wannacry | hxxps://github[.]com/kh4sh3i/Ransomware-Samples/tree/main/WannaCry

Analysis

max time kernel
497s
max time network
500s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
04-11-2024 06:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/kh4sh3i/Ransomware-Samples/tree/main/WannaCry

Score

10^/10

wannacry defense_evasion discovery execution impact persistence ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94 Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94

Signatures

Suspicious use of NtCreateProcessExOtherParentProcess 4 IoCs

Processes:

taskmgr.exe

description	pid	process	target process
PID 1100 created 4924	1100	taskmgr.exe	@[email protected]
PID 1100 created 4924	1100	taskmgr.exe	@[email protected]
PID 1100 created 860	1100	taskmgr.exe	@[email protected]
PID 1100 created 860	1100	taskmgr.exe	@[email protected]

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Wannacry family
wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Drops startup file 1 IoCs

Processes:

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDD0D9.tmp	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

Executes dropped EXE 43 IoCs

Processes:

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exeed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exeed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exeed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exeed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exeed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exeed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exeed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exeed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exetaskdl.exe@[email protected]@[email protected]taskhsvc.exetaskdl.exetaskse.exe@[email protected]taskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exe

pid	process
4948	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
4804	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
2400	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
432	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
3060	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
4072	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
4396	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
1504	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
3996	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
1304	taskdl.exe
980	@[email protected]
4304	@[email protected]
2736	taskhsvc.exe
2952	taskdl.exe
3556	taskse.exe
5096	@[email protected]
3532	taskse.exe
856	@[email protected]
4036	taskdl.exe
1936	taskse.exe
2540	@[email protected]
3092	taskdl.exe
4172	taskse.exe
3392	@[email protected]
4364	taskdl.exe
1988	taskse.exe
3432	@[email protected]
3688	taskdl.exe
2628	taskse.exe
1020	@[email protected]
1976	taskdl.exe
2432	taskse.exe
4828	@[email protected]
3800	taskdl.exe
2540	taskse.exe
4840	@[email protected]
64	taskdl.exe
1020	taskse.exe
4924	@[email protected]
3252	taskdl.exe
2616	taskse.exe
860	@[email protected]
1844	taskdl.exe

Loads dropped DLL 8 IoCs

Processes:

taskhsvc.exe

pid process

2736 taskhsvc.exe
2736 taskhsvc.exe
2736 taskhsvc.exe
2736 taskhsvc.exe
2736 taskhsvc.exe
2736 taskhsvc.exe
2736 taskhsvc.exe
2736 taskhsvc.exe

pid	process
2736	taskhsvc.exe
2736	taskhsvc.exe
2736	taskhsvc.exe
2736	taskhsvc.exe
2736	taskhsvc.exe
2736	taskhsvc.exe
2736	taskhsvc.exe
2736	taskhsvc.exe

Modifies file permissions 1 TTPs 10 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

icacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exe

pid	process
1080	icacls.exe
3264	icacls.exe
1952	icacls.exe
1468	icacls.exe
3568	icacls.exe
2324	icacls.exe
4540	icacls.exe
4180	icacls.exe
636	icacls.exe
2772	icacls.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\laliykmzxf220 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Temp1_Ransomware.WannaCry.zip\\tasksche.exe\""	reg.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

61 raw.githubusercontent.com
62 raw.githubusercontent.com

flow	ioc
61	raw.githubusercontent.com
62	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 4 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe@[email protected]@[email protected]@[email protected]

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cscript.exe@[email protected]taskdl.exe@[email protected]taskdl.exeicacls.execmd.exeWMIC.exe@[email protected]@[email protected]@[email protected]attrib.execmd.exetaskdl.exeattrib.exeed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exetaskdl.exeed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exeicacls.exetaskse.exeed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exeed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exeicacls.exereg.exetaskse.exe@[email protected]@[email protected]ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exeicacls.exeicacls.exeattrib.exeed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exeicacls.exetaskdl.exeattrib.exetaskse.exetaskse.exeicacls.exeicacls.exeattrib.exeed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exetaskdl.exeattrib.exetaskhsvc.exetaskse.exeed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exeicacls.exe@[email protected]taskdl.exetaskdl.exetaskse.exetaskse.exeed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exeattrib.exetaskdl.exeed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exeattrib.execmd.exe@[email protected]taskse.execmd.exe@[email protected]attrib.exeattrib.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exechrome.exemsedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 17 IoCs

Processes:

LogonUI.exechrome.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133751751367542500"	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "206"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings msedge.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

5040 reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	msedge.exe

pid	process
5040	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exetaskhsvc.exechrome.exemsedge.exemsedge.exechrome.exetaskmgr.exe

pid	process
2316	msedge.exe
2316	msedge.exe
2316	msedge.exe
4272	msedge.exe
4272	msedge.exe
1492	identity_helper.exe
1492	identity_helper.exe
4416	msedge.exe
4416	msedge.exe
2736	taskhsvc.exe
2736	taskhsvc.exe
2736	taskhsvc.exe
2736	taskhsvc.exe
2736	taskhsvc.exe
2736	taskhsvc.exe
3256	chrome.exe
3256	chrome.exe
1744	msedge.exe
1744	msedge.exe
3240	msedge.exe
3240	msedge.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
5020	chrome.exe
1100	taskmgr.exe
1100	taskmgr.exe
1100	taskmgr.exe
1100	taskmgr.exe
1100	taskmgr.exe
1100	taskmgr.exe
1100	taskmgr.exe
1100	taskmgr.exe
1100	taskmgr.exe
1100	taskmgr.exe
1100	taskmgr.exe
1100	taskmgr.exe
1100	taskmgr.exe
1100	taskmgr.exe
1100	taskmgr.exe
1100	taskmgr.exe
1100	taskmgr.exe
1100	taskmgr.exe
1100	taskmgr.exe
1100	taskmgr.exe
1100	taskmgr.exe
1100	taskmgr.exe
1100	taskmgr.exe
1100	taskmgr.exe
1100	taskmgr.exe
1100	taskmgr.exe
1100	taskmgr.exe
1100	taskmgr.exe
1100	taskmgr.exe
1100	taskmgr.exe
1100	taskmgr.exe
1100	taskmgr.exe
1100	taskmgr.exe
1100	taskmgr.exe
1100	taskmgr.exe
1100	taskmgr.exe
1100	taskmgr.exe
1100	taskmgr.exe
1100	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

7zG.exe@[email protected]

pid process

3868 7zG.exe
5096 @[email protected]

pid	process
3868	7zG.exe
5096	@[email protected]

Suspicious behavior: LoadsDriver 64 IoCs

Processes:

pid	process
2896
3488
2624
5032
4600
4924
5048
2168
3088
1832
4296
4100
1092
3068
64
2828
452
2756
3728
3672
640
3668
1996
4604
756
3892
3756
4280
3808
4352
4156
4260
3636
1340
3788
3872
3896
4208
3816
832
2064
3576
3584
3680
4788
4212
3608
4188
4220
3644
4936
4028
3948
1576
2616
636
3848
4684
3612
1844
3620
432
1096
4900

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

Processes:

msedge.exechrome.exemsedge.exe

pid	process
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
3256	chrome.exe
3256	chrome.exe
3256	chrome.exe
3240	msedge.exe
3240	msedge.exe
3256	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

