wannacry | 7f24f5683e7a2150082fb39e073d4931c2e2849046fca6afa0a9694c94d14b92

Analysis

max time kernel
254s
max time network
255s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
07-08-2024 16:06

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

123121.rar
Size

9.4MB
MD5

dfa4c8a2509faf5a36a9cfd9596247c1
SHA1

550c1f00748d4a57758b0d3d74954d69b273f20e
SHA256

7f24f5683e7a2150082fb39e073d4931c2e2849046fca6afa0a9694c94d14b92
SHA512

f0ff7adcadd59dc32451a8816d88c2a2b5d1ff7fd559f37900c24f849f3bd6b66a3d8d3bd5f969806c58d42350aabd798ca80dd125deec52d2a706c084ff0d23
SSDEEP

196608:H4pC7pue6rDd+s8crp2KLrXlEpg41KmECjltuVgfvWmLAx5R:H4YtFef8QTrX+pgeXECZtWgfvWxN

Score

10^/10

wannacry defense_evasion discovery execution impact persistence ransomware worm

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Downloads MZ/PE file

Drops startup file 2 IoCs

Processes:

WannaCry.EXE

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD999B.tmp	WannaCry.EXE
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD99B1.tmp	WannaCry.EXE

Executes dropped EXE 8 IoCs

Processes:

winrar-x64-701.exetaskdl.exe@[email protected]@[email protected]taskhsvc.exetaskdl.exetaskse.exe@[email protected]

pid	process
3376	winrar-x64-701.exe
1468	taskdl.exe
5940	@[email protected]
6060	@[email protected]
6128	taskhsvc.exe
6092	taskdl.exe
5600	taskse.exe
5780	@[email protected]

Loads dropped DLL 8 IoCs

Processes:

taskhsvc.exe

pid process

6128 taskhsvc.exe
6128 taskhsvc.exe
6128 taskhsvc.exe
6128 taskhsvc.exe
6128 taskhsvc.exe
6128 taskhsvc.exe
6128 taskhsvc.exe
6128 taskhsvc.exe
Modifies file permissions 1 TTPs 2 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exeicacls.exe

pid process

4568 icacls.exe
5568 icacls.exe

pid	process
6128	taskhsvc.exe
6128	taskhsvc.exe
6128	taskhsvc.exe
6128	taskhsvc.exe
6128	taskhsvc.exe
6128	taskhsvc.exe
6128	taskhsvc.exe
6128	taskhsvc.exe

pid	process
4568	icacls.exe
5568	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ygzaujjoyuxvv282 = "\"C:\\Users\\Admin\\Downloads\\WannaCry-main\\WannaCry-main\\tasksche.exe\""	reg.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

6 camo.githubusercontent.com
64 camo.githubusercontent.com

flow	ioc
6	camo.githubusercontent.com
64	camo.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

WannaCry.EXE@[email protected]

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	WannaCry.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
defense_evasion

SIP and Trust Provider Hijacking
T1553.003

Processes:

msedge.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\winrar-x64-701.exe:Zone.Identifier msedge.exe
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\winrar-x64-701.exe:Zone.Identifier	msedge.exe

System Location Discovery: System Language Discovery 1 TTPs 22 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cscript.exeWMIC.exe@[email protected]attrib.exeicacls.exetaskdl.exe@[email protected]taskhsvc.exeattrib.exeicacls.execmd.exeWannaCry.EXEcmd.exetaskse.exereg.exeDllHost.exeattrib.exe@[email protected]cmd.exeWannaCry.EXEtaskdl.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exemsedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "244"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe

Modifies registry class 48 IoCs

Processes:

OpenWith.execontrol.exeexplorer.exeOpenWith.exemsedge.exemsedge.execmd.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings	control.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000030000000200000001000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	OpenWith.exe
Key created	\Registry\User\S-1-5-21-131918955-2378418313-883382443-1000_Classes\NotificationData	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\NodeSlot = "1"	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 8c0031000000000002598e7e110050524f4752417e310000740009000400efbec552596102598e7e2e0000003f0000000000010000000000000000004a00000000004bfc7d00500072006f006700720061006d002000460069006c0065007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370038003100000018000000	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-131918955-2378418313-883382443-1000\{50B6AFBA-E24E-4132-A34A-467BEE817BA7}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = ffffffff	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	OpenWith.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-131918955-2378418313-883382443-1000\{63468862-C012-4F68-A4AE-6B836E6671A4}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

4128 reg.exe

pid	process
4128	reg.exe

NTFS ADS 3 IoCs

Processes:

msedge.exemsedge.exemsedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 306303.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\winrar-x64-701.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\WannaCry-main.zip:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

Processes:

msedge.exemsedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exetaskhsvc.exemsedge.exe

pid	process
1504	msedge.exe
1504	msedge.exe
4828	msedge.exe
4828	msedge.exe
3244	msedge.exe
3244	msedge.exe
4896	msedge.exe
4896	msedge.exe
4752	identity_helper.exe
4752	identity_helper.exe
2064	msedge.exe
2064	msedge.exe
2320	msedge.exe
2320	msedge.exe
2120	msedge.exe
2120	msedge.exe
3616	identity_helper.exe
3616	identity_helper.exe
1504	msedge.exe
1504	msedge.exe
4044	msedge.exe
4044	msedge.exe
3608	msedge.exe
3608	msedge.exe
6128	taskhsvc.exe
6128	taskhsvc.exe
6128	taskhsvc.exe
6128	taskhsvc.exe
6128	taskhsvc.exe
6128	taskhsvc.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe
5916	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

OpenWith.exeOpenWith.exe

pid process

3512 OpenWith.exe
3504 OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 28 IoCs

Processes:

msedge.exemsedge.exe

pid	process
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

Processes:

control.exeWMIC.exevssvc.exetaskse.exe

description	pid	process
Token: SeShutdownPrivilege	3476	control.exe
Token: SeCreatePagefilePrivilege	3476	control.exe
Token: SeIncreaseQuotaPrivilege	4092	WMIC.exe
Token: SeSecurityPrivilege	4092	WMIC.exe
Token: SeTakeOwnershipPrivilege	4092	WMIC.exe
Token: SeLoadDriverPrivilege	4092	WMIC.exe
Token: SeSystemProfilePrivilege	4092	WMIC.exe
Token: SeSystemtimePrivilege	4092	WMIC.exe
Token: SeProfSingleProcessPrivilege	4092	WMIC.exe
Token: SeIncBasePriorityPrivilege	4092	WMIC.exe
Token: SeCreatePagefilePrivilege	4092	WMIC.exe
Token: SeBackupPrivilege	4092	WMIC.exe
Token: SeRestorePrivilege	4092	WMIC.exe
Token: SeShutdownPrivilege	4092	WMIC.exe
Token: SeDebugPrivilege	4092	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4092	WMIC.exe
Token: SeRemoteShutdownPrivilege	4092	WMIC.exe
Token: SeUndockPrivilege	4092	WMIC.exe
Token: SeManageVolumePrivilege	4092	WMIC.exe
Token: 33	4092	WMIC.exe
Token: 34	4092	WMIC.exe
Token: 35	4092	WMIC.exe
Token: 36	4092	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4092	WMIC.exe
Token: SeSecurityPrivilege	4092	WMIC.exe
Token: SeTakeOwnershipPrivilege	4092	WMIC.exe
Token: SeLoadDriverPrivilege	4092	WMIC.exe
Token: SeSystemProfilePrivilege	4092	WMIC.exe
Token: SeSystemtimePrivilege	4092	WMIC.exe
Token: SeProfSingleProcessPrivilege	4092	WMIC.exe
Token: SeIncBasePriorityPrivilege	4092	WMIC.exe
Token: SeCreatePagefilePrivilege	4092	WMIC.exe
Token: SeBackupPrivilege	4092	WMIC.exe
Token: SeRestorePrivilege	4092	WMIC.exe
Token: SeShutdownPrivilege	4092	WMIC.exe
Token: SeDebugPrivilege	4092	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4092	WMIC.exe
Token: SeRemoteShutdownPrivilege	4092	WMIC.exe
Token: SeUndockPrivilege	4092	WMIC.exe
Token: SeManageVolumePrivilege	4092	WMIC.exe
Token: 33	4092	WMIC.exe
Token: 34	4092	WMIC.exe
Token: 35	4092	WMIC.exe
Token: 36	4092	WMIC.exe
Token: SeBackupPrivilege	5152	vssvc.exe
Token: SeRestorePrivilege	5152	vssvc.exe
Token: SeAuditPrivilege	5152	vssvc.exe
Token: SeTcbPrivilege	5600	taskse.exe
Token: SeTcbPrivilege	5600	taskse.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exemsedge.exe

