wannacry | hxxps://github[.]com/kh4sh3i/Ransomware-Samples

Analysis

max time kernel
376s
max time network
381s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05-09-2024 14:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/kh4sh3i/Ransomware-Samples

Score

10^/10

wannacry defense_evasion discovery execution impact persistence ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\WannaCry\Ransomware.WannaCry\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDC010.tmp	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDC026.tmp	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

Executes dropped EXE 35 IoCs

pid	Process
4800	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
4000	taskdl.exe
2900	@[email protected]
1084	@[email protected]
404	taskhsvc.exe
4332	taskdl.exe
2232	taskse.exe
1104	@[email protected]
6052	taskdl.exe
6068	taskse.exe
6076	@[email protected]
952	taskdl.exe
5420	taskse.exe
5448	@[email protected]
1392	taskdl.exe
4632	taskse.exe
3848	@[email protected]
5716	taskdl.exe
5740	taskse.exe
5748	@[email protected]
3424	taskdl.exe
4348	taskse.exe
1480	@[email protected]
5200	taskdl.exe
2896	taskse.exe
2988	@[email protected]
5828	taskdl.exe
5756	taskse.exe
2144	@[email protected]
5404	taskse.exe
2228	@[email protected]
4840	taskdl.exe
2188	taskse.exe
2736	@[email protected]
3108	taskdl.exe

Loads dropped DLL 7 IoCs

pid	Process
404	taskhsvc.exe
404	taskhsvc.exe
404	taskhsvc.exe
404	taskhsvc.exe
404	taskhsvc.exe
404	taskhsvc.exe
404	taskhsvc.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2232	icacls.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qyedrxmniilpouj597 = "\"C:\\Users\\Admin\\Downloads\\WannaCry\\Ransomware.WannaCry\\tasksche.exe\""	reg.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
36	raw.githubusercontent.com
39	raw.githubusercontent.com
101	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 46 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wanadecrypt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-786284298-625481688-3210388970-1000\{B0D62DCA-F4E3-4626-8766-162F8860D5F5}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	msedge.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
3456	reg.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4528	WINWORD.EXE
4528	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
4324	msedge.exe
4324	msedge.exe
2484	msedge.exe
2484	msedge.exe
392	identity_helper.exe
392	identity_helper.exe
4848	msedge.exe
4848	msedge.exe
404	taskhsvc.exe
404	taskhsvc.exe
404	taskhsvc.exe
404	taskhsvc.exe
404	taskhsvc.exe
404	taskhsvc.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
5760	msedge.exe
5760	msedge.exe
5788	msedge.exe
5788	msedge.exe
2780	identity_helper.exe
2780	identity_helper.exe
5396	msedge.exe
5396	msedge.exe
1276	msedge.exe
1276	msedge.exe
5144	msedge.exe
5144	msedge.exe
5144	msedge.exe
5144	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 34 IoCs

pid	Process
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	4908	7zG.exe
Token: 35	4908	7zG.exe
Token: SeSecurityPrivilege	4908	7zG.exe
Token: SeSecurityPrivilege	4908	7zG.exe
Token: SeRestorePrivilege	4844	7zG.exe
Token: 35	4844	7zG.exe
Token: SeSecurityPrivilege	4844	7zG.exe
Token: SeSecurityPrivilege	4844	7zG.exe
Token: SeIncreaseQuotaPrivilege	60	WMIC.exe
Token: SeSecurityPrivilege	60	WMIC.exe
Token: SeTakeOwnershipPrivilege	60	WMIC.exe
Token: SeLoadDriverPrivilege	60	WMIC.exe
Token: SeSystemProfilePrivilege	60	WMIC.exe
Token: SeSystemtimePrivilege	60	WMIC.exe
Token: SeProfSingleProcessPrivilege	60	WMIC.exe
Token: SeIncBasePriorityPrivilege	60	WMIC.exe
Token: SeCreatePagefilePrivilege	60	WMIC.exe
Token: SeBackupPrivilege	60	WMIC.exe
Token: SeRestorePrivilege	60	WMIC.exe
Token: SeShutdownPrivilege	60	WMIC.exe
Token: SeDebugPrivilege	60	WMIC.exe
Token: SeSystemEnvironmentPrivilege	60	WMIC.exe
Token: SeRemoteShutdownPrivilege	60	WMIC.exe
Token: SeUndockPrivilege	60	WMIC.exe
Token: SeManageVolumePrivilege	60	WMIC.exe
Token: 33	60	WMIC.exe
Token: 34	60	WMIC.exe
Token: 35	60	WMIC.exe
Token: 36	60	WMIC.exe
Token: SeIncreaseQuotaPrivilege	60	WMIC.exe
Token: SeSecurityPrivilege	60	WMIC.exe
Token: SeTakeOwnershipPrivilege	60	WMIC.exe
Token: SeLoadDriverPrivilege	60	WMIC.exe
Token: SeSystemProfilePrivilege	60	WMIC.exe
Token: SeSystemtimePrivilege	60	WMIC.exe
Token: SeProfSingleProcessPrivilege	60	WMIC.exe
Token: SeIncBasePriorityPrivilege	60	WMIC.exe
Token: SeCreatePagefilePrivilege	60	WMIC.exe
Token: SeBackupPrivilege	60	WMIC.exe
Token: SeRestorePrivilege	60	WMIC.exe
Token: SeShutdownPrivilege	60	WMIC.exe
Token: SeDebugPrivilege	60	WMIC.exe
Token: SeSystemEnvironmentPrivilege	60	WMIC.exe
Token: SeRemoteShutdownPrivilege	60	WMIC.exe
Token: SeUndockPrivilege	60	WMIC.exe
Token: SeManageVolumePrivilege	60	WMIC.exe
Token: 33	60	WMIC.exe
Token: 34	60	WMIC.exe
Token: 35	60	WMIC.exe
Token: 36	60	WMIC.exe
Token: SeBackupPrivilege	3776	vssvc.exe
Token: SeRestorePrivilege	3776	vssvc.exe
Token: SeAuditPrivilege	3776	vssvc.exe
Token: SeTcbPrivilege	2232	taskse.exe
Token: SeTcbPrivilege	2232	taskse.exe
Token: SeTcbPrivilege	6068	taskse.exe
Token: SeTcbPrivilege	6068	taskse.exe
Token: SeTcbPrivilege	5420	taskse.exe
Token: SeTcbPrivilege	5420	taskse.exe
Token: SeTcbPrivilege	4632	taskse.exe
Token: SeTcbPrivilege	4632	taskse.exe
Token: SeTcbPrivilege	5740	taskse.exe
Token: SeTcbPrivilege	5740	taskse.exe
Token: SeTcbPrivilege	4348	taskse.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
4908	7zG.exe
4844	7zG.exe
2484	msedge.exe
2484	msedge.exe
1104	@[email protected]
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
2484	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe
5788	msedge.exe

Suspicious use of SetWindowsHookEx 22 IoCs

pid	Process
2900	@[email protected]
2900	@[email protected]
1084	@[email protected]
1084	@[email protected]
4528	WINWORD.EXE
4528	WINWORD.EXE
1104	@[email protected]
1104	@[email protected]
4528	WINWORD.EXE
4528	WINWORD.EXE
4528	WINWORD.EXE
4528	WINWORD.EXE
4528	WINWORD.EXE
6076	@[email protected]
5448	@[email protected]
3848	@[email protected]
5748	@[email protected]
1480	@[email protected]
2988	@[email protected]
2144	@[email protected]
2228	@[email protected]
2736	@[email protected]