7zG.exe7zG.exeWMIC.exevssvc.exetaskse.exetaskse.exechrome.exe

description	pid	process
Token: SeRestorePrivilege	1328	7zG.exe
Token: 35	1328	7zG.exe
Token: SeSecurityPrivilege	1328	7zG.exe
Token: SeSecurityPrivilege	1328	7zG.exe
Token: SeRestorePrivilege	3868	7zG.exe
Token: 35	3868	7zG.exe
Token: SeSecurityPrivilege	3868	7zG.exe
Token: SeSecurityPrivilege	3868	7zG.exe
Token: SeIncreaseQuotaPrivilege	3308	WMIC.exe
Token: SeSecurityPrivilege	3308	WMIC.exe
Token: SeTakeOwnershipPrivilege	3308	WMIC.exe
Token: SeLoadDriverPrivilege	3308	WMIC.exe
Token: SeSystemProfilePrivilege	3308	WMIC.exe
Token: SeSystemtimePrivilege	3308	WMIC.exe
Token: SeProfSingleProcessPrivilege	3308	WMIC.exe
Token: SeIncBasePriorityPrivilege	3308	WMIC.exe
Token: SeCreatePagefilePrivilege	3308	WMIC.exe
Token: SeBackupPrivilege	3308	WMIC.exe
Token: SeRestorePrivilege	3308	WMIC.exe
Token: SeShutdownPrivilege	3308	WMIC.exe
Token: SeDebugPrivilege	3308	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3308	WMIC.exe
Token: SeRemoteShutdownPrivilege	3308	WMIC.exe
Token: SeUndockPrivilege	3308	WMIC.exe
Token: SeManageVolumePrivilege	3308	WMIC.exe
Token: 33	3308	WMIC.exe
Token: 34	3308	WMIC.exe
Token: 35	3308	WMIC.exe
Token: 36	3308	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3308	WMIC.exe
Token: SeSecurityPrivilege	3308	WMIC.exe
Token: SeTakeOwnershipPrivilege	3308	WMIC.exe
Token: SeLoadDriverPrivilege	3308	WMIC.exe
Token: SeSystemProfilePrivilege	3308	WMIC.exe
Token: SeSystemtimePrivilege	3308	WMIC.exe
Token: SeProfSingleProcessPrivilege	3308	WMIC.exe
Token: SeIncBasePriorityPrivilege	3308	WMIC.exe
Token: SeCreatePagefilePrivilege	3308	WMIC.exe
Token: SeBackupPrivilege	3308	WMIC.exe
Token: SeRestorePrivilege	3308	WMIC.exe
Token: SeShutdownPrivilege	3308	WMIC.exe
Token: SeDebugPrivilege	3308	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3308	WMIC.exe
Token: SeRemoteShutdownPrivilege	3308	WMIC.exe
Token: SeUndockPrivilege	3308	WMIC.exe
Token: SeManageVolumePrivilege	3308	WMIC.exe
Token: 33	3308	WMIC.exe
Token: 34	3308	WMIC.exe
Token: 35	3308	WMIC.exe
Token: 36	3308	WMIC.exe
Token: SeBackupPrivilege	3380	vssvc.exe
Token: SeRestorePrivilege	3380	vssvc.exe
Token: SeAuditPrivilege	3380	vssvc.exe
Token: SeTcbPrivilege	3556	taskse.exe
Token: SeTcbPrivilege	3556	taskse.exe
Token: SeTcbPrivilege	3532	taskse.exe
Token: SeTcbPrivilege	3532	taskse.exe
Token: SeShutdownPrivilege	3256	chrome.exe
Token: SeCreatePagefilePrivilege	3256	chrome.exe
Token: SeShutdownPrivilege	3256	chrome.exe
Token: SeCreatePagefilePrivilege	3256	chrome.exe
Token: SeShutdownPrivilege	3256	chrome.exe
Token: SeCreatePagefilePrivilege	3256	chrome.exe
Token: SeShutdownPrivilege	3256	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exe7zG.exe7zG.exechrome.exemsedge.exe

pid	process
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
1328	7zG.exe
3868	7zG.exe
3256	chrome.exe
3256	chrome.exe
3256	chrome.exe
3256	chrome.exe
3256	chrome.exe
3256	chrome.exe
3256	chrome.exe
3256	chrome.exe
3256	chrome.exe
3256	chrome.exe
3256	chrome.exe
3256	chrome.exe
3256	chrome.exe
3256	chrome.exe
3256	chrome.exe
3256	chrome.exe
3256	chrome.exe
3256	chrome.exe
3256	chrome.exe
3256	chrome.exe
3256	chrome.exe
3256	chrome.exe
3256	chrome.exe
3256	chrome.exe
3256	chrome.exe
3256	chrome.exe
3240	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

msedge.exechrome.exemsedge.exe

pid	process
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
3256	chrome.exe
3256	chrome.exe
3256	chrome.exe
3256	chrome.exe
3256	chrome.exe
3256	chrome.exe
3256	chrome.exe
3256	chrome.exe
3256	chrome.exe
3256	chrome.exe
3256	chrome.exe
3256	chrome.exe
3256	chrome.exe
3256	chrome.exe
3256	chrome.exe
3256	chrome.exe
3256	chrome.exe
3256	chrome.exe
3256	chrome.exe
3256	chrome.exe
3256	chrome.exe
3256	chrome.exe
3256	chrome.exe
3256	chrome.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe
3240	msedge.exe

Suspicious use of SetWindowsHookEx 18 IoCs

Processes:

@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]LogonUI.exe

pid	process
980	@[email protected]
980	@[email protected]
4304	@[email protected]
4304	@[email protected]
5096	@[email protected]
5096	@[email protected]
856	@[email protected]
2540	@[email protected]
3392	@[email protected]
3432	@[email protected]
1020	@[email protected]
4828	@[email protected]
4840	@[email protected]
4924	@[email protected]
4924	@[email protected]
860	@[email protected]
860	@[email protected]
760	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 4272 wrote to memory of 1672	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 1672	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 4976	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 4976	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 4976	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 4976	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 4976	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 4976	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 4976	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 4976	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 4976	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 4976	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 4976	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 4976	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 4976	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 4976	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 4976	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 4976	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 4976	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 4976	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 4976	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 4976	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 4976	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 4976	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 4976	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 4976	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 4976	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 4976	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 4976	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 4976	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 4976	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 4976	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 4976	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 4976	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 4976	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 4976	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 4976	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 4976	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 4976	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 4976	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 4976	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 4976	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 2316	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 2316	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 1552	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 1552	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 1552	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 1552	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 1552	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 1552	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 1552	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 1552	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 1552	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 1552	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 1552	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 1552	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 1552	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 1552	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 1552	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 1552	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 1552	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 1552	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 1552	4272	msedge.exe	msedge.exe
PID 4272 wrote to memory of 1552	4272	msedge.exe	msedge.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 11 IoCs

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid	process
2044	attrib.exe
3044	attrib.exe
3512	attrib.exe
2828	attrib.exe
1036	attrib.exe
1684	attrib.exe
8	attrib.exe
4588	attrib.exe
624	attrib.exe
920	attrib.exe
4480	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/kh4sh3i/Ransomware-Samples/tree/main/WannaCry
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb5ea846f8,0x7ffb5ea84708,0x7ffb5ea84718
  2⤵
  PID:1672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,2399177924339815119,9512239678128601374,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1800 /prefetch:2
  2⤵
  PID:4976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,2399177924339815119,9512239678128601374,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,2399177924339815119,9512239678128601374,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2696 /prefetch:8
  2⤵
  PID:1552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,2399177924339815119,9512239678128601374,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,2399177924339815119,9512239678128601374,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:2476
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,2399177924339815119,9512239678128601374,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5544 /prefetch:8
  2⤵
  PID:3728
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,2399177924339815119,9512239678128601374,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5544 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,2399177924339815119,9512239678128601374,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:1
  2⤵
  PID:5052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,2399177924339815119,9512239678128601374,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5228 /prefetch:1
  2⤵
  PID:1864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,2399177924339815119,9512239678128601374,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3696 /prefetch:1
  2⤵
  PID:3916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,2399177924339815119,9512239678128601374,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5776 /prefetch:1
  2⤵
  PID:1888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2156,2399177924339815119,9512239678128601374,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3120 /prefetch:8
  2⤵
  PID:4396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,2399177924339815119,9512239678128601374,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5884 /prefetch:1
  2⤵
  PID:2136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2156,2399177924339815119,9512239678128601374,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6048 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4416

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2168

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1528

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2204

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap14234:96:7zEvent424
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1328

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap1509:186:7zEvent22180
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3868

C:\Users\Admin\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
"C:\Users\Admin\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4948
- C:\Windows\SysWOW64\attrib.exe
  attrib +h .
  2⤵
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:1684
- C:\Windows\SysWOW64\icacls.exe
  icacls . /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  - System Location Discovery: System Language Discovery
  PID:1080

C:\Users\Admin\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
"C:\Users\Admin\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4804
- C:\Windows\SysWOW64\attrib.exe
  attrib +h .
  2⤵
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:2044
- C:\Windows\SysWOW64\icacls.exe
  icacls . /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  - System Location Discovery: System Language Discovery
  PID:3264

C:\Users\Admin\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
"C:\Users\Admin\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2400
- C:\Windows\SysWOW64\attrib.exe
  attrib +h .
  2⤵
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:8
- C:\Windows\SysWOW64\icacls.exe
  icacls . /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  - System Location Discovery: System Language Discovery
  PID:1952

C:\Users\Admin\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
"C:\Users\Admin\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:432
- C:\Windows\SysWOW64\attrib.exe
  attrib +h .
  2⤵
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:4588
- C:\Windows\SysWOW64\icacls.exe
  icacls . /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  - System Location Discovery: System Language Discovery
  PID:1468

C:\Users\Admin\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
"C:\Users\Admin\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3060
- C:\Windows\SysWOW64\attrib.exe
  attrib +h .
  2⤵
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:624
- C:\Windows\SysWOW64\icacls.exe
  icacls . /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  - System Location Discovery: System Language Discovery
  PID:4540

C:\Users\Admin\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
"C:\Users\Admin\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4072
- C:\Windows\SysWOW64\attrib.exe
  attrib +h .
  2⤵
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:920
- C:\Windows\SysWOW64\icacls.exe
  icacls . /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  - System Location Discovery: System Language Discovery
  PID:4180

C:\Users\Admin\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
"C:\Users\Admin\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4396
- C:\Windows\SysWOW64\attrib.exe
  attrib +h .
  2⤵
  - Views/modifies file attributes
  PID:3044
- C:\Windows\SysWOW64\icacls.exe
  icacls . /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  - System Location Discovery: System Language Discovery
  PID:636

C:\Users\Admin\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
"C:\Users\Admin\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1504
- C:\Windows\SysWOW64\attrib.exe
  attrib +h .
  2⤵
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:3512
- C:\Windows\SysWOW64\icacls.exe
  icacls . /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  - System Location Discovery: System Language Discovery
  PID:3568

C:\Users\Admin\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
"C:\Users\Admin\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3996
- C:\Windows\SysWOW64\attrib.exe
  attrib +h .
  2⤵
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:4480
- C:\Windows\SysWOW64\icacls.exe
  icacls . /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2772

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe"
1⤵
- Drops startup file
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
PID:2800
- C:\Windows\SysWOW64\attrib.exe
  attrib +h .
  2⤵
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:2828
- C:\Windows\SysWOW64\icacls.exe
  icacls . /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  - System Location Discovery: System Language Discovery
  PID:2324
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1304
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 279111730701451.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2704
- - C:\Windows\SysWOW64\cscript.exe
    cscript.exe //nologo m.vbs
    3⤵
    - System Location Discovery: System Language Discovery
    PID:8
- C:\Windows\SysWOW64\attrib.exe
  attrib +h +s F:\$RECYCLE
  2⤵
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:1036
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected] co
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:980
- - C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\TaskData\Tor\taskhsvc.exe
    TaskData\Tor\taskhsvc.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2736
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c start /b @[email protected] vs
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1800
- - C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
    @[email protected] vs
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4304
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
      4⤵
      System Location Discovery: System Language Discovery
      PID:1152
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3308
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:2952
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3556
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:5096
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://en.wikipedia.org/wiki/Bitcoin
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:3240
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb5ea846f8,0x7ffb5ea84708,0x7ffb5ea84718
      4⤵
      PID:1544
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,3409271373088731004,12360755056971124274,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2308 /prefetch:2
      4⤵
      PID:940
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2180,3409271373088731004,12360755056971124274,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2732 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1744
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2180,3409271373088731004,12360755056971124274,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2964 /prefetch:8
      4⤵
      PID:1344
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,3409271373088731004,12360755056971124274,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3692 /prefetch:1
      4⤵
      PID:4824
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,3409271373088731004,12360755056971124274,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3704 /prefetch:1
      4⤵
      PID:5020
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "laliykmzxf220" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\tasksche.exe\"" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1508
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "laliykmzxf220" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\tasksche.exe\"" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:5040
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3532
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4036
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:856
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1936
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2540
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3092
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4172
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3392
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4364
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1988
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3432
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3688
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:2628
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1020
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:1976
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2432
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4828
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3800
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:2540
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4840
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:64
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1020
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4924
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3252
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2616
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:860
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1844

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\@[email protected]
1⤵
PID:1304

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3380

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffb5e51cc40,0x7ffb5e51cc4c,0x7ffb5e51cc58
  2⤵
  PID:4464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1868,i,5237091075819984139,2120912675058767194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1864 /prefetch:2
  2⤵
  PID:3280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2208,i,5237091075819984139,2120912675058767194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2220 /prefetch:3
  2⤵
  PID:3492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2272,i,5237091075819984139,2120912675058767194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2288 /prefetch:8
  2⤵
  PID:4460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3168,i,5237091075819984139,2120912675058767194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3180 /prefetch:1
  2⤵
  PID:3856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3392,i,5237091075819984139,2120912675058767194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3400 /prefetch:1
  2⤵
  PID:4740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4540,i,5237091075819984139,2120912675058767194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4516 /prefetch:1
  2⤵
  PID:4688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3680,i,5237091075819984139,2120912675058767194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3684 /prefetch:8
  2⤵
  PID:4112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4524,i,5237091075819984139,2120912675058767194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4792 /prefetch:8
  2⤵
  PID:692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4844,i,5237091075819984139,2120912675058767194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4896 /prefetch:8
  2⤵
  PID:5064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4764,i,5237091075819984139,2120912675058767194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4936 /prefetch:8
  2⤵
  PID:2220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4784,i,5237091075819984139,2120912675058767194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5084 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=5128,i,5237091075819984139,2120912675058767194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3448 /prefetch:1
  2⤵
  PID:4040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=5036,i,5237091075819984139,2120912675058767194,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3992 /prefetch:8
  2⤵
  PID:1120

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:5048

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1168

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3892

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2964

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2f4 0x4fc
1⤵
PID:3056

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:1100

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\c5c256b3f7854663b4f91f446931d581 /t 4244 /p 4924
1⤵
PID:4412

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\e092d27aa16049709e39781fb42dd3a4 /t 4800 /p 860
1⤵
PID:1976

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3f87855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\@[email protected]

Filesize
1KB

MD5
19bbc89ef84412d067185cbc3f297ffb

SHA1
e9e9245722b12f04203f59f087b31b345292371f

SHA256
6aed9c2fc4e72bf819f0792827f2efb94c7b918993cae7cb8e5644bca98ee11e

SHA512
2b3e266c771be1b4c9b6a56bbc98fb8c1a90d9459cff41ff1871ea2021dd3929a8f1e9f559634beeb1809d690f87e6834dba2dd90241caae186566c11db10815

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
186ccc6761714f7e88de1fff069b95fb

SHA1
c7dec1fff5e2f359cccf94875265f96757865b34

SHA256
abb5c7113a03fa5d3a4d6d25007f875d5189c85054252a03a3c9d2cc64a5f59e

SHA512
5f346abd0068d56df1bc7236a8f8ae6e0397cd35c7e8a6554f90724bc4936ed6a1f127aef797391d34ab458ba9ff3337bade05334155aae7473e6c463b0499c9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
6f8707650e6035675d15e64afeadc561

SHA1
146fa7e7ff0c1f2257c611f319a935dca18be17f

SHA256
93205e9faceae5a8830682b178a95254bd870844f49256ec4b88875cffbc3f8e

SHA512
7753b3f3372803aa9d723e7b3feed53ed8fcc5f2ca8b504200468143f255e66cdeaec6f16733e617c99629bae21a3c7dba41ebe7294cff47d149e40f3fd4621f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
120B

MD5
38bd08bea80e34683dfc63497c51f39d

SHA1
05aff568fadfaba716a3056c097ae3d2b8949e49

SHA256
ee09f2d5bf9991d1fa78975dd9e4b5cae79bd39889da4fd13ee4fafc6241341f

SHA512
1f2c61c5b38141105883530ad6a05a4fbc37ea1985ece4e6a353025db07c373b4f1e7fe7839e3334d08ee830b51b6bd823529fd61d9eca88a710ce8987d73a73

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe5d7533.TMP

Filesize
96B

MD5
78b42b63c05578b7a13c505d718ed342

SHA1
d63f726d6ced73a7b54238d31f0d798fde0e46c4

SHA256
90fce8c927ae55fafb0af33b849e04100bfb79f8c9060f4abfd2a4c97bc7cb5e

SHA512
d24dc8f01c70fab319f35087109177f20d167556745504ff3f53550ea8199db2558f6cdcbb8471c7aeb35dde93e446cc3ab7ad63593057bd9cb265ab328a4598

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
8059f3ec1da9f1f53f62285fbb28dd97

SHA1
ec689bb88781b206d98ab54f897d789fe70cc56b

SHA256
66a87edf9d01cc459603bc033d7d462c48647c0309257af214c835d8cb3ada13

SHA512
7f5adbd61c6806af1d59629a06b424d91ce076a7a0438120fdfc6604a56c1771e98d386f00f1ec23ff26b3fe8cd641da4a65e2ef646b14bee3c304a94a7a55a2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
5e8a602306e607c6c60567890abefd4a

SHA1
4907e1be2644d7e9c258840590215dc0833c2b71

SHA256
5d0fd823436df23a1c1c6846acb8252c86117bc8606ee6f7c3399baf37e516b5

SHA512
d3132a8e6b0c49689b599f1b37fd46ece73a3a8f1e2cac2416d81aa38c907e0adec68bbf06da97114f0c686bdf4b9a97d1d48574cc91c2648d21e2a84e8d0fb1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
05d9e48e0c6db2aa426ab0b5421be94f

SHA1
4c585ca05efe8d8816c74e09a92d2efc0c4e26fd

SHA256
fe8190af0dfdf1825c20c26411594eecb13cbcbad1944092d105fdea6d04c9ae

SHA512
bca658731448b7f55ae5a5fe3a3ecb8db699b3c043a85826080e64fb446290cd816159c552c20d753d55c038e3aa97ff88b9a846d4bae450563949bda2790829

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
3495a4ff30fd4a1e32992d8c15bd7d79

SHA1
776f44eceeacf69eb5dbb74213b0608654c67cc3

SHA256
6d3c81beb97d896bde4fd91651bee3b73eb12deaef510c63a4025d33a97bd89c

SHA512
e9f717a8b70ff56968974410c701d124928bcfc2433cb21cbd1496d7ace5f96f836eebe6da213e18cd691a5830c62bc555542b8e02ecb095f7d042ca19876c75

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
038f1ff065ddd177296c56e43c520e1b

SHA1
826dfa6be489736b6af967a476e4870a68d8cdce

SHA256
89be804644dc788983c83247600d95a26e25cb9c641d87379296cf6743a8fa80

SHA512
be7214c96ab7413a2be2082b16e31edf42622efe65490d636ae7781905d473db42aac619b9633504f1c2c1c29cff5e0ef270972fa36a4b0ca5138c2377296327

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7b053cc8f934e9645b2dacbb3552b588

SHA1
96badd71226d2fde9cd89cb4ee5ca2b8e6b19990

SHA256
2a12ace64ee168a3bef90574628123b587742c34045340941642a5e39a8d7c6f

SHA512
c76162cf84a985e8415c58d11f2a140526354e744b6e338d17b24e655f3c708cfb5967f726bdf5e7a0fa4738ff08d8f448d5516befb4c7194aaad44dda95846a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
2d0f5fddd83c63127ecec3eccf69ef0c

SHA1
8e15ab56f3a7fd088e9dced2d90e1c830c9fc6ee

SHA256
b930148a0e945d49befba1d08c41d07025802734ed22db414719eff76cb8f652

SHA512
e7c9e02793f09658c8507ab023fe3ef9a286aabea457c5e008bafaaf0bca3d030de502fe0d172e35df9700fd88f0e4b854bc21a89842ba26c800a3ebef7acfc7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
9dd8a8f4fbcb4eed2ef4677058e67c1d

SHA1
277601fb241ed5b4335ba22413fd2bae01c939b2

SHA256
6603767f6001d66cae5e9d08b8061d2a2d993915e3a23ec0cbba7d13e31d3059

SHA512
373d222aa5dbaef7758ba68037326b6d3e0ca536035dfe03be12892f937331e391fcce2651bd544a5b9615e44043b5f81ec8dbc76a70028bcbacca338d3e9c37

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
8f5a8c117bc6471b6fded2819c7c3879

SHA1
b9a429257d8cb8434b27f0a051f0b9e834e10d72

SHA256
3e1719e403460557c83557e18e02a0a612729fa862f9c49030f9b0dc90e5b75f

SHA512
ffcf9a5d84b0bd68fc2d56fe8492f8e13fc42c580fdeaacb5c8418dc25f32eab3ae6a2ded8e4108e2c7b40c1d42f029ece943700955af72374ace40cb21e7496

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
18f45cfadc780be3abab93bf03bf2857

SHA1
3bb0efdb885f18c033d8bb22665396726b60326c

SHA256
ef4234f519248423c770fc7f49bd6f63c5e78dae08f3c70ebee5555960570b28

SHA512
572fb9021870e443b5c771f68595e03aa6769c2ed19d9d43a2394a7202368156e84cc37e67ad64adb022e4d0a372d6bd602f4f3698c483ff0f553f789d2f7d53

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
65603b8c5c76a0d3af11e6bd0aaae0e3

SHA1
86f9b43a5f64b029743707716147b5cd016e4353

SHA256
8597b357a60e72cafc79a078730cb174d58658eb6386cf7d5883f413ee6d5300

SHA512
835b7ce2b8c640d4e5d23efc67bfa7f7080567b1148e48e487fddd49b8bf681d82b787bd34b8c7e8e11268a2175aa0ab2f1e2ee9ad341b2de5a3555e72fa76df

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8376c0e5cc418d0db86dc064190fb2a3

SHA1
0f67a4b60548780f5f4f36f55d16870b5cccde4f

SHA256
2bea02cf72e0ce4def6ab7ca078afb011b98f9690a453df8e6d0cfdfcc15a94b

SHA512
e8288ac9827860428efe6431a9b6122394184fb1ee6a11642ac66231c9eb86b7995ab030ed093e9ef7811c031588a50232253b1b6b422b3ca441fa11f6a45ea9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6bd2d0327059ecef875fe65da0b370e4

SHA1
7fc47d907a4093280f71f15e57c147c154b55c42

SHA256
65532d2f327f5204f8cf7afff075ec18949e371e605a6c6982eef7da4b73041b

SHA512
e32c62410a0071be270467ceb6c415b5c08dc96e65a18b2a99f438b7beea4ba6f8a9fb1dc314f0f67eb22eac0c892aa9749a0710897c09bfa644091fcf0ade51

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
e634f305706f730f3b17427a63221d75

SHA1
3184a53c55661e0f0842a20066464939a8963ceb

SHA256
05bae3bf4cd248450116c5aeed8f8211f02879546f84881fd90d5d1bcbdc92df

SHA512
8dcfa034aeac1340d3b18b57b3a96105135668635fa54cfb62506495f68a43ffdb0fdb20b253513db0e245167e0bfb5638fbeb966f0ed9c7775ed4bdb8228772

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
42e42c419cb316d50354fc8e7bcd82df

SHA1
4b7fe710c754e440a4a93c88cb6322cf741deff2

SHA256
f4f85859a44543a74adc03b31506c0fd25e14297515d35e8c131dc82f27fd662

SHA512
5bcc70b99f8d985e91632b6bbeab6a176301a9aa34b6a4fcf0a4353a87ea359c7858a69aeafd916d328ad0296056d2569f8f6347e36280bcf2c96c2ac3f2af34

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
18c43f8f779fa952925a5134d0244fb2

SHA1
0b8c5b05e328cfa9672e0290dc19ed666d6b379c

SHA256
b3a99fab13d325bf824047954b7a7684cd71bc8741343b57c689969689eb8371

SHA512
b829c06e7a20f750e885cc9b3c9acf305a26f8e03104eb3c0c36189d936e8e6174b050d9aa900cd1b3de680383f89996ffe5c523450aafb92e8c5c53938ac27e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
d17f6f7389619a7045fecfc789257a2d

SHA1
08089995e8c25ba38acbd3eda211092fdc9284ec

SHA256
4d9b9149865d29f66806e51ae6128171cf0894794b3e8f71f00012a1f2a60403

SHA512
5feff96a67c696cb8fc40246b31255891aabb8f0b237fc6482474c0c4a979265f25336208a424dccc30dcca1256ece14c79cd58356b3dd67644e10fba91aed2d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
373cdeab4cd7a35f1e271fa7cb010107

SHA1
70a88ef79d5c1c7ef5e2dcd25ecb80cfd3294010

SHA256
cf2266d7206260026f4f21a01db574b63cbafed5b1dec94a5b6b9d053d09fd43

SHA512
d72fd669c5d621c642af6d6db58e1a26835bdb072645a412fe725abc4de9ed161712e30ee568a2bfb919b3e5b1d32d35641ac247bcfeb2b618c1bfc7a79c7d48

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
38ec5ddb2d8c31ea47036dbd6b74fd52

SHA1
f17519ecab37dec785f9e9032802071bf0e23eb9

SHA256
914a89d15d1981303057984f7957f90e6af714b39ca21f703baced15bd9657f3

SHA512
c1226f40c382d6e95a73e0aa5553f75b40710583dcd69f36170562d06e3fc75661a36784405f3edcc1fc343adeaef0cd3ed3e3df2f328c2324d43d511ede1167

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2b9d48c6d4167c07363d1868945a3302

SHA1
cb5a684d25aeaf891f99c1109af373f0b3e1af8a

SHA256
4c0974904ac6527eafa6fd8f462308d8352be437cbb5dc76b3edb240dd649902

SHA512
175b6427a1b3f1c9e76746a68f106d35fdb66c344cf4b17bbc0dfa9205d47cb4dc2d561f58ae2f1829c053a94847818dd5a320a4f629256218c2c7ddc836ff93

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
fb8f04a2e9af161e8fa3cf7e0b221222

SHA1
517ef00bb0ccae22cec2aded2aa7f844e0839655

SHA256
c1e10e7a3fb8baea636fe706836ed2fc3d94d1258f717140ee30a7c32e9ce647

SHA512
1b8a94a3f7210e087f9b977dcf2d0e9360a6843f80deffff11de7fce78ae0dfff301ab32440c658836409b315454477f02d54384f58d86334b7afd96cbbe9e35

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
59237764aece35daa2f122c9c99df7b4

SHA1
e482c53df72b9fe8984d92cefab291255aad89db

SHA256
425768351432c2b4c313f019b4cc72fa65bf830c70f8e117e2081945cab168e9

SHA512
687b232c62377227dce1a8e5778aa657f3d0f7e241387a18da8333f1a627b6f8980b36ebfcb7d7d544e934528c72fa934a7aa02347547abdd534c2455c73e2fa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
2a9bd3ac79f63fe70a8d1e131020d8e1

SHA1
68ef6a57732354018862d3a570542f7e4bca892c

SHA256
e5e99291d8e3cd9a4bbf4b348e30d1d56fc7db61722ef83a9595fc600fe9a987

SHA512
ffbec592c9ca7ff422b349a1e4cdc7b941a031e38622daa826f3bd7d76e8681e9932fe7d8d1e71aac1162adba537c7626458e544967441e3fb70cf23d1512892

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
229KB

MD5
fff4a39b46dc3c2495df586081f6eecf

SHA1
f5edd59c2432961f2010c3c1904b80d050211107

SHA256
2185786a430be197eb22a826a72dcd5148255de1da2efc5977f98c5fcd98a718

SHA512
3080de5665e2d986e2ba11e92ba4cea72ad0662e85dbc74e54d3c20fd4b55f9977786ef2201831ad058aa5d03c97bc69bcd29eac3586e7bf44c8de1bd4ffc084

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
229KB

MD5
825050b7500b0fda12a4718b00f2e067

SHA1
de6ce2079d570c184e65339069f771a0104992c9

SHA256
95d994c003a3b4a86eea772670036dfd210555b9bace35a3c1ec5fb206ca0190

SHA512
b5141c279ddd1f86e3cc6911513678ec4cc2ff8adc5353e0b563d1f1830d0b280e2c354d6252c0dbeb26a60237cb81208838a91819755f640e1daa5e7b8b1d78

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
229KB

MD5
1fae91db52dbb6fee121bd68587afaa7

SHA1
920504e4de4e76f3eb1d9409fce829c9577ace92

SHA256
a27a041f2bc896d24ffa78f7639dff04ae8ced3b09084a2d7aa4bd7c3b7b7413

SHA512
ace5e8b75204b1bc3be3d01f4d347a71b19f89ae1848d0b087ea8cfef9fad28204b77238b44e9883b8643c120d1813e4c433525dcf2b8013a43681480328b2ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8749e21d9d0a17dac32d5aa2027f7a75

SHA1
a5d555f8b035c7938a4a864e89218c0402ab7cde

SHA256
915193bd331ee9ea7c750398a37fbb552b8c5a1d90edec6293688296bda6f304

SHA512
c645a41180ed01e854f197868283f9b40620dbbc813a1c122f6870db574ebc1c4917da4d320bdfd1cc67f23303a2c6d74e4f36dd9d3ffcfa92d3dfca3b7ca31a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
33c736647b3355b11b34afecd49f910c

SHA1
058f992b47e7c5f3fbd25a836383ad87e18dec16

SHA256
e848f313b7a712d2c6143ed59f93ca03f753c5dc7252feb7b63de991dc75029e

SHA512
40dfd354ecb2165f22655cb7230e58f0c0f0c8343368c1af8d91690d6e68e01b9c1fe255a493ed2291b41831117777914370ad4ad40c983b5fb1e5f8a88e1594

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f7efc6992499d246d2a5aeec7fd72d0d

SHA1
7f5cfb0fdf9a6842002fd99c180fd89037f6909c

SHA256
49878b6da135f7e56923f9df275b0caa9b90dc8af6118137db403f416103bcca

SHA512
aeb70df17783d3a5bdbae1cc479f36b9059534cf5ede571fea614bcea832a984b417af065e60e3d886dcf16a2c593acc148d259a08dd5750df2a8046b6d1c2ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
34d2c4f40f47672ecdf6f66fea242f4a

SHA1
4bcad62542aeb44cae38a907d8b5a8604115ada2

SHA256
b214e3affb02a2ea4469a8bbdfa8a179e7cc57cababd83b4bafae9cdbe23fa33

SHA512
50fba54ec95d694211a005d0e3e6cf5b5677efa16989cbf854207a1a67e3a139f32b757c6f2ce824a48f621440b93fde60ad1dc790fcec4b76edddd0d92a75d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
499df919e649e11c2684c83ed917820f

SHA1
15c85c9e0a76cd923367bd9f3688b9fbda9b14f0

SHA256
5e6052e18b3c04b45a98c325ca100f99cc4afa9fa96eca1b6c8e8adca9f769df

SHA512
c82a7382ef72484d406c3d3a1d25098b37d719148cea8c065091060283b4e42224167f49755973f50a27b71745854539d8f36fc948d37c06d22ea44635782674

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
14d61b2ef0b6df5df9060418da8be3f0

SHA1
0ce76bcb2f4849196a4a1693b06d4468e590014b

SHA256
44d7850197378a4579ed6245dcd65d777b8b071bcc6a78eb1a7b5157c5803c92

SHA512
4f821ade93b7da928d83bde065dd74a7fcc93b753d12141d1fbd89a38b5ff1b6fb9bd5797b03f9665a6bfc170785e323acc6d126ec10422de46b04aabb9868f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe5c9c09.TMP

Filesize
1KB

MD5
92e64a10be0cc6c4e7378acab6963370

SHA1
915627afb268b0e83fe80cde6ccb44c2a0e66c3d

SHA256
7cac4dfecf5bb3555cbe0632b9aa5779b6bf922187958c384727b63f8062169f

SHA512
44f2a6c7017e48d9c533bd7327582f7f42a6fe27509efc4b079862efb7a8671edc791de12b66e6722d6e57b77888b42a3229de911c5f6057cb256671210d62f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
ec1c4c851451274a50769aee9e413be9

SHA1
10836380429d2012fa0485e763c3b8a1ad8e1d81

SHA256
993a7f4026f345cdc46dbf11048662678c71c828b42d5923470faa563abbbe62

SHA512
37e9125af328e95e19a5b9cfbfcc21e816ac4d491205a0ec4048de5bf91cd567ff968915259021b03adc53944aac32369a17659eec4a07ec92ea4b6b18ba76ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
731B

MD5
5e5e2e2b04262f1d31629da4f7005f00

SHA1
68b16c76a2518cc203843a28ed4608ab77ee2615

SHA256
37f365c064641071f76700036012162aab675e4b74ada12aa18ca8a1a14f935f

SHA512
dece66d5c92d088f18ebbdb5282fee89a706188a091d9b8af35b4da952aaf2849e2567aa392e9d6565797b032066ce3f71aa8caf711bbc746411555401ce4a4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
579B

MD5
e51401bdf1eae288a9ba5d952ebb3aa9

SHA1
5effd82fee8231e1294fd404dd1f10caf5c41fd2

SHA256
a08ea4c022c5207583d92dedf27194f6d81335b90bef42e90132333220a52fa2

SHA512
f777e86f2eb64d2c31afba76f544f9a65392b0d77de18e16d6a2b5534f43febc083f757d37c0719b29b556c5f73b1238c0857ee7b9a6e18c0c9c99ca54133edb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
221768492fec97ab626b4aeeb71efc65

SHA1
9253fc185cf44815aac0966fe5b96f8ddeca66c2

SHA256
66b343a76862c5caceb428dc6691f6ec447d44c17c5c90ea3c809d6920d627b2

SHA512
6c413955d784e05fddcaaf707f63d3790111dd5d44e0ef60396d090b0851d13b992dcdae29399057e6436cc6ac1da0a0c1f7014cad6daf5108a6a7a184487696

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6207ea9ec07bb209c9234e74904d7353

SHA1
745a0f22858aac4bbc48a02773ad7b2a89c46df7

SHA256
25439e6f1e6800d6604ecad8c4a858f3d0813691ff63166e716956743347bc3b

SHA512
adfee0b80d3767066323c2725ee91b7b9e97fa1d5d7ccdb7d3d6e3fe71447b0455f5f5ff5fad729b8b6fe307814e252bfea544a4a589f806b4cecfdda498ce6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
751b2d3de54c5f84680693bd6b8bf920

SHA1
b1fb5274164405c194efcdcfe378f19f78bbafe5

SHA256
b22d5195cc9e41a696fcae3a7e954041acaf8f79bba4be7545bc4bf22889acb1

SHA512
4a4f37cd8f6b9eb00f00bfd2d8852dd362ead25de2de205448adfc1df7a63b8116ad35b6d6936ed7f1f35f05fa6e01892acd7098de766dc5914783da2dcc5494

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6cad8713fc1ba99dc2c8c0a27ff20d66

SHA1
92454443a76c29d04b9f3558c2f8f5d5f86651ae

SHA256
9c9cf8f7ee8ef71da07ef9fadf691370923d702bb0d59e58be0b7010e1afa39c

SHA512
590634c7d0a19a5025f4cb99e32da8a7b6c8b1d5f21ba0c9a6c9686dae2ddce9f80a66149185d434126d9912f0679ed4959ee73d60ca3a843edde7fa1db40ce8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c9e88d0a43db0f05a91207e803b6e4b7

SHA1
e26d90119c51154756e64caf8dd10fcd46ee34de

SHA256
bc11337d8dd3558c27cefa53bdabe50edda1eda459611661e2509d941aa1a037

SHA512
e25d0ac53e80d4de1d943705b539458504d3e0dbf63053bf0189bf057eae65251b0e1aa6154815c6961e21486159246bfd761412d15be68b738437224cc7be42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
91647b9a5d1cf139b2bd3a6b06bc22d1

SHA1
2cd602bedda17cb341faa3f0b94758d6bb00d052

SHA256
973e8e2f527ba025362b826bc76cd0b1ec6dfb2974ab2d908a2e141f6104592a

SHA512
08ccdd97ed00ba32177d4ded038ec865b788950e61de18255d58fe8065e12b9e593c83ee72de15ca4e5b3eeaf767c28b9583220d238c57be63a159f447b4af71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
a14b9d3c39d3e8a1f1290ef4d8bedb02

SHA1
d46992ed50b167b38897bc7d8092bde423456180

SHA256
dad6ab41739531281884c1fa1941b5bbb20465b6e24c5de9e7f96c440a6965c9

SHA512
3fb65b7924cad9e9447cd480eae9b2bd4a79dd0a9a042bcca51f83fdf08027c8658c3f718de6378d9b3403cd338bc21f70be7933fc961c3c965736c83be3beb7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
665d9801f25e94ba0bfe941b8bf35bf4

SHA1
b683f4c8ce24196c4b6969d6709494c9b1a6825e

SHA256
9cd3dc713b424478102d565ff774fc67c5a249c3f8d06120534f1ee102e6ad2a

SHA512
1db4c328c8d5a9ac67434541db950aeb14e2d3bb165834a3112398f60e8d49387cee6bfadaa07c10701f0c68beb87e933811f1f4b00a526e2aa81638361b1147

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
65c7ce7d09f8778f50ab242ff2bb1a19

SHA1
8732f7e0e3f85fd0a32f968190fd39f597e1f86d

SHA256
c7b1a1bd8cc3467d4424dd26dbe5ebb94ed328014b24d7fd0e1269487b2ddcc1

SHA512
80b58ff7493df13063cd503389b46b03782e68a9e033ff74022659f8aa475d00a6c5eb50813bce94468e1f8c933b68fcc4a1b045fcfac9376bc13d7323ad6ec3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57d4b5.TMP

Filesize
874B

MD5
11fe337d3dfe1fbec7875b2ecea7bb93

SHA1
c1f177a4db7843b84a92ebd3e1a0fdc00e294adc

SHA256
d25342e2f1073d34f63962c407348a82f41cba943fb01095cfa3bc5b837250fe

SHA512
266a52ec2237f24581e2f404d6b91b3fb3815820a2b45590ff30ded9482a7a25313250a52e52ec9c98d80523923c044c675302394fc8f4883ea70de802aea5b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\fcdf0509-9d2b-425f-a751-c0ea43f94e8d.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
fb3d20a6651af774cc6971a6158b17b0

SHA1
24ea9afaea3a3f3fb5cf8e0fa19546afd821107f

SHA256
db947280990a5d599627a5432db0c9fd0d2681e0e467e08e10c5514b78322649

SHA512
d993e115af8c73bec162940760add9116b6cc4fdad77e63bf42a5b85f00fd44a9a71c8d5f894433978e482d3a47d562570ed03f5216dcf8388754d765f824710

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b45bc6b0f7bae4a17a6c4dd8b6d7c907

SHA1
9e178064e75b29ed149b040bb314bac4df16b31a

SHA256
b089ae8ff655e962b6e5de73a8d17c8c7207e578a35c15ce5665ae26c8278744

SHA512
8720eb110e390435b249a8b6f0d73115ac046033ef42a7d011b6d57d6c6fb3264bad61e549b7c6490dc74dc279874e16434cd5ea322dc2fe795310bfdd8ab35f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
2970dadb73c1062c6ea0fa5c0d71b22f

SHA1
6534aa4dd860c1d1217e43e656280b5983089f42

SHA256
819cd2935966d68a8252a129e200b9bcab7df2e67b507b53cf4bad33a2ab50d6

SHA512
50692ae15e14689d29de87de76c54e782c8e6f2016d02fe292bb8047b2dfb504966d00f977b8fb8870ee7c39f38e6b0ed49ac3b4d01ea9da31764a068f396570

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]

Filesize
933B

MD5
7e6b6da7c61fcb66f3f30166871def5b

SHA1
00f699cf9bbc0308f6e101283eca15a7c566d4f9

SHA256
4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e

SHA512
e5a56137f325904e0c7de1d0df38745f733652214f0cdb6ef173fa0743a334f95bed274df79469e270c9208e6bdc2e6251ef0cdd81af20fa1897929663e2c7d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\TaskData\Tor\tor.exe

Filesize
3.0MB

MD5
fe7eb54691ad6e6af77f8a9a0b6de26d

SHA1
53912d33bec3375153b7e4e68b78d66dab62671a

SHA256
e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb

SHA512
8ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

Filesize
8.1MB

MD5
fd52295f461170c96ac553619b36d10f

SHA1
da9a9719c8f9f9990dd05ad2bbba497c758f3a56

SHA256
e2fc2d2902747766a3db4812052e465d5460d15cb343aaa7d0aa57fed98e62fb

SHA512
d6df9d9fa34842303537920c0d4c42451280b2f3c2e4b490df6dacafef495cbb9065588ebd74ebc507857eddae3916389fc598baf6ba960aac6b209a924f1f90

Download Submit
C:\Users\Admin\Desktop\b.wnry

Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
C:\Users\Admin\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

Filesize
3.4MB

MD5
84c82835a5d21bbcf75a61706d8ab549

SHA1
5ff465afaabcbf0150d1a3ab2c2e74f3a4426467

SHA256
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

SHA512
90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244

Download Submit
C:\Users\Admin\Desktop\msg\m_bulgarian.wnry

Filesize
46KB

MD5
95673b0f968c0f55b32204361940d184

SHA1
81e427d15a1a826b93e91c3d2fa65221c8ca9cff

SHA256
40b37e7b80cf678d7dd302aaf41b88135ade6ddf44d89bdba19cf171564444bd

SHA512
7601f1883edbb4150a9dc17084012323b3bfa66f6d19d3d0355cf82b6a1c9dce475d758da18b6d17a8b321bf6fca20915224dbaedcb3f4d16abfaf7a5fc21b92

Download Submit
C:\Users\Admin\Desktop\msg\m_chinese (simplified).wnry

Filesize
53KB

MD5
0252d45ca21c8e43c9742285c48e91ad

SHA1
5c14551d2736eef3a1c1970cc492206e531703c1

SHA256
845d0e178aeebd6c7e2a2e9697b2bf6cf02028c50c288b3ba88fe2918ea2834a

SHA512
1bfcf6c0e7c977d777f12bd20ac347630999c4d99bd706b40de7ff8f2f52e02560d68093142cc93722095657807a1480ce3fb6a2e000c488550548c497998755

Download Submit
C:\Users\Admin\Desktop\msg\m_chinese (traditional).wnry

Filesize
77KB

MD5
2efc3690d67cd073a9406a25005f7cea

SHA1
52c07f98870eabace6ec370b7eb562751e8067e9

SHA256
5c7f6ad1ec4bc2c8e2c9c126633215daba7de731ac8b12be10ca157417c97f3a

SHA512
0766c58e64d9cda5328e00b86f8482316e944aa2c26523a3c37289e22c34be4b70937033bebdb217f675e40db9fecdce0a0d516f9065a170e28286c2d218487c

Download Submit
C:\Users\Admin\Desktop\msg\m_croatian.wnry

Filesize
38KB

MD5
17194003fa70ce477326ce2f6deeb270

SHA1
e325988f68d327743926ea317abb9882f347fa73

SHA256
3f33734b2d34cce83936ce99c3494cd845f1d2c02d7f6da31d42dfc1ca15a171

SHA512
dcf4ccf0b352a8b271827b3b8e181f7d6502ca0f8c9dda3dc6e53441bb4ae6e77b49c9c947cc3ede0bf323f09140a0c068a907f3c23ea2a8495d1ad96820051c

Download Submit
C:\Users\Admin\Desktop\msg\m_czech.wnry

Filesize
39KB

MD5
537efeecdfa94cc421e58fd82a58ba9e

SHA1
3609456e16bc16ba447979f3aa69221290ec17d0

SHA256
5afa4753afa048c6d6c39327ce674f27f5f6e5d3f2a060b7a8aed61725481150

SHA512
e007786ffa09ccd5a24e5c6504c8de444929a2faaafad3712367c05615b7e1b0fbf7fbfff7028ed3f832ce226957390d8bf54308870e9ed597948a838da1137b

Download Submit
C:\Users\Admin\Desktop\msg\m_danish.wnry

Filesize
36KB

MD5
2c5a3b81d5c4715b7bea01033367fcb5

SHA1
b548b45da8463e17199daafd34c23591f94e82cd

SHA256
a75bb44284b9db8d702692f84909a7e23f21141866adf3db888042e9109a1cb6

SHA512
490c5a892fac801b853c348477b1140755d4c53ca05726ac19d3649af4285c93523393a3667e209c71c80ac06ffd809f62dd69ae65012dcb00445d032f1277b3

Download Submit
C:\Users\Admin\Desktop\msg\m_dutch.wnry

Filesize
36KB

MD5
7a8d499407c6a647c03c4471a67eaad7

SHA1
d573b6ac8e7e04a05cbbd6b7f6a9842f371d343b

SHA256
2c95bef914da6c50d7bdedec601e589fbb4fda24c4863a7260f4f72bd025799c

SHA512
608ef3ff0a517fe1e70ff41aeb277821565c5a9bee5103aa5e45c68d4763fce507c2a34d810f4cd242d163181f8341d9a69e93fe32aded6fbc7f544c55743f12

Download Submit
C:\Users\Admin\Desktop\msg\m_english.wnry

Filesize
36KB

MD5
fe68c2dc0d2419b38f44d83f2fcf232e

SHA1
6c6e49949957215aa2f3dfb72207d249adf36283

SHA256
26fd072fda6e12f8c2d3292086ef0390785efa2c556e2a88bd4673102af703e5

SHA512
941fa0a1f6a5756ed54260994db6158a7ebeb9e18b5c8ca2f6530c579bc4455918df0b38c609f501ca466b3cc067b40e4b861ad6513373b483b36338ae20a810

Download Submit
C:\Users\Admin\Desktop\msg\m_filipino.wnry

Filesize
36KB

MD5
08b9e69b57e4c9b966664f8e1c27ab09

SHA1
2da1025bbbfb3cd308070765fc0893a48e5a85fa

SHA256
d8489f8c16318e524b45de8b35d7e2c3cd8ed4821c136f12f5ef3c9fc3321324

SHA512
966b5ed68be6b5ccd46e0de1fa868cfe5432d9bf82e1e2f6eb99b2aef3c92f88d96f4f4eec5e16381b9c6db80a68071e7124ca1474d664bdd77e1817ec600cb4

Download Submit
C:\Users\Admin\Desktop\msg\m_finnish.wnry

Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Admin\Desktop\msg\m_french.wnry

Filesize
37KB

MD5
4e57113a6bf6b88fdd32782a4a381274

SHA1
0fccbc91f0f94453d91670c6794f71348711061d

SHA256
9bd38110e6523547aed50617ddc77d0920d408faeed2b7a21ab163fda22177bc

SHA512
4f1918a12269c654d44e9d394bc209ef0bc32242be8833a2fba437b879125177e149f56f2fb0c302330dec328139b34982c04b3fefb045612b6cc9f83ec85aa9

Download Submit
C:\Users\Admin\Desktop\msg\m_german.wnry

Filesize
36KB

MD5
3d59bbb5553fe03a89f817819540f469

SHA1
26781d4b06ff704800b463d0f1fca3afd923a9fe

SHA256
2adc900fafa9938d85ce53cb793271f37af40cf499bcc454f44975db533f0b61

SHA512
95719ae80589f71209bb3cb953276538040e7111b994d757b0a24283aefe27aadbbe9eef3f1f823ce4cabc1090946d4a2a558607ac6cac6faca5971529b34dac

Download Submit
C:\Users\Admin\Desktop\msg\m_greek.wnry

Filesize
47KB

MD5
fb4e8718fea95bb7479727fde80cb424

SHA1
1088c7653cba385fe994e9ae34a6595898f20aeb

SHA256
e13cc9b13aa5074dc45d50379eceb17ee39a0c2531ab617d93800fe236758ca9

SHA512
24db377af1569e4e2b2ebccec42564cea95a30f1ff43bcaf25a692f99567e027bcef4aacef008ec5f64ea2eef0c04be88d2b30bcadabb3919b5f45a6633940cb

Download Submit
C:\Users\Admin\Desktop\msg\m_indonesian.wnry

Filesize
36KB

MD5
3788f91c694dfc48e12417ce93356b0f

SHA1
eb3b87f7f654b604daf3484da9e02ca6c4ea98b7

SHA256
23e5e738aad10fb8ef89aa0285269aff728070080158fd3e7792fe9ed47c51f4

SHA512
b7dd9e6dc7c2d023ff958caf132f0544c76fae3b2d8e49753257676cc541735807b4befdf483bcae94c2dcde3c878c783b4a89dca0fecbc78f5bbf7c356f35cd

Download Submit
C:\Users\Admin\Desktop\msg\m_italian.wnry

Filesize
36KB

MD5
30a200f78498990095b36f574b6e8690

SHA1
c4b1b3c087bd12b063e98bca464cd05f3f7b7882

SHA256
49f2c739e7d9745c0834dc817a71bf6676ccc24a4c28dcddf8844093aab3df07

SHA512
c0da2aae82c397f6943a0a7b838f60eeef8f57192c5f498f2ecf05db824cfeb6d6ca830bf3715da7ee400aa8362bd64dc835298f3f0085ae7a744e6e6c690511

Download Submit
C:\Users\Admin\Desktop\msg\m_japanese.wnry

Filesize
79KB

MD5
b77e1221f7ecd0b5d696cb66cda1609e

SHA1
51eb7a254a33d05edf188ded653005dc82de8a46

SHA256
7e491e7b48d6e34f916624c1cda9f024e86fcbec56acda35e27fa99d530d017e

SHA512
f435fd67954787e6b87460db026759410fbd25b2f6ea758118749c113a50192446861a114358443a129be817020b50f21d27b1ebd3d22c7be62082e8b45223fc

Download Submit
C:\Users\Admin\Desktop\msg\m_korean.wnry

Filesize
89KB

MD5
6735cb43fe44832b061eeb3f5956b099

SHA1
d636daf64d524f81367ea92fdafa3726c909bee1

SHA256
552aa0f82f37c9601114974228d4fc54f7434fe3ae7a276ef1ae98a0f608f1d0

SHA512
60272801909dbba21578b22c49f6b0ba8cd0070f116476ff35b3ac8347b987790e4cc0334724244c4b13415a246e77a577230029e4561ae6f04a598c3f536c7e

Download Submit
C:\Users\Admin\Desktop\msg\m_latvian.wnry

Filesize
40KB

MD5
c33afb4ecc04ee1bcc6975bea49abe40

SHA1
fbea4f170507cde02b839527ef50b7ec74b4821f

SHA256
a0356696877f2d94d645ae2df6ce6b370bd5c0d6db3d36def44e714525de0536

SHA512
0d435f0836f61a5ff55b78c02fa47b191e5807a79d8a6e991f3115743df2141b3db42ba8bdad9ad259e12f5800828e9e72d7c94a6a5259312a447d669b03ec44

Download Submit
C:\Users\Admin\Desktop\msg\m_norwegian.wnry

Filesize
36KB

MD5
ff70cc7c00951084175d12128ce02399

SHA1
75ad3b1ad4fb14813882d88e952208c648f1fd18

SHA256
cb5da96b3dfcf4394713623dbf3831b2a0b8be63987f563e1c32edeb74cb6c3a

SHA512
f01df3256d49325e5ec49fd265aa3f176020c8ffec60eb1d828c75a3fa18ff8634e1de824d77dfdd833768acff1f547303104620c70066a2708654a07ef22e19

Download Submit
C:\Users\Admin\Desktop\msg\m_polish.wnry

Filesize
38KB

MD5
e79d7f2833a9c2e2553c7fe04a1b63f4

SHA1
3d9f56d2381b8fe16042aa7c4feb1b33f2baebff

SHA256
519ad66009a6c127400c6c09e079903223bd82ecc18ad71b8e5cd79f5f9c053e

SHA512
e0159c753491cac7606a7250f332e87bc6b14876bc7a1cf5625fa56ab4f09c485f7b231dd52e4ff0f5f3c29862afb1124c0efd0741613eb97a83cbe2668af5de

Download Submit
C:\Users\Admin\Desktop\msg\m_portuguese.wnry

Filesize
37KB

MD5
fa948f7d8dfb21ceddd6794f2d56b44f

SHA1
ca915fbe020caa88dd776d89632d7866f660fc7a

SHA256
bd9f4b3aedf4f81f37ec0a028aabcb0e9a900e6b4de04e9271c8db81432e2a66

SHA512
0d211bfb0ae953081dca00cd07f8c908c174fd6c47a8001fadc614203f0e55d9fbb7fa9b87c735d57101341ab36af443918ee00737ed4c19ace0a2b85497f41a

Download Submit
C:\Users\Admin\Desktop\msg\m_romanian.wnry

Filesize
50KB

MD5
313e0ececd24f4fa1504118a11bc7986

SHA1
e1b9ae804c7fb1d27f39db18dc0647bb04e75e9d

SHA256
70c0f32ed379ae899e5ac975e20bbbacd295cf7cd50c36174d2602420c770ac1

SHA512
c7500363c61baf8b77fce796d750f8f5e6886ff0a10f81c3240ea3ad4e5f101b597490dea8ab6bd9193457d35d8fd579fce1b88a1c8d85ebe96c66d909630730

Download Submit
C:\Users\Admin\Desktop\msg\m_russian.wnry

Filesize
46KB

MD5
452615db2336d60af7e2057481e4cab5

SHA1
442e31f6556b3d7de6eb85fbac3d2957b7f5eac6

SHA256
02932052fafe97e6acaaf9f391738a3a826f5434b1a013abbfa7a6c1ade1e078

SHA512
7613dc329abe7a3f32164c9a6b660f209a84b774ab9c008bf6503c76255b30ea9a743a6dc49a8de8df0bcb9aea5a33f7408ba27848d9562583ff51991910911f

Download Submit
C:\Users\Admin\Desktop\msg\m_slovak.wnry

Filesize
40KB

MD5
c911aba4ab1da6c28cf86338ab2ab6cc

SHA1
fee0fd58b8efe76077620d8abc7500dbfef7c5b0

SHA256
e64178e339c8e10eac17a236a67b892d0447eb67b1dcd149763dad6fd9f72729

SHA512
3491ed285a091a123a1a6d61aafbb8d5621ccc9e045a237a2f9c2cf6049e7420eb96ef30fdcea856b50454436e2ec468770f8d585752d73fafd676c4ef5e800a

Download Submit
C:\Users\Admin\Desktop\msg\m_spanish.wnry

Filesize
36KB

MD5
8d61648d34cba8ae9d1e2a219019add1

SHA1
2091e42fc17a0cc2f235650f7aad87abf8ba22c2

SHA256
72f20024b2f69b45a1391f0a6474e9f6349625ce329f5444aec7401fe31f8de1

SHA512
68489c33ba89edfe2e3aebaacf8ef848d2ea88dcbef9609c258662605e02d12cfa4ffdc1d266fc5878488e296d2848b2cb0bbd45f1e86ef959bab6162d284079

Download Submit
C:\Users\Admin\Desktop\msg\m_swedish.wnry

Filesize
37KB

MD5
c7a19984eb9f37198652eaf2fd1ee25c

SHA1
06eafed025cf8c4d76966bf382ab0c5e1bd6a0ae

SHA256
146f61db72297c9c0facffd560487f8d6a2846ecec92ecc7db19c8d618dbc3a4

SHA512
43dd159f9c2eac147cbff1dda83f6a83dd0c59d2d7acac35ba8b407a04ec9a1110a6a8737535d060d100ede1cb75078cf742c383948c9d4037ef459d150f6020

Download Submit
C:\Users\Admin\Desktop\msg\m_turkish.wnry

Filesize
41KB

MD5
531ba6b1a5460fc9446946f91cc8c94b

SHA1
cc56978681bd546fd82d87926b5d9905c92a5803

SHA256
6db650836d64350bbde2ab324407b8e474fc041098c41ecac6fd77d632a36415

SHA512
ef25c3cf4343df85954114f59933c7cc8107266c8bcac3b5ea7718eb74dbee8ca8a02da39057e6ef26b64f1dfccd720dd3bf473f5ae340ba56941e87d6b796c9

Download Submit
C:\Users\Admin\Desktop\msg\m_vietnamese.wnry

Filesize
91KB

MD5
8419be28a0dcec3f55823620922b00fa

SHA1
2e4791f9cdfca8abf345d606f313d22b36c46b92

SHA256
1f21838b244c80f8bed6f6977aa8a557b419cf22ba35b1fd4bf0f98989c5bdf8

SHA512
8fca77e54480aea3c0c7a705263ed8fb83c58974f5f0f62f12cc97c8e0506ba2cdb59b70e59e9a6c44dd7cde6adeeec35b494d31a6a146ff5ba7006136ab9386

Download Submit
C:\Users\Admin\Desktop\r.wnry

Filesize
864B

MD5
3e0020fc529b1c2a061016dd2469ba96

SHA1
c3a91c22b63f6fe709e7c29cafb29a2ee83e6ade

SHA256
402751fa49e0cb68fe052cb3db87b05e71c1d950984d339940cf6b29409f2a7c

SHA512
5ca3c134201ed39d96d72911c0498bae6f98701513fd7f1dc8512819b673f0ea580510fa94ed9413ccc73da18b39903772a7cbfa3478176181cee68c896e14cf

Download Submit
C:\Users\Admin\Desktop\s.wnry

Filesize
2.9MB

MD5
ad4c9de7c8c40813f200ba1c2fa33083

SHA1
d1af27518d455d432b62d73c6a1497d032f6120e

SHA256
e18fdd912dfe5b45776e68d578c3af3547886cf1353d7086c8bee037436dff4b

SHA512
115733d08e5f1a514808a20b070db7ff453fd149865f49c04365a8c6502fa1e5c3a31da3e21f688ab040f583cf1224a544aea9708ffab21405dde1c57f98e617

Download Submit
C:\Users\Admin\Desktop\t.wnry

Filesize
64KB

MD5
5dcaac857e695a65f5c3ef1441a73a8f

SHA1
7b10aaeee05e7a1efb43d9f837e9356ad55c07dd

SHA256
97ebce49b14c46bebc9ec2448d00e1e397123b256e2be9eba5140688e7bc0ae6

SHA512
06eb5e49d19b71a99770d1b11a5bb64a54bf3352f36e39a153469e54205075c203b08128dc2317259db206ab5323bdd93aaa252a066f57fb5c52ff28deedb5e2

Download Submit
C:\Users\Admin\Desktop\taskdl.exe

Filesize
20KB

MD5
4fef5e34143e646dbf9907c4374276f5

SHA1
47a9ad4125b6bd7c55e4e7da251e23f089407b8f

SHA256
4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79

SHA512
4550dd1787deb353ebd28363dd2cdccca861f6a5d9358120fa6aa23baa478b2a9eb43cef5e3f6426f708a0753491710ac05483fac4a046c26bec4234122434d5

Download Submit
C:\Users\Admin\Desktop\taskse.exe

Filesize
20KB

MD5
8495400f199ac77853c53b5a3f278f3e

SHA1
be5d6279874da315e3080b06083757aad9b32c23

SHA256
2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d

SHA512
0669c524a295a049fa4629b26f89788b2a74e1840bcdc50e093a0bd40830dd1279c9597937301c0072db6ece70adee4ace67c3c8a4fb2db6deafd8f1e887abe4

Download Submit
C:\Users\Admin\Desktop\u.wnry

Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry.zip

Filesize
3.3MB

MD5
efe76bf09daba2c594d2bc173d9b5cf0

SHA1
ba5de52939cb809eae10fdbb7fac47095a9599a7

SHA256
707a9f323556179571bc832e34fa592066b1d5f2cac4a7426fe163597e3e618a

SHA512
4a1df71925cf2eb49c38f07c6a95bea17752b025f0114c6fd81bc0841c1d1f2965b5dda1469e454b9e8207c2e0dfd3df0959e57166620ccff86eeeb5cf855029

Download Submit
\??\pipe\LOCAL\crashpad_4272_NRRUAPPPIAFQDGXV

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2736-2246-0x0000000000BA0000-0x0000000000E9E000-memory.dmp

Filesize
3.0MB

Download
memory/2736-2202-0x0000000073AA0000-0x0000000073AC2000-memory.dmp

Filesize
136KB

Download
memory/2736-2199-0x00000000737F0000-0x0000000073872000-memory.dmp

Filesize
520KB

Download
memory/2736-2215-0x0000000073AA0000-0x0000000073AC2000-memory.dmp

Filesize
136KB

Download
memory/2736-2214-0x0000000073AD0000-0x0000000073B52000-memory.dmp

Filesize
520KB

Download
memory/2736-2213-0x0000000000BA0000-0x0000000000E9E000-memory.dmp

Filesize
3.0MB

Download
memory/2736-2239-0x0000000000BA0000-0x0000000000E9E000-memory.dmp

Filesize
3.0MB

Download
memory/2736-2216-0x0000000073880000-0x0000000073A9C000-memory.dmp

Filesize
2.1MB

Download
memory/2736-2217-0x0000000073B60000-0x0000000073B7C000-memory.dmp

Filesize
112KB

Download
memory/2736-2219-0x00000000737F0000-0x0000000073872000-memory.dmp

Filesize
520KB

Download
memory/2736-2200-0x0000000073880000-0x0000000073A9C000-memory.dmp

Filesize
2.1MB

Download
memory/2736-2218-0x0000000073770000-0x00000000737E7000-memory.dmp

Filesize
476KB

Download
memory/2736-2201-0x0000000073AD0000-0x0000000073B52000-memory.dmp

Filesize
520KB

Download
memory/2736-2203-0x0000000000BA0000-0x0000000000E9E000-memory.dmp

Filesize
3.0MB

Download
memory/2800-778-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/4804-443-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/4948-367-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download