wannacry | hxxp://example[.]com

Resubmissions

19/01/2025, 11:43

250119-nv2rxswpak 10

19/01/2025, 11:39

250119-nsnsaawnbq 10

Analysis

max time kernel
164s
max time network
167s
platform
windows11-21h2_x64
resource
win11-20241023-en
resource tags

arch:x64arch:x86image:win11-20241023-enlocale:en-usos:windows11-21h2-x64system
submitted
19/01/2025, 11:39

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

http://example.com

Score

10^/10

wannacry defense_evasion discovery execution impact persistence ransomware worm

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Wannacry family
wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDACB2.tmp	[email protected]
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDAC9C.tmp	[email protected]

Executes dropped EXE 8 IoCs

pid	Process
2428	taskdl.exe
4268	@[email protected]
3444	@[email protected]
1896	taskhsvc.exe
4704	taskdl.exe
1708	taskse.exe
3140	@[email protected]
5300	taskhsvc.exe

Loads dropped DLL 8 IoCs

pid	Process
1896	taskhsvc.exe
1896	taskhsvc.exe
1896	taskhsvc.exe
1896	taskhsvc.exe
1896	taskhsvc.exe
1896	taskhsvc.exe
1896	taskhsvc.exe
1896	taskhsvc.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1272	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mhxddduoei124 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Temp1_WannaCrypt0r.zip\\tasksche.exe\""	reg.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
30	raw.githubusercontent.com
58	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "65"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings	msedge.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
4616	reg.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\WannaCrypt0r.zip:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
1984	msedge.exe
1984	msedge.exe
4924	msedge.exe
4924	msedge.exe
1860	identity_helper.exe
1860	identity_helper.exe
3916	msedge.exe
3916	msedge.exe
4420	msedge.exe
4420	msedge.exe
1896	msedge.exe
1896	msedge.exe
1896	msedge.exe
1896	msedge.exe
1896	taskhsvc.exe
1896	taskhsvc.exe
1896	taskhsvc.exe
1896	taskhsvc.exe
1896	taskhsvc.exe
1896	taskhsvc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

pid	Process
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe

Suspicious use of AdjustPrivilegeToken 47 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3184	WMIC.exe
Token: SeSecurityPrivilege	3184	WMIC.exe
Token: SeTakeOwnershipPrivilege	3184	WMIC.exe
Token: SeLoadDriverPrivilege	3184	WMIC.exe
Token: SeSystemProfilePrivilege	3184	WMIC.exe
Token: SeSystemtimePrivilege	3184	WMIC.exe
Token: SeProfSingleProcessPrivilege	3184	WMIC.exe
Token: SeIncBasePriorityPrivilege	3184	WMIC.exe
Token: SeCreatePagefilePrivilege	3184	WMIC.exe
Token: SeBackupPrivilege	3184	WMIC.exe
Token: SeRestorePrivilege	3184	WMIC.exe
Token: SeShutdownPrivilege	3184	WMIC.exe
Token: SeDebugPrivilege	3184	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3184	WMIC.exe
Token: SeRemoteShutdownPrivilege	3184	WMIC.exe
Token: SeUndockPrivilege	3184	WMIC.exe
Token: SeManageVolumePrivilege	3184	WMIC.exe
Token: 33	3184	WMIC.exe
Token: 34	3184	WMIC.exe
Token: 35	3184	WMIC.exe
Token: 36	3184	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3184	WMIC.exe
Token: SeSecurityPrivilege	3184	WMIC.exe
Token: SeTakeOwnershipPrivilege	3184	WMIC.exe
Token: SeLoadDriverPrivilege	3184	WMIC.exe
Token: SeSystemProfilePrivilege	3184	WMIC.exe
Token: SeSystemtimePrivilege	3184	WMIC.exe
Token: SeProfSingleProcessPrivilege	3184	WMIC.exe
Token: SeIncBasePriorityPrivilege	3184	WMIC.exe
Token: SeCreatePagefilePrivilege	3184	WMIC.exe
Token: SeBackupPrivilege	3184	WMIC.exe
Token: SeRestorePrivilege	3184	WMIC.exe
Token: SeShutdownPrivilege	3184	WMIC.exe
Token: SeDebugPrivilege	3184	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3184	WMIC.exe
Token: SeRemoteShutdownPrivilege	3184	WMIC.exe
Token: SeUndockPrivilege	3184	WMIC.exe
Token: SeManageVolumePrivilege	3184	WMIC.exe
Token: 33	3184	WMIC.exe
Token: 34	3184	WMIC.exe
Token: 35	3184	WMIC.exe
Token: 36	3184	WMIC.exe
Token: SeBackupPrivilege	4136	vssvc.exe
Token: SeRestorePrivilege	4136	vssvc.exe
Token: SeAuditPrivilege	4136	vssvc.exe
Token: SeTcbPrivilege	1708	taskse.exe
Token: SeTcbPrivilege	1708	taskse.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe
4924	msedge.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
4268	@[email protected]
3444	@[email protected]
4268	@[email protected]
3444	@[email protected]
3140	@[email protected]
3140	@[email protected]
4304	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4924 wrote to memory of 872	4924	msedge.exe	77
PID 4924 wrote to memory of 872	4924	msedge.exe	77
PID 4924 wrote to memory of 1996	4924	msedge.exe	78
PID 4924 wrote to memory of 1996	4924	msedge.exe	78
PID 4924 wrote to memory of 1996	4924	msedge.exe	78
PID 4924 wrote to memory of 1996	4924	msedge.exe	78
PID 4924 wrote to memory of 1996	4924	msedge.exe	78
PID 4924 wrote to memory of 1996	4924	msedge.exe	78
PID 4924 wrote to memory of 1996	4924	msedge.exe	78
PID 4924 wrote to memory of 1996	4924	msedge.exe	78
PID 4924 wrote to memory of 1996	4924	msedge.exe	78
PID 4924 wrote to memory of 1996	4924	msedge.exe	78
PID 4924 wrote to memory of 1996	4924	msedge.exe	78
PID 4924 wrote to memory of 1996	4924	msedge.exe	78
PID 4924 wrote to memory of 1996	4924	msedge.exe	78
PID 4924 wrote to memory of 1996	4924	msedge.exe	78
PID 4924 wrote to memory of 1996	4924	msedge.exe	78
PID 4924 wrote to memory of 1996	4924	msedge.exe	78
PID 4924 wrote to memory of 1996	4924	msedge.exe	78
PID 4924 wrote to memory of 1996	4924	msedge.exe	78
PID 4924 wrote to memory of 1996	4924	msedge.exe	78
PID 4924 wrote to memory of 1996	4924	msedge.exe	78
PID 4924 wrote to memory of 1996	4924	msedge.exe	78
PID 4924 wrote to memory of 1996	4924	msedge.exe	78
PID 4924 wrote to memory of 1996	4924	msedge.exe	78
PID 4924 wrote to memory of 1996	4924	msedge.exe	78
PID 4924 wrote to memory of 1996	4924	msedge.exe	78
PID 4924 wrote to memory of 1996	4924	msedge.exe	78
PID 4924 wrote to memory of 1996	4924	msedge.exe	78
PID 4924 wrote to memory of 1996	4924	msedge.exe	78
PID 4924 wrote to memory of 1996	4924	msedge.exe	78
PID 4924 wrote to memory of 1996	4924	msedge.exe	78
PID 4924 wrote to memory of 1996	4924	msedge.exe	78
PID 4924 wrote to memory of 1996	4924	msedge.exe	78
PID 4924 wrote to memory of 1996	4924	msedge.exe	78
PID 4924 wrote to memory of 1996	4924	msedge.exe	78
PID 4924 wrote to memory of 1996	4924	msedge.exe	78
PID 4924 wrote to memory of 1996	4924	msedge.exe	78
PID 4924 wrote to memory of 1996	4924	msedge.exe	78
PID 4924 wrote to memory of 1996	4924	msedge.exe	78
PID 4924 wrote to memory of 1996	4924	msedge.exe	78
PID 4924 wrote to memory of 1996	4924	msedge.exe	78
PID 4924 wrote to memory of 1984	4924	msedge.exe	79
PID 4924 wrote to memory of 1984	4924	msedge.exe	79
PID 4924 wrote to memory of 796	4924	msedge.exe	80
PID 4924 wrote to memory of 796	4924	msedge.exe	80
PID 4924 wrote to memory of 796	4924	msedge.exe	80
PID 4924 wrote to memory of 796	4924	msedge.exe	80
PID 4924 wrote to memory of 796	4924	msedge.exe	80
PID 4924 wrote to memory of 796	4924	msedge.exe	80
PID 4924 wrote to memory of 796	4924	msedge.exe	80
PID 4924 wrote to memory of 796	4924	msedge.exe	80
PID 4924 wrote to memory of 796	4924	msedge.exe	80
PID 4924 wrote to memory of 796	4924	msedge.exe	80
PID 4924 wrote to memory of 796	4924	msedge.exe	80
PID 4924 wrote to memory of 796	4924	msedge.exe	80
PID 4924 wrote to memory of 796	4924	msedge.exe	80
PID 4924 wrote to memory of 796	4924	msedge.exe	80
PID 4924 wrote to memory of 796	4924	msedge.exe	80
PID 4924 wrote to memory of 796	4924	msedge.exe	80
PID 4924 wrote to memory of 796	4924	msedge.exe	80
PID 4924 wrote to memory of 796	4924	msedge.exe	80
PID 4924 wrote to memory of 796	4924	msedge.exe	80
PID 4924 wrote to memory of 796	4924	msedge.exe	80