pid	process
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exemsedge.exe

pid	process
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe

Suspicious use of SetWindowsHookEx 32 IoCs

Processes:

OpenWith.exeOpenWith.exewinrar-x64-701.exe@[email protected]@[email protected]@[email protected]LogonUI.exe

pid	process
3512	OpenWith.exe
3512	OpenWith.exe
3512	OpenWith.exe
3512	OpenWith.exe
3512	OpenWith.exe
3512	OpenWith.exe
3512	OpenWith.exe
3512	OpenWith.exe
3512	OpenWith.exe
3512	OpenWith.exe
3512	OpenWith.exe
3512	OpenWith.exe
3504	OpenWith.exe
3504	OpenWith.exe
3504	OpenWith.exe
3504	OpenWith.exe
3504	OpenWith.exe
3504	OpenWith.exe
3504	OpenWith.exe
3504	OpenWith.exe
3504	OpenWith.exe
3376	winrar-x64-701.exe
3376	winrar-x64-701.exe
3376	winrar-x64-701.exe
5940	@[email protected]
5940	@[email protected]
6060	@[email protected]
6060	@[email protected]
5780	@[email protected]
5780	@[email protected]
1108	LogonUI.exe
1108	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 4828 wrote to memory of 2960	4828	msedge.exe	msedge.exe
PID 4828 wrote to memory of 2960	4828	msedge.exe	msedge.exe
PID 4828 wrote to memory of 2772	4828	msedge.exe	msedge.exe
PID 4828 wrote to memory of 2772	4828	msedge.exe	msedge.exe
PID 4828 wrote to memory of 2772	4828	msedge.exe	msedge.exe
PID 4828 wrote to memory of 2772	4828	msedge.exe	msedge.exe
PID 4828 wrote to memory of 2772	4828	msedge.exe	msedge.exe
PID 4828 wrote to memory of 2772	4828	msedge.exe	msedge.exe
PID 4828 wrote to memory of 2772	4828	msedge.exe	msedge.exe
PID 4828 wrote to memory of 2772	4828	msedge.exe	msedge.exe
PID 4828 wrote to memory of 2772	4828	msedge.exe	msedge.exe
PID 4828 wrote to memory of 2772	4828	msedge.exe	msedge.exe
PID 4828 wrote to memory of 2772	4828	msedge.exe	msedge.exe
PID 4828 wrote to memory of 2772	4828	msedge.exe	msedge.exe
PID 4828 wrote to memory of 2772	4828	msedge.exe	msedge.exe
PID 4828 wrote to memory of 2772	4828	msedge.exe	msedge.exe
PID 4828 wrote to memory of 2772	4828	msedge.exe	msedge.exe
PID 4828 wrote to memory of 2772	4828	msedge.exe	msedge.exe
PID 4828 wrote to memory of 2772	4828	msedge.exe	msedge.exe
PID 4828 wrote to memory of 2772	4828	msedge.exe	msedge.exe
PID 4828 wrote to memory of 2772	4828	msedge.exe	msedge.exe
PID 4828 wrote to memory of 2772	4828	msedge.exe	msedge.exe
PID 4828 wrote to memory of 2772	4828	msedge.exe	msedge.exe
PID 4828 wrote to memory of 2772	4828	msedge.exe	msedge.exe
PID 4828 wrote to memory of 2772	4828	msedge.exe	msedge.exe
PID 4828 wrote to memory of 2772	4828	msedge.exe	msedge.exe
PID 4828 wrote to memory of 2772	4828	msedge.exe	msedge.exe
PID 4828 wrote to memory of 2772	4828	msedge.exe	msedge.exe
PID 4828 wrote to memory of 2772	4828	msedge.exe	msedge.exe
PID 4828 wrote to memory of 2772	4828	msedge.exe	msedge.exe
PID 4828 wrote to memory of 2772	4828	msedge.exe	msedge.exe
PID 4828 wrote to memory of 2772	4828	msedge.exe	msedge.exe
PID 4828 wrote to memory of 2772	4828	msedge.exe	msedge.exe
PID 4828 wrote to memory of 2772	4828	msedge.exe	msedge.exe
PID 4828 wrote to memory of 2772	4828	msedge.exe	msedge.exe
PID 4828 wrote to memory of 2772	4828	msedge.exe	msedge.exe
PID 4828 wrote to memory of 2772	4828	msedge.exe	msedge.exe
PID 4828 wrote to memory of 2772	4828	msedge.exe	msedge.exe
PID 4828 wrote to memory of 2772	4828	msedge.exe	msedge.exe
PID 4828 wrote to memory of 2772	4828	msedge.exe	msedge.exe
PID 4828 wrote to memory of 2772	4828	msedge.exe	msedge.exe
PID 4828 wrote to memory of 2772	4828	msedge.exe	msedge.exe
PID 4828 wrote to memory of 1504	4828	msedge.exe	msedge.exe
PID 4828 wrote to memory of 1504	4828	msedge.exe	msedge.exe
PID 4828 wrote to memory of 1044	4828	msedge.exe	msedge.exe
PID 4828 wrote to memory of 1044	4828	msedge.exe	msedge.exe
PID 4828 wrote to memory of 1044	4828	msedge.exe	msedge.exe
PID 4828 wrote to memory of 1044	4828	msedge.exe	msedge.exe
PID 4828 wrote to memory of 1044	4828	msedge.exe	msedge.exe
PID 4828 wrote to memory of 1044	4828	msedge.exe	msedge.exe
PID 4828 wrote to memory of 1044	4828	msedge.exe	msedge.exe
PID 4828 wrote to memory of 1044	4828	msedge.exe	msedge.exe
PID 4828 wrote to memory of 1044	4828	msedge.exe	msedge.exe
PID 4828 wrote to memory of 1044	4828	msedge.exe	msedge.exe
PID 4828 wrote to memory of 1044	4828	msedge.exe	msedge.exe
PID 4828 wrote to memory of 1044	4828	msedge.exe	msedge.exe
PID 4828 wrote to memory of 1044	4828	msedge.exe	msedge.exe
PID 4828 wrote to memory of 1044	4828	msedge.exe	msedge.exe
PID 4828 wrote to memory of 1044	4828	msedge.exe	msedge.exe
PID 4828 wrote to memory of 1044	4828	msedge.exe	msedge.exe
PID 4828 wrote to memory of 1044	4828	msedge.exe	msedge.exe
PID 4828 wrote to memory of 1044	4828	msedge.exe	msedge.exe
PID 4828 wrote to memory of 1044	4828	msedge.exe	msedge.exe
PID 4828 wrote to memory of 1044	4828	msedge.exe	msedge.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Views/modifies file attributes 1 TTPs 3 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exeattrib.exe

pid process

5260 attrib.exe
2840 attrib.exe
3048 attrib.exe

pid	process
5260	attrib.exe
2840	attrib.exe
3048	attrib.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\123121.rar
1⤵
- Modifies registry class
PID:3776

