wannacry | hxxps://www[.]google[.]com

Resubmissions

11/04/2025, 22:29

250411-2d7tha1px9 10

11/04/2025, 22:25

250411-2cdh9s1n15 8

11/04/2025, 22:18

250411-18aa2s1mw8 10

Analysis

max time kernel
304s
max time network
305s
platform
windows10-2004_x64
resource
win10v2004-20250410-en
resource tags

arch:x64arch:x86image:win10v2004-20250410-enlocale:en-usos:windows10-2004-x64system
submitted
11/04/2025, 22:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.google.com

Score

10^/10

wannacry defense_evasion discovery execution impact persistence ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\Ransomware.WannaCry\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Wannacry family
wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD2EEC.tmp	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD2EF3.tmp	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

Executes dropped EXE 10 IoCs

pid	Process
4620	taskdl.exe
2848	@[email protected]
1768	@[email protected]
4464	taskhsvc.exe
4288	taskse.exe
5424	@[email protected]
5980	taskdl.exe
5684	taskse.exe
1660	@[email protected]
4288	taskdl.exe

Loads dropped DLL 9 IoCs

pid	Process
5368	msedge.exe
4464	taskhsvc.exe
4464	taskhsvc.exe
4464	taskhsvc.exe
4464	taskhsvc.exe
4464	taskhsvc.exe
4464	taskhsvc.exe
4464	taskhsvc.exe
4464	taskhsvc.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4640	icacls.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vteizzisrx942 = "\"C:\\Users\\Admin\\Downloads\\Ransomware.WannaCry\\tasksche.exe\""	reg.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
192	raw.githubusercontent.com
193	raw.githubusercontent.com
194	raw.githubusercontent.com
217	raw.githubusercontent.com
253	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5368_1092043783\hyph-hi.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5368_1092043783\hyph-kn.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5368_1092043783\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5368_1092043783\hyph-gu.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5368_1092043783\hyph-mul-ethi.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5368_1092043783\hyph-sk.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5368_1092043783\hyph-sq.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5368_1092043783\hyph-gl.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5368_1175698104\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5368_1363076724\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5368_1092043783\hyph-be.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5368_1092043783\hyph-fr.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5368_1092043783\hyph-und-ethi.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5368_1092043783\hyph-bn.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5368_1092043783\hyph-pt.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5368_1092043783\hyph-tk.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5368_322405095\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5368_1363076724\well_known_domains.dll	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5368_1363076724\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5368_659200126\Microsoft.CognitiveServices.Speech.core.dll	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5368_1092043783\hyph-de-1996.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5368_1092043783\hyph-hr.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5368_1092043783\hyph-ka.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5368_1092043783\hyph-el.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5368_1092043783\hyph-ga.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5368_1092043783\hyph-or.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5368_1175698104\deny_etld1_domains.list	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5368_1092043783\hyph-as.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5368_1092043783\hyph-en-gb.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5368_1092043783\hyph-eu.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5368_1092043783\hyph-it.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5368_1092043783\hyph-af.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5368_1092043783\hyph-en-us.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5368_1092043783\hyph-la.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5368_1092043783\hyph-te.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5368_1175698104\deny_full_domains.list	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5368_659200126\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5368_1092043783\hyph-cy.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5368_1092043783\hyph-lt.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5368_1092043783\hyph-sv.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5368_1533796692\_metadata\verified_contents.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5368_1175698104\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5368_1374544241\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5368_1092043783\hyph-es.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5368_1092043783\hyph-nl.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5368_1092043783\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5368_1374544241\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5368_1092043783\hyph-cu.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5368_1092043783\hyph-hu.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5368_1092043783\hyph-hy.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5368_1092043783\hyph-pa.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5368_1092043783\hyph-ta.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5368_1175698104\deny_domains.list	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5368_1374544241\crs.pb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5368_659200126\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5368_1092043783\hyph-bg.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5368_1092043783\hyph-ml.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5368_1092043783\hyph-mn-cyrl.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5368_1092043783\hyph-sl.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5368_1092043783\hyph-uk.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5368_1533796692\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5368_1092043783\hyph-cs.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5368_1092043783\hyph-et.hyb	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5368_1092043783\hyph-lv.hyb	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	msedge.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133888835480876430"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3078542121-369484597-920690335-1000\{43426948-73D6-437C-A425-D3477DAAFE37}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3078542121-369484597-920690335-1000_Classes\Local Settings	msedge.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
3796	reg.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
5620	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4340	msedge.exe
4340	msedge.exe
4464	taskhsvc.exe
4464	taskhsvc.exe
4464	taskhsvc.exe
4464	taskhsvc.exe
4464	taskhsvc.exe
4464	taskhsvc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5424	@[email protected]

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
5368	msedge.exe
5368	msedge.exe
5368	msedge.exe
5368	msedge.exe
5368	msedge.exe
5368	msedge.exe
5368	msedge.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2800	WMIC.exe
Token: SeSecurityPrivilege	2800	WMIC.exe
Token: SeTakeOwnershipPrivilege	2800	WMIC.exe
Token: SeLoadDriverPrivilege	2800	WMIC.exe
Token: SeSystemProfilePrivilege	2800	WMIC.exe
Token: SeSystemtimePrivilege	2800	WMIC.exe
Token: SeProfSingleProcessPrivilege	2800	WMIC.exe
Token: SeIncBasePriorityPrivilege	2800	WMIC.exe
Token: SeCreatePagefilePrivilege	2800	WMIC.exe
Token: SeBackupPrivilege	2800	WMIC.exe
Token: SeRestorePrivilege	2800	WMIC.exe
Token: SeShutdownPrivilege	2800	WMIC.exe
Token: SeDebugPrivilege	2800	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2800	WMIC.exe
Token: SeRemoteShutdownPrivilege	2800	WMIC.exe
Token: SeUndockPrivilege	2800	WMIC.exe
Token: SeManageVolumePrivilege	2800	WMIC.exe
Token: 33	2800	WMIC.exe
Token: 34	2800	WMIC.exe
Token: 35	2800	WMIC.exe
Token: 36	2800	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2800	WMIC.exe
Token: SeSecurityPrivilege	2800	WMIC.exe
Token: SeTakeOwnershipPrivilege	2800	WMIC.exe
Token: SeLoadDriverPrivilege	2800	WMIC.exe
Token: SeSystemProfilePrivilege	2800	WMIC.exe
Token: SeSystemtimePrivilege	2800	WMIC.exe
Token: SeProfSingleProcessPrivilege	2800	WMIC.exe
Token: SeIncBasePriorityPrivilege	2800	WMIC.exe
Token: SeCreatePagefilePrivilege	2800	WMIC.exe
Token: SeBackupPrivilege	2800	WMIC.exe
Token: SeRestorePrivilege	2800	WMIC.exe
Token: SeShutdownPrivilege	2800	WMIC.exe
Token: SeDebugPrivilege	2800	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2800	WMIC.exe
Token: SeRemoteShutdownPrivilege	2800	WMIC.exe
Token: SeUndockPrivilege	2800	WMIC.exe
Token: SeManageVolumePrivilege	2800	WMIC.exe
Token: 33	2800	WMIC.exe
Token: 34	2800	WMIC.exe
Token: 35	2800	WMIC.exe
Token: 36	2800	WMIC.exe
Token: SeBackupPrivilege	1076	vssvc.exe
Token: SeRestorePrivilege	1076	vssvc.exe
Token: SeAuditPrivilege	1076	vssvc.exe
Token: SeTcbPrivilege	4288	taskse.exe
Token: SeTcbPrivilege	4288	taskse.exe
Token: SeTcbPrivilege	5684	taskse.exe
Token: SeTcbPrivilege	5684	taskse.exe

Suspicious use of FindShellTrayWindow 17 IoCs

pid	Process
5368	msedge.exe
5368	msedge.exe
5368	msedge.exe
5368	msedge.exe
5368	msedge.exe
5368	msedge.exe
5368	msedge.exe
5368	msedge.exe
5368	msedge.exe
5368	msedge.exe
5368	msedge.exe
5368	msedge.exe
5368	msedge.exe
5368	msedge.exe
5368	msedge.exe
5368	msedge.exe
5368	msedge.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2848	@[email protected]
2848	@[email protected]
1768	@[email protected]
1768	@[email protected]
5424	@[email protected]
5424	@[email protected]
1660	@[email protected]