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4732	attrib.exe
4084	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://example.com
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff3a0b3cb8,0x7fff3a0b3cc8,0x7fff3a0b3cd8
  2⤵
  PID:872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,10487553058153972017,11941640283134499705,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2080 /prefetch:2
  2⤵
  PID:1996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,10487553058153972017,11941640283134499705,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2060,10487553058153972017,11941640283134499705,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2468 /prefetch:8
  2⤵
  PID:796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,10487553058153972017,11941640283134499705,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1
  2⤵
  PID:4708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,10487553058153972017,11941640283134499705,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
  2⤵
  PID:5008
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,10487553058153972017,11941640283134499705,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5744 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2060,10487553058153972017,11941640283134499705,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5556 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,10487553058153972017,11941640283134499705,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5816 /prefetch:1
  2⤵
  PID:1032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,10487553058153972017,11941640283134499705,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5924 /prefetch:1
  2⤵
  PID:3820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,10487553058153972017,11941640283134499705,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1
  2⤵
  PID:3688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,10487553058153972017,11941640283134499705,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4040 /prefetch:1
  2⤵
  PID:4580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,10487553058153972017,11941640283134499705,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:1
  2⤵
  PID:4804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,10487553058153972017,11941640283134499705,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:2864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2060,10487553058153972017,11941640283134499705,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5428 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,10487553058153972017,11941640283134499705,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1
  2⤵
  PID:4616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,10487553058153972017,11941640283134499705,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:1
  2⤵
  PID:2376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,10487553058153972017,11941640283134499705,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6372 /prefetch:1
  2⤵
  PID:2388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,10487553058153972017,11941640283134499705,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6284 /prefetch:1
  2⤵
  PID:1784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,10487553058153972017,11941640283134499705,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4820 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1896

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1432

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1764

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2824

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\[email protected]
"C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\[email protected]"
1⤵
- Drops startup file
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
PID:1280
- C:\Windows\SysWOW64\attrib.exe
  attrib +h .
  2⤵
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:4732
- C:\Windows\SysWOW64\icacls.exe
  icacls . /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  - System Location Discovery: System Language Discovery
  PID:1272
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2428
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 303191737286923.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:948
- - C:\Windows\SysWOW64\cscript.exe
    cscript.exe //nologo m.vbs
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2008
- C:\Windows\SysWOW64\attrib.exe
  attrib +h +s F:\$RECYCLE
  2⤵
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:4084
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  @[email protected] co
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4268
- - C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\TaskData\Tor\taskhsvc.exe
    TaskData\Tor\taskhsvc.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1896
- - C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\TaskData\Tor\taskhsvc.exe
    TaskData\Tor\taskhsvc.exe
    3⤵
    - Executes dropped EXE
    PID:5300
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c start /b @[email protected] vs
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1728
- - C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
    @[email protected] vs
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3444
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
      4⤵
      System Location Discovery: System Language Discovery
      PID:3996
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3184
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4704
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1708
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3140
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "mhxddduoei124" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\tasksche.exe\"" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1116
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "mhxddduoei124" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\tasksche.exe\"" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:4616