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3512

C:\Windows\system32\control.exe
"C:\Windows\system32\control.exe" SYSTEM
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3476

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
- System Location Discovery: System Language Discovery
PID:4616

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:4156

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:2332

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3504

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4828

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff54fe3cb8,0x7fff54fe3cc8,0x7fff54fe3cd8
2⤵
PID:2960

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1984,17627924242464365580,13995411377627780013,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1996 /prefetch:2
2⤵
PID:2772

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1984,17627924242464365580,13995411377627780013,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2112 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1504

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1984,17627924242464365580,13995411377627780013,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2704 /prefetch:8
2⤵
PID:1044

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,17627924242464365580,13995411377627780013,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
2⤵
PID:4896

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,17627924242464365580,13995411377627780013,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
2⤵
PID:2456

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,17627924242464365580,13995411377627780013,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5016 /prefetch:1
2⤵
PID:4360

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,17627924242464365580,13995411377627780013,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5044 /prefetch:1
2⤵
PID:3248

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,17627924242464365580,13995411377627780013,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
2⤵
PID:4544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,17627924242464365580,13995411377627780013,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4012 /prefetch:1
2⤵
PID:3688

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1984,17627924242464365580,13995411377627780013,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=1884 /prefetch:8
2⤵
PID:3476

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1984,17627924242464365580,13995411377627780013,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4680 /prefetch:8
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3244

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,17627924242464365580,13995411377627780013,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4972 /prefetch:1
2⤵
PID:4688

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,17627924242464365580,13995411377627780013,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3464 /prefetch:1
2⤵
PID:1384

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,17627924242464365580,13995411377627780013,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4068 /prefetch:1
2⤵
PID:1900

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1984,17627924242464365580,13995411377627780013,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5452 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4896

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1984,17627924242464365580,13995411377627780013,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5164 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4752

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,17627924242464365580,13995411377627780013,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5680 /prefetch:1
2⤵
PID:4636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1984,17627924242464365580,13995411377627780013,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6300 /prefetch:8
2⤵
PID:3492

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1984,17627924242464365580,13995411377627780013,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6156 /prefetch:8
2⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:2064

C:\Users\Admin\Downloads\winrar-x64-701.exe
"C:\Users\Admin\Downloads\winrar-x64-701.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,17627924242464365580,13995411377627780013,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6100 /prefetch:1
2⤵
PID:3688

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,17627924242464365580,13995411377627780013,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2964 /prefetch:1
2⤵
PID:2120

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,17627924242464365580,13995411377627780013,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5808 /prefetch:1
2⤵
PID:4988

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,17627924242464365580,13995411377627780013,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6212 /prefetch:1
2⤵
PID:2808

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1208

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2404

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2320

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff54fe3cb8,0x7fff54fe3cc8,0x7fff54fe3cd8
2⤵
PID:416

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1884,13544603039812767242,9146503417260024308,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1904 /prefetch:2
2⤵
PID:2248

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1884,13544603039812767242,9146503417260024308,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2004 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2120

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1884,13544603039812767242,9146503417260024308,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2512 /prefetch:8
2⤵
PID:4720

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,13544603039812767242,9146503417260024308,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:1
2⤵
PID:4840

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,13544603039812767242,9146503417260024308,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
2⤵
PID:3360

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,13544603039812767242,9146503417260024308,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4984 /prefetch:1
2⤵
PID:4780

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,13544603039812767242,9146503417260024308,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5012 /prefetch:1
2⤵
PID:2076

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1884,13544603039812767242,9146503417260024308,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5468 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3616

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,13544603039812767242,9146503417260024308,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3920 /prefetch:1
2⤵
PID:3636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,13544603039812767242,9146503417260024308,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4020 /prefetch:1
2⤵
PID:2392

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,13544603039812767242,9146503417260024308,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
2⤵
PID:4128

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,13544603039812767242,9146503417260024308,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5036 /prefetch:1
2⤵
PID:4060

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,13544603039812767242,9146503417260024308,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4280 /prefetch:1
2⤵
PID:1804

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1884,13544603039812767242,9146503417260024308,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4020 /prefetch:8
2⤵
PID:4780

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1884,13544603039812767242,9146503417260024308,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4980 /prefetch:8
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1504

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1884,13544603039812767242,9146503417260024308,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4944 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4044

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,13544603039812767242,9146503417260024308,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5612 /prefetch:1
2⤵
PID:1928

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,13544603039812767242,9146503417260024308,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5844 /prefetch:1
2⤵
PID:4540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1884,13544603039812767242,9146503417260024308,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6128 /prefetch:8
2⤵
PID:5032

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,13544603039812767242,9146503417260024308,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5740 /prefetch:1
2⤵
PID:3440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,13544603039812767242,9146503417260024308,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6120 /prefetch:1
2⤵
PID:1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,13544603039812767242,9146503417260024308,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6544 /prefetch:1
2⤵
PID:976

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1884,13544603039812767242,9146503417260024308,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2960 /prefetch:8
2⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:3608

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1884,13544603039812767242,9146503417260024308,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5180 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5916

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5100

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4060

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\b7d4a585bccf477caddca3e386e85219 /t 1124 /p 3376
1⤵
PID:4608

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1472

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\WannaCry.EXE
"C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\WannaCry.EXE"
1⤵
- Drops startup file
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
PID:4880

C:\Windows\SysWOW64\attrib.exe
attrib +h .
2⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:2840

C:\Windows\SysWOW64\icacls.exe
icacls . /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:4568

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1468

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 34581723047023.bat
2⤵
- System Location Discovery: System Language Discovery
PID:4412

C:\Windows\SysWOW64\cscript.exe
cscript.exe //nologo m.vbs
3⤵
- System Location Discovery: System Language Discovery
PID:4664

C:\Windows\SysWOW64\attrib.exe
attrib +h +s F:\$RECYCLE
2⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:3048

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]
@[email protected] co
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5940

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\TaskData\Tor\taskhsvc.exe
TaskData\Tor\taskhsvc.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:6128

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /b @[email protected] vs
2⤵
- System Location Discovery: System Language Discovery
PID:6000

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]
@[email protected] vs
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:6060

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
4⤵
- System Location Discovery: System Language Discovery
PID:5348

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4092

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:6092

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\taskse.exe
taskse.exe C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5600

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5780

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "ygzaujjoyuxvv282" /t REG_SZ /d "\"C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\tasksche.exe\"" /f
2⤵
- System Location Discovery: System Language Discovery
PID:5768

