wannacry | hxxps://www[.]bing[.]com/search?q=wannacry+download&qs=HS&pq=wannac&sc=10-6&cvid=122CFE8D5BC240D097B405A3C22560C9&FORM=QBRE&sp=1&ghc=1&lq=0#

Analysis

max time kernel
690s
max time network
615s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
08-08-2024 09:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.bing.com/search?q=wannacry+download&qs=HS&pq=wannac&sc=10-6&cvid=122CFE8D5BC240D097B405A3C22560C9&FORM=QBRE&sp=1&ghc=1&lq=0#

Score

10^/10

wannacry defense_evasion discovery execution impact persistence ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Downloads MZ/PE file

Drops startup file 2 IoCs

Processes:

WannaCry.EXE

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD9952.tmp	WannaCry.EXE
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD9959.tmp	WannaCry.EXE

Executes dropped EXE 64 IoCs

Processes:

WannaCry.EXEtaskdl.exeWannaCry.EXE@[email protected]@[email protected]taskhsvc.exetaskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exeWannaCry.EXEtaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exe

pid	process
1864	WannaCry.EXE
2560	taskdl.exe
2956	WannaCry.EXE
1352	@[email protected]
764	@[email protected]
1516	taskhsvc.exe
2592	taskdl.exe
1036	taskse.exe
2436	@[email protected]
1300	taskdl.exe
4936	taskse.exe
3368	@[email protected]
1028	taskse.exe
1200	@[email protected]
4032	taskdl.exe
1288	taskse.exe
4984	@[email protected]
4596	taskdl.exe
800	taskse.exe
652	@[email protected]
2056	taskdl.exe
2492	taskse.exe
5212	@[email protected]
5220	taskdl.exe
5524	taskse.exe
5708	@[email protected]
5812	taskdl.exe
5392	taskse.exe
5804	@[email protected]
4892	taskdl.exe
5812	taskse.exe
5748	@[email protected]
5888	taskdl.exe
6040	taskse.exe
5636	@[email protected]
5608	taskdl.exe
4868	taskse.exe
1036	@[email protected]
5096	taskdl.exe
5384	taskse.exe
1552	@[email protected]
244	taskdl.exe
3932	taskse.exe
3816	@[email protected]
3360	taskdl.exe
3412	WannaCry.EXE
5284	taskse.exe
4700	@[email protected]
4948	taskdl.exe
1124	taskse.exe
5636	@[email protected]
5848	taskdl.exe
2844	taskse.exe
804	@[email protected]
5876	taskdl.exe
5080	taskse.exe
2968	@[email protected]
1664	taskdl.exe
5284	taskse.exe
8	@[email protected]
4232	taskdl.exe
1552	taskse.exe
2064	@[email protected]
4372	taskdl.exe

Loads dropped DLL 8 IoCs

Processes:

taskhsvc.exe

pid process

1516 taskhsvc.exe
1516 taskhsvc.exe
1516 taskhsvc.exe
1516 taskhsvc.exe
1516 taskhsvc.exe
1516 taskhsvc.exe
1516 taskhsvc.exe
1516 taskhsvc.exe
Modifies file permissions 1 TTPs 3 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exeicacls.exeicacls.exe

pid process

4732 icacls.exe
5040 icacls.exe
1180 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
1516	taskhsvc.exe
1516	taskhsvc.exe
1516	taskhsvc.exe
1516	taskhsvc.exe
1516	taskhsvc.exe
1516	taskhsvc.exe
1516	taskhsvc.exe
1516	taskhsvc.exe

pid	process
4732	icacls.exe
5040	icacls.exe
1180	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\zlhkxyme508 = "\"C:\\Users\\Admin\\Downloads\\tasksche.exe\""	reg.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001
Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service
T1102

Processes:

flow ioc

1 raw.githubusercontent.com
15 raw.githubusercontent.com
35 camo.githubusercontent.com
40 raw.githubusercontent.com
1 camo.githubusercontent.com

flow	ioc
1	raw.githubusercontent.com
15	raw.githubusercontent.com
35	camo.githubusercontent.com
40	raw.githubusercontent.com
1	camo.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

WannaCry.EXE@[email protected]

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	WannaCry.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]

Drops file in Windows directory 1 IoCs

Processes:

chrome.exe

description ioc process

File opened for modification C:\Windows\SystemTemp chrome.exe
Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
defense_evasion

SIP and Trust Provider Hijacking
T1553.003

Processes:

msedge.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\WannaCry.EXE:Zone.Identifier msedge.exe
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2432 764 WerFault.exe @[email protected]
1048 764 WerFault.exe @[email protected]

description	ioc	process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\WannaCry.EXE:Zone.Identifier	msedge.exe

pid	pid_target	process	target process
2432	764	WerFault.exe	@[email protected]
1048	764	WerFault.exe	@[email protected]

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

@[email protected]@[email protected]taskdl.exe@[email protected]@[email protected]taskse.exetaskdl.exeicacls.exetaskse.exetaskdl.exetaskdl.exetaskse.exetaskdl.exetaskdl.exeWannaCry.EXEtaskse.exe@[email protected]taskse.exe@[email protected]attrib.exeWMIC.exetaskdl.exe@[email protected]cscript.exetaskdl.exetaskdl.exetaskse.exetaskdl.exetaskdl.exe@[email protected]WannaCry.EXE@[email protected]taskhsvc.execmd.exe@[email protected]taskdl.exe@[email protected]@[email protected]taskdl.exe@[email protected]taskse.exetaskse.exe@[email protected]@[email protected]taskdl.execmd.exetaskse.exeWannaCry.EXEattrib.exetaskdl.exereg.exetaskdl.exe@[email protected]taskse.exetaskdl.exetaskse.exetaskdl.exetaskse.exetaskse.exe@[email protected]attrib.exetaskse.exetaskse.exe@[email protected]

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exefirefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Enumerates system info in registry 2 TTPs 12 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exechrome.exemsedge.exemsedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133675819496799127"	chrome.exe

Modifies registry class 11 IoCs

Processes:

OpenWith.exefirefox.exeMiniSearchHost.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\WNCRY_auto_file\shell\open	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\WNCRY_auto_file\shell	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\WNCRY_auto_file\shell\open\command	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\WNCRY_auto_file\shell\open\command\ = "\"C:\\Program Files\\Mozilla Firefox\\firefox.exe\" -osint -url \"%1\""	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\.WNCRY	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\.WNCRY\ = "WNCRY_auto_file"	OpenWith.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-970747758-134341002-3585657277-1000\{73938207-A1FC-417D-B925-9476854E727A}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\WNCRY_auto_file	OpenWith.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

688 reg.exe
NTFS ADS 1 IoCs

Processes:

msedge.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\WannaCry.EXE:Zone.Identifier msedge.exe

pid	process
688	reg.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\WannaCry.EXE:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 38 IoCs

Processes:

msedge.exemsedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exetaskhsvc.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exeidentity_helper.exechrome.exemsedge.exe

pid	process
684	msedge.exe
684	msedge.exe
776	msedge.exe
776	msedge.exe
3052	msedge.exe
3052	msedge.exe
2440	msedge.exe
2440	msedge.exe
1880	identity_helper.exe
1880	identity_helper.exe
564	msedge.exe
564	msedge.exe
1516	taskhsvc.exe
1516	taskhsvc.exe
1516	taskhsvc.exe
1516	taskhsvc.exe
1516	taskhsvc.exe
1516	taskhsvc.exe
2276	msedge.exe
2276	msedge.exe
2460	msedge.exe
2460	msedge.exe
2940	msedge.exe
2940	msedge.exe
4764	msedge.exe
4764	msedge.exe
688	msedge.exe
688	msedge.exe
5180	msedge.exe
5180	msedge.exe
5376	identity_helper.exe
5376	identity_helper.exe
5440	chrome.exe
5440	chrome.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

@[email protected]OpenWith.exe

pid process

2436 @[email protected]
896 OpenWith.exe

pid	process
2436	@[email protected]
896	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 25 IoCs

Processes:

msedge.exemsedge.exemsedge.exechrome.exe

pid	process
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
5440	chrome.exe
5440	chrome.exe
5440	chrome.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exevssvc.exetaskse.exetaskse.exetaskse.exetaskse.exetaskse.exefirefox.exechrome.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1472	WMIC.exe
Token: SeSecurityPrivilege	1472	WMIC.exe
Token: SeTakeOwnershipPrivilege	1472	WMIC.exe
Token: SeLoadDriverPrivilege	1472	WMIC.exe
Token: SeSystemProfilePrivilege	1472	WMIC.exe
Token: SeSystemtimePrivilege	1472	WMIC.exe
Token: SeProfSingleProcessPrivilege	1472	WMIC.exe
Token: SeIncBasePriorityPrivilege	1472	WMIC.exe
Token: SeCreatePagefilePrivilege	1472	WMIC.exe
Token: SeBackupPrivilege	1472	WMIC.exe
Token: SeRestorePrivilege	1472	WMIC.exe
Token: SeShutdownPrivilege	1472	WMIC.exe
Token: SeDebugPrivilege	1472	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1472	WMIC.exe
Token: SeRemoteShutdownPrivilege	1472	WMIC.exe
Token: SeUndockPrivilege	1472	WMIC.exe
Token: SeManageVolumePrivilege	1472	WMIC.exe
Token: 33	1472	WMIC.exe
Token: 34	1472	WMIC.exe
Token: 35	1472	WMIC.exe
Token: 36	1472	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1472	WMIC.exe
Token: SeSecurityPrivilege	1472	WMIC.exe
Token: SeTakeOwnershipPrivilege	1472	WMIC.exe
Token: SeLoadDriverPrivilege	1472	WMIC.exe
Token: SeSystemProfilePrivilege	1472	WMIC.exe
Token: SeSystemtimePrivilege	1472	WMIC.exe
Token: SeProfSingleProcessPrivilege	1472	WMIC.exe
Token: SeIncBasePriorityPrivilege	1472	WMIC.exe
Token: SeCreatePagefilePrivilege	1472	WMIC.exe
Token: SeBackupPrivilege	1472	WMIC.exe
Token: SeRestorePrivilege	1472	WMIC.exe
Token: SeShutdownPrivilege	1472	WMIC.exe
Token: SeDebugPrivilege	1472	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1472	WMIC.exe
Token: SeRemoteShutdownPrivilege	1472	WMIC.exe
Token: SeUndockPrivilege	1472	WMIC.exe
Token: SeManageVolumePrivilege	1472	WMIC.exe
Token: 33	1472	WMIC.exe
Token: 34	1472	WMIC.exe
Token: 35	1472	WMIC.exe
Token: 36	1472	WMIC.exe
Token: SeBackupPrivilege	4512	vssvc.exe
Token: SeRestorePrivilege	4512	vssvc.exe
Token: SeAuditPrivilege	4512	vssvc.exe
Token: SeTcbPrivilege	1036	taskse.exe
Token: SeTcbPrivilege	1036	taskse.exe
Token: SeTcbPrivilege	4936	taskse.exe
Token: SeTcbPrivilege	4936	taskse.exe
Token: SeTcbPrivilege	1028	taskse.exe
Token: SeTcbPrivilege	1028	taskse.exe
Token: SeTcbPrivilege	1288	taskse.exe
Token: SeTcbPrivilege	1288	taskse.exe
Token: SeTcbPrivilege	800	taskse.exe
Token: SeTcbPrivilege	800	taskse.exe
Token: SeDebugPrivilege	1924	firefox.exe
Token: SeDebugPrivilege	1924	firefox.exe
Token: SeDebugPrivilege	1924	firefox.exe
Token: SeShutdownPrivilege	5440	chrome.exe
Token: SeCreatePagefilePrivilege	5440	chrome.exe
Token: SeShutdownPrivilege	5440	chrome.exe
Token: SeCreatePagefilePrivilege	5440	chrome.exe
Token: SeShutdownPrivilege	5440	chrome.exe
Token: SeCreatePagefilePrivilege	5440	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exemsedge.exefirefox.exe

pid	process
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
1924	firefox.exe
1924	firefox.exe
1924	firefox.exe