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4136

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3a23855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\@[email protected]

Filesize
1KB

MD5
64f25e171c12a2dc5af2e9dd981000fc

SHA1
8babd9890775a333f60949429dc30542ec217daf

SHA256
06e4d0b26cd90c767eb0ad6e11901c29be90af3bde18d752da9211cc48f3d6e6

SHA512
c8f119b35d0cc1c1cb6c9eebaf7d24f0b548b8ea863f6834203869d888b5d3ddf21230f697e6e37005a68f23f828660ced9eb9c938123d33a69e8a3bd7119bd1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5431d6602455a6db6e087223dd47f600

SHA1
27255756dfecd4e0afe4f1185e7708a3d07dea6e

SHA256
7502d9453168c86631fb40ec90567bf80404615d387afc7ec2beb7a075bcc763

SHA512
868f6dcf32ef80459f3ea122b0d2c79191193b5885c86934a97bfec7e64250e10c23e4d00f34c6c2387a04a15f3f266af96e571bbe37077fb374d6d30f35b829

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7bed1eca5620a49f52232fd55246d09a

SHA1
e429d9d401099a1917a6fb31ab2cf65fcee22030

SHA256
49c484f08c5e22ee6bec6d23681b26b0426ee37b54020f823a2908ab7d0d805e

SHA512
afc8f0b5b95d593f863ad32186d1af4ca333710bcfba86416800e79528616e7b15f8813a20c2cfa9d13688c151bf8c85db454a9eb5c956d6e49db84b4b222ee8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
3146c4b7112b82ffa18496d48df3ca84

SHA1
01abc9e3848d37a7df64b02b9487e07acec6d2b6

SHA256
7862e00d048235cf885804335e5c59519798ba117ae7ea371c0cbe8c0afc83cc

SHA512
82fe7629519ee17fec6032ea68f884ddc3135dba713a4329e932c7a3bbf74437a83d78f13b645f40006ef2f06ee4efc8e643cb912fe99137f310e43dde1fd0f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
fdf4cf1fedae03381614c15dbb602800

SHA1
43ab46484bace63ecfabb55d34a243b389635a67

SHA256
cce2a58c7e8a99c87f77e7e98e7fa7e01e4b77ae6e5bcc4115cd58f9fa38b8f5

SHA512
a58dc93b158088d8ee8d64c23caf488cb0fc7b31feddcb16be709a1112925622e7df38bc161c031bba2b1c8a046bbdf49ff2bcfccb42cfa579fc072ad29e3a7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
bee33c4b5e245ee9bb85d899d9341422

SHA1
0384398ec3785c9ae7fc3c77992b59757a71530e

SHA256
b31f0ee203ed24aeb7034e6aac99032d3db16d3d955c8489c8f1f38b8546f213

SHA512
4c2477c8a89ba7de366c1d70779b78f1873c308faa69a6c411bd1228a211d9dcbb18d96ad6f145d94d22f22cf6d00296683968ee2968c5aef91560bae5d4ffc4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
423a8a64d0d65543bf17df4b950b0653

SHA1
fee26bf43146d1772d5c94efc6c8fb87aa972a7a

SHA256
fc617cca3ac83346522a3c1993f589ff0c0eb97932e5f7fd674fb2ae6d811c0b

SHA512
9f8098871c1fba04768599686273d9818dab67c41b85c4fc11ae26ff4d46011008a1b22c00666710ee7715c02004d150d994eb2af86d7b1b23e91763c25b6545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
98e5308f05c828c0a9449ec14d1464df

SHA1
367f61f80e64ed7e121d25295973691c610bcc83

SHA256
4fa4cab64e689da5e83077b573eaa4c5ab3ed073cca556a5ce598ef4709deaaa

SHA512
312c08e620c98552695eaf055075aa4df2af80f8971ed38eb70e1fb0ccc97da221b300038ee0728f62fa781eafa94bd13fc88e0732f753cdbc83100a3db0ec47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
eb2f73c5f24d4206f3a64bcfeb80ace4

SHA1
f4abe3330cef6ebea0a68d3258e3dbd57e870f01

SHA256
e45043f893e87be4fa65bd424fd3cad5aa8e4af65137dc1a5250b9693979a5b1

SHA512
d657a01dbaa362d3f58ca5969e7d3d23ab14e036a425ecb52777ba700b2473ad60f63127465953c8d7ee6b8360216050308018a7c039587a4941db9d6c24071e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
0c03ff177053fd30bdb8bf74a2511127

SHA1
96136d92911232d3bb6c010b35330a7b55473949

SHA256
f77339c5ac6b58db8fc230967127249b51498b9262a297b76ee41fa27ac66f31

SHA512
b366e800d1e477954a0c8992f17434eac366f3112fb0fef5fed0796f1fcba3263d6cc5e5bb593a288c85e77c10b5347ddb652033957f871eb5ca99b741b3c587

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
71442b65561b15f757a4f86e9e70981a

SHA1
0a5de3c8632515804be1131a657797649f8d440b

SHA256
3b72fe80182855a0e6f1a765a9d2576e9f59bb306a192d978ef09af9967f933f

SHA512
d70bf24bc7f7cf333f6469d9b982ef438feb896c708251f539a78b732268d4f17642355ad6f28a43ccd356bebe01f69d496b4a70324fa40cbd8eef54c2b48d5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe586721.TMP

Filesize
1KB

MD5
a5d6e9eb6a814268ae854b4890063073

SHA1
547351d20365324baa808d92bd692f6b40223b56

SHA256
a01990e91d9f3b819421f5bb763fba959980c5ba95a235843cf8932f0c4e0404

SHA512
9b4d7710ddadc19b8828e48bdeeab680c736465a2e5c63751170b742338a2e69effb808c8dc8511fd98fb4551d8025df8d0ee020919e6f71701eea2ea5b7a85f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
365d3cf348ad5513812d5b078fda0898