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5368 wrote to memory of 5860	5368	msedge.exe	85
PID 5368 wrote to memory of 5860	5368	msedge.exe	85
PID 5368 wrote to memory of 3260	5368	msedge.exe	87
PID 5368 wrote to memory of 3260	5368	msedge.exe	87
PID 5368 wrote to memory of 5444	5368	msedge.exe	86
PID 5368 wrote to memory of 5444	5368	msedge.exe	86
PID 5368 wrote to memory of 3260	5368	msedge.exe	87
PID 5368 wrote to memory of 3260	5368	msedge.exe	87
PID 5368 wrote to memory of 3260	5368	msedge.exe	87
PID 5368 wrote to memory of 3260	5368	msedge.exe	87
PID 5368 wrote to memory of 3260	5368	msedge.exe	87
PID 5368 wrote to memory of 3260	5368	msedge.exe	87
PID 5368 wrote to memory of 3260	5368	msedge.exe	87
PID 5368 wrote to memory of 3260	5368	msedge.exe	87
PID 5368 wrote to memory of 3260	5368	msedge.exe	87
PID 5368 wrote to memory of 3260	5368	msedge.exe	87
PID 5368 wrote to memory of 3260	5368	msedge.exe	87
PID 5368 wrote to memory of 3260	5368	msedge.exe	87
PID 5368 wrote to memory of 3260	5368	msedge.exe	87
PID 5368 wrote to memory of 3260	5368	msedge.exe	87
PID 5368 wrote to memory of 3260	5368	msedge.exe	87
PID 5368 wrote to memory of 3260	5368	msedge.exe	87
PID 5368 wrote to memory of 3260	5368	msedge.exe	87
PID 5368 wrote to memory of 3260	5368	msedge.exe	87
PID 5368 wrote to memory of 3260	5368	msedge.exe	87
PID 5368 wrote to memory of 3260	5368	msedge.exe	87
PID 5368 wrote to memory of 3260	5368	msedge.exe	87
PID 5368 wrote to memory of 3260	5368	msedge.exe	87
PID 5368 wrote to memory of 3260	5368	msedge.exe	87
PID 5368 wrote to memory of 3260	5368	msedge.exe	87
PID 5368 wrote to memory of 3260	5368	msedge.exe	87
PID 5368 wrote to memory of 3260	5368	msedge.exe	87
PID 5368 wrote to memory of 3260	5368	msedge.exe	87
PID 5368 wrote to memory of 3260	5368	msedge.exe	87
PID 5368 wrote to memory of 3260	5368	msedge.exe	87
PID 5368 wrote to memory of 3260	5368	msedge.exe	87
PID 5368 wrote to memory of 3260	5368	msedge.exe	87
PID 5368 wrote to memory of 3260	5368	msedge.exe	87
PID 5368 wrote to memory of 3260	5368	msedge.exe	87
PID 5368 wrote to memory of 3260	5368	msedge.exe	87
PID 5368 wrote to memory of 3260	5368	msedge.exe	87
PID 5368 wrote to memory of 3260	5368	msedge.exe	87
PID 5368 wrote to memory of 3260	5368	msedge.exe	87
PID 5368 wrote to memory of 3260	5368	msedge.exe	87
PID 5368 wrote to memory of 3260	5368	msedge.exe	87
PID 5368 wrote to memory of 3260	5368	msedge.exe	87
PID 5368 wrote to memory of 3260	5368	msedge.exe	87
PID 5368 wrote to memory of 3260	5368	msedge.exe	87
PID 5368 wrote to memory of 3260	5368	msedge.exe	87
PID 5368 wrote to memory of 3260	5368	msedge.exe	87
PID 5368 wrote to memory of 3260	5368	msedge.exe	87
PID 5368 wrote to memory of 3260	5368	msedge.exe	87
PID 5368 wrote to memory of 3260	5368	msedge.exe	87
PID 5368 wrote to memory of 3260	5368	msedge.exe	87
PID 5368 wrote to memory of 3260	5368	msedge.exe	87
PID 5368 wrote to memory of 5536	5368	msedge.exe	89
PID 5368 wrote to memory of 5536	5368	msedge.exe	89
PID 5368 wrote to memory of 5536	5368	msedge.exe	89
PID 5368 wrote to memory of 5536	5368	msedge.exe	89
PID 5368 wrote to memory of 5536	5368	msedge.exe	89
PID 5368 wrote to memory of 5536	5368	msedge.exe	89
PID 5368 wrote to memory of 5536	5368	msedge.exe	89
PID 5368 wrote to memory of 5536	5368	msedge.exe	89
PID 5368 wrote to memory of 5536	5368	msedge.exe	89

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 2 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
2016	attrib.exe
3044	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:5368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x2c8,0x2cc,0x2d0,0x2c4,0x344,0x7ffbb5b6f208,0x7ffbb5b6f214,0x7ffbb5b6f220
  2⤵
  PID:5860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1944,i,345462174150845909,4904212344494128363,262144 --variations-seed-version --mojo-platform-channel-handle=2392 /prefetch:3
  2⤵
  PID:5444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2300,i,345462174150845909,4904212344494128363,262144 --variations-seed-version --mojo-platform-channel-handle=2240 /prefetch:2
  2⤵
  PID:3260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2492,i,345462174150845909,4904212344494128363,262144 --variations-seed-version --mojo-platform-channel-handle=3088 /prefetch:8
  2⤵
  PID:5536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3464,i,345462174150845909,4904212344494128363,262144 --variations-seed-version --mojo-platform-channel-handle=3496 /prefetch:1
  2⤵
  PID:1228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3476,i,345462174150845909,4904212344494128363,262144 --variations-seed-version --mojo-platform-channel-handle=3512 /prefetch:1
  2⤵
  PID:3940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=5020,i,345462174150845909,4904212344494128363,262144 --variations-seed-version --mojo-platform-channel-handle=5040 /prefetch:1
  2⤵
  PID:1444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5144,i,345462174150845909,4904212344494128363,262144 --variations-seed-version --mojo-platform-channel-handle=3744 /prefetch:8
  2⤵
  PID:5900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5140,i,345462174150845909,4904212344494128363,262144 --variations-seed-version --mojo-platform-channel-handle=3708 /prefetch:8
  2⤵
  PID:3700
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5708,i,345462174150845909,4904212344494128363,262144 --variations-seed-version --mojo-platform-channel-handle=5740 /prefetch:8
  2⤵
  PID:2540
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5708,i,345462174150845909,4904212344494128363,262144 --variations-seed-version --mojo-platform-channel-handle=5740 /prefetch:8
  2⤵
  PID:880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6100,i,345462174150845909,4904212344494128363,262144 --variations-seed-version --mojo-platform-channel-handle=6052 /prefetch:8
  2⤵
  PID:4968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5808,i,345462174150845909,4904212344494128363,262144 --variations-seed-version --mojo-platform-channel-handle=5892 /prefetch:8
  2⤵
  PID:2416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5744,i,345462174150845909,4904212344494128363,262144 --variations-seed-version --mojo-platform-channel-handle=6368 /prefetch:8
  2⤵
  PID:3532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5752,i,345462174150845909,4904212344494128363,262144 --variations-seed-version --mojo-platform-channel-handle=6364 /prefetch:8
  2⤵
  PID:4312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=2848,i,345462174150845909,4904212344494128363,262144 --variations-seed-version --mojo-platform-channel-handle=1804 /prefetch:8
  2⤵
  PID:3448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --always-read-main-dll --field-trial-handle=6400,i,345462174150845909,4904212344494128363,262144 --variations-seed-version --mojo-platform-channel-handle=6384 /prefetch:1
  2⤵
  PID:3628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6548,i,345462174150845909,4904212344494128363,262144 --variations-seed-version --mojo-platform-channel-handle=6012 /prefetch:8
  2⤵
  PID:5312
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6304,i,345462174150845909,4904212344494128363,262144 --variations-seed-version --mojo-platform-channel-handle=6308 /prefetch:8
  2⤵
  PID:1588
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6304,i,345462174150845909,4904212344494128363,262144 --variations-seed-version --mojo-platform-channel-handle=6308 /prefetch:8
  2⤵
  PID:5764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5988,i,345462174150845909,4904212344494128363,262144 --variations-seed-version --mojo-platform-channel-handle=6524 /prefetch:8
  2⤵
  PID:4944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6092,i,345462174150845909,4904212344494128363,262144 --variations-seed-version --mojo-platform-channel-handle=6344 /prefetch:8
  2⤵
  PID:2432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --always-read-main-dll --field-trial-handle=6008,i,345462174150845909,4904212344494128363,262144 --variations-seed-version --mojo-platform-channel-handle=6588 /prefetch:1
  2⤵
  PID:2112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6972,i,345462174150845909,4904212344494128363,262144 --variations-seed-version --mojo-platform-channel-handle=6980 /prefetch:8
  2⤵
  PID:6140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=7032,i,345462174150845909,4904212344494128363,262144 --variations-seed-version --mojo-platform-channel-handle=6292 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6540,i,345462174150845909,4904212344494128363,262144 --variations-seed-version --mojo-platform-channel-handle=5260 /prefetch:8
  2⤵
  PID:4568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6492,i,345462174150845909,4904212344494128363,262144 --variations-seed-version --mojo-platform-channel-handle=5376 /prefetch:8
  2⤵
  PID:2376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6412,i,345462174150845909,4904212344494128363,262144 --variations-seed-version --mojo-platform-channel-handle=4004 /prefetch:8
  2⤵
  PID:3980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6692,i,345462174150845909,4904212344494128363,262144 --variations-seed-version --mojo-platform-channel-handle=3740 /prefetch:8
  2⤵
  PID:4792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --always-read-main-dll --field-trial-handle=4036,i,345462174150845909,4904212344494128363,262144 --variations-seed-version --mojo-platform-channel-handle=6476 /prefetch:1
  2⤵
  PID:4368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5640,i,345462174150845909,4904212344494128363,262144 --variations-seed-version --mojo-platform-channel-handle=6472 /prefetch:8
  2⤵
  PID:1644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6724,i,345462174150845909,4904212344494128363,262144 --variations-seed-version --mojo-platform-channel-handle=5384 /prefetch:8
  2⤵
  PID:2552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6772,i,345462174150845909,4904212344494128363,262144 --variations-seed-version --mojo-platform-channel-handle=5860 /prefetch:8
  2⤵
  PID:4840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6924,i,345462174150845909,4904212344494128363,262144 --variations-seed-version --mojo-platform-channel-handle=2972 /prefetch:8
  2⤵
  PID:244

