wannacry | 5698d21c2b45070e70349fd8c7358afcab0d36fdd5bac0a1f8174a1dd6d311b2

Resubmissions

11-03-2024 15:52

240311-ta6s2aeg21 3

11-03-2024 15:51

11-03-2024 15:43

11-03-2024 15:38

11-03-2024 15:35

11-03-2024 15:25

Analysis

max time kernel
151s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
11-03-2024 15:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Nitr0-G3n3rat0r.exe
Size

23.8MB
MD5

f04a56628a19894bd9c0403757656f79
SHA1

1c4d8f4c61297d9128c5922b097c9a1619dea695
SHA256

5698d21c2b45070e70349fd8c7358afcab0d36fdd5bac0a1f8174a1dd6d311b2
SHA512

8f03e5b400d54a7569eaa6fffb408692cd35bdb498ce0b735cd4b49d6abcebed90e61c9246987abafbd30124b417db54f2f8fd93ed1b602b5ffb14944a824685
SSDEEP

393216:WuLrpBgQTSBfFZNRwSo6oDfDg4c6AHZgOGF3hi:r5BgQeBfFXR66ob03pZr63

Score

10^/10

wannacry persistence ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\!Please Read Me!.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions! �

Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Downloads MZ/PE file

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD59DD.tmp	WannaCry.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD59E4.tmp	WannaCry.exe

Executes dropped EXE 5 IoCs

pid	Process
5804	WannaCry.exe
428	!WannaDecryptor!.exe
5192	!WannaDecryptor!.exe
3648	!WannaDecryptor!.exe
5996	!WannaDecryptor!.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\Downloads\\WannaCry.exe\" /r"	WannaCry.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
207	raw.githubusercontent.com
208	raw.githubusercontent.com
209	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp"	!WannaDecryptor!.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
2784	taskkill.exe
1892	taskkill.exe
4940	taskkill.exe
2356	taskkill.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-513485977-2495024337-1260977654-1000\{F907988E-93E2-4602-A81B-568BA8029DDB}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000_Classes\Local Settings	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 936370.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2380	msedge.exe
2380	msedge.exe
4416	msedge.exe
4416	msedge.exe
4048	identity_helper.exe
4048	identity_helper.exe
5612	msedge.exe
5612	msedge.exe
1880	msedge.exe
1880	msedge.exe
5620	msedge.exe
5620	msedge.exe
5620	msedge.exe
5620	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

pid	Process
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

description	pid	Process
Token: SeDebugPrivilege	2784	taskkill.exe
Token: SeDebugPrivilege	2356	taskkill.exe
Token: SeDebugPrivilege	1892	taskkill.exe
Token: SeDebugPrivilege	4940	taskkill.exe
Token: SeIncreaseQuotaPrivilege	5404	WMIC.exe
Token: SeSecurityPrivilege	5404	WMIC.exe
Token: SeTakeOwnershipPrivilege	5404	WMIC.exe
Token: SeLoadDriverPrivilege	5404	WMIC.exe
Token: SeSystemProfilePrivilege	5404	WMIC.exe
Token: SeSystemtimePrivilege	5404	WMIC.exe
Token: SeProfSingleProcessPrivilege	5404	WMIC.exe
Token: SeIncBasePriorityPrivilege	5404	WMIC.exe
Token: SeCreatePagefilePrivilege	5404	WMIC.exe
Token: SeBackupPrivilege	5404	WMIC.exe
Token: SeRestorePrivilege	5404	WMIC.exe
Token: SeShutdownPrivilege	5404	WMIC.exe
Token: SeDebugPrivilege	5404	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5404	WMIC.exe
Token: SeRemoteShutdownPrivilege	5404	WMIC.exe
Token: SeUndockPrivilege	5404	WMIC.exe
Token: SeManageVolumePrivilege	5404	WMIC.exe
Token: 33	5404	WMIC.exe
Token: 34	5404	WMIC.exe
Token: 35	5404	WMIC.exe
Token: 36	5404	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5404	WMIC.exe
Token: SeSecurityPrivilege	5404	WMIC.exe
Token: SeTakeOwnershipPrivilege	5404	WMIC.exe
Token: SeLoadDriverPrivilege	5404	WMIC.exe
Token: SeSystemProfilePrivilege	5404	WMIC.exe
Token: SeSystemtimePrivilege	5404	WMIC.exe
Token: SeProfSingleProcessPrivilege	5404	WMIC.exe
Token: SeIncBasePriorityPrivilege	5404	WMIC.exe
Token: SeCreatePagefilePrivilege	5404	WMIC.exe
Token: SeBackupPrivilege	5404	WMIC.exe
Token: SeRestorePrivilege	5404	WMIC.exe
Token: SeShutdownPrivilege	5404	WMIC.exe
Token: SeDebugPrivilege	5404	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5404	WMIC.exe
Token: SeRemoteShutdownPrivilege	5404	WMIC.exe
Token: SeUndockPrivilege	5404	WMIC.exe
Token: SeManageVolumePrivilege	5404	WMIC.exe
Token: 33	5404	WMIC.exe
Token: 34	5404	WMIC.exe
Token: 35	5404	WMIC.exe
Token: 36	5404	WMIC.exe
Token: SeBackupPrivilege	4292	vssvc.exe
Token: SeRestorePrivilege	4292	vssvc.exe
Token: SeAuditPrivilege	4292	vssvc.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe
4416	msedge.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
428	!WannaDecryptor!.exe
428	!WannaDecryptor!.exe
5192	!WannaDecryptor!.exe
5192	!WannaDecryptor!.exe
3648	!WannaDecryptor!.exe
3648	!WannaDecryptor!.exe
5996	!WannaDecryptor!.exe
5996	!WannaDecryptor!.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4416 wrote to memory of 2360	4416	msedge.exe	91
PID 4416 wrote to memory of 2360	4416	msedge.exe	91
PID 4416 wrote to memory of 1860	4416	msedge.exe	92
PID 4416 wrote to memory of 1860	4416	msedge.exe	92
PID 4416 wrote to memory of 1860	4416	msedge.exe	92
PID 4416 wrote to memory of 1860	4416	msedge.exe	92
PID 4416 wrote to memory of 1860	4416	msedge.exe	92
PID 4416 wrote to memory of 1860	4416	msedge.exe	92
PID 4416 wrote to memory of 1860	4416	msedge.exe	92
PID 4416 wrote to memory of 1860	4416	msedge.exe	92
PID 4416 wrote to memory of 1860	4416	msedge.exe	92
PID 4416 wrote to memory of 1860	4416	msedge.exe	92
PID 4416 wrote to memory of 1860	4416	msedge.exe	92
PID 4416 wrote to memory of 1860	4416	msedge.exe	92
PID 4416 wrote to memory of 1860	4416	msedge.exe	92
PID 4416 wrote to memory of 1860	4416	msedge.exe	92
PID 4416 wrote to memory of 1860	4416	msedge.exe	92
PID 4416 wrote to memory of 1860	4416	msedge.exe	92
PID 4416 wrote to memory of 1860	4416	msedge.exe	92
PID 4416 wrote to memory of 1860	4416	msedge.exe	92
PID 4416 wrote to memory of 1860	4416	msedge.exe	92
PID 4416 wrote to memory of 1860	4416	msedge.exe	92
PID 4416 wrote to memory of 1860	4416	msedge.exe	92
PID 4416 wrote to memory of 1860	4416	msedge.exe	92
PID 4416 wrote to memory of 1860	4416	msedge.exe	92
PID 4416 wrote to memory of 1860	4416	msedge.exe	92
PID 4416 wrote to memory of 1860	4416	msedge.exe	92
PID 4416 wrote to memory of 1860	4416	msedge.exe	92
PID 4416 wrote to memory of 1860	4416	msedge.exe	92
PID 4416 wrote to memory of 1860	4416	msedge.exe	92
PID 4416 wrote to memory of 1860	4416	msedge.exe	92
PID 4416 wrote to memory of 1860	4416	msedge.exe	92
PID 4416 wrote to memory of 1860	4416	msedge.exe	92
PID 4416 wrote to memory of 1860	4416	msedge.exe	92
PID 4416 wrote to memory of 1860	4416	msedge.exe	92
PID 4416 wrote to memory of 1860	4416	msedge.exe	92
PID 4416 wrote to memory of 1860	4416	msedge.exe	92
PID 4416 wrote to memory of 1860	4416	msedge.exe	92
PID 4416 wrote to memory of 1860	4416	msedge.exe	92
PID 4416 wrote to memory of 1860	4416	msedge.exe	92
PID 4416 wrote to memory of 1860	4416	msedge.exe	92
PID 4416 wrote to memory of 1860	4416	msedge.exe	92
PID 4416 wrote to memory of 2380	4416	msedge.exe	93
PID 4416 wrote to memory of 2380	4416	msedge.exe	93
PID 4416 wrote to memory of 3988	4416	msedge.exe	94
PID 4416 wrote to memory of 3988	4416	msedge.exe	94
PID 4416 wrote to memory of 3988	4416	msedge.exe	94
PID 4416 wrote to memory of 3988	4416	msedge.exe	94
PID 4416 wrote to memory of 3988	4416	msedge.exe	94
PID 4416 wrote to memory of 3988	4416	msedge.exe	94
PID 4416 wrote to memory of 3988	4416	msedge.exe	94
PID 4416 wrote to memory of 3988	4416	msedge.exe	94
PID 4416 wrote to memory of 3988	4416	msedge.exe	94
PID 4416 wrote to memory of 3988	4416	msedge.exe	94
PID 4416 wrote to memory of 3988	4416	msedge.exe	94
PID 4416 wrote to memory of 3988	4416	msedge.exe	94
PID 4416 wrote to memory of 3988	4416	msedge.exe	94
PID 4416 wrote to memory of 3988	4416	msedge.exe	94
PID 4416 wrote to memory of 3988	4416	msedge.exe	94
PID 4416 wrote to memory of 3988	4416	msedge.exe	94
PID 4416 wrote to memory of 3988	4416	msedge.exe	94
PID 4416 wrote to memory of 3988	4416	msedge.exe	94
PID 4416 wrote to memory of 3988	4416	msedge.exe	94
PID 4416 wrote to memory of 3988	4416	msedge.exe	94

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\Nitr0-G3n3rat0r.exe
"C:\Users\Admin\AppData\Local\Temp\Nitr0-G3n3rat0r.exe"
1⤵
PID:1724

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ff8801d46f8,0x7ff8801d4708,0x7ff8801d4718
  2⤵
  PID:2360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,3965743185030370016,1179184367431850224,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
  2⤵
  PID:1860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,3965743185030370016,1179184367431850224,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,3965743185030370016,1179184367431850224,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2792 /prefetch:8
  2⤵
  PID:3988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,3965743185030370016,1179184367431850224,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
  2⤵
  PID:3776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,3965743185030370016,1179184367431850224,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1
  2⤵
  PID:1180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,3965743185030370016,1179184367431850224,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4280 /prefetch:1
  2⤵
  PID:2164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,3965743185030370016,1179184367431850224,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4948 /prefetch:1
  2⤵
  PID:3892
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,3965743185030370016,1179184367431850224,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3484 /prefetch:8
  2⤵
  PID:3060
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,3965743185030370016,1179184367431850224,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3484 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,3965743185030370016,1179184367431850224,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5264 /prefetch:1
  2⤵
  PID:4452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,3965743185030370016,1179184367431850224,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5456 /prefetch:1
  2⤵
  PID:1980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,3965743185030370016,1179184367431850224,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:1
  2⤵
  PID:4900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,3965743185030370016,1179184367431850224,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5360 /prefetch:1
  2⤵
  PID:5280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,3965743185030370016,1179184367431850224,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1
  2⤵
  PID:5444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,3965743185030370016,1179184367431850224,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5760 /prefetch:1
  2⤵
  PID:5452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2096,3965743185030370016,1179184367431850224,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5272 /prefetch:8
  2⤵
  PID:5604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2096,3965743185030370016,1179184367431850224,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5576 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:5612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,3965743185030370016,1179184367431850224,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5948 /prefetch:1
  2⤵
  PID:6048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,3965743185030370016,1179184367431850224,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4284 /prefetch:1
  2⤵
  PID:5228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,3965743185030370016,1179184367431850224,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5632 /prefetch:1
  2⤵
  PID:5248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,3965743185030370016,1179184367431850224,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4384 /prefetch:1
  2⤵
  PID:5772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2096,3965743185030370016,1179184367431850224,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4208 /prefetch:8
  2⤵
  PID:5932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,3965743185030370016,1179184367431850224,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6056 /prefetch:1
  2⤵
  PID:4556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2096,3965743185030370016,1179184367431850224,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6776 /prefetch:8
  2⤵
  PID:1584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2096,3965743185030370016,1179184367431850224,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6924 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,3965743185030370016,1179184367431850224,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6880 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5620

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1016

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4628

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3d0 0x50c
1⤵
PID:5160

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1060

C:\Users\Admin\Downloads\WannaCry.exe
"C:\Users\Admin\Downloads\WannaCry.exe"
1⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
PID:5804
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 102871710171922.bat
  2⤵
  PID:1468
- - C:\Windows\SysWOW64\cscript.exe
    cscript //nologo c.vbs
    3⤵
    PID:4584
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe f
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:428
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im MSExchange*
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2784
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im Microsoft.Exchange.*
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1892
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im sqlserver.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2356
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im sqlwriter.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4940
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe c
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5192
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c start /b !WannaDecryptor!.exe v
  2⤵
  PID:5128
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe v
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3648
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
      4⤵
      PID:5468
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5404
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  2⤵
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  - Suspicious use of SetWindowsHookEx
  PID:5996

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\!Please Read Me!.txt
1⤵
PID:6124

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7c6136bc98a5aedca2ea3004e9fbe67d

SHA1
74318d997f4c9c351eef86d040bc9b085ce1ad4f

SHA256
50c3bd40caf7e9a82496a710f58804aa3536b44d57e2ee5e2af028cbebc6c2f2

SHA512
2d2fb839321c56e4cb80562e9a1daa4baf48924d635729dc5504a26462796919906f0097dd1fc7fd053394c0eea13c25219dec54ffe6e9abb6e8cb9afa66bada

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5c6aef82e50d05ffc0cf52a6c6d69c91

SHA1
c203efe5b45b0630fee7bd364fe7d63b769e2351

SHA256
d9068cf3d04d62a9fb1cdd4c3cf7c263920159171d1b84cb49eff7cf4ed5bc32

SHA512
77ad48936e8c3ee107a121e0b2d1216723407f76872e85c36413237ca1c47b8c40038b8a6349b072bbcc6a29e27ddda77cf686fa97569f4d86531e6b2ac485ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
1aa2108bd1e437d3a7e1d5ffd799e56b

SHA1
709dadb21001324ea637d5c50f2e99355988b5e6

SHA256
4426a87003772b198fea0c1b2d65d9a5b1d933a8be02c047bdc3ff1e88fb9f73

SHA512
9ba8586b27be8a506f95a108c1569451a3579c50a3181823faa3b9666d7f85552cf6a0d71b819d6da3079dae6f4d8a7810486c833683700249d0936e372f8d07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
870B

MD5
f12d536847ae723bd226508062072422

SHA1
f48624225ca62231186f1316b4eca6e27aaaf6d2

SHA256
790866b475e1716ce43c49e0b1151d58edf0c057e0d0b5e1e24d6a9c6661ed87

SHA512
fee993ec12c48b578a4f5eba1031e6ede14bb482f7307777f9209acbcd0668ad8673411e2166ac64948ba263578dc88f7b305c8c8be3556797c58fdff92219ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
f965b917abfc0abeba00c65ad08f65dd

SHA1
39b8c2350c29e768d7f92edd19ce3812b574e023

SHA256
d2cee35d0f80df91ec25ecf55fab01178637d1e476aabc446b62e86771f2e4bb

SHA512
9545de37329ce4aff0eeee299961d72e613fe967d3c3c86d0ea1212daa617ef0523e55aedce85bc1442cc56302f461893f1c77d93a3b0223dc68912d35ae002e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
870B

MD5
2cdbb6fe0b40e52b2c4a67be8b3ef892

SHA1
8721c99585880c1184319df5af9155865d72687c

SHA256
8a619fa15d5b0a1b2076296071c1a869574f8e7313bf162dbb3c5cd7f2886120

SHA512
dcacfce8709f1c2a8ed14b65a13088b019b06ecfc28182dafb0c422ee543ef08651ab25a4883ed75914e5b749da6b154a0c33b6d2bcb4b3d6af82c3e196f37b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
331f41d707de95b3b12510c1a2f333b1

SHA1
223a1b537fa1d31e8c6845a571c5a0a467b23e0d

SHA256
f61648bd1e48be3d55d6deac6e3324a346478d1359ef14497b399d8019bfa7f3

SHA512
efa597be968bfd7e9b3276897204854d69b5852e64ef51fee8f0188c2458d41eda441a30f032fdcf7be85f1d1f69498169e1403879fd7b23941704e1d7c6377e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c99339c185d2c47f4abe76501be8acad

SHA1
3cdb1f6c5d56e7d712b58b064aec28e0110c68c6

SHA256
9c20edd183b68aa05980c76a90f5ecc111998d925225e15faf05e2c27e5fb53b

SHA512
234a715cbbfccc5450d1d183bd45507a1113fc2dea04b5f883ee3558150e2989dca16f86e7398935b5076a16e18f4f3839064d95c553ed9233cbe02bb026fdc8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d50bf478ec11751c0ff507bbcff8c270

SHA1
f1b43270bc99c1c153c1430f8745969f7db94b5f

SHA256
108b4a20a81a5b93539b1d5e16c1401dc2e5c2912fdb60dcafd9ed29db88fb36

SHA512
90f62f619a9619e2cfaf6b5c6af4d763efb88e8c224ea2e7bb1159e09bcbe0db65e7cc5a24b14d3185c7134d7afe21575bc1f8eb10f94b7e726156b79b73bdfa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
41c66ee05a72c4666243155d1b2b7d20

SHA1
bd80858eb3ffa775edb0453589c22d9b6a459fbc

SHA256
6caf03c60a5193eabad8d1f4f883932ccf8238b065f452dbd2b7313643a455ae

SHA512
55e531a180c9865388c01e1d243246022e1aba1016ff2f0dc7a149b3c44379f91bc611fbd318e91863da747664389fc3b76a1767f03da74803d1ac5c83467ab2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
f81edb48116b378e744495318c569b7c

SHA1
f08f810ad96f0e8f32516f0f7aa399191a679401

SHA256
906518c3bc2394e2458f5bf6f3e2491e4e1ffbfb66e3622b795d95bc34ff3132

SHA512
daaad376d4111560d614311b4588787039a84d1acbbee6f26e7b21f75fc941d766b3ee60f994d99365cddc2b0b80caf9eb4fcaf3583114e7ed38d522f6aabab3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
20cc2274f5c0ffedf776e2fa797d645f

SHA1
a23a20b726992a8bc576abde4e77cd6d7b71df3a

SHA256
b0b0c6dd3ed91a6a84c1a572d1258d76886ca9cb01594d8ddc0e64b8eb5711d3

SHA512
375323811b4d2fec8950e1ea541b074e9b87da79ee3b8ce5efb585b5817753e65d8b4c338feaa91a19bf9415c6e6e0b2da7a2fe556b59038ef31bc4a82f55ec5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
29c41a4f5f7d2ab19a16ac8f1c21d889

SHA1
9523148bc60ab9466c7dd652c294a4b54b50305d

SHA256
c0409e8a9fc8538f2f9b78aa923704797cd48b927197c56d84642d085951bd49

SHA512
b75ef6f531c89a0a2fb606b3f674ed5705428d662b18466696337fc8d6399e4afa437005668fe586414a304d4826a592cd60ef84afbde012f0225058928139c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
f762dffef3389f126460526060023e96

SHA1
29e81c48de66addc1328679aa2b80dc308bfbb0d

SHA256
9a966e7127939e1affd9eb9140f1323341306969f68457e508498b23c90a9526

SHA512
a2650c2742db5b1df5dbb330b3f241081824dc0dcfededb105df0878d266805c799190197b40743a015c8faec06acb28d3f62dfcb33ca05798108ba9c593d268

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c90c3fb88b96b5b1b3ba1b181533da61

SHA1
b02fba5be699fd0dfadd7bdbc7eb579f0446556e

SHA256
49ed246ddade6515a4cbf5e412c86d067433f15f5d12196aa995edbd702f4efd

SHA512
6d91be402f50e6f5b46305ae93f66ff2ab8b9bcbe6325f419fa7299e102a954064a6e93e72eadba175743105b69cd1f1d832a32908c175d095f467a56431dfaa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
7df51e73ede82b56c8f7d5b67da38d3c

SHA1
3f7d358b3a4eb9f73223d5f7a983ef86611dd736

SHA256
b09725a9e128d710d38fb768ba57ae473258a9ef864e1cda8262138b080f0a1a

SHA512
ee280530819f7786a59b2d6a26fbd562bec097d7236872fa35c3bdea150cf1b88d7431f15dd7bbbfb5994a474860d7586385b967aafdc24172ec24f75b58d8c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57facb.TMP

Filesize
705B

MD5
4f397acf7d1958c2a244918e8a396a30

SHA1
8e2b2208b245e84a98d2ad3133633ac4848bbcc3

SHA256
f169994e162036b5a29536f039f1db8ab700c526b2b4cf7bc7aae75849d3bc6d

SHA512
724a0a997547f4417e215253affe93d4126d86cd742045ed77ce2ec0c66ae03887bba587f535f0912d9078f164405fd9979e2e4b5d517186f14aca1ea0c71d39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
62d91055498b38cbe507bf9edbeaf6ef

SHA1
03782fde6802ff5ddf2f59e52bda130cf165cd64

SHA256
dbc5b84b6fcfb3e200ce38d6b2c7de2078882711002910ab3f3d4d73a0175bc5

SHA512
652eea66618d2b56ceb758e2fc3202c101de4e3b511b5c04c2ac3cf9010e3c137367a7d6f2a02493203c4b8dc9299cb2a0394b845531ae07af108f9cb43f4e84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ad46a3936391ee60cde784d8011653af

SHA1
1a52aa1da1577fbbf7e7baf3379ccc8bef58b775

SHA256
f2428ea100da915ab7619beabedd261c120804a07c4ed4f54d6a3fa06bc8165c

SHA512
a8f8abcffa8d66c4ea0769bfd1ed41d37dd918b9a7798b8e8c2f79af810ef3a5f12e77d74fa448eeb279e7d6c057836c654f906f65505d249b29f1e86350340d

Download Submit
C:\Users\Admin\Downloads\!Please Read Me!.txt

Filesize
797B

MD5
afa18cf4aa2660392111763fb93a8c3d

SHA1
c219a3654a5f41ce535a09f2a188a464c3f5baf5

SHA256
227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0

SHA512
4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b

Download Submit
C:\Users\Admin\Downloads\!WannaDecryptor!.exe

Filesize
157KB

MD5
0c82e497cdc35a09372c7c6449317968

SHA1
8f9b2f0a13c382d2e76ae37478edcc716eb09e39

SHA256
2b4ba7d5c51629a92ff933630b5477860cfb4c828a812b5243afceed777a4546

SHA512
4124217994956ef7d27d3e1f6c859a4e172e139604ed649894b20cf749db87e91c6354601921701518515d3c48ce2fc4203dc275f77412fd32efab26de4d8796

Download Submit
C:\Users\Admin\Downloads\!WannaDecryptor!.exe.lnk

Filesize
590B

MD5
ced13f3ab4758bcb5e8e1690698b10b3

SHA1
b4c480e0b4b35fe8634b28e1e399cfc9811f6664

SHA256
1b2ee685494cee0ce19f62a404f5816b9dab34222f4f33149f08b7e51daaa595

SHA512
1cf2e7593fc9de4143bac667eebe88e8af894604ae9715ad862dc8b5e27489ed15cb8832af63aea59da7e7ea5bd00fd0bbdddf61269b99c7b7824bd78dc1dae4

Download Submit
C:\Users\Admin\Downloads\00000000.res

Filesize
136B

MD5
589c714474e2214235fd001b62264d89

SHA1
9d24f2513c124a6b384349d845e8d17bd478c052

SHA256
0636de1175e392245c57b568449f7db58c31919d25900a76f19ba259ad1818e5

SHA512
c25715ca66c686c48e790b160e86340fba40d3bd77e57696ee86931e3f189075e48df5500c75e9b43708d52c90a35fcf905ea557e097d0d82919ab82605f065e

Download Submit
C:\Users\Admin\Downloads\00000000.res

Filesize
136B

MD5
7435e21c34f45b3892ee891d5d99d13e

SHA1
0fb9511ff191e79e1cf8a5a6b8dc84b65db61da1

SHA256
beaf86bcb9920aa0122051145f60589d352e25ae8c9d26ea2f58f806d558a4e1

SHA512
c2109b057a4af0f7c9e69c62c35c7460de16b0c3a3fde210b4ed82c888df726a1b489ccb226ad3995ac0f6dbbd878b5704e67ef4224b26811d366539e7f599c8

Download Submit
C:\Users\Admin\Downloads\102871710171922.bat

Filesize
318B

MD5
a261428b490a45438c0d55781a9c6e75

SHA1
e9eefce11cefcbb7e5168bfb8de8a3c3ac45c41e

SHA256
4288d655b7de7537d7ea13fdeb1ba19760bcaf04384cd68619d9e5edb5e31f44

SHA512
304887938520ffcc6966da83596ccc8688b7eace9572982c224f3fb9c59e6fb2dcaa021a19d2aae47346e954c0d0d8145c723b7143dece11ac7261dc41ba3d40

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 936370.crdownload

Filesize
224KB

MD5
5c7fb0927db37372da25f270708103a2

SHA1
120ed9279d85cbfa56e5b7779ffa7162074f7a29

SHA256
be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844

SHA512
a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f89224c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206

Download Submit
C:\Users\Admin\Downloads\c.vbs

Filesize
201B

MD5
02b937ceef5da308c5689fcdb3fb12e9

SHA1
fa5490ea513c1b0ee01038c18cb641a51f459507

SHA256
5d57b86aeb52be824875008a6444daf919717408ec45aff4640b5e64610666f1

SHA512
843eeae13ac5fdc216b14e40534543c283ecb2b6c31503aba2d25ddd215df19105892e43cf618848742de9c13687d21e8c834eff3f2b69a26df2509a6f992653

Download Submit
C:\Users\Admin\Downloads\c.wry

Filesize
628B

MD5
061d635ff6318438e50745b20fe593a6

SHA1
40d2b321b2e38fbbb61a10d5e0d85adcfba7e5bc

SHA256
9ad5216099c417103f439335416e14f3594c3043892297955c567574f360e944

SHA512
b2258b093da51f23b6a8b32e48d3128e0d2383d04aa0d8a73a89cc91b581802fafe8bec6d2fd7834d4dbc1c2976ffd02cdcaf50c955cedd58c38405b4e7b3f47

Download Submit
C:\Users\Admin\Downloads\m.wry

Filesize
42KB

MD5
980b08bac152aff3f9b0136b616affa5

SHA1
2a9c9601ea038f790cc29379c79407356a3d25a3

SHA256
402046ada270528c9ac38bbfa0152836fe30fb8e12192354e53b8397421430d9

SHA512
100cda1f795781042b012498afd783fd6ff03b0068dbd07b2c2e163cd95e6c6e00755ce16b02b017693c9febc149ed02df9df9b607e2b9cca4b07e5bd420f496

Download Submit
C:\Users\Admin\Downloads\u.wry

Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
memory/5804-550-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download