Suspicious use of SendNotifyMessage 48 IoCs

Processes:

msedge.exemsedge.exemsedge.exechrome.exe

pid	process
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
776	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
2276	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
4764	msedge.exe
5440	chrome.exe
5440	chrome.exe
5440	chrome.exe
5440	chrome.exe
5440	chrome.exe
5440	chrome.exe
5440	chrome.exe
5440	chrome.exe
5440	chrome.exe
5440	chrome.exe
5440	chrome.exe
5440	chrome.exe

Suspicious use of SetWindowsHookEx 47 IoCs

pid	process
1352	@[email protected]
1352	@[email protected]
764	@[email protected]
764	@[email protected]
2436	@[email protected]
2436	@[email protected]
3368	@[email protected]
1200	@[email protected]
4984	@[email protected]
896	OpenWith.exe
896	OpenWith.exe
896	OpenWith.exe
896	OpenWith.exe
896	OpenWith.exe
896	OpenWith.exe
896	OpenWith.exe
896	OpenWith.exe
896	OpenWith.exe
896	OpenWith.exe
896	OpenWith.exe
896	OpenWith.exe
896	OpenWith.exe
652	@[email protected]
1924	firefox.exe
1924	firefox.exe
1924	firefox.exe
1924	firefox.exe
1924	firefox.exe
1924	firefox.exe
1924	firefox.exe
5212	@[email protected]
1800	MiniSearchHost.exe
5708	@[email protected]
5804	@[email protected]
5748	@[email protected]
5636	@[email protected]
1036	@[email protected]
1552	@[email protected]
3816	@[email protected]
4700	@[email protected]
5636	@[email protected]
804	@[email protected]
2968	@[email protected]
8	@[email protected]
2064	@[email protected]
2176	@[email protected]
6076	@[email protected]

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 776 wrote to memory of 2028	776	msedge.exe	msedge.exe
PID 776 wrote to memory of 2028	776	msedge.exe	msedge.exe
PID 776 wrote to memory of 2644	776	msedge.exe	msedge.exe
PID 776 wrote to memory of 2644	776	msedge.exe	msedge.exe
PID 776 wrote to memory of 2644	776	msedge.exe	msedge.exe
PID 776 wrote to memory of 2644	776	msedge.exe	msedge.exe
PID 776 wrote to memory of 2644	776	msedge.exe	msedge.exe
PID 776 wrote to memory of 2644	776	msedge.exe	msedge.exe
PID 776 wrote to memory of 2644	776	msedge.exe	msedge.exe
PID 776 wrote to memory of 2644	776	msedge.exe	msedge.exe
PID 776 wrote to memory of 2644	776	msedge.exe	msedge.exe
PID 776 wrote to memory of 2644	776	msedge.exe	msedge.exe
PID 776 wrote to memory of 2644	776	msedge.exe	msedge.exe
PID 776 wrote to memory of 2644	776	msedge.exe	msedge.exe
PID 776 wrote to memory of 2644	776	msedge.exe	msedge.exe
PID 776 wrote to memory of 2644	776	msedge.exe	msedge.exe
PID 776 wrote to memory of 2644	776	msedge.exe	msedge.exe
PID 776 wrote to memory of 2644	776	msedge.exe	msedge.exe
PID 776 wrote to memory of 2644	776	msedge.exe	msedge.exe
PID 776 wrote to memory of 2644	776	msedge.exe	msedge.exe
PID 776 wrote to memory of 2644	776	msedge.exe	msedge.exe
PID 776 wrote to memory of 2644	776	msedge.exe	msedge.exe
PID 776 wrote to memory of 2644	776	msedge.exe	msedge.exe
PID 776 wrote to memory of 2644	776	msedge.exe	msedge.exe
PID 776 wrote to memory of 2644	776	msedge.exe	msedge.exe
PID 776 wrote to memory of 2644	776	msedge.exe	msedge.exe
PID 776 wrote to memory of 2644	776	msedge.exe	msedge.exe
PID 776 wrote to memory of 2644	776	msedge.exe	msedge.exe
PID 776 wrote to memory of 2644	776	msedge.exe	msedge.exe
PID 776 wrote to memory of 2644	776	msedge.exe	msedge.exe
PID 776 wrote to memory of 2644	776	msedge.exe	msedge.exe
PID 776 wrote to memory of 2644	776	msedge.exe	msedge.exe
PID 776 wrote to memory of 2644	776	msedge.exe	msedge.exe
PID 776 wrote to memory of 2644	776	msedge.exe	msedge.exe
PID 776 wrote to memory of 2644	776	msedge.exe	msedge.exe
PID 776 wrote to memory of 2644	776	msedge.exe	msedge.exe
PID 776 wrote to memory of 2644	776	msedge.exe	msedge.exe
PID 776 wrote to memory of 2644	776	msedge.exe	msedge.exe
PID 776 wrote to memory of 2644	776	msedge.exe	msedge.exe
PID 776 wrote to memory of 2644	776	msedge.exe	msedge.exe
PID 776 wrote to memory of 2644	776	msedge.exe	msedge.exe
PID 776 wrote to memory of 2644	776	msedge.exe	msedge.exe
PID 776 wrote to memory of 684	776	msedge.exe	msedge.exe
PID 776 wrote to memory of 684	776	msedge.exe	msedge.exe
PID 776 wrote to memory of 3172	776	msedge.exe	msedge.exe
PID 776 wrote to memory of 3172	776	msedge.exe	msedge.exe
PID 776 wrote to memory of 3172	776	msedge.exe	msedge.exe
PID 776 wrote to memory of 3172	776	msedge.exe	msedge.exe
PID 776 wrote to memory of 3172	776	msedge.exe	msedge.exe
PID 776 wrote to memory of 3172	776	msedge.exe	msedge.exe
PID 776 wrote to memory of 3172	776	msedge.exe	msedge.exe
PID 776 wrote to memory of 3172	776	msedge.exe	msedge.exe
PID 776 wrote to memory of 3172	776	msedge.exe	msedge.exe
PID 776 wrote to memory of 3172	776	msedge.exe	msedge.exe
PID 776 wrote to memory of 3172	776	msedge.exe	msedge.exe
PID 776 wrote to memory of 3172	776	msedge.exe	msedge.exe
PID 776 wrote to memory of 3172	776	msedge.exe	msedge.exe
PID 776 wrote to memory of 3172	776	msedge.exe	msedge.exe
PID 776 wrote to memory of 3172	776	msedge.exe	msedge.exe
PID 776 wrote to memory of 3172	776	msedge.exe	msedge.exe
PID 776 wrote to memory of 3172	776	msedge.exe	msedge.exe
PID 776 wrote to memory of 3172	776	msedge.exe	msedge.exe
PID 776 wrote to memory of 3172	776	msedge.exe	msedge.exe
PID 776 wrote to memory of 3172	776	msedge.exe	msedge.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Views/modifies file attributes 1 TTPs 4 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exeattrib.exeattrib.exe

pid process

3960 attrib.exe
4848 attrib.exe
4760 attrib.exe
4860 attrib.exe

pid	process
3960	attrib.exe
4848	attrib.exe
4760	attrib.exe
4860	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.bing.com/search?q=wannacry+download&qs=HS&pq=wannac&sc=10-6&cvid=122CFE8D5BC240D097B405A3C22560C9&FORM=QBRE&sp=1&ghc=1&lq=0#
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:776

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd0dc23cb8,0x7ffd0dc23cc8,0x7ffd0dc23cd8
2⤵
PID:2028

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1888,15684930548440047021,993828043380882062,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1832 /prefetch:2
2⤵
PID:2644

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1888,15684930548440047021,993828043380882062,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2376 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:684

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1888,15684930548440047021,993828043380882062,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2632 /prefetch:8
2⤵
PID:3172

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,15684930548440047021,993828043380882062,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
2⤵
PID:4908

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,15684930548440047021,993828043380882062,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
2⤵
PID:4152

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,15684930548440047021,993828043380882062,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4924 /prefetch:1
2⤵
PID:4148

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1888,15684930548440047021,993828043380882062,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4636 /prefetch:8
2⤵
PID:4572

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1888,15684930548440047021,993828043380882062,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4644 /prefetch:8
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3052

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,15684930548440047021,993828043380882062,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4560 /prefetch:1
2⤵
PID:2404

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1888,15684930548440047021,993828043380882062,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4576 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2440

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1888,15684930548440047021,993828043380882062,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5536 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1880

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,15684930548440047021,993828043380882062,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4864 /prefetch:1
2⤵
PID:4828

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,15684930548440047021,993828043380882062,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5080 /prefetch:1
2⤵
PID:2484

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,15684930548440047021,993828043380882062,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
2⤵
PID:4448

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,15684930548440047021,993828043380882062,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5724 /prefetch:1
2⤵
PID:2168

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,15684930548440047021,993828043380882062,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1
2⤵
PID:1008

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,15684930548440047021,993828043380882062,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5760 /prefetch:1
2⤵
PID:2024

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,15684930548440047021,993828043380882062,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5960 /prefetch:1
2⤵
PID:4308

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1888,15684930548440047021,993828043380882062,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3376 /prefetch:8
2⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:564

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1888,15684930548440047021,993828043380882062,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6416 /prefetch:8
2⤵
PID:2604

C:\Users\Admin\Downloads\WannaCry.EXE
"C:\Users\Admin\Downloads\WannaCry.EXE"
2⤵
- Drops startup file
- Executes dropped EXE
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
PID:1864

C:\Windows\SysWOW64\attrib.exe
attrib +h .
3⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:4848

C:\Windows\SysWOW64\icacls.exe
icacls . /grant Everyone:F /T /C /Q
3⤵
- Modifies file permissions
PID:4732

C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
3⤵
- Executes dropped EXE
PID:2560

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 312061723108168.bat
3⤵
- System Location Discovery: System Language Discovery
PID:2760

C:\Windows\SysWOW64\cscript.exe
cscript.exe //nologo m.vbs
4⤵
- System Location Discovery: System Language Discovery
PID:2144

C:\Windows\SysWOW64\attrib.exe
attrib +h +s F:\$RECYCLE
3⤵
- Views/modifies file attributes
PID:4760

C:\Users\Admin\Downloads\@[email protected]
@[email protected] co
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1352

C:\Users\Admin\Downloads\TaskData\Tor\taskhsvc.exe
TaskData\Tor\taskhsvc.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1516