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:1864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
1⤵
PID:748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
  2⤵
  PID:2452

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4924

C:\Users\Admin\Downloads\Ransomware.WannaCry\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
"C:\Users\Admin\Downloads\Ransomware.WannaCry\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe"
1⤵
- Drops startup file
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
PID:5752
- C:\Windows\SysWOW64\attrib.exe
  attrib +h .
  2⤵
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:2016
- C:\Windows\SysWOW64\icacls.exe
  icacls . /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  - System Location Discovery: System Language Discovery
  PID:4640
- C:\Users\Admin\Downloads\Ransomware.WannaCry\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4620
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 230741744410163.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2800
- - C:\Windows\SysWOW64\cscript.exe
    cscript.exe //nologo m.vbs
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1960
- C:\Windows\SysWOW64\attrib.exe
  attrib +h +s F:\$RECYCLE
  2⤵
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:3044
- C:\Users\Admin\Downloads\Ransomware.WannaCry\@[email protected]
  @[email protected] co
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2848
- - C:\Users\Admin\Downloads\Ransomware.WannaCry\TaskData\Tor\taskhsvc.exe
    TaskData\Tor\taskhsvc.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4464
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c start /b @[email protected] vs
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1628
- - C:\Users\Admin\Downloads\Ransomware.WannaCry\@[email protected]
    @[email protected] vs
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1768
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
      4⤵
      System Location Discovery: System Language Discovery
      PID:4440
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2800
- C:\Users\Admin\Downloads\Ransomware.WannaCry\taskse.exe
  taskse.exe C:\Users\Admin\Downloads\Ransomware.WannaCry\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4288
- C:\Users\Admin\Downloads\Ransomware.WannaCry\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:5424
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "vteizzisrx942" /t REG_SZ /d "\"C:\Users\Admin\Downloads\Ransomware.WannaCry\tasksche.exe\"" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2416
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "vteizzisrx942" /t REG_SZ /d "\"C:\Users\Admin\Downloads\Ransomware.WannaCry\tasksche.exe\"" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:3796
- C:\Users\Admin\Downloads\Ransomware.WannaCry\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5980
- C:\Users\Admin\Downloads\Ransomware.WannaCry\taskse.exe
  taskse.exe C:\Users\Admin\Downloads\Ransomware.WannaCry\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5684
- C:\Users\Admin\Downloads\Ransomware.WannaCry\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1660
- C:\Users\Admin\Downloads\Ransomware.WannaCry\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4288

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Ransomware.WannaCry\@[email protected]
1⤵
- Opens file in notepad (likely ransom note)
PID:5620

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\Ransomware.WannaCry\tasksche.exe"
1⤵
PID:540

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\chrome_Unpacker_BeginUnzipping5368_1092043783\hyph-as.hyb

Filesize
703B

MD5
8961fdd3db036dd43002659a4e4a7365

SHA1
7b2fa321d50d5417e6c8d48145e86d15b7ff8321

SHA256
c2784e33158a807135850f7125a7eaabe472b3cfc7afb82c74f02da69ea250fe

SHA512
531ecec11d296a1ab3faeb2c7ac619da9d80c1054a2ccee8a5a0cd996346fea2a2fee159ac5a8d79b46a764a2aa8e542d6a79d86b3d7dda461e41b19c9bebe92

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping5368_1092043783\hyph-hi.hyb

Filesize
687B

MD5
0807cf29fc4c5d7d87c1689eb2e0baaa

SHA1
d0914fb069469d47a36d339ca70164253fccf022

SHA256
f4df224d459fd111698dd5a13613c5bbf0ed11f04278d60230d028010eac0c42

SHA512
5324fd47c94f5804bfa1aa6df952949915896a3fc77dccaed0eeffeafe995ce087faef035aecea6b4c864a16ad32de00055f55260af974f2c41afff14dce00f3

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping5368_1092043783\hyph-nb.hyb

Filesize
141KB

MD5
677edd1a17d50f0bd11783f58725d0e7

SHA1
98fedc5862c78f3b03daed1ff9efbe5e31c205ee

SHA256
c2771fbb1bfff7db5e267dc7a4505a9675c6b98cfe7a8f7ae5686d7a5a2b3dd0

SHA512
c368f6687fa8a2ef110fcb2b65df13f6a67feac7106014bd9ea9315f16e4d7f5cbc8b4a67ba2169c6909d49642d88ae2a0a9cd3f1eb889af326f29b379cfd3ff

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping5368_1092043783\manifest.json

Filesize
82B

MD5
2617c38bed67a4190fc499142b6f2867

SHA1
a37f0251cd6be0a6983d9a04193b773f86d31da1

SHA256
d571ef33b0e707571f10bb37b99a607d6f43afe33f53d15b4395b16ef3fda665

SHA512
b08053050692765f172142bad7afbcd038235275c923f3cd089d556251482b1081e53c4ad7367a1fb11ca927f2ad183dc63d31ccfbf85b0160cf76a31343a6d0

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping5368_1175698104\manifest.json

Filesize
176B

MD5
6607494855f7b5c0348eecd49ef7ce46

SHA1
2c844dd9ea648efec08776757bc376b5a6f9eb71

SHA256
37c30639ea04878b9407aecbcea4848b033e4548d5023ce5105ea79cab2c68dd

SHA512
8cb60725d958291b9a78c293992768cb03ff53ab942637e62eb6f17d80e0864c56a9c8ccafbc28246e9ce1fdb248e8d071d76764bcaf0243397d0f0a62b4d09a

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping5368_1363076724\manifest.json

Filesize
141B

MD5
811f0436837c701dc1cea3d6292b3922

SHA1
4e51a3e9f5cbf8c9c96985dabe8ffc2de28dae87

SHA256
dbfb38a16e33a39c35ac50bd81782e4608be14954f1df69ac8272c0b9ce87a5d

SHA512
21e7bf2f8333b2900bcbcb871ede14684073249597d105095dc7d3f101e7ccc326068732f11d4a167365f245a3f2205793f520c7666d7f948e70919b40b43d35

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping5368_1374544241\manifest.json

Filesize
102B

MD5
a64e2a4236e705215a3fd5cb2697a71f

SHA1
1c73e6aad8f44ade36df31a23eaaf8cd0cae826d

SHA256
014e9fc1219beefc428ec749633125c9bff7febc3be73a14a8f18a6691cd2846

SHA512
75b30c0c8cef490aaf923afbdb5385d4770de82e698f71f8f126a6af5ef16f3a90d0c27687f405274177b1a5250436efddd228a6d2949651f43bd926e8a1cc99

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping5368_1533796692\LICENSE

Filesize
1KB

MD5
ee002cb9e51bb8dfa89640a406a1090a

SHA1
49ee3ad535947d8821ffdeb67ffc9bc37d1ebbb2

SHA256
3dbd2c90050b652d63656481c3e5871c52261575292db77d4ea63419f187a55b

SHA512
d1fdcc436b8ca8c68d4dc7077f84f803a535bf2ce31d9eb5d0c466b62d6567b2c59974995060403ed757e92245db07e70c6bddbf1c3519fed300cc5b9bf9177c