SHA1
6075ccdaf052ba3eb19bab8683d9084d8065ad17

SHA256
7474f198eb4fedd20110c8acf7a747fdeac01ec303581962b8785f7cff168542

SHA512
0586906f6893df94696bbd00668191d106aa9c5102a60348f3aa78b35e3889b18e20015336e684bb4e956bb94ac049ce0fa86bd013c98572d4f9f0ed36025f71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
cf0683e4e85da7fda407da9b73b8fe45

SHA1
d233a392914b1151035bb60173caa95e2ebda431

SHA256
517894bd686494771928d0f78f28c4c9460477d0996c98590b3261d6e5fbf0b6

SHA512
1c9cdea15b881a0352c52f8349fe67ac9c3829545b0d819dfab1ac98652a8f70978442cff4a43a396b762d512aa2a3a26d4c5e3a3f8ee4391b967e94d2354e69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
f4859ef80a0b348049a003f44dde0c0d

SHA1
c02f53e08cfedc069afa20b4cc2392882dd4df6f

SHA256
1d168ca49f970ad339f834a850b08ea3bddc31a6bc5b5d4c87f849aa0356b781

SHA512
c1b3089f6fe7fdb5b582a0fdf33eb981c2e642ee3a840004bf1c0cb93edc02c50c7e60cfd7a560ae43183677317a3395ab2e61c9b972d7b5b1545ea7d7be7997

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]

Filesize
933B

MD5
f97d2e6f8d820dbd3b66f21137de4f09

SHA1
596799b75b5d60aa9cd45646f68e9c0bd06df252

SHA256
0e5ece918132a2b1a190906e74becb8e4ced36eec9f9d1c70f5da72ac4c6b92a

SHA512
efda21d83464a6a32fdeef93152ffd32a648130754fdd3635f7ff61cc1664f7fc050900f0f871b0ddd3a3846222bf62ab5df8eed42610a76be66fff5f7b4c4c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]

Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\TaskData\Tor\tor.exe

Filesize
3.0MB

MD5
fe7eb54691ad6e6af77f8a9a0b6de26d

SHA1
53912d33bec3375153b7e4e68b78d66dab62671a

SHA256
e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb

SHA512
8ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\b.wnry

Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\c.wnry

Filesize
780B

MD5
383a85eab6ecda319bfddd82416fc6c2

SHA1
2a9324e1d02c3e41582bf5370043d8afeb02ba6f

SHA256
079ce1041cbffe18ff62a2b4a33711eda40f680d0b1d3b551db47e39a6390b21

SHA512
c661e0b3c175d31b365362e52d7b152267a15d59517a4bcc493329be20b23d0e4eb62d1ba80bb96447eeaf91a6901f4b34bf173b4ab6f90d4111ea97c87c1252

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_bulgarian.wnry

Filesize
46KB

MD5
95673b0f968c0f55b32204361940d184

SHA1
81e427d15a1a826b93e91c3d2fa65221c8ca9cff

SHA256
40b37e7b80cf678d7dd302aaf41b88135ade6ddf44d89bdba19cf171564444bd

SHA512
7601f1883edbb4150a9dc17084012323b3bfa66f6d19d3d0355cf82b6a1c9dce475d758da18b6d17a8b321bf6fca20915224dbaedcb3f4d16abfaf7a5fc21b92

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_chinese (simplified).wnry

Filesize
53KB

MD5
0252d45ca21c8e43c9742285c48e91ad

SHA1
5c14551d2736eef3a1c1970cc492206e531703c1

SHA256
845d0e178aeebd6c7e2a2e9697b2bf6cf02028c50c288b3ba88fe2918ea2834a

SHA512
1bfcf6c0e7c977d777f12bd20ac347630999c4d99bd706b40de7ff8f2f52e02560d68093142cc93722095657807a1480ce3fb6a2e000c488550548c497998755

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_chinese (traditional).wnry

Filesize
77KB

MD5
2efc3690d67cd073a9406a25005f7cea

SHA1
52c07f98870eabace6ec370b7eb562751e8067e9

SHA256
5c7f6ad1ec4bc2c8e2c9c126633215daba7de731ac8b12be10ca157417c97f3a

SHA512
0766c58e64d9cda5328e00b86f8482316e944aa2c26523a3c37289e22c34be4b70937033bebdb217f675e40db9fecdce0a0d516f9065a170e28286c2d218487c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_croatian.wnry

Filesize
38KB

MD5
17194003fa70ce477326ce2f6deeb270

SHA1
e325988f68d327743926ea317abb9882f347fa73

SHA256
3f33734b2d34cce83936ce99c3494cd845f1d2c02d7f6da31d42dfc1ca15a171

SHA512
dcf4ccf0b352a8b271827b3b8e181f7d6502ca0f8c9dda3dc6e53441bb4ae6e77b49c9c947cc3ede0bf323f09140a0c068a907f3c23ea2a8495d1ad96820051c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_czech.wnry

Filesize
39KB

MD5
537efeecdfa94cc421e58fd82a58ba9e

SHA1
3609456e16bc16ba447979f3aa69221290ec17d0

SHA256
5afa4753afa048c6d6c39327ce674f27f5f6e5d3f2a060b7a8aed61725481150

SHA512
e007786ffa09ccd5a24e5c6504c8de444929a2faaafad3712367c05615b7e1b0fbf7fbfff7028ed3f832ce226957390d8bf54308870e9ed597948a838da1137b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_finnish.wnry

Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

Filesize
11.3MB

MD5
a6c259915012001528585bd297bf7324

SHA1
6e7e757b1d8d57ee055469a20fe954982f124893

SHA256
0c23d59c4dc890879201c4e1eda6c2ab82e1fb280dd299e527f50201b4a8c10d

SHA512
0a7340eaa65bd9256c794ff0c11ec25c8f34be7ca509df5bb210df6dc45dcaf31e7e237d557a319b08b937f4b1c555605c4742033089c022c4d80dbc4f2c4e3a

Download Submit
C:\Users\Admin\Downloads\AssertConvertFrom.cmd

Filesize
585KB

MD5
21789218f53c1cd4afeeb52c2d58ef2e

SHA1
aa2d606cea6644ad8be0d5a5d7e08684b2375a3f

SHA256
b80a3a3421cdc2a96ae20bde971bfe9d2c9c06373c327dd56c0da46b9c8922cf

SHA512
d3e53b2ccae63997f2f3047b256d08c38611ee689907177807b7656d70099b10d5740a305b7d044a59cb1b488d68d41b218bbefadbd90fbd27df1ff74ee90ec8

