f8f793ae7f2be65d83ac0d23d701568c4b9

SHA512
b0c7267fe6e27f334972ab76be869ec6104a7871919ed0006843cc610a5a801c1596ff7593841755480027713391c0913d12b282bd20c811a82c6b5ce5a665d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000016

Filesize
17KB

MD5
dd638bed934416fb787aab4a7502ff3c

SHA1
25b37648f6c7ac9f2c83b513a0d12eb62308a920

SHA256
ad588aea02d9cff981acae85a608830230a879bf1e27c6897c4ee5e1187d04b5

SHA512
da47d6c9f900b9b93abef2e222392aed7812df3cb5f7585a3c716cc42401792cff5a8bb6a41b2f43a893e9a81bd8633ed897f7c09db7243e09ae631f533954bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000017

Filesize
31KB

MD5
fa857889602949f54e541685afecd559

SHA1
838feb97829b6fbd32462a3647e6e5f856206478

SHA256
f0f63e17dee39afac308b67f81b6049c9205e71675fd37b12314449cc4b3db83

SHA512
89b21db49a8fcba13670601263e7668bcb8e5038e766809583d68f427b1305f2f40139cea01d6334700eab1840f7f5a9931ee94b5b3cd0d627603e59ed4c4c4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000018

Filesize
147KB

MD5
10a8a83c6230c12a4890329a352f3617

SHA1
6e3aa832e17bea6716802ee1ce873271349251a1

SHA256
3876ec1287afebfe3ade64a0fc5d75b99a2273b37c90309cb0b5ef4b056bc1b4

SHA512
49dd17a22eabc653394aa5a6c4eaf28d3d61cec7b7f835555d72a47b75d4983a98b0dcfd15abe426b83c29ccc6df062a46d972a66656872ae43b82286d3f859c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001b

Filesize
62KB

MD5
f9f305e10bd8ea1432b9fd1d355ecc90

SHA1
934ce6d59f903d145519d1066bb574c82a25edf9

SHA256
01d35e181e0a373c0fae013280a79616dbb1fc2d2f892b3215c941c098e0c9c6

SHA512
9efb67bfc44f6c31137e0387bac74880f9b93d3645837805ac6ffed7e7fad5be7c3812cd11c9172b767ff4cc258fa140663c33892ba8f28ac2ef7686b3bee0aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001c

Filesize
20KB

MD5
4b2026d30018fb08216cad5165da2a9e

SHA1
c689f4dcfcaf371494da6384254698ba3a1466f1

SHA256
64bb69d41b5874df1ee2f5695056990120355a7cc124ddfe577574574657de5c

SHA512
f73986bc249a29d32fb601a286420868819850901495f3521af993f7733fc2f9ce7069d7d963c5407e13358416a905f8e56558729e6500761c7671c45a051936

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001d

Filesize
20KB

MD5
6931123c52bee278b00ee54ae99f0ead

SHA1
6907e9544cd8b24f602d0a623cfe32fe9426f81f

SHA256
c54a6c3031bf3472077c716fa942bd683119dc483b7e0181e8a608fa0b309935

SHA512
40221fe98816aa369c45f87dc62e6d91fcdb559d9756cb6a05819f1cde629e23a51803e71371f4e4f27112a09489d58ed45b2b901a5f2f00c69c082b3576057f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000022

Filesize
186KB

MD5
8e0650f8a662647e55dabecc398ebe48

SHA1
1acfa69d68ddbe39ecd5857cb2a2f4eb31251eb2

SHA256
35b1ef55f0dded4409e033fe762908019223206b09e2a51697795151ae972bb5

SHA512
3ed395f8a97eae9d2cda4a6e13140bedbb8bfb075af1c6c578280968d80498a8f351fa3a3391232e20707b4594dc456ee061797394421c776477668ce599761e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002d

Filesize
23KB

MD5
ce3cc830b1e038999dd41be7ae9e1718

SHA1
ebed20a6d1e3b98b2293a90880d6e9bd5a503bf3

SHA256
5bfb0304c3a1d1128796a32c3da1b1d773dbdebecd7947364553b201300b2445

SHA512
74e649b2ebc3c5443feaa548e5f55e403bf99f27a8c5709e0247e89090c53b0d084903d57ac2e69135325ba7d97f9b7d8284df49fb42b28d53dd51b41bd21578

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000041

Filesize
209KB

MD5
3e552d017d45f8fd93b94cfc86f842f2

SHA1
dbeebe83854328e2575ff67259e3fb6704b17a47

SHA256
27d9c4613df7a3c04da0b79c13217aa69992b441acb7e44bf2a7578ca87d97d6

SHA512
e616436f2f15615429c7c5c37de3990c3e86c5e1da7d75a0f524fc458b75d44a5be1a3648a628d63e1cf8aa062e08b538f2f2bc9c6a0b42157beb24f82c571d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
04552ec2301d6346c6b272cfdfd6cb70

SHA1
a3b367820ff77d31e4304f5a692702ae0ea1c3c1

SHA256
b79ef72a71731df28c306988162fc56196106c7d9dcc829d7e78b05df90c424e

SHA512
10bec02708870c02fd55026c46958e1e22cc19fd1608c9f19282ee710fac4ad8bd7b1dce432800eb99c369b0e155ed8373a86a6265ea4e19f89bf3d2c6c85dd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
09e3e56ca2a00844b439e2a2c994d7dd

SHA1
18f0ef2ff01dd1ba5f43b419a4e054e22f537cf8

SHA256
018bd285a59da5790166299c67acf32a45b7a1ee1441a9182a06c1ccd29bef6e

SHA512
d99efc4655e1fde6a303d36984b8289468bbe221617e9e5a4155d22e6c4c56d0e967855fb770eca7139052e7400af60f4cbd7bf386121f7b4d66d7c100fddf22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
00d816a48989ad4153caab79a70b0f57

SHA1
696f67e18488600cba489c4cf8d805511ce679b3

SHA256
8c79465fa55b1296be054d6f5ee17d6b14242db5fb15194684cb4fed6f2d32bf

SHA512
111019a2885bbf1fc4cf607c0331fa160def6aba416002788ec06d2de8a9dd1070ed85f52b3a359adc4be930dc2600f49933ecbfad1a0e85df3edd3f432c3472

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
6f06f01fe38788dca91a937d56b57f69

SHA1
8840ef3e5d66f1fa144a96054b91c6b42501fa22

SHA256
34a1777edf1ae87306a86db4a29b037e2c06f297d88ea3d6f2310f8ce9e7edc8

SHA512
1e50f53720640ad9aad7f8e5bd3262d6383bb9e4caa6584f8ea936591c6946f081c7a3382a30be35a01392a4e4b73d5bab04871ba8dd63630a4e795d6426ca99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
dc981e01df0754dd5e94dad57dc8a7af

SHA1
31fdc8cbfb7b5b043e407762a523970fc0da2c62

SHA256
6954900a64cc0352f5b1310f2ecd725c113882ffdfc8dc981b1bfd68eebe094a

SHA512
ffb4600ff3e231479d3ae280585d6b828bdc4060943e2156b2de1c4681a501343e563ec8b7e21f444c305a6fbc8091b1e11eb66b159843bbcec9622c35fade7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
63a29829507743fec29a4b3fa100a2a3

SHA1
a52ce11abad38c61fd47d2da9026b499c814be2f

SHA256
5257a0b230c11617751418d0ab55d368095d5ac8130faea85b84173be3632203

SHA512
fa0d49c7bfb2a0010971ce83e34ab2b13b2622c9b4bf4a334fef84440755fadca435eb1cbdf69a9058696eac88d4bd5e0ca53704379c5f9345151b3d4d05c586

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
dde851d4e1dd9a02ccd480980c7fd123

SHA1
6e4ef127acd6daba7e2190b8a3189e9907413981

SHA256
875cb283835307177b60b4ce62ce0410709431cc2bfb956876bd9504cc3a748d

SHA512
ed6bd8fb0418e50446a866b17122181e02cfd746a32c7b4fd05fcbf1a65c21d4df97b65944b74752213f61d536442f96dfb94cec7d44bb65eb8c3b8055c7397a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
2d18588d53cc2aa66ee7767009067893

SHA1
7c644e3285d2816a0e9b9b33d930415603dcb5a7

SHA256
a13d5dcb94863c45dd4529de407fab760479fcd49708252b6e4196480c859bc1

SHA512
efee0eb7ae83507bd5197ef60ed32098bb0117c5da44499d3b9c101d2cd3078626995a505d25166b8a9541f1ec5afbff75ef35b78b93162fc55a145897557eb3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
4e854f5db782f55dca60d5d36204b3ab

SHA1
ebf37780306df33159ac6ce54de873ae10c8f8b6

SHA256
637c127a6d31391f36696b86ee0dc81c7b785bc162a88fa4ed4a5fc8e5e6ad99

SHA512
2af8f9171d7df2fa5e43e58bf9e1505d655050b43525c324e83940d015759dabc791682df73614b4e3a665224d25ec8e4aa48caa093989f37fc144c89469b650

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b6e8aed1b5b1f1d9a99dc25aaca8ef83

SHA1
ab5e2ae63e5ae2e3f7d89afcea2da74fd5f3e08a

SHA256
dc48c8bd46898702e680c9899ce4a144d497ac4dc7befe37f0b6b77b511b8010

SHA512
fdbb2e0fa27ccdcd7cc1dfadee10293bb76194a24440a3a8c57717abb263a2fcc17bd85ac0e7c6f89e35141e1df17af579e9d8f8378d79aa223363860b8960fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
e7847644e8f3a3da283efc83ffe938c6

SHA1
20f1b6ab4cde01d1d7d47c7dee60c2fb171ce7d2

SHA256
6fe6b628439a1257e6cbc46b5dbc6e73972205cf4ff405ef92a5c98d4607e78c

SHA512
d073a08e7ae70c3759ec59106b3efaca98285702f271cf7ac793063193c71e670da86a8d107dcb63d37065facb7f66f21c7cbbd452c02d6e209951c68d63f961

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
17798390de4aa65b2904feb0b0f9d6d6

SHA1
ef801bef3c409d1fe48c7389cf72234252e20a49

SHA256
2c724c534c7bda4759bfbe70bd2eb460a472cf847367e0035b89b45373457e38

SHA512
875d13effbbbcbaa236799ba1d819afb0f885688edbc558257cfaa71e19d3ed27f2950e361025f4af598068dd907af695b86e1011aafe3088e5748303c0a8a38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
eb1ffdba27cd96420c6747ba701b428e

SHA1
7d1ab2f34f181bacafe23586952cdeef6111dfd6

SHA256
e70c8825628db57b7974cbce597f4fe47cfd2b1eec72f928d47495a7fa9e3829

SHA512
1753ad7a8e597adfecbd347620203deb8f5c4f6a97cd8e51139024be21d06efc553ed20a6e3f09f253ec243ddf9c8db549126a3d183bf3df7f2fc7210a10a151

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
42232accea74d676fcb437f37b030847

SHA1
5d1bb68fd5b58f6a637cfacb6620588df5fd11bf

SHA256
dcadf69d7e50efb36f4152f6f722374793462f66d400cdbc4c6dfd5528848124

SHA512
f8b362ec3c99f1dc1f041eb46e9e1087e95c12567add3853e454d3496c6cf9a691f047cdbd86a2a48cdee7c6a3b003814586e9f71c3415525bf5e708dea5da2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
87487d7fbc09c35dec05d573c23c2ca8

SHA1
25f036a9da9afde4ce12a487beaa14e5aab2769e

SHA256
a939d50747c493f7db3e9b7d803a4ce04f208e08345265a895558678e6936cee

SHA512
1fae4ccaf8450696628c5fd5c5db882e5e138a5f1ded18f45ea009932c2893c559fa29a82c32a540548421b70ff8e6697a44f401781bddd9339c7c9b6967ade0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
a254fa4adcf70914cad3d94cf2003cc7

SHA1
8832f7937d096e1abae7572590b4749e3b1946f5

SHA256
e7347e678b01778be9de4f983adb2dba2d59334fb744ea5f81861d0f3ebc7389

SHA512
dad5ed862ccf576bb71eb1bda339a9bb253f206a20994cd5949715099089e3f97d276df254a64e80d21eac37985260c142a0711101bce0408eba1a8956289e66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
61f8701575a58f067a4ebf5c760cbbf4

SHA1
847e04b9779f0557c50015014c2dcf7c8ea48acd

SHA256
c46ec2f314c49c9499544fe0e9f325de9bac68295b53ac20a5b3be891ecf886f

SHA512
d0c8949f42585b264c618e30c9d99d57f4b1f1bb374f558c60ce9b97f9f6ad93af35c167fde75665637ef29e907f14570d6b23487a65ae745e58325cc56c832b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
4ee622c3b70d9d1cee3bbdc08e5067b3

SHA1
eb40393be9c211ccba394513fe3547251b8b0f4f

SHA256
f1dea14e7dac71c7b1cd81bac2ccb79e00a24fb2efd4962cbc04eccb84b3b35a

SHA512
ba798846970a52e3013de3ad34d1c9c729fc422ad854dc69519dac7f682df9b36c64f6aa64a4ce9aa76e29a2c0bf29b8cbf1c74e9e9440adef25342098679a52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
4e61cdc8d71322fff515d7a243b56e8f

SHA1
51d44c14cfa73bf3d78a9d86825f01d8dbf4e74f

SHA256
665f0b52b099426fcb15e1eda83602e73cfd0cae71cdcc3b5aaaf18cdd640c44

SHA512
bad7328ba738092ec8c59a3cf49a82e5082fca657d0205f5c5249bce39720b14925fbc6bfdf08a6260c9b63e05716aaa9427a035d87b0eda83830d1f12c9d783

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
870B

MD5
d9f9340276a283d2b6b6f3f92c2c1188

SHA1
0cf20114966e15611ae9acae54c1e6a928aa4a8c

SHA256
e1e93afd75d27782516cb43fc68a3c5dcac66762fa49ae1a77f263c1207192d3

SHA512
62617b76631df23d93dfb810210444fff31abac4f8f85b8570d2bc8d4bb462a7ceb8d44027fc8ce50c996d88aea4f322cd9738b31623c59911118a2456511103

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
4b2fab919d534cd47ad269fcba4c5744

SHA1
70f1af71a1e4bd24b809f489046601fd405b28b6

SHA256
528e706e7d4f845978d662e5272c20aab19814a63d065d5c89fe7958d89e0cf4

SHA512
2033619b3717b67465db105fb3771bc172245215660aa21768ea643ac992d3bcd4389a1a86fcb96ba3c73f5c235574cb91fc0b8ae9c2e9d112aae035b589b569

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57e290.TMP

Filesize
870B

MD5
6cb89d44d3261f7bd3aacaefc973acef

SHA1
648cdc32f00e9e393f1ce740f56c7bd947ffaa5d

SHA256
1671b7235482179233d2dd8160c0570ffbd41b412d7b3e5efa33aa7d437de989

SHA512
b8f274d7ce28c5e7c703722a9b07f63f0f8dc90312731182baff48611c621084539f7f78e4c0a94913f3caef86c2fde039f7a4d3a9db2308d4aac24c5c0ac60e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
09703c5c7a984278fe94f744602cd3e0

SHA1
80f04053f3f19795a23d11fc1c5a332955f80a19

SHA256
41fc9e00dd40cddfd16a87122616802e6ef1d5bb02c950ef34d912bb7bead016

SHA512
b216499875d1fda243c4c3852e301eb2cdb35ba1ef81134660ce13e9bf0d7f5cce2ef229e9e37da32b3fb3ffecedc22868c0568d8cfca5c3cfc3ad1bc081e18b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a6272f9cd44a0b425942d51e6fe94b0d

SHA1
9dd1f4eab1c075953e0664635a72bc548ba9b5ab

SHA256
0030ab4b946d8189946793e1193b6c554617d6002333ad5b0a3bcdc7f54032da

SHA512
52088c52796ebe6a63013fb8cad4a1c3b1bfc2bf5b5123c774080f52df1ed296172991e10a3ac652da6432e4cb6b46337936f97a364d15d13aab572d17951ddd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
2935a51b1d3c345848fe9f3b78a2fd20

SHA1
41b5c6b60a6dd7db2621f30fae82241be80c4f6c

SHA256
c2fda78c325a703321f1ba6b6aa7c8e1d7cdef0e7517a285e0fc3f343c2c9b26

SHA512
a7f499deb07bb9262383d73d6eb13adcfde404035eba7c8f1189ebaa1af07857f3ebb19d9303c283bccdb162222f2d4ab8fc0eb36272af6a43f541e81bca0657

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b5736f2d8dc8cb5b727bf907e8ec705e

SHA1
e27b790d1351f49dbdb36f4e60fb2e81cb808c68

SHA256
c4fdd7801bf02dfd1dee943c4e3deddbbf9b7443414e23536ed8dacdd1b4a935

SHA512
3e390a9034e8548ac3e0dd0c075c391745d81233b655e0a9359e93aaf7805efbb5927a96771a7cbc8681be5001cb0346ae674377364fee5ad5d6564e508173d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\@[email protected]

Filesize
933B

MD5
7e6b6da7c61fcb66f3f30166871def5b

SHA1
00f699cf9bbc0308f6e101283eca15a7c566d4f9

SHA256
4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e

SHA512
e5a56137f325904e0c7de1d0df38745f733652214f0cdb6ef173fa0743a334f95bed274df79469e270c9208e6bdc2e6251ef0cdd81af20fa1897929663e2c7d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\@[email protected]

Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\TaskData\Tor\tor.exe

Filesize
3.0MB

MD5
fe7eb54691ad6e6af77f8a9a0b6de26d

SHA1
53912d33bec3375153b7e4e68b78d66dab62671a

SHA256
e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb

SHA512
8ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\b.wnry

Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\c.wnry

Filesize
780B

MD5
93f33b83f1f263e2419006d6026e7bc1

SHA1
1a4b36c56430a56af2e0ecabd754bf00067ce488

SHA256
ef0ed0b717d1b956eb6c42ba1f4fd2283cf7c8416bed0afd1e8805ee0502f2b4

SHA512
45bdd1a9a3118ee4d3469ee65a7a8fdb0f9315ca417821db058028ffb0ed145209f975232a9e64aba1c02b9664c854232221eb041d09231c330ae510f638afac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\msg\m_bulgarian.wnry

Filesize
46KB

MD5
95673b0f968c0f55b32204361940d184

SHA1
81e427d15a1a826b93e91c3d2fa65221c8ca9cff

SHA256
40b37e7b80cf678d7dd302aaf41b88135ade6ddf44d89bdba19cf171564444bd

SHA512
7601f1883edbb4150a9dc17084012323b3bfa66f6d19d3d0355cf82b6a1c9dce475d758da18b6d17a8b321bf6fca20915224dbaedcb3f4d16abfaf7a5fc21b92

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\msg\m_chinese (simplified).wnry

Filesize
53KB

MD5
0252d45ca21c8e43c9742285c48e91ad

SHA1
5c14551d2736eef3a1c1970cc492206e531703c1

SHA256
845d0e178aeebd6c7e2a2e9697b2bf6cf02028c50c288b3ba88fe2918ea2834a

SHA512
1bfcf6c0e7c977d777f12bd20ac347630999c4d99bd706b40de7ff8f2f52e02560d68093142cc93722095657807a1480ce3fb6a2e000c488550548c497998755

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\msg\m_chinese (traditional).wnry

Filesize
77KB

MD5
2efc3690d67cd073a9406a25005f7cea

SHA1
52c07f98870eabace6ec370b7eb562751e8067e9

SHA256
5c7f6ad1ec4bc2c8e2c9c126633215daba7de731ac8b12be10ca157417c97f3a

SHA512
0766c58e64d9cda5328e00b86f8482316e944aa2c26523a3c37289e22c34be4b70937033bebdb217f675e40db9fecdce0a0d516f9065a170e28286c2d218487c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\msg\m_croatian.wnry

Filesize
38KB

MD5
17194003fa70ce477326ce2f6deeb270

SHA1
e325988f68d327743926ea317abb9882f347fa73

SHA256
3f33734b2d34cce83936ce99c3494cd845f1d2c02d7f6da31d42dfc1ca15a171

SHA512
dcf4ccf0b352a8b271827b3b8e181f7d6502ca0f8c9dda3dc6e53441bb4ae6e77b49c9c947cc3ede0bf323f09140a0c068a907f3c23ea2a8495d1ad96820051c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\msg\m_czech.wnry

Filesize
39KB

MD5
537efeecdfa94cc421e58fd82a58ba9e

SHA1
3609456e16bc16ba447979f3aa69221290ec17d0

SHA256
5afa4753afa048c6d6c39327ce674f27f5f6e5d3f2a060b7a8aed61725481150

SHA512
e007786ffa09ccd5a24e5c6504c8de444929a2faaafad3712367c05615b7e1b0fbf7fbfff7028ed3f832ce226957390d8bf54308870e9ed597948a838da1137b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\msg\m_danish.wnry

Filesize
36KB

MD5
2c5a3b81d5c4715b7bea01033367fcb5

SHA1
b548b45da8463e17199daafd34c23591f94e82cd

SHA256
a75bb44284b9db8d702692f84909a7e23f21141866adf3db888042e9109a1cb6

SHA512
490c5a892fac801b853c348477b1140755d4c53ca05726ac19d3649af4285c93523393a3667e209c71c80ac06ffd809f62dd69ae65012dcb00445d032f1277b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\msg\m_dutch.wnry

Filesize
36KB

MD5
7a8d499407c6a647c03c4471a67eaad7

SHA1
d573b6ac8e7e04a05cbbd6b7f6a9842f371d343b

SHA256
2c95bef914da6c50d7bdedec601e589fbb4fda24c4863a7260f4f72bd025799c

SHA512
608ef3ff0a517fe1e70ff41aeb277821565c5a9bee5103aa5e45c68d4763fce507c2a34d810f4cd242d163181f8341d9a69e93fe32aded6fbc7f544c55743f12

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\msg\m_english.wnry

Filesize
36KB

MD5
fe68c2dc0d2419b38f44d83f2fcf232e

SHA1
6c6e49949957215aa2f3dfb72207d249adf36283

SHA256
26fd072fda6e12f8c2d3292086ef0390785efa2c556e2a88bd4673102af703e5

SHA512
941fa0a1f6a5756ed54260994db6158a7ebeb9e18b5c8ca2f6530c579bc4455918df0b38c609f501ca466b3cc067b40e4b861ad6513373b483b36338ae20a810

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\msg\m_filipino.wnry

Filesize
36KB

MD5
08b9e69b57e4c9b966664f8e1c27ab09

SHA1
2da1025bbbfb3cd308070765fc0893a48e5a85fa

SHA256
d8489f8c16318e524b45de8b35d7e2c3cd8ed4821c136f12f5ef3c9fc3321324

SHA512
966b5ed68be6b5ccd46e0de1fa868cfe5432d9bf82e1e2f6eb99b2aef3c92f88d96f4f4eec5e16381b9c6db80a68071e7124ca1474d664bdd77e1817ec600cb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\msg\m_finnish.wnry

Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\msg\m_french.wnry

Filesize
37KB

MD5
4e57113a6bf6b88fdd32782a4a381274

SHA1
0fccbc91f0f94453d91670c6794f71348711061d

SHA256
9bd38110e6523547aed50617ddc77d0920d408faeed2b7a21ab163fda22177bc

SHA512
4f1918a12269c654d44e9d394bc209ef0bc32242be8833a2fba437b879125177e149f56f2fb0c302330dec328139b34982c04b3fefb045612b6cc9f83ec85aa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\msg\m_german.wnry

Filesize
36KB

MD5
3d59bbb5553fe03a89f817819540f469

SHA1
26781d4b06ff704800b463d0f1fca3afd923a9fe

SHA256
2adc900fafa9938d85ce53cb793271f37af40cf499bcc454f44975db533f0b61

SHA512
95719ae80589f71209bb3cb953276538040e7111b994d757b0a24283aefe27aadbbe9eef3f1f823ce4cabc1090946d4a2a558607ac6cac6faca5971529b34dac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\msg\m_greek.wnry

Filesize
47KB

MD5
fb4e8718fea95bb7479727fde80cb424

SHA1
1088c7653cba385fe994e9ae34a6595898f20aeb

SHA256
e13cc9b13aa5074dc45d50379eceb17ee39a0c2531ab617d93800fe236758ca9

SHA512
24db377af1569e4e2b2ebccec42564cea95a30f1ff43bcaf25a692f99567e027bcef4aacef008ec5f64ea2eef0c04be88d2b30bcadabb3919b5f45a6633940cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\msg\m_indonesian.wnry

Filesize
36KB

MD5
3788f91c694dfc48e12417ce93356b0f

SHA1
eb3b87f7f654b604daf3484da9e02ca6c4ea98b7

SHA256
23e5e738aad10fb8ef89aa0285269aff728070080158fd3e7792fe9ed47c51f4

SHA512
b7dd9e6dc7c2d023ff958caf132f0544c76fae3b2d8e49753257676cc541735807b4befdf483bcae94c2dcde3c878c783b4a89dca0fecbc78f5bbf7c356f35cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\msg\m_italian.wnry

Filesize
36KB

MD5
30a200f78498990095b36f574b6e8690

SHA1
c4b1b3c087bd12b063e98bca464cd05f3f7b7882

SHA256
49f2c739e7d9745c0834dc817a71bf6676ccc24a4c28dcddf8844093aab3df07

SHA512
c0da2aae82c397f6943a0a7b838f60eeef8f57192c5f498f2ecf05db824cfeb6d6ca830bf3715da7ee400aa8362bd64dc835298f3f0085ae7a744e6e6c690511

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\msg\m_japanese.wnry

Filesize
79KB

MD5
b77e1221f7ecd0b5d696cb66cda1609e

SHA1
51eb7a254a33d05edf188ded653005dc82de8a46

SHA256
7e491e7b48d6e34f916624c1cda9f024e86fcbec56acda35e27fa99d530d017e

SHA512
f435fd67954787e6b87460db026759410fbd25b2f6ea758118749c113a50192446861a114358443a129be817020b50f21d27b1ebd3d22c7be62082e8b45223fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\msg\m_korean.wnry

