wannacry | hxxp://google[.]com

Analysis

max time kernel
670s
max time network
691s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
09-05-2024 01:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://google.com

Score

10^/10

wannacry defense_evasion discovery execution impact persistence ransomware worm

Malware Config

Extracted

Path

C:\Users\Admin\Documents\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

Signatures

Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs

Processes:

taskmgr.exe

description pid process target process

PID 1996 created 3832 1996 taskmgr.exe @[email protected]
PID 1996 created 3832 1996 taskmgr.exe @[email protected]
Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

description	pid	process	target process
PID 1996 created 3832	1996	taskmgr.exe	@[email protected]
PID 1996 created 3832	1996	taskmgr.exe	@[email protected]

Drops startup file 2 IoCs

Processes:

WannaCry.EXE

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDDC6E.tmp	WannaCry.EXE
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDDC75.tmp	WannaCry.EXE

Executes dropped EXE 25 IoCs

Processes:

taskdl.exe@[email protected]@[email protected]taskhsvc.exetaskdl.exe@[email protected]taskse.exetaskdl.exetaskse.exe@[email protected]taskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exe@[email protected]taskse.exetaskdl.exe

pid	process
6044	taskdl.exe
5064	@[email protected]
5772	@[email protected]
5592	taskhsvc.exe
1688	taskdl.exe
3832	@[email protected]
1492	taskse.exe
3884	taskdl.exe
3200	taskse.exe
3596	@[email protected]
3132	taskse.exe
1784	@[email protected]
3504	taskdl.exe
5924	taskse.exe
6136	@[email protected]
4796	taskdl.exe
5548	taskse.exe
2656	@[email protected]
1224	taskdl.exe
4908	taskse.exe
5900	@[email protected]
1340	taskdl.exe
2352	@[email protected]
3008	taskse.exe
5552	taskdl.exe

Loads dropped DLL 8 IoCs

Processes:

taskhsvc.exe

pid process

5592 taskhsvc.exe
5592 taskhsvc.exe
5592 taskhsvc.exe
5592 taskhsvc.exe
5592 taskhsvc.exe
5592 taskhsvc.exe
5592 taskhsvc.exe
5592 taskhsvc.exe
Modifies file permissions 1 TTPs 2 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exeicacls.exe

pid process

3220 icacls.exe
4956 icacls.exe

pid	process
5592	taskhsvc.exe
5592	taskhsvc.exe
5592	taskhsvc.exe
5592	taskhsvc.exe
5592	taskhsvc.exe
5592	taskhsvc.exe
5592	taskhsvc.exe
5592	taskhsvc.exe

pid	process
3220	icacls.exe
4956	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lzhzgnzvtqqc290 = "\"C:\\Users\\Admin\\Downloads\\WannaCry-main\\WannaCry-main\\tasksche.exe\""	reg.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

WannaCry.EXE@[email protected]

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	WannaCry.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 2 IoCs

Processes:

msedge.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1162180587-977231257-2194346871-1000\{35C0EF6F-90A4-4913-8A03-89011B18A007}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	msedge.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

4712 reg.exe

pid	process
4712	reg.exe

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exetaskhsvc.exetaskmgr.exe

pid	process
1328	msedge.exe
1328	msedge.exe
4692	msedge.exe
4692	msedge.exe
4332	identity_helper.exe
4332	identity_helper.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
4072	msedge.exe
1612	msedge.exe
1612	msedge.exe
5916	msedge.exe
5916	msedge.exe
5592	taskhsvc.exe
5592	taskhsvc.exe
5592	taskhsvc.exe
5592	taskhsvc.exe
5592	taskhsvc.exe
5592	taskhsvc.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe

Suspicious behavior: LoadsDriver 6 IoCs

Processes:

pid

4
4
4
4
4
660

pid
4
4
4
4
4
660

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 20 IoCs

Processes:

msedge.exe

pid	process
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe

Suspicious use of AdjustPrivilegeToken 62 IoCs

Processes:

WMIC.exevssvc.exetaskse.exetaskse.exetaskse.exetaskse.exetaskse.exetaskse.exetaskmgr.exetaskse.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	4848	WMIC.exe
Token: SeSecurityPrivilege	4848	WMIC.exe
Token: SeTakeOwnershipPrivilege	4848	WMIC.exe
Token: SeLoadDriverPrivilege	4848	WMIC.exe
Token: SeSystemProfilePrivilege	4848	WMIC.exe
Token: SeSystemtimePrivilege	4848	WMIC.exe
Token: SeProfSingleProcessPrivilege	4848	WMIC.exe
Token: SeIncBasePriorityPrivilege	4848	WMIC.exe
Token: SeCreatePagefilePrivilege	4848	WMIC.exe
Token: SeBackupPrivilege	4848	WMIC.exe
Token: SeRestorePrivilege	4848	WMIC.exe
Token: SeShutdownPrivilege	4848	WMIC.exe
Token: SeDebugPrivilege	4848	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4848	WMIC.exe
Token: SeRemoteShutdownPrivilege	4848	WMIC.exe
Token: SeUndockPrivilege	4848	WMIC.exe
Token: SeManageVolumePrivilege	4848	WMIC.exe
Token: 33	4848	WMIC.exe
Token: 34	4848	WMIC.exe
Token: 35	4848	WMIC.exe
Token: 36	4848	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4848	WMIC.exe
Token: SeSecurityPrivilege	4848	WMIC.exe
Token: SeTakeOwnershipPrivilege	4848	WMIC.exe
Token: SeLoadDriverPrivilege	4848	WMIC.exe
Token: SeSystemProfilePrivilege	4848	WMIC.exe
Token: SeSystemtimePrivilege	4848	WMIC.exe
Token: SeProfSingleProcessPrivilege	4848	WMIC.exe
Token: SeIncBasePriorityPrivilege	4848	WMIC.exe
Token: SeCreatePagefilePrivilege	4848	WMIC.exe
Token: SeBackupPrivilege	4848	WMIC.exe
Token: SeRestorePrivilege	4848	WMIC.exe
Token: SeShutdownPrivilege	4848	WMIC.exe
Token: SeDebugPrivilege	4848	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4848	WMIC.exe
Token: SeRemoteShutdownPrivilege	4848	WMIC.exe
Token: SeUndockPrivilege	4848	WMIC.exe
Token: SeManageVolumePrivilege	4848	WMIC.exe
Token: 33	4848	WMIC.exe
Token: 34	4848	WMIC.exe
Token: 35	4848	WMIC.exe
Token: 36	4848	WMIC.exe
Token: SeBackupPrivilege	2164	vssvc.exe
Token: SeRestorePrivilege	2164	vssvc.exe
Token: SeAuditPrivilege	2164	vssvc.exe
Token: SeTcbPrivilege	1492	taskse.exe
Token: SeTcbPrivilege	1492	taskse.exe
Token: SeTcbPrivilege	3200	taskse.exe
Token: SeTcbPrivilege	3200	taskse.exe
Token: SeTcbPrivilege	3132	taskse.exe
Token: SeTcbPrivilege	3132	taskse.exe
Token: SeTcbPrivilege	5924	taskse.exe
Token: SeTcbPrivilege	5924	taskse.exe
Token: SeTcbPrivilege	5548	taskse.exe
Token: SeTcbPrivilege	5548	taskse.exe
Token: SeTcbPrivilege	4908	taskse.exe
Token: SeTcbPrivilege	4908	taskse.exe
Token: SeDebugPrivilege	1996	taskmgr.exe
Token: SeSystemProfilePrivilege	1996	taskmgr.exe
Token: SeCreateGlobalPrivilege	1996	taskmgr.exe
Token: SeTcbPrivilege	3008	taskse.exe
Token: SeTcbPrivilege	3008	taskse.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exetaskmgr.exe@[email protected]

pid	process
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
3832	@[email protected]
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

msedge.exetaskmgr.exe

pid	process
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
4692	msedge.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe
1996	taskmgr.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]

pid	process
5772	@[email protected]
5064	@[email protected]
5772	@[email protected]
5064	@[email protected]
3832	@[email protected]
3832	@[email protected]
3596	@[email protected]
1784	@[email protected]
6136	@[email protected]
2656	@[email protected]
5900	@[email protected]
2352	@[email protected]

