wannacry | 7910a5eae315df5b9298954d69d92d2b6705ad01fb28da68d9521670d5eb825f

Analysis

max time kernel
429s
max time network
434s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
05-10-2024 22:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Boxel 3D/index.html
Size

12KB
MD5

33ab28c68e61e809299305fc196776d0
SHA1

3360b64728f37ba9c5a783e368789b043c8b7557
SHA256

b1dafd006f7c57bdc7bf34a704f23fee0c7e8ff5a4ab7304789b727600618fa5
SHA512

85db8763700fd82f4c6e74544121450a03e1e6207dd1fd81ba978a9ed34ae49ed115052fd22d2ca6c432b4545029f41391c8522b4ff8818f2b95bcc77ab23af8
SSDEEP

384:gSJG/6Wq39hbALFXoV6VYFnGlXxaxkx0sHHjF:gcDW8bQhVgIgmnF

Score

10^/10

wannacry defense_evasion discovery execution impact persistence ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD8C75.tmp	WannaCry.EXE
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD8C7C.tmp	WannaCry.EXE

Executes dropped EXE 44 IoCs

pid	Process
2224	taskdl.exe
5956	@[email protected]
1680	@[email protected]
1052	taskhsvc.exe
6480	taskdl.exe
6500	taskse.exe
6508	@[email protected]
6952	taskdl.exe
7024	taskse.exe
6976	@[email protected]
2780	taskdl.exe
5828	taskse.exe
2108	@[email protected]
2032	taskse.exe
3464	@[email protected]
5400	taskdl.exe
6156	taskse.exe
6164	@[email protected]
4564	taskdl.exe
6088	taskse.exe
5348	@[email protected]
5804	taskdl.exe
5008	taskse.exe
2308	@[email protected]
5664	taskdl.exe
2616	@[email protected]
4608	taskse.exe
6372	@[email protected]
6456	taskdl.exe
6768	@[email protected]
6612	taskse.exe
4328	@[email protected]
7032	taskdl.exe
6864	taskse.exe
7060	@[email protected]
2872	taskdl.exe
5368	@[email protected]
4656	@[email protected]
5832	@[email protected]
5044	@[email protected]
5556	@[email protected]
6728	@[email protected]
2360	@[email protected]
2376	@[email protected]

Loads dropped DLL 7 IoCs

pid	Process
1052	taskhsvc.exe
1052	taskhsvc.exe
1052	taskhsvc.exe
1052	taskhsvc.exe
1052	taskhsvc.exe
1052	taskhsvc.exe
1052	taskhsvc.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
956	icacls.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nktegbozss876 = "\"C:\\Users\\Admin\\Downloads\\WannaCry-main\\WannaCry-main\\tasksche.exe\""	reg.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
105	camo.githubusercontent.com
11	camo.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	WannaCry.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 55 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\cr.sb.xrf5200eafd3ad904629cbb0f87a78a3c7211081fe	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-2904698490-2540843659-2047741361-1583039222-628509060-1343416660-4183458959\DisplayName = "Chrome Sandbox"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-2904698490-2540843659-2047741361-1583039222-628509060-1343416660-4183458959\Children	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\cr.sb.xrf5200eafd3ad904629cbb0f87a78a3c7211081fe\Children	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-2904698490-2540843659-2047741361-1583039222-628509060-1343416660-4183458959	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-2904698490-2540843659-2047741361-1583039222-628509060-1343416660-4183458959\Moniker = "cr.sb.xrf5200eafd3ad904629cbb0f87a78a3c7211081fe"	msedge.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
6572	reg.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\WannaCry-main.zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\The-MALWARE-Repo-master (1).zip:Zone.Identifier	msedge.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
5844	vlc.exe
856	vlc.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
4444	msedge.exe
4444	msedge.exe
2476	msedge.exe
2476	msedge.exe
4664	msedge.exe
2988	msedge.exe
2988	msedge.exe
3392	identity_helper.exe
3392	identity_helper.exe
5712	msedge.exe
5712	msedge.exe
3236	msedge.exe
3236	msedge.exe
3236	msedge.exe
3236	msedge.exe
3236	msedge.exe
3236	msedge.exe
3236	msedge.exe
3236	msedge.exe
3236	msedge.exe
3236	msedge.exe
3236	msedge.exe
3236	msedge.exe
1052	taskhsvc.exe
1052	taskhsvc.exe
1052	taskhsvc.exe
1052	taskhsvc.exe
1052	taskhsvc.exe
1052	taskhsvc.exe
6576	msedge.exe
6576	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
6508	@[email protected]
5844	vlc.exe
856	vlc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 37 IoCs

pid	Process
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: 33	4464	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4464	AUDIODG.EXE
Token: SeIncreaseQuotaPrivilege	6204	WMIC.exe
Token: SeSecurityPrivilege	6204	WMIC.exe
Token: SeTakeOwnershipPrivilege	6204	WMIC.exe
Token: SeLoadDriverPrivilege	6204	WMIC.exe
Token: SeSystemProfilePrivilege	6204	WMIC.exe
Token: SeSystemtimePrivilege	6204	WMIC.exe
Token: SeProfSingleProcessPrivilege	6204	WMIC.exe
Token: SeIncBasePriorityPrivilege	6204	WMIC.exe
Token: SeCreatePagefilePrivilege	6204	WMIC.exe
Token: SeBackupPrivilege	6204	WMIC.exe
Token: SeRestorePrivilege	6204	WMIC.exe
Token: SeShutdownPrivilege	6204	WMIC.exe
Token: SeDebugPrivilege	6204	WMIC.exe
Token: SeSystemEnvironmentPrivilege	6204	WMIC.exe
Token: SeRemoteShutdownPrivilege	6204	WMIC.exe
Token: SeUndockPrivilege	6204	WMIC.exe
Token: SeManageVolumePrivilege	6204	WMIC.exe
Token: 33	6204	WMIC.exe
Token: 34	6204	WMIC.exe
Token: 35	6204	WMIC.exe
Token: 36	6204	WMIC.exe
Token: SeIncreaseQuotaPrivilege	6204	WMIC.exe
Token: SeSecurityPrivilege	6204	WMIC.exe
Token: SeTakeOwnershipPrivilege	6204	WMIC.exe
Token: SeLoadDriverPrivilege	6204	WMIC.exe
Token: SeSystemProfilePrivilege	6204	WMIC.exe
Token: SeSystemtimePrivilege	6204	WMIC.exe
Token: SeProfSingleProcessPrivilege	6204	WMIC.exe
Token: SeIncBasePriorityPrivilege	6204	WMIC.exe
Token: SeCreatePagefilePrivilege	6204	WMIC.exe
Token: SeBackupPrivilege	6204	WMIC.exe
Token: SeRestorePrivilege	6204	WMIC.exe
Token: SeShutdownPrivilege	6204	WMIC.exe
Token: SeDebugPrivilege	6204	WMIC.exe
Token: SeSystemEnvironmentPrivilege	6204	WMIC.exe
Token: SeRemoteShutdownPrivilege	6204	WMIC.exe
Token: SeUndockPrivilege	6204	WMIC.exe
Token: SeManageVolumePrivilege	6204	WMIC.exe
Token: 33	6204	WMIC.exe
Token: 34	6204	WMIC.exe
Token: 35	6204	WMIC.exe
Token: 36	6204	WMIC.exe
Token: SeBackupPrivilege	6296	vssvc.exe
Token: SeRestorePrivilege	6296	vssvc.exe
Token: SeAuditPrivilege	6296	vssvc.exe
Token: SeTcbPrivilege	6500	taskse.exe
Token: SeTcbPrivilege	6500	taskse.exe
Token: SeTcbPrivilege	7024	taskse.exe
Token: SeTcbPrivilege	7024	taskse.exe
Token: SeTcbPrivilege	5828	taskse.exe
Token: SeTcbPrivilege	5828	taskse.exe
Token: SeTcbPrivilege	2032	taskse.exe
Token: SeTcbPrivilege	2032	taskse.exe
Token: SeTcbPrivilege	6156	taskse.exe
Token: SeTcbPrivilege	6156	taskse.exe
Token: SeTcbPrivilege	6088	taskse.exe
Token: SeTcbPrivilege	6088	taskse.exe
Token: SeTcbPrivilege	5008	taskse.exe
Token: SeTcbPrivilege	5008	taskse.exe
Token: SeTcbPrivilege	4608	taskse.exe
Token: SeTcbPrivilege	4608	taskse.exe
Token: SeTcbPrivilege	6612	taskse.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe

Suspicious use of SendNotifyMessage 18 IoCs

pid	Process
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
5844	vlc.exe
5844	vlc.exe
5844	vlc.exe
856	vlc.exe
856	vlc.exe
856	vlc.exe

Suspicious use of SetWindowsHookEx 29 IoCs

pid	Process
1072	OpenWith.exe
5956	@[email protected]
1680	@[email protected]
5956	@[email protected]
1680	@[email protected]
6508	@[email protected]
6508	@[email protected]
6976	@[email protected]
2108	@[email protected]
3464	@[email protected]
6164	@[email protected]
5348	@[email protected]
2308	@[email protected]
2092	OpenWith.exe
5844	vlc.exe
2616	@[email protected]
6372	@[email protected]
856	vlc.exe
6768	@[email protected]
4328	@[email protected]
7060	@[email protected]
5368	@[email protected]
4656	@[email protected]
5832	@[email protected]
5044	@[email protected]
5556	@[email protected]
6728	@[email protected]
2360	@[email protected]
2376	@[email protected]

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2476 wrote to memory of 3636	2476	msedge.exe	78
PID 2476 wrote to memory of 3636	2476	msedge.exe	78
PID 2476 wrote to memory of 4720	2476	msedge.exe	79
PID 2476 wrote to memory of 4720	2476	msedge.exe	79
PID 2476 wrote to memory of 4720	2476	msedge.exe	79
PID 2476 wrote to memory of 4720	2476	msedge.exe	79
PID 2476 wrote to memory of 4720	2476	msedge.exe	79
PID 2476 wrote to memory of 4720	2476	msedge.exe	79
PID 2476 wrote to memory of 4720	2476	msedge.exe	79
PID 2476 wrote to memory of 4720	2476	msedge.exe	79
PID 2476 wrote to memory of 4720	2476	msedge.exe	79
PID 2476 wrote to memory of 4720	2476	msedge.exe	79
PID 2476 wrote to memory of 4720	2476	msedge.exe	79
PID 2476 wrote to memory of 4720	2476	msedge.exe	79
PID 2476 wrote to memory of 4720	2476	msedge.exe	79
PID 2476 wrote to memory of 4720	2476	msedge.exe	79
PID 2476 wrote to memory of 4720	2476	msedge.exe	79
PID 2476 wrote to memory of 4720	2476	msedge.exe	79
PID 2476 wrote to memory of 4720	2476	msedge.exe	79
PID 2476 wrote to memory of 4720	2476	msedge.exe	79
PID 2476 wrote to memory of 4720	2476	msedge.exe	79
PID 2476 wrote to memory of 4720	2476	msedge.exe	79
PID 2476 wrote to memory of 4720	2476	msedge.exe	79
PID 2476 wrote to memory of 4720	2476	msedge.exe	79
PID 2476 wrote to memory of 4720	2476	msedge.exe	79
PID 2476 wrote to memory of 4720	2476	msedge.exe	79
PID 2476 wrote to memory of 4720	2476	msedge.exe	79
PID 2476 wrote to memory of 4720	2476	msedge.exe	79
PID 2476 wrote to memory of 4720	2476	msedge.exe	79
PID 2476 wrote to memory of 4720	2476	msedge.exe	79
PID 2476 wrote to memory of 4720	2476	msedge.exe	79
PID 2476 wrote to memory of 4720	2476	msedge.exe	79
PID 2476 wrote to memory of 4720	2476	msedge.exe	79
PID 2476 wrote to memory of 4720	2476	msedge.exe	79
PID 2476 wrote to memory of 4720	2476	msedge.exe	79
PID 2476 wrote to memory of 4720	2476	msedge.exe	79
PID 2476 wrote to memory of 4720	2476	msedge.exe	79
PID 2476 wrote to memory of 4720	2476	msedge.exe	79
PID 2476 wrote to memory of 4720	2476	msedge.exe	79
PID 2476 wrote to memory of 4720	2476	msedge.exe	79
PID 2476 wrote to memory of 4720	2476	msedge.exe	79
PID 2476 wrote to memory of 4720	2476	msedge.exe	79
PID 2476 wrote to memory of 4444	2476	msedge.exe	80
PID 2476 wrote to memory of 4444	2476	msedge.exe	80
PID 2476 wrote to memory of 1508	2476	msedge.exe	81
PID 2476 wrote to memory of 1508	2476	msedge.exe	81
PID 2476 wrote to memory of 1508	2476	msedge.exe	81
PID 2476 wrote to memory of 1508	2476	msedge.exe	81
PID 2476 wrote to memory of 1508	2476	msedge.exe	81
PID 2476 wrote to memory of 1508	2476	msedge.exe	81
PID 2476 wrote to memory of 1508	2476	msedge.exe	81
PID 2476 wrote to memory of 1508	2476	msedge.exe	81
PID 2476 wrote to memory of 1508	2476	msedge.exe	81
PID 2476 wrote to memory of 1508	2476	msedge.exe	81
PID 2476 wrote to memory of 1508	2476	msedge.exe	81
PID 2476 wrote to memory of 1508	2476	msedge.exe	81
PID 2476 wrote to memory of 1508	2476	msedge.exe	81
PID 2476 wrote to memory of 1508	2476	msedge.exe	81
PID 2476 wrote to memory of 1508	2476	msedge.exe	81
PID 2476 wrote to memory of 1508	2476	msedge.exe	81
PID 2476 wrote to memory of 1508	2476	msedge.exe	81
PID 2476 wrote to memory of 1508	2476	msedge.exe	81
PID 2476 wrote to memory of 1508	2476	msedge.exe	81
PID 2476 wrote to memory of 1508	2476	msedge.exe	81

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1540	attrib.exe
3124	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\Boxel 3D\index.html
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb74d13cb8,0x7ffb74d13cc8,0x7ffb74d13cd8
  2⤵
  PID:3636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1792,16514931948392079778,16983571733917568511,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1860 /prefetch:2
  2⤵
  PID:4720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1792,16514931948392079778,16983571733917568511,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2360 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1792,16514931948392079778,16983571733917568511,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2772 /prefetch:8
  2⤵
  PID:1508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,16514931948392079778,16983571733917568511,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,16514931948392079778,16983571733917568511,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
  2⤵
  PID:4640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1792,16514931948392079778,16983571733917568511,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4940 /prefetch:8
  2⤵
  PID:3864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=device.mojom.XRDeviceService --field-trial-handle=1792,16514931948392079778,16983571733917568511,131072 --lang=en-US --service-sandbox-type=xr_compositing --mojo-platform-channel-handle=5092 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,16514931948392079778,16983571733917568511,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4004 /prefetch:1
  2⤵
  PID:2336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1792,16514931948392079778,16983571733917568511,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5808 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2988
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1792,16514931948392079778,16983571733917568511,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6108 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,16514931948392079778,16983571733917568511,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1
  2⤵
  PID:4768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,16514931948392079778,16983571733917568511,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5700 /prefetch:1
  2⤵
  PID:1224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,16514931948392079778,16983571733917568511,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1
  2⤵
  PID:4920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,16514931948392079778,16983571733917568511,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1
  2⤵
  PID:4872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,16514931948392079778,16983571733917568511,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4004 /prefetch:1
  2⤵
  PID:4456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,16514931948392079778,16983571733917568511,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5792 /prefetch:1
  2⤵
  PID:3968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,16514931948392079778,16983571733917568511,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2952 /prefetch:1
  2⤵
  PID:5316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,16514931948392079778,16983571733917568511,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1644 /prefetch:1
  2⤵
  PID:6008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,16514931948392079778,16983571733917568511,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6220 /prefetch:1
  2⤵
  PID:5936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,16514931948392079778,16983571733917568511,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6364 /prefetch:1
  2⤵
  PID:4516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,16514931948392079778,16983571733917568511,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4320 /prefetch:1
  2⤵
  PID:2452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,16514931948392079778,16983571733917568511,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:1
  2⤵
  PID:2720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,16514931948392079778,16983571733917568511,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3972 /prefetch:1
  2⤵
  PID:1388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,16514931948392079778,16983571733917568511,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6760 /prefetch:1
  2⤵
  PID:1452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,16514931948392079778,16983571733917568511,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6612 /prefetch:1
  2⤵
  PID:2180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,16514931948392079778,16983571733917568511,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7164 /prefetch:1
  2⤵
  PID:2528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,16514931948392079778,16983571733917568511,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7592 /prefetch:1
  2⤵
  PID:780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,16514931948392079778,16983571733917568511,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
  2⤵
  PID:5508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,16514931948392079778,16983571733917568511,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6544 /prefetch:1
  2⤵
  PID:2616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,16514931948392079778,16983571733917568511,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7580 /prefetch:1
  2⤵
  PID:5972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,16514931948392079778,16983571733917568511,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7544 /prefetch:1
  2⤵
  PID:5612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,16514931948392079778,16983571733917568511,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5604 /prefetch:1
  2⤵
  PID:1476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,16514931948392079778,16983571733917568511,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7924 /prefetch:1
  2⤵
  PID:4048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,16514931948392079778,16983571733917568511,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8104 /prefetch:1
  2⤵
  PID:5940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1792,16514931948392079778,16983571733917568511,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7920 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:5712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1792,16514931948392079778,16983571733917568511,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=8392 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,16514931948392079778,16983571733917568511,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5072 /prefetch:1
  2⤵
  PID:6400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,16514931948392079778,16983571733917568511,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4344 /prefetch:1
  2⤵
  PID:328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,16514931948392079778,16983571733917568511,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8072 /prefetch:1
  2⤵
  PID:3124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,16514931948392079778,16983571733917568511,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8488 /prefetch:1
  2⤵
  PID:5616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,16514931948392079778,16983571733917568511,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8636 /prefetch:1
  2⤵
  PID:1616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,16514931948392079778,16983571733917568511,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6540 /prefetch:1
  2⤵
  PID:2344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,16514931948392079778,16983571733917568511,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1644 /prefetch:1
  2⤵
  PID:1224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,16514931948392079778,16983571733917568511,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7648 /prefetch:1
  2⤵
  PID:2324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,16514931948392079778,16983571733917568511,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2656 /prefetch:1
  2⤵
  PID:5808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1792,16514931948392079778,16983571733917568511,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8156 /prefetch:1
  2⤵
  PID:4568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1792,16514931948392079778,16983571733917568511,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3808 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:6576

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3208

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3764

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004D8 0x00000000000004DC
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4464

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:5484

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3536

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4856

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\WannaCry.EXE
"C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\WannaCry.EXE"
1⤵
- Drops startup file
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
PID:5972
- C:\Windows\SysWOW64\attrib.exe
  attrib +h .
  2⤵
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:1540
- C:\Windows\SysWOW64\icacls.exe
  icacls . /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  - System Location Discovery: System Language Discovery
  PID:956
- C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2224
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 52131728168210.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5252
- - C:\Windows\SysWOW64\cscript.exe
    cscript.exe //nologo m.vbs
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2500
- C:\Windows\SysWOW64\attrib.exe
  attrib +h +s F:\$RECYCLE
  2⤵
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:3124
- C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]
  @[email protected] co
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5956
- - C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\TaskData\Tor\taskhsvc.exe
    TaskData\Tor\taskhsvc.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1052
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c start /b @[email protected] vs
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6052
- - C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]
    @[email protected] vs
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1680
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
      4⤵
      System Location Discovery: System Language Discovery
      PID:6172
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:6204
- C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6480
- C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\taskse.exe
  taskse.exe C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:6500
- C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:6508
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/search?q=how+to+buy+bitcoin
    3⤵
    PID:6180
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x124,0x128,0x12c,0x120,0x130,0x7ffb74d13cb8,0x7ffb74d13cc8,0x7ffb74d13cd8
      4⤵
      PID:6364
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "nktegbozss876" /t REG_SZ /d "\"C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\tasksche.exe\"" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6516
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "nktegbozss876" /t REG_SZ /d "\"C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\tasksche.exe\"" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:6572
- C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6952
- C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\taskse.exe
  taskse.exe C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:7024
- C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:6976
- C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2780
- C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\taskse.exe
  taskse.exe C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5828
- C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2108
- C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\taskse.exe
  taskse.exe C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2032
- C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3464
- C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5400
- C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\taskse.exe
  taskse.exe C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:6156
- C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:6164
- C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4564
- C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\taskse.exe
  taskse.exe C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:6088
- C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5348
- C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5804
- C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\taskse.exe
  taskse.exe C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5008
- C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2308
- C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5664
- C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\taskse.exe
  taskse.exe C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4608
- C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:6372
- C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6456
- C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\taskse.exe
  taskse.exe C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:6612
- C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4328
- C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:7032
- C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\taskse.exe
  taskse.exe C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6864
- C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:7060
- C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2872

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1072

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]
1⤵
PID:2368

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:6296

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1724

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6064

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3760

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6920

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\RenameOptimize.vbe"
1⤵
PID:6528

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2092

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\UpdateOpen.aif"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:5844

C:\Users\Public\Desktop\@[email protected]
"C:\Users\Public\Desktop\@[email protected]"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2616

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:856

C:\Users\Admin\Desktop\@[email protected]
"C:\Users\Admin\Desktop\@[email protected]"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:6768

C:\Users\Public\Desktop\@[email protected]
"C:\Users\Public\Desktop\@[email protected]"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5368

C:\Users\Public\Desktop\@[email protected]
"C:\Users\Public\Desktop\@[email protected]"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4656

C:\Users\Public\Desktop\@[email protected]
"C:\Users\Public\Desktop\@[email protected]"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5832

C:\Users\Public\Desktop\@[email protected]
"C:\Users\Public\Desktop\@[email protected]"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5044

C:\Users\Public\Desktop\@[email protected]
"C:\Users\Public\Desktop\@[email protected]"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5556

C:\Users\Public\Desktop\@[email protected]
"C:\Users\Public\Desktop\@[email protected]"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:6728

C:\Users\Public\Desktop\@[email protected]
"C:\Users\Public\Desktop\@[email protected]"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2360

C:\Users\Public\Desktop\@[email protected]
"C:\Users\Public\Desktop\@[email protected]"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\AppV\Setup\@[email protected]

Filesize
813B

MD5
b444557113d9b5afe1ea31c3700e2e2f

SHA1
4a8be2d2555124e2c6ebee7d29f207c6f485ba6f

SHA256
6bd836610851d4393a5ba84513818ad240616c1fa185e5e7b75422bd141aa73a

SHA512
7832519e8c95e7cefaffaca185d10c6bf0a6e2b0e2e55205023e65c5658179ddfeced7e4abbf2e6ebf143f2e6a539c15b69159f2b6118869c17057553f936a49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
302c3de891ef3a75b81a269db4e1cf22

SHA1
5401eb5166da78256771e8e0281ca2d1f471c76f

SHA256
1d1640e5755779c90676290853d2e3ca948f57cf5fb1df4b786e277a97757f58

SHA512
da18e7d40376fd13255f3f67a004c3a7f408466bd7ce92e36a4d0c20441279fe4b1b6e0874ab74c494663fb97bd7992b5e7c264b3fc434c1e981326595263d33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c9efc5ba989271670c86d3d3dd581b39

SHA1
3ad714bcf6bac85e368b8ba379540698d038084f

SHA256
c2e16990b0f6f23efdcecd99044993a4c2b8ba87bd542dd8f6256d69e24b93b3

SHA512
c1bc0dc70ab827b54feb64ad069d21e1c3c28d57d126b08314a9670437881d77dba02b5cca57ef0f2aa7f8e7d4d163fbd2c6f246ea2d51ce201d61a89015e8b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
64KB

MD5
d6b36c7d4b06f140f860ddc91a4c659c

SHA1
ccf16571637b8d3e4c9423688c5bd06167bfb9e9

SHA256
34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

SHA512
2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
67KB

MD5
929b1f88aa0b766609e4ca5b9770dc24

SHA1
c1f16f77e4f4aecc80dadd25ea15ed10936cc901

SHA256
965eaf004d31e79f7849b404d0b8827323f9fe75b05fe73b1226ccc4deea4074

SHA512
fe8d6b94d537ee9cae30de946886bf7893d3755c37dd1662baf1f61e04f47fa66e070210c990c4a956bde70380b7ce11c05ad39f9cbd3ea55b129bb1f573fa07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
19KB

MD5
76a3f1e9a452564e0f8dce6c0ee111e8

SHA1
11c3d925cbc1a52d53584fd8606f8f713aa59114

SHA256
381396157ed5e8021dd8e660142b35eb71a63aecd33062a1103ce9c709c7632c

SHA512
a1156a907649d6f2c3f7256405d9d5c62a626b8d4cd717fa2f29d2fbe91092a2b3fdd0716f8f31e59708fe12274bc2dea6c9ae6a413ea290e70ddf921fe7f274

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
63KB

MD5
710d7637cc7e21b62fd3efe6aba1fd27

SHA1
8645d6b137064c7b38e10c736724e17787db6cf3

SHA256
c0997474b99524325dfedb5c020436e7ea9f9c9a1a759ed6daf7bdd4890bdc2b

SHA512
19aa77bed3c441228789cf8f931ca6194cc8d4bc7bb85d892faf5eaeda67d22c8c3b066f8ceda8169177da95a1fe111bd3436ceeaf4c784bd2bf96617f4d0c44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
27KB

MD5
17b6743977bcc7a7bb29fafc37f142d5

SHA1
a06d514d3d380b8c28696bba059c62cfc54deaa2

SHA256
7475e9358cc8ec5ae95b1b485ae0f5dfea9f22c375f9ccd1107b53025f71e3e3

SHA512
1696cb3834251d9f4c1a2bd5d884d06a5efe2b53e15834f9f78d60bfb186977abedb007a37eedf3a23b9347ee44853c1c715fa50faee04b9bc8cf0d3e712b5e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002b

Filesize
20KB

MD5
a0e80d593e77c9a87c4a1140456daf7b

SHA1
bae7364e48a633dcba90293670489eb422a54e97

SHA256
953c84027fedd064a40f44e885941f619d1eb63530f82c29f084fb4bc68e340c

SHA512
b07eac576c6045563447c7306f84ac4dcc99af68ad261424665766ed55a85a9879627aefb0608f50eb0c34c80367a6db72b7ca1449ff25b9be57595311c1ccae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002c

Filesize
47KB

MD5
d4573f829b4f14307ba330cb30e84a4f

SHA1
914f31667c202743a1f761d6e5d97af867692822

SHA256
153998221610cf51fb52561639d94a86a7e027225571296ce96aa1d716916828

SHA512
a2df48fdd73f7615c370c063e175d76f35c3e73e6c7b06f8c96c222b0810ac0694044084dc824f57c4a67dc783fcf92412c89927abb358f2c4af260bfca737bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
0011724564a3068a03da46a894d6377f

SHA1
ee718f37a6d78917bf71e255b4d1af2e6d6c635b

SHA256
20bd03b1bcb68f1023eb52a57d30a3f3abc893cb49e64b837f35cdf00fdff9c2

SHA512
426ac2b2d146ebfe3c06507d1f4edcf7aedb0a714117af5f7ceb63bd653e8634d0f6c24a19fc75406a94857f513429a0cb3cdf68d16a906d65d47297e3809319

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
f40a40e3e48006e94f36f8ae07bc2be3

SHA1
dfd8520295362a15a31bbb4bd12564c97881bded

SHA256
092a2a260892ffead4c1752a6275a83bd5a7c42945a0df0434f538b17efc435c

SHA512
03863e07f1c22e87bb6f5f4162887efc38114faa91574ea461ca1d74dda4f6bb15c7ffe255540eb240ec9dfb45ed2cd0ca324bbc1a2a4259b7117b7810f63b8f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
6KB

MD5
d17389e113dff430d6b13a42225898ad

SHA1
1a8546849f88246db9dbdce170a0231b3708135a

SHA256
4238459b8823f911ff002efe074fba5e58e54266296ec4c0be344787faaf2311

SHA512
81ee158aaf4d38e42ae707ced55ac9df993fe6ce96ac8de429f51618d9efa02bdb292d5ae61ddca1d55c6844359ec2ff928cf808dba2e22f84c552aa10043371

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
7KB

MD5
1eace6556600427b57c9bfbc5cbc327c

SHA1
042840bdec058f740be5417aaed71f633b53c0c1

SHA256
f70f0581d6b80b9e6890407294a7034da772905909ce0266b79c350f35c2c8ce

SHA512
1f0d7ab96f33b1f370e5653e6cd9a6f00ad7d9b12a5f0dc996364a33d54dcfb673adb6e137202a93debd4a0e41e552f2d7d7af107f1faa456a6ba9f8d8e31891

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
8KB

MD5
fe62039bfc83ecc328ae0352346ad784

SHA1
d09a595195fef9fc0a162edb055bffdfb3fa2e1a

SHA256
5d1e9652f53cc1a714f74f709d6e7dd80a1fe51b5e4360755be891916b6cb9df

SHA512
5cb541f77734190f59b1ffdb4a05e39c25d800866dc192fa3d217dbed1da97209e827e06092946f9aa8cb0599afd2ea7778c5ce803aaddd548355fe593c76d8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
5KB

MD5
4c1973641146bb66dd801e0b626a0e7f

SHA1
2d0d6ac75cd59b689b6083564b6160e74ff71815

SHA256
3a5582808bcee2ffcc7f5bf82f1b3a9d9fc8076a607087b2d637e521ad35ea47

SHA512
b908ce42723f2a8e85938e370daf9c8db6d70947c9c6ca4bd963b0224c4945aed38b2fa5bd1ea63765727b4e58cddb82cb24adcc0a101813a4e549bbe8639b1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
5KB

MD5
b680ab9cdd1696780e7105082e0967ac

SHA1
82aa82b5784c6204ef31d57fd6d28ff0ca4e5d8a

SHA256
15dd696a2e225361b8ab94964fb616645c55cb73d631d0a98d2bb2507499da6a

SHA512
5f75ef81a3bc5a8ba0d9f07eca945f0e95beb7806da733d01d69d0ea4623faec45339aa6a8a1b990115d8a7e6ed42f71567290f0c95c64c31186219d3f43c6ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
b0f1f5973ad11f79de592cb2a1a42697

SHA1
b819da0cf9885d9fb2582553e5d8815308adefb0

SHA256
592ec79b67ed85bc57d5513e0de8b923705e13d590f33b109572a40c53ef62a1

SHA512
b410b06864f27b83d07cc842dd9fac0a51df9c3662494951d546211b395a4287936235d74a1d47036ebb925415b427307b8aecd69674711346d26d39cbecc497

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Platform Notifications\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c8276f895404f0ccc54047a58ddfc08a

SHA1
a7c0ea8a87ef9fa4e5b1d01ed11c3888610afff9

SHA256
c27444d318aa6f566283aad9ded45a63d50ec3aad2c501b668de8cc60db5c468

SHA512
368a84118558c674b6c2254895a2d6fd12cc77cdad9f06b293d275ee0d8e7eaf5de31a96d8923efb157ae7adfca694ea8b7c1be077cbfe58d0f28eba794ad806

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
f559e766dd1cf5112e7b0b76473084fe

SHA1
aaaec64937c4f493bf69e5219008b86bbcfedf87

SHA256
bf6b811ce1a468c25ccb30bc672878ac8c371e9c53d9bab199886a3f7253bf09

SHA512
09561e536cde79d7478e92ba8d45b67da7869afb2b148fec90554395acd76bd7ee422e8d37969c43a457fc0c8df862a8082b695d862147f04f2edc2f42dd02e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f09aae215222952645fef5745a87372e

SHA1
4b7d16afbcdf87f858ad55e835c6ce359ab109d1

SHA256
b47657b91745622b42527faddd129652756d34fa87a3ed672dcc7842c48e3224

SHA512
8fae380dc2fb90d841bf10edc9ccdc5c8ca124fb799cbda63b44fa8a0fd16456e049bfb64af24a4ccf046dc276ddbde7130e63afaefcbc80100e3cda00aa141c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
e45e762da5f3ebd5b75c9f18eb41ee82

SHA1
a6c05553696662036c76237d973f41e841c7d679

SHA256
c32275f7f986b6e7f9212d36b96200b577ed6bc0dc2d87aa701cdf1cdf04a92d

SHA512
cfb07779f5c5b36f971868a8dfc99e46b694d340af2b11025a13b17e1361afa631c982f11fea59023346a53062d4d18e4328ceddab8d67ccfb330a0650cb0758

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
f3a5a2dcec651635dc00a9b63d8d4454

SHA1
31d276ce9094b2af2334c4e9fbc43a3b0c160f4b

SHA256
168e1ef5177327c59f845f448276d94eb7a1bd2ff4ed2027e2152ad7d2b80ec1

SHA512
d2a6dc15d370feda438e89ae4db390bf54a26e76fa0487b671cfe09f38ee73474911185e758ea02d43029771e57148fd4a2ce9c950c67c72ec487955d61adcfb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
0b61ccfcd60eb521a5a1ecabe59ca693

SHA1
3a07d5d790626eb20addd541c2f9c61e5e3788a8

SHA256
2a7debd51423e7c5b603d27ab3919ae731292908c0d557b34f88ac60dc9484c9

SHA512
a39766acbb1364f1876fdcde9b351b8f9fe7165d350ba41e5b1a86176baade1be772565dd2457891f525ebe50c2c0b03579a0c1f1a55f4accf47adba41485afb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
dfa9f4b2fd27f2f3291ee3656d294651

SHA1
766d335beb0f88204745a169b1d871a022e425a3

SHA256
fe47b776edd18fe5345e59b9620d592137583ee369ca22188c2114f9bb544bed

SHA512
ffd8e1faca748588ffbaa033c911cd2634ba84ffaeb80533924b2268dfcd68e4fc464e76618ad86bd1f0ed09188357a114d7718aa3d0c0a56818c0ee691abfaf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
aac31846a075c93f27d3b473fb2a725d

SHA1
5fbb43e9e61fb244201548b07d22e33bd884626d

SHA256
8e042e3b6a112a155586e74505ea14450b104a1feac2dc398158846d96c9ab72

SHA512
4ed07851e57688487595d09b56ad19cb51c57f4e65e34ed882b5aaa69c9089d384b7f76c1b7677667fae04357013440a5797b2ae3750a4928ab192f2a277c6cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
cdb706f71476a3e075af925a73932928

SHA1
fbde2b472ac704d42147746d4356d9ee7e4d45da

SHA256
a10724e1b3877275687f80eb659bf9574e43086b104de022e549bedc9e4a6747

SHA512
dc90a2a014b83f75d0fefd05971a60c4c2ff365622bad87f2eb16ce8651573a4aecc330e7ee7cf2c21153e56e0a85b86ef2825b304b5f6e7078d08d39ab09b86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\3da4db1e-f0c9-48f6-9c25-e90fcd891c99\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\89088423-3372-4068-83e8-74b5ec610b48\index-dir\the-real-index

Filesize
144B

MD5
dcc3aaa738bf7eebc5b7821031ab9bf2

SHA1
35e4a94468a1cebf41bb85e9f6ea36fc1f9e04c1

SHA256
0d4da26f7952b011cb8ee6a9a39be6890c31186ea5b9896a14cb4a44a4204d75

SHA512
7b2bf5cc7928af016ca8c913d03e1afd8dcd4edfc8227ad88c5e427c03aa8da741fbc5ab987b69cf9b0b0e6e074eea52bd53b0e2ebdd1c41027b10819530bf0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\89088423-3372-4068-83e8-74b5ec610b48\index-dir\the-real-index

Filesize
2KB

MD5
726f5e7dc322ad39fe1662c3f8f06bc2

SHA1
b419dd1cd478e2a96486b0dd7d2e3f3110147137

SHA256
cfd91d7e39cf6f0f9f0ef8ed66bc467859c2bbfa205afa712d0e3b2c2a990385

SHA512
d7c949dce0f2018cac3bf05ee5c7f29fc7603178678e043ee695a174a4db781d581575c416457096522798fc0b595b265b0c141478944e21dfa645cbfc035b11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\89088423-3372-4068-83e8-74b5ec610b48\index-dir\the-real-index~RFe585d0f.TMP

Filesize
48B

MD5
134058971ac635dc6ebc0913ad2d5ec5

SHA1
3e164e97a12527da13660d051989de2e47d202b1

SHA256
2b25fb3b1fdfbc6b20b257408f0fb683c738e91437e0c90878da9edea632281f

SHA512
4935da399e29830de2084f73b7fe3f70c85aead7201d2f04eb403d0da08ab8465ba263638f61c7a1d88bc484ff900e1936a20b4d2cde2a0bc9448a23788253ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
146B

MD5
8631f820536b86e68f6fff8e68f4185b

SHA1
7d8154fdde255922aa3095a67da760823c84103c

SHA256
069ae5f55cbf48d245944bba40cde8577406e5d18eaee21489f93f90bb4d41b3

SHA512
e681a49401c986f8966e8e2395a555d3cdab30b60436958deaad263c4aa37cea8b071eae5085fc307e94893b73811cb5e659ba49d4fd5f259d242af721db7bab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
147B

MD5
a4ec8f1d5729e9b80dca39457c7a4922

SHA1
b16498ebac9dde6bab97ede8a7920764b911cfd7

SHA256
3738dbcd5aab1602cc44df7b069025220f320d9c3b785057cf6d42d109394a37

SHA512
13b319490ed213abcebc68b5f1b239815e79de972ca89354ec888b803bef3b9738571a7e7e5b68bbc10d84baa26e716498a64b19a93ac6ea887d2d608b544723

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
83B

MD5
c8cbd4e63d308ef35f8d817afea69025

SHA1
3340af8c7e2b4e2da5360c2efa97136d6e9f3ea7

SHA256
734258976fcbe0939a652467662df540a4ce42077ad99913978bbeda10cc3f4f

SHA512
33e975c1889ac99a54659f340f57aa4379068bd2d605eeff7234ce4dddaf99dc7cfbc9f58398fa37fb2a9f3c4b854b4d59adbdc4c59a56b35e4dbe778118a27a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
82B

MD5
ba4d163c4f620cd671ecd69b248ef44e

SHA1
4b1f4816d57f2151d036a908f68c21e8bb4424c0

SHA256
fbb31bfc42dda6925abe48b9b8d316b826c4c52785fc4300ef057c2cf5757c7a

SHA512
02d4db8e84dc9d5721bd17d8c3cd1f3eef836925778f5f05c6b24d345e66731545cb158f92f40d6411312b7a8fa808be765444f4eb20b4491725a6a4b922cbf9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
84B

MD5
554493b06b569e32638c7047b567a831

SHA1
c0ef9e779530d45cd3bc5d70190a707e4f4615fa

SHA256
32fee6004df8a74c144fa77cb558b163b64cea2c1e0ae9d5ea15af8e89aaa848

SHA512
f0540735a0af1d6ccbae1c1c85a0d14d4496798931ea211e136e8d6b8b7eff8ed103e604ba99881f7ec7684bae8e9e5adf051d89fd9aed8fd7e574f3520df5c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe584b3d.TMP

Filesize
89B

MD5
f87e6996319ae68e837c85fbf44f7c8d

SHA1
7e87d35533d3572e2658e59d7f485209ce6df7af

SHA256
abe227d5d409f75d151e3e7ad6448f47073c1c812a912be030092ae57127f3ea

SHA512
9ff495910eaf3b60c5489ca4aa700a0c61bab908ddb7647fd805de1f74c0f09603abd7119ece4e72dbcb61afb667a4e43c7406fc1bf0a1f1f522f484f7f507ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
58356417f4d5433db1f21659a36c4748

SHA1
9e164a7a02fbc2e9f4a066afb4ffeb61c24724c0

SHA256
1766b9e3af67c2726913bae69dab20444abc47807e3e29338a0799ee307d0fe0

SHA512
d1f452d7561192d0c94c21d195052ac6e39a407bda002e9175a5a43f740885d92a899f6908f71bdfaf9bb0b9c916d32de57ebbaafb7e5a3355951972c2f24342

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe58e143.TMP

Filesize
48B

MD5
78894129f5685f219da945426e96145d

SHA1
774195836f30ed9f8b23bcacd8de1c1ecbbf870d

SHA256
45d008b1625a006533e3db00d7fa7b196696408befad9737f7dd248e69400c63

SHA512
d2a87aaa020b1f3e6fc151411728bf46c66810b9fc560e665f62dd8cbd446d59990852071dfac6022689a31aeae4cf82cd7ed4a687a5af0a99de6dcfea2c88c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
30e9e50bace6e14d54086c8cb4ce1d3c

SHA1
acc2c898a25952e4d69d98873f2e727abc4b77e2

SHA256
08867a941e95e7ae66cd1198b86f0de8c54da81905434f470b3442425d8661d7

SHA512
1937e306ad03c9a5b1c520faa87c9b6f2b027d3889b5854595547b11ffcb87ca70ef992144c94a855983f0908e9a754dea2c060d6deda2c590b31818e3ee393c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
3aae9b42814503557d2b18d7d7fc86e6

SHA1
4ba3606bf8b15f0303f8b24221ea8119af78fc56

SHA256
3cc3e5dfc7d00113375494ce6f47ae8715623991d4e9e61460a473b62ceb3ec8

SHA512
a11dd52f6cfeb287e210c2a1a0f79e51e9b32bdef94a236e0123a2986e5ead1ded53794e195988f40ebcb41301c7e0b02d99b7fc3627909c99ee5c798c5209b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
357f6f1f367c725fdcf573aac5a620b4

SHA1
e6d4a2f0de8057669845c204306e19a011ddb6c0

SHA256
7d2c2d7ed9549cecf7baf272bc8e5773d9932e0fb75638dd4c1cd3065c734e0f

SHA512
66cbf4177c501c32be67f11de6ffa74fc07795e65d25f13f8daa101bb8fbc95938c1779204ec1b91dcb2ba733fccb1bc1aebf4ede20aba433e2b644235f05cde

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
3890f8c079a8095474e0fa4e467a558f

SHA1
5b5a384b41d1d185517e58e45e6fb54e80690e57

SHA256
09e00b626fe3890ea37eda5dd60c13008bdf3ba2aa71a4726a45dd5f710faedb

SHA512
db67b4472c09bf9575fa6fe3b5f089d64228be87c975b8d23fe3f4ab76d8375e3198bc98a8eb8364b13027d0ec617db1eb3c3760ba522e52176dd694735124e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
df33e365ea429b6aef44c4eb3ec418cd

SHA1
d2c407db0b01b9c129567144f8a32e3f69967efd

SHA256
310dc758069c6a3e1d5bcf153aa9968384189eb3708fcd4b54d9f12116bfff73

SHA512
69b6a4ffebb6a20e0b1939ea5948aeb0cc1e455669501232082bd3703178716761ef265b5226bde018b1f0deb14a3747a99d06f802d1277f86e8596c5cb9d5d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
904db19e4bfc7b41d9d5e6394d32060e

SHA1
da434c19fbcf90bc62d1d365225c0d7334149fbf

SHA256
5a556cfa849127d59abb8136d9b6dca447af74894b207edbe9ce581646e26db6

SHA512
f2e2b403bb49db480b9a5f09adb6356ef0cba497ae5ef59db4056a3d0302894c35e0a3a112ad7bbf163952d69e51c164718bf1616421774aa7d73efd03ae28c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ed32f1228a174ca1a80e5319c6be342c

SHA1
757275a30023fc650a9037506529f38621ef7bc0

SHA256
89b725b1a66f57baf5bcf24aca4f785c69797ed232eb5295c45bd8942898a08e

SHA512
6584bbd1c7e49dc048b670cb5552eff696c8f9de5c2284934978b34f4fa1b9a66164ff5c646efc7f797f5fd8100e4c613316f83a7e1c506067326d4d11bb15d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
16bd074c8bdf735291f6613e4da070e4

SHA1
149b3254c9ce010a2ca84cb89344df818a3feecd

SHA256
e9af4f256512fcdd8738eb9754318088227b9012b0b848b6c139b75830948edb

SHA512
ddfc1e47892dbe492769932f3aae1525a165fc5989ebd255941692db8e4388b08043dfc9f14cb422395b29391bb232dc560cfd09395a754fb5449ad988932c95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
186d3219d103ce1519645ee9a08b0314

SHA1
ec71478ee37765419becb73eb729236c585e5222

SHA256
2985ac059b214c10135c34d3734e96a1805cd80e56f18563656fe4caee2e3164

SHA512
1a0d0d14eb5651671563bd49dd57be076bb3ccb423235306923a3acdc96542e0ec5b7e5345de224ab1542a3c14c5ca962b11d6265f849e2e28f9e9cb73e584fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
09f1482dacb63aac015f697eb84e5aae

SHA1
125a8fe16d27d66151d923cb634a73b5b60356de

SHA256
bccf365b964a65a12e1f540e8f3b7a78f022f87f2c56c9a96820960f69a77d04

SHA512
5394c24b84a42e241d3a7ad811d7f976d47f54cbd6c33a27e2521ff4ab86304984ab4656f49aa1be0ba3c1f0a80ec2d8e877b06074d2ed74fb858ef3fbfd6c18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
db1f6df513f33c37430d4030b98043eb

SHA1
4cc08f99dbb678d9f2e6809fabab1cc4559dfba1

SHA256
43042a068a07b35053b48f3ef3cd8fa0f436cb11e980976eeac08798144569ef

SHA512
4733a2c6d0562ef2024a18dcd6879d8292d1f339a7277aa7ac3ceb449f449248172823a150e31e6e5bf78ca6349d07aedb844da8a33f8d332b70c876b73b83c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe585f42.TMP

Filesize
538B

MD5
3ad401c1ce496f83c334ee1355ddef65

SHA1
cb701ce92cdeb03fba7973f4c92e69fd0cf9e54b

SHA256
77e3210520fbefa139d7521c3362a93333d1e42c9f8ee569d38377f5f3c7f524

SHA512
3d171d2271aa4a672b123a2a37f9a011fa1b78539c7f90aad392d5895b1129a7448eb0927032ab4c92cb9e2671c71d283d6607cbcc8003d75f265fefab1aa9f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
0caa6be9e7dc77abc76665a4ea7e4e1d

SHA1
3d0db4a0d60d641f65c576dbae0459a67f41c78d

SHA256
ce2c2145b6a27d7cde1c12a4b1b07f6e289f03dbcecc7e8b3baee5c8abf49edf

SHA512
615499e18d91aaaf0b5ccbfe5c901bd95925c631f17b1631165fde8485fd0c5aebca96a0b525e734e609f175daea4b2c07ae077bb645b3bb2fbcb9d09c23d7eb

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

Filesize
4.9MB

MD5
b83b09af887791a9c1dc24e6c7ae883d

SHA1
3a4efc4ec91f329d6aa591649d8715141bcd4457

SHA256
e4788bec085d616465cd88801e8b05d1160ab58eee4a0df717b70951825019bf

SHA512
6ddcd20318ec64336220a8467ba550e661e460b46d0b07aacbd013654b91a923810b4b100ff24334db1d29165ddc85d788b33e4c769022d3ce8c13c8a99b995e

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\ml.xspf.tmp856

Filesize
304B

MD5
781602441469750c3219c8c38b515ed4

SHA1
e885acd1cbd0b897ebcedbb145bef1c330f80595

SHA256
81970dbe581373d14fbd451ac4b3f96e5f69b79645f1ee1ca715cff3af0bf20d

SHA512
2b0a1717d96edb47bdf0ffeb250a5ec11f7d0638d3e0a62fbe48c064379b473ca88ffbececb32a72129d06c040b107834f1004ccda5f0f35b8c3588034786461

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 954521.crdownload

Filesize
25.6MB

MD5
737122d52dcabfcf591d660378647b0a

SHA1
f03ca20bf1bde27678792d605926d0972d9e0c65

SHA256
3cb9167366cd59bc12325c709bf5cdf82b49a5ad7c151a6e33210a127f744d38

SHA512
567a6676423e87b0b688081d8b6c14e42302a5aded9d09ec5fc06b1c7ea0ca5a5bb3fa3f342fdfe4d2552da1f5d08bb126608a2a6db53cd02a36f6b3a762221a

Download Submit
C:\Users\Admin\Downloads\WannaCry-main.zip

Filesize
3.3MB

MD5
3c7861d067e5409eae5c08fd28a5bea2

SHA1
44e4b61278544a6a7b8094a0615d3339a8e75259

SHA256
07ecdced8cf2436c0bc886ee1e49ee4b8880a228aa173220103f35c535305635

SHA512
c2968e30212707acf8a146b25bb29c9f5d779792df88582b03431a0034dc82599f58d61fc9494324cc06873e5943f8c29bffd0272ca682d13c0bb10482d79fc5

Download Submit
C:\Users\Admin\Downloads\WannaCry-main.zip:Zone.Identifier

Filesize
151B

MD5
a0b18987a65152f7edacfbd93048dbf5

SHA1
1ba670627cce604dd2c69348307576b205dc4a1d

SHA256
4b23fa6bab214000bf833ae32892d0a54ac2ef796eabbf99f396f3a709800b8c

SHA512
5f3445f711558304a611904f368f5db30f637b2b889309679d2abbb59a29aeb70629a57529e6e632673eaa18f776da92e555490b92d687ce11a6f922101bfcca

Download Submit
C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]

Filesize
933B

MD5
7a2726bb6e6a79fb1d092b7f2b688af0

SHA1
b3effadce8b76aee8cd6ce2eccbb8701797468a2

SHA256
840ab19c411c918ea3e7526d0df4b9cb002de5ea15e854389285df0d1ea9a8e5

SHA512
4e107f661e6be183659fdd265e131a64cce2112d842226305f6b111d00109a970fda0b5abfb1daa9f64428e445e3b472332392435707c9aebbfe94c480c72e54

Download Submit
C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]

Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\TaskData\Tor\tor.exe

Filesize
3.0MB

MD5
fe7eb54691ad6e6af77f8a9a0b6de26d

SHA1
53912d33bec3375153b7e4e68b78d66dab62671a

SHA256
e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb

SHA512
8ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f

Download Submit
C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\b.wnry

Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\c.wnry

Filesize
780B

MD5
8124a611153cd3aceb85a7ac58eaa25d

SHA1
c1d5cd8774261d810dca9b6a8e478d01cd4995d6

SHA256
0ceb451c1dbefaa8231eeb462e8ce639863eb5b8ae4fa63a353eb6e86173119e

SHA512
b9c8dfb5d58c95628528cc729d2394367c5e205328645ca6ef78a3552d9ad9f824ae20611a43a6e01daaffeffdc9094f80d772620c731e4192eb0835b8ed0f17

Download Submit
C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\msg\m_bulgarian.wnry

Filesize
46KB

MD5
95673b0f968c0f55b32204361940d184

SHA1
81e427d15a1a826b93e91c3d2fa65221c8ca9cff

SHA256
40b37e7b80cf678d7dd302aaf41b88135ade6ddf44d89bdba19cf171564444bd

SHA512
7601f1883edbb4150a9dc17084012323b3bfa66f6d19d3d0355cf82b6a1c9dce475d758da18b6d17a8b321bf6fca20915224dbaedcb3f4d16abfaf7a5fc21b92

Download Submit
C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\msg\m_chinese (simplified).wnry

Filesize
53KB

MD5
0252d45ca21c8e43c9742285c48e91ad

SHA1
5c14551d2736eef3a1c1970cc492206e531703c1

SHA256
845d0e178aeebd6c7e2a2e9697b2bf6cf02028c50c288b3ba88fe2918ea2834a

SHA512
1bfcf6c0e7c977d777f12bd20ac347630999c4d99bd706b40de7ff8f2f52e02560d68093142cc93722095657807a1480ce3fb6a2e000c488550548c497998755

Download Submit
C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\msg\m_chinese (traditional).wnry

Filesize
77KB

MD5
2efc3690d67cd073a9406a25005f7cea

SHA1
52c07f98870eabace6ec370b7eb562751e8067e9

SHA256
5c7f6ad1ec4bc2c8e2c9c126633215daba7de731ac8b12be10ca157417c97f3a

SHA512
0766c58e64d9cda5328e00b86f8482316e944aa2c26523a3c37289e22c34be4b70937033bebdb217f675e40db9fecdce0a0d516f9065a170e28286c2d218487c

Download Submit
C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\msg\m_croatian.wnry

Filesize
38KB

MD5
17194003fa70ce477326ce2f6deeb270

SHA1
e325988f68d327743926ea317abb9882f347fa73

SHA256
3f33734b2d34cce83936ce99c3494cd845f1d2c02d7f6da31d42dfc1ca15a171

SHA512
dcf4ccf0b352a8b271827b3b8e181f7d6502ca0f8c9dda3dc6e53441bb4ae6e77b49c9c947cc3ede0bf323f09140a0c068a907f3c23ea2a8495d1ad96820051c

Download Submit
C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\msg\m_czech.wnry

Filesize
39KB

MD5
537efeecdfa94cc421e58fd82a58ba9e

SHA1
3609456e16bc16ba447979f3aa69221290ec17d0

SHA256
5afa4753afa048c6d6c39327ce674f27f5f6e5d3f2a060b7a8aed61725481150

SHA512
e007786ffa09ccd5a24e5c6504c8de444929a2faaafad3712367c05615b7e1b0fbf7fbfff7028ed3f832ce226957390d8bf54308870e9ed597948a838da1137b

Download Submit
C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\msg\m_danish.wnry

Filesize
36KB

MD5
2c5a3b81d5c4715b7bea01033367fcb5

SHA1
b548b45da8463e17199daafd34c23591f94e82cd

SHA256
a75bb44284b9db8d702692f84909a7e23f21141866adf3db888042e9109a1cb6

SHA512
490c5a892fac801b853c348477b1140755d4c53ca05726ac19d3649af4285c93523393a3667e209c71c80ac06ffd809f62dd69ae65012dcb00445d032f1277b3

Download Submit
C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\msg\m_dutch.wnry

Filesize
36KB

MD5
7a8d499407c6a647c03c4471a67eaad7

SHA1
d573b6ac8e7e04a05cbbd6b7f6a9842f371d343b

SHA256
2c95bef914da6c50d7bdedec601e589fbb4fda24c4863a7260f4f72bd025799c

SHA512
608ef3ff0a517fe1e70ff41aeb277821565c5a9bee5103aa5e45c68d4763fce507c2a34d810f4cd242d163181f8341d9a69e93fe32aded6fbc7f544c55743f12

Download Submit
C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\msg\m_english.wnry

Filesize
36KB

MD5
fe68c2dc0d2419b38f44d83f2fcf232e

SHA1
6c6e49949957215aa2f3dfb72207d249adf36283

SHA256
26fd072fda6e12f8c2d3292086ef0390785efa2c556e2a88bd4673102af703e5

SHA512
941fa0a1f6a5756ed54260994db6158a7ebeb9e18b5c8ca2f6530c579bc4455918df0b38c609f501ca466b3cc067b40e4b861ad6513373b483b36338ae20a810

Download Submit
C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\msg\m_filipino.wnry

Filesize
36KB

MD5
08b9e69b57e4c9b966664f8e1c27ab09

SHA1
2da1025bbbfb3cd308070765fc0893a48e5a85fa

SHA256
d8489f8c16318e524b45de8b35d7e2c3cd8ed4821c136f12f5ef3c9fc3321324

SHA512
966b5ed68be6b5ccd46e0de1fa868cfe5432d9bf82e1e2f6eb99b2aef3c92f88d96f4f4eec5e16381b9c6db80a68071e7124ca1474d664bdd77e1817ec600cb4

Download Submit
C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\msg\m_finnish.wnry

Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\msg\m_french.wnry

Filesize
37KB

MD5
4e57113a6bf6b88fdd32782a4a381274

SHA1
0fccbc91f0f94453d91670c6794f71348711061d

SHA256
9bd38110e6523547aed50617ddc77d0920d408faeed2b7a21ab163fda22177bc

SHA512
4f1918a12269c654d44e9d394bc209ef0bc32242be8833a2fba437b879125177e149f56f2fb0c302330dec328139b34982c04b3fefb045612b6cc9f83ec85aa9

Download Submit
C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\msg\m_german.wnry

Filesize
36KB

MD5
3d59bbb5553fe03a89f817819540f469

SHA1
26781d4b06ff704800b463d0f1fca3afd923a9fe

SHA256
2adc900fafa9938d85ce53cb793271f37af40cf499bcc454f44975db533f0b61

SHA512
95719ae80589f71209bb3cb953276538040e7111b994d757b0a24283aefe27aadbbe9eef3f1f823ce4cabc1090946d4a2a558607ac6cac6faca5971529b34dac

Download Submit
C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\msg\m_greek.wnry

Filesize
47KB

MD5
fb4e8718fea95bb7479727fde80cb424

SHA1
1088c7653cba385fe994e9ae34a6595898f20aeb

SHA256
e13cc9b13aa5074dc45d50379eceb17ee39a0c2531ab617d93800fe236758ca9

SHA512
24db377af1569e4e2b2ebccec42564cea95a30f1ff43bcaf25a692f99567e027bcef4aacef008ec5f64ea2eef0c04be88d2b30bcadabb3919b5f45a6633940cb

Download Submit
C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\msg\m_indonesian.wnry

Filesize
36KB

MD5
3788f91c694dfc48e12417ce93356b0f

SHA1
eb3b87f7f654b604daf3484da9e02ca6c4ea98b7

SHA256
23e5e738aad10fb8ef89aa0285269aff728070080158fd3e7792fe9ed47c51f4

SHA512
b7dd9e6dc7c2d023ff958caf132f0544c76fae3b2d8e49753257676cc541735807b4befdf483bcae94c2dcde3c878c783b4a89dca0fecbc78f5bbf7c356f35cd

Download Submit
C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\msg\m_italian.wnry

Filesize
36KB

MD5
30a200f78498990095b36f574b6e8690

SHA1
c4b1b3c087bd12b063e98bca464cd05f3f7b7882

SHA256
49f2c739e7d9745c0834dc817a71bf6676ccc24a4c28dcddf8844093aab3df07

SHA512
c0da2aae82c397f6943a0a7b838f60eeef8f57192c5f498f2ecf05db824cfeb6d6ca830bf3715da7ee400aa8362bd64dc835298f3f0085ae7a744e6e6c690511

Download Submit
C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\msg\m_japanese.wnry

Filesize
79KB

MD5
b77e1221f7ecd0b5d696cb66cda1609e

SHA1
51eb7a254a33d05edf188ded653005dc82de8a46

SHA256
7e491e7b48d6e34f916624c1cda9f024e86fcbec56acda35e27fa99d530d017e

SHA512
f435fd67954787e6b87460db026759410fbd25b2f6ea758118749c113a50192446861a114358443a129be817020b50f21d27b1ebd3d22c7be62082e8b45223fc

Download Submit
C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\msg\m_korean.wnry

Filesize
89KB

MD5
6735cb43fe44832b061eeb3f5956b099

SHA1
d636daf64d524f81367ea92fdafa3726c909bee1

SHA256
552aa0f82f37c9601114974228d4fc54f7434fe3ae7a276ef1ae98a0f608f1d0

SHA512
60272801909dbba21578b22c49f6b0ba8cd0070f116476ff35b3ac8347b987790e4cc0334724244c4b13415a246e77a577230029e4561ae6f04a598c3f536c7e

Download Submit
C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\msg\m_latvian.wnry

Filesize
40KB

MD5
c33afb4ecc04ee1bcc6975bea49abe40

SHA1
fbea4f170507cde02b839527ef50b7ec74b4821f

SHA256
a0356696877f2d94d645ae2df6ce6b370bd5c0d6db3d36def44e714525de0536

SHA512
0d435f0836f61a5ff55b78c02fa47b191e5807a79d8a6e991f3115743df2141b3db42ba8bdad9ad259e12f5800828e9e72d7c94a6a5259312a447d669b03ec44

Download Submit
C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\msg\m_norwegian.wnry

Filesize
36KB

MD5
ff70cc7c00951084175d12128ce02399

SHA1
75ad3b1ad4fb14813882d88e952208c648f1fd18

SHA256
cb5da96b3dfcf4394713623dbf3831b2a0b8be63987f563e1c32edeb74cb6c3a

SHA512
f01df3256d49325e5ec49fd265aa3f176020c8ffec60eb1d828c75a3fa18ff8634e1de824d77dfdd833768acff1f547303104620c70066a2708654a07ef22e19

Download Submit
C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\msg\m_polish.wnry

Filesize
38KB

MD5
e79d7f2833a9c2e2553c7fe04a1b63f4

SHA1
3d9f56d2381b8fe16042aa7c4feb1b33f2baebff

SHA256
519ad66009a6c127400c6c09e079903223bd82ecc18ad71b8e5cd79f5f9c053e

SHA512
e0159c753491cac7606a7250f332e87bc6b14876bc7a1cf5625fa56ab4f09c485f7b231dd52e4ff0f5f3c29862afb1124c0efd0741613eb97a83cbe2668af5de

Download Submit
C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\msg\m_portuguese.wnry

Filesize
37KB

MD5
fa948f7d8dfb21ceddd6794f2d56b44f

SHA1
ca915fbe020caa88dd776d89632d7866f660fc7a

SHA256
bd9f4b3aedf4f81f37ec0a028aabcb0e9a900e6b4de04e9271c8db81432e2a66

SHA512
0d211bfb0ae953081dca00cd07f8c908c174fd6c47a8001fadc614203f0e55d9fbb7fa9b87c735d57101341ab36af443918ee00737ed4c19ace0a2b85497f41a

Download Submit
C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\msg\m_romanian.wnry

Filesize
50KB

MD5
313e0ececd24f4fa1504118a11bc7986

SHA1
e1b9ae804c7fb1d27f39db18dc0647bb04e75e9d

SHA256
70c0f32ed379ae899e5ac975e20bbbacd295cf7cd50c36174d2602420c770ac1

SHA512
c7500363c61baf8b77fce796d750f8f5e6886ff0a10f81c3240ea3ad4e5f101b597490dea8ab6bd9193457d35d8fd579fce1b88a1c8d85ebe96c66d909630730

Download Submit
C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\msg\m_russian.wnry

Filesize
46KB

MD5
452615db2336d60af7e2057481e4cab5

SHA1
442e31f6556b3d7de6eb85fbac3d2957b7f5eac6

SHA256
02932052fafe97e6acaaf9f391738a3a826f5434b1a013abbfa7a6c1ade1e078

SHA512
7613dc329abe7a3f32164c9a6b660f209a84b774ab9c008bf6503c76255b30ea9a743a6dc49a8de8df0bcb9aea5a33f7408ba27848d9562583ff51991910911f

Download Submit
C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\msg\m_slovak.wnry

Filesize
40KB

MD5
c911aba4ab1da6c28cf86338ab2ab6cc

SHA1
fee0fd58b8efe76077620d8abc7500dbfef7c5b0

SHA256
e64178e339c8e10eac17a236a67b892d0447eb67b1dcd149763dad6fd9f72729

SHA512
3491ed285a091a123a1a6d61aafbb8d5621ccc9e045a237a2f9c2cf6049e7420eb96ef30fdcea856b50454436e2ec468770f8d585752d73fafd676c4ef5e800a

Download Submit
C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\msg\m_spanish.wnry

Filesize
36KB

MD5
8d61648d34cba8ae9d1e2a219019add1

SHA1
2091e42fc17a0cc2f235650f7aad87abf8ba22c2

SHA256
72f20024b2f69b45a1391f0a6474e9f6349625ce329f5444aec7401fe31f8de1

SHA512
68489c33ba89edfe2e3aebaacf8ef848d2ea88dcbef9609c258662605e02d12cfa4ffdc1d266fc5878488e296d2848b2cb0bbd45f1e86ef959bab6162d284079

Download Submit
C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\msg\m_swedish.wnry

Filesize
37KB

MD5
c7a19984eb9f37198652eaf2fd1ee25c

SHA1
06eafed025cf8c4d76966bf382ab0c5e1bd6a0ae

SHA256
146f61db72297c9c0facffd560487f8d6a2846ecec92ecc7db19c8d618dbc3a4

SHA512
43dd159f9c2eac147cbff1dda83f6a83dd0c59d2d7acac35ba8b407a04ec9a1110a6a8737535d060d100ede1cb75078cf742c383948c9d4037ef459d150f6020

Download Submit
C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\msg\m_turkish.wnry

Filesize
41KB

MD5
531ba6b1a5460fc9446946f91cc8c94b

SHA1
cc56978681bd546fd82d87926b5d9905c92a5803

SHA256
6db650836d64350bbde2ab324407b8e474fc041098c41ecac6fd77d632a36415

SHA512
ef25c3cf4343df85954114f59933c7cc8107266c8bcac3b5ea7718eb74dbee8ca8a02da39057e6ef26b64f1dfccd720dd3bf473f5ae340ba56941e87d6b796c9

Download Submit
memory/1052-2827-0x0000000073DC0000-0x0000000073DDC000-memory.dmp

Filesize
112KB

Download
memory/1052-2853-0x0000000000170000-0x000000000046E000-memory.dmp

Filesize
3.0MB

Download
memory/1052-2871-0x0000000000170000-0x000000000046E000-memory.dmp

Filesize
3.0MB

Download
memory/1052-2877-0x0000000073A90000-0x0000000073CAC000-memory.dmp

Filesize
2.1MB

Download
memory/1052-2912-0x0000000000170000-0x000000000046E000-memory.dmp

Filesize
3.0MB

Download
memory/1052-2921-0x0000000000170000-0x000000000046E000-memory.dmp

Filesize
3.0MB

Download
memory/1052-2935-0x0000000000170000-0x000000000046E000-memory.dmp

Filesize
3.0MB

Download
memory/1052-2941-0x0000000073A90000-0x0000000073CAC000-memory.dmp

Filesize
2.1MB

Download
memory/1052-2942-0x0000000000170000-0x000000000046E000-memory.dmp

Filesize
3.0MB

Download
memory/1052-2792-0x0000000073DE0000-0x0000000073E62000-memory.dmp

Filesize
520KB

Download
memory/1052-2860-0x0000000000170000-0x000000000046E000-memory.dmp

Filesize
3.0MB

Download
memory/1052-2866-0x0000000073A90000-0x0000000073CAC000-memory.dmp

Filesize
2.1MB

Download
memory/1052-2794-0x0000000073CB0000-0x0000000073D32000-memory.dmp

Filesize
520KB

Download
memory/1052-2826-0x0000000073DE0000-0x0000000073E62000-memory.dmp

Filesize
520KB

Download
memory/1052-2795-0x0000000073A60000-0x0000000073A82000-memory.dmp

Filesize
136KB

Download
memory/1052-2828-0x0000000073D40000-0x0000000073DB7000-memory.dmp

Filesize
476KB

Download
memory/1052-2829-0x0000000073CB0000-0x0000000073D32000-memory.dmp

Filesize
520KB

Download
memory/1052-2831-0x0000000073A90000-0x0000000073CAC000-memory.dmp

Filesize
2.1MB

Download
memory/1052-2825-0x0000000000170000-0x000000000046E000-memory.dmp

Filesize
3.0MB

Download
memory/1052-2830-0x0000000073A60000-0x0000000073A82000-memory.dmp

Filesize
136KB

Download
memory/1052-2796-0x0000000000170000-0x000000000046E000-memory.dmp

Filesize
3.0MB

Download
memory/1052-2793-0x0000000073A90000-0x0000000073CAC000-memory.dmp

Filesize
2.1MB

Download
memory/5972-1378-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download