wannacry | hxxps://github[.]com/chronosmiki/RANSOMWARE-WANNACRY-2[.]0/blob/master/Ransomware[.]WannaCry[.]zip

Analysis

max time kernel
389s
max time network
375s
platform
windows11-21h2_x64
resource
win11-20240709-en
resource tags

arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system
submitted
24-07-2024 22:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/chronosmiki/RANSOMWARE-WANNACRY-2.0/blob/master/Ransomware.WannaCry.zip

Score

10^/10

wannacry defense_evasion discovery execution impact persistence ransomware worm

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\Ransomware.WannaCry\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Drops startup file 2 IoCs

Processes:

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD2D78.tmp	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD2D7F.tmp	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

Executes dropped EXE 33 IoCs

Processes:

taskdl.exe@[email protected]@[email protected]taskhsvc.exe@[email protected]taskdl.exetaskse.exe@[email protected]@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exe

pid	process
1860	taskdl.exe
4620	@[email protected]
1108	@[email protected]
4864	taskhsvc.exe
1232	@[email protected]
2724	taskdl.exe
1480	taskse.exe
1932	@[email protected]
3928	@[email protected]
2632	taskdl.exe
5040	taskse.exe
3540	@[email protected]
5296	taskdl.exe
5288	taskse.exe
5304	@[email protected]
5208	taskse.exe
5212	@[email protected]
5256	taskdl.exe
2232	taskse.exe
2964	@[email protected]
3228	taskdl.exe
3624	taskse.exe
6064	@[email protected]
6084	taskdl.exe
2180	taskse.exe
1200	@[email protected]
2512	taskdl.exe
5764	taskse.exe
5780	@[email protected]
4804	taskdl.exe
5340	taskse.exe
5736	@[email protected]
1360	taskdl.exe

Loads dropped DLL 7 IoCs

Processes:

taskhsvc.exe

pid process

4864 taskhsvc.exe
4864 taskhsvc.exe
4864 taskhsvc.exe
4864 taskhsvc.exe
4864 taskhsvc.exe
4864 taskhsvc.exe
4864 taskhsvc.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

752 icacls.exe

pid	process
4864	taskhsvc.exe
4864	taskhsvc.exe
4864	taskhsvc.exe
4864	taskhsvc.exe
4864	taskhsvc.exe
4864	taskhsvc.exe
4864	taskhsvc.exe

pid	process
752	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ffvrmeqk823 = "\"C:\\Users\\Admin\\Downloads\\Ransomware.WannaCry\\tasksche.exe\""	reg.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

2 raw.githubusercontent.com
32 raw.githubusercontent.com

flow	ioc
2	raw.githubusercontent.com
32	raw.githubusercontent.com

Drops file in System32 directory 2 IoCs

Processes:

chrome.exe

description	ioc	process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_01cf530faf2f1752\display.PNF	chrome.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_01cf530faf2f1752\display.PNF	chrome.exe

Sets desktop wallpaper using registry 2 TTPs 3 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

@[email protected]ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe@[email protected]

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2087971895-212656400-463594913-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-2087971895-212656400-463594913-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2087971895-212656400-463594913-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]

Drops file in Windows directory 1 IoCs

Processes:

chrome.exe

description ioc process

File opened for modification C:\Windows\SystemTemp chrome.exe
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

5044 1108 WerFault.exe @[email protected]
1184 1108 WerFault.exe @[email protected]

description	ioc	process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

pid	pid_target	process	target process
5044	1108	WerFault.exe	@[email protected]
1184	1108	WerFault.exe	@[email protected]

System Location Discovery: System Language Discovery 1 TTPs 44 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

taskse.exe@[email protected]taskse.exe@[email protected]taskse.exe@[email protected]cmd.exetaskdl.exetaskse.exe@[email protected]cmd.exetaskdl.exetaskdl.exeattrib.exeWMIC.execmd.exe@[email protected]taskse.exereg.exetaskse.exe@[email protected]ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe@[email protected]taskse.exetaskdl.exe@[email protected]icacls.exeattrib.execmd.exetaskse.exetaskdl.exe@[email protected]taskdl.exetaskdl.exetaskdl.exetaskhsvc.exe@[email protected]taskse.exetaskdl.exetaskdl.execscript.exe@[email protected]@[email protected]@[email protected]

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exemsedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies Internet Explorer settings 1 TTPs 29 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2087971895-212656400-463594913-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPMigrationVer = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2087971895-212656400-463594913-1000\Software\Microsoft\Internet Explorer\BrowserEmulation	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2087971895-212656400-463594913-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "13"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2087971895-212656400-463594913-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2087971895-212656400-463594913-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2087971895-212656400-463594913-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2087971895-212656400-463594913-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "8"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2087971895-212656400-463594913-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2087971895-212656400-463594913-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListDomainAttributeSet = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2087971895-212656400-463594913-1000\Software\Microsoft\Internet Explorer\VersionManager\FirstCheckForUpdateLowDateTime = "1273584676"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2087971895-212656400-463594913-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "9"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2087971895-212656400-463594913-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionLow = "395196024"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2087971895-212656400-463594913-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2087971895-212656400-463594913-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "268435456"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2087971895-212656400-463594913-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionHigh = "268435456"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2087971895-212656400-463594913-1000\Software\Microsoft\Internet Explorer\GPU\DeviceId = "140"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2087971895-212656400-463594913-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\StaleCompatCache = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2087971895-212656400-463594913-1000\Software\Microsoft\Internet Explorer\GPU\Revision = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2087971895-212656400-463594913-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2087971895-212656400-463594913-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\HomepagesUpgradeVersion = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2087971895-212656400-463594913-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\StaleCompatCache = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2087971895-212656400-463594913-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "395196024"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2087971895-212656400-463594913-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2087971895-212656400-463594913-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2087971895-212656400-463594913-1000\Software\Microsoft\Internet Explorer\VersionManager\FirstCheckForUpdateHighDateTime = "31120931"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2087971895-212656400-463594913-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2087971895-212656400-463594913-1000\Software\Microsoft\Internet Explorer\GPU\SoftwareFallback = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2087971895-212656400-463594913-1000\Software\Microsoft\Internet Explorer\GPU\VendorId = "4318"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2087971895-212656400-463594913-1000\Software\Microsoft\Internet Explorer\GPU\SubSysId = "0"	iexplore.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133663336976863303"	chrome.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2087971895-212656400-463594913-1000_Classes\Local Settings msedge.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

4676 reg.exe
NTFS ADS 1 IoCs

Processes:

msedge.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\Ransomware.WannaCry.zip:Zone.Identifier msedge.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

3112 NOTEPAD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2087971895-212656400-463594913-1000_Classes\Local Settings	msedge.exe

pid	process
4676	reg.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Ransomware.WannaCry.zip:Zone.Identifier	msedge.exe

pid	process
3112	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

msedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exetaskhsvc.exemsedge.exechrome.exechrome.exe

pid	process
1384	msedge.exe
1384	msedge.exe
5028	msedge.exe
5028	msedge.exe
2064	msedge.exe
2064	msedge.exe
1360	identity_helper.exe
1360	identity_helper.exe
2992	msedge.exe
2992	msedge.exe
4864	taskhsvc.exe
4864	taskhsvc.exe
4864	taskhsvc.exe
4864	taskhsvc.exe
4864	taskhsvc.exe
4864	taskhsvc.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4480	chrome.exe
4480	chrome.exe
5208	chrome.exe
5208	chrome.exe
5208	chrome.exe
5208	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

@[email protected]

pid process

1232 @[email protected]

pid	process
1232	@[email protected]

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

Processes:

msedge.exechrome.exe

pid	process
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exevssvc.exetaskse.exetaskse.exechrome.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2548	WMIC.exe
Token: SeSecurityPrivilege	2548	WMIC.exe
Token: SeTakeOwnershipPrivilege	2548	WMIC.exe
Token: SeLoadDriverPrivilege	2548	WMIC.exe
Token: SeSystemProfilePrivilege	2548	WMIC.exe
Token: SeSystemtimePrivilege	2548	WMIC.exe
Token: SeProfSingleProcessPrivilege	2548	WMIC.exe
Token: SeIncBasePriorityPrivilege	2548	WMIC.exe
Token: SeCreatePagefilePrivilege	2548	WMIC.exe
Token: SeBackupPrivilege	2548	WMIC.exe
Token: SeRestorePrivilege	2548	WMIC.exe
Token: SeShutdownPrivilege	2548	WMIC.exe
Token: SeDebugPrivilege	2548	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2548	WMIC.exe
Token: SeRemoteShutdownPrivilege	2548	WMIC.exe
Token: SeUndockPrivilege	2548	WMIC.exe
Token: SeManageVolumePrivilege	2548	WMIC.exe
Token: 33	2548	WMIC.exe
Token: 34	2548	WMIC.exe
Token: 35	2548	WMIC.exe
Token: 36	2548	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2548	WMIC.exe
Token: SeSecurityPrivilege	2548	WMIC.exe
Token: SeTakeOwnershipPrivilege	2548	WMIC.exe
Token: SeLoadDriverPrivilege	2548	WMIC.exe
Token: SeSystemProfilePrivilege	2548	WMIC.exe
Token: SeSystemtimePrivilege	2548	WMIC.exe
Token: SeProfSingleProcessPrivilege	2548	WMIC.exe
Token: SeIncBasePriorityPrivilege	2548	WMIC.exe
Token: SeCreatePagefilePrivilege	2548	WMIC.exe
Token: SeBackupPrivilege	2548	WMIC.exe
Token: SeRestorePrivilege	2548	WMIC.exe
Token: SeShutdownPrivilege	2548	WMIC.exe
Token: SeDebugPrivilege	2548	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2548	WMIC.exe
Token: SeRemoteShutdownPrivilege	2548	WMIC.exe
Token: SeUndockPrivilege	2548	WMIC.exe
Token: SeManageVolumePrivilege	2548	WMIC.exe
Token: 33	2548	WMIC.exe
Token: 34	2548	WMIC.exe
Token: 35	2548	WMIC.exe
Token: 36	2548	WMIC.exe
Token: SeBackupPrivilege	1396	vssvc.exe
Token: SeRestorePrivilege	1396	vssvc.exe
Token: SeAuditPrivilege	1396	vssvc.exe
Token: SeTcbPrivilege	1480	taskse.exe
Token: SeTcbPrivilege	1480	taskse.exe
Token: SeTcbPrivilege	5040	taskse.exe
Token: SeTcbPrivilege	5040	taskse.exe
Token: SeShutdownPrivilege	4480	chrome.exe
Token: SeCreatePagefilePrivilege	4480	chrome.exe
Token: SeShutdownPrivilege	4480	chrome.exe
Token: SeCreatePagefilePrivilege	4480	chrome.exe
Token: SeShutdownPrivilege	4480	chrome.exe
Token: SeCreatePagefilePrivilege	4480	chrome.exe
Token: SeShutdownPrivilege	4480	chrome.exe
Token: SeCreatePagefilePrivilege	4480	chrome.exe
Token: SeShutdownPrivilege	4480	chrome.exe
Token: SeCreatePagefilePrivilege	4480	chrome.exe
Token: SeShutdownPrivilege	4480	chrome.exe
Token: SeCreatePagefilePrivilege	4480	chrome.exe
Token: SeShutdownPrivilege	4480	chrome.exe
Token: SeCreatePagefilePrivilege	4480	chrome.exe
Token: SeShutdownPrivilege	4480	chrome.exe

Suspicious use of FindShellTrayWindow 59 IoCs

Processes:

msedge.exechrome.exe

pid	process
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exechrome.exe

pid	process
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe
4480	chrome.exe

Suspicious use of SetWindowsHookEx 18 IoCs

Processes:

@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]MiniSearchHost.exe@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]

pid	process
4620	@[email protected]
4620	@[email protected]
1108	@[email protected]
1108	@[email protected]
1232	@[email protected]
1232	@[email protected]
1932	@[email protected]
3928	@[email protected]
3540	@[email protected]
5304	@[email protected]
5460	MiniSearchHost.exe
5212	@[email protected]
2964	@[email protected]
6064	@[email protected]
1200	@[email protected]
1200	@[email protected]
5780	@[email protected]
5736	@[email protected]

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 5028 wrote to memory of 1540	5028	msedge.exe	msedge.exe
PID 5028 wrote to memory of 1540	5028	msedge.exe	msedge.exe
PID 5028 wrote to memory of 4612	5028	msedge.exe	msedge.exe
PID 5028 wrote to memory of 4612	5028	msedge.exe	msedge.exe
PID 5028 wrote to memory of 4612	5028	msedge.exe	msedge.exe
PID 5028 wrote to memory of 4612	5028	msedge.exe	msedge.exe
PID 5028 wrote to memory of 4612	5028	msedge.exe	msedge.exe
PID 5028 wrote to memory of 4612	5028	msedge.exe	msedge.exe
PID 5028 wrote to memory of 4612	5028	msedge.exe	msedge.exe
PID 5028 wrote to memory of 4612	5028	msedge.exe	msedge.exe
PID 5028 wrote to memory of 4612	5028	msedge.exe	msedge.exe
PID 5028 wrote to memory of 4612	5028	msedge.exe	msedge.exe
PID 5028 wrote to memory of 4612	5028	msedge.exe	msedge.exe
PID 5028 wrote to memory of 4612	5028	msedge.exe	msedge.exe
PID 5028 wrote to memory of 4612	5028	msedge.exe	msedge.exe
PID 5028 wrote to memory of 4612	5028	msedge.exe	msedge.exe
PID 5028 wrote to memory of 4612	5028	msedge.exe	msedge.exe
PID 5028 wrote to memory of 4612	5028	msedge.exe	msedge.exe
PID 5028 wrote to memory of 4612	5028	msedge.exe	msedge.exe
PID 5028 wrote to memory of 4612	5028	msedge.exe	msedge.exe
PID 5028 wrote to memory of 4612	5028	msedge.exe	msedge.exe
PID 5028 wrote to memory of 4612	5028	msedge.exe	msedge.exe
PID 5028 wrote to memory of 4612	5028	msedge.exe	msedge.exe
PID 5028 wrote to memory of 4612	5028	msedge.exe	msedge.exe
PID 5028 wrote to memory of 4612	5028	msedge.exe	msedge.exe
PID 5028 wrote to memory of 4612	5028	msedge.exe	msedge.exe
PID 5028 wrote to memory of 4612	5028	msedge.exe	msedge.exe
PID 5028 wrote to memory of 4612	5028	msedge.exe	msedge.exe
PID 5028 wrote to memory of 4612	5028	msedge.exe	msedge.exe
PID 5028 wrote to memory of 4612	5028	msedge.exe	msedge.exe
PID 5028 wrote to memory of 4612	5028	msedge.exe	msedge.exe
PID 5028 wrote to memory of 4612	5028	msedge.exe	msedge.exe
PID 5028 wrote to memory of 4612	5028	msedge.exe	msedge.exe
PID 5028 wrote to memory of 4612	5028	msedge.exe	msedge.exe
PID 5028 wrote to memory of 4612	5028	msedge.exe	msedge.exe
PID 5028 wrote to memory of 4612	5028	msedge.exe	msedge.exe
PID 5028 wrote to memory of 4612	5028	msedge.exe	msedge.exe
PID 5028 wrote to memory of 4612	5028	msedge.exe	msedge.exe
PID 5028 wrote to memory of 4612	5028	msedge.exe	msedge.exe
PID 5028 wrote to memory of 4612	5028	msedge.exe	msedge.exe
PID 5028 wrote to memory of 4612	5028	msedge.exe	msedge.exe
PID 5028 wrote to memory of 4612	5028	msedge.exe	msedge.exe
PID 5028 wrote to memory of 1384	5028	msedge.exe	msedge.exe
PID 5028 wrote to memory of 1384	5028	msedge.exe	msedge.exe
PID 5028 wrote to memory of 2708	5028	msedge.exe	msedge.exe
PID 5028 wrote to memory of 2708	5028	msedge.exe	msedge.exe
PID 5028 wrote to memory of 2708	5028	msedge.exe	msedge.exe
PID 5028 wrote to memory of 2708	5028	msedge.exe	msedge.exe
PID 5028 wrote to memory of 2708	5028	msedge.exe	msedge.exe
PID 5028 wrote to memory of 2708	5028	msedge.exe	msedge.exe
PID 5028 wrote to memory of 2708	5028	msedge.exe	msedge.exe
PID 5028 wrote to memory of 2708	5028	msedge.exe	msedge.exe
PID 5028 wrote to memory of 2708	5028	msedge.exe	msedge.exe
PID 5028 wrote to memory of 2708	5028	msedge.exe	msedge.exe
PID 5028 wrote to memory of 2708	5028	msedge.exe	msedge.exe
PID 5028 wrote to memory of 2708	5028	msedge.exe	msedge.exe
PID 5028 wrote to memory of 2708	5028	msedge.exe	msedge.exe
PID 5028 wrote to memory of 2708	5028	msedge.exe	msedge.exe
PID 5028 wrote to memory of 2708	5028	msedge.exe	msedge.exe
PID 5028 wrote to memory of 2708	5028	msedge.exe	msedge.exe
PID 5028 wrote to memory of 2708	5028	msedge.exe	msedge.exe
PID 5028 wrote to memory of 2708	5028	msedge.exe	msedge.exe
PID 5028 wrote to memory of 2708	5028	msedge.exe	msedge.exe
PID 5028 wrote to memory of 2708	5028	msedge.exe	msedge.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

2012 attrib.exe
384 attrib.exe

pid	process
2012	attrib.exe
384	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/chronosmiki/RANSOMWARE-WANNACRY-2.0/blob/master/Ransomware.WannaCry.zip
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5028

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffbaa3d3cb8,0x7ffbaa3d3cc8,0x7ffbaa3d3cd8
2⤵
PID:1540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1924,8750838149230601336,864720157532701872,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1920 /prefetch:2
2⤵
PID:4612

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1924,8750838149230601336,864720157532701872,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2368 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1384