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "ygzaujjoyuxvv282" /t REG_SZ /d "\"C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\tasksche.exe\"" /f
3⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:4128

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5152

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\WannaCry.EXE
"C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\WannaCry.EXE"
1⤵
- System Location Discovery: System Language Discovery
PID:5268

C:\Windows\SysWOW64\attrib.exe
attrib +h .
2⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:5260

C:\Windows\SysWOW64\icacls.exe
icacls . /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:5568

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa38da855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\@[email protected]

Filesize
813B

MD5
96051182ad32b7a74750bf675150afe2

SHA1
4453f4ee45464d0aa32ac683627fc8c6ca430491

SHA256
ef9aac929536ffcbabd625545394ea1b298a0d9d0ef4fc11046a53140941ed8a

SHA512
9feada9ed7743f2564686248d092db96d799dca2396d74489aa51b7e14e910f4dd49ff151b36397084a37c90e7eff389ecf1705bb13caab02e7d2ee1607d2023

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9f081a02d8bbd5d800828ed8c769f5d9

SHA1
978d807096b7e7a4962a001b7bba6b2e77ce419a

SHA256
a7645e1b16115e9afec86efa139d35d5fecc6c5c7c59174c9901b4213b1fae0e

SHA512
7f3045f276f5bd8d3c65a23592419c3b98f1311c214c8e54a4dfe09122a08afb08ab7967b49bd413bc748ce6363658640bc87958d5e0a78974680a8f9beadf44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3e681bda746d695b173a54033103efa8

SHA1
ae07be487e65914bb068174b99660fb8deb11a1d

SHA256
fee5f7377e5ca213c1d8d7827b788723d0dd2538e7ce3f35581fc613fde834c2

SHA512
0f4381c769d4ae18ff3ac93fd97e8d879043b8ec825611db27f08bd44c08babc1710672c3f93435a61e40db1ccbf5b74c6363aaaf5f4a7fc95a6a7786d1aced8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a79b769136e0f49b610fdb93ff8617c5

SHA1
eaf0e9bae914904a93905eb40fcb2c8ed1800c75

SHA256
22ba405080c8957dcf55576af7399e5dc7e855cae90bf48950b536f16043e3d9

SHA512
1550feac224a13fc428120bb10e33778270224b7c1c8b6faedeeaf1b3908bb803a12c95ff77696a36f06f16a82fab9873a92744a6204f9e414d48d355e3d03ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_0

Filesize
44KB

MD5
d913f11e3503e1ccef996277b741c69a

SHA1
6d09f24f412d83f728665b562f65c1e089bf39eb

SHA256
0fb80b73f46474558826bfb0ebfe845c24c4a8367b5139827fe350160a82ad8c

SHA512
b51f6ddcecf9f165555b15ab4434e7c751b792de758758703c1c143c19ca9ff0aba29f4b8846007b3dd6120db4b68898a3e73299dec18906abb18a85a14d7f55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1

Filesize
264KB

MD5
617fba2a1adbe7a08edef29fdeb7e84c

SHA1
324fe512860b2813f832f91851355952169abf5e

SHA256
bce719230b6b70634a52f3d740b727e80339c154a59e9a559515e225c597b5b0

SHA512
a3d46e833d93188f4aed431ea9be05c01109190efc1d180c9329011fc7c0bcf20e22e78bceabd8d92fce8f9b4cd05ce2b0fc449c44ea07d7c3124a018f7875a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_2

Filesize
1.0MB

MD5
fd5071338d7edd6ac91e2c954813bc60

SHA1
fbe3546f98a154ddac100fd98af020e0c774d1fb

SHA256
752cae8d74ad9c904506fa2443f36f4bf10b9b0d4fead94762cd4d0c55b9103b

SHA512
01ca7ee9bee4c200a015bf540383b53c2b17beb56b08d5cf03f16d8ccc15ed495274126df4de236c224b210b0dee887ac600ba3721afbd35ea92d1e845bc7cc1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_3

Filesize
4.0MB

MD5
de83eaac7855e18cf6a9789d5f86974a

SHA1
96ab7c490a3ec8b680150505eda51a8147323006

SHA256
4d6b33fc7e65c13815dad222bb703a39f35a8fadcad9f61103946d95f8bfb632

SHA512
051958988a2261b95d57d7c791d7f569d5312802cf71d1f9874b009f8d0bb4aa8309526dda81bc64b184f2dcf72e2f9b2deb68e6826eb80c42aa79e2fa8bf274

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
08d1780efda6d95ab9384e60aa3a92f9

SHA1
bbb45ccd9d0cebc960b1121a079e46dfbf3b5e21

SHA256
830ec83a40ca62597fbbb7bffb763aaf0b95f692f71839cd1cd3875bc2d0d724

SHA512
abeb70ae2600f9da367f3d920d3928c2f7368e5512c993587f28d9b870451bdab41657e6aaeca4280f2761ec760e8b638283d3a7343a945316f842a7e99072e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
0a17eda0131c8ce8facb9136bfd23bfa

SHA1
a838bb1f33d530402e86a4f001cc7e6e107a93ba

SHA256
81011072300256ae8d7d4480e8191b589b477ada6a3b67cbb9905fde77dcd4ed

SHA512
18eda658f3583c0dba7f8105c0f1a42122e905d22d606c19886acff3cecff957b20673428162021dbf056c782fade9995df86a48f37eda090064a8dcd5656b6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
28KB

MD5
6b5d051de063f03f3628622d7d9250fa

SHA1
87373be541cd24471b81d0ee91b4030454cfa51c

SHA256
fe4aee72fb58801fa736c92d954db63d30c6f865f17c0f2452bdeb0b8ac93437

SHA512
bc2fca18343badeff829aab03b38870f89891bee82a0c2edf3c849b4972310719ba72e65ad6493217bb00303fd6ca2b72b29e4fe67a4e25ab688026aa599e377

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Favicons

Filesize
28KB

MD5
3ee3cc514f280c6e0a8921ceb912fb98

SHA1
303aa682a71866b4ca5a24401e7255761aa2973b

SHA256
5b3f274a653dea4ca17ac5bbcbfea35256c25e86c8a76539499f0d9800a86240

SHA512
deb10c3a2bbdc8442ceff33b121ca2769a0100def1a236192627020c280a202fc3dd85d4441a0a3fc22490229cb8943f6f03278cb14423d3af8c2c47b6a2620d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
12d23a89a586a01c159236237abc2c11

SHA1
2f92c9f63dc8f2f2f0c1a5fca1bdc3cfdf5e5b95

SHA256
91e62a6cb5dd430d4764fc43f6915d063f0c16c08112315acfb91fd73c94af3d

SHA512
cf6ad60a2f53d70ee0a9c5137d98acac1babaeabb80d0bb6f04126eab50586e3dafb9da25edcedc802182155ac52bf48ed2b839184e7db4db1e0398c9ffe16e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
116KB

MD5
004f42ce6da213926914c1939436e999

SHA1
1663dc15eed2d353ce035e2c618f2d2432014d38

SHA256
96864f7de0e2a1d3876fa293ac8d41c16e61fdfc03bd98bf5aa03013f5c36c45

SHA512
d4ac62365de15e8a7dd7cfc9a35c5cd0d00bf9acd268f74d5c97a187aee311887531b536777f1239b0e978970f7c0676736b86759733d3e223eae5e4d463056c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache

Filesize
3KB

MD5
60294250a828b2090850997ec5f5b79c

SHA1
bee6411230edb035e0a9ad8087f5a0e45cc6d00d

SHA256
7596eb6f86cc92a4a9cc17b9b2f4e6b43fcecd40f13dc1a61637ee089ec839cf

SHA512
7e114dae4d252d777c93194c2f7f0c507d346b7c15bf2d67665d1d41aef4dda4ff97bbfb42f22e556031667b67dd6888ae67be5be8de2b66cd05c38c869db9c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log

Filesize
186B

MD5
19f82de6628ce9982ddf0f8b7b0d02da

SHA1
77f433797aa9f2ca1ba852a3ffa4c0c133bd6251

SHA256
a10ab19ae20577daef5c5da220fce5d8e1f9014fcae2f44e2257eb1b9b44c4ca

SHA512
887282c9d7314ae522ebaf9617548bce11a0e22b039b273b13ce87d853dd7623440b9ecac9f03b48a20749c251b1976bde39a37b0156a77d0f75bb16bef68b83

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
334B

MD5
af071a0497bb574db9596c1b6153cc60

SHA1
20c6bcef04470a57d96e8cf87b3620fa4eb9f334

SHA256
96e4c26ff50d1219b617cd9d9226f113f52f334f1e0dee362fb0c35f526e19f1

SHA512
f2e96e5790b6e9d4e5ac72d2539e70d66b771beb83e51ab335f65e4178ba5688ba9db5cd84c6d8728a0c6074c942e9aa176d152051f245e53e21ca8ba3bb3aaa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
469B

MD5
15ef6a96b9413513fbcfdfb6fc5d8e5d

SHA1
dd23964aff64f685103cb4cf346a912895ece8da

SHA256
40710150b97045f85fbf534144349d7ea0a9e472b3baacd4710fb7c2ca21ee52

SHA512
dcef582317db1f5f10f474e371c446c66466134318a959d008cd8f6afb2ce24ef1efbc99b1f0cc06f78c907780bf409075f2f5bc36c1b3af142d281eb6f20174

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
3a693c869927f4a1a1fd75bbc548a281

SHA1
17d8d4ea15a8ce0b41c5ad99bc43423b3025fc4b

SHA256
15a8b9055eff377a399e12d8e114a8fdfadb69729cef248f9495140d11e3b326

SHA512
92a82363c007310e04f474bb03cf4c16977365e79600b1d0377ed3e7726a69b323d6e905ebaebf73fba6de53afca573dc56023817410e9a51ed42eec3b10efb5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8df381dc9a1d978344bb9ced28837ce1

SHA1
f7f13abbaae5b1eb8ccd0aa4aeeb8475be26cd8c

SHA256
f016a573702cbde210397c356150173eb52ea684a0d162b72a18121bc4e70bad

SHA512
f849626a65c92ac06a7da210988827ef324fcac23e0caef3b15dd59816488b119e3682ff7521b0915893f7e0bfbe678107528672b8c01b7ba7d37499d40d9cba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
13c3083c9b0ecf9aaf8843f64c74eb6a

SHA1
6264663c9532fd7f65ce151c01b41875dbaf47cb

SHA256
222ec564e04aaa6e777a9191ad9d0438d3efdc2efa6a10817caff2ca8fc369ab

SHA512
45edb17f44ee6e4facfb172583c3eaaff9ae1f408f0c5d8fc5a29b82be766c44a092e45e3f848d88eabc921684addc79e49f0640d9af06c5a274112c45ef51bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
38746fd393ae2557a71a82bd1a77d8b1

SHA1
8d4a03b64b673ffe53e6a1dbca1151f6957e9c3e

SHA256
52cd8a327a08035a59f278e2d160264fbb4a4a3ecf86762d91e3f7ce171f58dd

SHA512
85647a818f74e6651698598dc05a8adc0519704cf701c97fd41753906c546f55e80ba18515c8cc932fd4c613e78f33f9b6cfcad38a36e8d189026f0599b2c437

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
091996ca464f3644262141bc90528f68

SHA1
5d5ff0bcac4cc530a6458f08ba6f35ee47ad3fd9

SHA256
95a9d997b9f73b73d334e4bddda490b5ecf27fe93f3bb1062baa80ba1a3410c1

SHA512
777c7d5a250946b16a0d9dd74fa21470b3f56fd39b0d0d411d90b55c46cddc06e33b66d856f2e830aa4e4ba1120a084db49d4660ff17d9f55a5a7f7f6442582c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
719332e798ba1cca16b0f505eb33ffa9

SHA1
86504bbd4488ddae94c8ae33aaf908863aaf0048

SHA256
ca75e4da5cac861f81fdac7dec09a7835682e57db01a91655aec3c384b7c88fb

SHA512
8eee37d2888e9bdf5caac569520f26a03f360158609d16b9491c9b756db4d4a8672ba6e655008f241ca81008b89c35796ca7a9d69e7233e27bf957dd256d7083

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
34a5a78714d6054855a810283c54918d

SHA1
799dc72e9d2b3a07789f6fb4406aa659f657c1b7

SHA256
fd0d2282ee98ad3c6037f176af63c4f245d0f1a22cc704f78517494081117e79

SHA512
a3f5243ecdb14010a199c8a8ab6a284ff5ecf93ecfd4cf2f7caf0f2bed8d1a69644d86eca5edc949c11cb4b3a310c056af397a508ef7d71cd5e2d3d051638df9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
49175c4d0059ada6c4e94c815c57fd7a

SHA1
4b40f5b5036faa62846d32882da31850b7f0f9d3

SHA256
c4f8cc26baf15ba456032171f7cfdde29184e0286203898ead9de9931bc6a1a2

SHA512
062fd854b90907648594095f01697c50b886f288108c8fe76733d2457cb95a8c3e7abea0c757ef532921d62f05f7b814fea067e7cb280229db5349569b18b627

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
111e352bc3d48fa15f0de7d7a75bee34

SHA1
ccb0fae5f9dc32c0b611ffa291ba360a3b539b67

SHA256
7842e710b72d4a743b60a950bbe99842d2cc58fc989396db6d1d0837d522de2a

SHA512
0762a2eef9b25db5d6e149394b928c59cd2c880cc6968658c36956225f6829eba054af11f80743a9a5e9bd2f26777e7e03ec2a12dde2ff4285fb341ce4543028

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
c88fb1150fd4500bdd78e68a5e6192f5

SHA1
218a398fe40f40a5a6b34f230f08a7ee2394a199

SHA256
87669fdac5ed6b4a44cce4f9bc5f1c6ac403bcc49faef12603705139033f8c21

SHA512
685e88c890c950e3816630dfc7bd66a7b659a483be8c7a04e9e0733299f6f83857373d41cf1ad6c0ffbc3b43facf96c33e692407b6356a23373b74f931388e0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3166bad70ec6abb95449170b6f94f913

SHA1
7bb01a2781c6068368ef38d2df119575f6d4afc0

SHA256
36afabbb6189ef04cc9255ec2fd86384289c5567b90bddf26646337e41b77b77

SHA512
d64e80f8bfb005141e706533cf74e24d44d1297632253430e9008a61c0223b925113d41dda2111d46bb715ff0e256543ea6a049585753a12b9f549fe71268c20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\000003.log