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2484 wrote to memory of 2656	2484	msedge.exe	84
PID 2484 wrote to memory of 2656	2484	msedge.exe	84
PID 2484 wrote to memory of 3188	2484	msedge.exe	85
PID 2484 wrote to memory of 3188	2484	msedge.exe	85
PID 2484 wrote to memory of 3188	2484	msedge.exe	85
PID 2484 wrote to memory of 3188	2484	msedge.exe	85
PID 2484 wrote to memory of 3188	2484	msedge.exe	85
PID 2484 wrote to memory of 3188	2484	msedge.exe	85
PID 2484 wrote to memory of 3188	2484	msedge.exe	85
PID 2484 wrote to memory of 3188	2484	msedge.exe	85
PID 2484 wrote to memory of 3188	2484	msedge.exe	85
PID 2484 wrote to memory of 3188	2484	msedge.exe	85
PID 2484 wrote to memory of 3188	2484	msedge.exe	85
PID 2484 wrote to memory of 3188	2484	msedge.exe	85
PID 2484 wrote to memory of 3188	2484	msedge.exe	85
PID 2484 wrote to memory of 3188	2484	msedge.exe	85
PID 2484 wrote to memory of 3188	2484	msedge.exe	85
PID 2484 wrote to memory of 3188	2484	msedge.exe	85
PID 2484 wrote to memory of 3188	2484	msedge.exe	85
PID 2484 wrote to memory of 3188	2484	msedge.exe	85
PID 2484 wrote to memory of 3188	2484	msedge.exe	85
PID 2484 wrote to memory of 3188	2484	msedge.exe	85
PID 2484 wrote to memory of 3188	2484	msedge.exe	85
PID 2484 wrote to memory of 3188	2484	msedge.exe	85
PID 2484 wrote to memory of 3188	2484	msedge.exe	85
PID 2484 wrote to memory of 3188	2484	msedge.exe	85
PID 2484 wrote to memory of 3188	2484	msedge.exe	85
PID 2484 wrote to memory of 3188	2484	msedge.exe	85
PID 2484 wrote to memory of 3188	2484	msedge.exe	85
PID 2484 wrote to memory of 3188	2484	msedge.exe	85
PID 2484 wrote to memory of 3188	2484	msedge.exe	85
PID 2484 wrote to memory of 3188	2484	msedge.exe	85
PID 2484 wrote to memory of 3188	2484	msedge.exe	85
PID 2484 wrote to memory of 3188	2484	msedge.exe	85
PID 2484 wrote to memory of 3188	2484	msedge.exe	85
PID 2484 wrote to memory of 3188	2484	msedge.exe	85
PID 2484 wrote to memory of 3188	2484	msedge.exe	85
PID 2484 wrote to memory of 3188	2484	msedge.exe	85
PID 2484 wrote to memory of 3188	2484	msedge.exe	85
PID 2484 wrote to memory of 3188	2484	msedge.exe	85
PID 2484 wrote to memory of 3188	2484	msedge.exe	85
PID 2484 wrote to memory of 3188	2484	msedge.exe	85
PID 2484 wrote to memory of 4324	2484	msedge.exe	86
PID 2484 wrote to memory of 4324	2484	msedge.exe	86
PID 2484 wrote to memory of 860	2484	msedge.exe	87
PID 2484 wrote to memory of 860	2484	msedge.exe	87
PID 2484 wrote to memory of 860	2484	msedge.exe	87
PID 2484 wrote to memory of 860	2484	msedge.exe	87
PID 2484 wrote to memory of 860	2484	msedge.exe	87
PID 2484 wrote to memory of 860	2484	msedge.exe	87
PID 2484 wrote to memory of 860	2484	msedge.exe	87
PID 2484 wrote to memory of 860	2484	msedge.exe	87
PID 2484 wrote to memory of 860	2484	msedge.exe	87
PID 2484 wrote to memory of 860	2484	msedge.exe	87
PID 2484 wrote to memory of 860	2484	msedge.exe	87
PID 2484 wrote to memory of 860	2484	msedge.exe	87
PID 2484 wrote to memory of 860	2484	msedge.exe	87
PID 2484 wrote to memory of 860	2484	msedge.exe	87
PID 2484 wrote to memory of 860	2484	msedge.exe	87
PID 2484 wrote to memory of 860	2484	msedge.exe	87
PID 2484 wrote to memory of 860	2484	msedge.exe	87
PID 2484 wrote to memory of 860	2484	msedge.exe	87
PID 2484 wrote to memory of 860	2484	msedge.exe	87
PID 2484 wrote to memory of 860	2484	msedge.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4792	attrib.exe
4668	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/kh4sh3i/Ransomware-Samples
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcd83a46f8,0x7ffcd83a4708,0x7ffcd83a4718
  2⤵
  PID:2656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1924,13057418812462307957,2321136359481946225,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2040 /prefetch:2
  2⤵
  PID:3188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1924,13057418812462307957,2321136359481946225,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1924,13057418812462307957,2321136359481946225,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2668 /prefetch:8
  2⤵
  PID:860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,13057418812462307957,2321136359481946225,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:3068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,13057418812462307957,2321136359481946225,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:1292
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1924,13057418812462307957,2321136359481946225,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5252 /prefetch:8
  2⤵
  PID:4980
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1924,13057418812462307957,2321136359481946225,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5252 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,13057418812462307957,2321136359481946225,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1
  2⤵
  PID:3492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,13057418812462307957,2321136359481946225,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5360 /prefetch:1
  2⤵
  PID:1820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,13057418812462307957,2321136359481946225,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4052 /prefetch:1
  2⤵
  PID:2996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,13057418812462307957,2321136359481946225,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:1
  2⤵
  PID:3424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,13057418812462307957,2321136359481946225,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6024 /prefetch:1
  2⤵
  PID:1904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1924,13057418812462307957,2321136359481946225,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5360 /prefetch:8
  2⤵
  PID:2768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,13057418812462307957,2321136359481946225,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5756 /prefetch:1
  2⤵
  PID:1760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,13057418812462307957,2321136359481946225,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:1
  2⤵
  PID:4224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,13057418812462307957,2321136359481946225,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6348 /prefetch:1
  2⤵
  PID:1904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1924,13057418812462307957,2321136359481946225,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6452 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,13057418812462307957,2321136359481946225,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4636 /prefetch:1
  2⤵
  PID:768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,13057418812462307957,2321136359481946225,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5748 /prefetch:1
  2⤵
  PID:2836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,13057418812462307957,2321136359481946225,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6048 /prefetch:1
  2⤵
  PID:1976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,13057418812462307957,2321136359481946225,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6372 /prefetch:1
  2⤵
  PID:4728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,13057418812462307957,2321136359481946225,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6252 /prefetch:1
  2⤵
  PID:1628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,13057418812462307957,2321136359481946225,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5928 /prefetch:1
  2⤵
  PID:2764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1924,13057418812462307957,2321136359481946225,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6112 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,13057418812462307957,2321136359481946225,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6364 /prefetch:1
  2⤵
  PID:3708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,13057418812462307957,2321136359481946225,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5676 /prefetch:1
  2⤵
  PID:4516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,13057418812462307957,2321136359481946225,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5720 /prefetch:1
  2⤵
  PID:1904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,13057418812462307957,2321136359481946225,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6344 /prefetch:1
  2⤵
  PID:3028

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2616

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4844

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2900

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\WannaCry\" -spe -an -ai#7zMap8908:78:7zEvent31445
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4908

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\WannaCry\Ransomware.WannaCry\" -spe -an -ai#7zMap32584:118:7zEvent2319
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4844

C:\Users\Admin\Downloads\WannaCry\Ransomware.WannaCry\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
"C:\Users\Admin\Downloads\WannaCry\Ransomware.WannaCry\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe"
1⤵
- Drops startup file
- Executes dropped EXE
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
PID:4800
- C:\Windows\SysWOW64\attrib.exe
  attrib +h .
  2⤵
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:4792
- C:\Windows\SysWOW64\icacls.exe
  icacls . /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  - System Location Discovery: System Language Discovery
  PID:2232
- C:\Users\Admin\Downloads\WannaCry\Ransomware.WannaCry\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4000
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 289511725546255.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3320
- - C:\Windows\SysWOW64\cscript.exe
    cscript.exe //nologo m.vbs
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3372
- C:\Windows\SysWOW64\attrib.exe
  attrib +h +s F:\$RECYCLE
  2⤵
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:4668
- C:\Users\Admin\Downloads\WannaCry\Ransomware.WannaCry\@[email protected]
  @[email protected] co
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2900
- - C:\Users\Admin\Downloads\WannaCry\Ransomware.WannaCry\TaskData\Tor\taskhsvc.exe
    TaskData\Tor\taskhsvc.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:404
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c start /b @[email protected] vs
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2860
- - C:\Users\Admin\Downloads\WannaCry\Ransomware.WannaCry\@[email protected]
    @[email protected] vs
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1084
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
      4⤵
      System Location Discovery: System Language Discovery
      PID:4704
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:60
- C:\Users\Admin\Downloads\WannaCry\Ransomware.WannaCry\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4332
- C:\Users\Admin\Downloads\WannaCry\Ransomware.WannaCry\taskse.exe
  taskse.exe C:\Users\Admin\Downloads\WannaCry\Ransomware.WannaCry\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2232
- C:\Users\Admin\Downloads\WannaCry\Ransomware.WannaCry\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:1104
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/search?q=how+to+buy+bitcoin
    3⤵
    PID:2044
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffcd83a46f8,0x7ffcd83a4708,0x7ffcd83a4718
      4⤵
      PID:768
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "qyedrxmniilpouj597" /t REG_SZ /d "\"C:\Users\Admin\Downloads\WannaCry\Ransomware.WannaCry\tasksche.exe\"" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4488
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "qyedrxmniilpouj597" /t REG_SZ /d "\"C:\Users\Admin\Downloads\WannaCry\Ransomware.WannaCry\tasksche.exe\"" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:3456
- C:\Users\Admin\Downloads\WannaCry\Ransomware.WannaCry\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6052
- C:\Users\Admin\Downloads\WannaCry\Ransomware.WannaCry\taskse.exe
  taskse.exe C:\Users\Admin\Downloads\WannaCry\Ransomware.WannaCry\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:6068
- C:\Users\Admin\Downloads\WannaCry\Ransomware.WannaCry\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:6076
- C:\Users\Admin\Downloads\WannaCry\Ransomware.WannaCry\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:952
- C:\Users\Admin\Downloads\WannaCry\Ransomware.WannaCry\taskse.exe
  taskse.exe C:\Users\Admin\Downloads\WannaCry\Ransomware.WannaCry\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5420
- C:\Users\Admin\Downloads\WannaCry\Ransomware.WannaCry\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5448
- C:\Users\Admin\Downloads\WannaCry\Ransomware.WannaCry\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1392
- C:\Users\Admin\Downloads\WannaCry\Ransomware.WannaCry\taskse.exe
  taskse.exe C:\Users\Admin\Downloads\WannaCry\Ransomware.WannaCry\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4632
- C:\Users\Admin\Downloads\WannaCry\Ransomware.WannaCry\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3848
- C:\Users\Admin\Downloads\WannaCry\Ransomware.WannaCry\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5716
- C:\Users\Admin\Downloads\WannaCry\Ransomware.WannaCry\taskse.exe
  taskse.exe C:\Users\Admin\Downloads\WannaCry\Ransomware.WannaCry\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5740
- C:\Users\Admin\Downloads\WannaCry\Ransomware.WannaCry\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5748
- C:\Users\Admin\Downloads\WannaCry\Ransomware.WannaCry\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3424
- C:\Users\Admin\Downloads\WannaCry\Ransomware.WannaCry\taskse.exe
  taskse.exe C:\Users\Admin\Downloads\WannaCry\Ransomware.WannaCry\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4348
- C:\Users\Admin\Downloads\WannaCry\Ransomware.WannaCry\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1480
- C:\Users\Admin\Downloads\WannaCry\Ransomware.WannaCry\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5200
- C:\Users\Admin\Downloads\WannaCry\Ransomware.WannaCry\taskse.exe
  taskse.exe C:\Users\Admin\Downloads\WannaCry\Ransomware.WannaCry\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2896
- C:\Users\Admin\Downloads\WannaCry\Ransomware.WannaCry\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2988
- C:\Users\Admin\Downloads\WannaCry\Ransomware.WannaCry\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5828
- C:\Users\Admin\Downloads\WannaCry\Ransomware.WannaCry\taskse.exe
  taskse.exe C:\Users\Admin\Downloads\WannaCry\Ransomware.WannaCry\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5756
- C:\Users\Admin\Downloads\WannaCry\Ransomware.WannaCry\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2144
- C:\Users\Admin\Downloads\WannaCry\Ransomware.WannaCry\taskse.exe
  taskse.exe C:\Users\Admin\Downloads\WannaCry\Ransomware.WannaCry\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5404
- C:\Users\Admin\Downloads\WannaCry\Ransomware.WannaCry\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2228
- C:\Users\Admin\Downloads\WannaCry\Ransomware.WannaCry\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4840
- C:\Users\Admin\Downloads\WannaCry\Ransomware.WannaCry\taskse.exe
  taskse.exe C:\Users\Admin\Downloads\WannaCry\Ransomware.WannaCry\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2188
- C:\Users\Admin\Downloads\WannaCry\Ransomware.WannaCry\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2736
- C:\Users\Admin\Downloads\WannaCry\Ransomware.WannaCry\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3108