Download Submit
C:\Users\Admin\Downloads\AssertStop.ADT

Filesize
531KB

MD5
78e823ae99c0602ab5a52b9c3dfe8295

SHA1
e4ff8068582e13c86a464975611181d3ed03ad62

SHA256
4ae1a70a6bbe61e31f5cc7efc1d2fce2757d82974c2b6a530fbb8586d52527b9

SHA512
ad83099c65fa2538d1267ecf21b634dd3ea3b69fb082bbc529894d6794f794a703f9c441547746e5104f3349f2cac53e5301496057f2a39c11118bd2495ba721

Download Submit
C:\Users\Admin\Downloads\BlockHide.temp

Filesize
491KB

MD5
58de570b208b0dd84b1f5e81c477b1f2

SHA1
87886f1e93d14594388c0e39b7f340a2c30a156f

SHA256
c56f8ed503ee89ef5e5e194da25b1dafea62f790173f9845cd94eeaab8119fad

SHA512
ee055de0a3a420afd7b13cf35476ce55c74a62bbbe2b3247560565a7c81506d670dd43fbc92d736c13f0f03b015cd45aa267a42a849b7b830ab178d04ae4473d

Download Submit
C:\Users\Admin\Downloads\CheckpointConnect.tiff

Filesize
1.0MB

MD5
32231dff2173f4aa7fcf02b18ffeb085

SHA1
0ffa6ec11ce7ee7cdae051150a178bd59a631336

SHA256
c09c853e11788c5882e27c04a3e1ddf1cf099779d2577d9cba73042363ddc0ab

SHA512
3d6848dd969fa1cf73f938dc74e5bfbab3bade8c1221e5274c6c2c1a03392217f48ee9f7ac5d39ae0c312b353eb49d0ad07d8a12b4659d86764a918b2efb2f31

Download Submit
C:\Users\Admin\Downloads\CheckpointGroup.rm

Filesize
464KB

MD5
7280b7a1c7abb33c7502850b34e91bf7

SHA1
b843940e1cb405b5b6b1df1289f6ed3599339442

SHA256
0fea7ac40d0b7078cf8d295fd8240d9b12ba30e6e6ae739399f604bb98b9301a

SHA512
b3b4fec03fdae23f5ecfb4ef0163d90031cb46e42582ae4ec451518756e3b5d35f1ca10e497d2eac3ef959abb63add8319a6c2e32ef743d4705a249a705d2fe5

Download Submit
C:\Users\Admin\Downloads\CompressTrace.wm

Filesize
612KB

MD5
c33a3d3706f8963c6f731fd9d2e30c0b

SHA1
242ecad78529fd024effb2c15ebea0c02415a4a3

SHA256
8758e3e95b1ee6ff4ea4cd476d16916893477296704810805f029c72b3b59399

SHA512
54da84144df0c1668db2f0d0a075f4c03b81d98ef9f430865f9953f5833cb80e7f0724c5aa9d1e842b170c5619921d9d2ed018a6fb133862194df98acb19f883

Download Submit
C:\Users\Admin\Downloads\CompressWrite.sql

Filesize
302KB

MD5
33a7bdc13554432f1ac82f46bb144646

SHA1
75947d2c0b9ee0acc5acd26ff67b5ba26328977c

SHA256
d5ff5a1684a94a39748092bd85aecda179fffb7dba8cb7460f8e42c36f11c1c2

SHA512
75139b031d06e73a5e6b7e90e42ed0043a3f574e2ce9134000cd8cbdc1243db0eb62555fded7ad2ff33c10ba7caede2a3f4208b895969793c345029db8258935

Download Submit
C:\Users\Admin\Downloads\ConvertFromUnpublish.txt

Filesize
329KB

MD5
1b69ffb622a81cd2ad086c35a3295eb6

SHA1
dde7b7545c7683a67e8fffe30a02b5001aa9d994

SHA256
c5a1446ab0cad0b63ecd5f6bd7ca60a31803f82b674cbc771a6aa9da3b84ba65

SHA512
ed1d61d2002a35da855e88fc1b4c6fec6ba53ee0a3c320242f41913ea706c735fe865b78cccbc3c456e1200a8ad8cf5f1e13e1f5348a707cbce0d550ae138a6f

Download Submit
C:\Users\Admin\Downloads\ConvertToEnable.htm

Filesize
478KB

MD5
8086ae24d124fe3ff2fa1588789d4b13

SHA1
9b1011c48f199e5801e530e38a56a669a5a57f61

SHA256
102d13407c5a20edc5a5c056d09cfee2cb0645264c0d1a62d6b9da699de5e26a

SHA512
1a25f3c27151f5bfc6ddf1626caaa2e868de87c51bd1be65dcc1a123c42af1a174b63f3d45123667e739b34e3cdf8ccf268c182ef3e432376527ebf024587b94

Download Submit
C:\Users\Admin\Downloads\ConvertToUndo.lnk

Filesize
558KB

MD5
9d9b2e51d11c81f7001900901075d2b1

SHA1
4209a05798522daca9a76e61514cb13ebe534b56

SHA256
a78dad421474b55b8bc2881777108449cb519a69fabb8305ff84668c8a147ab4

SHA512
9b502393a6c069d73e1db6fd2572abf04455b2fb3555b51cc138e233f57cbcfd1ac80857f75ae1f03543074806a5a1e9b647fdb3eb3928b3062275f9e6b0db44

Download Submit
C:\Users\Admin\Downloads\DenyStep.doc

Filesize
720KB

MD5
e712ee834349c1107130755e2418a479

SHA1
f413d4f1bfbd42cbdd8ee3e939fb5a6bfd95dd81

SHA256
b24a96c9b3644afad63adb87d4f0e01db5597821272debf2f5bff1eb993f533b

SHA512
1ca96d7ce0c9e1dee6c08a18932c8330cf9d612939507a47ea418bb5b4ccebaf8a79e2a1fa2d63d1f5e0d9eaa0db18cd7bb281a4659c03b31c3bbd41b095ecb5