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /b @[email protected] vs
3⤵
PID:1048

C:\Users\Admin\Downloads\@[email protected]
@[email protected] vs
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:764

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
5⤵
- System Location Discovery: System Language Discovery
PID:236

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
6⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 764 -s 284
5⤵
- Program crash
PID:2432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 764 -s 284
5⤵
- Program crash
PID:1048

C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2592

C:\Users\Admin\Downloads\taskse.exe
taskse.exe C:\Users\Admin\Downloads\@[email protected]
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1036

C:\Users\Admin\Downloads\@[email protected]
@[email protected]
3⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2436

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "zlhkxyme508" /t REG_SZ /d "\"C:\Users\Admin\Downloads\tasksche.exe\"" /f
3⤵
PID:1800

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "zlhkxyme508" /t REG_SZ /d "\"C:\Users\Admin\Downloads\tasksche.exe\"" /f
4⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:688

C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1300

C:\Users\Admin\Downloads\taskse.exe
taskse.exe C:\Users\Admin\Downloads\@[email protected]
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4936

C:\Users\Admin\Downloads\@[email protected]
@[email protected]
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3368

C:\Users\Admin\Downloads\taskse.exe
taskse.exe C:\Users\Admin\Downloads\@[email protected]
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1028

C:\Users\Admin\Downloads\@[email protected]
@[email protected]
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1200

C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4032

C:\Users\Admin\Downloads\taskse.exe
taskse.exe C:\Users\Admin\Downloads\@[email protected]
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1288

C:\Users\Admin\Downloads\@[email protected]
@[email protected]
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4984

C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4596

C:\Users\Admin\Downloads\taskse.exe
taskse.exe C:\Users\Admin\Downloads\@[email protected]
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:800

C:\Users\Admin\Downloads\@[email protected]
@[email protected]
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:652

C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
3⤵
- Executes dropped EXE
PID:2056

C:\Users\Admin\Downloads\taskse.exe
taskse.exe C:\Users\Admin\Downloads\@[email protected]
3⤵
- Executes dropped EXE
PID:2492

C:\Users\Admin\Downloads\@[email protected]
@[email protected]
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5212

C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5220

C:\Users\Admin\Downloads\taskse.exe
taskse.exe C:\Users\Admin\Downloads\@[email protected]
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5524

C:\Users\Admin\Downloads\@[email protected]
@[email protected]
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5708

C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5812

C:\Users\Admin\Downloads\taskse.exe
taskse.exe C:\Users\Admin\Downloads\@[email protected]
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5392

C:\Users\Admin\Downloads\@[email protected]
@[email protected]
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5804

C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4892

C:\Users\Admin\Downloads\taskse.exe
taskse.exe C:\Users\Admin\Downloads\@[email protected]
3⤵
- Executes dropped EXE
PID:5812

C:\Users\Admin\Downloads\@[email protected]
@[email protected]
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5748

C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5888

C:\Users\Admin\Downloads\taskse.exe
taskse.exe C:\Users\Admin\Downloads\@[email protected]
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:6040

C:\Users\Admin\Downloads\@[email protected]
@[email protected]
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5636

C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5608

C:\Users\Admin\Downloads\taskse.exe
taskse.exe C:\Users\Admin\Downloads\@[email protected]
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4868

C:\Users\Admin\Downloads\@[email protected]
@[email protected]
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1036

C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
3⤵
- Executes dropped EXE
PID:5096

C:\Users\Admin\Downloads\taskse.exe
taskse.exe C:\Users\Admin\Downloads\@[email protected]
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5384

C:\Users\Admin\Downloads\@[email protected]
@[email protected]
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1552

C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:244

C:\Users\Admin\Downloads\taskse.exe
taskse.exe C:\Users\Admin\Downloads\@[email protected]
3⤵
- Executes dropped EXE
PID:3932

C:\Users\Admin\Downloads\@[email protected]
@[email protected]
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3816

C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3360

C:\Users\Admin\Downloads\taskse.exe
taskse.exe C:\Users\Admin\Downloads\@[email protected]
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5284

C:\Users\Admin\Downloads\@[email protected]
@[email protected]
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4700

C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4948

C:\Users\Admin\Downloads\taskse.exe
taskse.exe C:\Users\Admin\Downloads\@[email protected]
3⤵
- Executes dropped EXE
PID:1124

C:\Users\Admin\Downloads\@[email protected]
@[email protected]
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5636

C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5848

C:\Users\Admin\Downloads\taskse.exe
taskse.exe C:\Users\Admin\Downloads\@[email protected]
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2844

C:\Users\Admin\Downloads\@[email protected]
@[email protected]
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:804

C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
3⤵
- Executes dropped EXE
PID:5876

C:\Users\Admin\Downloads\taskse.exe
taskse.exe C:\Users\Admin\Downloads\@[email protected]
3⤵
- Executes dropped EXE
PID:5080

C:\Users\Admin\Downloads\@[email protected]
@[email protected]
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2968

C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1664

C:\Users\Admin\Downloads\taskse.exe
taskse.exe C:\Users\Admin\Downloads\@[email protected]
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5284

C:\Users\Admin\Downloads\@[email protected]
@[email protected]
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:8

C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4232

C:\Users\Admin\Downloads\taskse.exe
taskse.exe C:\Users\Admin\Downloads\@[email protected]
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1552

C:\Users\Admin\Downloads\@[email protected]
@[email protected]
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2064

C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4372

C:\Users\Admin\Downloads\taskse.exe
taskse.exe C:\Users\Admin\Downloads\@[email protected]
3⤵
PID:5696

C:\Users\Admin\Downloads\@[email protected]
@[email protected]
3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2176

C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
3⤵
- System Location Discovery: System Language Discovery
PID:4636

C:\Users\Admin\Downloads\taskse.exe
taskse.exe C:\Users\Admin\Downloads\@[email protected]
3⤵
- System Location Discovery: System Language Discovery
PID:5300

C:\Users\Admin\Downloads\@[email protected]
@[email protected]
3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:6076

C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
3⤵
- System Location Discovery: System Language Discovery
PID:2960

C:\Users\Admin\Downloads\WannaCry.EXE
"C:\Users\Admin\Downloads\WannaCry.EXE"
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2956

C:\Windows\SysWOW64\attrib.exe
attrib +h .
3⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:4860

C:\Windows\SysWOW64\icacls.exe
icacls . /grant Everyone:F /T /C /Q
3⤵
- Modifies file permissions
PID:5040

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4704

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3464

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 764 -ip 764
1⤵
PID:2752

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 764 -ip 764
1⤵
PID:2680

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2276

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd0dc23cb8,0x7ffd0dc23cc8,0x7ffd0dc23cd8
2⤵
PID:1472

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1868,4937734119798302837,6300098709939243783,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1892 /prefetch:2
2⤵
PID:2168

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1868,4937734119798302837,6300098709939243783,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2460

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1868,4937734119798302837,6300098709939243783,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2716 /prefetch:8
2⤵
PID:4988

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,4937734119798302837,6300098709939243783,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
2⤵
PID:4944

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,4937734119798302837,6300098709939243783,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
2⤵
PID:3084

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,4937734119798302837,6300098709939243783,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4408 /prefetch:1
2⤵
PID:4804

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,4937734119798302837,6300098709939243783,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3672 /prefetch:1
2⤵
PID:2092

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1868,4937734119798302837,6300098709939243783,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3400 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2940

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4736

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2532

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:896

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Desktop\ClearDisable.xlt.WNCRY"
2⤵
PID:2748

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\Desktop\ClearDisable.xlt.WNCRY
3⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1924

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2240 -parentBuildID 20240401114208 -prefsHandle 2168 -prefMapHandle 2160 -prefsLen 21730 -prefMapSize 243020 -appDir "C:\Program Files\Mozilla Firefox\browser" - {297a4e10-cf50-4075-ad02-2623a84710c8} 1924 "\\.\pipe\gecko-crash-server-pipe.1924" gpu
4⤵
PID:1612

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2504 -parentBuildID 20240401114208 -prefsHandle 2496 -prefMapHandle 2484 -prefsLen 21730 -prefMapSize 243020 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c611d3eb-1937-488c-b41b-bb31d3fbc1af} 1924 "\\.\pipe\gecko-crash-server-pipe.1924" socket
4⤵
PID:4308

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3732 -childID 1 -isForBrowser -prefsHandle 3724 -prefMapHandle 3720 -prefsLen 22395 -prefMapSize 243020 -jsInitHandle 1404 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {68628e58-4b3e-46dd-97db-d899fa8d52cc} 1924 "\\.\pipe\gecko-crash-server-pipe.1924" tab
4⤵
PID:2320

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4196 -childID 2 -isForBrowser -prefsHandle 3948 -prefMapHandle 4292 -prefsLen 23684 -prefMapSize 243020 -jsInitHandle 1404 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {29fa6c4f-ca19-4770-b0c9-12d948e10fb9} 1924 "\\.\pipe\gecko-crash-server-pipe.1924" tab
4⤵
PID:2316

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4380 -childID 3 -isForBrowser -prefsHandle 4352 -prefMapHandle 4348 -prefsLen 29292 -prefMapSize 243020 -jsInitHandle 1404 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {34250436-a9d9-4f95-96ba-591e61b39b0a} 1924 "\\.\pipe\gecko-crash-server-pipe.1924" tab
4⤵
PID:4980

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5124 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 5092 -prefMapHandle 5072 -prefsLen 29756 -prefMapSize 243020 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a9030c55-c2b1-423a-998e-e11c6ad66e76} 1924 "\\.\pipe\gecko-crash-server-pipe.1924" utility
4⤵
- Checks processor information in registry
PID:4268

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4692 -parentBuildID 20240401114208 -prefsHandle 4548 -prefMapHandle 4552 -prefsLen 30166 -prefMapSize 243020 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c73eb4c3-c82b-4fc8-9046-e30d488bcf70} 1924 "\\.\pipe\gecko-crash-server-pipe.1924" rdd
4⤵
PID:2268

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5940 -childID 4 -isForBrowser -prefsHandle 5964 -prefMapHandle 5960 -prefsLen 28332 -prefMapSize 243020 -jsInitHandle 1404 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {939b4dbc-06c4-4d2e-b809-ff40c1bdea11} 1924 "\\.\pipe\gecko-crash-server-pipe.1924" tab
4⤵
PID:4884

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6040 -childID 5 -isForBrowser -prefsHandle 3844 -prefMapHandle 5808 -prefsLen 28332 -prefMapSize 243020 -jsInitHandle 1404 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5b0abc4e-ad90-4c78-88b6-d4ba913a3dfc} 1924 "\\.\pipe\gecko-crash-server-pipe.1924" tab
4⤵
PID:1524

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3700 -childID 6 -isForBrowser -prefsHandle 4012 -prefMapHandle 3752 -prefsLen 28332 -prefMapSize 243020 -jsInitHandle 1404 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a0932f91-7714-4342-985e-ea98940bd155} 1924 "\\.\pipe\gecko-crash-server-pipe.1924" tab
4⤵
PID:2008

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of SendNotifyMessage
PID:4764