Filesize
404B

MD5
7a1b57ff49a765c0ed6bc8c52d5cc8e8

SHA1
52924d14bfb500bf0634b984b28bfb9c236cf390

SHA256
9c6e39b7b21f0a04d9c54cf029c366101d074dcb5d632a2cf349fae0969cf5bc

SHA512
ff4cd5ad172a33ed4a60b77da1bb6add6968e0a3df96c81e426d4bfdb3173e64a74f22c209ab43421d2aafcacd12554bcc73e129b6bdc2760674cd091f7cf824

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG

Filesize
319B

MD5
198db63517fa3345550479f61e7ced27

SHA1
33dab5ad7f95e15954f733f6c0a6883023449885

SHA256
10577840f776bb5ef15afc17d01b6f8400a87cde08ca9a178632533d8a9efa90

SHA512
25f70e03e5d7b6f5c647f69c0852715e8354a6c1084c3b436ca0ce6d6391370c5af6dcd2885af5febf47fec37aaaef1767824f84ccdd1f209bb17337167af444

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13367520500715674

Filesize
14KB

MD5
57b6c4d079f08709bac399f7924b4c15

SHA1
d1f947fd4423bdfbb4ab2b1656039a926cbfb480

SHA256
60f2c7353003be7ce34a91d6323f664d7bdbd1b645e8f8adf49ddac6b775ec1a

SHA512
9537f12cae6d1adc894d8b6146c2aa17cfd6388650a0bb09f2524d4d5ffe7ebca5f1eab8f6e80133726cc9548f0f1dca07c3b407629c6f10932da972964a86a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\000003.log

Filesize
184B

MD5
2bb4cda050552078334a870cbbbcc40f

SHA1
5874d31d90c45fc15fd91d784b347b63e05afb52

SHA256
95c1d4fd1ca4efc7e4b0d24be2c3610dfa2f964c365aaee7e18863e504f4d735

SHA512
2561fcb8cd6f67a7eeb312dbb55575ce912cfe7083dd22a7094b782834d4caa3b6a426ee75da90cad3331856208e342d1abd458c73c7904b46946d390ccfa3e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
347B

MD5
6d46f4d5435f8729fc68eee77188b1a7

SHA1
ef98d8e8048611de5c4ab742a7dda18bf0ae0fd8

SHA256
df11ca856efea3e2774c345d556a81004720a06c8ea431130a2fb95da8e5449e

SHA512
36481a816ebf6887b1cc4444b2976cbd58f202f6d824f7e0a1cb02698f9769445febe77bf419adcc0e915309b2cff29a4c211fea707c4b163ec9498345810c99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
323B

MD5
84c0c3edc5c1cbae17f6f5110dc86a5c

SHA1
4c66af50125d9ed73a5c1054e589d8c7443ec88f

SHA256
f3befd24ea9ab180b0203ae18c3655423e56b3258ed5c6b6803c562d0b20cc07

SHA512
da77a39a1e6a0907dadb6c80d60c366182df04b05006fa953e0b00207b29f03c5883a6915bf1c6952e250c04f4ba502f78581999dea7c405f0d721605f303031

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
703B

MD5
7685f03dfcb5a2fbdfe9a66d37e2d643

SHA1
591c553e48b7f75c25b9c9e06e11eb290cce2f4b

SHA256
d7bf7118c2ce52a9663b968ace39230316599bec77b59a4a91b710a833197c21

SHA512
685d2d2387d19ffc95164df355cb35a83d7946195c3411b0b331e25e59f8cb5d19e08380c7358558ac2d6154f5cc09fef996b8c0b88039c969cc23116641c0e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
703B

MD5
147f786188618237a0210d40b14d0bcf

SHA1
8b03a673d8482621178420455d26ff417b93189e

SHA256
31ff54b96892c89b7c540d1728820ad17e1d0b1d1d7f312b532e567e4ee13e36

SHA512
b97cb6689f4d32696934ed3b01159c4965702fd4cb676585f118bd607388ab1e581ba048f70a4514dc407593c52cc08eed5fdb94afb21769d0b859155a08b1dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
6483cb2450086ba1034b546db94a73d6

SHA1
7cf55fc6a856f48524ac1f14efa66afe09262fab

SHA256
f53d971dcec398172fd19616eef1f620766223671e4e78ddba1b58cc1a6a5bf0

SHA512
9a795cb60682cbb4b5e899a0366e957b884f5c0b98a2f51f5ca73fcd9a716cfe94b964e966d28a106bdf4f6ec12df6b0ec34f6381c667104ee7d995d2bd2e711

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
efec2fda3945bbe4de3418945d6ba839

SHA1
980c2090d337994fc7ec71ca4b9468ddc94ef933

SHA256
df91ebabb2880bf27557ae6e5bb3fa3b86603cf7fa4dfe9d4049a113b91605b2

SHA512
efe3cca4396d1a7b83c5e3c91db12394418d1b03f9baef903f5e52c0da4095d3ff09e77f7d1f16b8dee8f67693a3628742fbe6dfeeeeb605cb48674f9d0e0059

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
753f6e4a2927eee09e2447be91aa4b49

SHA1
5f53b69ee4f1ef3aea6b0e191ddedffd9d44e471

SHA256
3c3e4312cee0a2c16dc83b17f659c2661ffa950ca495f5847357b03020dc3f39

SHA512
63a9dbed195d177ff3d432ec962ba24d91e1ac14d6bdc6e0fe3c6e8c72b7435939b987e3296e150c4f9e84ceadddf3e2ecd9cd007a8227d8283d421f2f5254ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
f62c8cb58afd31a7282f96b0a2ddb79b

SHA1
3d683f690bc8daafe0b05297a8d51517c9c4ab02

SHA256
40ea88b9d1b455b4a7925d71be0247526ea505c8c64ccacd307f8a61466eaa87

SHA512
0a14e4dfaf9811ac1a4b20afacbece6d1af17dede6845ebe3063f08ac65b9a5f2b4439fab5045f48162b6dad9fa1225c58a5717aae681cac8b58945c8dae026e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ed0858e26587d2be27a69e13adc8045a

SHA1
fe80c155db9ad298b9378a394d841ebad60e2608

SHA256
8e4c62022f64991fad66b7684692450291d486a2784a805c78d1ac464e86dbbd

SHA512
22ae433e31e3f23051064b6af26c38ff41fb6bf547b9e9f87354cf8e038a3d6b7a11d3603256ddc00a09567567829b886ecf34d4d1bb9767bbb824e4f26fdf80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe59117b.TMP

Filesize
703B

MD5
65b6443941b423c61e84fc9616760022

SHA1
4876181e5a745b6c24b50e9f4e3d6c4d86cd9785

SHA256
731b39f377d7d60bb6e11b81012e655b6ce6a9492e3e9a15eed2636f13bf9182

SHA512
e579b8dadd8d8f88830710597e0424513c5c3e0605e63291d06bc985c81f8a13256ac2d18c417a9c8efe3209251387b91e9c56e895de24faa5dc28d55cd2532e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links

Filesize
128KB

MD5
7179faca19db2495d9f146e96ef1c628

SHA1
36a526b21e3c4c73cc00778ce0b913d5b30e07a2

SHA256
bee052f5926fc04d07c9372ea969e8685ce325d39e2930aa7bedc58038447530

SHA512
e3dae763271fc2c9c44e317f03b9076efbbd597442b72891c1a0d2c0fb71cbc78df7468a5099ab76adb2075259cd5a21e29fb68c07bcb9affb9815d590add75d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data