Download Submit
C:\Users\Admin\Downloads\EnterRestart.zip

Filesize
733KB

MD5
928b9d844e85b35ff4ea062a05794364

SHA1
b18065c1e47213b4a9314cd5a94b3addc0785b0b

SHA256
98f70124303dee416830402bbd02556db68889a7888a4379a21b229dbdf265cd

SHA512
7b8ee103e05dfad8a27b713793508d96b8a135692b7409408a865dab9c2e058895401ec975d6bada8dfefaa976ea7aed5e3692fdd1f8a24f866b8e282bbe55e5

Download Submit
C:\Users\Admin\Downloads\FindSplit.bmp

Filesize
599KB

MD5
c6d8c8bedb6e1addc2a05d21192cf62d

SHA1
801813bd4a3a195665247a3680d5fd44672f1236

SHA256
507bf60e7667fec75a0743b845b0895b162b4a57711b30ae4f8fb2e4674535f5

SHA512
d31ead2ba742f2b1c28c9c950e29982d30b82a722fb2ac85d206bb6aa6b11241429ff0234bedfc79ff058559d19b98606483676f12a3dd1c5f811b5563b5d210

Download Submit
C:\Users\Admin\Downloads\GetAssert.docx

Filesize
343KB

MD5
1f58b8bd93ff15fb48e02d9fa8601918

SHA1
d1c2201798c138e525d345a26534544f94cec6b0

SHA256
048a4837b143f89aac5ba0e03c7b5f1a1bc4e678407dad476ad4eaa4005f4784

SHA512
1774c8e12241c164e230f9f5ca834048cf6f235b2925b9ec82dd78f858bb0da47e6b0a15949cbe2662a5a1ee719340b606ce10d9160c710169e157c7544b81e0

Download Submit
C:\Users\Admin\Downloads\GetConvert.mhtml

Filesize
316KB

MD5
f6585ad9371f90dd63f61312645c374f

SHA1
036e46b6efbfe047794e6c4a403b8efeeb204ba3

SHA256
2fc51a499c6391caa10d45e1ccb845060c8983ce3c210fbac7d4049852e47ad9

SHA512
1cbc51bffa1a5f25edfef214f56649a95952fb74e7d3d1ae502e531d915629ad9dd7a233f7b95abb1c50d0b0a77de51c300748b9375b06796b71805acd30827c

Download Submit
C:\Users\Admin\Downloads\GrantUnregister.mpeg

Filesize
572KB

MD5
954857a98297705016c4da35c6dc44d7

SHA1
edb2403f8701122678f7865945c3b292b7061019

SHA256
bedc324828868f7ef05c7ca5057f89f1e09da4e70cf87ef0f2c5c470839e5b80

SHA512
e85b8e23b1eba8b2c1bbde19d43faf63f876f4d4941f54c4d6ca84639955729eed29f883b55ea19c38bdfbb8cd6bf8ef2cb2da50c3f745fe41cfdaf1ff205e5a

Download Submit
C:\Users\Admin\Downloads\ImportShow.pub

Filesize
289KB

MD5
dcf20b923160edadf813af21fa48955e

SHA1
1be21bd1d289b9fac937f7054515393417a43978

SHA256
a2589837ba14bf74662b11bcc254fcb502baf27860f2bd9eaf1bb4648e77fc69

SHA512
e22f4250e31f69488d5d764dfd66275d49be9f5fde4c49b951b120386c83452361ec524f8ea43e3921ddaba0dcbbe55523e701be525802ff9f99348f9c3357ea

Download Submit
C:\Users\Admin\Downloads\InitializeUnpublish.mpeg

Filesize
410KB

MD5
7b34bab001da91145932847c2268ccbf

SHA1
07f478cd6300b7d6e9909a59e9c63c3e5579a844

SHA256
f5360bc84094f7df3c7863186ea1cc511109a380a782d6593618f5bc83197bf3

SHA512
bddc2722096b3cfc379bf847feb8024a75eb0e5bf73d969bb42522f3764192995e8373c9f6b545cbbc363245fac8581a765e3206c2c432ac775501e7185fe302

Download Submit
C:\Users\Admin\Downloads\InstallConfirm.ods

Filesize
356KB

MD5
a47a417233341a11bd10a434a147217d

SHA1
736e787fbc2a484ec04f4a4a74a8a0cba50a2fe2

SHA256
8272f2e7d389a6a47fbf018435020d0fe133dc1eabf99b36782693ccae269d5b

SHA512
b731a7f571dc44fec4aa02e46a03f24b1c826c631d25f67a046dee13665a1ee7b97dcd1ba8f9d60d3f4c281a096c8de5e64f8342330e516d758b8e707c71a096

Download Submit
C:\Users\Admin\Downloads\MeasureSplit.emz

Filesize
451KB

MD5
9c6578b02820037cbd3a29cc6bb0e21b

SHA1
777407eb84e8892a1aa1f33cf734ea09aa699fcf

SHA256
ec42f561dc11023d07776189c01e98fcc43762250f0c4927069de086f0541aa9

SHA512
7d90ed54b10d2965080c8d4d8322145437421b943c9aec26c1adb0a9b6b1148365fc5b219b87d209a33bbe9ada32736fb0ea17387767ad3c5ff5ade75c450108

Download Submit
C:\Users\Admin\Downloads\MoveTrace.wm

Filesize
397KB

MD5
54d506505657675488cca2a3eb3d79c6

SHA1
83aa27022fce9df1677fc520d89575f91b608537

SHA256
b8aff280fe3dff0364ca5878e368341a404d2628c8519d327aeeaac1db473daa

SHA512
1f7ba6d5f7d894a278ce29d28f29b5ba3123d4740679db48e94859b7339b37a2a7a14d945e8c6c0f12011347c3bda4c18ad1bcae0337bb47985a6479d5939ebf

Download Submit
C:\Users\Admin\Downloads\NewAdd.dotx

Filesize
626KB

MD5
01e28a72d305b951e113da52b3a25673

SHA1
90b71a010117eef6dd28dbac6f2961ddcb2f7a95

SHA256
660785068ed5dd8fd04ecd3b810905c18aa86b686566744bab012895dcddfe5a

SHA512
8448b5d37bad09d622cfe158bc85ee30fcc41fc9f383dd905c6fc9ed725ce2b34ad511267ce73f7305d0ef215a3ef9966ba05bfa5bf9476923d5828f2d3ddf01