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffd0dc23cb8,0x7ffd0dc23cc8,0x7ffd0dc23cd8
2⤵
PID:2456

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1856,13949203028551108525,6252434749575623093,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1872 /prefetch:2
2⤵
PID:988

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1856,13949203028551108525,6252434749575623093,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2068 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:688

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1856,13949203028551108525,6252434749575623093,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2544 /prefetch:8
2⤵
PID:3824

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,13949203028551108525,6252434749575623093,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
2⤵
PID:804

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,13949203028551108525,6252434749575623093,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
2⤵
PID:3808

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,13949203028551108525,6252434749575623093,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4136 /prefetch:1
2⤵
PID:2868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,13949203028551108525,6252434749575623093,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3084 /prefetch:1
2⤵
PID:904

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1856,13949203028551108525,6252434749575623093,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3608 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5180

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1856,13949203028551108525,6252434749575623093,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4452 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,13949203028551108525,6252434749575623093,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3780 /prefetch:1
2⤵
PID:5896

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,13949203028551108525,6252434749575623093,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4368 /prefetch:1
2⤵
PID:1300

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,13949203028551108525,6252434749575623093,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4320 /prefetch:1
2⤵
PID:1816

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1856,13949203028551108525,6252434749575623093,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5472 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1288

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4228

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3752

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:5440

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcfa6fcc40,0x7ffcfa6fcc4c,0x7ffcfa6fcc58
2⤵
PID:5456

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1736,i,13021372646967497843,18083571836677266460,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1764 /prefetch:2
2⤵
PID:5620

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2120,i,13021372646967497843,18083571836677266460,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1296 /prefetch:3
2⤵
PID:5636

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2188,i,13021372646967497843,18083571836677266460,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2208 /prefetch:8
2⤵
PID:5708

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3124,i,13021372646967497843,18083571836677266460,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3132 /prefetch:1
2⤵
PID:5880

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3348,i,13021372646967497843,18083571836677266460,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3368 /prefetch:1
2⤵
PID:5888

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3552,i,13021372646967497843,18083571836677266460,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4444 /prefetch:1
2⤵
PID:5160

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4760,i,13021372646967497843,18083571836677266460,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4680 /prefetch:8
2⤵
PID:5180

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4868,i,13021372646967497843,18083571836677266460,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4884 /prefetch:8
2⤵
PID:5336

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:6088

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5736

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1800

C:\Users\Admin\Downloads\WannaCry.EXE
"C:\Users\Admin\Downloads\WannaCry.EXE"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3412

C:\Windows\SysWOW64\attrib.exe
attrib +h .
2⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:3960

C:\Windows\SysWOW64\icacls.exe
icacls . /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:1180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\update-config.json

Filesize
102B

MD5
7d1d7e1db5d8d862de24415d9ec9aca4

SHA1
f4cdc5511c299005e775dc602e611b9c67a97c78

SHA256
ffad3b0fb11fc38ea243bf3f73e27a6034860709b39bf251ef3eca53d4c3afda

SHA512
1688c6725a3607c7b80dfcd6a8bea787f31c21e3368b31cb84635b727675f426b969899a378bd960bd3f27866023163b5460e7c681ae1fcb62f7829b03456477

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
61f7339c66a2b107a00f919bdba3270b

SHA1
7f0f7de3dd7beac5b74ee7f8dd6cdf0366dc6965

SHA256
4baff22c0c934615bccf35f06b4f3f04b883bae7a93dd395096ecbf97cc50ee1

SHA512
3f7835a14836de49c4a50477fe8092aff86fd9ac6c66abc8b855aecf2d9c66a2ddc0fad231807dc96c8e74e8d903ccfb98b94bc24e347ae49afd136e462a93b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
6661f7f393178dc380c1f832d031a099

SHA1
43b4c2a765aa0a5f35e30ce151d826c33de1f778

SHA256
fc23ba6bdd6c73604ffd307fe2ed14da8da4349b051aa405ac677f7480f94eb9

SHA512
a2ed98a2d7658fb0ed2fd52e8adbdb3c87c94dc100e3735f7ca894637182256737d056049a6e02d94f7bcebe5497f818a81acfd721e99c02e5511256684946cd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
b3270212f429597d4e2542da2a4a7eb3

SHA1
55e9cc7d0dd6166890fe146d9b882ba12e8b0eea

SHA256
ccfdda2e3d9dfdf36a5d0d301034ac308d7650fbb987e393a97a93d94bfab417

SHA512
23d54e4e5e0f5cd2ff42576d1fbc87cdb3f6d5238b8c12cbce6b13a4c868a0a10997c0e56eb22a73add6d169ee26b3417a48e427bd6e1b8ed69016f8855305d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
c1e2842313c49f9348dca68b06b32014

SHA1
f12c74570bd5f63c5f099065f3b2f36b878588fd

SHA256
09e54a047e96ecffe2fbd2c26776a9f3d1f3aa984436f68b9bcbe6bdc276637a

SHA512
91d1c3be519e0f0f04654d545019b6882ce750892b7ec6ae8d0d73608a1c1b0b8e19239e9904f47be166ec226b98858f1253eb25ae0c4952d9db6c00b39c117a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
7fe4424421cb6fa0f8396b79ca0deb19

SHA1
a3078ac9817bf1cfa10cf72134e40fc1a2fb58e2

SHA256
6edb54ed4d9864106cccbb715210e47cf9ac5be3284df0c5364e3ac8bbdc3149

SHA512
cd6df8002f10b9ed5e1f9c9fd8a2599ea560b02c4c9f8596105e5eb60f74e46380218e13f8bf74577d4cc71e084a024583548e645fd56f1272e37b4a3a31251b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
101KB

MD5
d096ba58de8bb9a6105bfd677d896bbb

SHA1
3879dea746c55083f98eb24c4151960ba5e47062

SHA256
da5a0a51ca48e6f14c8436cbe01da9698336dbc79cccce2ca4bcbf133cd75ffe

SHA512
5bae88d7f7a8be61cc850a777e9a94ec0703a59bfef1f3ec3b1020de47021f58d28f87d333b83c02fb2103183f1c864522cc6a8cd50c3712e5e0c39ba8b9bae0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
195KB

MD5
1c2399a490e8f6ba6fa633d724a9b9e3

SHA1
4e86880d28ddd5c53c727c28be433bb62239a481

SHA256
07635c00520014eef74fd882fa07bae4a86e7a2b3c1741cb4265ed99c4310e3a

SHA512
1bf02261e7900ce1ccd9a59f34fb8ae41572b3bcfb6944e6c80895086ca576f8a1c618bd6747e64c772a4fc8ce2b234397147f7bac099a5143ea750858f12369

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
195KB

MD5
cf2fe3f009cb4baac81322e2e19e651e

SHA1
d6d316396a0cd68f63db3c60e706ee767d170f70

SHA256
32b96a5ab01e1975b94047e3f59a508e383fa7c3221098c83008c7cbf1e346b4

SHA512
e46040e92b115a3d258e6456d6aeda45aa5f22d8cc93208f8cc0d02b5f8009e37a865d83de31046ae01747df426420a62a693e117e07d574d73ef2f57beadaeb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a8276eab0f8f0c0bb325b5b8c329f64f

SHA1
8ce681e4056936ca8ccd6f487e7cd7cccbae538b

SHA256
847f60e288d327496b72dbe1e7aa1470a99bf27c0a07548b6a386a6188cd72da

SHA512
42f91bf90e92220d0731fa4279cc5773d5e9057a9587f311bee0b3f7f266ddceca367bd0ee7f1438c3606598553a2372316258c05e506315e4e11760c8f13918

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9ddfcad7f32786f1c023877d947e538d

SHA1
d896d7524429a97a845cdfbb667406b89471f6b0

SHA256
da78040e00e337dcc127dc0ebd75ad3c3cc6ca0bd68971fe2e215bac9c2d7392

SHA512
80ab822d13af557ff1c1009683f7d4be2681956d8008dabf073b1d832b65829af87ce1b93a1c80faaa32265f1d4cd7967e3417b01c0488e9305f22d447411133

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fd01ad1ec59993125f501d763d18aaac

SHA1
0cb578cc4798b0615e42d60cbfb615c74cc643b4

SHA256
f8b6c1472bb3be6826740d7a2677db7670ebe20d479a473d345ea6f819ee5139

SHA512
ca8de9b00cee6fce09df2fec02be55af7f9e01c634fba61b4b620971522eb235d3c5f90eaba9c5069a1c23749540ef9f0891486ac20036bb7b26a95346aa6985

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ec71aae4acbbfd779f564a14d9470e19

SHA1
76f7745ab6024e40b2314ae6f886de3197d9d64c

SHA256
54180aa99d9d405360ce115e24cacb9315a6701b75cdeb593c08fc91e1bd535d

SHA512
fed0fa74b67d4c357778af69974aec7ef29f69c9e18456f89d03eeacf1b42163f3cdcf04d12c2b4caa9330f23015949947c218cc8e2076fda10fac73ad66e51f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
058032c530b52781582253cb245aa731

SHA1
7ca26280e1bfefe40e53e64345a0d795b5303fab

SHA256
1c3a7192c514ef0d2a8cf9115cfb44137ca98ec6daa4f68595e2be695c7ed67e

SHA512
77fa3cdcd53255e7213bb99980049e11d6a2160f8130c84bd16b35ba9e821a4e51716371526ec799a5b4927234af99e0958283d78c0799777ab4dfda031f874f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\0b1a7a3b-6d75-46a2-81d8-f1fb93df546d.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
96dd149d6ab705e295fe293d37bb52e8

SHA1
02531847aaf175e793e6067144cf9843372a77bb

SHA256
8ea4a62f476fe61fa1cd8719824a64c31485105b20a4fca4055f6fa74a347856

SHA512
2ae6fd6f92320b9f66a18240166e18a67e6de2ddab5b470f08713c9df5cf026b0b35027b202c127c14d6f50ee89ab54047eb8522e81866a9dcfa6631f195975b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
9e7f2a72c0c2fdeb9e24744f63cca814

SHA1
5ae1324f3d1c72faae8e8e2ae1916e98332cc1e1

SHA256
94bffbebb00a1f35bc3f0b4aa667f18ea365ca6477b0f7cc107727d978ac55cd

SHA512
187c78e70ecdbe60c99c867924e594f3c436a87708170c37f279f4ee6967ba813e76e47ef733522829ed8a8d8cc316b2144d0744528ed7cbf5e324f9d751232a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
880B

MD5
bace6ece7d281a7f42106fc27aace389

SHA1
70a5fd6c0127966ce95facfe4646ef92e459e62f

SHA256
f6b8e8215bdb3d524b91359ee1c36446e271cdb0d5146d5fc045f79d6642b8e3

SHA512
3389f2936248c8d3a75ba8b2de9d77472b02292a68b38e6bb1190358ab7816b6e1f132d775ccaa786f1032ec5cb00898a0fd363a8a133a24622124dda4f7e42e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
880B

MD5
f45a55f59cebc30050eeb8a5d222d7a8

SHA1
a00cdb66a7c7e3937e422f5af8fff997fe5073cb

SHA256
761dc44e7f4d56ed417f77c8090aac58d6951815f1272a8d32da8d9861181adc

SHA512
eeacac59bfdd57552db5ae1f9a5951b2865a7bdf7ed1b546238111daebb396ddd1787d8a01cc52cfb5d08e058e06c1830d2435832c206ee5310fd8dccd208d50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
880B

MD5
b8851f47e87fb757f6477a68124ecbbc

SHA1
a607d32ce8a9435cbe0f390ab130264a2e33a1a8

SHA256
abad0f5ef08c37b0ae509e0691487b73c22a2e2465f845e79d1ce9a1f4a1ea0f

SHA512
e777208a8f8348bc53b97cdf213323b328c390adc9c62e79fdbf827b56d92a560d202f218f7e18c1e11bca48a460bbebbcab41f873548dbc0ff73058121dccce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a8956885ea3d4eb03607c41b62b4c907

SHA1
ca5d9345b4a0a0bd9f6e4a851b6383a0be3a8e32

SHA256
2c050b2a8efb85e41ac746a0babc7f73cf1070e5bf6c40157c4ae65cd99c1c84

SHA512
ac013fad63423ae277a0fc1377d6ebaa5fce27fa82488d652590741d45626779616ba08e2f2eeef410e7de8d2aaa16701be0c6029c83c42af6fef5ab535d97cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d4eea15db6ecda5ee439e0c76d20cc6b

SHA1
9276dd509d8c0cf31f2d6d1b65a8b8b47c8d475f

SHA256
1ac26977d8e5db1741d5383607bb663537d5950ac97cfd84397317b4453c53db

SHA512
e8a1a3af982e68746cc457d7198c63a68f39c67ac3f7cb286daa8421a371fe9b5b40aae1e96334f3c57f5fe2836478962aef327b76cdd76a2afa35ce77ae0c0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
a873e9cb2c90a87190a17ff2bd1ac6df

SHA1
822367120ea18a91b9b609b4a57f707b0b8a1645

SHA256
579aba0487bf07efd450b4927402cc3397133414504f05bf4ed2301e45dea59e

SHA512
076380af97b33b5a82cb335b53f6a995e3bd486613e0922fe25134aa36f6d9f9e82a9c7148d3aa486b9a6c9a2b9b6c462d847cf73c22b9c599214a97ce1af52b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
d1b7ed5064a71d5fc20d2f6c0caec391

SHA1
c0ed009e453e3b86d7a2b22b237d98bddd6a3cb9

SHA256
1c043274ca90dfe44b069d3c6216c27036abac0ac93902af5bac904481fe60e0

SHA512
8647e2f59d02921480f06170b3ae6e6567282aed66d72d4511d85cf855e69ad4fdfa23adb565a3fba2ec7e7aeec5a914447a8cd301b328cc9ee9e924baa91754

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
fa019eb874c0b009302fb25886f02351

SHA1
c2d18ab568a56704f50c7b53f8ae0d6e4eebe7b2

SHA256
cad8500131f421c21a2fbab0b63e50696a5e24dbfd289dc97d2688d7dbb94132

SHA512
c50fa6697dfc86cdcf676fb162907dc477ed4c31e07712dccd56a073d414fd5bb9aacdc4c7de4d795ea7e3d2bf8f954330a848d3f7dfa3258962e8a45698b5dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
db3f6d9155a31816acb74005b5a17675

SHA1
7cf1e996323d7d2483c1470d71d3104a7591b1b5

SHA256
1f7e3699bdb2014e6e3631485e057f7af7d0f3012cf3859329e872ede2a31008

SHA512
015ce7940d2318336185ab480b92d94f3dcd3835c4effacd7b1c554525c292e7f2ad7d1561bb849dfaed09e39d15ef9cbb23ce59652b05c46f937256bfebff82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
e07db6b3e82fb055106c298b132671a6

SHA1
63d485ee98862f8f94960360bd5d69ee79acca8f

SHA256
4f112ee84c852b6fa3b956b0ee17e7a9cc8e022de48f6e7fb833d255a7392d43

SHA512
ea849167c8d6b2b6ad6872efb964bf48798f0e38c1aa52e1ba133aa820302204834ebb6ddc90d8102ec56d80069cd0000decc0632ac3847fe3e0f94b81fe34e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
0751d2ae63051aa593eae5451fb0efda

SHA1
ccca1d5ce5da7c9694d857511808b214066abf45

SHA256
a9efc90a013fd4ddd321b9f8f2c17d6e4bdf7e06c3aa3f64df65fafbed49100d

SHA512
56c1e41687d8349e07f8ece592cf4e3c5563a2811ee36e07eeb6a47049bb370a98f1c2df1fa2f4afade72c3b7150197ced771918bced2bb9a3ccd7656a50de40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
4fb0d32c60052ca1e1aedd96d9eb5a63

SHA1
34e63610c9c3d302ad8fb8cadc291cd0432b790b

SHA256
ca5ab64c6a3b5bd7506a82c5a580d2925727b44035444471ef0b1c45e36a1f55

SHA512
71857b13ae0b16ff4dde1e975a1cdd441bc1a84d1c8e5e0f41bd319bad83a1b330489fb54a6be9f2c2fab0d020641a4288a70048d2ceb304e1a5d63d9979f84f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
8f5fd8b9d74d8fa40b28eae711a1c00a

SHA1
2aba20ebb5944259f793a19e71e944e06082b61f

SHA256
40897850aed5eba5d20ecda6fbed7b145ccc7aded2c06331a2585ef99e8a7f4c

SHA512
5059b24089905cb55d25734a5c7561e46d769514318a6194ae38d4f9b3b23577a7d8e40bb1febe9ba94660da97707952c2db24f72ae4caa06c25d1d040bbd800

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58244c.TMP

Filesize
536B

MD5
9db04adf9366066302a7b7a4ae2bf687

SHA1
bae861fcb3162a8a3936e03149eb582029aa12d5

SHA256
d7f1231d7afcac7f769b0d6a345a88cbcd7ec45e98d3c174037a949f7aaea3d0

SHA512
d7fd3d463973f8ab4064858389c1531d73892e1b0e719a384b2c1ee156c54e9321efdaba5ad3e2d2fb3b309628fd650eed5e73782de074a06197db7872d49684

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
d6ab144fb3e6fa3fbafc151944a23006

SHA1
5ec7c166ec8c934cb3d9779e7ca5e722b8094f73

SHA256
ac1f27ce79bcda09ca0eceb6c307547c60e1b3db543bf4f4134b2c3d75deb2e5

SHA512
1845dcf0a79780ab40ca26b82d0fcf042799848db29713d13ac3ce4d5c10bf421a19aa2dc8c61a034762fa17238198445b852329594688751390381762c321e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
cf6fba5d0254d52a045f776e090f1528

SHA1
fb3a0a2e52c08e2810929e1369b7167b2e5f4995

SHA256
d51dbbf4b3c2a75b530380cfab2a9735f228677039bb7c7eb35f5b991928e3a5

SHA512
8b8072ebfcc825f08dcace83341f7f956e2b0ff5622766a16a14ca7c58b98ccee1203e5a6fd9b0aa4e72ab2863ef45a720e3708f092cdf5bcae82019f1a5ee87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
bb3929b2bec60b2405d6eaa520f402e9

SHA1
58918f8ec0894e91d7912ca3964a2a6aa3d3d414

SHA256
cf512512d5e69ad257c28127fc40bb46067685630c482c14af9a10fcef378d29

SHA512
ec53f267dc0a2266007a429f0b6eda323b8884f4c2f5d82d1e535efc786eef03d7213c68123ae954bc1a69f6e490021001cf5d9d687b4541e94a8b4a8f5745c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
77a8d3d324c6c9ce2105b338191fed48

SHA1
caea0111008b6b30a05c46acd3c225a2900d74b5

SHA256
a1c03e05da8b9e0b7c3b3c5793463f70605737738ebfbc76c1aca23a7d9e72cb

SHA512
dac879e11fca25468bc5189b67625984ce7a898cb5fd393c319b8a4b165dfc8a1ca159098bfc9cbd404c8c9f1c07308edb3d7030395a080d0641ef91e7a35a41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ba84c995a79bc00c681a265509880bac

SHA1
5f6489cebd6c543d0f3fb97f91537398bfd014ef

SHA256
1bdc27565166613a78d92398236f9c456ad75383fa0cdd99f7cc3e65288404c4

SHA512
eea31599e83ceeecb6b627f1bce3d4a0aefe555531f0629bfd55a340beadf9ac7906b1bb2e789e51bf7ca7737666f5d6aa396780cb10efc6141475d7cf93d9a9

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\zgr882s2.default-release\activity-stream.discovery_stream.json.tmp

Filesize
18KB

MD5
e529348a72ed32a402be4e1096e16fad

SHA1
6ec7256ccaed87e52d4dafeac5e2efac512c40c3

SHA256
dafccb6a11e6e1df59ea740b8b990c760a0a6415ff782398cdc6690b65ed8509

SHA512
3835f8cb34080b350001f16bc84e3a37a682c0303b93c4df4c8424ec6715e0f6852fd0838dedf3c9e6d888f92f18517affe79e4cf52932ad37a496c4f04db4be

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5LJDBC6NJXZVP2FG8Q3T.temp

Filesize
7KB

MD5
8973b8541cb2d01b136fc6410186a0be

SHA1
b3d4aabdd2c8a838ce79a99118c1a5783f5ddc9e

SHA256
8b14d981c53887914dd46b8ef2ec965f92be526273b66cd4b94771cae5d99be0

SHA512
216cf83b7d1204f5298fb596211f76c82b534b7ed619575ee5df28c38e231d905ba3ae574bfa48ed1510f6fb20381b7c10c8cb47d3011ec827f18bd8cd685278

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\AlternateServices.bin

Filesize
7KB

MD5
7860a98b9ac97a5d46a11d0fb8be01d7

SHA1
8484e4ef0283d1fa4cb9ff7fb8c9608369830bf3

SHA256
85042aeed66a9493bfb94e4f2ac2a9d63dcea9e0e989fa73dec25730a393b618

SHA512
000b74fd42e7238af931c963e27ca583419ac799d11bf8d550b3f256cedaed6098b06c9402490fc91bc60dd773c39d4c2ac56b5f9eadd256252986489c7c7572

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
d4af82c611d99e28037637feac0348ac

SHA1
8b6dba6ca995762353ac8caf7f83cba4547afe70

SHA256
0246c7e5e3b5d60a1368e50f5e28aa201ad62d88eaf7c1c3fabdf57a1a4b7539

SHA512
18ee1f49b9268055d20ab2b910552ac7b35a133e359d48bb8e79055f5fa4c144aeb825b5c41ce6dcb267cf6f745282e4891fb4e839b3558604e8e628cef1d3ee

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
922c9b82f7054e373cdef44e93cee04c

SHA1
078a4872cba0ef23ac0c0c7ace2ce889a35e9ed0

SHA256
5e746c53c0827a06b04fa07af018bb3e63ae754d0618872cd4a94815d376f87d

SHA512
3062818e5f33de73d8961e2669e1a40fa33dc299408bdf2293aca5f3a15225660183f1dd7c4917a3eb3b0e7088ed5f0a2bc716c35c2823dd9f940989dbd7f768

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\datareporting\glean\db\data.safe.tmp

Filesize
27KB

MD5
283d090964bef2b5de4556a9fddfcf56

SHA1
1329254e7064aac7a038c73d16e679e606360a5c

SHA256
f6012d622f3f364bdafb55357c4ee145f8b17cad875418f81bf0e9bdfb734a03

SHA512
a3837cf4293e41ba15369307ea259d30b56f59b6ea8ea52372100b49db0b21187133c873cddfaf29b2076c2b50ab8415c481590b0186913df1e7e8272289cf12

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
c4ac815318df82139a5555c2ac572c6d

SHA1
0d3e750c26a029f05019de9ca2b9ef92be4d2ac8

SHA256
aaa11d030fba95ce82c2d3437afbe72bc18fe68426fdda869721065e11cc49b7

SHA512
7ad3e1e66bdc8bd539606f678d0d32605bfe0f7a1b7b07c2e064e87980baac0cb375f8411faab6fe39da4799af28f911ed6bc259942d3d8eef48bcfe224b974e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
5e74804c6c1a6421eb91d1c5a2a6e3e4

SHA1
eb740d4653bc91f424cfdc2daf3a20981edd19a0

SHA256
b68f649cd428055d6550b446615ad486df8973fb1b09fa9705b9c98982775ed8

SHA512
d96145c58ef3625a1ab25288d773c05b3b9187d971fdcd4296830054b14184e558d32de5d0b4ee871852574c4286d066aafa4fd7e62a027fe6fd553f8cb41265

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\datareporting\glean\pending_pings\772d570e-12db-4f2a-bf6f-b68a802adedb

Filesize
671B

MD5
23a9321ba6b8187e8c3253f514ba98a4

SHA1
2943e1e7a775f4e63e7c55036820abac1ecc558e

SHA256
c77e7ca33bea733bcbe24caae5fd70794e007ca93755376d186d30556d83c5f5

SHA512
6498db8e0f07fe043514510bc69d88fab3f507cc5f23121933f640a7967730482483c8a51579a412439c882172f91cf2abad1199effb6c131740f5f93797d84d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\datareporting\glean\pending_pings\b376f824-2a99-4c2f-96fc-da31b3b93842

Filesize
23KB

MD5
3ae4878738bd4490e5ca03b7b37031d2

SHA1
9f7028a358ca62b504a9d02a49800f11ac232ae9

SHA256
2e8ec8ec743a4e0de19530f01bff54b152ec1c671d33a32697bde7ee235caedd

SHA512
0bed13284d89042e296aaea12437fdb5bab69406328e9a06d7082bfee37f12b07b33e0f417a6913feae8c61f1997b502b73f60b35fadc1f7657f4a5006c6beeb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\datareporting\glean\pending_pings\f9f042f2-12c2-4222-96b9-47aaf73eac13

Filesize
982B

MD5
5a53e8f05d6a47bb6c75a53a5df98480

SHA1
aa151fa9d3557593f058aa4b91b87560216eadfd

SHA256
b24dbf6c309c7d8e23d29a846426756aafcc9a8ea03af47686263d22cf218dca

SHA512
b2bd403d83e02e47fc9fc0a2a4475842a065821fffd6d61ef3964cf0b2113a1af7f5e9146bffaffeb6f5cfacdde2b42687cf94d926957f4671589ccce5bfe7f0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\extensions.json

Filesize
37KB

MD5
730f6f039f77cf532e6b0e7107e4963f

SHA1
3022e5e59a703d49267f123eb3eefb3b8f81b618

SHA256
a66468cd7dcc4520cb8e73b4e37f921f44fa6c91ab318077e183a9b77840c465

SHA512
72cc097a55bd23079eb83c67219cdf5cceb96dd11ca202d1ec7b1be362c788bc711ab9ac44b88a3c852b61675de635be57c710edbb52e6ad1c3b230c5822b001

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\key4.db

Filesize
288KB

MD5
aff71e2fea174e0537934cb98283c7f9

SHA1
56a804c117e0df82384214a084e0f14b3609b719

SHA256
517412946c652b06cc546fd6b5a1f6e90f421fb8ef1f11b766775468998584f5

SHA512
0ac494d2836b98c6849d532a42ca1a075cf1f36ebcc77c5f75c5b671ffa29e647743e949fdf44b0900146538f36b5f63b6607883955e18f9dc3f6065b32d915f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\prefs-1.js

Filesize
11KB

MD5
bf64a8ac826cad31960addaa4973d3b7

SHA1
8c93adbf837193345d39a6150a39d5b2742860a0

SHA256
ce4cc4dc7f4f54e06244c1e725bbc9b9b5ed191e0fa4e4f8a19e7643ef5d38aa

SHA512
50f0f0c8c282ecf30977d80866fb089e7367858bc61f11379da0b3b1fc709940b4f9a7bd9bc93b6010a3b2287c9d83239ea3ff0be229a0e9029b2dc1cded9f71

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\prefs-1.js

Filesize
12KB

MD5
ade7e0f054d87d1d4785c1cb51be8653

SHA1
672102553528e9d0cd20881d7d5ce95304904f21

SHA256
b7d1c0aa6283779ac6e82c8ea6210529902e71391f16fe7f8be5aea03680c857

SHA512
ef43a3283e5efcc4923a1fff2ef0446b57487d84d1da6a231768054ca22116f16eb07778fcd3f79e06ffa2ea7f241903bd6e5b7b8d4968610f73b13ae57d35ca

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\prefs-1.js

Filesize
10KB

MD5
5c1daba2e280055216b6992f2f95a914

SHA1
daa76603490256365a18f05458dcdc2307c73c0e

SHA256
f388c09fe2943395e2a79e84733fb71060b1ff8414e59fd68a878d5cba4b2329

SHA512
5ded5ba0a157732261c25cc824d5978f515a316979259ac102c8f91eb2b0b99239aab4827c89d8bb0b4cd84559ecd592bf73e4c3af3178f113c4a239bc6e7a66

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\prefs.js

Filesize
1KB

MD5
5c84b1a6355515f865fcc2b7d9880126

SHA1
16f3aac5597f6040277082a8cdbbd1733c810d48

SHA256
512032835e415e2a67ff4273f7f65adf2a670c4c370fb23851b45336d3e3dc62

SHA512
999ba3e385e3384c29852d1026d0b2a4427c5d4f889d388da3814b041e9dd738a66b11dac6ba6f91a359cbec503574c305384175afffd161d5a0ca4527e8413a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zgr882s2.default-release\prefs.js

Filesize
5KB

MD5
c918d8545b72e3103a43661ffff65a13

SHA1
590978aaa5da9101e9593107362a8bf60659b97d

SHA256
2ca4fe4c970950684faba721ec588fa343faddad1d4b5238524d7420af2ef053

SHA512
9aea6d279c4bff77cd283e62fbd7de9524de715ce9ac9427698b4531c8550657bc62f4d14a3c1508f81d3193f709e59eff5a5e944d29988a91f49f81aa942bf8

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

Filesize
8.8MB

MD5
4a114abfb7e4aaef22a08aa23b5f2611

SHA1
790e96fc9832b7ae79dc718d112b9f421a8dbd35

SHA256
0f4e496bf961a1ad7c92b90bf9e2b66c04805250a3d0634f3b9cee39640a6bcb

SHA512
ae3157931b1bc8671374bddacf00de5a691000820379c6f7b7046a2ca89c6a0f4cac668fee35a631b905a3e6d99147b9af38ca4656c6a21a5fc3d7397b19bb25

Download Submit
C:\Users\Admin\Downloads\312061723108168.bat

Filesize
322B

MD5
c719f3a51e489e5c9fbb334ecbb45ede

SHA1
5b5585065dd339e1e46f9243d3fe3cb511dc5ce6

SHA256
c67348cacc707decd859789c8ed1e8afdb6eb8753d3941d0ee9ecba2f00500b7

SHA512
b2b0ea3a3701b5d689a5cbcc5c16721cf807304ca02375f33c5b507c1a00655917354e32f6e2b96c081125751498484c974c2d3eaa754d6074c9d55aec8c0164

Download Submit
C:\Users\Admin\Downloads\@[email protected]

Filesize
933B

MD5
7a2726bb6e6a79fb1d092b7f2b688af0

SHA1
b3effadce8b76aee8cd6ce2eccbb8701797468a2

SHA256
840ab19c411c918ea3e7526d0df4b9cb002de5ea15e854389285df0d1ea9a8e5

SHA512
4e107f661e6be183659fdd265e131a64cce2112d842226305f6b111d00109a970fda0b5abfb1daa9f64428e445e3b472332392435707c9aebbfe94c480c72e54

Download Submit
C:\Users\Admin\Downloads\@[email protected]

Filesize
585B

MD5
994014722150b6660a9d32ff83e95b89

SHA1
42f2dfd3ceb4e00dfddd1d9ca03aefdd16cf0930

SHA256
bde075c86c80202756fcfc0e3be7f9b9725af676eca31b9bdd02f713bba0f413

SHA512
b62c11d7b900df6e797eeaa54d16dec5c2081dcf59da9ea677492ae73deb494a54898971f46a1cbcc17201d8ade80477f8f57e0e7fa9dc5828845cd649457bb4

Download Submit
C:\Users\Admin\Downloads\CT1SpvYE.wncry.part

Filesize
501KB

MD5
5750ff562acc779ac95bdc5557224edd

SHA1
66ed804ab1a5f566164ec3dcfefd498494829d93

SHA256
65db9dfad4888c64b11c539e5e5ff1e820ee7b70a8458505d53012c0719e1615

SHA512
1255de26596b76bc06532403c8c864c931d75be4602ad637c1077b1300125ada9363a997ba701952b1e976328c790b1aa40a5158d8077f7da44ac050e09249f2

Download Submit
C:\Users\Admin\Downloads\TaskData\Tor\tor.exe

Filesize
3.0MB

MD5
fe7eb54691ad6e6af77f8a9a0b6de26d

SHA1
53912d33bec3375153b7e4e68b78d66dab62671a

SHA256
e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb

SHA512
8ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f

Download Submit
C:\Users\Admin\Downloads\WannaCry.EXE

Filesize
3.4MB

MD5
84c82835a5d21bbcf75a61706d8ab549

SHA1
5ff465afaabcbf0150d1a3ab2c2e74f3a4426467

SHA256
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

SHA512
90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244

Download Submit
C:\Users\Admin\Downloads\WannaCry.EXE:Zone.Identifier

Filesize
174B

MD5
30325ae93a9d713b350753811fe4bc6f

SHA1
736454fb57f96c539bf45ccbfeb8c987a3ed2398

SHA256
12053752168040534e82ffbde0d4794fe1a9e82ffb3229265a58e3a67b0f1f1d

SHA512
4af907321825424380af6464f83728c253046defdf5de86a45d93b314817416236e7b2487109b7b194cbd1acb871048e027f8dc9d48198dfe092bf4f1d975a08

Download Submit
C:\Users\Admin\Downloads\b.wnry

Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
C:\Users\Admin\Downloads\c.wnry

Filesize
780B

MD5
8124a611153cd3aceb85a7ac58eaa25d

SHA1
c1d5cd8774261d810dca9b6a8e478d01cd4995d6

SHA256
0ceb451c1dbefaa8231eeb462e8ce639863eb5b8ae4fa63a353eb6e86173119e

SHA512
b9c8dfb5d58c95628528cc729d2394367c5e205328645ca6ef78a3552d9ad9f824ae20611a43a6e01daaffeffdc9094f80d772620c731e4192eb0835b8ed0f17

Download Submit
C:\Users\Admin\Downloads\m.vbs

Filesize
201B

MD5
b067df716aac6db38d973d4ad1337b29

SHA1
541edd1ca3047ca46fef38bd810e5f0f938b8ae2

SHA256
3f7ded679522e917f30aacbfb7c688ef477d7886e722731c812dc486195e220f

SHA512
0cbc1b820abf13e225e7a7636ce1e336d758fa54a9ee6aa09dee7a9748a2cf890f45ba55a7a188b69972b396bac37ddb9a98ba202ff2e203b34a75e515c0759c

Download Submit
C:\Users\Admin\Downloads\msg\m_bulgarian.wnry

Filesize
46KB

MD5
95673b0f968c0f55b32204361940d184

SHA1
81e427d15a1a826b93e91c3d2fa65221c8ca9cff

SHA256
40b37e7b80cf678d7dd302aaf41b88135ade6ddf44d89bdba19cf171564444bd

SHA512
7601f1883edbb4150a9dc17084012323b3bfa66f6d19d3d0355cf82b6a1c9dce475d758da18b6d17a8b321bf6fca20915224dbaedcb3f4d16abfaf7a5fc21b92

Download Submit
C:\Users\Admin\Downloads\msg\m_chinese (simplified).wnry

Filesize
53KB

MD5
0252d45ca21c8e43c9742285c48e91ad

SHA1
5c14551d2736eef3a1c1970cc492206e531703c1

SHA256
845d0e178aeebd6c7e2a2e9697b2bf6cf02028c50c288b3ba88fe2918ea2834a

SHA512
1bfcf6c0e7c977d777f12bd20ac347630999c4d99bd706b40de7ff8f2f52e02560d68093142cc93722095657807a1480ce3fb6a2e000c488550548c497998755

Download Submit
C:\Users\Admin\Downloads\msg\m_chinese (traditional).wnry

Filesize
77KB

MD5
2efc3690d67cd073a9406a25005f7cea

SHA1
52c07f98870eabace6ec370b7eb562751e8067e9

SHA256
5c7f6ad1ec4bc2c8e2c9c126633215daba7de731ac8b12be10ca157417c97f3a

SHA512
0766c58e64d9cda5328e00b86f8482316e944aa2c26523a3c37289e22c34be4b70937033bebdb217f675e40db9fecdce0a0d516f9065a170e28286c2d218487c

Download Submit
C:\Users\Admin\Downloads\msg\m_croatian.wnry

Filesize
38KB

MD5
17194003fa70ce477326ce2f6deeb270

SHA1
e325988f68d327743926ea317abb9882f347fa73

SHA256
3f33734b2d34cce83936ce99c3494cd845f1d2c02d7f6da31d42dfc1ca15a171

SHA512
dcf4ccf0b352a8b271827b3b8e181f7d6502ca0f8c9dda3dc6e53441bb4ae6e77b49c9c947cc3ede0bf323f09140a0c068a907f3c23ea2a8495d1ad96820051c

Download Submit
C:\Users\Admin\Downloads\msg\m_czech.wnry

Filesize
39KB

MD5
537efeecdfa94cc421e58fd82a58ba9e

SHA1
3609456e16bc16ba447979f3aa69221290ec17d0

SHA256
5afa4753afa048c6d6c39327ce674f27f5f6e5d3f2a060b7a8aed61725481150

SHA512
e007786ffa09ccd5a24e5c6504c8de444929a2faaafad3712367c05615b7e1b0fbf7fbfff7028ed3f832ce226957390d8bf54308870e9ed597948a838da1137b

Download Submit
C:\Users\Admin\Downloads\msg\m_danish.wnry

Filesize
36KB

MD5
2c5a3b81d5c4715b7bea01033367fcb5

SHA1
b548b45da8463e17199daafd34c23591f94e82cd

SHA256
a75bb44284b9db8d702692f84909a7e23f21141866adf3db888042e9109a1cb6

SHA512
490c5a892fac801b853c348477b1140755d4c53ca05726ac19d3649af4285c93523393a3667e209c71c80ac06ffd809f62dd69ae65012dcb00445d032f1277b3

Download Submit
C:\Users\Admin\Downloads\msg\m_dutch.wnry

Filesize
36KB

MD5
7a8d499407c6a647c03c4471a67eaad7

SHA1
d573b6ac8e7e04a05cbbd6b7f6a9842f371d343b

SHA256
2c95bef914da6c50d7bdedec601e589fbb4fda24c4863a7260f4f72bd025799c

SHA512
608ef3ff0a517fe1e70ff41aeb277821565c5a9bee5103aa5e45c68d4763fce507c2a34d810f4cd242d163181f8341d9a69e93fe32aded6fbc7f544c55743f12

Download Submit
C:\Users\Admin\Downloads\msg\m_english.wnry

Filesize
36KB

MD5
fe68c2dc0d2419b38f44d83f2fcf232e

SHA1
6c6e49949957215aa2f3dfb72207d249adf36283

SHA256
26fd072fda6e12f8c2d3292086ef0390785efa2c556e2a88bd4673102af703e5

SHA512
941fa0a1f6a5756ed54260994db6158a7ebeb9e18b5c8ca2f6530c579bc4455918df0b38c609f501ca466b3cc067b40e4b861ad6513373b483b36338ae20a810

Download Submit
C:\Users\Admin\Downloads\msg\m_filipino.wnry

Filesize
36KB

MD5
08b9e69b57e4c9b966664f8e1c27ab09

SHA1
2da1025bbbfb3cd308070765fc0893a48e5a85fa

SHA256
d8489f8c16318e524b45de8b35d7e2c3cd8ed4821c136f12f5ef3c9fc3321324

SHA512
966b5ed68be6b5ccd46e0de1fa868cfe5432d9bf82e1e2f6eb99b2aef3c92f88d96f4f4eec5e16381b9c6db80a68071e7124ca1474d664bdd77e1817ec600cb4

Download Submit
C:\Users\Admin\Downloads\msg\m_finnish.wnry

Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Admin\Downloads\msg\m_french.wnry

Filesize
37KB

MD5
4e57113a6bf6b88fdd32782a4a381274

SHA1
0fccbc91f0f94453d91670c6794f71348711061d

SHA256
9bd38110e6523547aed50617ddc77d0920d408faeed2b7a21ab163fda22177bc

SHA512
4f1918a12269c654d44e9d394bc209ef0bc32242be8833a2fba437b879125177e149f56f2fb0c302330dec328139b34982c04b3fefb045612b6cc9f83ec85aa9

Download Submit
C:\Users\Admin\Downloads\msg\m_german.wnry

Filesize
36KB

MD5
3d59bbb5553fe03a89f817819540f469

SHA1
26781d4b06ff704800b463d0f1fca3afd923a9fe

SHA256
2adc900fafa9938d85ce53cb793271f37af40cf499bcc454f44975db533f0b61

SHA512
95719ae80589f71209bb3cb953276538040e7111b994d757b0a24283aefe27aadbbe9eef3f1f823ce4cabc1090946d4a2a558607ac6cac6faca5971529b34dac

Download Submit
C:\Users\Admin\Downloads\msg\m_greek.wnry

Filesize
47KB

MD5
fb4e8718fea95bb7479727fde80cb424

SHA1
1088c7653cba385fe994e9ae34a6595898f20aeb

SHA256
e13cc9b13aa5074dc45d50379eceb17ee39a0c2531ab617d93800fe236758ca9

SHA512
24db377af1569e4e2b2ebccec42564cea95a30f1ff43bcaf25a692f99567e027bcef4aacef008ec5f64ea2eef0c04be88d2b30bcadabb3919b5f45a6633940cb

Download Submit
C:\Users\Admin\Downloads\msg\m_indonesian.wnry

Filesize
36KB

MD5
3788f91c694dfc48e12417ce93356b0f

SHA1
eb3b87f7f654b604daf3484da9e02ca6c4ea98b7

SHA256
23e5e738aad10fb8ef89aa0285269aff728070080158fd3e7792fe9ed47c51f4

SHA512
b7dd9e6dc7c2d023ff958caf132f0544c76fae3b2d8e49753257676cc541735807b4befdf483bcae94c2dcde3c878c783b4a89dca0fecbc78f5bbf7c356f35cd

Download Submit
C:\Users\Admin\Downloads\msg\m_italian.wnry

Filesize
36KB

MD5
30a200f78498990095b36f574b6e8690

SHA1
c4b1b3c087bd12b063e98bca464cd05f3f7b7882

SHA256
49f2c739e7d9745c0834dc817a71bf6676ccc24a4c28dcddf8844093aab3df07

SHA512
c0da2aae82c397f6943a0a7b838f60eeef8f57192c5f498f2ecf05db824cfeb6d6ca830bf3715da7ee400aa8362bd64dc835298f3f0085ae7a744e6e6c690511

Download Submit
C:\Users\Admin\Downloads\msg\m_japanese.wnry

Filesize
79KB

MD5
b77e1221f7ecd0b5d696cb66cda1609e

SHA1
51eb7a254a33d05edf188ded653005dc82de8a46

SHA256
7e491e7b48d6e34f916624c1cda9f024e86fcbec56acda35e27fa99d530d017e

SHA512
f435fd67954787e6b87460db026759410fbd25b2f6ea758118749c113a50192446861a114358443a129be817020b50f21d27b1ebd3d22c7be62082e8b45223fc

Download Submit
C:\Users\Admin\Downloads\msg\m_korean.wnry

Filesize
89KB

MD5
6735cb43fe44832b061eeb3f5956b099

SHA1
d636daf64d524f81367ea92fdafa3726c909bee1

SHA256
552aa0f82f37c9601114974228d4fc54f7434fe3ae7a276ef1ae98a0f608f1d0

SHA512
60272801909dbba21578b22c49f6b0ba8cd0070f116476ff35b3ac8347b987790e4cc0334724244c4b13415a246e77a577230029e4561ae6f04a598c3f536c7e

Download Submit
C:\Users\Admin\Downloads\msg\m_latvian.wnry

Filesize
40KB

MD5
c33afb4ecc04ee1bcc6975bea49abe40

SHA1
fbea4f170507cde02b839527ef50b7ec74b4821f

SHA256
a0356696877f2d94d645ae2df6ce6b370bd5c0d6db3d36def44e714525de0536

SHA512
0d435f0836f61a5ff55b78c02fa47b191e5807a79d8a6e991f3115743df2141b3db42ba8bdad9ad259e12f5800828e9e72d7c94a6a5259312a447d669b03ec44

Download Submit
C:\Users\Admin\Downloads\msg\m_norwegian.wnry

Filesize
36KB

MD5
ff70cc7c00951084175d12128ce02399

SHA1
75ad3b1ad4fb14813882d88e952208c648f1fd18

SHA256
cb5da96b3dfcf4394713623dbf3831b2a0b8be63987f563e1c32edeb74cb6c3a

SHA512
f01df3256d49325e5ec49fd265aa3f176020c8ffec60eb1d828c75a3fa18ff8634e1de824d77dfdd833768acff1f547303104620c70066a2708654a07ef22e19

Download Submit
C:\Users\Admin\Downloads\msg\m_polish.wnry

Filesize
38KB

MD5
e79d7f2833a9c2e2553c7fe04a1b63f4

SHA1
3d9f56d2381b8fe16042aa7c4feb1b33f2baebff

SHA256
519ad66009a6c127400c6c09e079903223bd82ecc18ad71b8e5cd79f5f9c053e

SHA512
e0159c753491cac7606a7250f332e87bc6b14876bc7a1cf5625fa56ab4f09c485f7b231dd52e4ff0f5f3c29862afb1124c0efd0741613eb97a83cbe2668af5de

Download Submit
C:\Users\Admin\Downloads\msg\m_portuguese.wnry

Filesize
37KB

MD5
fa948f7d8dfb21ceddd6794f2d56b44f

SHA1
ca915fbe020caa88dd776d89632d7866f660fc7a

SHA256
bd9f4b3aedf4f81f37ec0a028aabcb0e9a900e6b4de04e9271c8db81432e2a66

SHA512
0d211bfb0ae953081dca00cd07f8c908c174fd6c47a8001fadc614203f0e55d9fbb7fa9b87c735d57101341ab36af443918ee00737ed4c19ace0a2b85497f41a

Download Submit
C:\Users\Admin\Downloads\msg\m_romanian.wnry

Filesize
50KB

MD5
313e0ececd24f4fa1504118a11bc7986

SHA1
e1b9ae804c7fb1d27f39db18dc0647bb04e75e9d

SHA256
70c0f32ed379ae899e5ac975e20bbbacd295cf7cd50c36174d2602420c770ac1

SHA512
c7500363c61baf8b77fce796d750f8f5e6886ff0a10f81c3240ea3ad4e5f101b597490dea8ab6bd9193457d35d8fd579fce1b88a1c8d85ebe96c66d909630730

Download Submit
C:\Users\Admin\Downloads\msg\m_russian.wnry

Filesize
46KB

MD5
452615db2336d60af7e2057481e4cab5

SHA1
442e31f6556b3d7de6eb85fbac3d2957b7f5eac6

SHA256
02932052fafe97e6acaaf9f391738a3a826f5434b1a013abbfa7a6c1ade1e078

SHA512
7613dc329abe7a3f32164c9a6b660f209a84b774ab9c008bf6503c76255b30ea9a743a6dc49a8de8df0bcb9aea5a33f7408ba27848d9562583ff51991910911f

Download Submit
C:\Users\Admin\Downloads\msg\m_slovak.wnry

Filesize
40KB

MD5
c911aba4ab1da6c28cf86338ab2ab6cc

SHA1
fee0fd58b8efe76077620d8abc7500dbfef7c5b0

SHA256
e64178e339c8e10eac17a236a67b892d0447eb67b1dcd149763dad6fd9f72729

SHA512
3491ed285a091a123a1a6d61aafbb8d5621ccc9e045a237a2f9c2cf6049e7420eb96ef30fdcea856b50454436e2ec468770f8d585752d73fafd676c4ef5e800a

Download Submit
C:\Users\Admin\Downloads\msg\m_spanish.wnry

Filesize
36KB

MD5
8d61648d34cba8ae9d1e2a219019add1

SHA1
2091e42fc17a0cc2f235650f7aad87abf8ba22c2

SHA256
72f20024b2f69b45a1391f0a6474e9f6349625ce329f5444aec7401fe31f8de1

SHA512
68489c33ba89edfe2e3aebaacf8ef848d2ea88dcbef9609c258662605e02d12cfa4ffdc1d266fc5878488e296d2848b2cb0bbd45f1e86ef959bab6162d284079

Download Submit
C:\Users\Admin\Downloads\msg\m_swedish.wnry

Filesize
37KB

MD5
c7a19984eb9f37198652eaf2fd1ee25c

SHA1
06eafed025cf8c4d76966bf382ab0c5e1bd6a0ae

SHA256
146f61db72297c9c0facffd560487f8d6a2846ecec92ecc7db19c8d618dbc3a4

SHA512
43dd159f9c2eac147cbff1dda83f6a83dd0c59d2d7acac35ba8b407a04ec9a1110a6a8737535d060d100ede1cb75078cf742c383948c9d4037ef459d150f6020

Download Submit
C:\Users\Admin\Downloads\msg\m_turkish.wnry

Filesize
41KB

MD5
531ba6b1a5460fc9446946f91cc8c94b

SHA1
cc56978681bd546fd82d87926b5d9905c92a5803

SHA256
6db650836d64350bbde2ab324407b8e474fc041098c41ecac6fd77d632a36415

SHA512
ef25c3cf4343df85954114f59933c7cc8107266c8bcac3b5ea7718eb74dbee8ca8a02da39057e6ef26b64f1dfccd720dd3bf473f5ae340ba56941e87d6b796c9

Download Submit
C:\Users\Admin\Downloads\msg\m_vietnamese.wnry

Filesize
91KB

MD5
8419be28a0dcec3f55823620922b00fa

SHA1
2e4791f9cdfca8abf345d606f313d22b36c46b92

SHA256
1f21838b244c80f8bed6f6977aa8a557b419cf22ba35b1fd4bf0f98989c5bdf8

SHA512
8fca77e54480aea3c0c7a705263ed8fb83c58974f5f0f62f12cc97c8e0506ba2cdb59b70e59e9a6c44dd7cde6adeeec35b494d31a6a146ff5ba7006136ab9386

Download Submit
C:\Users\Admin\Downloads\r.wnry

Filesize
864B

MD5
3e0020fc529b1c2a061016dd2469ba96

SHA1
c3a91c22b63f6fe709e7c29cafb29a2ee83e6ade

SHA256
402751fa49e0cb68fe052cb3db87b05e71c1d950984d339940cf6b29409f2a7c

SHA512
5ca3c134201ed39d96d72911c0498bae6f98701513fd7f1dc8512819b673f0ea580510fa94ed9413ccc73da18b39903772a7cbfa3478176181cee68c896e14cf

Download Submit
C:\Users\Admin\Downloads\s.wnry

Filesize
2.9MB

MD5
ad4c9de7c8c40813f200ba1c2fa33083

SHA1
d1af27518d455d432b62d73c6a1497d032f6120e

SHA256
e18fdd912dfe5b45776e68d578c3af3547886cf1353d7086c8bee037436dff4b

SHA512
115733d08e5f1a514808a20b070db7ff453fd149865f49c04365a8c6502fa1e5c3a31da3e21f688ab040f583cf1224a544aea9708ffab21405dde1c57f98e617

Download Submit
C:\Users\Admin\Downloads\t.wnry

Filesize
64KB

MD5
5dcaac857e695a65f5c3ef1441a73a8f

SHA1
7b10aaeee05e7a1efb43d9f837e9356ad55c07dd

SHA256
97ebce49b14c46bebc9ec2448d00e1e397123b256e2be9eba5140688e7bc0ae6

SHA512
06eb5e49d19b71a99770d1b11a5bb64a54bf3352f36e39a153469e54205075c203b08128dc2317259db206ab5323bdd93aaa252a066f57fb5c52ff28deedb5e2

Download Submit
C:\Users\Admin\Downloads\taskdl.exe

Filesize
20KB

MD5
4fef5e34143e646dbf9907c4374276f5

SHA1
47a9ad4125b6bd7c55e4e7da251e23f089407b8f

SHA256
4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79

SHA512
4550dd1787deb353ebd28363dd2cdccca861f6a5d9358120fa6aa23baa478b2a9eb43cef5e3f6426f708a0753491710ac05483fac4a046c26bec4234122434d5

Download Submit
C:\Users\Admin\Downloads\taskse.exe

Filesize
20KB

MD5
8495400f199ac77853c53b5a3f278f3e

SHA1
be5d6279874da315e3080b06083757aad9b32c23

SHA256
2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d

SHA512
0669c524a295a049fa4629b26f89788b2a74e1840bcdc50e093a0bd40830dd1279c9597937301c0072db6ece70adee4ace67c3c8a4fb2db6deafd8f1e887abe4

Download Submit
C:\Users\Admin\Downloads\u.wnry

Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
\??\pipe\LOCAL\crashpad_776_GMPSPWMBPSVLLFIX

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1516-2112-0x0000000000FC0000-0x00000000012BE000-memory.dmp

Filesize
3.0MB

Download
memory/1516-2081-0x0000000073AC0000-0x0000000073ADC000-memory.dmp

Filesize
112KB

Download
memory/1516-2070-0x0000000000FC0000-0x00000000012BE000-memory.dmp

Filesize
3.0MB

Download
memory/1516-2068-0x0000000073A30000-0x0000000073AB2000-memory.dmp

Filesize
520KB

Download
memory/1516-2069-0x0000000073980000-0x00000000739A2000-memory.dmp

Filesize
136KB

Download
memory/1516-2066-0x0000000073AE0000-0x0000000073B62000-memory.dmp

Filesize
520KB

Download
memory/1516-2067-0x0000000073760000-0x000000007397C000-memory.dmp

Filesize
2.1MB

Download
memory/1516-2085-0x0000000073760000-0x000000007397C000-memory.dmp

Filesize
2.1MB

Download
memory/1516-2084-0x0000000073980000-0x00000000739A2000-memory.dmp

Filesize
136KB

Download
memory/1516-2083-0x00000000739B0000-0x0000000073A27000-memory.dmp

Filesize
476KB

Download
memory/1516-2082-0x0000000073A30000-0x0000000073AB2000-memory.dmp

Filesize
520KB

Download
memory/1516-2080-0x0000000073AE0000-0x0000000073B62000-memory.dmp

Filesize
520KB

Download
memory/1516-2079-0x0000000000FC0000-0x00000000012BE000-memory.dmp

Filesize
3.0MB

Download
memory/1516-2435-0x0000000073760000-0x000000007397C000-memory.dmp

Filesize
2.1MB

Download
memory/1516-2242-0x0000000000FC0000-0x00000000012BE000-memory.dmp

Filesize
3.0MB

Download
memory/1516-2248-0x0000000073760000-0x000000007397C000-memory.dmp

Filesize
2.1MB

Download
memory/1516-2250-0x0000000000FC0000-0x00000000012BE000-memory.dmp

Filesize
3.0MB

Download
memory/1516-2256-0x0000000073760000-0x000000007397C000-memory.dmp

Filesize
2.1MB

Download
memory/1516-2321-0x0000000000FC0000-0x00000000012BE000-memory.dmp

Filesize
3.0MB

Download
memory/1516-2327-0x0000000073760000-0x000000007397C000-memory.dmp

Filesize
2.1MB

Download
memory/1516-2414-0x0000000000FC0000-0x00000000012BE000-memory.dmp

Filesize
3.0MB

Download
memory/1516-2420-0x0000000073760000-0x000000007397C000-memory.dmp

Filesize
2.1MB

Download
memory/1516-2429-0x0000000000FC0000-0x00000000012BE000-memory.dmp

Filesize
3.0MB

Download
memory/1864-420-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download