Filesize
112KB

MD5
ddafd4159e14b3c3fea751ebdef4782a

SHA1
8e4396363273a0f7993f859a0036eca8a5d45718

SHA256
cd2015c61880017f91198fefe16afbeeab3317421669674229a7274dda8d6ece

SHA512
348b720e1bcbd3854ee2926f074e5e250e8aa58252fbca5f54858ea09c5a321ca60255a6d115bd3e83f87660f09e49bcbc8bf588162cec4781470bb70cc4f376

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

Filesize
44KB

MD5
b296684ea6f9940a35e4e512c34c580d

SHA1
f5111ee2a1afce928b5c28adbcc936ff73de4503

SHA256
b74e536645bc3465b33c0218dd6c149153101ac7fdca83bb70abe1b41e7dc40b

SHA512
1ecbd99fb936ad932559d19a1fd755d22bfc633e0bdc1922e37cccd0bfac011139f4fef6a933ce7a393e5e3d840e563036adc4bd9d6bed4f48b547ff16fd11a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\000003.log

Filesize
4KB

MD5
732f82bce1ccfe65a9682659c692fa21

SHA1
d09cc14223ebf5749014f11b29660903ba8198b8

SHA256
18f5275878e216c8f17ed368f6195ca86a1dd22d6ad51ef8192a15140ac87ff5

SHA512
aadec033fb0e38f81a2362ccf8b9ded8788d7f070b851104aeb80988501454af9538b1578b2a648d9610e813824ad68257b09200732e696d24be21688e2f1a46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG

Filesize
319B

MD5
aa2472fde78798add6cd0cbb5a70771c

SHA1
5d749f22a13bdf7345fc4359cc35aa5cd932cf3a

SHA256
549b04070088ebc7c09623d5bc23892022fedc0ca1ebcf2e9901c56600d2ada9

SHA512
3c29e2659a311268ea0e1d4005d5c3ae24da23742826ac03c3cbfd81249d2af1198969b48b00a04bf284f610406b5d9acf7e14fa773f28727435fd404ac05c2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.log

Filesize
318B

MD5
d5340f27fd619d269b4b3923908a9f31

SHA1
7c3a36bc152889464469e0e7745386dd011af34e

SHA256
fd2bb5374a8436e36ab338a2864b6436b2a640bbbf1ef00f18fbe4513273f080

SHA512
6d863256d415c000a180a15d558f135ab687772c5a8ed62e41cae52c3dd7e4534f4560f836d62983b3ece69e8d327012eeb4a23f684c32c3a7a18f784d20297c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

Filesize
337B

MD5
bcffa9d5c810a77195cf7e5331fce33d

SHA1
13ab5118bfb8a515dfdefe46b9442a161cacea52

SHA256
02b68aa25e960c7b8967fc91a38f5acff926c4424a85c74bad7bd87ba1861f8d

SHA512
7ebc84221d5913596c427d278968ab590449e8f1b9002290a67553c3e67fb02991acbe314b71d0d37cfa282d54ece83a45114573720df08e62f12077d8486c00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0

Filesize
44KB

MD5
c7c9dba650a1f49b3ffd7190e248471a

SHA1
29f10b3353472162347ec312f6c5ab2acc98e1ff

SHA256
706d16b27b13ab2ad0fbffc0ac8cf00bdc524cbf39ff9574fb3a093373f56c09

SHA512
d4d51b6414561f73cff0368e9623bc38094ea3b645618158ee5de4f227d76f0edb9607900135b556f9ed6b65de07a6fb145292ea45aa1c3a93e4600ceed6b9ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1

Filesize
264KB

MD5
42eb54a8475f48eb76a6b75b45f64f27

SHA1
b0c3a802bd14f79bbd375dc8b6d6e9ce0e661e4a

SHA256
7efca3c7bf3e9cfef5fe59678954f4de8f6e08b9cfbb831aa7e6664b6104171d

SHA512
175047bccd720004f70af90177876909992624259c78c57b3d9380536481c75f2bec3af48498a69f5346eaadfb55adfe3560e531ed2772e006f659e4549ae0c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_3

Filesize
4.0MB

MD5
54cec970fb82b0d06fdc846c52497c03

SHA1
2f5010527f68a8ef4844e19ffd641a04bc6074a4

SHA256
7487be801852acad9d781c53b64915e86895d3ab0bc43e6060e98adbfb8a69b5

SHA512
657e9cea3376036bd5775e48e3922101700a52b1672fa44319ff4bf3fd1df887a52a6bca0def1008e95eb3cc5dbc6783103f4ee3bf726ff2e15a2306a0658b25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
b29bcf9cd0e55f93000b4bb265a9810b

SHA1
e662b8c98bd5eced29495dbe2a8f1930e3f714b8

SHA256
f53ab2877a33ef4dbde62f23f0cbfb572924a80a3921f47fc080d680107064b4

SHA512
e15f515e4177d38d6bb83a939a0a8f901ce64dffe45e635063161497d527fbddaf2b1261195fde90b72b4c3e64ac0a0500003faceffcc749471733c9e83eb011

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
149b86dc58e3b3955cfd65b09812ab9c

SHA1
5a6376582816a9239b218e39d930770cdc26d7f6

SHA256
7a42cd202a2a245bf71f13ddc75756e305e19e53b33fcf15adc51fd6086295b1

SHA512
9b43b493c258692e4698509fcfed0ea191f3cf7919a3612141226014487334ec0067895899654b03bebfb8d7315da89764dbaff5d6f0e90743f548469f2e94a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
d4d4eeb69b637b0f3f72eaca40667047

SHA1
e7852255800c1fcf24582c6b2806eed6e04733e0

SHA256
09692aa1278ae399270b6eb5b0b2e39d032932ed22ea7a36e3a0775ed5503a38

SHA512
c622321525eaa367aed49453103a1051c7d12893329417dcb31992f356130103b528c892ff96852a5b8e25b262274e4e742a429349e8fbe0b94f4f6bc33e1da3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
472b02f86818cb450f08594b4eda4856

SHA1
c836b3ff9bc36c899875f5457bd1ff7d4dccaf5d

SHA256
9d848c05129051ab631a3815c0b08c98f2853fb5d14153ec500f33c19928e3e8

SHA512
2e0c711a7f2fa84be5374c7ecb912b0542df17e4847e95628b3264afbfda9b4b066874eddf613cea8dc79e6c97daaa748b39de50bbd304be89b4289c609b9fbd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
6f1a870fed27d284475126167a7db7ff

SHA1
afc35e34c8f92b1dfaf8aba87be2eaecafc3fc23

SHA256
9101625db4c6535b8468797a2ba4b9758c2def53c02aaff20fda0d84498fb7b7

SHA512
3e40b915fc95412710c5278b9bd84a6bfce2eb8637ad8afbe9b19d1d87008a942ff281f2089a06730efc335532deaefe0f8200ed850cdc85c6ef09d774f9dc7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
376767bdffadaefd9b255ab52b5505f6

SHA1
acca1569d7b45bf1e27d2a8a5c15726a7de0c9ab

SHA256
d3944b3aecd8cb139dec354ac61f723707b816e9cd12e32e80994cc5b0d1315e

SHA512
1667c93ec0d14dc43bb8d3866e5860f37a721f88fece61dd8001a59806b82415f0c551dc1e7fb3647ec38115877181f2e145aa3703906919ec4cb71ad83e6b35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
53e043ec5f3eabc5a2b39df4f6effd4b