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1924,8750838149230601336,864720157532701872,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2824 /prefetch:8
2⤵
PID:2708

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,8750838149230601336,864720157532701872,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
2⤵
PID:4404

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,8750838149230601336,864720157532701872,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
2⤵
PID:4788

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1924,8750838149230601336,864720157532701872,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5024 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2064

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1924,8750838149230601336,864720157532701872,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5648 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1360

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,8750838149230601336,864720157532701872,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1736 /prefetch:1
2⤵
PID:3776

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1924,8750838149230601336,864720157532701872,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5216 /prefetch:8
2⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:2992

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1924,8750838149230601336,864720157532701872,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5808 /prefetch:8
2⤵
PID:4968

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,8750838149230601336,864720157532701872,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6240 /prefetch:1
2⤵
PID:3120

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,8750838149230601336,864720157532701872,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6236 /prefetch:1
2⤵
PID:3872

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,8750838149230601336,864720157532701872,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4600 /prefetch:1
2⤵
PID:4100

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,8750838149230601336,864720157532701872,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6580 /prefetch:1
2⤵
PID:1924

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1924,8750838149230601336,864720157532701872,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6188 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4820

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:232

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3348

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2088

C:\Users\Admin\Downloads\Ransomware.WannaCry\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
"C:\Users\Admin\Downloads\Ransomware.WannaCry\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe"
1⤵
- Drops startup file
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
PID:3024

C:\Windows\SysWOW64\attrib.exe
attrib +h .
2⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:2012

C:\Windows\SysWOW64\icacls.exe
icacls . /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:752

C:\Users\Admin\Downloads\Ransomware.WannaCry\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 234091721859841.bat
2⤵
- System Location Discovery: System Language Discovery
PID:1480

C:\Windows\SysWOW64\cscript.exe
cscript.exe //nologo m.vbs
3⤵
- System Location Discovery: System Language Discovery
PID:1516

C:\Windows\SysWOW64\attrib.exe
attrib +h +s F:\$RECYCLE
2⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:384

C:\Users\Admin\Downloads\Ransomware.WannaCry\@[email protected]
@[email protected] co
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4620

C:\Users\Admin\Downloads\Ransomware.WannaCry\TaskData\Tor\taskhsvc.exe
TaskData\Tor\taskhsvc.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4864

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /b @[email protected] vs
2⤵
- System Location Discovery: System Language Discovery
PID:1284

C:\Users\Admin\Downloads\Ransomware.WannaCry\@[email protected]
@[email protected] vs
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1108

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
4⤵
- System Location Discovery: System Language Discovery
PID:1788

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 416
4⤵
- Program crash
PID:5044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 416
4⤵
- Program crash
PID:1184

C:\Users\Admin\Downloads\Ransomware.WannaCry\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2724

C:\Users\Admin\Downloads\Ransomware.WannaCry\taskse.exe
taskse.exe C:\Users\Admin\Downloads\Ransomware.WannaCry\@[email protected]
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1480

C:\Users\Admin\Downloads\Ransomware.WannaCry\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1932

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "ffvrmeqk823" /t REG_SZ /d "\"C:\Users\Admin\Downloads\Ransomware.WannaCry\tasksche.exe\"" /f
2⤵
- System Location Discovery: System Language Discovery
PID:4520

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "ffvrmeqk823" /t REG_SZ /d "\"C:\Users\Admin\Downloads\Ransomware.WannaCry\tasksche.exe\"" /f
3⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry key
PID:4676

C:\Users\Admin\Downloads\Ransomware.WannaCry\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2632

C:\Users\Admin\Downloads\Ransomware.WannaCry\taskse.exe
taskse.exe C:\Users\Admin\Downloads\Ransomware.WannaCry\@[email protected]
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5040

C:\Users\Admin\Downloads\Ransomware.WannaCry\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3540

C:\Users\Admin\Downloads\Ransomware.WannaCry\taskse.exe
taskse.exe C:\Users\Admin\Downloads\Ransomware.WannaCry\@[email protected]
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5288

C:\Users\Admin\Downloads\Ransomware.WannaCry\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5296

C:\Users\Admin\Downloads\Ransomware.WannaCry\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5304

C:\Users\Admin\Downloads\Ransomware.WannaCry\taskse.exe
taskse.exe C:\Users\Admin\Downloads\Ransomware.WannaCry\@[email protected]
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5208

C:\Users\Admin\Downloads\Ransomware.WannaCry\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5212

C:\Users\Admin\Downloads\Ransomware.WannaCry\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5256

C:\Users\Admin\Downloads\Ransomware.WannaCry\taskse.exe
taskse.exe C:\Users\Admin\Downloads\Ransomware.WannaCry\@[email protected]
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2232

C:\Users\Admin\Downloads\Ransomware.WannaCry\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2964

C:\Users\Admin\Downloads\Ransomware.WannaCry\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3228

C:\Users\Admin\Downloads\Ransomware.WannaCry\taskse.exe
taskse.exe C:\Users\Admin\Downloads\Ransomware.WannaCry\@[email protected]
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3624

C:\Users\Admin\Downloads\Ransomware.WannaCry\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:6064

C:\Users\Admin\Downloads\Ransomware.WannaCry\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:6084

C:\Users\Admin\Downloads\Ransomware.WannaCry\taskse.exe
taskse.exe C:\Users\Admin\Downloads\Ransomware.WannaCry\@[email protected]
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2180

C:\Users\Admin\Downloads\Ransomware.WannaCry\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1200

C:\Users\Admin\Downloads\Ransomware.WannaCry\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2512

C:\Users\Admin\Downloads\Ransomware.WannaCry\taskse.exe
taskse.exe C:\Users\Admin\Downloads\Ransomware.WannaCry\@[email protected]
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5764

C:\Users\Admin\Downloads\Ransomware.WannaCry\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5780

C:\Users\Admin\Downloads\Ransomware.WannaCry\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4804

C:\Users\Admin\Downloads\Ransomware.WannaCry\taskse.exe
taskse.exe C:\Users\Admin\Downloads\Ransomware.WannaCry\@[email protected]
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5340

C:\Users\Admin\Downloads\Ransomware.WannaCry\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5736

C:\Users\Admin\Downloads\Ransomware.WannaCry\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1360

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Ransomware.WannaCry\@[email protected]
1⤵
- Opens file in notepad (likely ransom note)
PID:3112

C:\Users\Admin\Downloads\Ransomware.WannaCry\@[email protected]
"C:\Users\Admin\Downloads\Ransomware.WannaCry\@[email protected]"
1⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1108 -ip 1108
1⤵
PID:432

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1108 -ip 1108
1⤵
PID:3928

C:\Users\Admin\Downloads\Ransomware.WannaCry\@[email protected]
"C:\Users\Admin\Downloads\Ransomware.WannaCry\@[email protected]"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3928

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE
"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\Desktop\ProtectEnter.xml"
1⤵
PID:1936

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\ProtectEnter.xml
2⤵
- Modifies Internet Explorer settings
PID:4012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4480

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb95a2cc40,0x7ffb95a2cc4c,0x7ffb95a2cc58
2⤵
PID:1216

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1712,i,7494811576499961504,15558105750812720254,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=1752 /prefetch:2
2⤵
PID:3876

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2096,i,7494811576499961504,15558105750812720254,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=2112 /prefetch:3
2⤵
PID:2664

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2152,i,7494811576499961504,15558105750812720254,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=2184 /prefetch:8
2⤵
PID:5076

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3108,i,7494811576499961504,15558105750812720254,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3132 /prefetch:1
2⤵
PID:1920

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3340,i,7494811576499961504,15558105750812720254,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3348 /prefetch:1
2⤵
PID:5068

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4392,i,7494811576499961504,15558105750812720254,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3552 /prefetch:1
2⤵
PID:1768

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=212,i,7494811576499961504,15558105750812720254,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4848 /prefetch:8
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:5208

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4968,i,7494811576499961504,15558105750812720254,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4900 /prefetch:8
2⤵
PID:6080

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4772,i,7494811576499961504,15558105750812720254,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4604 /prefetch:8
2⤵
PID:6112

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:4012

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:5460

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\8c185209315041ee9af8b8d5c4636b40 /t 2620 /p 1232
1⤵
PID:3296

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5448

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:4888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
cf88d1bd5d6fdcbdac2fd707cee76150

SHA1
ed2a6afc31be416f44f1ffa7f8c0436a6f05b5a0

SHA256
cecf293067f18898063b19301a0ff2022881e585fbd73b32dfe79e55c038b5cc

SHA512
7abb6406c8447f37708277472a6a2e727e856cddb3f0c31518ccf9d599b99c69ce09ae6da126e7dbe3fd96c86fde255e13ea45e30c2461586b9d26b7de032437

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
23c001d7978a70988552a1c6132f89f0

SHA1
de5a93277735b06d652d7d45acd7b7b3911af564

SHA256
c296a324a9bf8343f6b2e392d3f05191154267c80bc6979f71041445564cdc4e

SHA512
84b79f807f95baf2159b205903b1a04da335dde0f931f14c335cb800752c410b8e0f1d5c48d973b261c2a29e8bdfd693d3dcadfa6b1f0c1de82441aa37d8114f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
a88de01a34b9bf6b56f28541ab92ac77