Filesize
89KB

MD5
6735cb43fe44832b061eeb3f5956b099

SHA1
d636daf64d524f81367ea92fdafa3726c909bee1

SHA256
552aa0f82f37c9601114974228d4fc54f7434fe3ae7a276ef1ae98a0f608f1d0

SHA512
60272801909dbba21578b22c49f6b0ba8cd0070f116476ff35b3ac8347b987790e4cc0334724244c4b13415a246e77a577230029e4561ae6f04a598c3f536c7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\msg\m_latvian.wnry

Filesize
40KB

MD5
c33afb4ecc04ee1bcc6975bea49abe40

SHA1
fbea4f170507cde02b839527ef50b7ec74b4821f

SHA256
a0356696877f2d94d645ae2df6ce6b370bd5c0d6db3d36def44e714525de0536

SHA512
0d435f0836f61a5ff55b78c02fa47b191e5807a79d8a6e991f3115743df2141b3db42ba8bdad9ad259e12f5800828e9e72d7c94a6a5259312a447d669b03ec44

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\msg\m_norwegian.wnry

Filesize
36KB

MD5
ff70cc7c00951084175d12128ce02399

SHA1
75ad3b1ad4fb14813882d88e952208c648f1fd18

SHA256
cb5da96b3dfcf4394713623dbf3831b2a0b8be63987f563e1c32edeb74cb6c3a

SHA512
f01df3256d49325e5ec49fd265aa3f176020c8ffec60eb1d828c75a3fa18ff8634e1de824d77dfdd833768acff1f547303104620c70066a2708654a07ef22e19

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\msg\m_polish.wnry

Filesize
38KB

MD5
e79d7f2833a9c2e2553c7fe04a1b63f4

SHA1
3d9f56d2381b8fe16042aa7c4feb1b33f2baebff

SHA256
519ad66009a6c127400c6c09e079903223bd82ecc18ad71b8e5cd79f5f9c053e

SHA512
e0159c753491cac7606a7250f332e87bc6b14876bc7a1cf5625fa56ab4f09c485f7b231dd52e4ff0f5f3c29862afb1124c0efd0741613eb97a83cbe2668af5de

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCry-main.zip\WannaCry-main\msg\m_portuguese.wnry

Filesize
37KB

MD5
fa948f7d8dfb21ceddd6794f2d56b44f

SHA1
ca915fbe020caa88dd776d89632d7866f660fc7a

SHA256
bd9f4b3aedf4f81f37ec0a028aabcb0e9a900e6b4de04e9271c8db81432e2a66

SHA512
0d211bfb0ae953081dca00cd07f8c908c174fd6c47a8001fadc614203f0e55d9fbb7fa9b87c735d57101341ab36af443918ee00737ed4c19ace0a2b85497f41a

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

Filesize
19.7MB

MD5
4f77ffa692e7050575f0e37b47300271

SHA1
7c0e9b323131aa0cc46f43b133f92bb0f7ce8b63

SHA256
ca9a8a435dcea19104330390ecf9d8cf97058eaaaa46714321892263dff0ecb6

SHA512
d9fe35805ece836140c00ec46f5938f61479cc361d80772d5e5a3eb72bcaa4a0a853b1a84245d1328a4fa5c8e5091832d1dc48891693fb1a8a5e8e5cf39c953c

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\ml.xspf.tmp2828

Filesize
304B

MD5
781602441469750c3219c8c38b515ed4

SHA1
e885acd1cbd0b897ebcedbb145bef1c330f80595

SHA256
81970dbe581373d14fbd451ac4b3f96e5f69b79645f1ee1ca715cff3af0bf20d

SHA512
2b0a1717d96edb47bdf0ffeb250a5ec11f7d0638d3e0a62fbe48c064379b473ca88ffbececb32a72129d06c040b107834f1004ccda5f0f35b8c3588034786461

Download Submit
C:\Users\Admin\Downloads\WannaCry-main.zip

Filesize
3.3MB

MD5
3c7861d067e5409eae5c08fd28a5bea2

SHA1
44e4b61278544a6a7b8094a0615d3339a8e75259

SHA256
07ecdced8cf2436c0bc886ee1e49ee4b8880a228aa173220103f35c535305635

SHA512
c2968e30212707acf8a146b25bb29c9f5d779792df88582b03431a0034dc82599f58d61fc9494324cc06873e5943f8c29bffd0272ca682d13c0bb10482d79fc5

Download Submit
\??\pipe\LOCAL\crashpad_4752_HLHQHHXZPKEGXYUZ

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/508-623-0x0000000000CF0000-0x0000000000D24000-memory.dmp

Filesize
208KB

Download
memory/1648-1196-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/1872-2787-0x00007FF8CF780000-0x00007FF8CFA36000-memory.dmp

Filesize
2.7MB

Download
memory/1872-2785-0x00007FF647C00000-0x00007FF647CF8000-memory.dmp

Filesize
992KB

Download
memory/1872-2786-0x00007FF8E81B0000-0x00007FF8E81E4000-memory.dmp

Filesize
208KB

Download
memory/1872-2788-0x00007FF8CD920000-0x00007FF8CE9D0000-memory.dmp

Filesize
16.7MB

Download
memory/2724-2715-0x00007FF8AEF90000-0x00007FF8AEFA0000-memory.dmp

Filesize
64KB

Download
memory/2724-2759-0x00007FF8AEF90000-0x00007FF8AEFA0000-memory.dmp

Filesize
64KB

Download
memory/2724-2721-0x00007FF8ACF30000-0x00007FF8ACF40000-memory.dmp

Filesize
64KB

Download
memory/2724-2717-0x00007FF8AEF90000-0x00007FF8AEFA0000-memory.dmp

Filesize
64KB

Download
memory/2724-2716-0x00007FF8AEF90000-0x00007FF8AEFA0000-memory.dmp

Filesize
64KB

Download
memory/2724-2718-0x00007FF8AEF90000-0x00007FF8AEFA0000-memory.dmp

Filesize
64KB

Download
memory/2724-2758-0x00007FF8AEF90000-0x00007FF8AEFA0000-memory.dmp

Filesize
64KB

Download
memory/2724-2719-0x00007FF8AEF90000-0x00007FF8AEFA0000-memory.dmp

Filesize
64KB

Download
memory/2724-2761-0x00007FF8AEF90000-0x00007FF8AEFA0000-memory.dmp

Filesize
64KB

Download
memory/2724-2760-0x00007FF8AEF90000-0x00007FF8AEFA0000-memory.dmp

Filesize
64KB

Download
memory/2724-2722-0x00007FF8ACF30000-0x00007FF8ACF40000-memory.dmp

Filesize
64KB

Download
memory/2828-2804-0x00007FF647C00000-0x00007FF647CF8000-memory.dmp

Filesize
992KB

Download
memory/2828-2805-0x00007FF8E81B0000-0x00007FF8E81E4000-memory.dmp

Filesize
208KB

Download
memory/2828-2806-0x00007FF8CF780000-0x00007FF8CFA36000-memory.dmp

Filesize
2.7MB

Download
memory/2828-2807-0x00007FF8CD920000-0x00007FF8CE9D0000-memory.dmp

Filesize
16.7MB

Download
memory/3012-2659-0x0000000074340000-0x0000000074362000-memory.dmp

Filesize
136KB

Download
memory/3012-2762-0x0000000000F80000-0x000000000127E000-memory.dmp

Filesize
3.0MB

Download
memory/3012-2789-0x0000000000F80000-0x000000000127E000-memory.dmp

Filesize
3.0MB

Download
memory/3012-2735-0x0000000074420000-0x00000000744A2000-memory.dmp

Filesize
520KB

Download
memory/3012-2736-0x0000000074400000-0x000000007441C000-memory.dmp

Filesize
112KB

Download
memory/3012-2737-0x0000000074370000-0x00000000743F2000-memory.dmp

Filesize
520KB

Download
memory/3012-2738-0x0000000074340000-0x0000000074362000-memory.dmp

Filesize
136KB

Download
memory/3012-2739-0x00000000742C0000-0x0000000074337000-memory.dmp

Filesize
476KB

Download
memory/3012-2740-0x00000000740A0000-0x00000000742BC000-memory.dmp

Filesize
2.1MB

Download
memory/3012-2821-0x0000000000F80000-0x000000000127E000-memory.dmp

Filesize
3.0MB

Download
memory/3012-2827-0x00000000740A0000-0x00000000742BC000-memory.dmp

Filesize
2.1MB

Download
memory/3012-2849-0x0000000000F80000-0x000000000127E000-memory.dmp

Filesize
3.0MB

Download
memory/3012-2734-0x0000000000F80000-0x000000000127E000-memory.dmp

Filesize
3.0MB

Download
memory/3012-2657-0x00000000740A0000-0x00000000742BC000-memory.dmp

Filesize
2.1MB

Download
memory/3012-2658-0x0000000074370000-0x00000000743F2000-memory.dmp

Filesize
520KB

Download
memory/3012-2660-0x0000000000F80000-0x000000000127E000-memory.dmp

Filesize
3.0MB

Download
memory/3012-2656-0x0000000074420000-0x00000000744A2000-memory.dmp

Filesize
520KB

Download