Download Submit
C:\Users\Admin\Downloads\NewApprove.tiff

Filesize
666KB

MD5
95c9daaaf5e5dc61b09ba9c938c76c13

SHA1
9711760b59fd1e7386dbe9ccb281250a6d15da74

SHA256
7e98d8689c9b21827508e35f2342371d385ab11cef525d58657968bb09a08c67

SHA512
48d91145f79878a8dd9a14935120a75d200c80850217f601fbeb2e713399036dfaac711f60202b762c781a6e0d23028528fe92f68cf2e9c3b496befa6937a7a7

Download Submit
C:\Users\Admin\Downloads\PopExpand.dxf

Filesize
504KB

MD5
98d91a45ef0e22508392b36d82c49606

SHA1
a5c7b0290f09917b5a83279b8b63ac678516e17a

SHA256
bba7494ce72d8aaadbae61d8c1a515d9644c04ff9858ecd99bb72e03d97a38c7

SHA512
094fb38853af0411319061d1645ad9c7365c87c66a27f7a55106c2a9bffa8b840ba6b9de20b174aa4eebe2f92f52cd02eea1bb5d3227e75b06e0cd3e14116b05

Download Submit
C:\Users\Admin\Downloads\RequestCompress.xlsm

Filesize
639KB

MD5
c9647bf11c2d172a1d2cccba4f231102

SHA1
3df9670a1647248eacb94b7230f82ca4e926e1c0

SHA256
03f43c474de765b083e85af927604f1512f9f60f4757d0c06ec4f67dbdb62d50

SHA512
9e2d4b77f383a6c02512f26fec23fa88d0b8b2386218349b4e4858059cbfec76a8b58b840999bd742595353f131e277d9119909a3c55368a6e7c03b8bf2ca8ac

Download Submit
C:\Users\Admin\Downloads\SearchConnect.ex_

Filesize
437KB

MD5
7f6ff951c7c0f7203f4268f55eb1776c

SHA1
35b721705c5c7eee39cb0fbe30c084848d6931b0

SHA256
ffe5b082ac802425e40a259b1a16033e5eb6426f57d6e90dd5bb9d6c711d5942

SHA512
6cfe49125844a5f8b0e6c8ca35f74c51034bb355060e1eeb4cfa337338a3ba5e5bde55e40334b00f5ce70a48f4f9ed476fcd93374d1821cd58f67b52da01ac0c

Download Submit
C:\Users\Admin\Downloads\SelectSet.docm

Filesize
693KB

MD5
fd907af45d59870451fecb68512e8fb1

SHA1
a0a0fc01145d2094d00812ef648b6cedd2b5f8a0

SHA256
c74e4cb5fd58b2303534d7d71e3989f36e72aca6524b3d2d4228b259ca0f8000

SHA512
d51b70f0b8916555202393f8f079bcb2246f0c874a9a65d3e7addcf552a10fb9ed59fbcb57e59776b7bd44eed60199b7ff552266638be691a4ee0d456a89dd4a

Download Submit
C:\Users\Admin\Downloads\SendUnregister.mp3

Filesize
653KB

MD5
7f26555516d2398c92a5d884d2ad4f0f

SHA1
4719f3537a8bfe46b20b2f8f7819a604c44ca300

SHA256
6980eedbb44c4610ed7febd948c6dca36fcae754416fe2d30f589970da22e519

SHA512
6f24d4d7a766257e746d55020d43e6ffa921c78d63cc5ea57c6c1f0d85484932346e13d3ad778d3adcd86eeb308c05c60ab8f184617ca237de293119600104f7

Download Submit
C:\Users\Admin\Downloads\SkipResume.m4a

Filesize
747KB

MD5
0cc7f5f6093da8ae8c89af163ada0778

SHA1
7445b6559ed45842ffb4c66a5b7652d55f8cb375

SHA256
48c1ac3c980e90f746bb73308ec1b364eec3fad9e1f9b1b919e057494c32493e

SHA512
10cfe032086cf0a13c8f8e8d0746b8c6bfbe6afb52542fc1f54b1cd72209301c3aa8a1368853ad93d173f4fa1cafbcc50492c97c026c0542e88cf63a0196d309

Download Submit
C:\Users\Admin\Downloads\SplitUnlock.cr2

Filesize
706KB

MD5
3d71ac9310ba9c2904fac1c17a60952e

SHA1
d2a28a5916acc8e79b0e330ffb3bdf17e02cb583

SHA256
7b63705a9717f8f15c9094dd5692c58b4e5ac6910b7450cab2bbd9ad86fdba32

SHA512
4bd58d4a11d5ff8b29dba6b7b6d2bb7213ea1b334411c73616cc73d0a8963558c2c4d56fb6cb9933eb1c07238bb39ee80f80c03b892b4d5d48ab4f3ae5faa63d

Download Submit
C:\Users\Admin\Downloads\SubmitConvertTo.png

Filesize
760KB

MD5
37e3ce7b5a15fb09b4be737ea1ad5a3f

SHA1
3064578a831b8963ce27e895d3c834a03824ccf8

SHA256
5c08426fe0404bd7ffaf4fd410754285c07e6914d43fda0f6053540dfac0760c

SHA512
5c4c9c7811921ddfff57d7303b9511835ae98ae8932292bc3f3d10da86a97878d5eee4dc19943a8d1df9fce11eddea18bfd4b539aceb31d5e5fd261019e6fd35

Download Submit
C:\Users\Admin\Downloads\SubmitReset.vsdx

Filesize
262KB

MD5
587ad97df619ed5211c7fafc91625b98

SHA1
29dff7d2abed31bc64d644f471bfaae3971f9cdb

SHA256
0a729ff4a39fcc6705c51af9a3bc45904729bd7ec144ed76b1ee5c336c05d87b

SHA512
0b436fd66e9b5536da1d36311cdfd897c47bab7dfaadf4a31f624b5b5026a92d1455efb4c883dd9ef1578c99154edf15be9fcbd11b42f9e673a0c21f549070a6