SHA1
e575fec4dd85f284955a3d269b6ac0c7feacab9a

SHA256
6ab46c74565db64056f4bd3bd2da833dd97df95205b84a8a663ec1cfcf6d4a59

SHA512
3e447b2f64eecae7fc6ca37c6c45d6a538764159f5d4d43419b712bab648e61e04516199a3f26a5382e50a508cde3b34438607e9f78c29bdea2d6139991784c7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1532b62223f6035104d578e18f4ce3e0

SHA1
67199c4a8893fb689efc50b163601d33fe07b54f

SHA256
b04db1b046b1755a3770e3c743c3e7401f4d4b4095c9a194fd6dcac474ca12a6

SHA512
8dc9a421701820bc8a3736bdd6810f03ccbb88c9789995182aac96d59ded2e49b1461d5ec0bf9408eaca574192b15ba43f3f61c945f1cd75a454e57536a04893

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
87be5e1c82bc2d5303d946c00ffccd46

SHA1
46f079181d78b06985f0b81c93ebd381872b6d13

SHA256
f42ac06462d5f8e2c1be9abd555a378838118b57967df3e24efff45955a9325c

SHA512
4623b8e441266054aa352786cbb19756df6c2162e642ed97c3fd6712d09b21ce283cc61c1e55da5f6914ea0b2453247f3a535d84ad437a4d5f4c8ea01663b309

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
aeba1387a959cdba880bbe13069ca543

SHA1
add394b2aae549058cf10481851048865ac38bdd

SHA256
952045c1c41d32b152d6b82f8955670a3a9a5eee8c3128b611c68e081ce929ec

SHA512
4d30be07ccc78896067798643d08ae212e294812918c143928a97ffcb2cd46c2c4d4ff07c44e2ebec40b6c53a2db990c48f50f346488a7513664518d981d79f4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ecc330e38ab9a3afd0e7ff8cb9ffeeee

SHA1
de2ef215a9b3e4d1e6fe5eeaa5df67eeb0737abb

SHA256
16703b027ef88fa01feab3dd0cfe0ad38fc942ae90754d5600a62ce6611e18e8

SHA512
d3656965241bd8a4848001a716a297cad6b4e95ec64e7bf6254378a866adc94559d56e090531721cb0ba521ec409dc46f085677d0f932cf0e6b5700dca74650a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0b8cfeb892d1aa242b333fe26f61058d

SHA1
a1073769c1e9594e787bc6cd964c2842ba80901f

SHA256
43fbcdd3eea8701ec9c1c862cd127fd0321626f0f962f5e926cbf3849ba41071

SHA512
bf54d29dc6960315ac46623ea8001a0bf4934b6c3713ad4e0651491abefe6d935d2d7212cd47c343b90e50fd1c333b277f474c5d38a2f1c82f2ed07ac6dafe0e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
dfd9b2485e9a53b0f6e2566a3716a1bd

SHA1
4c89f6901d3c2d0e4ff54d6ab86a648b12816a96

SHA256
efc6f04b69c83fef93cd1e270e135348c7dcb54c230945427e3b5607b9a76c01

SHA512
2b4187e9a177b6a303d7208fcb4fc9ee3534a76dbc9901d09e13d3238cbe688be91016374464a268f49b393818a51efb674352a5094c5b4d58f34b469e8d2069

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b71b0788ff3ad04278177b014873d167

SHA1
745e7b617c5cc6f5525cd5e41a9beb99487668d5

SHA256
229da1006cc7751e3a24e622658b2a8d5394abbe0d70c22ab3c91bfef7907e7c

SHA512
b12beaeb17bd8d4d376c39079e9b6f38c8933cff90d8869cca3906f1060afa079b466517967ac08635edb4e83b6ae63350f88015d4eb87c7e1b2a137f6d71f80

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5158bdd7ccb9a25f9b0d48b91881be64

SHA1
e3ceeda478a323aec40f93cfe476e1ac09bd2813

SHA256
fb752e40eda7e200bd5247a8bef6dcb73e9eed9d798d188214d00aa886738f31

SHA512
323dd4f71673cad48147ba0e65ed0abb60b8523ad90b3e26c2d73de3b50e511fe61911b2c6d4e29319cb29374daa450e04b81574a6d298f19d449c3c24c5509e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2f78dba3ef49e2d3537a9cc6974b4c88

SHA1
c92444d9edc01d2abbae8e9bfa70726c8686b53c

SHA256
6833f2c95fc565f05dda6a88b19fcd467a1829f73f55b98a995c50d823365b2a

SHA512
0fec42f3b567d70139180ff51b961118859700c57f1beb179878f0cc88daf6b0457423aa98846e48b922525147f4b6ae11e0f9158ca9da2acc2502fa69031f83

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b06405525f6dc5f33d63bb583a24a566

SHA1
992dbd8746798a0010abd71f5ab0e5a047586c66

SHA256
ccc0a90bb584caac042395a6353bec580e6e3b06656b08c19e17f378f8bfeb58

SHA512
9314218956d7dad78757dec2edea33b39bf0c5ea576153b9efe23f7d1c9ba2bb2a5c59f9a4e2cb0cae2ec26a89bed88f9162a40fe0b31d32d95d403caace690f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
c17d237d0b5dc850a6a4c424cf0044ed

SHA1
5e2ce798fed8bc0641b6838cf8fa98c082622c4d

SHA256
f5d74c82b575b20d36fe6964633505b7126b4fe841741d5de23cd55e3a16e33c

SHA512
df6f11bb71126d71dbec5707eeb06c2decf3d9a62d25b88080290394a5a5e2972c86b6a1fffb08f8adbc23aed9da35641197d5b404410e05167cd44d5e75f95e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
459d14c511c7ac82865279f9b80017ca

SHA1
9df824603349cff34af5042c02740bd6fa0a73fc

SHA256
0201075debb078b19926b833e041fb9c5bfec1bf8a65b93ae7c491cfc8bf627a

SHA512
85a74816235c5e50f33550fc82c8aa1ed9e786b7f41525067838f534e8c01d82ad048c85a4f54cc65dd0c24e22d2fa430ac6ff103f88b3d2a56ab8626b28343f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
430c1c16a06e6baf984bb087e25b64d9

SHA1
4b661c5cf77748799b9bf7dad95b8e22196a7798

SHA256
6c00ae904c674215107d1d3d1bdb601a952bdfacead29e3be1819822d19654fa

SHA512
35ec8f64bc1770379730f03b509c344fc57df67a444541d0ab7d3af99595c15db4bdd70ee4ff86d8f993ead5b0809eaa2617d63792dfdc52c44172e5f7fd898d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
62443e8efc7cd8c439c5898678c90205

SHA1
9139951919c3719bd26b52686e28b74f6791e51c

SHA256
58eaf68b0ae6b3b9caa39172c51dadb009ba746cefeb7125f97ab5b6f8f4d06b

SHA512
d29b33b90a070873344fc2905c48b4d4dcfcccde1b9737ae9c2ed57a11cdf4275d26ae40ebda03d793e108c63011faf17a167fffab1e8def4b377edb05dee5a4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
def20c22f676a2e75e09d195684344e6

SHA1
d8e9465eeac2c1c32136e9bf4ba1304975549f35

SHA256
869b19d04d8025d58f750b78a8bcb39db502b81c2279ac2e16c299f193f90a73

SHA512
fabf0e581548ec86412e5a5b6318d159afbd7dc2c8f742781658f101430e62cd87f78a7ff47706dcd2037b0e0aa6d33a887cd0873a0f6dcad7e32b79793d5cef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
92KB

MD5
ddfd30059222cd047a1661ddfee4f9bd

SHA1
89b9ba60db244049ee0b8710af89bed01e01b58a

SHA256
1889e447f18ad0f410842f24c35f9ec9eaba3f55e914824bece291278719da98

SHA512
97946ea488808f04dd8d98bb00ea51c78267bbf91148e6a0360e2385c9ed7dc3be2eda7df44f596f95ed7c68420fa8783cb04417654c5c646e50850949b9a421

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
92KB

MD5
d1f135f9cd79322f634da3bf12d0c0db

SHA1
b77e9abdbe29fbc6d09e186e0549e92736e39291

SHA256
ce5dd441e95b5992417658f2124bc82370e23da6e31802ad36af61586d4dd649

SHA512
b1bb82fbd104ce1a598f6ad967bd23a0df31756fda150f8c434db82fd60e8b61fdd8d5aa820297cbc8f36de744c93ddc217d03726ae0ba1edcfa23ce08b8c209

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
187KB

MD5
a7e3bcef71a93306611847531868d2e2

SHA1
d5dbdeeabbcf5b2015a726047cc71cc55a911b05

SHA256
19d9ddc7f925cc352f1adb2e29f76490f0575f02d54793542c0b31eeac097bff

SHA512
7743284e30c3466d845b8f57a11e77e2021bcf1a3e69df24fd838aa1efec2e834757f4e271b2db342e4870ba5df49529950b0c33c3f2365fc6d669ea7290a0cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bb87c05bdde5672940b661f7cf6c188e

SHA1
476f902e4743e846c500423fb7e195151f22f3b5

SHA256
7b7f02109a9d1f4b5b57ca376fcacd34f894d2c80584630c3733f2a41dddf063

SHA512
c60d8b260d98ced6fe283ca6fed06e5f4640e9de2609bcfbfa176da1d0744b7f68acabfa66f35455e68cad8be1e2cfc9b5046463e13ae5f33bbbf87a005d1e0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5478498cbfa587d1d55a9ca5598bf6b9

SHA1
82fedfb941371c42f041f891ea8eb9fe4cf7dcc8

SHA256
a4e82ce07a482da1a3a3ba11fcceee197c6b2b42608320c4f3e67f1c6a6d6606

SHA512
7641a2f3cc7321b1277c58a47dfd71be087f67f8b57dca6e72bd4e1b664f36151cd723e03ea348835581bcb773eb97911f985d5ee770d4d1b8b6f7849ce74b44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\0b4a61b5-2990-4944-abba-a6407209cbb7.tmp

Filesize
6KB

MD5
a555579198d5421498bb10797ee4012d

SHA1
754bbd80ee330f5aca4f6a8ba1d00fe7f5a5b15d

SHA256
492e7358db8ed422e51eb744678fd21aaf2b8302dd711733f9cce6a55ad3616e

SHA512
d15783ea295d0e15e3efd8ee60345b49304cb3ed917059228b6560b90f2a50bdb4e0d6465e055532fd45c9a838aec7b0b3419f6b6012fcb9942b71944dfa4e53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
20KB

MD5
0f3de113dc536643a187f641efae47f4

SHA1
729e48891d13fb7581697f5fee8175f60519615e

SHA256
9bef33945e76bc0012cdbd9941eab34f9472aca8e0ddbbaea52658423dc579f8

SHA512
8332bf7bd97ec1ebfc8e7fcf75132ca3f6dfd820863f2559ab22ac867aa882921f2b208ab76a6deb2e6fa2907bb0244851023af6c9960a77d3ad4101b314797f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000d

Filesize
23KB

MD5
96b53c43d6ccc50133654af9e12f3ecc

SHA1
d269378ae11ad0ef1d75a9e264b5da9af0d0df2e

SHA256
40c01f26b194892245a48289362892da66a459c588781dbfc5a269d4e1cfcb4a

SHA512
d15ba1434f1cf354e2b2c1527be86fa3b412f9921a5281eaac78fbee55fc4dce907e6757b2e927def1ad3d3ae6a72ecccf8903d8c9b4512ccb6d051528637603

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
1b2c13cfb342787199645d436633fb2a

SHA1
8a5a97f4380b17e0a374426d1db6a775faf0cfa1

SHA256
01c57375a7ba12c11e04be3165b2ea145d917068a86347906f15e3374d724ec9

SHA512
9fc89738fa21c8a906dc513cef455f760757349eeb996b87ad0989dff8bf1c6d2288a94f7bb1755dc469b8716d4d9932093bfceb910dba41afbf227bec7a5b6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
7e6135f71b1e30d3ee0e0e88f2d48ec5

SHA1
816773b30ec4cc5340a14ee99169d98db4a456c4

SHA256
8d528c9512b4eb8c0f87c516443e792ddfedb56e1e966289552354a0a2f75de2

SHA512
3e1c8f856dbfeadb80327ef9ed93a0160553a28dbfa84677f4ea9835aaac0c5de63ecc9f5be76b20562308386136f72a21ca9fa5e2c4ce3907a8c5305ff3e664

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
579B

MD5
f0d5d58c5152ec7a40b6750255220c46

SHA1
34739b8415ca543be5a56f44578ff724d3966a64

SHA256
c463dfe8342d05aa991ab3088bb0d258225b3b4fd350d3b7935c2c6900d8586f

SHA512
b7c9de1a8cd2f3adf5305a74bac1628aba6a47b3bc01893d4140abf66428ba95e6381a88a55ea78b3e50311cb6193823a6222875ab3f8e926a326d2f294d3b65

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
909f71e1d5cfa786db3cfac1afe2e3c3

SHA1
3735c3cf5ad80109ac5bf8b8e63e82b09674a8e1

SHA256
1a088dd23e1699c11be5704405cd71b65fa4d8f6d0169945b29320daf4abbe46

SHA512
940596438366f591e3e20a6a52710a04cc5336c691b6367ca73e1299d521e683c8f687ad5828465f9a6b8b2a2b09de0ef406b7141a37cb130d43d95d4eaa4779

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6eceb9d3441491acc3a84abedff25090

SHA1
81a397a91281bedb226e366292c8abeab4fb8b45

SHA256
4e67c629f31a541ac94f2db1c673ca630bbc7a03738c197a9771e0012b988547

SHA512
3a416e326dee892a2e3b5a4ea28a4624acf3adb3769d8793f07015a06b89ad66b58832d9b269a4679bbe8874d2f91b5ec8931a349bd59a690f5cc3f4fc1289e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5eb7d369dd522117b25cfa442d9825c3

SHA1
4d056d277d5d245e6fa35e773e2c4f4bfed834e0

SHA256
6fa81a50936ce966cdcedae1b2af72190c039f5fe5c2c1e450d682fdb39669cd

SHA512
355cc04755312ff9bc3c88ef233fc5ccbc46e806bed5b180f50e3cd5cfea6e5d4598fd5fa29ab44454aa7992987e5bbf466349b5b09ab777856a9f45ce09fdff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
70441a733603c15b45e4e87d95a8062f

SHA1
545503d73ea074ae892c4106d0e0fdab1fe114d2

SHA256
f6a585cde7d57dce2fe890806f737289bfcd501e60dffc797f7b9a3052f6f235

SHA512
33ff374fbc53b61546d2295200e65b06824f1e9536aa0df80b19cbd8b90d32dea1c2de936c4d6d2f39174c0486c8b7e3eef51b3075ef61437f170d04ef8998c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
0787dd98603ae0a54fe1f97896fc95de

SHA1
461f332d33152ac71a88fd8375a6292ec076eaab

SHA256
2d1da71d91dffb78b841394b91cfdb1ac9982c073e95f94eee60b297a107d297

SHA512
d69db33b17d5e4157856be4534d5cf9a5f78c36b9aa64198a11fabd017dc0f9f2685861e35fa8cdaa5e387e1422068a0c74e5f2ee6f33264fd0149fd0c8aa34f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
b784ac06e034f94b7d2b25d3bff286b1

SHA1
9bd8bd7772066f1d3870d067115bf188807a40db

SHA256
617f7c7e2bd2318bafe0097e7c50c52914a685240a123bf296ee2aea5dd1c9a9

SHA512
e93a7ad3d9b1d6155400a8249ee3c35404e7cc247e062ab3705deb5d345d70a20a8d76d2a3eccf81ead15a68309e58b4b9a53c2e382205f86e9e4bdb0623f117

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
fb517b9fe7a94e40dc235792524aca14

SHA1
4fb67181c29b0652e8c6437fb8b8d9d059796a90

SHA256
a969249e5bf7149e175cd2976caa408e244f6abd67cf1cd82a9f5cdc400f2fe7

SHA512
9e57ed188705da61950ddedb96fe61eb37c27db5493c817cb432f6fecef98e77d35a682e6e2176878feeac3b83269b829684cda09bf7afd57a6597effc7f5879

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
19d8bf45ad631a16a596f2c17c37db59

SHA1
317e6ab557a200c2b4432ad5bdb5ef48707e108d

SHA256
0c4648035f3d92ac94b4541244c4597b73e8c55778caac1d6563330f29b68fb9

SHA512
fdc057150ab98ca054076cd0d73d5c37766d9903dd397ed68ba48ccedfe106476a82fb92aacc8b4a149dfb6159ad52f1f7baedf689c81d8caf8fbe49c303555f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
fd7138f5d9159f28277e724b9bad178f

SHA1
5f77053615a1fa18bc65c32878dee19a37a7644e

SHA256
7c909a72c64a62ac952227471d2ff73a465bbf3c173121a225fab8a40b304500

SHA512
9b83568646f7368edb72debd54f9b96296f369a11cca2fe184714bc58b9976dcb2b5742385b0e185eb704b4c2809ba3627fe01b0e48031af5a29f54cbe74488b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe582045.TMP

Filesize
874B

MD5
1662049fe062e457c3d21c71bff67a10

SHA1
d1684ac24bb6e8b6df92f474f623af59657014ee

SHA256
583491449fdde749c1c8b5b6f3d08fb7e124119ab60ae9fcaf1c2a49e27f34fa

SHA512
4849f7969a38bbc0c825bbd7b9024cbf96dd86385266ae20149299d4f68a624ab54e4e42fcd325fbf6764e126b08f97885d345379a91b77fd26e831f0b330bcf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\heavy_ad_intervention_opt_out.db

Filesize
16KB

MD5
9a8e0fb6cf4941534771c38bb54a76be

SHA1
92d45ac2cc921f6733e68b454dc171426ec43c1c

SHA256
9ee9211a57c3f6fa211fe0323fa8cd521e7cbffcd8ff0896645a45795dc472be

SHA512
12ed22537dcc79d53f6c7d39e92a38f8fea076d793198928f5b7a5dd1234d50a3c0b4815632f3fadf8bc4ef0499773d22bd83f961d2d0ffd8afacf471bd3a5ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\previews_opt_out.db

Filesize
16KB

MD5
d926f072b41774f50da6b28384e0fed1

SHA1
237dfa5fa72af61f8c38a1e46618a4de59bd6f10

SHA256
4f7b0e525d4bfc53d5df49589e25a0bccf2fcf6a1a0ca3f94d3285bb9cf0a249

SHA512
a140df6ec0d3099ef374e8f3ece09bf91bc896ac4a1d251799a521543fe9bdea796ba09fa47932bd54fa939118495078f9258557b32c31d3d4011b0666a4723f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
0fcda45a7ee4394c480eeb2c1ce09217

SHA1
b12145f7f8d037039f9f01a9c789e62cca7b01ac

SHA256
06053876d9f897f292ae2928336514a71b462738731fbf89bef79e3806afe43e

SHA512
dce9ac656a2db818eae641d5873949f7bad8b56d0bbf33f3fa59af64b8120d5851ed1a04caba7d84fb8e24e13ea2dfc54442892937fa70c9f4809b1f051c2146

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
734cf240cf6dec9fa37a9d80ceb0ef79

SHA1
21d734195b2b79183c2442aaa80dc8dab1460437

SHA256
be9f515aa17ff413b311a4d052b42734fbad694ee5b3039cfa156e21d2270d55

SHA512
dddfec3470d3bc9eb491183857c9ad63a01efa4dbceb0eab1c2dcd6cfbb17c9424411cb097ef7287e9c1de47050c03b8b516749e08309a8d783085891ddcd8ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a08a843dd832fe86ee6fccd372c1831f

SHA1
28f4359e6fbb1ed2d77eab4e3ba3e508cdcae332

SHA256
6a21ceae4ee58ea17bf0c6c47e61058147f7eb8b665c2cf1d075002a216afce3

SHA512
2ce915167cfb906ced6562d6e479db17f4bd1f5bd5f4a93cbabfcb835d18b939d1a533a2aff9f9912825188d3f6560569c8b1339e3f679cde18e06fe8b2ea50b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
d9237e61dd48d3510b6d23bcea78d897

SHA1
4b75dd83140e97c5c622fa5578473c9fc3d140b4

SHA256
139686a86926bf7c05b24f89b8ae154285d2a778431f8d7c34967fd4244b3771

SHA512
862b9f5ff48ede20ace8e7777916a7d3515d78c7ef4e4f30cf2dd6419c9676b92e2a067b5b6bf1e3076c58dba7d89c4d065b9fcf2ed3bf47b045227f1805f241

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

Filesize
7.1MB

MD5
a2d831d0ef74d31404ca44924e6d30b7

SHA1
099cfbb06c09825dff917f768abae099646e32df

SHA256
722a6879adb3c05dfa41062323df4529e830d377c062722e4a77e84500acd36d

SHA512
ca21f13dc138f176ecf5d96095eabcc2f8ea6d1f6c02d5084059b3595688b7548cdd36955b40752599252d117dd3891e3609a63078ede74ba39a557e84301e0a

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry.zip

Filesize
3.3MB

MD5
efe76bf09daba2c594d2bc173d9b5cf0

SHA1
ba5de52939cb809eae10fdbb7fac47095a9599a7

SHA256
707a9f323556179571bc832e34fa592066b1d5f2cac4a7426fe163597e3e618a

SHA512
4a1df71925cf2eb49c38f07c6a95bea17752b025f0114c6fd81bc0841c1d1f2965b5dda1469e454b9e8207c2e0dfd3df0959e57166620ccff86eeeb5cf855029

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry.zip:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\00000000.res

Filesize
136B

MD5
b9eccaccdce933c5609058731a482dd7

SHA1
02d33bb75c1e920ac11e445e3febbce209bce99b

SHA256
9245b9bcf88d728910f8cd403e8d9a70eac4c31de487928640f94f11aa1d6d6d

SHA512
d40ebf75373c8640cc941244506a3ccce734199b85fe3ada967a8d6deca56f49ecebbf3fe6cfeebe9b517629049dc3d8684bab220f22fe85452a7909fee27dcd

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\234091721859841.bat

Filesize
362B

MD5
fe9561e52b9a2cad33eaa33fbdaee8f4

SHA1
2bc1b267837017ec84edec64e2ed5ab787a59793

SHA256
6cf7e177e05490a3326a71f20a6640edef1d92936601969df22b0ea5261b1d44

SHA512
e734e185a32b0d2109cb666c8bf217096fffb9804578b97d8b108a7edae01ab129c7e6bf20174faf67c5ec493e9ce0e98d85381017fd3b879fe7232a36430261

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\@[email protected]

Filesize
933B

MD5
f97d2e6f8d820dbd3b66f21137de4f09

SHA1
596799b75b5d60aa9cd45646f68e9c0bd06df252

SHA256
0e5ece918132a2b1a190906e74becb8e4ced36eec9f9d1c70f5da72ac4c6b92a

SHA512
efda21d83464a6a32fdeef93152ffd32a648130754fdd3635f7ff61cc1664f7fc050900f0f871b0ddd3a3846222bf62ab5df8eed42610a76be66fff5f7b4c4c0

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\@[email protected]

Filesize
721B

MD5
235b538de2446c800c5289d4ac0b4780

SHA1
9debf6e20714389f212b2abae43f301267e70fef

SHA256
db5fc23d015391e8d6eaecd845fda2eccd3935554559f46ca1e0a1fd75de4b5f

SHA512
a37e9269fd503298d41ac8bc93c66999094bf0033cf3b3017202c7412a235013e95b43e48a5afb2046bfad4ec97f183711b2d16ad59d49b6311759126ab990b2

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\TaskData\Tor\tor.exe

Filesize
3.0MB

MD5
fe7eb54691ad6e6af77f8a9a0b6de26d

SHA1
53912d33bec3375153b7e4e68b78d66dab62671a

SHA256
e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb

SHA512
8ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\b.wnry

Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\c.wnry

Filesize
780B

MD5
383a85eab6ecda319bfddd82416fc6c2

SHA1
2a9324e1d02c3e41582bf5370043d8afeb02ba6f

SHA256
079ce1041cbffe18ff62a2b4a33711eda40f680d0b1d3b551db47e39a6390b21

SHA512
c661e0b3c175d31b365362e52d7b152267a15d59517a4bcc493329be20b23d0e4eb62d1ba80bb96447eeaf91a6901f4b34bf173b4ab6f90d4111ea97c87c1252

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\m.vbs

Filesize
241B

MD5
cb8af050def8bd8ff07b6fece0b09530

SHA1
8faf2a240203f7dc8739952672c788a0fb2df973

SHA256
c97d8fc0de558b033cbf088ef69122addd364e65a49111aec218465549bf1227

SHA512
5ccb09d7e199f31e4a9a92621755c6514e8aae6187b6bef8aba2b6644834776941401188646dbf552639a13124285de15b18e6ff12acb57f91cb7d204cafdd57

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_bulgarian.wnry

Filesize
46KB

MD5
95673b0f968c0f55b32204361940d184

SHA1
81e427d15a1a826b93e91c3d2fa65221c8ca9cff

SHA256
40b37e7b80cf678d7dd302aaf41b88135ade6ddf44d89bdba19cf171564444bd

SHA512
7601f1883edbb4150a9dc17084012323b3bfa66f6d19d3d0355cf82b6a1c9dce475d758da18b6d17a8b321bf6fca20915224dbaedcb3f4d16abfaf7a5fc21b92

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_chinese (simplified).wnry

Filesize
53KB

MD5
0252d45ca21c8e43c9742285c48e91ad

SHA1
5c14551d2736eef3a1c1970cc492206e531703c1

SHA256
845d0e178aeebd6c7e2a2e9697b2bf6cf02028c50c288b3ba88fe2918ea2834a

SHA512
1bfcf6c0e7c977d777f12bd20ac347630999c4d99bd706b40de7ff8f2f52e02560d68093142cc93722095657807a1480ce3fb6a2e000c488550548c497998755

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_chinese (traditional).wnry

Filesize
77KB

MD5
2efc3690d67cd073a9406a25005f7cea

SHA1
52c07f98870eabace6ec370b7eb562751e8067e9

SHA256
5c7f6ad1ec4bc2c8e2c9c126633215daba7de731ac8b12be10ca157417c97f3a

SHA512
0766c58e64d9cda5328e00b86f8482316e944aa2c26523a3c37289e22c34be4b70937033bebdb217f675e40db9fecdce0a0d516f9065a170e28286c2d218487c

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_croatian.wnry

Filesize
38KB

MD5
17194003fa70ce477326ce2f6deeb270

SHA1
e325988f68d327743926ea317abb9882f347fa73

SHA256
3f33734b2d34cce83936ce99c3494cd845f1d2c02d7f6da31d42dfc1ca15a171

SHA512
dcf4ccf0b352a8b271827b3b8e181f7d6502ca0f8c9dda3dc6e53441bb4ae6e77b49c9c947cc3ede0bf323f09140a0c068a907f3c23ea2a8495d1ad96820051c

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_czech.wnry

Filesize
39KB

MD5
537efeecdfa94cc421e58fd82a58ba9e

SHA1
3609456e16bc16ba447979f3aa69221290ec17d0

SHA256
5afa4753afa048c6d6c39327ce674f27f5f6e5d3f2a060b7a8aed61725481150

SHA512
e007786ffa09ccd5a24e5c6504c8de444929a2faaafad3712367c05615b7e1b0fbf7fbfff7028ed3f832ce226957390d8bf54308870e9ed597948a838da1137b

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_danish.wnry

Filesize
36KB

MD5
2c5a3b81d5c4715b7bea01033367fcb5

SHA1
b548b45da8463e17199daafd34c23591f94e82cd

SHA256
a75bb44284b9db8d702692f84909a7e23f21141866adf3db888042e9109a1cb6

SHA512
490c5a892fac801b853c348477b1140755d4c53ca05726ac19d3649af4285c93523393a3667e209c71c80ac06ffd809f62dd69ae65012dcb00445d032f1277b3

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_dutch.wnry

Filesize
36KB

MD5
7a8d499407c6a647c03c4471a67eaad7

SHA1
d573b6ac8e7e04a05cbbd6b7f6a9842f371d343b

SHA256
2c95bef914da6c50d7bdedec601e589fbb4fda24c4863a7260f4f72bd025799c

SHA512
608ef3ff0a517fe1e70ff41aeb277821565c5a9bee5103aa5e45c68d4763fce507c2a34d810f4cd242d163181f8341d9a69e93fe32aded6fbc7f544c55743f12

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_english.wnry

Filesize
36KB

MD5
fe68c2dc0d2419b38f44d83f2fcf232e

SHA1
6c6e49949957215aa2f3dfb72207d249adf36283

SHA256
26fd072fda6e12f8c2d3292086ef0390785efa2c556e2a88bd4673102af703e5

SHA512
941fa0a1f6a5756ed54260994db6158a7ebeb9e18b5c8ca2f6530c579bc4455918df0b38c609f501ca466b3cc067b40e4b861ad6513373b483b36338ae20a810

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_filipino.wnry

Filesize
36KB

MD5
08b9e69b57e4c9b966664f8e1c27ab09

SHA1
2da1025bbbfb3cd308070765fc0893a48e5a85fa

SHA256
d8489f8c16318e524b45de8b35d7e2c3cd8ed4821c136f12f5ef3c9fc3321324

SHA512
966b5ed68be6b5ccd46e0de1fa868cfe5432d9bf82e1e2f6eb99b2aef3c92f88d96f4f4eec5e16381b9c6db80a68071e7124ca1474d664bdd77e1817ec600cb4

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_finnish.wnry

Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_french.wnry

Filesize
37KB

MD5
4e57113a6bf6b88fdd32782a4a381274

SHA1
0fccbc91f0f94453d91670c6794f71348711061d

SHA256
9bd38110e6523547aed50617ddc77d0920d408faeed2b7a21ab163fda22177bc

SHA512
4f1918a12269c654d44e9d394bc209ef0bc32242be8833a2fba437b879125177e149f56f2fb0c302330dec328139b34982c04b3fefb045612b6cc9f83ec85aa9

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_german.wnry

Filesize
36KB

MD5
3d59bbb5553fe03a89f817819540f469

SHA1
26781d4b06ff704800b463d0f1fca3afd923a9fe

SHA256
2adc900fafa9938d85ce53cb793271f37af40cf499bcc454f44975db533f0b61

SHA512
95719ae80589f71209bb3cb953276538040e7111b994d757b0a24283aefe27aadbbe9eef3f1f823ce4cabc1090946d4a2a558607ac6cac6faca5971529b34dac

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_greek.wnry

Filesize
47KB

MD5
fb4e8718fea95bb7479727fde80cb424

SHA1
1088c7653cba385fe994e9ae34a6595898f20aeb

SHA256
e13cc9b13aa5074dc45d50379eceb17ee39a0c2531ab617d93800fe236758ca9

SHA512
24db377af1569e4e2b2ebccec42564cea95a30f1ff43bcaf25a692f99567e027bcef4aacef008ec5f64ea2eef0c04be88d2b30bcadabb3919b5f45a6633940cb

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_indonesian.wnry

Filesize
36KB

MD5
3788f91c694dfc48e12417ce93356b0f

SHA1
eb3b87f7f654b604daf3484da9e02ca6c4ea98b7

SHA256
23e5e738aad10fb8ef89aa0285269aff728070080158fd3e7792fe9ed47c51f4

SHA512
b7dd9e6dc7c2d023ff958caf132f0544c76fae3b2d8e49753257676cc541735807b4befdf483bcae94c2dcde3c878c783b4a89dca0fecbc78f5bbf7c356f35cd

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_italian.wnry

Filesize
36KB

MD5
30a200f78498990095b36f574b6e8690

SHA1
c4b1b3c087bd12b063e98bca464cd05f3f7b7882

SHA256
49f2c739e7d9745c0834dc817a71bf6676ccc24a4c28dcddf8844093aab3df07

SHA512
c0da2aae82c397f6943a0a7b838f60eeef8f57192c5f498f2ecf05db824cfeb6d6ca830bf3715da7ee400aa8362bd64dc835298f3f0085ae7a744e6e6c690511

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_japanese.wnry

Filesize
79KB

MD5
b77e1221f7ecd0b5d696cb66cda1609e

SHA1
51eb7a254a33d05edf188ded653005dc82de8a46

SHA256
7e491e7b48d6e34f916624c1cda9f024e86fcbec56acda35e27fa99d530d017e

SHA512
f435fd67954787e6b87460db026759410fbd25b2f6ea758118749c113a50192446861a114358443a129be817020b50f21d27b1ebd3d22c7be62082e8b45223fc

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_korean.wnry

Filesize
89KB

MD5
6735cb43fe44832b061eeb3f5956b099

SHA1
d636daf64d524f81367ea92fdafa3726c909bee1

SHA256
552aa0f82f37c9601114974228d4fc54f7434fe3ae7a276ef1ae98a0f608f1d0

SHA512
60272801909dbba21578b22c49f6b0ba8cd0070f116476ff35b3ac8347b987790e4cc0334724244c4b13415a246e77a577230029e4561ae6f04a598c3f536c7e

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_latvian.wnry

Filesize
40KB

MD5
c33afb4ecc04ee1bcc6975bea49abe40

SHA1
fbea4f170507cde02b839527ef50b7ec74b4821f

SHA256
a0356696877f2d94d645ae2df6ce6b370bd5c0d6db3d36def44e714525de0536

SHA512
0d435f0836f61a5ff55b78c02fa47b191e5807a79d8a6e991f3115743df2141b3db42ba8bdad9ad259e12f5800828e9e72d7c94a6a5259312a447d669b03ec44

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_norwegian.wnry

Filesize
36KB

MD5
ff70cc7c00951084175d12128ce02399

SHA1
75ad3b1ad4fb14813882d88e952208c648f1fd18

SHA256
cb5da96b3dfcf4394713623dbf3831b2a0b8be63987f563e1c32edeb74cb6c3a

SHA512
f01df3256d49325e5ec49fd265aa3f176020c8ffec60eb1d828c75a3fa18ff8634e1de824d77dfdd833768acff1f547303104620c70066a2708654a07ef22e19

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_polish.wnry

Filesize
38KB

MD5
e79d7f2833a9c2e2553c7fe04a1b63f4

SHA1
3d9f56d2381b8fe16042aa7c4feb1b33f2baebff

SHA256
519ad66009a6c127400c6c09e079903223bd82ecc18ad71b8e5cd79f5f9c053e

SHA512
e0159c753491cac7606a7250f332e87bc6b14876bc7a1cf5625fa56ab4f09c485f7b231dd52e4ff0f5f3c29862afb1124c0efd0741613eb97a83cbe2668af5de

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_portuguese.wnry

Filesize
37KB

MD5
fa948f7d8dfb21ceddd6794f2d56b44f

SHA1
ca915fbe020caa88dd776d89632d7866f660fc7a

SHA256
bd9f4b3aedf4f81f37ec0a028aabcb0e9a900e6b4de04e9271c8db81432e2a66

SHA512
0d211bfb0ae953081dca00cd07f8c908c174fd6c47a8001fadc614203f0e55d9fbb7fa9b87c735d57101341ab36af443918ee00737ed4c19ace0a2b85497f41a

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_romanian.wnry

Filesize
50KB

MD5
313e0ececd24f4fa1504118a11bc7986

SHA1
e1b9ae804c7fb1d27f39db18dc0647bb04e75e9d

SHA256
70c0f32ed379ae899e5ac975e20bbbacd295cf7cd50c36174d2602420c770ac1

SHA512
c7500363c61baf8b77fce796d750f8f5e6886ff0a10f81c3240ea3ad4e5f101b597490dea8ab6bd9193457d35d8fd579fce1b88a1c8d85ebe96c66d909630730

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_russian.wnry

Filesize
46KB

MD5
452615db2336d60af7e2057481e4cab5

SHA1
442e31f6556b3d7de6eb85fbac3d2957b7f5eac6

SHA256
02932052fafe97e6acaaf9f391738a3a826f5434b1a013abbfa7a6c1ade1e078

SHA512
7613dc329abe7a3f32164c9a6b660f209a84b774ab9c008bf6503c76255b30ea9a743a6dc49a8de8df0bcb9aea5a33f7408ba27848d9562583ff51991910911f

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_slovak.wnry

Filesize
40KB

MD5
c911aba4ab1da6c28cf86338ab2ab6cc

SHA1
fee0fd58b8efe76077620d8abc7500dbfef7c5b0

SHA256
e64178e339c8e10eac17a236a67b892d0447eb67b1dcd149763dad6fd9f72729

SHA512
3491ed285a091a123a1a6d61aafbb8d5621ccc9e045a237a2f9c2cf6049e7420eb96ef30fdcea856b50454436e2ec468770f8d585752d73fafd676c4ef5e800a

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_spanish.wnry

Filesize
36KB

MD5
8d61648d34cba8ae9d1e2a219019add1

SHA1
2091e42fc17a0cc2f235650f7aad87abf8ba22c2

SHA256
72f20024b2f69b45a1391f0a6474e9f6349625ce329f5444aec7401fe31f8de1

SHA512
68489c33ba89edfe2e3aebaacf8ef848d2ea88dcbef9609c258662605e02d12cfa4ffdc1d266fc5878488e296d2848b2cb0bbd45f1e86ef959bab6162d284079

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_swedish.wnry

Filesize
37KB

MD5
c7a19984eb9f37198652eaf2fd1ee25c

SHA1
06eafed025cf8c4d76966bf382ab0c5e1bd6a0ae

SHA256
146f61db72297c9c0facffd560487f8d6a2846ecec92ecc7db19c8d618dbc3a4

SHA512
43dd159f9c2eac147cbff1dda83f6a83dd0c59d2d7acac35ba8b407a04ec9a1110a6a8737535d060d100ede1cb75078cf742c383948c9d4037ef459d150f6020

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_turkish.wnry

Filesize
41KB

MD5
531ba6b1a5460fc9446946f91cc8c94b

SHA1
cc56978681bd546fd82d87926b5d9905c92a5803

SHA256
6db650836d64350bbde2ab324407b8e474fc041098c41ecac6fd77d632a36415

SHA512
ef25c3cf4343df85954114f59933c7cc8107266c8bcac3b5ea7718eb74dbee8ca8a02da39057e6ef26b64f1dfccd720dd3bf473f5ae340ba56941e87d6b796c9

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_vietnamese.wnry

Filesize
91KB

MD5
8419be28a0dcec3f55823620922b00fa

SHA1
2e4791f9cdfca8abf345d606f313d22b36c46b92

SHA256
1f21838b244c80f8bed6f6977aa8a557b419cf22ba35b1fd4bf0f98989c5bdf8

SHA512
8fca77e54480aea3c0c7a705263ed8fb83c58974f5f0f62f12cc97c8e0506ba2cdb59b70e59e9a6c44dd7cde6adeeec35b494d31a6a146ff5ba7006136ab9386

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\r.wnry

Filesize
864B

MD5
3e0020fc529b1c2a061016dd2469ba96

SHA1
c3a91c22b63f6fe709e7c29cafb29a2ee83e6ade

SHA256
402751fa49e0cb68fe052cb3db87b05e71c1d950984d339940cf6b29409f2a7c

SHA512
5ca3c134201ed39d96d72911c0498bae6f98701513fd7f1dc8512819b673f0ea580510fa94ed9413ccc73da18b39903772a7cbfa3478176181cee68c896e14cf

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\s.wnry

Filesize
2.9MB

MD5
ad4c9de7c8c40813f200ba1c2fa33083

SHA1
d1af27518d455d432b62d73c6a1497d032f6120e

SHA256
e18fdd912dfe5b45776e68d578c3af3547886cf1353d7086c8bee037436dff4b

SHA512
115733d08e5f1a514808a20b070db7ff453fd149865f49c04365a8c6502fa1e5c3a31da3e21f688ab040f583cf1224a544aea9708ffab21405dde1c57f98e617

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\t.wnry

Filesize
64KB

MD5
5dcaac857e695a65f5c3ef1441a73a8f

SHA1
7b10aaeee05e7a1efb43d9f837e9356ad55c07dd

SHA256
97ebce49b14c46bebc9ec2448d00e1e397123b256e2be9eba5140688e7bc0ae6

SHA512
06eb5e49d19b71a99770d1b11a5bb64a54bf3352f36e39a153469e54205075c203b08128dc2317259db206ab5323bdd93aaa252a066f57fb5c52ff28deedb5e2

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\taskdl.exe

Filesize
20KB

MD5
4fef5e34143e646dbf9907c4374276f5

SHA1
47a9ad4125b6bd7c55e4e7da251e23f089407b8f

SHA256
4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79

SHA512
4550dd1787deb353ebd28363dd2cdccca861f6a5d9358120fa6aa23baa478b2a9eb43cef5e3f6426f708a0753491710ac05483fac4a046c26bec4234122434d5

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\taskse.exe

Filesize
20KB

MD5
8495400f199ac77853c53b5a3f278f3e

SHA1
be5d6279874da315e3080b06083757aad9b32c23

SHA256
2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d

SHA512
0669c524a295a049fa4629b26f89788b2a74e1840bcdc50e093a0bd40830dd1279c9597937301c0072db6ece70adee4ace67c3c8a4fb2db6deafd8f1e887abe4

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\u.wnry

Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
\??\pipe\LOCAL\crashpad_5028_SGFFGNMUNLUYPESN

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1936-2210-0x00007FFB79490000-0x00007FFB794A0000-memory.dmp

Filesize
64KB

Download
memory/1936-2209-0x00007FFB79490000-0x00007FFB794A0000-memory.dmp

Filesize
64KB

Download
memory/1936-2211-0x00007FFB79490000-0x00007FFB794A0000-memory.dmp

Filesize
64KB

Download
memory/1936-2205-0x00007FFB79490000-0x00007FFB794A0000-memory.dmp

Filesize
64KB

Download
memory/1936-2204-0x00007FFB79490000-0x00007FFB794A0000-memory.dmp

Filesize
64KB

Download
memory/1936-2203-0x00007FFB79490000-0x00007FFB794A0000-memory.dmp

Filesize
64KB

Download
memory/1936-2206-0x00007FFB79490000-0x00007FFB794A0000-memory.dmp

Filesize
64KB

Download
memory/1936-2208-0x00007FFB79490000-0x00007FFB794A0000-memory.dmp

Filesize
64KB

Download
memory/1936-2207-0x00007FFB79490000-0x00007FFB794A0000-memory.dmp

Filesize
64KB

Download
memory/3024-591-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/4864-2085-0x0000000073C80000-0x0000000073C9C000-memory.dmp

Filesize
112KB

Download
memory/4864-2067-0x0000000073CA0000-0x0000000073D22000-memory.dmp

Filesize
520KB

Download
memory/4864-2095-0x0000000000950000-0x0000000000C4E000-memory.dmp

Filesize
3.0MB

Download
memory/4864-2086-0x0000000073C00000-0x0000000073C77000-memory.dmp

Filesize
476KB

Download
memory/4864-2087-0x0000000073BD0000-0x0000000073BF2000-memory.dmp

Filesize
136KB

Download
memory/4864-2088-0x0000000073B40000-0x0000000073BC2000-memory.dmp

Filesize
520KB

Download
memory/4864-2089-0x0000000073920000-0x0000000073B3C000-memory.dmp

Filesize
2.1MB

Download
memory/4864-2084-0x0000000073CA0000-0x0000000073D22000-memory.dmp

Filesize
520KB

Download
memory/4864-2071-0x0000000000950000-0x0000000000C4E000-memory.dmp

Filesize
3.0MB

Download
memory/4864-2083-0x0000000000950000-0x0000000000C4E000-memory.dmp

Filesize
3.0MB

Download
memory/4864-2069-0x0000000073B40000-0x0000000073BC2000-memory.dmp

Filesize
520KB

Download
memory/4864-2068-0x0000000073920000-0x0000000073B3C000-memory.dmp

Filesize
2.1MB

Download
memory/4864-2070-0x0000000073BD0000-0x0000000073BF2000-memory.dmp

Filesize
136KB

Download
memory/4864-2116-0x0000000000950000-0x0000000000C4E000-memory.dmp

Filesize
3.0MB

Download
memory/4864-2138-0x0000000000950000-0x0000000000C4E000-memory.dmp

Filesize
3.0MB

Download
memory/4864-2144-0x0000000073920000-0x0000000073B3C000-memory.dmp

Filesize
2.1MB

Download
memory/4864-2178-0x0000000000950000-0x0000000000C4E000-memory.dmp

Filesize
3.0MB

Download
memory/4864-2214-0x0000000000950000-0x0000000000C4E000-memory.dmp

Filesize
3.0MB

Download