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping5368_1533796692\manifest.json

Filesize
85B

MD5
c3419069a1c30140b77045aba38f12cf

SHA1
11920f0c1e55cadc7d2893d1eebb268b3459762a

SHA256
db9a702209807ba039871e542e8356219f342a8d9c9ca34bcd9a86727f4a3a0f

SHA512
c5e95a4e9f5919cb14f4127539c4353a55c5f68062bf6f95e1843b6690cebed3c93170badb2412b7fb9f109a620385b0ae74783227d6813f26ff8c29074758a1

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping5368_322405095\manifest.json

Filesize
118B

MD5
38a783f9ed173a04e5bef70a52292fc5

SHA1
2329da12d659d33a964ce876541d3ada1929abc1

SHA256
49bd6d2f7f3242bc71f47eacde83a0a1a0e7310074f30810223ea2940238bfcf

SHA512
3ae1c4d0ba65528b9476dfd6035144215227c2718104ece92f9c00bdaa505e2c80d1d30f6e1556f1ea5cbbe6c4f2a2a085ca5b3a2e33cdee74d65e5ef81951f2

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping5368_659200126\manifest.json

Filesize
76B

MD5
ba25fcf816a017558d3434583e9746b8

SHA1
be05c87f7adf6b21273a4e94b3592618b6a4a624

SHA256
0d664bc422a696452111b9a48e7da9043c03786c8d5401282cff9d77bcc34b11

SHA512
3763bd77675221e323faa5502023dc677c08911a673db038e4108a2d4d71b1a6c0727a65128898bb5dfab275e399f4b7ed19ca2194a8a286e8f9171b3536546f

Download Submit
C:\ProgramData\Microsoft\AppV\Setup\@[email protected]

Filesize
721B

MD5
7dae9ca9f84ae7809df413e54ba15e35

SHA1
be94e28108f30f4b6a80f4b9baf6539abfad8e9d

SHA256
897b506532716674debba6a639e19e162f0eea07b2b2cd64bd793b14bc2b8038

SHA512
9a2e5ecae89f0ca6b98605efe502601a7d4626f070c93cd7848320186756e2e32bb534d8839d54dc0796d50a3eb5b4b44dd5551bd86344af254d91b9310c2947

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
576f64b8f21f4203eed3f6c7b065f527

SHA1
e0c4e8f914319e112a4b3562d2d6f4107750aba8

SHA256
c39a636afaeae67ebd98682bf35ff7afafceac020ed21cb564ab954ab1ef6f87

SHA512
af606a5d7d4d96afd80d8e0117f2d5f02cc82b810149f50e26d46a5b8fd7c6b2aa119aa1b7123c54d2ef19d05ca92ca738994e047e24e567e53765fc1c52f653

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db\LOG.old

Filesize
334B

MD5
7b348930edadc08acbfa9835551fd938

SHA1
f13f7d28e622ade0a6b1f02926863d2c53facb76

SHA256
c7476b2c3fda8f46d71ea93bf76c1dd55812ed78abf70b93d5bc59d4eef7e8b0

SHA512
785ec77621b74bddbc048c61e2bf70917712559f59e7befec95f38358693a1b0ddf7fdea340865bc18e692a2cde80379c248a3770a647c65062ac552eb97e8a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_00007c

Filesize
216KB

MD5
50a7159ff34dea151d624f07e6cb1664

SHA1
e13fe30db96dcee328efda5cc78757b6e5b9339c

SHA256
e990d9d31c4c7d57dd4795e43baea05501fb6ea8b7760f89001be660425dd01b

SHA512
a7768dd7e315b07754a305080e0fc023765e5a224b2c3824e8e10f29286df63bbdefef379e069941fd8cd9c7c3befce976779ae2efdfb6e7da697b09d7f07250

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
6KB

MD5
52dd994256602338c75c76796bbe27b1

SHA1
3377b85396b2806de52df921022d34dedc0a8d93

SHA256
6ed14b162d30e901a70dd16d22a1d001a49cba2ac170cad0fd395b294fa58e9f

SHA512
dc9f4bae41ad9792fca53dd3779daca99a182b31a75f58b1b2dfc1da14790ff02680341a97b41487b21437995146487bcb8c5c1925d47e6d01f931629986640d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
2553f20ee2fcd6bb4cfbfd985dcedf54

SHA1
01996d3c72c33b0f2d529ce753a31dcad2adf264

SHA256
c152539aaf57dda08cfb7cd72fad453af7b8280d04dab6956c86b60c73c1a99e

SHA512
ea46d3332200b6b12165661a487f4dabebda9969c9556d6c8f6e597ec846d3eeea53ec0b143d983146ff74e981d6ac8210b523042a36f6b97a1a51347cf4ca3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe5824d9.TMP

Filesize
4KB

MD5
97c90f8c81ed8d36940dd6f1a2bebd5e

SHA1
e23550424d6091259b6b14a0c34292db0f87bef4

SHA256
a59a72dc0b57a1407c14432c5cad1c21754625b776f22cfd74f36dc101999b68

SHA512
c14ae55c118d83ee992f02215bd4c7612a9a3ebc997c01f9c6491e4de92a53f6b707314be16f26e01fe6f01b0d2dd96669803096498d9c247c2a6a5102bddb1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps

Filesize
107KB

MD5
2b66d93c82a06797cdfd9df96a09e74a

SHA1
5f7eb526ee8a0c519b5d86c845fea8afd15b0c28

SHA256
d4c064db769b3c109da2ed80a53fbab00987c17421a47921e41e213781d67954

SHA512
95e45c0aea0e704be5f512dffaae377d4abef78da99b3bca769264d69be20f2570daf2f47905645217e1b2696e42b101f26149219f148b4d6dd97a6c2868b6f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
f6fb0b52b89d1c91d0d6e7e1f01089cd

SHA1
285e5e68b5b9be59e41d787e72ea207464cc1f66

SHA256
72f1aad2d88402eea9e2c2e6b61f8d58791ae6ec4a88d3fc8dce53a27ed52026

SHA512
0afa90a19085705d5c901936fdeb1e82d04854b58c1ece83d5f406ab6e4414ef304a3596547175628d9e57df7572afb519cb30325c5b03a0272bc53bcd0fa7ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
63f95b5fa38692d66d731bf90cd5513b

SHA1
e3016273ff599951e89179e1cec033f698c56091

SHA256
c72551458c36d1cfd05fa68b059f885ba35742a4d035e41591abef595c5c1f54

SHA512
24cc04eb83248d9d37b2e76968b32718fb00800bc582f503e708a19f2592f29fe6eb637739f33237ee00802114c70849610201f1e107e29062c7c8f2dd4d570e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
7e1bbeebb41790fe2efb14ea8413d8e3

SHA1
9a2be486fe2a531447e1cac15983e142d5dbba6b

SHA256
6e7a0c830c5194fda72572f978f55d5c4100991987c14cd0c4ffd9ca3b89e851

SHA512
1a0174a56ac71ba04d94802a2d4911c9b24d8ef2fc47466f450c4e056de64a1d1957dcb8df6b310dddfb2d403a0b2e4403c294d5b1ec4902e3f8974b1292f7f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
17KB

MD5
9f103bf56c9a3992b7a43b694e661f66

SHA1
b313cd54992c9c8987f000098772200ea16a2517

SHA256
b65ce3c753eecce1a7bfc3844356942cfc12f3710372b3a8909aa62e6e036f59

SHA512
2c1371b73db99a0e869747d5ae43e7617ae607f64156df9f8fc71204bc68f80f6fe062bd649ec5ee6e50d0eccd76700ee1beaa41d79b94058fc0fe248f689c9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
de7e62978e98c67452374fc840360561

SHA1
8c0c7af5c59d6721b8ed7f00e4d611ed9985673b

SHA256
d5fdf297d6ec691f84b71a69093993376c48c7f004be6c4fa894cabf49939729

SHA512
56a07fcb094c6bd144331fa76a9a4ee5bb571fb0a5aa5d746fca77c142e7952304aad8c137db9b5d8fb22a109b58bb405162e0d664c203f844245428f9edec50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
15KB

MD5
f946253b840151f8fee04d19bb1e89d0

SHA1
e073548d00c44c955438e06c2f2797680765235b

SHA256
f8a5fd6a4feac056369fe27e370b8e134edeaad26e79918fa35986245e4b8eb4

SHA512
bd0c4f3951fcbd66bfdbef16c9263ab8420362e9cb5a0247448732b00eb8e8f88f644ed6007eab655370d0ab5d772de4501bdf163e90557415cb11f43eca009f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
36KB

MD5
2c218fb3d1bc802e58b10f173f9014e4

SHA1
bda606f115eb36cda553f44ddd1b0ca70049e538

SHA256
8fc21c79ef1136de5b8b5e2470c2cdfbb7741a8d716d231578d4b90e7c2e909a

SHA512
b6b07621b958bcfc40524a831f9dfd1624c028e2e1f8f1c14fccb1169875bf69c1c8538034ce20752cfbf7a7d5a05d25183677cab2798eae7f528dc0ca38f325

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
22KB

MD5
738c1ba51f115daf9a6b4b9c73b3e12e

SHA1
9a8b018d90286539b8642340b02d930b81cbd556

SHA256
6beb5006ef9ea747dcfd41e2ee4aa80bee8559a376ab4c5212b2cfd423a2c4d7

SHA512
997d94a29e4d53c5afbd578f27e3eaf917e3eaffae7a4b15835125b1437c8758e5281c36abe690e29a12ec950fb9de68e9f7c7426466f1888009566164759a4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
467B

MD5
de4e6c6f4c043c4b9ee8c3f39e47a71a

SHA1
a5f3b04717958b62350fbf4a75d54369abe701c8

SHA256
ff2f4915045816b0d645bca468a531dc2832863ea0e892decfce6b70d8eccd36

SHA512
03e8b20f48fffd53adde08b4024516a8a079253d088ee5a42b2b6db2a67ea2ecaa90bfdbc6d341d4c3968c5e291231d192e9fbeab78a1699f239bc46bcee6ab0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
20KB

MD5
c431dc6b285e81748d2eb48163ecd350

SHA1
e9bf619064a5bab4d297c54a70e0c96a9c99509c

SHA256
62b93a87d49cfcd5253ce87107d9ede801e56d00fef861714c878f981a774c1b

SHA512
a68ace079d5056f8475a4f92899eb955a574b15aad59405a5524ac58951c85310ae71d02c1597a15a92c1b840f28396f9da0f0c2ce80dc51bfe66fe0ffd92635

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
900B

MD5
4fde18a6de563a13fb52214777b6651c

SHA1
f3350d4b1321a0ca467f804ba3df48bfc51b3b3a

SHA256
4b1a4114d922dc1767789cdf6c119fc49ad270c2d8a7eb951a567797b980eb02

SHA512
2a029f5eea35d58ca352acb64693550cb9b40db5147ad450d5e73fb4422cddd43307222873df85b33269435490d2282f2db62ce99fee19c1f1c8eb6b878aac40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\OperationConfig

Filesize
22KB

MD5
3f8927c365639daa9b2c270898e3cf9d

SHA1
c8da31c97c56671c910d28010f754319f1d90fa6

SHA256
fc80d48a732def35ab6168d8fd957a6f13f3c912d7f9baf960c17249e4a9a1f2

SHA512
d75b93f30989428883cb5e76f6125b09f565414cf45d59053527db48c6cf2ac7f54ed9e8f6a713c855cd5d89531145592ef27048cf1c0f63d7434cfb669dbd72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
5f964798b237c7f51d9949c8e1e5be9f

SHA1
82fbc2cdbcaa6b8eddb0520f1bf1f97f889acd20

SHA256
85bc27c4fe827710e991d1af64e0f43df5dc86ab7cb19d4d30bde46fedd51aab

SHA512
d98a73c03d0617a4c16e23fd1d279cc43da46a47dd8d832af97885244149ce993039ded5070f7f66e8d84274377a52c7da5393c745f65c726880a361e01bbd78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
46KB

MD5
0fd4b05f088b5c5c5a10f71ceefabf70

SHA1
f3900097834adae0b8223e026a0371a2eaa55eb3

SHA256
2bbe2a89469b11b74a9e583a138c90f43cf766c3ba14b8c2835615096bcefe88

SHA512
28e86885faf6af1e202ebf2cc129b50369c48cd654ec6ef51640ffe8f22a4235782c668c3c495186b7fcd5036d41f525ba5a0d43da7e0e51948fa031fd0c555b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
46KB

MD5
855ccfa78862004fddf2674b5df542be

SHA1
4bd03dcbc077896f465b5e03323a1f22dee450b4

SHA256
14d6de18924a650fc720fb87a1c7d137b72b2056da0d9f3b87b3a25bbbd01b26

SHA512
3e88163ca3d75f4a598add2a490339ef5d2a578ae6e030b54cc9169f213a7a07e3b8cf075f64e3339ce8114f9980f58d49734665d2ac9a893d08176c19b19895

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
46KB

MD5
2fd92d535b38f0b3eeef1cfbba7ee6ac

SHA1
9cf1e28bb2fcc8440ed3654fad82d8b71a2c3dd1

SHA256
e8dcb2e9a1982bba0695be23b668cbbad49376c13d9581f2fc614f7b686c7ac5

SHA512
3b01abceacac9756590a42574c189c5c0da9c4fbb67c3fd7e0055d83592e3347b07f881b4e207524d1090b154ef7aabaf55921dca98717cd1152bd6bf36c2bef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
41KB

MD5
0e79ebbdc0949aa1e7bcdd3bbcc75351

SHA1
6cf795b48cd562b141d7ae74d9a078e07f5c02b2

SHA256
a1b454ae05b9f0c7c078be330c07cc519dc40f06b090e286a259633eec2d67d8

SHA512
cc358446cd142705923dbb2c708d638e7d7a685854f3cdf1ad1c262306c3abf480abba176741126d9917ad2eb93f2bed09241ee27aaf48499af4f342f0a675d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
46KB

MD5
ac40ee3d8673eb7f27399664f39ac8c8

SHA1
d0a4d53f90840286810ade61f24e2a633e307a86

SHA256
2580c5b6855670e2901ee6137d2ad3d9eac7302f4b72107898d26536442ee381

SHA512
b444b6434d4eb32e7f26d9aa32ff623eb0e96d39a91e8bb0824241b64bed1c151523d7d4639601b1057c9c729b1927f9c74bd21eb81737bff77f25fd82fa24a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\PKIMetadata\22.0.0.0\crs.pb

Filesize
289KB

MD5
2b59269e7efdd95ba14eeb780dfb98c2

SHA1
b3f84cbc37a79eeecb8f1f39b615577d78600096

SHA256
ff2ced650772249abb57f6f19c5d0322d6df22c85c7cf2be193b6134e1b95172

SHA512
e4b454db2248021e0d198805ea54f1c0cfd84b9716a9348b1d0e0acb7c6fb5dd0839e532a5eb6d4410ab759d6688dd6cce8375ad55a150d738d280993142e9d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\PKIMetadata\22.0.0.0\ct_config.pb

Filesize
8KB

MD5
811b65320a82ebd6686fabf4bb1cb81a

SHA1
c660d448114043babec5d1c9c2584df6fab7f69b

SHA256
52687dd0c06f86a2298a4442ab8afa9b608271ec01a67217d7b58dab7e507bdf

SHA512
33350cce447508269b7714d9e551560553e020d6acf37a6a6021dc497d4008ce9e532dd615ad68872d75da22ac2039ef0b4fa70c23ec4b58043c468d5d75fd81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\PKIMetadata\22.0.0.0\kp_pinslist.pb

Filesize
11KB

MD5
0779206f78d8b0d540445a10cb51670c

SHA1
67f0f916be73bf5cffd3f4c4aa8d122c7d73ad54

SHA256
bf0945921058b9e67db61e6a559531af2f9b78d5fbedb0b411384225bdd366ec

SHA512
4140b2debe9c0b04e1e59be1387dca0e8e2f3cbc1f67830cbc723864acc2276cde9529295dcb4138fa0e2e116416658753fe46901dfa572bdfe6c7fb67bd8478

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
902a05164253cbf9bd017a32521b226d

SHA1
5d42ac496638d2f1891ee06e3c0b44b84ca0d137

SHA256
26c179394f2e79e98e85490246d0d98f04928671d424bf788d0fca7829c40a32

SHA512
dc296a9bf491c798d41cb426cf8313eb73f87be3c7ed99f684a39a857e15e9dc4b3a900265af12bd2b7f254b767da59a3b74d342cb4de487424ad9ab3259d0a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
817c6a28ffc13104b3e75289000a2046

SHA1
3edb81104dc66f8eeb320d3a66e35f47ba9acbc4

SHA256
719b1ab6e2487ee843b9b329958fc065801fdd134ddebbc33a96a1012ce893e4

SHA512
96b5cd77f651b885611b395ac2e9043ea0c1f84eed12dcc1f0c76e80c329016e5189a552eba837db858052bc3f33f5f4822da60b76ff91708e9cec300afe0c69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
956b706b3870e10f968521f4c9fa4269

SHA1
73ab24527b4cd0e2cdd3c2d5b08385312831a8b3

SHA256
fcf14d0575e5fd4a933f9feae0e8bae63dbf126a7c52dce70113ced51f374e64

SHA512
5fc433ece6d83366bdd2150cc44f56979c3507a7907192c302b078f65ffb211453b0fc2bbc88a5e3f74688ab1e94166a4e092a2e4cbc106d88d452e55850dbf6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
2ccfbfe7db4c8b89d9372ce8c205cfa1

SHA1
d7ba6b1621f830937750117e5a854baff080000b

SHA256
97b662c7ea43ece0900cdf8ee6c08a69669f609821f8e0b4cdabaa879dd56c4d

SHA512
181f3af15609c5ebed9388f7ea28b1db6c451c84649e3f1e1c287da5b7d4260ff06e81ca4e27f4eab7c95d5da7394e7c4589262e49ffc2dd78865166a5decf08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
6f8ff73678f1ffdf449390c8841c502a

SHA1
2472e40337fb60c296e01cf532e735c62de0ad92

SHA256
cd82f58613fd015484250ed62efdb9792073d0f05999efc6a6ac573ae7f2bb85

SHA512
fd661b2724c2976d31a097defb56063105554f9877db34dbf09bc949c16c189ae3b179a9f33fc74380c85054ca5a72a09e0355f3dc4213baa36370e6f04b9ee7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
f4b022800d9d45af4fc3b973303e03f0

SHA1
0ec692a14bf14f9106ff71c80d5814b8b2f443e5

SHA256
54208bbd7140974e47c031005896993de90c85964314dae3add32910eda2eabb

SHA512
0caf83c76cc0b8cfe1f19de91d1f2a7d96a53bc39828c1cc61b2581c08317af93c8a10f7636c94832e629002b7f03152063aac3147f710df470ca61633461be6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
35e168b52a65f8794b5c780cede97f97

SHA1
b4b3dab129782a72ee6b6a6bb439108b011c1d3b

SHA256
34c48df3eb95b3976f3fe55b2a4e7f0e2e419b80c683f53b18ef88d1bcdafd78

SHA512
74bbdfcd31810d260c61590cae7aae3871e9ae8399d32a7c9d2d167cdd2a2d3d40aa3357939a505ea8327acb0ffb8695192a3de7d0101bb321f7b30ed1f80cc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter~RFe587337.TMP

Filesize
392B

MD5
7f2deac33f5572357dad3140c81e7463

SHA1
62bc4682b27ff03dc3ded53cb686070db5734652

SHA256
6f1cb13a2a6389b0442f72f95991a1a9f73c580989935902a34f81ea0668175c

SHA512
0658e2564021b108f79ec3f8b2cf05dde51ae5c4fba34cbedcc71f0fa7b2b3f785d76efa0157d21fd04e2bacc7d35e692b3d79c558c1ec88eb9b489ace3fa348

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Typosquatting\2025.4.10.1\typosquatting_list.pb

Filesize
626KB

MD5
0104f1d6d013bd1e93f9d9da98366a4d

SHA1
38291eff21f6fb2680eab78418f54beda8e77114

SHA256
0060831feb8e7c25fa67fb62023111ca8c767e4c48ee5ba8d64ff7b9f88dea77

SHA512
35db78d2916a71e73501d7c3d18f3e7d655ca668863b9142ae4e4f99ec2169b2104e41991835ae3557c533d0fbbbe5474847e6027bc41808e18a4dd2cb3682a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Well Known Domains\1.2.0.0\well_known_domains.dll

Filesize
572KB

MD5
f5f5b37fd514776f455864502c852773

SHA1
8d5ed434173fd77feb33cb6cb0fad5e2388d97c6

SHA256
2778063e5ded354d852004e80492edb3a0f731b838bb27ba3a233bc937592f6e

SHA512
b0931f1cae171190e6ec8880f4d560cc7b3d5bffe1db11525bd133eaf51e2e0b3c920ea194d6c7577f95e7b4b4380f7845c82eb2898ad1f5c35d4550f93a14b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

Filesize
2KB

MD5
ba34bc1cdf6125a77018b82da9d3b19a

SHA1
0e9bfcea860894cdb9f1585c26a93aaf4a19c06e

SHA256
31772ae01139fabcac5fc5b1b571cb741537de558e608d251ecf7b6ef8f0c052

SHA512
193ea31f5202f79601a90da5ee370b8815b1a239c6c925e558e4c4a16b64445a7a71e5d247218e16c24e333b4ce0bff7faf209e5865d48d70bfa2f285490af3f

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry.zip.crdownload

Filesize
3.3MB

MD5
efe76bf09daba2c594d2bc173d9b5cf0

SHA1
ba5de52939cb809eae10fdbb7fac47095a9599a7

SHA256
707a9f323556179571bc832e34fa592066b1d5f2cac4a7426fe163597e3e618a

SHA512
4a1df71925cf2eb49c38f07c6a95bea17752b025f0114c6fd81bc0841c1d1f2965b5dda1469e454b9e8207c2e0dfd3df0959e57166620ccff86eeeb5cf855029

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\@[email protected]

Filesize
933B

MD5
7a2726bb6e6a79fb1d092b7f2b688af0

SHA1
b3effadce8b76aee8cd6ce2eccbb8701797468a2

SHA256
840ab19c411c918ea3e7526d0df4b9cb002de5ea15e854389285df0d1ea9a8e5

SHA512
4e107f661e6be183659fdd265e131a64cce2112d842226305f6b111d00109a970fda0b5abfb1daa9f64428e445e3b472332392435707c9aebbfe94c480c72e54

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\TaskData\Tor\tor.exe

Filesize
3.0MB

MD5
fe7eb54691ad6e6af77f8a9a0b6de26d

SHA1
53912d33bec3375153b7e4e68b78d66dab62671a

SHA256
e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb

SHA512
8ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\b.wnry

Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\c.wnry

Filesize
780B

MD5
8124a611153cd3aceb85a7ac58eaa25d

SHA1
c1d5cd8774261d810dca9b6a8e478d01cd4995d6

SHA256
0ceb451c1dbefaa8231eeb462e8ce639863eb5b8ae4fa63a353eb6e86173119e

SHA512
b9c8dfb5d58c95628528cc729d2394367c5e205328645ca6ef78a3552d9ad9f824ae20611a43a6e01daaffeffdc9094f80d772620c731e4192eb0835b8ed0f17

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_bulgarian.wnry

Filesize
46KB

MD5
95673b0f968c0f55b32204361940d184

SHA1
81e427d15a1a826b93e91c3d2fa65221c8ca9cff

SHA256
40b37e7b80cf678d7dd302aaf41b88135ade6ddf44d89bdba19cf171564444bd

SHA512
7601f1883edbb4150a9dc17084012323b3bfa66f6d19d3d0355cf82b6a1c9dce475d758da18b6d17a8b321bf6fca20915224dbaedcb3f4d16abfaf7a5fc21b92

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_chinese (simplified).wnry

Filesize
53KB

MD5
0252d45ca21c8e43c9742285c48e91ad

SHA1
5c14551d2736eef3a1c1970cc492206e531703c1

SHA256
845d0e178aeebd6c7e2a2e9697b2bf6cf02028c50c288b3ba88fe2918ea2834a

SHA512
1bfcf6c0e7c977d777f12bd20ac347630999c4d99bd706b40de7ff8f2f52e02560d68093142cc93722095657807a1480ce3fb6a2e000c488550548c497998755

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_chinese (traditional).wnry

Filesize
77KB

MD5
2efc3690d67cd073a9406a25005f7cea

SHA1
52c07f98870eabace6ec370b7eb562751e8067e9

SHA256
5c7f6ad1ec4bc2c8e2c9c126633215daba7de731ac8b12be10ca157417c97f3a

SHA512
0766c58e64d9cda5328e00b86f8482316e944aa2c26523a3c37289e22c34be4b70937033bebdb217f675e40db9fecdce0a0d516f9065a170e28286c2d218487c

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_croatian.wnry

Filesize
38KB

MD5
17194003fa70ce477326ce2f6deeb270

SHA1
e325988f68d327743926ea317abb9882f347fa73

SHA256
3f33734b2d34cce83936ce99c3494cd845f1d2c02d7f6da31d42dfc1ca15a171

SHA512
dcf4ccf0b352a8b271827b3b8e181f7d6502ca0f8c9dda3dc6e53441bb4ae6e77b49c9c947cc3ede0bf323f09140a0c068a907f3c23ea2a8495d1ad96820051c

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_czech.wnry

Filesize
39KB

MD5
537efeecdfa94cc421e58fd82a58ba9e

SHA1
3609456e16bc16ba447979f3aa69221290ec17d0

SHA256
5afa4753afa048c6d6c39327ce674f27f5f6e5d3f2a060b7a8aed61725481150

SHA512
e007786ffa09ccd5a24e5c6504c8de444929a2faaafad3712367c05615b7e1b0fbf7fbfff7028ed3f832ce226957390d8bf54308870e9ed597948a838da1137b

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_danish.wnry

Filesize
36KB

MD5
2c5a3b81d5c4715b7bea01033367fcb5

SHA1
b548b45da8463e17199daafd34c23591f94e82cd

SHA256
a75bb44284b9db8d702692f84909a7e23f21141866adf3db888042e9109a1cb6

SHA512
490c5a892fac801b853c348477b1140755d4c53ca05726ac19d3649af4285c93523393a3667e209c71c80ac06ffd809f62dd69ae65012dcb00445d032f1277b3

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_dutch.wnry

Filesize
36KB

MD5
7a8d499407c6a647c03c4471a67eaad7

SHA1
d573b6ac8e7e04a05cbbd6b7f6a9842f371d343b

SHA256
2c95bef914da6c50d7bdedec601e589fbb4fda24c4863a7260f4f72bd025799c

SHA512
608ef3ff0a517fe1e70ff41aeb277821565c5a9bee5103aa5e45c68d4763fce507c2a34d810f4cd242d163181f8341d9a69e93fe32aded6fbc7f544c55743f12

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_english.wnry

Filesize
36KB

MD5
fe68c2dc0d2419b38f44d83f2fcf232e

SHA1
6c6e49949957215aa2f3dfb72207d249adf36283

SHA256
26fd072fda6e12f8c2d3292086ef0390785efa2c556e2a88bd4673102af703e5

SHA512
941fa0a1f6a5756ed54260994db6158a7ebeb9e18b5c8ca2f6530c579bc4455918df0b38c609f501ca466b3cc067b40e4b861ad6513373b483b36338ae20a810

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_filipino.wnry

Filesize
36KB

MD5
08b9e69b57e4c9b966664f8e1c27ab09

SHA1
2da1025bbbfb3cd308070765fc0893a48e5a85fa

SHA256
d8489f8c16318e524b45de8b35d7e2c3cd8ed4821c136f12f5ef3c9fc3321324

SHA512
966b5ed68be6b5ccd46e0de1fa868cfe5432d9bf82e1e2f6eb99b2aef3c92f88d96f4f4eec5e16381b9c6db80a68071e7124ca1474d664bdd77e1817ec600cb4

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_finnish.wnry

Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_french.wnry

Filesize
37KB

MD5
4e57113a6bf6b88fdd32782a4a381274

SHA1
0fccbc91f0f94453d91670c6794f71348711061d

SHA256
9bd38110e6523547aed50617ddc77d0920d408faeed2b7a21ab163fda22177bc

SHA512
4f1918a12269c654d44e9d394bc209ef0bc32242be8833a2fba437b879125177e149f56f2fb0c302330dec328139b34982c04b3fefb045612b6cc9f83ec85aa9

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_german.wnry

Filesize
36KB

MD5
3d59bbb5553fe03a89f817819540f469

SHA1
26781d4b06ff704800b463d0f1fca3afd923a9fe

SHA256
2adc900fafa9938d85ce53cb793271f37af40cf499bcc454f44975db533f0b61

SHA512
95719ae80589f71209bb3cb953276538040e7111b994d757b0a24283aefe27aadbbe9eef3f1f823ce4cabc1090946d4a2a558607ac6cac6faca5971529b34dac

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_greek.wnry

Filesize
47KB

MD5
fb4e8718fea95bb7479727fde80cb424

SHA1
1088c7653cba385fe994e9ae34a6595898f20aeb

SHA256
e13cc9b13aa5074dc45d50379eceb17ee39a0c2531ab617d93800fe236758ca9

SHA512
24db377af1569e4e2b2ebccec42564cea95a30f1ff43bcaf25a692f99567e027bcef4aacef008ec5f64ea2eef0c04be88d2b30bcadabb3919b5f45a6633940cb

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_indonesian.wnry

Filesize
36KB

MD5
3788f91c694dfc48e12417ce93356b0f

SHA1
eb3b87f7f654b604daf3484da9e02ca6c4ea98b7

SHA256
23e5e738aad10fb8ef89aa0285269aff728070080158fd3e7792fe9ed47c51f4

SHA512
b7dd9e6dc7c2d023ff958caf132f0544c76fae3b2d8e49753257676cc541735807b4befdf483bcae94c2dcde3c878c783b4a89dca0fecbc78f5bbf7c356f35cd

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_italian.wnry

Filesize
36KB

MD5
30a200f78498990095b36f574b6e8690

SHA1
c4b1b3c087bd12b063e98bca464cd05f3f7b7882

SHA256
49f2c739e7d9745c0834dc817a71bf6676ccc24a4c28dcddf8844093aab3df07

SHA512
c0da2aae82c397f6943a0a7b838f60eeef8f57192c5f498f2ecf05db824cfeb6d6ca830bf3715da7ee400aa8362bd64dc835298f3f0085ae7a744e6e6c690511

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_japanese.wnry

Filesize
79KB

MD5
b77e1221f7ecd0b5d696cb66cda1609e

SHA1
51eb7a254a33d05edf188ded653005dc82de8a46

SHA256
7e491e7b48d6e34f916624c1cda9f024e86fcbec56acda35e27fa99d530d017e

SHA512
f435fd67954787e6b87460db026759410fbd25b2f6ea758118749c113a50192446861a114358443a129be817020b50f21d27b1ebd3d22c7be62082e8b45223fc

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_korean.wnry

Filesize
89KB

MD5
6735cb43fe44832b061eeb3f5956b099

SHA1
d636daf64d524f81367ea92fdafa3726c909bee1

SHA256
552aa0f82f37c9601114974228d4fc54f7434fe3ae7a276ef1ae98a0f608f1d0

SHA512
60272801909dbba21578b22c49f6b0ba8cd0070f116476ff35b3ac8347b987790e4cc0334724244c4b13415a246e77a577230029e4561ae6f04a598c3f536c7e

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_latvian.wnry

Filesize
40KB

MD5
c33afb4ecc04ee1bcc6975bea49abe40

SHA1
fbea4f170507cde02b839527ef50b7ec74b4821f

SHA256
a0356696877f2d94d645ae2df6ce6b370bd5c0d6db3d36def44e714525de0536

SHA512
0d435f0836f61a5ff55b78c02fa47b191e5807a79d8a6e991f3115743df2141b3db42ba8bdad9ad259e12f5800828e9e72d7c94a6a5259312a447d669b03ec44

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_norwegian.wnry

Filesize
36KB

MD5
ff70cc7c00951084175d12128ce02399

SHA1
75ad3b1ad4fb14813882d88e952208c648f1fd18

SHA256
cb5da96b3dfcf4394713623dbf3831b2a0b8be63987f563e1c32edeb74cb6c3a

SHA512
f01df3256d49325e5ec49fd265aa3f176020c8ffec60eb1d828c75a3fa18ff8634e1de824d77dfdd833768acff1f547303104620c70066a2708654a07ef22e19

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_polish.wnry

Filesize
38KB

MD5
e79d7f2833a9c2e2553c7fe04a1b63f4

SHA1
3d9f56d2381b8fe16042aa7c4feb1b33f2baebff

SHA256
519ad66009a6c127400c6c09e079903223bd82ecc18ad71b8e5cd79f5f9c053e

SHA512
e0159c753491cac7606a7250f332e87bc6b14876bc7a1cf5625fa56ab4f09c485f7b231dd52e4ff0f5f3c29862afb1124c0efd0741613eb97a83cbe2668af5de

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_portuguese.wnry

Filesize
37KB

MD5
fa948f7d8dfb21ceddd6794f2d56b44f

SHA1
ca915fbe020caa88dd776d89632d7866f660fc7a

SHA256
bd9f4b3aedf4f81f37ec0a028aabcb0e9a900e6b4de04e9271c8db81432e2a66

SHA512
0d211bfb0ae953081dca00cd07f8c908c174fd6c47a8001fadc614203f0e55d9fbb7fa9b87c735d57101341ab36af443918ee00737ed4c19ace0a2b85497f41a

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_romanian.wnry

Filesize
50KB

MD5
313e0ececd24f4fa1504118a11bc7986

SHA1
e1b9ae804c7fb1d27f39db18dc0647bb04e75e9d

SHA256
70c0f32ed379ae899e5ac975e20bbbacd295cf7cd50c36174d2602420c770ac1

SHA512
c7500363c61baf8b77fce796d750f8f5e6886ff0a10f81c3240ea3ad4e5f101b597490dea8ab6bd9193457d35d8fd579fce1b88a1c8d85ebe96c66d909630730

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_russian.wnry

Filesize
46KB

MD5
452615db2336d60af7e2057481e4cab5

SHA1
442e31f6556b3d7de6eb85fbac3d2957b7f5eac6

SHA256
02932052fafe97e6acaaf9f391738a3a826f5434b1a013abbfa7a6c1ade1e078

SHA512
7613dc329abe7a3f32164c9a6b660f209a84b774ab9c008bf6503c76255b30ea9a743a6dc49a8de8df0bcb9aea5a33f7408ba27848d9562583ff51991910911f

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_slovak.wnry

Filesize
40KB

MD5
c911aba4ab1da6c28cf86338ab2ab6cc

SHA1
fee0fd58b8efe76077620d8abc7500dbfef7c5b0

SHA256
e64178e339c8e10eac17a236a67b892d0447eb67b1dcd149763dad6fd9f72729

SHA512
3491ed285a091a123a1a6d61aafbb8d5621ccc9e045a237a2f9c2cf6049e7420eb96ef30fdcea856b50454436e2ec468770f8d585752d73fafd676c4ef5e800a

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_spanish.wnry

Filesize
36KB

MD5
8d61648d34cba8ae9d1e2a219019add1

SHA1
2091e42fc17a0cc2f235650f7aad87abf8ba22c2

SHA256
72f20024b2f69b45a1391f0a6474e9f6349625ce329f5444aec7401fe31f8de1

SHA512
68489c33ba89edfe2e3aebaacf8ef848d2ea88dcbef9609c258662605e02d12cfa4ffdc1d266fc5878488e296d2848b2cb0bbd45f1e86ef959bab6162d284079

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_swedish.wnry

Filesize
37KB

MD5
c7a19984eb9f37198652eaf2fd1ee25c

SHA1
06eafed025cf8c4d76966bf382ab0c5e1bd6a0ae

SHA256
146f61db72297c9c0facffd560487f8d6a2846ecec92ecc7db19c8d618dbc3a4

SHA512
43dd159f9c2eac147cbff1dda83f6a83dd0c59d2d7acac35ba8b407a04ec9a1110a6a8737535d060d100ede1cb75078cf742c383948c9d4037ef459d150f6020

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_turkish.wnry

Filesize
41KB

MD5
531ba6b1a5460fc9446946f91cc8c94b

SHA1
cc56978681bd546fd82d87926b5d9905c92a5803

SHA256
6db650836d64350bbde2ab324407b8e474fc041098c41ecac6fd77d632a36415

SHA512
ef25c3cf4343df85954114f59933c7cc8107266c8bcac3b5ea7718eb74dbee8ca8a02da39057e6ef26b64f1dfccd720dd3bf473f5ae340ba56941e87d6b796c9

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_vietnamese.wnry

Filesize
91KB

MD5
8419be28a0dcec3f55823620922b00fa

SHA1
2e4791f9cdfca8abf345d606f313d22b36c46b92

SHA256
1f21838b244c80f8bed6f6977aa8a557b419cf22ba35b1fd4bf0f98989c5bdf8

SHA512
8fca77e54480aea3c0c7a705263ed8fb83c58974f5f0f62f12cc97c8e0506ba2cdb59b70e59e9a6c44dd7cde6adeeec35b494d31a6a146ff5ba7006136ab9386

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\r.wnry

Filesize
864B

MD5
3e0020fc529b1c2a061016dd2469ba96

SHA1
c3a91c22b63f6fe709e7c29cafb29a2ee83e6ade

SHA256
402751fa49e0cb68fe052cb3db87b05e71c1d950984d339940cf6b29409f2a7c

SHA512
5ca3c134201ed39d96d72911c0498bae6f98701513fd7f1dc8512819b673f0ea580510fa94ed9413ccc73da18b39903772a7cbfa3478176181cee68c896e14cf

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\s.wnry

Filesize
2.9MB

MD5
ad4c9de7c8c40813f200ba1c2fa33083

SHA1
d1af27518d455d432b62d73c6a1497d032f6120e

SHA256
e18fdd912dfe5b45776e68d578c3af3547886cf1353d7086c8bee037436dff4b

SHA512
115733d08e5f1a514808a20b070db7ff453fd149865f49c04365a8c6502fa1e5c3a31da3e21f688ab040f583cf1224a544aea9708ffab21405dde1c57f98e617

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\t.wnry

Filesize
64KB

MD5
5dcaac857e695a65f5c3ef1441a73a8f

SHA1
7b10aaeee05e7a1efb43d9f837e9356ad55c07dd

SHA256
97ebce49b14c46bebc9ec2448d00e1e397123b256e2be9eba5140688e7bc0ae6

SHA512
06eb5e49d19b71a99770d1b11a5bb64a54bf3352f36e39a153469e54205075c203b08128dc2317259db206ab5323bdd93aaa252a066f57fb5c52ff28deedb5e2

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\taskdl.exe

Filesize
20KB

MD5
4fef5e34143e646dbf9907c4374276f5

SHA1
47a9ad4125b6bd7c55e4e7da251e23f089407b8f

SHA256
4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79

SHA512
4550dd1787deb353ebd28363dd2cdccca861f6a5d9358120fa6aa23baa478b2a9eb43cef5e3f6426f708a0753491710ac05483fac4a046c26bec4234122434d5

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\taskse.exe

Filesize
20KB

MD5
8495400f199ac77853c53b5a3f278f3e

SHA1
be5d6279874da315e3080b06083757aad9b32c23

SHA256
2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d

SHA512
0669c524a295a049fa4629b26f89788b2a74e1840bcdc50e093a0bd40830dd1279c9597937301c0072db6ece70adee4ace67c3c8a4fb2db6deafd8f1e887abe4

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\u.wnry

Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry_Plus.zip

Filesize
2.3MB

MD5
5641d280a62b66943bf2d05a72a972c7

SHA1
c857f1162c316a25eeff6116e249a97b59538585

SHA256
ab14c3f5741c06ad40632447b2fc10662d151afb32066a507aab4ec866ffd488

SHA512
0633bc32fa6d31b4c6f04171002ad5da6bb83571b9766e5c8d81002037b4bc96e86eb059d35cf5ce17a1a75767461ba5ac0a89267c3d0e5ce165719ca2af1752

Download Submit
memory/4464-2708-0x00000000737B0000-0x00000000737CC000-memory.dmp

Filesize
112KB

Download
memory/4464-2723-0x00000000001D0000-0x00000000004CE000-memory.dmp

Filesize
3.0MB

Download
memory/4464-2711-0x0000000073670000-0x00000000736F2000-memory.dmp

Filesize
520KB

Download
memory/4464-2710-0x0000000073730000-0x00000000737A7000-memory.dmp

Filesize
476KB

Download
memory/4464-2709-0x0000000073700000-0x0000000073722000-memory.dmp

Filesize
136KB

Download
memory/4464-2706-0x00000000001D0000-0x00000000004CE000-memory.dmp

Filesize
3.0MB

Download
memory/4464-2707-0x00000000737D0000-0x0000000073852000-memory.dmp

Filesize
520KB

Download
memory/4464-2712-0x0000000073450000-0x000000007366C000-memory.dmp

Filesize
2.1MB

Download
memory/4464-2729-0x0000000073450000-0x000000007366C000-memory.dmp

Filesize
2.1MB

Download
memory/4464-2700-0x0000000073450000-0x000000007366C000-memory.dmp

Filesize
2.1MB

Download
memory/4464-2703-0x00000000001D0000-0x00000000004CE000-memory.dmp

Filesize
3.0MB

Download
memory/4464-2699-0x00000000737D0000-0x0000000073852000-memory.dmp

Filesize
520KB

Download
memory/4464-2702-0x0000000073700000-0x0000000073722000-memory.dmp

Filesize
136KB

Download
memory/4464-2701-0x0000000073670000-0x00000000736F2000-memory.dmp

Filesize
520KB

Download
memory/4464-3007-0x00000000001D0000-0x00000000004CE000-memory.dmp

Filesize
3.0MB

Download
memory/4464-3024-0x00000000001D0000-0x00000000004CE000-memory.dmp

Filesize
3.0MB

Download
memory/4464-3030-0x0000000073450000-0x000000007366C000-memory.dmp

Filesize
2.1MB

Download
memory/4464-3070-0x00000000001D0000-0x00000000004CE000-memory.dmp

Filesize
3.0MB

Download
memory/4464-3079-0x00000000001D0000-0x00000000004CE000-memory.dmp

Filesize
3.0MB

Download
memory/5752-1078-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download