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 4692 wrote to memory of 4164	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 4164	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 5028	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 5028	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 5028	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 5028	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 5028	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 5028	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 5028	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 5028	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 5028	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 5028	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 5028	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 5028	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 5028	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 5028	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 5028	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 5028	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 5028	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 5028	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 5028	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 5028	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 5028	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 5028	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 5028	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 5028	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 5028	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 5028	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 5028	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 5028	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 5028	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 5028	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 5028	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 5028	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 5028	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 5028	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 5028	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 5028	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 5028	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 5028	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 5028	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 5028	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 1328	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 1328	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 3976	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 3976	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 3976	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 3976	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 3976	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 3976	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 3976	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 3976	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 3976	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 3976	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 3976	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 3976	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 3976	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 3976	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 3976	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 3976	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 3976	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 3976	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 3976	4692	msedge.exe	msedge.exe
PID 4692 wrote to memory of 3976	4692	msedge.exe	msedge.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Views/modifies file attributes 1 TTPs 3 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exeattrib.exe

pid process

3032 attrib.exe
4080 attrib.exe
768 attrib.exe

pid	process
3032	attrib.exe
4080	attrib.exe
768	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.com
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4692

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd329346f8,0x7ffd32934708,0x7ffd32934718
2⤵
PID:4164

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,13898994616104822695,17949558412214983008,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2
2⤵
PID:5028

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,13898994616104822695,17949558412214983008,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1328

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,13898994616104822695,17949558412214983008,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2952 /prefetch:8
2⤵
PID:3976

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13898994616104822695,17949558412214983008,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
2⤵
PID:2404

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13898994616104822695,17949558412214983008,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
2⤵
PID:2276

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13898994616104822695,17949558412214983008,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4796 /prefetch:1
2⤵
PID:3308

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,13898994616104822695,17949558412214983008,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5260 /prefetch:8
2⤵
PID:2728

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,13898994616104822695,17949558412214983008,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5260 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4332

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13898994616104822695,17949558412214983008,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4196 /prefetch:1
2⤵
PID:2000

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13898994616104822695,17949558412214983008,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:1
2⤵
PID:1716

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13898994616104822695,17949558412214983008,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4844 /prefetch:1
2⤵
PID:2388

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13898994616104822695,17949558412214983008,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4768 /prefetch:1
2⤵
PID:3960

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,13898994616104822695,17949558412214983008,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2036 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4072

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2136,13898994616104822695,17949558412214983008,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5344 /prefetch:8
2⤵
PID:1944

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13898994616104822695,17949558412214983008,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5524 /prefetch:1
2⤵
PID:1596

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13898994616104822695,17949558412214983008,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1
2⤵
PID:5640

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2136,13898994616104822695,17949558412214983008,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5512 /prefetch:8
2⤵
PID:6080

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2136,13898994616104822695,17949558412214983008,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4992 /prefetch:8
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1612

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13898994616104822695,17949558412214983008,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5524 /prefetch:1
2⤵
PID:1284

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13898994616104822695,17949558412214983008,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5848 /prefetch:1
2⤵
PID:3092

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13898994616104822695,17949558412214983008,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5868 /prefetch:1
2⤵
PID:3180

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13898994616104822695,17949558412214983008,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6008 /prefetch:1
2⤵
PID:2540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13898994616104822695,17949558412214983008,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4744 /prefetch:1
2⤵
PID:1868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13898994616104822695,17949558412214983008,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:1
2⤵
PID:5384

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13898994616104822695,17949558412214983008,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6412 /prefetch:1
2⤵
PID:1980

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13898994616104822695,17949558412214983008,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6708 /prefetch:1
2⤵
PID:4132

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2136,13898994616104822695,17949558412214983008,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1780 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5916

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13898994616104822695,17949558412214983008,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:1
2⤵
PID:1624

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13898994616104822695,17949558412214983008,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5880 /prefetch:1
2⤵
PID:3556

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,13898994616104822695,17949558412214983008,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5164 /prefetch:1
2⤵
PID:3132

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4172

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1584

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3568

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\WannaCry.EXE
"C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\WannaCry.EXE"
1⤵
- Drops startup file
- Sets desktop wallpaper using registry
PID:2604

C:\Windows\SysWOW64\attrib.exe
attrib +h .
2⤵
- Views/modifies file attributes
PID:4080

C:\Windows\SysWOW64\icacls.exe
icacls . /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:3220

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:6044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 61051715218702.bat
2⤵
PID:3716

C:\Windows\SysWOW64\cscript.exe
cscript.exe //nologo m.vbs
3⤵
PID:3504

C:\Windows\SysWOW64\attrib.exe
attrib +h +s F:\$RECYCLE
2⤵
- Views/modifies file attributes
PID:768

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]
@[email protected] co
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5064

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\TaskData\Tor\taskhsvc.exe
TaskData\Tor\taskhsvc.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:5592

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /b @[email protected] vs
2⤵
PID:5896

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]
@[email protected] vs
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5772

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
4⤵
PID:4560

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:4848

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:1688

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\taskse.exe
taskse.exe C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1492

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3832

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "lzhzgnzvtqqc290" /t REG_SZ /d "\"C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\tasksche.exe\"" /f
2⤵
PID:2084

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "lzhzgnzvtqqc290" /t REG_SZ /d "\"C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\tasksche.exe\"" /f
3⤵
- Adds Run key to start application
- Modifies registry key
PID:4712

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:3884

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\taskse.exe
taskse.exe C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3200

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3596

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\taskse.exe
taskse.exe C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3132

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1784

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:3504

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\taskse.exe
taskse.exe C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5924

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:6136

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:4796

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\taskse.exe
taskse.exe C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5548

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2656

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:1224

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\taskse.exe
taskse.exe C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4908

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5900

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:1340

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\taskse.exe
taskse.exe C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3008

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2352

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:5552

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\taskse.exe
taskse.exe C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]
2⤵
PID:5872

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\@[email protected]
@[email protected]
2⤵
PID:1812

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\taskdl.exe
taskdl.exe
2⤵
PID:760

C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\WannaCry.EXE
"C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\WannaCry.EXE"
1⤵
PID:5064

C:\Windows\SysWOW64\attrib.exe
attrib +h .
2⤵
- Views/modifies file attributes
PID:3032

C:\Windows\SysWOW64\icacls.exe
icacls . /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:4956

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2164

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\@[email protected]
1⤵
PID:432

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1996

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\2f0477179a0d4e6992f85940c4a1361c /t 4200 /p 3832
1⤵
PID:2568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\@[email protected]
Filesize
813B

MD5
27e7273b1d3aa6f25a58437844ece17f

SHA1
5f22cd5e00ee54ee60e9bdd65c54f9c22c516058

SHA256
7c2b8fce1ff0edf0b5927bf33eb2b9a83e89e6fff34104cc0e9a1af6bc4f2f8d

SHA512
b5dc780d37c131771f7093ee83b42a22cdf970dc08360b067dbd420742ffd8d54dcac3806be90151182f62878975b974bf86528b0292e92184daf1899b3a00a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
537815e7cc5c694912ac0308147852e4

SHA1
2ccdd9d9dc637db5462fe8119c0df261146c363c

SHA256
b4b69d099507d88abdeff4835e06cc6711e1c47464c963d013cef0a278e52d4f

SHA512
63969a69af057235dbdecddc483ef5ce0058673179a3580c5aa12938c9501513cdb72dd703a06fa7d4fc08d074f17528283338c795334398497c771ecbd1350a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
8b167567021ccb1a9fdf073fa9112ef0

SHA1
3baf293fbfaa7c1e7cdacb5f2975737f4ef69898

SHA256
26764cedf35f118b55f30b3a36e0693f9f38290a5b2b6b8b83a00e990ae18513

SHA512
726098001ef1acf1dd154a658752fa27dea32bca8fbb66395c142cb666102e71632adbad1b7e2f717071cd3e3af3867471932a71707f2ae97b989f4be468ab54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009
Filesize
64KB

MD5
d6b36c7d4b06f140f860ddc91a4c659c

SHA1
ccf16571637b8d3e4c9423688c5bd06167bfb9e9

SHA256
34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

SHA512
2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a
Filesize
67KB

MD5
d2d55f8057f8b03c94a81f3839b348b9

SHA1
37c399584539734ff679e3c66309498c8b2dd4d9

SHA256
6e273f3491917d37f4dbb6c3f4d3f862cada25c20a36b245ea7c6bd860fb400c

SHA512
7bcdbb9e8d005a532ec12485a9c4b777ddec4aee66333757cdae3f84811099a574e719d45eb4487072d0162fa4654349dd73705a8d1913834535b1a3e2247dc6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000b
Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000c
Filesize
37KB

MD5
449575adc5b691252ccd790af54aa1fa

SHA1
08fbf2330df4d9b8863dbd25981ed28842f5c449

SHA256
7d773ed5be32890577b137400ab9d2e829cd966a7529a2cbdeba4d589fd50f1b

SHA512
031ff5e4c4b5d2a7911d8e7fcac5584eca2337daa1dfe1feaf5cf56ac574a7d6b8c2e64472279d58bd8234ddd0072d4468a72aa39c5716840a39237ee9cedf45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000d
Filesize
65KB

MD5
56d57bc655526551f217536f19195495

SHA1
28b430886d1220855a805d78dc5d6414aeee6995

SHA256
f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4

SHA512
7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000e
Filesize
88KB

MD5
b38fbbd0b5c8e8b4452b33d6f85df7dc

SHA1
386ba241790252df01a6a028b3238de2f995a559

SHA256
b18b9eb934a5b3b81b16c66ec3ec8e8fecdb3d43550ce050eb2523aabc08b9cd

SHA512
546ca9fb302bf28e3a178e798dd6b80c91cba71d0467257b8ed42e4f845aa6ecb858f718aac1e0865b791d4ecf41f1239081847c75c6fb3e9afd242d3704ad16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000f
Filesize
1.2MB

MD5
25a7f8dea0207366b4b9d77569ff6f78

SHA1
57a20ac66704e6b2766c6946fafdec22f47ee79d

SHA256
502a9f82d39ef6fca4b4fc1bfd046b9736d8e232c8b1562eed0ca62d149bbfed

SHA512
db300662a1a49ae8417fb013462fc62ab20351c9c458cb60b0b22ec89c1cba410ae03301cefa6464dc58ed332ceb8a2d67eb6b8078c7f2127729594126133024

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
4KB

MD5
afad5a7af73e595e572b27dda0baa388

SHA1
4a820f0d7aac1c5765cb963aae2019e28c76c25e

SHA256
a026de5aa5ebeb8b32f20377c40220ef8154783010bfd7a6a15b334c9cae0938

SHA512
9a35d60482d43f78ff55a742fd39e06cd6d5dd2e19c1df06abba8592ea098698ba64bb347b137bddba79c24216097ca7acc542b88497d668116f4982f4ddda70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
4KB

MD5
e15fb2546b7cc4bddc9076ef97363abb

SHA1
c8795141ccf093cc14f25fcd271e3bc1a2e446d3

SHA256
45a32ee7b864180ef83bd088df6d6c29b8202499796d56d0cd18203b6c3fc3eb

SHA512
96062bc1b1f2f33639785d54abbd932b54fdb79b77d4e5fb9e0f5f7f30cc278932a1dac00bdda81721e2737fe145965730d65546c526ca9ddf54066e53b0db59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
4KB

MD5
f5e142358914f2f02e10a034019bb026

SHA1
14071b057a7066d67b35ca91d25cef7564992c2d

SHA256
e371c678160c4d271215dda113ddd381d219279357d8daa7b4dd91e9902ea3ac

SHA512
bba5e96619a05fa63faeadc247f44d2223d512b00bbd414a045b1095332699c2ef5b8682a1c5a766504f0eb30406fd96218dd4207ba691ec3866ce9fdb4826c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
216B

MD5
a0109be23d0a13d8f8a5ef9350697442

SHA1
27b22a7df615886f088b2bb1e23d014fe713b0d7

SHA256
f5e62936429bb9133c2e6c1e8ee565d4610924b748438cf5a701c69f0e342b37

SHA512
181007ad0e63351e01e0551b5a2f0858f72a386264f5046c4e8391496d0ca6145c00dd41a2a76a1791d13756ad9b08ec30ba9e6c071d554b90dcae1ca09ffd24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
1KB

MD5
b4079a54c5b039052f9a8dbf3fcb7435

SHA1
6e2904c7a3c92bcf41717b032066a4178bb62aaa

SHA256
9b49a2cd2480ec8bdcbe28e2118ef3fea2c6e72fc8e74fa02167df5338558276

SHA512
d317c46bccbd54316a6707f859b9d80d122b710805ab102731485617a9f7366756274579ae23e91801838c49294877d8bee4681cc4162e38e60772feb0589af5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
2KB

MD5
81cb61b8b61ec5f31145dc4a950f0b78

SHA1
616be4974b7d3e4106bc5eb5f3b5cbab82ced1d7

SHA256
89753f447a52489e824cd14cdfcd55ec5c6923904cbb93e6cff361bee1ccac66

SHA512
dd067bb12ed224c2538df849f2df9322f31b2ee90f541557563cef9a9da01dfed1478c3abcf831ef2e7b7d576239073f2d5d24d30c20c2fd3b8130a3403ebf34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
2KB

MD5
52ce6ca77f0959f469b243678579e562

SHA1
df7f713378ca7d5d15ba9b8aed18810bf15e5df4

SHA256
7250138427ec4696c83547b74d81d68430a9c82e9bcedd6bd2907d4f4749ca38

SHA512
1b018c002c6fd56c3c76a7924a74f745cd24f6a521a156f2e4279811c7e2bb159f37e4d31f151050c5c730dc57dd3398854841b8947be439fcfdde13db803fc8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
1KB

MD5
3fa23d198e512d4712e980bf503202c9

SHA1
036267a80f2bb1f0eac701eeb2843685d1ac9d8d

SHA256
7027cc9bad93791f2cf4d2ed8d3419e465673fc48da29a59d89a2573a98fdeff

SHA512
466ef8f27b0e06e170e1febbed58c112c652de1cd91e35348c06a714902b42e8df41fe516045e67328847a3c8b297658ba504f696526c494734f1b439e9e7a1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
8KB

MD5
446f50a7e093c736cdec3af02811ed25

SHA1
ab25810903d0d43d29f25efae4603c6148db6cbd

SHA256
6d645e86f49cac07f897aab46f71e22a32927082cc5e3fef47bf5ff8053228ac

SHA512
72a3094aff5abe42c1a8966eb0f2fc3da16e381b1d789bb9d6f37bc15fc7ccd0c946b70a326faf4d94b9dfecb30e6aae0adbbabc232239ec80580bfa96645aaa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
8KB

MD5
2d42d8c0230e1cb11c7bdefeb0b7de17

SHA1
caf24a71e4d2ff035259a845a31cf76c1df4718c

SHA256
fc0d2d3ef3904141882367b1fa650baf4930a00deff36f0136e357095fcb586e

SHA512
af09d78dec134e7a5bf8382530d9b5d1608f53af91097c016b5198f1787027885b2186be59e07a24b51ceb878d596ba8138c4003ff94a0977d3a48e2ca648455

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
c3e533d4696a4392c841cd99a8786f00

SHA1
4d83b6c3ba78d7d3d4d06d8db2e3b33d368d040b

SHA256
8950b628ebec18994a7a93935d2c9407a79cdaee0e2b8bff09c617a345e106ca

SHA512
324e897f1fbde7d306f9553095ed76a520e3d52da3a824d653fb61522dafda7713bab0ddb194548149bbaf6edad7b1596df84a32562fd3b9ec8833753e004b1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
d3773fd0d4e55b460af9d99eadd693b7

SHA1
a8fc4f842933754f10b63627f8b0a989c71b20d0

SHA256
12cce7dc875bb002993b42a17f9c0ef6f5a372073207b7125a9db49fd78b2907

SHA512
567a7031838b5cdbf494b01930c01e34ff9f5a557b0d9ed202449637fb4b69591ef2c2b5acf4ac0d428ad420f1aa75b4cc5298b40e39a041bc5cc214daac5227

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
4bf5c0c6e0634b139424b5f3930c7d8b

SHA1
f04ba9f84cd4b7a3f5f020d7ab4ea09c67e8ecb6

SHA256
607403ecc6fd1400aa7bf64abec5ca0da0ba1e912b8bab6bac47732b817aedd2

SHA512
e4819f241217e27577d59287e29a0de39716fbfd372d8f43d7a0877da9fe2974687d3267b58f38ad4b96e97603b6fa740432e7bbe65241cd38534ddc92c97cd7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
038442ccff762f662257633bd0241aad

SHA1
7b103c6e1272dafff1682a55639440e04c6048b1

SHA256
15407b38c898bc4ff07c5decc428ca0a13fcf88d96571692cbcecf15b827668e

SHA512
467d8792a2bd18c7948462d7861ce136b3fbaca0ec3f51ac37809998bbe8e876ea64dd74435e08fab4a8197a67375f773507c9fd20d71b6bc3d73deeeba654b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
3a858215f75bd928ae495be15fd415ba

SHA1
2814ee3429bc9e3f937d878cd4eb23e6c3cbfbc3

SHA256
155f1ad50fee7109c9cc55bac9bf6168d819a2fd9688ae84136b94a71680cd5c

SHA512
1274b61771ef2a18d4039d05979ceb049fa32a4c0b824374f291b27cd08fe320f5119358863056de7936e3c0e45e587b5a6bf0fef2cfd600c64af63c6d26098c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
8abe242f8e461a67faa8ad8845c562cd

SHA1
1c7873a7202ac2c51e0ce5dce29e29c034cc127f

SHA256
d24a86315368e99bb9f4eab6c642d2cd16ae1be952687903989ce899091fb2d9

SHA512
efd3fd43ba8fcedf42f52f5d650daff5de1f78c4d5873b64009a189cbf89e9aeb3115dccfeddd6b5d2d6621a17d863ef6d7d5e5ca996791a384d1e1390f44014

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
30b1729f6035955327f2ce97a982b7d1

SHA1
5ec155bea50666242a12a9a825899ae50475b2ed

SHA256
28fc9c70760f68c5258705058cb0f09f6a958fdd43354e00a2350dc1162e89c3

SHA512
0485ecdc4d523588e894b22e8b8210ce7e1f21775443e9738923d8a394d7e0dd53809aed605e0374de0ab14f23e4a52c3a4e4c60485195b801b96025ebc71f35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
0280a287c8c2033303ddec9cae087ff9

SHA1
c75cc5f3464e2cc42065c6ccdd0281793c7953de

SHA256
c4837057089c1a3a6ef2028d1861038e5e74443ea5079808258c8f6c904828ac

SHA512
edde701f4d4292593d1710d30f088dcf9ba2aaed4cab53e69077f71b3430eca343e190a2ef61a6c974edc077215c9052658356551a1bb7172a5bae2a76998901

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
1432052986412ad46015f3b25b17a697

SHA1
093b9aad99658c1d805e5901d4017199ca954db9

SHA256
ad6c9a4efa3c348b292a4ea225cdbeb4e03880389ae7e51045eea79561026a8c

SHA512
751291c6bd8a5c01b87658c1887be4500033035bb1d6aa7509f74ed7d8472f239d1c9e1966b25785e328bd34903ffefb43edb122018940086049153a3965d80c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
43e5e06e423fa3a3ed34c1149842a005

SHA1
eab7045b628fd044c65b7a162f61eac0e35e4086

SHA256
e3713dc82b42706cd22ea83eaff21626a693238aea975bc5ce7f2a2eae1a2409

SHA512
92b60fbc24aca77e14b34aec57f5ac00239a115aeb9037cee0c9fcb63e666c7486c0f74568f5f4b8513b953c0841877cc4f4ce64d628c5d242cc52970c2620e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
f000368ffd84ac98ca2772aa31d32f7c

SHA1
9a566209db1a73482ad6b02952e7c6adaef4ca2f

SHA256
a95d23f2b77d26fd55c390d305822b522d103889c8a15aea746186c95fb7ca8b

SHA512
cae4a137111b0e69e8311bbf4670d84bdd4606ded28c14a4a3ad1aea2f8ce47ef5b21c9c4ccc7961af86ff87290f97514798cc68f88bf44319ecb963ba1926a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
706B

MD5
92ccbe2448c2eced767cb29f977e0a01

SHA1
8f03fa2fa178af21d7857243f8cfdf197c465ce1

SHA256
98dc76bb3dbf4608d2c7de08f1b47408bc8e29c524d1a4b84e76cb5cd97f4bcc

SHA512
cde7ae6c9277f768f4d4c3efc6070da44f4dc00483ec3356a468567bf67490cb00cdacc4783b457c803b0b5b4c5a786ea3c5e6a8ac17e0c02ab914693aefe225

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
204B

MD5
1f569177798f23ed38ee982df5794ce0

SHA1
3f0d5470a467022993fb2a10f0a54faa21dcc3a6

SHA256
b2e9cdd11dc3445e1f6d1d8172e3e82e4a844ad6a49c5be8e2d92d9375417d1a

SHA512
38c13ca5ed61c8d8401172730c040fb122daad1c0d1b0ba089dcb91a9181eb4dbab21d4be362b2c88dafae749f6af8e1cbd34a1de4e2f902f59cd547eb01cdc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
314d75fa4ae268f495fe15feba235545

SHA1
435aa95a59b7387f00880d3d45a700b5abdf2598

SHA256
bc3e15a656e878ce456532d4085873e2ac8dfd3cd8adfa8d1ae23d98726cc18d

SHA512
93731f39318e6cc44930a4548ed2576bdb44026e79a80b15ea1f0c349ca48eece5c694ea933cdb423a4a501681bb89ae57c28d9f0ed5460cee6f94b12a496722

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5c7e8e.TMP
Filesize
204B

MD5
0d57800bc167b0eff1cec34a111aac88

SHA1
c57f96b934971daa6be1cecd3904b5cbeb52585a

SHA256
2be17cb1b2422d4e6ee01998c42ea45b97c605f2d21de97e6afd048ebb8dac5c

SHA512
9b64a1d063d063c977d4190ca3901d1a0a08100519313fd2782a660efd7f883327e9e9605c0fb6256ab8639c7c16eca697dd1b94c4951ecf1adecf83102727e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
a4c5e9c49805792ac5920d4b71692648

SHA1
ce84f8198e42638a0f281e1f9c4b50c700cb9090

SHA256
3b12bda6c1d8fba3623b1b1eca2692f818761899f4209efd85c5992b0faec692

SHA512
6426004178c0f32bf7e872bd9f79b2cf29c0dcf4ea08ebe61af09a6ca2c62fc97d7d7c47944afe8e604f6bbb1d061db0c5e5ec25b51e954e384453eed4f04013

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
75751e39e1ede84c034388369c5f9c28

SHA1
b8bcc66eaa09dbabda99d85ce1db00aa1a9ba37e

SHA256
12fec857d02d6ed5fafd95f70a224a1554d6ba9324f5c1308349ab695e1e1737

SHA512
ea0c1ff4dc6151ff1855054f9f094515ace02047b13af105254fa67dc8e3b7ec3ee05591380033f80a8dd36b41175b31dcfaa446a99cc760059d310a27055d28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
bcb944942a9b8b9ef03a7735808992f6

SHA1
0be328e42052d6ea66a5b801464c064cc09904b3

SHA256
2de331a7471338c051d1d17e19be649a05ca25d6094be15b6037b63fc7a711d2

SHA512
070dbe8e0197610dfd58ff1e90d8af06d9c1ba01d798af9013fc56cf82ba7b4b120d59160ba2aeadd53e755d6e5a34e5544babc7dee44ddb9b6d6c1735303512

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
8f2e33e8006e6ac748348779fc911048

SHA1
886f976f782574e6f8d4865451f9150451ad054a

SHA256
06d46939d524d7fd32d65b93b44022625f548ec3bd37742958ce37b55e2909af

SHA512
37ad65db066d3cb181a37afde3d31ac26f6dbea8446236442c417aaa5b77ab1f5730b5ddc38d763d849cda47c799901e487ebd1607b58b8bad860fdc9358d574

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
a1f68e1d90ce54a28a00174ddffd6040

SHA1
652542d7b67bbbc5b3ec6cd1d18f443f4109e542

SHA256
84c031ec73e1ae50aa70128759090077acb91def6e2df859879fbb9b466738fc

SHA512
466af732fad28d17104d8f020cf844085ad644dc07ba81ed06b4de40890d6f0c255882525e05fd33f68fd3ad6c9863f0580262945f4e44b8b46e21e4d7dbf8d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
da0dd43ac3955a0cbb52e6aa28ebe892

SHA1
2107383ba29866d50d40d012150a4c860fb3c83f

SHA256
411a3a1b4e6ea3052d5d0ab24718bc238de038856b1ea7a28d1ec217104c7eca

SHA512
ed73b0a7e477241d6e55e4ea34edbd5e3ebdfe693c448555462ee03e4f5facacddad808dc0f2db92202f2e399d18ebb476252d2a43f5adcd32d270efd67c2f6a

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new
Filesize
5.9MB

MD5
5c22410f2afbf84a7d3b943a9c2bcba4

SHA1
4cdd0419bcf1d2f76a50e4f8cd5ec3bd66b3a90d

SHA256
4d24e16f867ae2f10c7f70564bb92f2125620fa3f940267d0f6d320b3359776b

SHA512
571cacdeba2899a565b48e974b2b08a45ea7c1ae7a7ec712e2be7daf2bb2e341c6c23d8a00f40aa8656106d15f370955782b40b6dd20804d0ea0d20e05033fde

Download Submit
C:\Users\Admin\Documents\@[email protected]
Filesize
933B

MD5
f97d2e6f8d820dbd3b66f21137de4f09

SHA1
596799b75b5d60aa9cd45646f68e9c0bd06df252

SHA256
0e5ece918132a2b1a190906e74becb8e4ced36eec9f9d1c70f5da72ac4c6b92a

SHA512
efda21d83464a6a32fdeef93152ffd32a648130754fdd3635f7ff61cc1664f7fc050900f0f871b0ddd3a3846222bf62ab5df8eed42610a76be66fff5f7b4c4c0

Download Submit
C:\Users\Admin\Downloads\WannaCry-main.zip
Filesize
3.3MB

MD5
3c7861d067e5409eae5c08fd28a5bea2

SHA1
44e4b61278544a6a7b8094a0615d3339a8e75259

SHA256
07ecdced8cf2436c0bc886ee1e49ee4b8880a228aa173220103f35c535305635

SHA512
c2968e30212707acf8a146b25bb29c9f5d779792df88582b03431a0034dc82599f58d61fc9494324cc06873e5943f8c29bffd0272ca682d13c0bb10482d79fc5

Download Submit
C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\61051715218702.bat
Filesize
378B

MD5
41cd59f7dc3eaa903f418496114e7b2e

SHA1
e53bfb75b19e629f87432e6709e815f36ff2a138

SHA256
6859cbc76800cbf431277ee41d10411d446c5461284fd8cf42849ddeb2a2cce7

SHA512
46de33f05780c7fa8f544dec28664a48933f1f743564a0d7bdb8b5bbbfa22233be180d7cdd97fc55d8f080b43824f75cf9df336cd414f60d30a291857cb94bce

Download Submit
C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\TaskData\Tor\tor.exe
Filesize
3.0MB

MD5
fe7eb54691ad6e6af77f8a9a0b6de26d

SHA1
53912d33bec3375153b7e4e68b78d66dab62671a

SHA256
e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb

SHA512
8ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f

Download Submit
C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\b.wnry
Filesize
1.2MB

MD5
5e946a6ce2e4a60215ffb99710c72930

SHA1
9bfa2404c730d6b616cc8079b46e03ff010cc513

SHA256
e8185e0624c54221f073820f91bc11c1e480de3d7f7e39d3dfab88dbd5ff30b3

SHA512
128be87b039e6c94607b81e24015a2f943567d0fec39f6e3b02529c2ab46b9cff98c1071655c037e49df543a14ea3089f68b8e62ec45329f66c899af57bce7ce

Download Submit
C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\c.wnry
Filesize
780B

MD5
383a85eab6ecda319bfddd82416fc6c2

SHA1
2a9324e1d02c3e41582bf5370043d8afeb02ba6f

SHA256
079ce1041cbffe18ff62a2b4a33711eda40f680d0b1d3b551db47e39a6390b21

SHA512
c661e0b3c175d31b365362e52d7b152267a15d59517a4bcc493329be20b23d0e4eb62d1ba80bb96447eeaf91a6901f4b34bf173b4ab6f90d4111ea97c87c1252

Download Submit
C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\m.vbs
Filesize
257B

MD5
e496dd7cfa46f8934d82b381bfde0aaf

SHA1
4b87a838dd83e84b9e6c72af15493e6e48979170

SHA256
9c4dfc0e56b406d9966fbd413a47ac29e77e262bd0d497ef72e835d5cb36fc8c

SHA512
461bf87167c4ee764bfdad32d3940309d2fa37e631935a5be966396f10392059297dc06f9d2c07257ae63edf988061bb53aa984bb0bb399e240e792888170372

Download Submit
C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\msg\m_bulgarian.wnry
Filesize
46KB

MD5
95673b0f968c0f55b32204361940d184

SHA1
81e427d15a1a826b93e91c3d2fa65221c8ca9cff

SHA256
40b37e7b80cf678d7dd302aaf41b88135ade6ddf44d89bdba19cf171564444bd

SHA512
7601f1883edbb4150a9dc17084012323b3bfa66f6d19d3d0355cf82b6a1c9dce475d758da18b6d17a8b321bf6fca20915224dbaedcb3f4d16abfaf7a5fc21b92

Download Submit
C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\msg\m_chinese (simplified).wnry
Filesize
53KB

MD5
0252d45ca21c8e43c9742285c48e91ad

SHA1
5c14551d2736eef3a1c1970cc492206e531703c1

SHA256
845d0e178aeebd6c7e2a2e9697b2bf6cf02028c50c288b3ba88fe2918ea2834a

SHA512
1bfcf6c0e7c977d777f12bd20ac347630999c4d99bd706b40de7ff8f2f52e02560d68093142cc93722095657807a1480ce3fb6a2e000c488550548c497998755

Download Submit
C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\msg\m_chinese (traditional).wnry
Filesize
77KB

MD5
2efc3690d67cd073a9406a25005f7cea

SHA1
52c07f98870eabace6ec370b7eb562751e8067e9

SHA256
5c7f6ad1ec4bc2c8e2c9c126633215daba7de731ac8b12be10ca157417c97f3a

SHA512
0766c58e64d9cda5328e00b86f8482316e944aa2c26523a3c37289e22c34be4b70937033bebdb217f675e40db9fecdce0a0d516f9065a170e28286c2d218487c

Download Submit
C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\msg\m_croatian.wnry
Filesize
38KB

MD5
17194003fa70ce477326ce2f6deeb270

SHA1
e325988f68d327743926ea317abb9882f347fa73

SHA256
3f33734b2d34cce83936ce99c3494cd845f1d2c02d7f6da31d42dfc1ca15a171

SHA512
dcf4ccf0b352a8b271827b3b8e181f7d6502ca0f8c9dda3dc6e53441bb4ae6e77b49c9c947cc3ede0bf323f09140a0c068a907f3c23ea2a8495d1ad96820051c

Download Submit
C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\msg\m_czech.wnry
Filesize
39KB

MD5
537efeecdfa94cc421e58fd82a58ba9e

SHA1
3609456e16bc16ba447979f3aa69221290ec17d0

SHA256
5afa4753afa048c6d6c39327ce674f27f5f6e5d3f2a060b7a8aed61725481150

SHA512
e007786ffa09ccd5a24e5c6504c8de444929a2faaafad3712367c05615b7e1b0fbf7fbfff7028ed3f832ce226957390d8bf54308870e9ed597948a838da1137b

Download Submit
C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\msg\m_danish.wnry
Filesize
36KB

MD5
2c5a3b81d5c4715b7bea01033367fcb5

SHA1
b548b45da8463e17199daafd34c23591f94e82cd

SHA256
a75bb44284b9db8d702692f84909a7e23f21141866adf3db888042e9109a1cb6

SHA512
490c5a892fac801b853c348477b1140755d4c53ca05726ac19d3649af4285c93523393a3667e209c71c80ac06ffd809f62dd69ae65012dcb00445d032f1277b3

Download Submit
C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\msg\m_dutch.wnry
Filesize
36KB

MD5
7a8d499407c6a647c03c4471a67eaad7

SHA1
d573b6ac8e7e04a05cbbd6b7f6a9842f371d343b

SHA256
2c95bef914da6c50d7bdedec601e589fbb4fda24c4863a7260f4f72bd025799c

SHA512
608ef3ff0a517fe1e70ff41aeb277821565c5a9bee5103aa5e45c68d4763fce507c2a34d810f4cd242d163181f8341d9a69e93fe32aded6fbc7f544c55743f12

Download Submit
C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\msg\m_english.wnry
Filesize
36KB

MD5
fe68c2dc0d2419b38f44d83f2fcf232e

SHA1
6c6e49949957215aa2f3dfb72207d249adf36283

SHA256
26fd072fda6e12f8c2d3292086ef0390785efa2c556e2a88bd4673102af703e5

SHA512
941fa0a1f6a5756ed54260994db6158a7ebeb9e18b5c8ca2f6530c579bc4455918df0b38c609f501ca466b3cc067b40e4b861ad6513373b483b36338ae20a810

Download Submit
C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\msg\m_filipino.wnry
Filesize
36KB

MD5
08b9e69b57e4c9b966664f8e1c27ab09

SHA1
2da1025bbbfb3cd308070765fc0893a48e5a85fa

SHA256
d8489f8c16318e524b45de8b35d7e2c3cd8ed4821c136f12f5ef3c9fc3321324

SHA512
966b5ed68be6b5ccd46e0de1fa868cfe5432d9bf82e1e2f6eb99b2aef3c92f88d96f4f4eec5e16381b9c6db80a68071e7124ca1474d664bdd77e1817ec600cb4

Download Submit
C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\msg\m_finnish.wnry
Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\msg\m_french.wnry
Filesize
37KB

MD5
4e57113a6bf6b88fdd32782a4a381274

SHA1
0fccbc91f0f94453d91670c6794f71348711061d

SHA256
9bd38110e6523547aed50617ddc77d0920d408faeed2b7a21ab163fda22177bc

SHA512
4f1918a12269c654d44e9d394bc209ef0bc32242be8833a2fba437b879125177e149f56f2fb0c302330dec328139b34982c04b3fefb045612b6cc9f83ec85aa9

Download Submit
C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\msg\m_german.wnry
Filesize
36KB

MD5
3d59bbb5553fe03a89f817819540f469

SHA1
26781d4b06ff704800b463d0f1fca3afd923a9fe

SHA256
2adc900fafa9938d85ce53cb793271f37af40cf499bcc454f44975db533f0b61

SHA512
95719ae80589f71209bb3cb953276538040e7111b994d757b0a24283aefe27aadbbe9eef3f1f823ce4cabc1090946d4a2a558607ac6cac6faca5971529b34dac

Download Submit
C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\msg\m_greek.wnry
Filesize
47KB

MD5
fb4e8718fea95bb7479727fde80cb424

SHA1
1088c7653cba385fe994e9ae34a6595898f20aeb

SHA256
e13cc9b13aa5074dc45d50379eceb17ee39a0c2531ab617d93800fe236758ca9

SHA512
24db377af1569e4e2b2ebccec42564cea95a30f1ff43bcaf25a692f99567e027bcef4aacef008ec5f64ea2eef0c04be88d2b30bcadabb3919b5f45a6633940cb

Download Submit
C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\msg\m_indonesian.wnry
Filesize
36KB

MD5
3788f91c694dfc48e12417ce93356b0f

SHA1
eb3b87f7f654b604daf3484da9e02ca6c4ea98b7

SHA256
23e5e738aad10fb8ef89aa0285269aff728070080158fd3e7792fe9ed47c51f4

SHA512
b7dd9e6dc7c2d023ff958caf132f0544c76fae3b2d8e49753257676cc541735807b4befdf483bcae94c2dcde3c878c783b4a89dca0fecbc78f5bbf7c356f35cd

Download Submit
C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\msg\m_italian.wnry
Filesize
36KB

MD5
30a200f78498990095b36f574b6e8690

SHA1
c4b1b3c087bd12b063e98bca464cd05f3f7b7882

SHA256
49f2c739e7d9745c0834dc817a71bf6676ccc24a4c28dcddf8844093aab3df07

SHA512
c0da2aae82c397f6943a0a7b838f60eeef8f57192c5f498f2ecf05db824cfeb6d6ca830bf3715da7ee400aa8362bd64dc835298f3f0085ae7a744e6e6c690511

Download Submit
C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\msg\m_japanese.wnry
Filesize
79KB

MD5
b77e1221f7ecd0b5d696cb66cda1609e

SHA1
51eb7a254a33d05edf188ded653005dc82de8a46

SHA256
7e491e7b48d6e34f916624c1cda9f024e86fcbec56acda35e27fa99d530d017e

SHA512
f435fd67954787e6b87460db026759410fbd25b2f6ea758118749c113a50192446861a114358443a129be817020b50f21d27b1ebd3d22c7be62082e8b45223fc

Download Submit
C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\msg\m_korean.wnry
Filesize
89KB

MD5
6735cb43fe44832b061eeb3f5956b099

SHA1
d636daf64d524f81367ea92fdafa3726c909bee1

SHA256
552aa0f82f37c9601114974228d4fc54f7434fe3ae7a276ef1ae98a0f608f1d0

SHA512
60272801909dbba21578b22c49f6b0ba8cd0070f116476ff35b3ac8347b987790e4cc0334724244c4b13415a246e77a577230029e4561ae6f04a598c3f536c7e

Download Submit
C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\msg\m_latvian.wnry
Filesize
40KB

MD5
c33afb4ecc04ee1bcc6975bea49abe40

SHA1
fbea4f170507cde02b839527ef50b7ec74b4821f

SHA256
a0356696877f2d94d645ae2df6ce6b370bd5c0d6db3d36def44e714525de0536

SHA512
0d435f0836f61a5ff55b78c02fa47b191e5807a79d8a6e991f3115743df2141b3db42ba8bdad9ad259e12f5800828e9e72d7c94a6a5259312a447d669b03ec44

Download Submit
C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\msg\m_norwegian.wnry
Filesize
36KB

MD5
ff70cc7c00951084175d12128ce02399

SHA1
75ad3b1ad4fb14813882d88e952208c648f1fd18

SHA256
cb5da96b3dfcf4394713623dbf3831b2a0b8be63987f563e1c32edeb74cb6c3a

SHA512
f01df3256d49325e5ec49fd265aa3f176020c8ffec60eb1d828c75a3fa18ff8634e1de824d77dfdd833768acff1f547303104620c70066a2708654a07ef22e19

Download Submit
C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\msg\m_polish.wnry
Filesize
38KB

MD5
e79d7f2833a9c2e2553c7fe04a1b63f4

SHA1
3d9f56d2381b8fe16042aa7c4feb1b33f2baebff

SHA256
519ad66009a6c127400c6c09e079903223bd82ecc18ad71b8e5cd79f5f9c053e

SHA512
e0159c753491cac7606a7250f332e87bc6b14876bc7a1cf5625fa56ab4f09c485f7b231dd52e4ff0f5f3c29862afb1124c0efd0741613eb97a83cbe2668af5de

Download Submit
C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\msg\m_portuguese.wnry
Filesize
37KB

MD5
fa948f7d8dfb21ceddd6794f2d56b44f

SHA1
ca915fbe020caa88dd776d89632d7866f660fc7a

SHA256
bd9f4b3aedf4f81f37ec0a028aabcb0e9a900e6b4de04e9271c8db81432e2a66

SHA512
0d211bfb0ae953081dca00cd07f8c908c174fd6c47a8001fadc614203f0e55d9fbb7fa9b87c735d57101341ab36af443918ee00737ed4c19ace0a2b85497f41a

Download Submit
C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\msg\m_romanian.wnry
Filesize
50KB

MD5
313e0ececd24f4fa1504118a11bc7986

SHA1
e1b9ae804c7fb1d27f39db18dc0647bb04e75e9d

SHA256
70c0f32ed379ae899e5ac975e20bbbacd295cf7cd50c36174d2602420c770ac1

SHA512
c7500363c61baf8b77fce796d750f8f5e6886ff0a10f81c3240ea3ad4e5f101b597490dea8ab6bd9193457d35d8fd579fce1b88a1c8d85ebe96c66d909630730

Download Submit
C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\msg\m_russian.wnry
Filesize
46KB

MD5
452615db2336d60af7e2057481e4cab5

SHA1
442e31f6556b3d7de6eb85fbac3d2957b7f5eac6

SHA256
02932052fafe97e6acaaf9f391738a3a826f5434b1a013abbfa7a6c1ade1e078

SHA512
7613dc329abe7a3f32164c9a6b660f209a84b774ab9c008bf6503c76255b30ea9a743a6dc49a8de8df0bcb9aea5a33f7408ba27848d9562583ff51991910911f

Download Submit
C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\msg\m_slovak.wnry
Filesize
40KB

MD5
c911aba4ab1da6c28cf86338ab2ab6cc

SHA1
fee0fd58b8efe76077620d8abc7500dbfef7c5b0

SHA256
e64178e339c8e10eac17a236a67b892d0447eb67b1dcd149763dad6fd9f72729

SHA512
3491ed285a091a123a1a6d61aafbb8d5621ccc9e045a237a2f9c2cf6049e7420eb96ef30fdcea856b50454436e2ec468770f8d585752d73fafd676c4ef5e800a

Download Submit
C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\msg\m_spanish.wnry
Filesize
36KB

MD5
8d61648d34cba8ae9d1e2a219019add1

SHA1
2091e42fc17a0cc2f235650f7aad87abf8ba22c2

SHA256
72f20024b2f69b45a1391f0a6474e9f6349625ce329f5444aec7401fe31f8de1

SHA512
68489c33ba89edfe2e3aebaacf8ef848d2ea88dcbef9609c258662605e02d12cfa4ffdc1d266fc5878488e296d2848b2cb0bbd45f1e86ef959bab6162d284079

Download Submit
C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\msg\m_swedish.wnry
Filesize
37KB

MD5
c7a19984eb9f37198652eaf2fd1ee25c

SHA1
06eafed025cf8c4d76966bf382ab0c5e1bd6a0ae

SHA256
146f61db72297c9c0facffd560487f8d6a2846ecec92ecc7db19c8d618dbc3a4

SHA512
43dd159f9c2eac147cbff1dda83f6a83dd0c59d2d7acac35ba8b407a04ec9a1110a6a8737535d060d100ede1cb75078cf742c383948c9d4037ef459d150f6020

Download Submit
C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\msg\m_turkish.wnry
Filesize
41KB

MD5
531ba6b1a5460fc9446946f91cc8c94b

SHA1
cc56978681bd546fd82d87926b5d9905c92a5803

SHA256
6db650836d64350bbde2ab324407b8e474fc041098c41ecac6fd77d632a36415

SHA512
ef25c3cf4343df85954114f59933c7cc8107266c8bcac3b5ea7718eb74dbee8ca8a02da39057e6ef26b64f1dfccd720dd3bf473f5ae340ba56941e87d6b796c9

Download Submit
C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\msg\m_vietnamese.wnry
Filesize
91KB

MD5
8419be28a0dcec3f55823620922b00fa

SHA1
2e4791f9cdfca8abf345d606f313d22b36c46b92

SHA256
1f21838b244c80f8bed6f6977aa8a557b419cf22ba35b1fd4bf0f98989c5bdf8

SHA512
8fca77e54480aea3c0c7a705263ed8fb83c58974f5f0f62f12cc97c8e0506ba2cdb59b70e59e9a6c44dd7cde6adeeec35b494d31a6a146ff5ba7006136ab9386

Download Submit
C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\r.wnry
Filesize
864B

MD5
3e0020fc529b1c2a061016dd2469ba96

SHA1
c3a91c22b63f6fe709e7c29cafb29a2ee83e6ade

SHA256
402751fa49e0cb68fe052cb3db87b05e71c1d950984d339940cf6b29409f2a7c

SHA512
5ca3c134201ed39d96d72911c0498bae6f98701513fd7f1dc8512819b673f0ea580510fa94ed9413ccc73da18b39903772a7cbfa3478176181cee68c896e14cf

Download Submit
C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\s.wnry
Filesize
2.9MB

MD5
ad4c9de7c8c40813f200ba1c2fa33083

SHA1
d1af27518d455d432b62d73c6a1497d032f6120e

SHA256
e18fdd912dfe5b45776e68d578c3af3547886cf1353d7086c8bee037436dff4b

SHA512
115733d08e5f1a514808a20b070db7ff453fd149865f49c04365a8c6502fa1e5c3a31da3e21f688ab040f583cf1224a544aea9708ffab21405dde1c57f98e617

Download Submit
C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\t.wnry
Filesize
64KB

MD5
5dcaac857e695a65f5c3ef1441a73a8f

SHA1
7b10aaeee05e7a1efb43d9f837e9356ad55c07dd

SHA256
97ebce49b14c46bebc9ec2448d00e1e397123b256e2be9eba5140688e7bc0ae6

SHA512
06eb5e49d19b71a99770d1b11a5bb64a54bf3352f36e39a153469e54205075c203b08128dc2317259db206ab5323bdd93aaa252a066f57fb5c52ff28deedb5e2

Download Submit
C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\taskdl.exe
Filesize
20KB

MD5
4fef5e34143e646dbf9907c4374276f5

SHA1
47a9ad4125b6bd7c55e4e7da251e23f089407b8f

SHA256
4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79

SHA512
4550dd1787deb353ebd28363dd2cdccca861f6a5d9358120fa6aa23baa478b2a9eb43cef5e3f6426f708a0753491710ac05483fac4a046c26bec4234122434d5

Download Submit
C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\taskse.exe
Filesize
20KB

MD5
8495400f199ac77853c53b5a3f278f3e

SHA1
be5d6279874da315e3080b06083757aad9b32c23

SHA256
2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d

SHA512
0669c524a295a049fa4629b26f89788b2a74e1840bcdc50e093a0bd40830dd1279c9597937301c0072db6ece70adee4ace67c3c8a4fb2db6deafd8f1e887abe4

Download Submit
C:\Users\Admin\Downloads\WannaCry-main\WannaCry-main\u.wnry
Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\Users\Default\Desktop\@[email protected]
Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
\??\pipe\LOCAL\crashpad_4692_EOZZSHRFEOGYEXYA
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2604-641-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/5592-2013-0x0000000073FC0000-0x0000000074042000-memory.dmp

Filesize
520KB

Download
memory/5592-2015-0x0000000073D20000-0x0000000073F3C000-memory.dmp

Filesize
2.1MB

Download
memory/5592-2104-0x0000000000150000-0x000000000044E000-memory.dmp

Filesize
3.0MB

Download
memory/5592-2110-0x0000000073D20000-0x0000000073F3C000-memory.dmp

Filesize
2.1MB

Download
memory/5592-2025-0x0000000073D20000-0x0000000073F3C000-memory.dmp

Filesize
2.1MB

Download
memory/5592-2019-0x0000000000150000-0x000000000044E000-memory.dmp

Filesize
3.0MB

Download
memory/5592-2010-0x0000000074110000-0x000000007412C000-memory.dmp

Filesize
112KB

Download
memory/5592-2011-0x00000000740E0000-0x0000000074102000-memory.dmp

Filesize
136KB

Download
memory/5592-2012-0x0000000074050000-0x00000000740D2000-memory.dmp

Filesize
520KB

Download
memory/5592-2032-0x0000000073D20000-0x0000000073F3C000-memory.dmp

Filesize
2.1MB

Download
memory/5592-2014-0x0000000073F40000-0x0000000073FB7000-memory.dmp

Filesize
476KB

Download
memory/5592-2096-0x0000000000150000-0x000000000044E000-memory.dmp

Filesize
3.0MB

Download
memory/5592-2009-0x0000000000150000-0x000000000044E000-memory.dmp

Filesize
3.0MB

Download
memory/5592-1995-0x0000000074050000-0x00000000740D2000-memory.dmp

Filesize
520KB

Download
memory/5592-1997-0x0000000073FC0000-0x0000000074042000-memory.dmp

Filesize
520KB

Download
memory/5592-1999-0x0000000000150000-0x000000000044E000-memory.dmp

Filesize
3.0MB

Download
memory/5592-1996-0x0000000073D20000-0x0000000073F3C000-memory.dmp

Filesize
2.1MB

Download
memory/5592-1998-0x00000000740E0000-0x0000000074102000-memory.dmp

Filesize
136KB

Download
memory/5592-2026-0x0000000000150000-0x000000000044E000-memory.dmp

Filesize
3.0MB

Download
memory/5592-2081-0x0000000073D20000-0x0000000073F3C000-memory.dmp

Filesize
2.1MB

Download
memory/5592-2075-0x0000000000150000-0x000000000044E000-memory.dmp

Filesize
3.0MB

Download
memory/5592-2040-0x0000000000150000-0x000000000044E000-memory.dmp

Filesize
3.0MB

Download
memory/5592-2046-0x0000000073D20000-0x0000000073F3C000-memory.dmp

Filesize
2.1MB

Download