SHA1
2d7f770ac7de828af96839d8693986dbbfe6c10f

SHA256
1b5fe4bcc29737420aa009f5678ee4ef450ee4df150c7e6c70b198121593ab91

SHA512
6a40faef2fea6b6b9225ba306cec77f274ec7e18c4490abc51e67e6e34627206d534b2d836cdd2fd31e85fe64d6931af87844fc7752940e5a8d62a4e42ebee1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
97213d4b630219a9594e63c7ef8d7d97

SHA1
f7f9c6bffcd060850ba2b3bd56c31f61dff8190f

SHA256
b742d073c8c12fd39882ebdf29ff256388426dd2b881e7110df6676a34197e8b

SHA512
0068bafd5195df4ff498298211e56f6da7d42de720bc98d2db73d14910a24ba13ac9d20a52bd3126ce5effcb3f96ba92120bc5dcf7c31023d74cfaa53e3c3ebd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

Filesize
14KB

MD5
36d369a55b9680a24fc8e65fefd367c6

SHA1
71bcbd489431c4f8604a862cefeed261b8ab38e7

SHA256
c2c2ee5a143c4210f5731b0883d70aa3bc2cec9cd36e4eba8fbd8a5230c9393c

SHA512
df2cd1cff9093cf76ef8dd643d31b201b69663832a1039c3738fbd8c99bc9d2d83cb1973fcd691bf63cb753b0ed1009d49d934b0366f1e368da05bc1ac31bf9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

Filesize
14KB

MD5
ed967cbf92aa02822e07172779ef1430

SHA1
e78d1d3302559483ffb6001e7df447a8cb342535

SHA256
ab6b6a28902ba3da67a257a76f4a5345295f4ad96daa159e21b1b7da64e37404

SHA512
34df72678a6c570e2eba161e62ba5e473c34501b7ae2baf2cca70efcc6f616ae860c451f57edfa363b9af1ac64b7a315dc2c9d9757df4e473dd6fad5b270bafc

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

Filesize
6.4MB

MD5
7e83a50958b7e5420ccfb8542874a64c

SHA1
5c5955d52969465a39ed7fab278aa8e28c8ac45e

SHA256
481d8d313f16c9379a314e1a4f1cf5a8aeb986d7a008ded26cefde45a245bec9

SHA512
a5e384d750c434e19785c5197f6c2490501199e28b3709fd5fbbe85dce01b67143d866c32288d42d21b4b55089f73979bfddaa41c5225601ffa52f921e5f8c68

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 306303.crdownload

Filesize
3.8MB

MD5
46c17c999744470b689331f41eab7df1

SHA1
b8a63127df6a87d333061c622220d6d70ed80f7c

SHA256
c5b5def1c8882b702b6b25cbd94461c737bc151366d2d9eba5006c04886bfc9a

SHA512
4b02a3e85b699f62df1b4fe752c4dee08cfabc9b8bb316bc39b854bd5187fc602943a95788ec680c7d3dc2c26ad882e69c0740294bd6cb3b32cdcd165a9441b6

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 319468.crdownload

Filesize
3.3MB

MD5
3c7861d067e5409eae5c08fd28a5bea2

SHA1
44e4b61278544a6a7b8094a0615d3339a8e75259

SHA256
07ecdced8cf2436c0bc886ee1e49ee4b8880a228aa173220103f35c535305635

SHA512
c2968e30212707acf8a146b25bb29c9f5d779792df88582b03431a0034dc82599f58d61fc9494324cc06873e5943f8c29bffd0272ca682d13c0bb10482d79fc5

Download Submit
C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]

Filesize
933B

MD5
7a2726bb6e6a79fb1d092b7f2b688af0

SHA1
b3effadce8b76aee8cd6ce2eccbb8701797468a2

SHA256
840ab19c411c918ea3e7526d0df4b9cb002de5ea15e854389285df0d1ea9a8e5

SHA512
4e107f661e6be183659fdd265e131a64cce2112d842226305f6b111d00109a970fda0b5abfb1daa9f64428e445e3b472332392435707c9aebbfe94c480c72e54

Download Submit
C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]

Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\TaskData\Tor\tor.exe

Filesize
3.0MB

MD5
fe7eb54691ad6e6af77f8a9a0b6de26d

SHA1
53912d33bec3375153b7e4e68b78d66dab62671a

SHA256
e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb

SHA512
8ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f

Download Submit
C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\msg\m_filipino.wnry

Filesize
36KB

MD5
08b9e69b57e4c9b966664f8e1c27ab09

SHA1
2da1025bbbfb3cd308070765fc0893a48e5a85fa

SHA256
d8489f8c16318e524b45de8b35d7e2c3cd8ed4821c136f12f5ef3c9fc3321324

SHA512
966b5ed68be6b5ccd46e0de1fa868cfe5432d9bf82e1e2f6eb99b2aef3c92f88d96f4f4eec5e16381b9c6db80a68071e7124ca1474d664bdd77e1817ec600cb4

Download Submit
C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\msg\m_finnish.wnry

Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Default\Desktop\@[email protected]

Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
\??\pipe\LOCAL\crashpad_4828_GCFGPOHJDSSZVGDX

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/4880-1231-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/6128-2683-0x0000000074060000-0x00000000740E2000-memory.dmp

Filesize
520KB

Download
memory/6128-2688-0x0000000073D60000-0x0000000073F7C000-memory.dmp

Filesize
2.1MB

Download
memory/6128-2687-0x0000000073CE0000-0x0000000073D57000-memory.dmp

Filesize
476KB

Download
memory/6128-2686-0x0000000073F80000-0x0000000073FA2000-memory.dmp

Filesize
136KB

Download
memory/6128-2685-0x0000000073FB0000-0x0000000074032000-memory.dmp

Filesize
520KB

Download
memory/6128-2684-0x0000000074040000-0x000000007405C000-memory.dmp

Filesize
112KB

Download
memory/6128-2682-0x0000000000690000-0x000000000098E000-memory.dmp

Filesize
3.0MB

Download
memory/6128-2658-0x0000000074060000-0x00000000740E2000-memory.dmp

Filesize
520KB

Download
memory/6128-2662-0x0000000000690000-0x000000000098E000-memory.dmp

Filesize
3.0MB

Download
memory/6128-2746-0x0000000000690000-0x000000000098E000-memory.dmp

Filesize
3.0MB

Download
memory/6128-2752-0x0000000073D60000-0x0000000073F7C000-memory.dmp

Filesize
2.1MB

Download
memory/6128-2660-0x0000000073FB0000-0x0000000074032000-memory.dmp

Filesize
520KB

Download
memory/6128-2661-0x0000000073F80000-0x0000000073FA2000-memory.dmp

Filesize
136KB

Download
memory/6128-2659-0x0000000073D60000-0x0000000073F7C000-memory.dmp

Filesize
2.1MB

Download
memory/6128-2787-0x0000000000690000-0x000000000098E000-memory.dmp

Filesize
3.0MB

Download
memory/6128-2798-0x0000000000690000-0x000000000098E000-memory.dmp

Filesize
3.0MB

Download
memory/6128-2804-0x0000000073D60000-0x0000000073F7C000-memory.dmp

Filesize
2.1MB

Download
memory/6128-2812-0x0000000000690000-0x000000000098E000-memory.dmp

Filesize
3.0MB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads