wannacry | hxxps://github[.]com/chronosmiki/RANSOMWARE-WANNACRY-2[.]0/blob/master/Ransomware[.]WannaCry[.]zip

Analysis

max time kernel
218s
max time network
221s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
16-08-2024 23:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/chronosmiki/RANSOMWARE-WANNACRY-2.0/blob/master/Ransomware.WannaCry.zip

Score

10^/10

wannacry defense_evasion discovery execution impact persistence ransomware worm

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry(14).zip\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

Signatures

Suspicious use of NtCreateProcessExOtherParentProcess 3 IoCs

description	pid	Process	procid_target
PID 1808 created 2212	1808	MicrosoftEdge.exe	82
PID 1808 created 2212	1808	MicrosoftEdge.exe	82
PID 1808 created 2212	1808	MicrosoftEdge.exe	82

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD86BE.tmp	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD86C5.tmp	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

Executes dropped EXE 10 IoCs

pid	Process
6656	taskdl.exe
5344	@[email protected]
3500	@[email protected]
6608	taskhsvc.exe
7036	taskdl.exe
7028	taskse.exe
7048	@[email protected]
1668	taskdl.exe
6012	taskse.exe
5692	@[email protected]

Loads dropped DLL 8 IoCs

pid	Process
6608	taskhsvc.exe
6608	taskhsvc.exe
6608	taskhsvc.exe
6608	taskhsvc.exe
6608	taskhsvc.exe
6608	taskhsvc.exe
6608	taskhsvc.exe
6608	taskhsvc.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
6380	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\eveyoomrh293 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Temp1_Ransomware.WannaCry(14).zip\\tasksche.exe\""	reg.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
155	raw.githubusercontent.com
158	raw.githubusercontent.com
163	raw.githubusercontent.com
152	raw.githubusercontent.com
153	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdge.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
6772	3500	WerFault.exe	123
7076	3500	WerFault.exe	123

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
6708	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = 8f2e30d032f0da01	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Content	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\NextUpdateDate = "430692260"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\LowMic	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\bing.com\Total = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\FileNames	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Revision = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\CTLs	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\ACGPolicyState = "6"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = 01000000767ff23460788c49b8f99ddce3317b4d1e559e66748734da651ce3fb93d933b5fe2d1c33cb8c036d665cdc50c85b39d15279ab213435ee419fb9	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\bing.com\Total = "605"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy\InProgressFlags = "262144"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\OneBoxLoadAttempts = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DXFeatureLevel = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\bing.com\ = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionLow = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\www.bing.com	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 5235e1e132f0da01	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\CRLs	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VendorId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\Total\ = "233"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\FileVersion = "2016061511"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\Total\ = "645"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListDOSTime = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 63e03ec732f0da01	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DXFeatureLevel = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionLow = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\SyncIEFirstTimeFullScan = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BingPageData	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\Extensions	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "395205405"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\ACGStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\bing.com\NumberOfSubdomains = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdgeCP.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
7080	reg.exe

NTFS ADS 15 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\Ransomware.WannaCry(6).zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Ransomware.WannaCry(7).zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Ransomware.WannaCry(10).zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Ransomware.WannaCry(2).zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Ransomware.WannaCry(5).zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Ransomware.WannaCry(8).zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Ransomware.WannaCry(11).zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Ransomware.WannaCry(1).zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Ransomware.WannaCry(12).zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Ransomware.WannaCry.zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Ransomware.WannaCry(13).zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Ransomware.WannaCry(14).zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Ransomware.WannaCry(9).zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Ransomware.WannaCry(3).zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Ransomware.WannaCry(4).zip:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
6608	taskhsvc.exe
6608	taskhsvc.exe
6608	taskhsvc.exe
6608	taskhsvc.exe
6608	taskhsvc.exe
6608	taskhsvc.exe

Suspicious behavior: MapViewOfSection 9 IoCs

pid	Process
2784	MicrosoftEdgeCP.exe
2784	MicrosoftEdgeCP.exe
2784	MicrosoftEdgeCP.exe
2784	MicrosoftEdgeCP.exe
2784	MicrosoftEdgeCP.exe
2784	MicrosoftEdgeCP.exe
2784	MicrosoftEdgeCP.exe
2784	MicrosoftEdgeCP.exe
2784	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4820	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4820	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4820	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4820	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	484	firefox.exe
Token: SeDebugPrivilege	484	firefox.exe
Token: SeDebugPrivilege	484	firefox.exe
Token: SeDebugPrivilege	484	firefox.exe
Token: SeDebugPrivilege	484	firefox.exe
Token: SeDebugPrivilege	484	firefox.exe
Token: SeDebugPrivilege	484	firefox.exe
Token: SeDebugPrivilege	484	firefox.exe
Token: SeDebugPrivilege	484	firefox.exe
Token: SeDebugPrivilege	484	firefox.exe
Token: SeDebugPrivilege	484	firefox.exe
Token: SeDebugPrivilege	484	firefox.exe
Token: SeDebugPrivilege	484	firefox.exe
Token: SeDebugPrivilege	484	firefox.exe
Token: SeDebugPrivilege	484	firefox.exe
Token: SeDebugPrivilege	484	firefox.exe
Token: SeDebugPrivilege	484	firefox.exe
Token: SeDebugPrivilege	1808	MicrosoftEdge.exe
Token: SeDebugPrivilege	1808	MicrosoftEdge.exe
Token: SeBackupPrivilege	6804	vssvc.exe
Token: SeRestorePrivilege	6804	vssvc.exe
Token: SeAuditPrivilege	6804	vssvc.exe
Token: SeIncreaseQuotaPrivilege	6940	WMIC.exe
Token: SeSecurityPrivilege	6940	WMIC.exe
Token: SeTakeOwnershipPrivilege	6940	WMIC.exe
Token: SeLoadDriverPrivilege	6940	WMIC.exe
Token: SeSystemProfilePrivilege	6940	WMIC.exe
Token: SeSystemtimePrivilege	6940	WMIC.exe
Token: SeProfSingleProcessPrivilege	6940	WMIC.exe
Token: SeIncBasePriorityPrivilege	6940	WMIC.exe
Token: SeCreatePagefilePrivilege	6940	WMIC.exe
Token: SeBackupPrivilege	6940	WMIC.exe
Token: SeRestorePrivilege	6940	WMIC.exe
Token: SeShutdownPrivilege	6940	WMIC.exe
Token: SeDebugPrivilege	6940	WMIC.exe
Token: SeSystemEnvironmentPrivilege	6940	WMIC.exe
Token: SeRemoteShutdownPrivilege	6940	WMIC.exe
Token: SeUndockPrivilege	6940	WMIC.exe
Token: SeManageVolumePrivilege	6940	WMIC.exe
Token: 33	6940	WMIC.exe
Token: 34	6940	WMIC.exe
Token: 35	6940	WMIC.exe
Token: 36	6940	WMIC.exe
Token: SeIncreaseQuotaPrivilege	6940	WMIC.exe
Token: SeSecurityPrivilege	6940	WMIC.exe
Token: SeTakeOwnershipPrivilege	6940	WMIC.exe
Token: SeLoadDriverPrivilege	6940	WMIC.exe
Token: SeSystemProfilePrivilege	6940	WMIC.exe
Token: SeSystemtimePrivilege	6940	WMIC.exe
Token: SeProfSingleProcessPrivilege	6940	WMIC.exe
Token: SeIncBasePriorityPrivilege	6940	WMIC.exe
Token: SeCreatePagefilePrivilege	6940	WMIC.exe
Token: SeBackupPrivilege	6940	WMIC.exe
Token: SeRestorePrivilege	6940	WMIC.exe
Token: SeShutdownPrivilege	6940	WMIC.exe
Token: SeDebugPrivilege	6940	WMIC.exe
Token: SeSystemEnvironmentPrivilege	6940	WMIC.exe
Token: SeRemoteShutdownPrivilege	6940	WMIC.exe
Token: SeUndockPrivilege	6940	WMIC.exe
Token: SeManageVolumePrivilege	6940	WMIC.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
484	firefox.exe
484	firefox.exe
484	firefox.exe
484	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
484	firefox.exe
484	firefox.exe
484	firefox.exe

Suspicious use of SetWindowsHookEx 36 IoCs

pid	Process
1808	MicrosoftEdge.exe
2784	MicrosoftEdgeCP.exe
4820	MicrosoftEdgeCP.exe
2784	MicrosoftEdgeCP.exe
3040	MicrosoftEdgeCP.exe
484	firefox.exe
484	firefox.exe
484	firefox.exe
484	firefox.exe
1808	MicrosoftEdge.exe
1808	MicrosoftEdge.exe
484	firefox.exe
484	firefox.exe
484	firefox.exe
484	firefox.exe
484	firefox.exe
484	firefox.exe
484	firefox.exe
484	firefox.exe
484	firefox.exe
484	firefox.exe
484	firefox.exe
484	firefox.exe
484	firefox.exe
484	firefox.exe
484	firefox.exe
484	firefox.exe
484	firefox.exe
484	firefox.exe
5344	@[email protected]
5344	@[email protected]
3500	@[email protected]
3500	@[email protected]
7048	@[email protected]
7048	@[email protected]
5692	@[email protected]

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2784 wrote to memory of 1692	2784	MicrosoftEdgeCP.exe	91
PID 2784 wrote to memory of 1692	2784	MicrosoftEdgeCP.exe	91
PID 2784 wrote to memory of 1692	2784	MicrosoftEdgeCP.exe	91
PID 2784 wrote to memory of 1692	2784	MicrosoftEdgeCP.exe	91
PID 2784 wrote to memory of 1692	2784	MicrosoftEdgeCP.exe	91
PID 2784 wrote to memory of 1692	2784	MicrosoftEdgeCP.exe	91
PID 4276 wrote to memory of 484	4276	firefox.exe	95
PID 4276 wrote to memory of 484	4276	firefox.exe	95
PID 4276 wrote to memory of 484	4276	firefox.exe	95
PID 4276 wrote to memory of 484	4276	firefox.exe	95
PID 4276 wrote to memory of 484	4276	firefox.exe	95
PID 4276 wrote to memory of 484	4276	firefox.exe	95
PID 4276 wrote to memory of 484	4276	firefox.exe	95
PID 4276 wrote to memory of 484	4276	firefox.exe	95
PID 4276 wrote to memory of 484	4276	firefox.exe	95
PID 4276 wrote to memory of 484	4276	firefox.exe	95
PID 4276 wrote to memory of 484	4276	firefox.exe	95
PID 484 wrote to memory of 4364	484	firefox.exe	96
PID 484 wrote to memory of 4364	484	firefox.exe	96
PID 484 wrote to memory of 5140	484	firefox.exe	97
PID 484 wrote to memory of 5140	484	firefox.exe	97
PID 484 wrote to memory of 5140	484	firefox.exe	97
PID 484 wrote to memory of 5140	484	firefox.exe	97
PID 484 wrote to memory of 5140	484	firefox.exe	97
PID 484 wrote to memory of 5140	484	firefox.exe	97
PID 484 wrote to memory of 5140	484	firefox.exe	97
PID 484 wrote to memory of 5140	484	firefox.exe	97
PID 484 wrote to memory of 5140	484	firefox.exe	97
PID 484 wrote to memory of 5140	484	firefox.exe	97
PID 484 wrote to memory of 5140	484	firefox.exe	97
PID 484 wrote to memory of 5140	484	firefox.exe	97
PID 484 wrote to memory of 5140	484	firefox.exe	97
PID 484 wrote to memory of 5140	484	firefox.exe	97
PID 484 wrote to memory of 5140	484	firefox.exe	97
PID 484 wrote to memory of 5140	484	firefox.exe	97
PID 484 wrote to memory of 5140	484	firefox.exe	97
PID 484 wrote to memory of 5140	484	firefox.exe	97
PID 484 wrote to memory of 5140	484	firefox.exe	97
PID 484 wrote to memory of 5140	484	firefox.exe	97
PID 484 wrote to memory of 5140	484	firefox.exe	97
PID 484 wrote to memory of 5140	484	firefox.exe	97
PID 484 wrote to memory of 5140	484	firefox.exe	97
PID 484 wrote to memory of 5140	484	firefox.exe	97
PID 484 wrote to memory of 5140	484	firefox.exe	97
PID 484 wrote to memory of 5140	484	firefox.exe	97
PID 484 wrote to memory of 5140	484	firefox.exe	97
PID 484 wrote to memory of 5140	484	firefox.exe	97
PID 484 wrote to memory of 5140	484	firefox.exe	97
PID 484 wrote to memory of 5140	484	firefox.exe	97
PID 484 wrote to memory of 5140	484	firefox.exe	97
PID 484 wrote to memory of 5140	484	firefox.exe	97
PID 484 wrote to memory of 5140	484	firefox.exe	97
PID 484 wrote to memory of 5140	484	firefox.exe	97
PID 484 wrote to memory of 5140	484	firefox.exe	97
PID 484 wrote to memory of 5140	484	firefox.exe	97
PID 484 wrote to memory of 5140	484	firefox.exe	97
PID 484 wrote to memory of 5140	484	firefox.exe	97
PID 484 wrote to memory of 5140	484	firefox.exe	97
PID 484 wrote to memory of 5140	484	firefox.exe	97
PID 484 wrote to memory of 5140	484	firefox.exe	97
PID 484 wrote to memory of 5140	484	firefox.exe	97
PID 484 wrote to memory of 5140	484	firefox.exe	97
PID 484 wrote to memory of 5140	484	firefox.exe	97
PID 484 wrote to memory of 5140	484	firefox.exe	97

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4844	attrib.exe
6372	attrib.exe

C:\Windows\system32\LaunchWinApp.exe
"C:\Windows\system32\LaunchWinApp.exe" "https://github.com/chronosmiki/RANSOMWARE-WANNACRY-2.0/blob/master/Ransomware.WannaCry.zip"
1⤵
PID:4180

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1808

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:2012

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2784

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4820

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:3092

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:3040

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:2212

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
PID:2968

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3040

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:4692

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:1692

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:3656

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4276
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:484
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="484.0.1953210876\783074345" -parentBuildID 20221007134813 -prefsHandle 1700 -prefMapHandle 1576 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a2b2c0f2-fa41-4780-8b89-3b0e058abeb1} 484 "\\.\pipe\gecko-crash-server-pipe.484" 1784 2a20c1d6158 gpu
    3⤵
    PID:4364
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="484.1.319910148\1715784112" -parentBuildID 20221007134813 -prefsHandle 2168 -prefMapHandle 2164 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0f5e427b-9eb0-405a-ba4e-cd7f4c3c9728} 484 "\\.\pipe\gecko-crash-server-pipe.484" 2180 2a20bcec258 socket
    3⤵
    PID:5140
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="484.2.65451720\1002239851" -childID 1 -isForBrowser -prefsHandle 2892 -prefMapHandle 2888 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1068 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6afba008-99f0-4c17-9ac8-10a8161ebe66} 484 "\\.\pipe\gecko-crash-server-pipe.484" 2620 2a21019ba58 tab
    3⤵
    PID:5484
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="484.3.969552151\924259310" -childID 2 -isForBrowser -prefsHandle 3076 -prefMapHandle 3192 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1068 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5a209111-c73c-46eb-9583-561330e16375} 484 "\\.\pipe\gecko-crash-server-pipe.484" 3556 2a20e7a6258 tab
    3⤵
    PID:5684
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="484.4.1341904910\957239347" -childID 3 -isForBrowser -prefsHandle 3572 -prefMapHandle 3676 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1068 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {edd8e3a8-1d8a-4691-aa14-5b84b35e9969} 484 "\\.\pipe\gecko-crash-server-pipe.484" 4428 2a21210a558 tab
    3⤵
    PID:5304
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="484.5.1815698019\1322702218" -childID 4 -isForBrowser -prefsHandle 4912 -prefMapHandle 4920 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1068 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ec09f7c2-615c-4054-a727-c1c0238087e9} 484 "\\.\pipe\gecko-crash-server-pipe.484" 4928 2a2125f1b58 tab
    3⤵
    PID:5968
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="484.6.1508985799\2030393073" -childID 5 -isForBrowser -prefsHandle 5064 -prefMapHandle 5068 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1068 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f53fa08b-f0bc-4902-a9bd-4fc9761df01a} 484 "\\.\pipe\gecko-crash-server-pipe.484" 4948 2a2125efa58 tab
    3⤵
    PID:5980
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="484.7.1680319943\2052765744" -childID 6 -isForBrowser -prefsHandle 5264 -prefMapHandle 5268 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1068 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3f8d522c-5010-4f44-97ac-01886daba5a1} 484 "\\.\pipe\gecko-crash-server-pipe.484" 5256 2a2125f0058 tab
    3⤵
    PID:5996
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="484.8.631400025\1541096702" -childID 7 -isForBrowser -prefsHandle 5100 -prefMapHandle 5088 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1068 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6c6e4fe8-43b2-4524-bbaa-a783e3cad33b} 484 "\\.\pipe\gecko-crash-server-pipe.484" 5264 2a20d754358 tab
    3⤵
    PID:5788

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:6528

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry(14).zip\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry(14).zip\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe"
1⤵
- Drops startup file
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
PID:6184
- C:\Windows\SysWOW64\attrib.exe
  attrib +h .
  2⤵
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:6372
- C:\Windows\SysWOW64\icacls.exe
  icacls . /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  - System Location Discovery: System Language Discovery
  PID:6380
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry(14).zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6656
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 21541723850519.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6712
- - C:\Windows\SysWOW64\cscript.exe
    cscript.exe //nologo m.vbs
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6824
- C:\Windows\SysWOW64\attrib.exe
  attrib +h +s F:\$RECYCLE
  2⤵
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:4844
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry(14).zip\@[email protected]
  @[email protected] co
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5344
- - C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry(14).zip\TaskData\Tor\taskhsvc.exe
    TaskData\Tor\taskhsvc.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:6608
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c start /b @[email protected] vs
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2740
- - C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry(14).zip\@[email protected]
    @[email protected] vs
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3500
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
      4⤵
      System Location Discovery: System Language Discovery
      PID:6636
    - - C:\Windows\SysWOW64\vssadmin.exe
        
        vssadmin delete shadows /all /quiet
        5⤵
        System Location Discovery: System Language Discovery
        Interacts with shadow copies
        
        PID:6708
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:6940
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3500 -s 464
      4⤵
      Program crash
      PID:6772
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3500 -s 464
      4⤵
      Program crash
      PID:7076
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry(14).zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:7036
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry(14).zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry(14).zip\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:7028
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry(14).zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:7048
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "eveyoomrh293" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry(14).zip\tasksche.exe\"" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:7052
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "eveyoomrh293" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry(14).zip\tasksche.exe\"" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:7080
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry(14).zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:1668
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry(14).zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry(14).zip\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:6012
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry(14).zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5692

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:6804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\@[email protected]

Filesize
1KB

MD5
203417f458c25d2f0c84273ea75d22ed

SHA1
5ebf99b233ecf0417f5fd6410f42d7671ff39138

SHA256
30fd5cf26296ced5a291e06bf24f332786211c0e3fdaa7c84a5f2fd0a94be096

SHA512
700736298669a9df34bae878e321cbf219df0771e9cab4fbf8748b7db58fd6fced3f99f897be91d0d35910039d668bbb1abb92648c61273ecccda22b9dd03b34

Download Submit
C:\Users\Admin\AppData\Local\MicrosoftEdge\SharedCacheContainers\MicrosoftEdge_iecompat\IECompatData.xml

Filesize
74KB

MD5
d4fc49dc14f63895d997fa4940f24378

SHA1
3efb1437a7c5e46034147cbbc8db017c69d02c31

SHA256
853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1

SHA512
cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\doomed\15049

Filesize
13KB

MD5
97700fe2556e59a457761341b5ca034a

SHA1
6c02d833b0ab9a36e864c0631183ead55fe0c929

SHA256
1b7601c9677ac1166bb80c19fd15d547865ec530c5f1ae89f42c82c179d77131

SHA512
ce8dd0181896d05299e276ccd2d0d5ef716eab601b678c4a1311e7f20b023d6dcee12207841f19c5a918fb6febe504065361201226b4a0962e74b426b918452f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\doomed\17188

Filesize
13KB

MD5
a9845763a0b306d019c063d57e0a27ca

SHA1
1ba824562aef53f7c20fd76e2a6e1f5a29c882cc

SHA256
105b868e9bb642e772c308030ade14b2ac2a8c446dc5d6abbe991a087d76a8c8

SHA512
608a936dbbb16b989eebf345aa7c30e0c2685fcea364f268f0944baf2819daa23150c7f21145592d1424b6fb1f30fe8d1e29122385533ab280ea5f36b590cdc8

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\cache2\entries\17575D8A7850CC569656145486F9E6A52DCC316F

Filesize
61KB

MD5
5fe75b9443db1ef86e6007b3ce2f0cd6

SHA1
cdd4d6326dc4f847abcc7cff39b81e1532e199ee

SHA256
2de94925e1d0945457eb3b7c6519bb64502e61d8d27898a2b2ac3231f14ecda0

SHA512
6362d9daea9d2fbb8801c415dc4ab1eecd234e18a731bbda78adbe755f747016737250fc465bba27bcef79131712928398ae143f402d07c0cd2218f237757762

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!002\MicrosoftEdge\User\Default\DOMStore\AH9EKP5D\www.bing[1].xml

Filesize
1KB

MD5
d11c89c4d3320f1ef13fdbc124fec0b3

SHA1
5a799c4cf21d68d3d26185281be4d3a3f0bb5422

SHA256
a78bc2b3799d988405a15167c77fea63275fea9050be423adad3c9e5cb3437b0

SHA512
c9920b816120e109cd5b694ff0285ad387d6a50384c915d186253c2a31a08662bd6a6cf3702956b31d130c89efc9aa2acc262ac9c37a08e20c4e2882abc9249d

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\9BU0VLOY\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\Temp\~DFD10A13E97304506D.TMP

Filesize
24KB

MD5
d3cdb7663712ddb6ef5056c72fe69e86

SHA1
f08bf69934fb2b9ca0aba287c96abe145a69366c

SHA256
3e8c2095986b262ac8fccfabda2d021fc0d3504275e83cffe1f0a333f9efbe15

SHA512
c0acd65db7098a55dae0730eb1dcd8aa94e95a71f39dd40b087be0b06afc5d1bb310f555781853b5a78a8803dba0fb44df44bd2bb14baeca29c7c7410dffc812

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\FUJ3HSW2\Ransomware.WannaCry[1].htm

Filesize
292KB

MD5
c94a877f1942e77f551a482d05555676

SHA1
034c5c7f20b2b9dedc4593177311298867daa7b2

SHA256
6f34438c6391fa5dd567a09ca64207b86821ddac3230650fd16818b464548e46

SHA512
b2184af93923e43ee80d73688f555fa40c75e85d5ac7b0bb535a4bd58b50a2b1f3500dce80eb9daaeb64e7f0d438b434e08ebab49f2ebe4bc146488ad7bcbb3a

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\FUJ3HSW2\element-registry-713fac168aa4[1].js

Filesize
48KB

MD5
5e72f888f2d06af963df60b8ab3da5c5

SHA1
92b31583988e1beb090d9992a8e1ff08d86a151e

SHA256
e1cf5be4a3499294c5c7071a35e46987eeb3066fa0ca61a8d451755d00def24d

SHA512
713fac168aa49c25042f442bbb39b4c1297b09c660257b3058ea32f142f2aa8b6761b47bb9a4ed99f34e2166d13aad5bf37e6085d19ddb95e416a5ebf0ad94d6

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\FUJ3HSW2\environment-cd098098ff2e[1].js

Filesize
13KB

MD5
c946fb5a94c699f0b69bbcf7e85dd938

SHA1
81f6899e9f2d5e0357cb42792801c38f31e455a6

SHA256
29dba15e8182dbf52cd9dbde2287d57fdde0f6fb2e4dcfa0ee8381ee099f752d

SHA512
cd098098ff2e8f8b50d62e959c8a4190fc01fd7f96b651005059d18e0ac9e0c24ebeec4011308e7dead2614f83f2d3626ec5bf14e3eb1be8eb159042dd7432e6

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\FUJ3HSW2\vendors-node_modules_github_auto-complete-element_dist_index_js-node_modules_github_details-d-ed9a97-841122a1e9d4[1].js

Filesize
17KB

MD5
d50f30bd48bf15a39fb0de84d338b063

SHA1
c974701a469b2ae91195cc57a42c3157c0210646

SHA256
21c5e70f201ea5ebcaff6f1244e6a7fbfca84d1878cd41d4400696bbbe09af5a

SHA512
841122a1e9d49b8484e68dc82869b7835e54a9d632909ec4f0c386ba843d2eaf20416c75c19c4a250a8cf22de8ef43f1fff6d77d29630132266c6f533c487e2f

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\FUJ3HSW2\vendors-node_modules_github_catalyst_lib_index_js-node_modules_github_clipboard-copy-element_-782ca5-54763cd55b96[1].js

Filesize
8KB

MD5
80708c39dbd42e80616bc4a61b51c1bb

SHA1
a87eb08671b07a1c2689a6caca2486727af9ae3e

SHA256
10e085fffc04da9cbf0a46c8a6e120d34947c4ed859f05e26cb0abaae312e094

SHA512
54763cd55b96117e15652c12e9ca5e8ec71e58eabbd9537a7e6c833ec124199eae23091ef59275513f2cacf055e9ae69d7683474fc31f81ef823578118c462ba

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\FUJ3HSW2\vendors-node_modules_github_filter-input-element_dist_index_js-node_modules_github_remote-inp-2e8678-34feeec9c894[1].js

Filesize
17KB

MD5
3da8f54401dee42f64704d3b0757b790

SHA1
c6d76cf669c85eec10065fb8d10d4f62078957df

SHA256
1e07175839890a819b17ec7ecd2ad34eed67352630c8e91c19ae12e8f59e9f24

SHA512
34feeec9c894b71f2001925534b378e1700f0522f3747079e4ef830854f7c69c240198f4f0a59bf00f3815658fca2e03f79709603ef00d704bc2ebe625063a5f

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\FUJ3HSW2\vendors-node_modules_github_mini-throttle_dist_index_js-node_modules_delegated-events_dist_in-3efda3-701acb69193f[1].js

Filesize
22KB

MD5
a693601ad5e308513903deba2de13192

SHA1
67798204da9fa7579572048e4082f4a661081f10

SHA256
1b9356bc6a944ef62aded9240620165198d67511e7ca1d83141a497887ea5c99

SHA512
701acb69193fb70e56de2b560c510e72690a4e3c93407f1823a812dce3f82641606fb82781bf9423017e5ecdb04866d9833111ed3137fdef978298b329b054e3

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\FUJ3HSW2\vendors-node_modules_github_relative-time-element_dist_index_js-f9b958f5f2df[1].js

Filesize
15KB

MD5
46afaaf3a6253f2ce9568db9e301ec8a

SHA1
b365c36e165567048bad614c98baa22bef4b9b91

SHA256
7ef807f7b9fe45ec17faa06e235c7adac46227f7589b91653fe4e0ae3a7a0ff4

SHA512
f9b958f5f2df5e85cfb021de43dac548c271eab2ddfa4463c213d7bf311b7ea3b7b93b7231de9834db884bbe53b012b3a1dde85eef9c6daaf46609aeb446fdb4

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\FUJ3HSW2\vendors-node_modules_github_selector-observer_dist_index_esm_js-f690fd9ae3d5[1].js

Filesize
9KB

MD5
e131f8c9b77918aeb94fd82199a423d6

SHA1
71eaae086cd44a8904f39d27fb5387bb957976f0

SHA256
01f9a0ec0bb24312ae0395b6aa238f8d910dc35c08ef5a25a1e9cd8feac83c32

SHA512
f690fd9ae3d5a240e479fea97ac82940f136f3f2e0262cac840345f2b956123117ca94424dc354d90d13f1c0169c24b19526505bb2fad70c8c364899474a9495

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\FUJ3HSW2\vendors-node_modules_github_text-expander-element_dist_index_js-cd48220d74d5[1].js

Filesize
14KB

MD5
69f387b852329683c3f4856ccb905f60

SHA1
a58ffa40abbb4c6f5ef0545c1ffb932c21d73cc1

SHA256
d9cdb2e9f9c648237f22c43f8f12e85d8944c75ab325352059c3e53516635167

SHA512
cd48220d74d52b956312b2c59ec764d2d559e73c51789f9d649e108925f79ae3c910744161904b2840894bfcff64507971d5a19f921e5190a710bda4eceb63e2

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\FUJ3HSW2\vendors-node_modules_oddbird_popover-polyfill_dist_popover_js-56729c905fe2[1].js

Filesize
9KB

MD5
2eb9961e08f81bdca617ddb67c2fb708

SHA1
15cb6d7ffe93324b38bb62bcc4ff14d1a57f94bb

SHA256
0f2cd40ad364711db1fee03cf9f6ca04fc56f5c3ba497dc476c5879e129d968b

SHA512
56729c905fe263a6b7978bc67c09b8dab69592e21aa9addba78866790bdb2dbd85e41e6a6663d511e73a8edeb75933b549b3c393a465748790a6fd50b337cee9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\FUJ3HSW2\vendors-node_modules_primer_behaviors_dist_esm_anchored-position_js-node_modules_fzy_js_index-05960a-797b1227c4b8[1].js

Filesize
23KB

MD5
84645696994a44b9a487a86e579d57e4

SHA1
ad0cd59b0d9b1182e1ee9d3e07a68a9e9df74bab

SHA256
6adef556a80a604cafd2dd03f9c46b3be39779aea8973db9b67fdd9987862dd4

SHA512
797b1227c4b88f54b80e95d2ce2e920da001284f7ede11dbabacb1831d6fddbeab834274e325325903bf507ece6501b6f21ec89d53fb5d678556744e6dd56f6d

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\FUJ3HSW2\vendors-node_modules_primer_behaviors_dist_esm_focus-zone_js-c9086a4fb62b[1].js

Filesize
8KB

MD5
19e28fe2dcffe5582e6352b53d0b22ce

SHA1
1e656d3443915c4e4bc9782f4366b4eebcf45720

SHA256
345e3daa928a64bc11b3778cfb36228d0025c260defa0b78e4c0ebe66c419737

SHA512
c9086a4fb62b90cd43e0a47621528a23582de79c4bdb1b2eac386f8e331c5ac891aa69975fdfb487a4cf508852c1c3ebc2df24e00ffca5443fb6e22f3b3ee99c

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\FUJ3HSW2\wp-runtime-f2080426983c[1].js

Filesize
53KB

MD5
b89062f09b6c27df5ca41f9a1a191b5d

SHA1
62adc43b24b22ffca98c5c3ce0655de46d6eace5

SHA256
3980b822efc17cc64efa664445f55ca321562268398f9d980a75c021bb48e49a

SHA512
f2080426983c61b2154b9dfe884a73f9aaad34b137eab242ab742db7f0f3f2286182a647e97e1ec2827beb86ec26d5d06c40f96ecca5494ef89a796cd6793711

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\NITQOYHO\code-34406d39e629[1].css

Filesize
31KB

MD5
ee14556fc6c8c5e35d7acf63edb7c840

SHA1
6e106d8fb2bcdbf90a553b2db5ad3faf8b5b1d35

SHA256
e98b22b626274eb24481f138c7aed6681b3ade70d4427bc0cb05ceccd9ef4a61

SHA512
34406d39e629a65f5162757c5142f9b02149d2d18caedf15a528315a5dddccc86f3445c852f7e42a2979004b3c07ffe62c1b0c13cf5b60f6b8a06e5836027b67

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\NITQOYHO\global-fe6db6dfddd1[1].css

Filesize
285KB

MD5
83a1fe0c5e9cd039ffeba40274ed3e97

SHA1
3f7378950c11d499188c250eaaba823d301911f7

SHA256
63e4e2ef04a1e8a91dd3c31884c79890b7421f9387e4dd2a1a9b8b9cfd6b8968

SHA512
fe6db6dfddd18d5b2dacce0dd6038c651f230b31df823f2484311e52a62f757e902d0376fca309c81c3f59b6c8c6b7952dd2b6cea0070f66207ba5f997d87692

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\NITQOYHO\light-efd2f2257c96[1].css

Filesize
48KB

MD5
b8473fdb0f4749de99341662aec850f2

SHA1
f593c957a26528558217837aead34cf718d27443

SHA256
8aabc55d211fc93acb563c9cf30732577212a998196f73b067f9795c8d1ef72b

SHA512
efd2f2257c96c12eba6da741c677030ac63c34a925846080ec606e5a974706726479bd5babea6dd0ac7e8e421704263787986fb07a9c384994cf403bf8bc3dee

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\NITQOYHO\repository-992e95451f25[1].css

Filesize
29KB

MD5
ba1468dd22fb87a14c2e6e2204531deb

SHA1
ade22d3c001f90fb4998709fa1062c2964742ab1

SHA256
d47b5116f66ce8d8840e44fbcee18453ec46cd6a12f863308a1f456380c35707

SHA512
992e95451f25275a9263e398d325f64591772d9ac887be883b8ad97e09008bd31a0e2f59f62c0cc97a983cbaba7b20bd4ae49748a834c1862323bac59e318bf9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\RK76R0BC\dark-6b1e37da2254[1].css

Filesize
48KB

MD5
96ba1deb375c1c66bb092fa0a1765be1

SHA1
03f188ec52d09882b8403ed57d7aa73a224ddd62

SHA256
d6bc29d6a4e33c7f4da1d4b8060cce6dedf384d7334b71661c277e985ef8c156

SHA512
6b1e37da22544d5626c6f78691a8d8f723c49c95a782f5195f4b00b0e1b9d4408402c25d5915e097ef31273c3c8d06d81d1ba1bb08e12677941b8b1f24d92848

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\RK76R0BC\vendors-node_modules_dompurify_dist_purify_js-89a69c248502[1].js

Filesize
20KB

MD5
36f04458790e19bb99bd77a1cdc16295

SHA1
8f25cd75135fec8c088728f53d39dcc21d375fdf

SHA256
cfac43b55a6b86258b9d3495eff18f26f598313a14cf76a3dbb1e3e7fd341f00

SHA512
89a69c2485029e3393d81637b2eeac776d0765835e6ffcdddb1394f4421c5236b5cfee873568736d8a233b6c9bafe6ea828d2b718133aae8f0d22f220165fb9e

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\RK76R0BC\vendors-node_modules_github_mini-throttle_dist_index_js-node_modules_smoothscroll-polyfill_di-75db2e-686488490524[1].js

Filesize
15KB

MD5
e3f26045b6c949207e83b64a3049fb97

SHA1
93d1e9454d48afdfd846149723dcf845804552e2

SHA256
0aec79ad0107317829bd0d38cd83a44a1e3a14c9c62b7d1590298c4caa56ac0a

SHA512
68648849052442cf704c50e9abae2eccc3c289c388c4e4a7f32071d2878cb6c1bdca49a401fa820469a90658543fa1ff92649d232fcf0f94955a2872ff0899a1

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\TBLMKGZN\github-cf4e90581e80[1].css

Filesize
125KB

MD5
17dd5ff830e3a3b0d60eba96196eef76

SHA1
d191b957af007ae7ae2fdfd8b20d0ab3fc1ea274

SHA256
42681431f54d4e9bbdc102af4d2f3de9c5409507dc6f89abed7813f6461cf3bf

SHA512
cf4e90581e80a8f0d3aa169f580d171911d61d894301808bf51e7c2facfc6b0e5338f22f1af3253d20c94e4e56ca905fc5d0e1d8ce46fbcd03ed976d18ff86d4

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\TBLMKGZN\primer-bbda46ca867f[1].css

Filesize
333KB

MD5
77d264a65da1bdf6226a7b14304b56dc

SHA1
8925706abc2ab2aa391b2b6a9cc58b4dc8ba841f

SHA256
a2b62581aa107332cdab817fa60dcf7387d60e10fef392a98827abdc8e57ea75

SHA512
bbda46ca867f036551a1712a90c927f0b16dd413900a1c25dd022c8e80c54864989365097d4309b027f0067f0e57647357d19e48237da8b180079b74c9b702ce

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\TBLMKGZN\primer-primitives-8500c2c7ce5f[1].css

Filesize
8KB

MD5
e9c08b9ba681ad6606bd18f264e73ef6

SHA1
04d1e96739d82e07587f10bd2d953c8e70b93d9d

SHA256
b08c9718118f5b814e632ac3dc0d8e009e5dc2913df183f0ed322e6817e997df

SHA512
8500c2c7ce5fdad5fa01aa92156964108335c704a127ce290d201395009914c814ac6e08a467e45d1ca0fc75b2269b7f09a6d437939d91c9513c659a80cf472e

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\P5F0ZTT1.cookie

Filesize
169B

MD5
815ff7b9b12693eb9e45ad968822f3a4

SHA1
bdee0f9918a26179753cd7136ddd2708059a9cd3

SHA256
275dfabec6729ede29fa0f35ee4c417a996646e9bb9f3b25ff04f054feb98ec5

SHA512
4bd0bf4024c231121ae086a117c44da5effc7862ede463f9efc302624c5d074c9abb97901015eb1ac712e0b0eaad82a10d1bfcb02aa7c6a07b35c7bf991d82fe

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\A66A8DB907BADC9D16AD67B2FBFFDD5C

Filesize
281B

MD5
40c55127ba5eba2e97b9f616685628d7

SHA1
283e4a7ebddc737c8057d43a30bb38c7db13632a

SHA256
e338651656f5c04a9a3c2c72c313a7f31724069ed68bca3fe1b0536f747781a6

SHA512
6c65f9e755e467c8e6199a2ed718bebcb8ab266b9b631bbc172577e45312d92d5b58f227edb54ea30185e03f74a60a3d3b91695ed127cfdeed8180f55ea90581

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_89854CA6A0F0936A4D2ECA78845CEA25

Filesize
1KB

MD5
217c9d2c26169bdf488388824de40ab3

SHA1
e970b9aa0f9167a631687be49ebe5e2eb33cb051

SHA256
5d70dd6ef20c747c7d56604663415ae497196d5624c705cd840bab8d23202321

SHA512
36fc2cf016569232addad691f02af705b4c183d675bbe399e359ec7c191d79c461b3863c4011646ad0a4a8a1995b2313a1dcedd52dd7e5b68dcc07ad749b5d98

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\D0E1C4B6144E7ECAB3F020E4A19EFC29_B5F77004C894173A10E3A199871D2D90

Filesize
979B

MD5
a70f46c2b96793585aabcec65c918458

SHA1
697ef66dd7cb5b4ac834b0f05d9728e06b376ed8

SHA256
5ff2aa81382591e38b6f868b5a408ac51c29dcac927bb339d1920f27ab267993

SHA512
8a43984a9f6964976db2c05c695e90721c0604afb8fef86c16163b222bbf2c8e507669e3a61cf585bc0ffcb13a87f042b27868d6bb0d8fd385f3b827fd498082

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\A66A8DB907BADC9D16AD67B2FBFFDD5C

Filesize
480B

MD5
d36ae5d8c9e7d4aff73d7c6e767a3093

SHA1
27a0caed09c8ae3b5fb739bc7fcb99066e1b7908

SHA256
b37f3c2c670a1ffeb94951318591d4544726f460e658c6e61835831a78e3ae7a

SHA512
02c1d6d010025e61dd6c50b63266ddc2131f16d46d72006df8f3ea33cf3a7f4a43bc2f1ab547f569a9798b91b34dffb230f6e47793ef80626f82c220f6711f20

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_89854CA6A0F0936A4D2ECA78845CEA25

Filesize
482B

MD5
dcb0296deb6a0ea8a29141885821a6a9

SHA1
54dcaf7765d189c02298cbc4222634969ee1d320

SHA256
55edd656d60d48d34c1967903c156c51a2ca816dd343db33702e5c0109d14968

SHA512
6430867bf5086ba6bcb7f3dce3365b23dcc8ad7b4c4d11855ce1f56673ff0a2bdcede5a6df3c03acb650a75a26be67c45462f5193049767100795e65660be18f

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\D0E1C4B6144E7ECAB3F020E4A19EFC29_B5F77004C894173A10E3A199871D2D90

Filesize
480B

MD5
97366f4051a74fc9742427fc583e55cc

SHA1
d76d85b4e13bdc9c3b16f9d54a9a1ca270621721

SHA256
9d6ea4115bad96af28821b7e7880c2908e69fadc68bd6a58c6729ab5806ad299

SHA512
39f091b5f77a93eb2a1fd121f6285a01b9aa4d5a56ce00e7b94c71657b7800b3a9257fb17225acfc20f7bb51f5da0c4b4b8bfe6eef9d83ce45ae93d4600b4f28

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry(14).zip\@[email protected]

Filesize
933B

MD5
f97d2e6f8d820dbd3b66f21137de4f09

SHA1
596799b75b5d60aa9cd45646f68e9c0bd06df252

SHA256
0e5ece918132a2b1a190906e74becb8e4ced36eec9f9d1c70f5da72ac4c6b92a

SHA512
efda21d83464a6a32fdeef93152ffd32a648130754fdd3635f7ff61cc1664f7fc050900f0f871b0ddd3a3846222bf62ab5df8eed42610a76be66fff5f7b4c4c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry(14).zip\@[email protected]

Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry(14).zip\TaskData\Tor\tor.exe

Filesize
3.0MB

MD5
fe7eb54691ad6e6af77f8a9a0b6de26d

SHA1
53912d33bec3375153b7e4e68b78d66dab62671a

SHA256
e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb

SHA512
8ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry(14).zip\b.wnry

Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry(14).zip\c.wnry

Filesize
780B

MD5
383a85eab6ecda319bfddd82416fc6c2

SHA1
2a9324e1d02c3e41582bf5370043d8afeb02ba6f

SHA256
079ce1041cbffe18ff62a2b4a33711eda40f680d0b1d3b551db47e39a6390b21

SHA512
c661e0b3c175d31b365362e52d7b152267a15d59517a4bcc493329be20b23d0e4eb62d1ba80bb96447eeaf91a6901f4b34bf173b4ab6f90d4111ea97c87c1252

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry(14).zip\msg\m_bulgarian.wnry

Filesize
46KB

MD5
95673b0f968c0f55b32204361940d184

SHA1
81e427d15a1a826b93e91c3d2fa65221c8ca9cff

SHA256
40b37e7b80cf678d7dd302aaf41b88135ade6ddf44d89bdba19cf171564444bd

SHA512
7601f1883edbb4150a9dc17084012323b3bfa66f6d19d3d0355cf82b6a1c9dce475d758da18b6d17a8b321bf6fca20915224dbaedcb3f4d16abfaf7a5fc21b92

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry(14).zip\msg\m_chinese (simplified).wnry

Filesize
53KB

MD5
0252d45ca21c8e43c9742285c48e91ad

SHA1
5c14551d2736eef3a1c1970cc492206e531703c1

SHA256
845d0e178aeebd6c7e2a2e9697b2bf6cf02028c50c288b3ba88fe2918ea2834a

SHA512
1bfcf6c0e7c977d777f12bd20ac347630999c4d99bd706b40de7ff8f2f52e02560d68093142cc93722095657807a1480ce3fb6a2e000c488550548c497998755

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry(14).zip\msg\m_chinese (traditional).wnry

Filesize
77KB

MD5
2efc3690d67cd073a9406a25005f7cea

SHA1
52c07f98870eabace6ec370b7eb562751e8067e9

SHA256
5c7f6ad1ec4bc2c8e2c9c126633215daba7de731ac8b12be10ca157417c97f3a

SHA512
0766c58e64d9cda5328e00b86f8482316e944aa2c26523a3c37289e22c34be4b70937033bebdb217f675e40db9fecdce0a0d516f9065a170e28286c2d218487c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry(14).zip\msg\m_croatian.wnry

Filesize
38KB

MD5
17194003fa70ce477326ce2f6deeb270

SHA1
e325988f68d327743926ea317abb9882f347fa73

SHA256
3f33734b2d34cce83936ce99c3494cd845f1d2c02d7f6da31d42dfc1ca15a171

SHA512
dcf4ccf0b352a8b271827b3b8e181f7d6502ca0f8c9dda3dc6e53441bb4ae6e77b49c9c947cc3ede0bf323f09140a0c068a907f3c23ea2a8495d1ad96820051c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry(14).zip\msg\m_czech.wnry

Filesize
39KB

MD5
537efeecdfa94cc421e58fd82a58ba9e

SHA1
3609456e16bc16ba447979f3aa69221290ec17d0

SHA256
5afa4753afa048c6d6c39327ce674f27f5f6e5d3f2a060b7a8aed61725481150

SHA512
e007786ffa09ccd5a24e5c6504c8de444929a2faaafad3712367c05615b7e1b0fbf7fbfff7028ed3f832ce226957390d8bf54308870e9ed597948a838da1137b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry(14).zip\msg\m_danish.wnry

Filesize
36KB

MD5
2c5a3b81d5c4715b7bea01033367fcb5

SHA1
b548b45da8463e17199daafd34c23591f94e82cd

SHA256
a75bb44284b9db8d702692f84909a7e23f21141866adf3db888042e9109a1cb6

SHA512
490c5a892fac801b853c348477b1140755d4c53ca05726ac19d3649af4285c93523393a3667e209c71c80ac06ffd809f62dd69ae65012dcb00445d032f1277b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry(14).zip\msg\m_dutch.wnry

Filesize
36KB

MD5
7a8d499407c6a647c03c4471a67eaad7

SHA1
d573b6ac8e7e04a05cbbd6b7f6a9842f371d343b

SHA256
2c95bef914da6c50d7bdedec601e589fbb4fda24c4863a7260f4f72bd025799c

SHA512
608ef3ff0a517fe1e70ff41aeb277821565c5a9bee5103aa5e45c68d4763fce507c2a34d810f4cd242d163181f8341d9a69e93fe32aded6fbc7f544c55743f12

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry(14).zip\msg\m_english.wnry

Filesize
36KB

MD5
fe68c2dc0d2419b38f44d83f2fcf232e

SHA1
6c6e49949957215aa2f3dfb72207d249adf36283

SHA256
26fd072fda6e12f8c2d3292086ef0390785efa2c556e2a88bd4673102af703e5

SHA512
941fa0a1f6a5756ed54260994db6158a7ebeb9e18b5c8ca2f6530c579bc4455918df0b38c609f501ca466b3cc067b40e4b861ad6513373b483b36338ae20a810

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry(14).zip\msg\m_filipino.wnry

Filesize
36KB

MD5
08b9e69b57e4c9b966664f8e1c27ab09

SHA1
2da1025bbbfb3cd308070765fc0893a48e5a85fa

SHA256
d8489f8c16318e524b45de8b35d7e2c3cd8ed4821c136f12f5ef3c9fc3321324

SHA512
966b5ed68be6b5ccd46e0de1fa868cfe5432d9bf82e1e2f6eb99b2aef3c92f88d96f4f4eec5e16381b9c6db80a68071e7124ca1474d664bdd77e1817ec600cb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry(14).zip\msg\m_finnish.wnry

Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry(14).zip\msg\m_french.wnry

Filesize
37KB

MD5
4e57113a6bf6b88fdd32782a4a381274

SHA1
0fccbc91f0f94453d91670c6794f71348711061d

SHA256
9bd38110e6523547aed50617ddc77d0920d408faeed2b7a21ab163fda22177bc

SHA512
4f1918a12269c654d44e9d394bc209ef0bc32242be8833a2fba437b879125177e149f56f2fb0c302330dec328139b34982c04b3fefb045612b6cc9f83ec85aa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry(14).zip\msg\m_german.wnry

Filesize
36KB

MD5
3d59bbb5553fe03a89f817819540f469

SHA1
26781d4b06ff704800b463d0f1fca3afd923a9fe

SHA256
2adc900fafa9938d85ce53cb793271f37af40cf499bcc454f44975db533f0b61

SHA512
95719ae80589f71209bb3cb953276538040e7111b994d757b0a24283aefe27aadbbe9eef3f1f823ce4cabc1090946d4a2a558607ac6cac6faca5971529b34dac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry(14).zip\msg\m_greek.wnry

Filesize
47KB

MD5
fb4e8718fea95bb7479727fde80cb424

SHA1
1088c7653cba385fe994e9ae34a6595898f20aeb

SHA256
e13cc9b13aa5074dc45d50379eceb17ee39a0c2531ab617d93800fe236758ca9

SHA512
24db377af1569e4e2b2ebccec42564cea95a30f1ff43bcaf25a692f99567e027bcef4aacef008ec5f64ea2eef0c04be88d2b30bcadabb3919b5f45a6633940cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry(14).zip\msg\m_indonesian.wnry

Filesize
36KB

MD5
3788f91c694dfc48e12417ce93356b0f

SHA1
eb3b87f7f654b604daf3484da9e02ca6c4ea98b7

SHA256
23e5e738aad10fb8ef89aa0285269aff728070080158fd3e7792fe9ed47c51f4

SHA512
b7dd9e6dc7c2d023ff958caf132f0544c76fae3b2d8e49753257676cc541735807b4befdf483bcae94c2dcde3c878c783b4a89dca0fecbc78f5bbf7c356f35cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry(14).zip\msg\m_italian.wnry

Filesize
36KB

MD5
30a200f78498990095b36f574b6e8690

SHA1
c4b1b3c087bd12b063e98bca464cd05f3f7b7882

SHA256
49f2c739e7d9745c0834dc817a71bf6676ccc24a4c28dcddf8844093aab3df07

SHA512
c0da2aae82c397f6943a0a7b838f60eeef8f57192c5f498f2ecf05db824cfeb6d6ca830bf3715da7ee400aa8362bd64dc835298f3f0085ae7a744e6e6c690511

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry(14).zip\msg\m_japanese.wnry

Filesize
79KB

MD5
b77e1221f7ecd0b5d696cb66cda1609e

SHA1
51eb7a254a33d05edf188ded653005dc82de8a46

SHA256
7e491e7b48d6e34f916624c1cda9f024e86fcbec56acda35e27fa99d530d017e

SHA512
f435fd67954787e6b87460db026759410fbd25b2f6ea758118749c113a50192446861a114358443a129be817020b50f21d27b1ebd3d22c7be62082e8b45223fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry(14).zip\msg\m_korean.wnry

Filesize
89KB

MD5
6735cb43fe44832b061eeb3f5956b099

SHA1
d636daf64d524f81367ea92fdafa3726c909bee1

SHA256
552aa0f82f37c9601114974228d4fc54f7434fe3ae7a276ef1ae98a0f608f1d0

SHA512
60272801909dbba21578b22c49f6b0ba8cd0070f116476ff35b3ac8347b987790e4cc0334724244c4b13415a246e77a577230029e4561ae6f04a598c3f536c7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry(14).zip\msg\m_latvian.wnry

Filesize
40KB

MD5
c33afb4ecc04ee1bcc6975bea49abe40

SHA1
fbea4f170507cde02b839527ef50b7ec74b4821f

SHA256
a0356696877f2d94d645ae2df6ce6b370bd5c0d6db3d36def44e714525de0536

SHA512
0d435f0836f61a5ff55b78c02fa47b191e5807a79d8a6e991f3115743df2141b3db42ba8bdad9ad259e12f5800828e9e72d7c94a6a5259312a447d669b03ec44

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry(14).zip\msg\m_norwegian.wnry

Filesize
36KB

MD5
ff70cc7c00951084175d12128ce02399

SHA1
75ad3b1ad4fb14813882d88e952208c648f1fd18

SHA256
cb5da96b3dfcf4394713623dbf3831b2a0b8be63987f563e1c32edeb74cb6c3a

SHA512
f01df3256d49325e5ec49fd265aa3f176020c8ffec60eb1d828c75a3fa18ff8634e1de824d77dfdd833768acff1f547303104620c70066a2708654a07ef22e19

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry(14).zip\msg\m_polish.wnry

Filesize
38KB

MD5
e79d7f2833a9c2e2553c7fe04a1b63f4

SHA1
3d9f56d2381b8fe16042aa7c4feb1b33f2baebff

SHA256
519ad66009a6c127400c6c09e079903223bd82ecc18ad71b8e5cd79f5f9c053e

SHA512
e0159c753491cac7606a7250f332e87bc6b14876bc7a1cf5625fa56ab4f09c485f7b231dd52e4ff0f5f3c29862afb1124c0efd0741613eb97a83cbe2668af5de

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry(14).zip\msg\m_portuguese.wnry

Filesize
37KB

MD5
fa948f7d8dfb21ceddd6794f2d56b44f

SHA1
ca915fbe020caa88dd776d89632d7866f660fc7a

SHA256
bd9f4b3aedf4f81f37ec0a028aabcb0e9a900e6b4de04e9271c8db81432e2a66

SHA512
0d211bfb0ae953081dca00cd07f8c908c174fd6c47a8001fadc614203f0e55d9fbb7fa9b87c735d57101341ab36af443918ee00737ed4c19ace0a2b85497f41a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry(14).zip\msg\m_romanian.wnry

Filesize
50KB

MD5
313e0ececd24f4fa1504118a11bc7986

SHA1
e1b9ae804c7fb1d27f39db18dc0647bb04e75e9d

SHA256
70c0f32ed379ae899e5ac975e20bbbacd295cf7cd50c36174d2602420c770ac1

SHA512
c7500363c61baf8b77fce796d750f8f5e6886ff0a10f81c3240ea3ad4e5f101b597490dea8ab6bd9193457d35d8fd579fce1b88a1c8d85ebe96c66d909630730

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry(14).zip\msg\m_russian.wnry

Filesize
46KB

MD5
452615db2336d60af7e2057481e4cab5

SHA1
442e31f6556b3d7de6eb85fbac3d2957b7f5eac6

SHA256
02932052fafe97e6acaaf9f391738a3a826f5434b1a013abbfa7a6c1ade1e078

SHA512
7613dc329abe7a3f32164c9a6b660f209a84b774ab9c008bf6503c76255b30ea9a743a6dc49a8de8df0bcb9aea5a33f7408ba27848d9562583ff51991910911f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry(14).zip\msg\m_slovak.wnry

Filesize
40KB

MD5
c911aba4ab1da6c28cf86338ab2ab6cc

SHA1
fee0fd58b8efe76077620d8abc7500dbfef7c5b0

SHA256
e64178e339c8e10eac17a236a67b892d0447eb67b1dcd149763dad6fd9f72729

SHA512
3491ed285a091a123a1a6d61aafbb8d5621ccc9e045a237a2f9c2cf6049e7420eb96ef30fdcea856b50454436e2ec468770f8d585752d73fafd676c4ef5e800a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry(14).zip\msg\m_spanish.wnry

Filesize
36KB

MD5
8d61648d34cba8ae9d1e2a219019add1

SHA1
2091e42fc17a0cc2f235650f7aad87abf8ba22c2

SHA256
72f20024b2f69b45a1391f0a6474e9f6349625ce329f5444aec7401fe31f8de1

SHA512
68489c33ba89edfe2e3aebaacf8ef848d2ea88dcbef9609c258662605e02d12cfa4ffdc1d266fc5878488e296d2848b2cb0bbd45f1e86ef959bab6162d284079

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry(14).zip\msg\m_swedish.wnry

Filesize
37KB

MD5
c7a19984eb9f37198652eaf2fd1ee25c

SHA1
06eafed025cf8c4d76966bf382ab0c5e1bd6a0ae

SHA256
146f61db72297c9c0facffd560487f8d6a2846ecec92ecc7db19c8d618dbc3a4

SHA512
43dd159f9c2eac147cbff1dda83f6a83dd0c59d2d7acac35ba8b407a04ec9a1110a6a8737535d060d100ede1cb75078cf742c383948c9d4037ef459d150f6020

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry(14).zip\msg\m_turkish.wnry

Filesize
41KB

MD5
531ba6b1a5460fc9446946f91cc8c94b

SHA1
cc56978681bd546fd82d87926b5d9905c92a5803

SHA256
6db650836d64350bbde2ab324407b8e474fc041098c41ecac6fd77d632a36415

SHA512
ef25c3cf4343df85954114f59933c7cc8107266c8bcac3b5ea7718eb74dbee8ca8a02da39057e6ef26b64f1dfccd720dd3bf473f5ae340ba56941e87d6b796c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry(14).zip\msg\m_vietnamese.wnry

Filesize
91KB

MD5
8419be28a0dcec3f55823620922b00fa

SHA1
2e4791f9cdfca8abf345d606f313d22b36c46b92

SHA256
1f21838b244c80f8bed6f6977aa8a557b419cf22ba35b1fd4bf0f98989c5bdf8

SHA512
8fca77e54480aea3c0c7a705263ed8fb83c58974f5f0f62f12cc97c8e0506ba2cdb59b70e59e9a6c44dd7cde6adeeec35b494d31a6a146ff5ba7006136ab9386

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry(14).zip\r.wnry

Filesize
864B

MD5
3e0020fc529b1c2a061016dd2469ba96

SHA1
c3a91c22b63f6fe709e7c29cafb29a2ee83e6ade

SHA256
402751fa49e0cb68fe052cb3db87b05e71c1d950984d339940cf6b29409f2a7c

SHA512
5ca3c134201ed39d96d72911c0498bae6f98701513fd7f1dc8512819b673f0ea580510fa94ed9413ccc73da18b39903772a7cbfa3478176181cee68c896e14cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry(14).zip\s.wnry

Filesize
2.9MB

MD5
ad4c9de7c8c40813f200ba1c2fa33083

SHA1
d1af27518d455d432b62d73c6a1497d032f6120e

SHA256
e18fdd912dfe5b45776e68d578c3af3547886cf1353d7086c8bee037436dff4b

SHA512
115733d08e5f1a514808a20b070db7ff453fd149865f49c04365a8c6502fa1e5c3a31da3e21f688ab040f583cf1224a544aea9708ffab21405dde1c57f98e617

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
f2a73d718fc893b895db78ecad288f52

SHA1
e8ad92b859221fecb48385d2dc5cdbaf4b26d692

SHA256
f8e9006a82e6555a1398c3695c05acd4d8ba0ba55920cf82ffb349784f5f924b

SHA512
433fe2dc1dd0a58bfb086ff148584d8b73a116b5cad769159d7753cca0ee52f4486d96208c54df98dad5022d590cc5630f6c38df41cf4b39b5a1b953d4644140

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\pending_pings\61078cb8-5a6e-48e9-9c35-3bdd25df79b6

Filesize
11KB

MD5
25e4475c8bb7ecfe4cb910ba0da4161f

SHA1
604912cdcf6bcf61ffb60640e680acdebd9aae0b

SHA256
e179a05a7cfbc0d07d5304fd5c1733cdda0e19ca71285545cd466848939e481b

SHA512
31d679ba39e24c3643c4c957402ac0598864779f115e3c2007d4617c9801c6fca703d6b208a5970499720f9b4d04e9a9b707f7ef98717901c46dcf75d6e6efba

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\pending_pings\df6ef62f-709b-4b5b-bbc1-abd489200487

Filesize
746B

MD5
6443e262ed0724b0285bbfa77f9ff9a6

SHA1
05d123e4790f5bf595936e7d22d73f049cd906fa

SHA256
846d62c72d0f1e9963bd687ea252a84b4efb6041733449a577c65d82e462ac5f

SHA512
4eea1f0cc6e7dbe7b552b655be1d0354af3327bdde8a08e32755a3de254ad5dca23a2a22b3d58453607821fe28cc6813a5698502404ef3e5616b156426318fba

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\downloads.json.tmp

Filesize
4KB

MD5
85b59badcb179d5b4d7aac4bbb8ad569

SHA1
e8d5abe8c1234052bb9a943cf9bfffdfe24a7e1f

SHA256
cb1842dd50cf0f80ae415e7ee527964daa7352bc693bcf97f588e0f614e4fd6b

SHA512
765707a7cc8902391be82ac94f87adb8a2cfe429b57a2e86137caebe474f89c2717b3a4b56b16d3847c55f13cadb137f982843d76e8ff9aa46fe90a71e43f71f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs-1.js

Filesize
6KB

MD5
c025fc36e9e0209a77838cd91c5c13a6

SHA1
5ef2042596338575bd4f5354bc31bd6a6876e742

SHA256
74a4077a15ef2b0864e33e062be46e1bade145ea79bc6e8e1e7b1d25d744d0f1

SHA512
23c23ee26bcf88f605702211dfcf96792dd85486cd26897d02196027451519cadb8924e77165be84fdf08303ed978a07470c767ddaa854478f608835e074b546

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs-1.js

Filesize
6KB

MD5
7e6022977b0e2c75739f56eef38febf6

SHA1
8f7da1df1c87efacbb294434410acf6aa631ed8b

SHA256
756d70a3ee872c17f0d504851566ebb88a92c20b7974970e615c469b5332d77d

SHA512
a0e0e306177f5b9bc8f18397adbe53ebd1a19f47438d5b7db4cdb0e122f26f85e19afcc60fc726a2f1ab25f5e377c706c61b05e34f3570b8f7fa66148454ceab

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs.js

Filesize
6KB

MD5
aa9a489e89d8940425791302266399d2

SHA1
9a2bf6d00ab51718d05b77eb871ee0534aa8c585

SHA256
a9b8f15c38b5bcb3c971f5ebc8b5a97c5e21912bd689bfb6dfa784ff27401a31

SHA512
a9052645f76eedbffebded0c77b15cf57c04d163d50dba66c423d30e3afe44e18c8a345a2e046eb735447cf6c2d09aa9478b90b675890845564dfd18ed638663

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs.js

Filesize
6KB

MD5
a8fb4406ca09eb42689a6add0bf1361b

SHA1
abc107e26c88071f857e4d9858f3bcc936c86193

SHA256
a7d1c87cd0794dbecf4aa16145ee00ec767561a1fd1c8287e51cf0457da9d56c

SHA512
ac3c4d1789f0a3b9cf1e6e44a5e5209c13427eca781f85ed7f156cfee657974aa10d451ddc812d5bb954040dcbda737ca49d3d8bb69d65473dea85b68776666c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs.js

Filesize
7KB

MD5
05b530b6f8179f47f27f350406129efb

SHA1
11bb9caea64d85e60a0682cd5864a97e4337627b

SHA256
c662d9980babc9c61763db98b2d5e7b9bd47b8266cc43f5c0f487418f37d5cb6

SHA512
e07b4032062db445a367c545202988c195ea77194dec5cd4b4d2cd8f32b153b68cd3ec18db6f8dc778f59ba8abac9a8725d932662841e3dd3f703100b23e3d41

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs.js

Filesize
6KB

MD5
c3a362fb3fd13a1c5242a45ce3dd3706

SHA1
ab53724d0d18b2b1790898ec0670fe373f3f2311

SHA256
c975df66c1b036f3d1286d8d062ebb927353de6f2d43f0c30dca9b33b39df5c5

SHA512
c2f3e31872abd293e10b2b2e2bcbeca29ad9bbf3da3230c38f54e3262c72abff75633f6a97315f0225eb878d0bee59fb23c161959adb448194464febfe022fb1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
6bd988980a746ae5bfa216b7100562e2

SHA1
daeac144481e78dad68f05e902bf4a062466e574

SHA256
3b3105bf76ccceccca4ec04a80061b4d455b4f10ef955c66c13c8cebdcbbd883

SHA512
24cf51504a8499daa746d71412f0c887d5ac3a2ff867ff99aac619bd2d2e9d9e127546af48bed77125e719a4ca0f36216da853d0658027e165737bb351d3ca6f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
c1dc91d639bd1f902c6aabfb0ed0925b

SHA1
7c606a7cb969f0b78a47ec2485c6960fcccfa295

SHA256
9cc8f6d8397e1df53202f38f18f8f1f2fff7a9f1d233a46f587f3035583469bc

SHA512
b5be1ba5ac5c12796c667efde5d5269e8a39cd96a03aff27b9aa9700b36650b105cf241a2ea8608c5de5216240d9987dac5bb036e24fdac76cf3892160b5fa1e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
e27967b6bb30c63eb66ed574cb2d087a

SHA1
7a4b5c591192b4b6a1c8a3205d555be874ac4e86

SHA256
d343878aca4c20317df4e599f7e193e199590b5d90646d4c2f89f88815bdd637

SHA512
e2c01498ca8f1af8b1293a0a7dd790ce5600205e2f3c30e9b9a417e30498671003b9294791840611e79a37fa7dc1db6fefe248e95f1878c5ae9c06c59e3ce435

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
2KB

MD5
8716944b47075520a288dff5f18c5820

SHA1
09c19f032bff929665a5b71d663e10bd53ee40a7

SHA256
e2229d410bbc8073987b4c80ba8f8fe52ac0ff3db569bd061c0b7feca2a072eb

SHA512
7940bac901d3e0eb7eb2ce7fd5f657bf8b9b58e3eb7d4d970e8c0fa686352a4507b16335cf7e55ba67ebb9150e2ac849d293d5f5a3a8d0ac80cd9ff59ddb933f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
f98d58788325da9f899cd8a416f99e7a

SHA1
7e0851b9f9984c80634fd317a6ed3a2107222242

SHA256
871f7cb0336697e728bfca50e64ca1e540e3183880af003756c88e2a045213a7

SHA512
1126ad1a0bc2aa503d5913d5997865e7cedb6c5a2af00f26c99fb59954957578b4e3d0ab69d58266db80dc00f45a7fb953f4e78cce4fb5e781a12a4c66a0ea70

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
7f868e557b098795d645df9ea302427f

SHA1
001f3306144559b4049a8ab139b4139f51e59c0e

SHA256
b228e23ecfb7965e3badefcbb031de0b4bb887634bccb34a826ac8ac89124ac5

SHA512
56fd8aa514cc25db5a2c9191d665eaffe90182cc5e4f15317e0cfbc9adf7336d9ad937d20384b0504f784e5939b76b4c4b0020cb06e4a472c650355cc6c4c89a

Download Submit
C:\Users\Admin\Downloads\Ransomware.W2B-nE82.WannaCry.zip.part

Filesize
68KB

MD5
3571ea6452d5ea5c26a297afddb4299d

SHA1
f3c170337378eb376aa790d3900f38fb7a55ef6e

SHA256
19bd3136ee37016bdd5b229c2187039aa78652462bed450d3d110abc4ce841c7

SHA512
db5e0e2e1f72232cfa92f626749e9b67865f7dfa328c80f927b1a4c5a556b069ad2c06f78c142ab630734ccd4dfef9ca5fbd6299c098ad701ccf42ffc2ff478e

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry(14).zip:Zone.Identifier

Filesize
50B

MD5
dce5191790621b5e424478ca69c47f55

SHA1
ae356a67d337afa5933e3e679e84854deeace048

SHA256
86a3e68762720abe870d1396794850220935115d3ccc8bb134ffa521244e3ef8

SHA512
a669e10b173fce667d5b369d230d5b1e89e366b05ba4e65919a7e67545dd0b1eca8bcb927f67b12fe47cbe22b0c54c54f1e03beed06379240b05b7b990c5a641

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry(4).zip:Zone.Identifier

Filesize
240B

MD5
0325f6e99dd2bbb0e312fab950a5b292

SHA1
24673e9316a7f5b6ed505ff1c20102d1eb85dc20

SHA256
2b317019df8e70bd0041796590fc6a2e6db1e364058eafad7d1825a7bd083c96

SHA512
4857aa546680e23cf5beda26a501210c6020199c1c45fd2326df7f939c7a1bcc588a72d5f329068167e193e9abaca1bb756b6d13422fb8e85ad9105d5ac4dd4c

Download Submit
memory/1692-183-0x0000024C11390000-0x0000024C11392000-memory.dmp

Filesize
8KB

Download
memory/1692-185-0x0000024C113B0000-0x0000024C113B2000-memory.dmp

Filesize
8KB

Download
memory/1692-187-0x0000024C113D0000-0x0000024C113D2000-memory.dmp

Filesize
8KB

Download
memory/1692-173-0x0000024C00600000-0x0000024C00700000-memory.dmp

Filesize
1024KB

Download
memory/1692-172-0x0000024C00600000-0x0000024C00700000-memory.dmp

Filesize
1024KB

Download
memory/1692-177-0x0000024C11330000-0x0000024C11332000-memory.dmp

Filesize
8KB

Download
memory/1692-179-0x0000024C11350000-0x0000024C11352000-memory.dmp

Filesize
8KB

Download
memory/1692-181-0x0000024C11370000-0x0000024C11372000-memory.dmp

Filesize
8KB

Download
memory/1808-2647-0x00000299E3DF0000-0x00000299E3DF1000-memory.dmp

Filesize
4KB

Download
memory/1808-16-0x00000299E6920000-0x00000299E6930000-memory.dmp

Filesize
64KB

Download
memory/1808-573-0x00000299EDB90000-0x00000299EDB91000-memory.dmp

Filesize
4KB

Download
memory/1808-2644-0x00000299EABC0000-0x00000299EABC2000-memory.dmp

Filesize
8KB

Download
memory/1808-0-0x00000299E6820000-0x00000299E6830000-memory.dmp

Filesize
64KB

Download
memory/1808-572-0x00000299EDB80000-0x00000299EDB81000-memory.dmp

Filesize
4KB

Download
memory/1808-35-0x00000299E3DA0000-0x00000299E3DA2000-memory.dmp

Filesize
8KB

Download
memory/2212-145-0x00000291BFF00000-0x00000291C0000000-memory.dmp

Filesize
1024KB

Download
memory/3040-215-0x0000024866300000-0x0000024866400000-memory.dmp

Filesize
1024KB

Download
memory/3040-320-0x0000024876A80000-0x0000024876AA0000-memory.dmp

Filesize
128KB

Download
memory/3040-309-0x00000248769B0000-0x00000248769D0000-memory.dmp

Filesize
128KB

Download
memory/3092-64-0x0000026B85800000-0x0000026B85900000-memory.dmp

Filesize
1024KB

Download
memory/4820-43-0x000001E871800000-0x000001E871900000-memory.dmp

Filesize
1024KB

Download
memory/4820-44-0x000001E871800000-0x000001E871900000-memory.dmp

Filesize
1024KB

Download
memory/6184-1107-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download