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3776

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
1⤵
PID:3404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffcd83a46f8,0x7ffcd83a4708,0x7ffcd83a4718
  2⤵
  PID:208

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\SendCompress.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4528

C:\Windows\system32\BackgroundTaskHost.exe
"C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider
1⤵
PID:4332

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:2596

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcd83a46f8,0x7ffcd83a4708,0x7ffcd83a4718
  2⤵
  PID:5816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,16343794864339102994,6205486916055622679,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2
  2⤵
  PID:5988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,16343794864339102994,6205486916055622679,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2168,16343794864339102994,6205486916055622679,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2856 /prefetch:8
  2⤵
  PID:6012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,16343794864339102994,6205486916055622679,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3476 /prefetch:1
  2⤵
  PID:3108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,16343794864339102994,6205486916055622679,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3488 /prefetch:1
  2⤵
  PID:3380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,16343794864339102994,6205486916055622679,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4128 /prefetch:1
  2⤵
  PID:448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,16343794864339102994,6205486916055622679,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2780 /prefetch:1
  2⤵
  PID:5300
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,16343794864339102994,6205486916055622679,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5456 /prefetch:8
  2⤵
  PID:1812
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,16343794864339102994,6205486916055622679,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5456 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,16343794864339102994,6205486916055622679,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5644 /prefetch:1
  2⤵
  PID:5424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,16343794864339102994,6205486916055622679,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1
  2⤵
  PID:4632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2168,16343794864339102994,6205486916055622679,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5740 /prefetch:8
  2⤵
  PID:5332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2168,16343794864339102994,6205486916055622679,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5776 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:5396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,16343794864339102994,6205486916055622679,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:1
  2⤵
  PID:5728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,16343794864339102994,6205486916055622679,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:1
  2⤵
  PID:1652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,16343794864339102994,6205486916055622679,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3828 /prefetch:1
  2⤵
  PID:2600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,16343794864339102994,6205486916055622679,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3864 /prefetch:1
  2⤵
  PID:3908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,16343794864339102994,6205486916055622679,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:1
  2⤵
  PID:1068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,16343794864339102994,6205486916055622679,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3612 /prefetch:1
  2⤵
  PID:4972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,16343794864339102994,6205486916055622679,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:1
  2⤵
  PID:180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2168,16343794864339102994,6205486916055622679,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4508 /prefetch:8
  2⤵
  PID:2760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,16343794864339102994,6205486916055622679,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5972 /prefetch:1
  2⤵
  PID:888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2168,16343794864339102994,6205486916055622679,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6264 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,16343794864339102994,6205486916055622679,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1120 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5144

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3120

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4128

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4f0 0x4a0
1⤵
PID:6096

C:\Users\Admin\Downloads\wanadecrypt\wanadecrypt.exe
"C:\Users\Admin\Downloads\wanadecrypt\wanadecrypt.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:1648

C:\Users\Admin\Downloads\wanadecrypt\wanadecrypt.exe
"C:\Users\Admin\Downloads\wanadecrypt\wanadecrypt.exe"
1⤵
PID:4516

C:\Users\Admin\Downloads\wanadecrypt\wanadecrypt.exe
"C:\Users\Admin\Downloads\wanadecrypt\wanadecrypt.exe"
1⤵
PID:2796

C:\Users\Admin\Downloads\wanadecrypt\wanadecrypt.exe
"C:\Users\Admin\Downloads\wanadecrypt\wanadecrypt.exe"
1⤵
PID:2580

C:\Users\Admin\Downloads\wanadecrypt\wanadecrypt.exe
"C:\Users\Admin\Downloads\wanadecrypt\wanadecrypt.exe"
1⤵
PID:5436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7114a6cd851f9bf56cf771c37d664a2

SHA1
769c5d04fd83e583f15ab1ef659de8f883ecab8a

SHA256
d2c75c7d68c474d4b8847b4ba6cfd09fe90717f46dd398c86483d825a66e977e

SHA512
33bdae2305ae98e7c0de576de5a6600bd70a425e7b891d745cba9de992036df1b3d1df9572edb0f89f320e50962d06532dae9491985b6b57fd37d5f46f7a2ff8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c6f8bc1855d77f959789fc4aecbea583

SHA1
945d9a1e1884e7dbe8198df7b1c7bf9f54821348

SHA256
722a07cf042231cd939f3b092db61f1a9481609c3204c020b8c42ddae506f2df

SHA512
242d9c02fd97a4410a4d63d7a88af48cbf1836c698730060076442af2332b84489762ccaaa74f5042f7cd276fe50da39367e12403cd3483bc4f8e2568599a2b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
04e4b56a9ee010978f60a764c17a7514

SHA1
252e64bdfcb658a990183cf38b774c758399345e

SHA256
09dbbafef71b60b083042fdd95d87253b8dceee0d1859ef8f6d7f315a5ccd41e

SHA512
386a2f55475ba61170702447c94104a867c0084fcceff45473036716b02eace44a1a6aafc350c90a5eab66fadf7e4f0689162f00d9c105f62b529922ac78348a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
719923124ee00fb57378e0ebcbe894f7

SHA1
cc356a7d27b8b27dc33f21bd4990f286ee13a9f9

SHA256
aa22ab845fa08c786bd3366ec39f733d5be80e9ac933ed115ff048ff30090808

SHA512
a207b6646500d0d504cf70ee10f57948e58dab7f214ad2e7c4af0e7ca23ce1d37c8c745873137e6c55bdcf0f527031a66d9cc54805a0eac3678be6dd497a5bbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000f

Filesize
36KB

MD5
01369d5062d49b270c8dd6ab535bc403

SHA1
39c654df64cd7386081da8108f23573f331debab

SHA256
ed672ed37bfdadddb835de8c346655a17b653094197a2d6080e6777fa59785ea

SHA512
de704934135717cb62e4d15ef1666e78b3d43c17ff5d50b279c21a5318ac2ce0cea88ebeb17b66f4668e1ca1a8801bdd6bab0194b157b1da6bd90c71b29da08e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000018

Filesize
212KB

MD5
08ec57068db9971e917b9046f90d0e49

SHA1
28b80d73a861f88735d89e301fa98f2ae502e94b

SHA256
7a68efe41e5d8408eed6e9d91a7b7b965a3062e4e28eeffeefb8cdba6391f4d1

SHA512
b154142173145122bc49ddd7f9530149100f6f3c5fd2f2e7503b13f7b160147b8b876344f6faae5e8616208c51311633df4c578802ac5d34c005bb154e9057cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
5f0f2005c72ddf621e4d523c93404137

SHA1
4777a55796d73fd63e70dae87de42ad9af55418a

SHA256
ee494773dcfc7fdf6fee2a50d28b3dc9abf9816dcbcfa6a8a2fb82e041a1cce7

SHA512
9b1324483bf140b8128e279a191760737c9b2171fe3a8adf522165042cf9c64bc6181fc73c19a5fc2eff016ffa4efcfe2968d344b503c5fd17168ca65e9b050a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
d841189d1c27202ae7bfd9abb91bfad6

SHA1
d6f6b6abc3e0d93382373e70ed37488d4d4b884e

SHA256
60b89227b11b870b7aeace66bbdb11bde0d83c120d9ac827dc6a0af7a27a09d2

SHA512
699c806537ad850ed12824cb4edc1797e70dec016e874eb9727ecee7d5efab72cae1cc7e50a241bc821b0643ab03f3f2802ffe9d7738a4f69d6bf85f520dbcb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
5ab05f92bbbbcca4f096ee2d9a157d60

SHA1
351e5019d3f2a2bd712349ea1932abfc0c1a7bb4

SHA256
9d98917cfd27b0aeb6863f2a3a246ad48343473c425a0b7fec6b432192c511db

SHA512
e57e8584359e5dd72db9c533e17ecf228629072332977388899f71a2867a6163413cbd6cb9f3920bc3df154e969bebbaa5cdff7bd6aa6c765f20491981bc1af1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
458d93a7e82269a455d55d0e803ea3c7

SHA1
f3215812c53d9ae35b3a3bf3bc60da685da86efb

SHA256
2f4a46c635ec7c646f29b118ec8c1e18ea7c09614e7c96ba939cb99d5a2c0df8

SHA512
4a1c1d83e90568a4364f7f4a0e158381c13a10f5d8cc6acb3a9bb56aef79554050f11157c07080dbf52e4317c3f0fe3fd7af404225ad0eb56ce12954d29c88bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
a43192552fbdecb9e3ee16c37dee16be

SHA1
cbe189797a56afc19a421736a090b83de19f8b23

SHA256
66641b17340a033db1989e76151962408d96cce10bcd7b716d037d9ee7ea4c94

SHA512
92502d96c54e3c2f4fa51e4a18f1c5bf7576a19be9fa46450ef82e4c432e8f7a264a872ac8d39045cfd85c7e2a702e7b6465affe4f51647ed14f6ffe672853e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
d713fc1c38a12fba526e6d502ec0b1b2

SHA1
bbfa0ba634820639ce0c170a76c06598a0cbcda8

SHA256
87017a1545d3a06ee7c7ec028262565cbdfbc313b8da886efe76e3d07e2279e7

SHA512
c67c9f5b03e9520b03b8b37bef7f5f15d798205aa296a38dceb3095fb3366f87d9e4486a840eb279bc48c8949f2aa7e05d1f4fb77ef3500d904eaaae17776b91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
46228c9454051c42d3153f85da388f5a

SHA1
539f4ae09e45fcb669bc0e3fb33d8dcb73d3e433

SHA256
c1762657e77ae120fd369ee762c25e697a8d963a3ae0886487031fec9dd2c00b

SHA512
a691ccb1f049ceb4acf7bead89a9c37905f13d8df1c6d65426f5a4152767c22e3b21519b6ad6de9b665613ffd4efd080eb96db765f1f58119a3d2f920ab6898d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
03162089937c0cc0f4b3f44e4c165fea

SHA1
e366e618c94e2b1cc47783d5a14f928285b0e0aa

SHA256
67664f30125c9c98985d43e3f3dec522df05b91326a753933439560ddfb833b4

SHA512
ed8c42a79094f82c2ed2d7b3dbab7672de952bfa2cc1bb7fef232fdca64de0cd0e8293ac534888f08cf69ed95c677e5dca251aca3d7abaf1a5af53c23664e639

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
dce336ff5f1561e9ab4ad275ba1eb7e8

SHA1
4bacca7c38ad342e6920a1bc654b1627ef0392ee

SHA256
59e91eb1bdea2f24be7080bab7778dbaa01f7c92d9adef76ee9932a193380b3c

SHA512
b8065bd11cfbc75ce5de3086b601c2b061a583a68b7a5395fc22779d1a62da0f382f443f5a4baf1b8c13b13c43126caf0438cdf2a95b8092c6b53d53beaa78e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
20cb1ac9087147bbb78d3a850cf5999f

SHA1
817344eadcd7f78f0e8b7456ba9d03986c5455a3

SHA256
02271adda0e7f940ee8b2c9b0b0be0046a1ee0b7d9fc15d82fd9130b987497ac

SHA512
5ddbcc9580187b059d518059934c28c6e24963fe154a5657046c47c1e2a4e6ab5c2dec1d991d50c7e52af1dcd7925bdcfa56dee45e986b7a993c4b148b7a19e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
972685b4b7c0152008a96780ff0a0c6d

SHA1
c3043936695cd57b04100076d5056c99ad1ee590

SHA256
3e938d28becc4e2fac3829659172b1337a6f3d69e39217c646ed9ef36abb0a7b

SHA512
60c1c44b7e318dd72b215e0df6d31d2912362aa1e1d79f96c73601099b7c6b64b325e90c5bc27a6a650c1439aa480405a8c52b2ada20027f61935d11b5a09e10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
df5e92ad8213fdc9f5d9128386aaf1b5

SHA1
52ad078736f670cc89a813ab8e3a0b3d9ac5124f

SHA256
2281f595702266100c639b18f109c0b0d330662b5449dc9927ebddc7b10a3915

SHA512
eb28da94037c64730fa94237e3c317c0bf36fb30e42d8207f0afbcfa74f2232d1532849551611b6b98fd2f70b4a5676011dbc63d6b2576b60cc958a47093e914

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
cef331b8470ecb941d589dc54bb68a1a

SHA1
0bc4216fd6f4eb0098c4e1425b62812b63d04c9d

SHA256
767a970650d650dd47a55e7b6b1b6d5db77ec5e6232d76369c6d6bbf78bb7aa2

SHA512
81ff2e0bf5219c61046c2232ab633f90236325cdebcc13eedb90806593f36353be80986fb8f8865b1d7df998ea0372798f3fdf6173f08ba7779870a098c82950

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2c0bef760d8f8105858f941a712cb5b2

SHA1
bfe6540762344e13e77ed4fa6dca02832bb8ec4d

SHA256
a7230275f5dd7aee47d61a09c90731cd968b846a49c9fe21ad6d9e107d09744a

SHA512
66b3d6e954c9145f4dc1382cfc5e801606b50e5a98f8d4ff2ee5275c377b2c5c6a8f62eb525b0f5348ad303900303cf65e300c781b6a750ef73d1e977980b601

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
e62772f11203bfe2491b6a4b7aa64e6e

SHA1
0c00060e96c4487e095fda26a31fc56417a39e45

SHA256
ddf1dea1dee98600c4ccc2ffaff72b8abe7e7edf695d0932fc1afb0299e02cab

SHA512
04b0a9e141d699ba9952496d85883090b2d3870b7688c9730b3bac08107812fc09a7313c62e29fbfa969a2360f1c7049f315669d38b403de76ccfa98b3a8cd0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
7d4c32b09863cf868068a40c16172ebc

SHA1
2b34e19a6da56499e81792477d83447980bae819

SHA256
f67787137177c70db49ae02fec0de1152c6950e623fb0755a4528f4700edab7b

SHA512
313f3df82b4a210c4e05ada6213019f99078078794ad1c68aed3d0b3ee1fad466dadfec90b774f7598599938f60300d358c070e8bb62fdd54a5e47cd76e9efac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d243506076049e506daec75ac513a8c5

SHA1
17a6924abe5f1def520e867b310b3c7063d5f21a

SHA256
bd34409a68c55f23cc611d814e547684e4a5e9962084fea9792d3bc3389f055b

SHA512
be059b28bcb240444d5671e2748ca300b951d245b884f1e588192763bfd30821bf7be381183b971f9a1ff7ee40f4b0ad83231640d5a43c44a49f36ae6d0ec80c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
7bf26694949ecbcce747c487ddd733b6

SHA1
97a459a618b4f3fc3194a724ae275a99ec4f589e

SHA256
e7ab34c43a7124256bca821c2d7145b49aed596e71b58df06adb9511e5a4d5ce

SHA512
4ac0513a9e76f3bc9549f199ef1f5bd5a10e647b9ae14e9566b6fb1cd1df86f742fad2a6606b3996d236768072ea03ceb42d61ceba5df1e4f0d886c8a4d996c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
fd33c3fc97743751d461ff2371f6b2e1

SHA1
d6b976a2938319764990292d16b1aad8bd7cae25

SHA256
afaa4b6022185f5ec4d6e34feac6aedb1ecc3e6e8285d5322ffa0d9dd78910c1

SHA512
a063d6ea482b3b0de3a2c2b9e5ee8efa0b84d250ff9718b8d343b3157d943a96d5aa7f9648597ff976e418fdbef4f08d5a64410661e3c27dcda601e23bfaf77d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
a3f9256b46e6733d9dde0ebee48e5080

SHA1
83b6676e70b4ede13644482ea2de7ff3078d1543

SHA256
bdd733d9263e91b3002dcb61084e5f22b8231d8d6077077a7ecfb27e3e8c61f5

SHA512
1d61582704407609114a4f0619ff27a672b40a2292797ece26ef15d910ea22f29334a2caeef659b5ecc5d39e0aa7fa88738c651e81970cf39c68fbb7a7b596e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
fd75221a645592de503d48b479af1e74

SHA1
3423469dfbe9172e4605258b07ae8d9ec184aadf

SHA256
2ac67b379199c86d8d6bf5e93a3be2a05fbd3856583e0621d3fef3b79666fe9f

SHA512
81122c277df3af90cf2f1b6cecda2e82a7c4899ee796b11ac80df74f94ffb6791076aff78014d9e8346ae73c02960dc1ba2673f9b6a8ca2cd6f2032e966de950

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
2d5c5e33f84a3b06edbf843e687c27d4

SHA1
9c446aa3ba729b128d6a2307b72a53a8c8a41d66

SHA256
d2f65eb82b1304d7caa1b75c3fa5e22d9cc6f800012fbdd8e1441dbc03f474d9

SHA512
10e33f07382fcc9ea2c29998653432adc3b114102e4ff620626b0a80533d5d96306b2ca5b802db7a626a024b9424339017201c72bb8bcac259bffaeb16feeb8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
9a979b36cc85527ba20009d781d4e1ba

SHA1
28c35e11b8ad20243ae789d148ba58e7ba327caa

SHA256
5605fcff752490fad1325668f32ffa56c3bbc0d9b081fc0d97f9ce457adf35d3

SHA512
79829f788235ca515f9efec7c543f0d853a1c6148cf7dbe9d3c1e044c962f6494c70aaca531aa5cc3d1c94e20890117d12d768f1967e1c201653b62524e2f08e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
efaa0dd84cf2f633135e9150807b3933

SHA1
3514dd4abb4a16f09fd4ff22907d0d8f29190a06

SHA256
478eb2235022fb2e991a1954887d1534533cac2d85adbe0978bddb1cb1f8a9bf

SHA512
791919da6200731a019a37d6d46838c534b61320982e29a8fb5fcc2d2e06e9c335d7c3f1027ff065949cb011cab77721967c0169494501433d0b1c52d755916a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
5a02c18a0368f4de55dd211be5b74638

SHA1
75c23211fadd5734a56d90ad83a4c6d0a19b0afc

SHA256
96f083ac1d7d89516cdd0de3906f9ccc9f0b693aa7a2cfad3049cb24a33a2f52

SHA512
02601ded3bba9ea448edee3310dba7ea32716baac80a79406fe2a3faea90b198300c2e2f70cd83a83efe21f5cbb4fad904b2c5a9e4f94e1ef0026d52a92729b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe580f1e.TMP

Filesize
1KB

MD5
a840cc9519dce357230f3fdb8077474e

SHA1
8a66a0005c752f83962e4a6155d93737506ef808

SHA256
3c8c88df836a0728a34c2002eb1bceb2fd939e424e62ac92ec8d8cae72e32ff0

SHA512
82da79c5249c21019669015fe7068082351df5ac8448def0e3fb5401f4d577b644e88d2faedb55e90551d74294b385e2fe4a02c23a19d816eaae8928cb07a620

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\f62eb5fc-e863-47a6-9b55-e1511a364ce1.tmp

Filesize
5KB

MD5
6944ee2af2aa3c829921ad9e31c32c71

SHA1
5bfa7ed56dcf8a3af39a151fcfa528686c66cf75

SHA256
ca98ba287fb421e6936a1e1d3fb6fb93aa8379a0369e67c0875a905f33739716

SHA512
b2f2411397f5c90b82a3e866cc165dae5c40238b69cb98ff9236ab230578a1a47582467b62133969569456b92cc3cd7d5c275d9f193942a78861f09ab3738b26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
bf7d8fa44a51e09e9c21880520832d32

SHA1
5e6b58b3044e50f21f06d13eb4f332686dff9781

SHA256
122750bca9a333339ee94bcf1167cd510df06854ccdc2de3f8d8c4dd28eecc65

SHA512
319a74ca92ddb001f82c821f5b667e858642e9858023878ea6f1f8fe44cc29308b25fa5ddc90f35f94e13c0086f0865fcd2fa905f52a81cc97878ac505e81fb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
7f6a17a1347187c9b6824676923d63f2

SHA1
55e1319b572333dba7f99cadd22f787ad87c715b

SHA256
0749e62c519c06cf49809bcafed7a2d042ae7ad2c3e21555ce19d571f04dbae6

SHA512
d0ad9919cc759055fecdcc3cd4c056f67b46a2db53d91afb12818af789c2fcf89caa5195af7ad2b38e7da071062391237286d15ce4f95bf58a28daa29d372b14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
953d7acb89ab2bb9b34906b7b280e44c

SHA1
5de1090d27e328a94ed0a40d50b3718f3f4d5aaa

SHA256
78a684fd7bfc530d6c4faed77dc97437c13905b672bfa14135b2fb045115b74a

SHA512
509c931adfe99726ea24dc4f457be4db8047498a3cf7fe16d33c3499ecee812edaa4d5bb432c65859af751d0a3a9bb4b2a210c6b814da2513e4470074981797d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e3ba9f56d9e65c3a2b9e9c2602a9d735

SHA1
f0f43de0d355fd5c3971ac78304d467cf2787cef

SHA256
d9495b7ac0c5f4d0597eb0e79f082ba5e60d394c45437f7812945c13a5479c50

SHA512
422a488faba26fc0f8e8ea23ca3ad20818e652d7dd13afac0d7a788c9f656a6170937094a0cb439cee15caeb29499f5746800bcd71f3ab71dad40fac653b739f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
5ab731325078e7d6241b25dfa1b47d68

SHA1
0c09e7f53a91ab3d4cfe5423c0e44ebe6e514c51

SHA256
ad6d5848a6441ec093154c9f926ccfad068e17b2a53b0c9ae0f99ee7a8121a33

SHA512
4022fdf3ddc7aaff2b6229afec49d48deed328f415d2e6b92013dec5f38d8c45e672501377a81c714a0914a9f265f55cd87bcda58d2ed439f5d268b3b029fd5f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

Filesize
6.4MB

MD5
5262dd07486b37198611779ee9405b0d

SHA1
1b88a36fc69585d021db8baffac746c9a46814fe

SHA256
87c5dc9e68abe6edd5dba039b5f69c238038bd00a1027e2128051542026bc638

SHA512
08f520cda7d3e7dac37efc3461d61e27e8699b277ced8f9bb22959bb025e196dfc31a9dfde20c8188142816d3054e6a39a13fb7036c8f198fe78b4f2761d360a

Download Submit
C:\Users\Admin\Downloads\WannaCry.zip

Filesize
3.3MB

MD5
34019fa0ed5c184f946cb8cab9548a35

SHA1
78def080eb89ba25cfc68d3a2cbfd4e931916f12

SHA256
00150d99922c1fffbb0790aeb97c01a2379f4718f88ffc253a71187eb83dcf19

SHA512
5d389aa171a6306f122ae07ab7f743e3fac390c2a3bc3d7e03a39789aceb87091b66429f61c6f6e53b61499341e4f666dd40da18185ebc7311da9fc50ad75183

Download Submit
C:\Users\Admin\Downloads\WannaCry\Ransomware.WannaCry.zip

Filesize
3.3MB

MD5
efe76bf09daba2c594d2bc173d9b5cf0

SHA1
ba5de52939cb809eae10fdbb7fac47095a9599a7

SHA256
707a9f323556179571bc832e34fa592066b1d5f2cac4a7426fe163597e3e618a

SHA512
4a1df71925cf2eb49c38f07c6a95bea17752b025f0114c6fd81bc0841c1d1f2965b5dda1469e454b9e8207c2e0dfd3df0959e57166620ccff86eeeb5cf855029

Download Submit
C:\Users\Admin\Downloads\WannaCry\Ransomware.WannaCry\289511725546255.bat

Filesize
380B

MD5
b8cd7949bead7064e9e508f71450d070

SHA1
c39575c6ea608e040c766f26011cccda2785c181

SHA256
57f4193c12608729fec5140fb726eaaff5527c79fda04dafc68cc561a6610dd9

SHA512
8d9a49667ab1ab03896027e91893688a89d0d6ae166d139b6956b71f7d68a2a143f89082a2ff031ecff559be9a453ddaebf465b9ea924d1279186de8188e1464

Download Submit
C:\Users\Admin\Downloads\WannaCry\Ransomware.WannaCry\@[email protected]

Filesize
933B

MD5
f97d2e6f8d820dbd3b66f21137de4f09

SHA1
596799b75b5d60aa9cd45646f68e9c0bd06df252

SHA256
0e5ece918132a2b1a190906e74becb8e4ced36eec9f9d1c70f5da72ac4c6b92a

SHA512
efda21d83464a6a32fdeef93152ffd32a648130754fdd3635f7ff61cc1664f7fc050900f0f871b0ddd3a3846222bf62ab5df8eed42610a76be66fff5f7b4c4c0

Download Submit
C:\Users\Admin\Downloads\WannaCry\Ransomware.WannaCry\@[email protected]

Filesize
820B

MD5
6ef4292b6ca189b67c9284ca1c730479

SHA1
d3af37dda204ebd97378fa8a9b2a78a3975ff72b

SHA256
efad3371f87c5d04facc19bd37e3c572836cd93baea25a153c7363cae32e6187

SHA512
b58637a7b0ea4464e1e2903a36f933392c90107487da47de3826259a95678a306a35a46bab090589a7832dd184b3ce8ffd5111eb7928e36cf2440e0c913cbb81

Download Submit
C:\Users\Admin\Downloads\WannaCry\Ransomware.WannaCry\TaskData\Tor\tor.exe

Filesize
3.0MB

MD5
fe7eb54691ad6e6af77f8a9a0b6de26d

SHA1
53912d33bec3375153b7e4e68b78d66dab62671a

SHA256
e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb

SHA512
8ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f

Download Submit
C:\Users\Admin\Downloads\WannaCry\Ransomware.WannaCry\b.wnry

Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
C:\Users\Admin\Downloads\WannaCry\Ransomware.WannaCry\c.wnry

Filesize
780B

MD5
383a85eab6ecda319bfddd82416fc6c2

SHA1
2a9324e1d02c3e41582bf5370043d8afeb02ba6f

SHA256
079ce1041cbffe18ff62a2b4a33711eda40f680d0b1d3b551db47e39a6390b21

SHA512
c661e0b3c175d31b365362e52d7b152267a15d59517a4bcc493329be20b23d0e4eb62d1ba80bb96447eeaf91a6901f4b34bf173b4ab6f90d4111ea97c87c1252

Download Submit
C:\Users\Admin\Downloads\WannaCry\Ransomware.WannaCry\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

Filesize
3.4MB

MD5
84c82835a5d21bbcf75a61706d8ab549

SHA1
5ff465afaabcbf0150d1a3ab2c2e74f3a4426467

SHA256
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

SHA512
90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244

Download Submit
C:\Users\Admin\Downloads\WannaCry\Ransomware.WannaCry\m.vbs

Filesize
259B

MD5
5c94719d540c394807ebf7b58228a74d

SHA1
2041b358994ff6715585ee46420d8ce5bdc0fe52

SHA256
3caafcee9212ca2439fc60460e5ddf1e422da54ca182679ff26f4a5fc5ab93fb

SHA512
1125232a367c15cc9d26aab11eeb512ff096f73d675f94435e096c5b0c82d5f7be0be320c7409cdbc3892000721957b04ba170acc4dd83e7717242c13b9bc527

Download Submit
C:\Users\Admin\Downloads\WannaCry\Ransomware.WannaCry\msg\m_bulgarian.wnry

Filesize
46KB

MD5
95673b0f968c0f55b32204361940d184

SHA1
81e427d15a1a826b93e91c3d2fa65221c8ca9cff

SHA256
40b37e7b80cf678d7dd302aaf41b88135ade6ddf44d89bdba19cf171564444bd

SHA512
7601f1883edbb4150a9dc17084012323b3bfa66f6d19d3d0355cf82b6a1c9dce475d758da18b6d17a8b321bf6fca20915224dbaedcb3f4d16abfaf7a5fc21b92

Download Submit
C:\Users\Admin\Downloads\WannaCry\Ransomware.WannaCry\msg\m_chinese (simplified).wnry

Filesize
53KB

MD5
0252d45ca21c8e43c9742285c48e91ad

SHA1
5c14551d2736eef3a1c1970cc492206e531703c1

SHA256
845d0e178aeebd6c7e2a2e9697b2bf6cf02028c50c288b3ba88fe2918ea2834a

SHA512
1bfcf6c0e7c977d777f12bd20ac347630999c4d99bd706b40de7ff8f2f52e02560d68093142cc93722095657807a1480ce3fb6a2e000c488550548c497998755

Download Submit
C:\Users\Admin\Downloads\WannaCry\Ransomware.WannaCry\msg\m_chinese (traditional).wnry

Filesize
77KB

MD5
2efc3690d67cd073a9406a25005f7cea

SHA1
52c07f98870eabace6ec370b7eb562751e8067e9

SHA256
5c7f6ad1ec4bc2c8e2c9c126633215daba7de731ac8b12be10ca157417c97f3a

SHA512
0766c58e64d9cda5328e00b86f8482316e944aa2c26523a3c37289e22c34be4b70937033bebdb217f675e40db9fecdce0a0d516f9065a170e28286c2d218487c

Download Submit
C:\Users\Admin\Downloads\WannaCry\Ransomware.WannaCry\msg\m_croatian.wnry

Filesize
38KB

MD5
17194003fa70ce477326ce2f6deeb270

SHA1
e325988f68d327743926ea317abb9882f347fa73

SHA256
3f33734b2d34cce83936ce99c3494cd845f1d2c02d7f6da31d42dfc1ca15a171

SHA512
dcf4ccf0b352a8b271827b3b8e181f7d6502ca0f8c9dda3dc6e53441bb4ae6e77b49c9c947cc3ede0bf323f09140a0c068a907f3c23ea2a8495d1ad96820051c

Download Submit
C:\Users\Admin\Downloads\WannaCry\Ransomware.WannaCry\msg\m_czech.wnry

Filesize
39KB

MD5
537efeecdfa94cc421e58fd82a58ba9e

SHA1
3609456e16bc16ba447979f3aa69221290ec17d0

SHA256
5afa4753afa048c6d6c39327ce674f27f5f6e5d3f2a060b7a8aed61725481150

SHA512
e007786ffa09ccd5a24e5c6504c8de444929a2faaafad3712367c05615b7e1b0fbf7fbfff7028ed3f832ce226957390d8bf54308870e9ed597948a838da1137b

Download Submit
C:\Users\Admin\Downloads\WannaCry\Ransomware.WannaCry\msg\m_danish.wnry

Filesize
36KB

MD5
2c5a3b81d5c4715b7bea01033367fcb5

SHA1
b548b45da8463e17199daafd34c23591f94e82cd

SHA256
a75bb44284b9db8d702692f84909a7e23f21141866adf3db888042e9109a1cb6

SHA512
490c5a892fac801b853c348477b1140755d4c53ca05726ac19d3649af4285c93523393a3667e209c71c80ac06ffd809f62dd69ae65012dcb00445d032f1277b3

Download Submit
C:\Users\Admin\Downloads\WannaCry\Ransomware.WannaCry\msg\m_dutch.wnry

Filesize
36KB

MD5
7a8d499407c6a647c03c4471a67eaad7

SHA1
d573b6ac8e7e04a05cbbd6b7f6a9842f371d343b

SHA256
2c95bef914da6c50d7bdedec601e589fbb4fda24c4863a7260f4f72bd025799c

SHA512
608ef3ff0a517fe1e70ff41aeb277821565c5a9bee5103aa5e45c68d4763fce507c2a34d810f4cd242d163181f8341d9a69e93fe32aded6fbc7f544c55743f12

Download Submit
C:\Users\Admin\Downloads\WannaCry\Ransomware.WannaCry\msg\m_english.wnry

Filesize
36KB

MD5
fe68c2dc0d2419b38f44d83f2fcf232e

SHA1
6c6e49949957215aa2f3dfb72207d249adf36283

SHA256
26fd072fda6e12f8c2d3292086ef0390785efa2c556e2a88bd4673102af703e5

SHA512
941fa0a1f6a5756ed54260994db6158a7ebeb9e18b5c8ca2f6530c579bc4455918df0b38c609f501ca466b3cc067b40e4b861ad6513373b483b36338ae20a810

Download Submit
C:\Users\Admin\Downloads\WannaCry\Ransomware.WannaCry\msg\m_filipino.wnry

Filesize
36KB

MD5
08b9e69b57e4c9b966664f8e1c27ab09

SHA1
2da1025bbbfb3cd308070765fc0893a48e5a85fa

SHA256
d8489f8c16318e524b45de8b35d7e2c3cd8ed4821c136f12f5ef3c9fc3321324

SHA512
966b5ed68be6b5ccd46e0de1fa868cfe5432d9bf82e1e2f6eb99b2aef3c92f88d96f4f4eec5e16381b9c6db80a68071e7124ca1474d664bdd77e1817ec600cb4

Download Submit
C:\Users\Admin\Downloads\WannaCry\Ransomware.WannaCry\msg\m_finnish.wnry

Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Admin\Downloads\WannaCry\Ransomware.WannaCry\msg\m_french.wnry

Filesize
37KB

MD5
4e57113a6bf6b88fdd32782a4a381274

SHA1
0fccbc91f0f94453d91670c6794f71348711061d

SHA256
9bd38110e6523547aed50617ddc77d0920d408faeed2b7a21ab163fda22177bc

SHA512
4f1918a12269c654d44e9d394bc209ef0bc32242be8833a2fba437b879125177e149f56f2fb0c302330dec328139b34982c04b3fefb045612b6cc9f83ec85aa9

Download Submit
C:\Users\Admin\Downloads\WannaCry\Ransomware.WannaCry\msg\m_german.wnry

Filesize
36KB

MD5
3d59bbb5553fe03a89f817819540f469

SHA1
26781d4b06ff704800b463d0f1fca3afd923a9fe

SHA256
2adc900fafa9938d85ce53cb793271f37af40cf499bcc454f44975db533f0b61

SHA512
95719ae80589f71209bb3cb953276538040e7111b994d757b0a24283aefe27aadbbe9eef3f1f823ce4cabc1090946d4a2a558607ac6cac6faca5971529b34dac

Download Submit
C:\Users\Admin\Downloads\WannaCry\Ransomware.WannaCry\msg\m_greek.wnry

Filesize
47KB

MD5
fb4e8718fea95bb7479727fde80cb424

SHA1
1088c7653cba385fe994e9ae34a6595898f20aeb

SHA256
e13cc9b13aa5074dc45d50379eceb17ee39a0c2531ab617d93800fe236758ca9

SHA512
24db377af1569e4e2b2ebccec42564cea95a30f1ff43bcaf25a692f99567e027bcef4aacef008ec5f64ea2eef0c04be88d2b30bcadabb3919b5f45a6633940cb

Download Submit
C:\Users\Admin\Downloads\WannaCry\Ransomware.WannaCry\msg\m_indonesian.wnry

Filesize
36KB

MD5
3788f91c694dfc48e12417ce93356b0f

SHA1
eb3b87f7f654b604daf3484da9e02ca6c4ea98b7

SHA256
23e5e738aad10fb8ef89aa0285269aff728070080158fd3e7792fe9ed47c51f4

SHA512
b7dd9e6dc7c2d023ff958caf132f0544c76fae3b2d8e49753257676cc541735807b4befdf483bcae94c2dcde3c878c783b4a89dca0fecbc78f5bbf7c356f35cd

Download Submit
C:\Users\Admin\Downloads\WannaCry\Ransomware.WannaCry\msg\m_italian.wnry

Filesize
36KB

MD5
30a200f78498990095b36f574b6e8690

SHA1
c4b1b3c087bd12b063e98bca464cd05f3f7b7882

SHA256
49f2c739e7d9745c0834dc817a71bf6676ccc24a4c28dcddf8844093aab3df07

SHA512
c0da2aae82c397f6943a0a7b838f60eeef8f57192c5f498f2ecf05db824cfeb6d6ca830bf3715da7ee400aa8362bd64dc835298f3f0085ae7a744e6e6c690511

Download Submit
C:\Users\Admin\Downloads\WannaCry\Ransomware.WannaCry\msg\m_japanese.wnry

Filesize
79KB

MD5
b77e1221f7ecd0b5d696cb66cda1609e

SHA1
51eb7a254a33d05edf188ded653005dc82de8a46

SHA256
7e491e7b48d6e34f916624c1cda9f024e86fcbec56acda35e27fa99d530d017e

SHA512
f435fd67954787e6b87460db026759410fbd25b2f6ea758118749c113a50192446861a114358443a129be817020b50f21d27b1ebd3d22c7be62082e8b45223fc

Download Submit
C:\Users\Admin\Downloads\WannaCry\Ransomware.WannaCry\msg\m_korean.wnry

Filesize
89KB

MD5
6735cb43fe44832b061eeb3f5956b099

SHA1
d636daf64d524f81367ea92fdafa3726c909bee1

SHA256
552aa0f82f37c9601114974228d4fc54f7434fe3ae7a276ef1ae98a0f608f1d0

SHA512
60272801909dbba21578b22c49f6b0ba8cd0070f116476ff35b3ac8347b987790e4cc0334724244c4b13415a246e77a577230029e4561ae6f04a598c3f536c7e

Download Submit
C:\Users\Admin\Downloads\WannaCry\Ransomware.WannaCry\msg\m_latvian.wnry

Filesize
40KB

MD5
c33afb4ecc04ee1bcc6975bea49abe40

SHA1
fbea4f170507cde02b839527ef50b7ec74b4821f

SHA256
a0356696877f2d94d645ae2df6ce6b370bd5c0d6db3d36def44e714525de0536

SHA512
0d435f0836f61a5ff55b78c02fa47b191e5807a79d8a6e991f3115743df2141b3db42ba8bdad9ad259e12f5800828e9e72d7c94a6a5259312a447d669b03ec44

Download Submit
C:\Users\Admin\Downloads\WannaCry\Ransomware.WannaCry\msg\m_norwegian.wnry

Filesize
36KB

MD5
ff70cc7c00951084175d12128ce02399

SHA1
75ad3b1ad4fb14813882d88e952208c648f1fd18

SHA256
cb5da96b3dfcf4394713623dbf3831b2a0b8be63987f563e1c32edeb74cb6c3a

SHA512
f01df3256d49325e5ec49fd265aa3f176020c8ffec60eb1d828c75a3fa18ff8634e1de824d77dfdd833768acff1f547303104620c70066a2708654a07ef22e19

Download Submit
C:\Users\Admin\Downloads\WannaCry\Ransomware.WannaCry\msg\m_polish.wnry

Filesize
38KB

MD5
e79d7f2833a9c2e2553c7fe04a1b63f4

SHA1
3d9f56d2381b8fe16042aa7c4feb1b33f2baebff

SHA256
519ad66009a6c127400c6c09e079903223bd82ecc18ad71b8e5cd79f5f9c053e

SHA512
e0159c753491cac7606a7250f332e87bc6b14876bc7a1cf5625fa56ab4f09c485f7b231dd52e4ff0f5f3c29862afb1124c0efd0741613eb97a83cbe2668af5de

Download Submit
C:\Users\Admin\Downloads\WannaCry\Ransomware.WannaCry\msg\m_portuguese.wnry

Filesize
37KB

MD5
fa948f7d8dfb21ceddd6794f2d56b44f

SHA1
ca915fbe020caa88dd776d89632d7866f660fc7a

SHA256
bd9f4b3aedf4f81f37ec0a028aabcb0e9a900e6b4de04e9271c8db81432e2a66

SHA512
0d211bfb0ae953081dca00cd07f8c908c174fd6c47a8001fadc614203f0e55d9fbb7fa9b87c735d57101341ab36af443918ee00737ed4c19ace0a2b85497f41a

Download Submit
C:\Users\Admin\Downloads\WannaCry\Ransomware.WannaCry\msg\m_romanian.wnry

Filesize
50KB

MD5
313e0ececd24f4fa1504118a11bc7986

SHA1
e1b9ae804c7fb1d27f39db18dc0647bb04e75e9d

SHA256
70c0f32ed379ae899e5ac975e20bbbacd295cf7cd50c36174d2602420c770ac1

SHA512
c7500363c61baf8b77fce796d750f8f5e6886ff0a10f81c3240ea3ad4e5f101b597490dea8ab6bd9193457d35d8fd579fce1b88a1c8d85ebe96c66d909630730

Download Submit
C:\Users\Admin\Downloads\WannaCry\Ransomware.WannaCry\msg\m_russian.wnry

Filesize
46KB

MD5
452615db2336d60af7e2057481e4cab5

SHA1
442e31f6556b3d7de6eb85fbac3d2957b7f5eac6

SHA256
02932052fafe97e6acaaf9f391738a3a826f5434b1a013abbfa7a6c1ade1e078

SHA512
7613dc329abe7a3f32164c9a6b660f209a84b774ab9c008bf6503c76255b30ea9a743a6dc49a8de8df0bcb9aea5a33f7408ba27848d9562583ff51991910911f

Download Submit
C:\Users\Admin\Downloads\WannaCry\Ransomware.WannaCry\msg\m_slovak.wnry

Filesize
40KB

MD5
c911aba4ab1da6c28cf86338ab2ab6cc

SHA1
fee0fd58b8efe76077620d8abc7500dbfef7c5b0

SHA256
e64178e339c8e10eac17a236a67b892d0447eb67b1dcd149763dad6fd9f72729

SHA512
3491ed285a091a123a1a6d61aafbb8d5621ccc9e045a237a2f9c2cf6049e7420eb96ef30fdcea856b50454436e2ec468770f8d585752d73fafd676c4ef5e800a

Download Submit
C:\Users\Admin\Downloads\WannaCry\Ransomware.WannaCry\msg\m_spanish.wnry

Filesize
36KB

MD5
8d61648d34cba8ae9d1e2a219019add1

SHA1
2091e42fc17a0cc2f235650f7aad87abf8ba22c2

SHA256
72f20024b2f69b45a1391f0a6474e9f6349625ce329f5444aec7401fe31f8de1

SHA512
68489c33ba89edfe2e3aebaacf8ef848d2ea88dcbef9609c258662605e02d12cfa4ffdc1d266fc5878488e296d2848b2cb0bbd45f1e86ef959bab6162d284079

Download Submit
C:\Users\Admin\Downloads\WannaCry\Ransomware.WannaCry\msg\m_swedish.wnry

Filesize
37KB

MD5
c7a19984eb9f37198652eaf2fd1ee25c

SHA1
06eafed025cf8c4d76966bf382ab0c5e1bd6a0ae

SHA256
146f61db72297c9c0facffd560487f8d6a2846ecec92ecc7db19c8d618dbc3a4

SHA512
43dd159f9c2eac147cbff1dda83f6a83dd0c59d2d7acac35ba8b407a04ec9a1110a6a8737535d060d100ede1cb75078cf742c383948c9d4037ef459d150f6020

Download Submit
C:\Users\Admin\Downloads\WannaCry\Ransomware.WannaCry\msg\m_turkish.wnry

Filesize
41KB

MD5
531ba6b1a5460fc9446946f91cc8c94b

SHA1
cc56978681bd546fd82d87926b5d9905c92a5803

SHA256
6db650836d64350bbde2ab324407b8e474fc041098c41ecac6fd77d632a36415

SHA512
ef25c3cf4343df85954114f59933c7cc8107266c8bcac3b5ea7718eb74dbee8ca8a02da39057e6ef26b64f1dfccd720dd3bf473f5ae340ba56941e87d6b796c9

Download Submit
C:\Users\Admin\Downloads\WannaCry\Ransomware.WannaCry\msg\m_vietnamese.wnry

Filesize
91KB

MD5
8419be28a0dcec3f55823620922b00fa

SHA1
2e4791f9cdfca8abf345d606f313d22b36c46b92

SHA256
1f21838b244c80f8bed6f6977aa8a557b419cf22ba35b1fd4bf0f98989c5bdf8

SHA512
8fca77e54480aea3c0c7a705263ed8fb83c58974f5f0f62f12cc97c8e0506ba2cdb59b70e59e9a6c44dd7cde6adeeec35b494d31a6a146ff5ba7006136ab9386

Download Submit
C:\Users\Admin\Downloads\WannaCry\Ransomware.WannaCry\r.wnry

Filesize
864B

MD5
3e0020fc529b1c2a061016dd2469ba96

SHA1
c3a91c22b63f6fe709e7c29cafb29a2ee83e6ade

SHA256
402751fa49e0cb68fe052cb3db87b05e71c1d950984d339940cf6b29409f2a7c

SHA512
5ca3c134201ed39d96d72911c0498bae6f98701513fd7f1dc8512819b673f0ea580510fa94ed9413ccc73da18b39903772a7cbfa3478176181cee68c896e14cf

Download Submit
C:\Users\Admin\Downloads\WannaCry\Ransomware.WannaCry\s.wnry

Filesize
2.9MB

MD5
ad4c9de7c8c40813f200ba1c2fa33083

SHA1
d1af27518d455d432b62d73c6a1497d032f6120e

SHA256
e18fdd912dfe5b45776e68d578c3af3547886cf1353d7086c8bee037436dff4b

SHA512
115733d08e5f1a514808a20b070db7ff453fd149865f49c04365a8c6502fa1e5c3a31da3e21f688ab040f583cf1224a544aea9708ffab21405dde1c57f98e617

Download Submit
C:\Users\Admin\Downloads\WannaCry\Ransomware.WannaCry\t.wnry

Filesize
64KB

MD5
5dcaac857e695a65f5c3ef1441a73a8f

SHA1
7b10aaeee05e7a1efb43d9f837e9356ad55c07dd

SHA256
97ebce49b14c46bebc9ec2448d00e1e397123b256e2be9eba5140688e7bc0ae6

SHA512
06eb5e49d19b71a99770d1b11a5bb64a54bf3352f36e39a153469e54205075c203b08128dc2317259db206ab5323bdd93aaa252a066f57fb5c52ff28deedb5e2

Download Submit
C:\Users\Admin\Downloads\WannaCry\Ransomware.WannaCry\taskdl.exe

Filesize
20KB

MD5
4fef5e34143e646dbf9907c4374276f5

SHA1
47a9ad4125b6bd7c55e4e7da251e23f089407b8f

SHA256
4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79

SHA512
4550dd1787deb353ebd28363dd2cdccca861f6a5d9358120fa6aa23baa478b2a9eb43cef5e3f6426f708a0753491710ac05483fac4a046c26bec4234122434d5

Download Submit
C:\Users\Admin\Downloads\WannaCry\Ransomware.WannaCry\taskse.exe

Filesize
20KB

MD5
8495400f199ac77853c53b5a3f278f3e

SHA1
be5d6279874da315e3080b06083757aad9b32c23

SHA256
2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d

SHA512
0669c524a295a049fa4629b26f89788b2a74e1840bcdc50e093a0bd40830dd1279c9597937301c0072db6ece70adee4ace67c3c8a4fb2db6deafd8f1e887abe4

Download Submit
C:\Users\Admin\Downloads\WannaCry\Ransomware.WannaCry\u.wnry

Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\Users\Admin\Downloads\wanadecrypt.zip

Filesize
639KB

MD5
14531c8b846b3cec9b8baac68fb50992

SHA1
6b705e7ab79487d8ac317fb23062e74aa1c902e9

SHA256
0d96d1f27719ee3644557a0b54c66156854411b2528420bcc88f4f67443ec9b2

SHA512
65704fe6a44ca4486c8853a07ce2d70552f7027e136e20869b29ba42419fd380e965534555261d5f8e9c0b1138b49221fbaeddb045ab456d6dc26737acc6075b

Download Submit
memory/404-2126-0x0000000073E30000-0x0000000073EA7000-memory.dmp

Filesize
476KB

Download
memory/404-2129-0x0000000073B50000-0x0000000073D6C000-memory.dmp

Filesize
2.1MB

Download
memory/404-2176-0x0000000000BD0000-0x0000000000ECE000-memory.dmp

Filesize
3.0MB

Download
memory/404-2224-0x0000000000BD0000-0x0000000000ECE000-memory.dmp

Filesize
3.0MB

Download
memory/404-2110-0x0000000073D70000-0x0000000073DF2000-memory.dmp

Filesize
520KB

Download
memory/404-2262-0x0000000000BD0000-0x0000000000ECE000-memory.dmp

Filesize
3.0MB

Download
memory/404-2268-0x0000000073B50000-0x0000000073D6C000-memory.dmp

Filesize
2.1MB

Download
memory/404-2112-0x0000000000BD0000-0x0000000000ECE000-memory.dmp

Filesize
3.0MB

Download
memory/404-2124-0x0000000073ED0000-0x0000000073F52000-memory.dmp

Filesize
520KB

Download
memory/404-2125-0x0000000073EB0000-0x0000000073ECC000-memory.dmp

Filesize
112KB

Download
memory/404-2123-0x0000000000BD0000-0x0000000000ECE000-memory.dmp

Filesize
3.0MB

Download
memory/404-2111-0x0000000073E00000-0x0000000073E22000-memory.dmp

Filesize
136KB

Download
memory/404-2451-0x0000000000BD0000-0x0000000000ECE000-memory.dmp

Filesize
3.0MB

Download
memory/404-2460-0x0000000000BD0000-0x0000000000ECE000-memory.dmp

Filesize
3.0MB

Download
memory/404-2127-0x0000000073E00000-0x0000000073E22000-memory.dmp

Filesize
136KB

Download
memory/404-2109-0x0000000073B50000-0x0000000073D6C000-memory.dmp

Filesize
2.1MB

Download
memory/404-2128-0x0000000073D70000-0x0000000073DF2000-memory.dmp

Filesize
520KB

Download
memory/404-2108-0x0000000073ED0000-0x0000000073F52000-memory.dmp

Filesize
520KB

Download
memory/4528-2221-0x00007FFCA6FB0000-0x00007FFCA6FC0000-memory.dmp

Filesize
64KB

Download
memory/4528-2158-0x00007FFCA6FB0000-0x00007FFCA6FC0000-memory.dmp

Filesize
64KB

Download
memory/4528-2222-0x00007FFCA6FB0000-0x00007FFCA6FC0000-memory.dmp

Filesize
64KB

Download
memory/4528-2154-0x00007FFCA6FB0000-0x00007FFCA6FC0000-memory.dmp

Filesize
64KB

Download
memory/4528-2156-0x00007FFCA6FB0000-0x00007FFCA6FC0000-memory.dmp

Filesize
64KB

Download
memory/4528-2223-0x00007FFCA6FB0000-0x00007FFCA6FC0000-memory.dmp

Filesize
64KB

Download
memory/4528-2157-0x00007FFCA6FB0000-0x00007FFCA6FC0000-memory.dmp

Filesize
64KB

Download
memory/4528-2155-0x00007FFCA6FB0000-0x00007FFCA6FC0000-memory.dmp

Filesize
64KB

Download
memory/4528-2220-0x00007FFCA6FB0000-0x00007FFCA6FC0000-memory.dmp

Filesize
64KB

Download
memory/4528-2160-0x00007FFCA4CB0000-0x00007FFCA4CC0000-memory.dmp

Filesize
64KB

Download
memory/4528-2159-0x00007FFCA4CB0000-0x00007FFCA4CC0000-memory.dmp

Filesize
64KB

Download
memory/4800-620-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download