Download Submit
C:\Users\Admin\Downloads\UndoSkip.aifc

Filesize
679KB

MD5
7e025cabb573d58949c4cd3e5d08d276

SHA1
dd3404e145181a331ec177b101bbd69fa5edb901

SHA256
66781d1074d97c17d19f9ff2a6a4ca60e9e19e89298e9ca2736429bc6d248fd2

SHA512
da62644c5aa87b4202b08855f3f12f022aead1e93bbcf00e0f0da757e53f496b632bdad5d0fe46c7b1e698a2d5930459a8afdca378f25379420ec7391090bf09

Download Submit
C:\Users\Admin\Downloads\UninstallResume.mhtml

Filesize
424KB

MD5
1910cdb43074680e173c6834371e9a54

SHA1
da54aa9b9858170640265f867ccae9768bb3d0fb

SHA256
3613dfe9d4e66bbd7b9b4aedd5e3d9dac6b700d19b3b16e657e3e0410d4fa3af

SHA512
c6d94fee0a57608ef6f2071bcb32ce7efce9783b27a56191829e0d9ed58d190accd8d42c1c1f2a0beec19b024a36e1481b0c2f080bfea2c265b29c9fe12076f6

Download Submit
C:\Users\Admin\Downloads\UnlockInstall.mpv2

Filesize
383KB

MD5
11622414a9e6105f176d07b2dc08ceff

SHA1
f0b24b81582de232e7a3f348320ab0660fc175af

SHA256
59358139290ce84595031d680f2a31c0304c853739d0f2dcfe514edf9bc32c08

SHA512
7363ace54520a55ec8c5697183ec4427bbd8b0fa9fc184665091e28cbbb0db03213b3effcfaecf5d3a41fd1f44bc7156687b6ffbc59766046ab708860addd3e0

Download Submit
C:\Users\Admin\Downloads\UnpublishDisable.tmp

Filesize
370KB

MD5
4a06f4f7b7ce0df4df5ef3837cba8cbb

SHA1
1e7bf0f4d3d187adb7cc15c6eaadc355104071b0

SHA256
ccae8363cd9c7f5fab519a862df648b87c967dddf5408a9840251544b8af3bd1

SHA512
2642c749f58364fb178721266eef5813f5a5c65a2a41f45d140dbcf0037f5af6ccfffe315fe8a4917151c58eacde083d99a85a8bac9f829c3afd995212c48821

Download Submit
C:\Users\Admin\Downloads\UseDisable.ps1xml

Filesize
276KB

MD5
ee8d4cf5ccc09bcb87bedac222448570

SHA1
4dde56663a7b9066c5ed402e187af1c2fb8d9269

SHA256
b6a357a1595aa35e8dc195a8dd980458ad5e973e75249e51146e7d14accf4410

SHA512
3867cc50c837843cf44d6b3e619775659271c69f018f466c90f0c6fdb6ca32ba3da42fc92163635f7b49ab3ffc0b4bf7736e4d944a097a837f59ebe8c69deaf8

Download Submit
C:\Users\Admin\Downloads\WaitJoin.pub

Filesize
518KB

MD5
9fc18929f986feda565e4b68941b778d

SHA1
3cc8069c5ded360507bf3d91a08f974a1eeb2a9d

SHA256
812ecef0811e71f768edf949623dd4371d0c4168d50aec487f43cd93c4bdd23a

SHA512
9c2751995a43090cea339e773c797239cd1103da4a374d5ed3870c5627c02715fe2fa2a719870b78ac365fb1b0fc2cf0fdfe4bf9c9cce598afad872f747da303

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r.zip

Filesize
3.3MB

MD5
e58fdd8b0ce47bcb8ffd89f4499d186d

SHA1
b7e2334ac6e1ad75e3744661bb590a2d1da98b03

SHA256
283f40e9d550833bec101a24fd6fd6fbd9937ed32a51392e818ffff662a1d30a

SHA512
95b6567b373efa6aec6a9bfd7af70ded86f8c72d3e8ba75f756024817815b830f54d18143b0be6de335dd0ca0afe722f88a4684663be5a84946bd30343d43a8c

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r.zip:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
C:\Users\Admin\Downloads\WatchImport.dwfx

Filesize
545KB

MD5
7138167b461fd35aa693546b12c6e050

SHA1
2a87f81015df0c78fdf945677984ba30b7b3872a

SHA256
601f434d07d2022ae3fc4514ee3d4e2ec0e9bc30714281fafc888932c9bc0ab5

SHA512
e2e9fa519fc238f982b331392683b0649a61057425a86b97b87de9aa5a5d6816b50a85813d5f8eeaeb1c714225dcce3f03c93da5efd90f94cbeafa3b14254b89

Download Submit
memory/1280-508-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/1896-1925-0x0000000073880000-0x0000000073A9C000-memory.dmp

Filesize
2.1MB

Download
memory/1896-1961-0x0000000073AA0000-0x0000000073B17000-memory.dmp

Filesize
476KB

Download
memory/1896-1927-0x0000000073B20000-0x0000000073B42000-memory.dmp

Filesize
136KB

Download
memory/1896-1926-0x0000000073B50000-0x0000000073BD2000-memory.dmp

Filesize
520KB

Download
memory/1896-1924-0x0000000073BE0000-0x0000000073C62000-memory.dmp

Filesize
520KB

Download
memory/1896-1956-0x0000000000990000-0x0000000000C8E000-memory.dmp

Filesize
3.0MB

Download
memory/1896-1958-0x0000000073BE0000-0x0000000073C62000-memory.dmp

Filesize
520KB

Download
memory/1896-1928-0x0000000000990000-0x0000000000C8E000-memory.dmp

Filesize
3.0MB

Download
memory/1896-1960-0x0000000073B20000-0x0000000073B42000-memory.dmp

Filesize
136KB

Download
memory/1896-1959-0x0000000073B50000-0x0000000073BD2000-memory.dmp

Filesize
520KB

Download
memory/1896-1957-0x0000000073C70000-0x0000000073C8C000-memory.dmp

Filesize
112KB

Download
memory/1896-1962-0x0000000073880000-0x0000000073A9C000-memory.dmp

Filesize
2.1MB

Download
memory/1896-1975-0x0000000000990000-0x0000000000C8E000-memory.dmp

Filesize
3.0MB

Download
memory/1896-1983-0x0000000000990000-0x0000000000C8E000-memory.dmp

Filesize
3.0MB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads