Analysis

  • max time kernel
    148s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    17-08-2024 01:39

General

  • Target

    https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/WannaCry.exe

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\!Please Read Me!.txt

Family

wannacry

Ransom Note
Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions!
Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 6 IoCs
  • Kills process with taskkill 4 IoCs
  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 49 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 26 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/WannaCry.exe
    1⤵
    PID:1136
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=3964,i,10597648459838880772,16562651767759956329,262144 --variations-seed-version --mojo-platform-channel-handle=4632 /prefetch:1
    1⤵
    PID:408
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --field-trial-handle=4952,i,10597648459838880772,16562651767759956329,262144 --variations-seed-version --mojo-platform-channel-handle=3828 /prefetch:1
    1⤵
    PID:2684
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --field-trial-handle=5076,i,10597648459838880772,16562651767759956329,262144 --variations-seed-version --mojo-platform-channel-handle=5424 /prefetch:1
    1⤵
    PID:4580
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=5584,i,10597648459838880772,16562651767759956329,262144 --variations-seed-version --mojo-platform-channel-handle=5596 /prefetch:8
    1⤵
    PID:1036
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --field-trial-handle=5600,i,10597648459838880772,16562651767759956329,262144 --variations-seed-version --mojo-platform-channel-handle=5676 /prefetch:8
    1⤵
    PID:3720
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --field-trial-handle=6096,i,10597648459838880772,16562651767759956329,262144 --variations-seed-version --mojo-platform-channel-handle=6036 /prefetch:1
    1⤵
    PID:3228
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=6008,i,10597648459838880772,16562651767759956329,262144 --variations-seed-version --mojo-platform-channel-handle=4944 /prefetch:8
    1⤵
    PID:4932
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --field-trial-handle=5456,i,10597648459838880772,16562651767759956329,262144 --variations-seed-version --mojo-platform-channel-handle=5536 /prefetch:8
    1⤵
    PID:1628
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --field-trial-handle=5512,i,10597648459838880772,16562651767759956329,262144 --variations-seed-version --mojo-platform-channel-handle=5020 /prefetch:1
    1⤵
    PID:2324
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --field-trial-handle=7000,i,10597648459838880772,16562651767759956329,262144 --variations-seed-version --mojo-platform-channel-handle=6940 /prefetch:8
    1⤵
    PID:4764
  • C:\Users\Admin\Downloads\WannaCry.exe
    "C:\Users\Admin\Downloads\WannaCry.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1168
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c 201551723858817.bat
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2712
      • C:\Windows\SysWOW64\cscript.exe
        cscript //nologo c.vbs
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1560
    • C:\Users\Admin\Downloads\!WannaDecryptor!.exe
      !WannaDecryptor!.exe f
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2868
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im MSExchange*
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4156
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im Microsoft.Exchange.*
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4804
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im sqlserver.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3376
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im sqlwriter.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2712
    • C:\Users\Admin\Downloads\!WannaDecryptor!.exe
      !WannaDecryptor!.exe c
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:5560
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c start /b !WannaDecryptor!.exe v
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:5552
      • C:\Users\Admin\Downloads\!WannaDecryptor!.exe
        !WannaDecryptor!.exe v
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:5664
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:5768
          • C:\Windows\SysWOW64\Wbem\WMIC.exe
            wmic shadowcopy delete
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:5884
    • C:\Users\Admin\Downloads\!WannaDecryptor!.exe
      !WannaDecryptor!.exe
      2⤵
      • Executes dropped EXE
      • Sets desktop wallpaper using registry
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:5712
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --field-trial-handle=7008,i,10597648459838880772,16562651767759956329,262144 --variations-seed-version --mojo-platform-channel-handle=1676 /prefetch:8
    1⤵
    PID:5312
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:2712
  • C:\Users\Admin\Downloads\WannaCry.exe
    "C:\Users\Admin\Downloads\WannaCry.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    PID:5280
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:5936
  • C:\Program Files\Microsoft Office\Root\Office16\ONENOTE.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\ONENOTE.EXE" "C:\Users\Admin\Documents\OneNote Notebooks\Quick Notes.one"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    PID:5540
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -nohome
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:6052
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6052 CREDAT:17410 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:4404
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
    1⤵
    • Enumerates system info in registry
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:5692
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=127.0.6533.89 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=127.0.2651.86 --initial-client-data=0x238,0x23c,0x240,0x234,0x248,0x7ff95e63d198,0x7ff95e63d1a4,0x7ff95e63d1b0
      2⤵
      PID:5220
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2216,i,17151189423712100729,4131752628831011858,262144 --variations-seed-version --mojo-platform-channel-handle=2212 /prefetch:2
      2⤵
      PID:5720
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --field-trial-handle=1976,i,17151189423712100729,4131752628831011858,262144 --variations-seed-version --mojo-platform-channel-handle=3184 /prefetch:3
      2⤵
      PID:5640
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --field-trial-handle=2408,i,17151189423712100729,4131752628831011858,262144 --variations-seed-version --mojo-platform-channel-handle=3288 /prefetch:8
      2⤵
      PID:1684
    • C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --field-trial-handle=4504,i,17151189423712100729,4131752628831011858,262144 --variations-seed-version --mojo-platform-channel-handle=4520 /prefetch:8
      2⤵
      PID:2180
    • C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --field-trial-handle=4504,i,17151189423712100729,4131752628831011858,262144 --variations-seed-version --mojo-platform-channel-handle=4520 /prefetch:8
      2⤵
      PID:5856
  • C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\elevation_service.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\elevation_service.exe"
    1⤵
    PID:5564

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json
    Filesize: 2B
    MD5: 99914b932bd37a50b983c5e7c90ae93b
    SHA1: bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
    SHA256: 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
    SHA512: 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports
    Filesize: 2B
    MD5: d751713988987e9331980363e24189ce
    SHA1: 97d170e1550eee4afc0af065b78cda302a97674c
    SHA256: 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
    SHA512: b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries
    Filesize: 40B
    MD5: 20d4b8fa017a12a108c87f540836e250
    SHA1: 1ac617fac131262b6d3ce1f52f5907e31d5f6f00
    SHA256: 6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d
    SHA512: 507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize: 12KB
    MD5: 82db17d7967571dbd9ed89ebc46499c5
    SHA1: e048e7b7f8712e82ea26de47b5d71b90d59bf155
    SHA256: 7ff3dc80fd8a45782db75083b0237bc9c12c2388641ce33fcafafa82d370414e
    SHA512: 9c3b8d1446d9624d00765957796eb021592e3f70e839c132405e5f0d66e394c92e2a5d094a734cbe3b4b676dd0e4ba651b9aa5921c2aea788b6c2e983f1a21f2

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
    Filesize: 30KB
    MD5: fb01262627cb84cb4326d93ea88ba810
    SHA1: b3e18caccad0fe0974e2c559572bee0a0a2ac3da
    SHA256: de13ab6a0cb582662e7f4841adcddce1852099b605db3582753203849447d2ca
    SHA512: 0d17ee22d30d5ee248069b81de4dff53856b3b62e16784395e8451b443e39f75f6529ad6d1cf3a2f8a35050f35abc625703653da02f031562ff3182d1cb23d2a

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
    Filesize: 74KB
    MD5: ceeb2566f17c245cbcf4907c76cea300
    SHA1: 492230899c067e93cba65af977e818207e94c68a
    SHA256: dd3070c0d3854abd868d8b0bf45ee61885070b1f97b7e30f82e5fe65e0fe405d
    SHA512: 7455d9a1d283e3d6b3737b76e0a13f86a5e221620e2a4ac944f5287a3b5df4d46015ce9aa29c3b5fdc3260a8fdcac39b2a1f0b947624710fb62e6279370e9aa4

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
    Filesize: 74KB
    MD5: 912542ffce5cb5c769bf547a6a3237ed
    SHA1: 2350d691e00b5104c68fe877209fbd63e3b28a22
    SHA256: 6e267364281effd3425379f45764cb0d88b2f5476e40ecbe201f8e3bf5d1ae51
    SHA512: 789ab4b7748368de8e289949a2b2df13b98c51b54fe28d310f6f2e1082ebe77c2a8ad68d876438280b62e3181f1f3b179f5dc7e1438108fb5a311cb5651582a3

  • C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
    Filesize: 2KB
    MD5: d9206d21cc1e83cdf638762ea46c9411
    SHA1: 698ddd192278ae5555c57ae2127d120ac9dd4fcb
    SHA256: d40f3925baa2881bfb3bd7f18811e08993291280d3acea3dbba67a68d0346cf8
    SHA512: 7e804c9f5105d9698163fcc05f35a0b0db6b5775f97926c97c62c2b3335e4e27ec9c8b8db23719f0a459ff288c1a06c6da6858fe78e99a73e860d8359529548d

  • C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres
    Filesize: 2KB
    MD5: ddb9717bb7b96232a2a132b75f6a8a49
    SHA1: e0034aa866554261f28d2009177286261bb82849
    SHA256: d8b3d6cde6a8610fcb9f35a8d4cf05d2189040e1dc3509c6af0a20a722c41176
    SHA512: 940a2eabe7ba704502cedf1b99838d8e2b5dd9e9583198af460b00bce534d388b937a403d58a1da7dfd3d21477fd071f483d8b472f6f874418df9980d9fa12e9

  • C:\Users\Admin\Downloads\!Please Read Me!.txt
    Filesize: 797B
    MD5: afa18cf4aa2660392111763fb93a8c3d
    SHA1: c219a3654a5f41ce535a09f2a188a464c3f5baf5
    SHA256: 227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0
    SHA512: 4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b

  • C:\Users\Admin\Downloads\!WannaDecryptor!.exe.lnk
    Filesize: 590B
    MD5: 3b049df135ea56c994653c6d97c52924
    SHA1: dbdb221e6afae5a7b647b06200d3f389de3cdf10
    SHA256: 845894c184d01800ea187465286c97d4786cbf2d5b77836f0287998ada629cf5
    SHA512: e2dbc3b489416e842969ec2c327dd965d5ac1de7c956c601526d6d949e8c576458bbe267b645973dc6dbd99674b2faec6fc188089939d2d6efc06449f07c0edf

  • C:\Users\Admin\Downloads\00000000.res
    Filesize: 136B
    MD5: 47c641b99ad048359aef106904d4d16f
    SHA1: 7404dee5aa6853cc4832251e4dc9597e0b319a1f
    SHA256: 319227998273b3bf085386cc60c4f0a784a7f55ee87a0ab2caa0186fa2d4fee9
    SHA512: 91aa4c8f05fc14828d01503e144b51373c408a612c0f635bb0972fd164ad7d4a86a8bd701152eb80cfa204437db8fea853bef01919fa608effbae0b5920a8d70

  • C:\Users\Admin\Downloads\00000000.res
    Filesize: 136B
    MD5: 82afc86a6b814cafce9de78625be86b1
    SHA1: 75b53a741fe17b4abc8d481cb5abf1a14ce5781c
    SHA256: 0d395d4d4e16c1b5fcca81a76129e5d85c29c231b4bbb77222fbb01f8d2a3ae9
    SHA512: 36e85441681a0d2274d0165b0e302ebba77124846640033c87059191ee3b7464116dad23df9e7d157d3dad2ca06ec6a0782f744a0fb4d37c28d7a87acea45f0f

  • C:\Users\Admin\Downloads\00000000.res
    Filesize: 136B
    MD5: a80782af21bed64e4d866f4844d749b0
    SHA1: 5348b524d0a8ae6bde23a251c940f79563b7def5
    SHA256: 7e4b6c961a9c1165800baf6e4ca583f04ef76b3b4bf342e87799c3f5c92f9ff3

                                            SHA512

                                            43f3a1d803aecb04ed33355f4018a35e7c3c3af2a08929095cab3fbbf5555510662daeddaedb3e66aa3b0e54d6c16a0a788201e67cb574fe420f7cda9dd463f8

                                          • C:\Users\Admin\Downloads\201551723858817.bat

                                            Filesize

                                            318B

                                            MD5

                                            a261428b490a45438c0d55781a9c6e75

                                            SHA1

                                            e9eefce11cefcbb7e5168bfb8de8a3c3ac45c41e

                                            SHA256

                                            4288d655b7de7537d7ea13fdeb1ba19760bcaf04384cd68619d9e5edb5e31f44

                                            SHA512

                                            304887938520ffcc6966da83596ccc8688b7eace9572982c224f3fb9c59e6fb2dcaa021a19d2aae47346e954c0d0d8145c723b7143dece11ac7261dc41ba3d40

                                          • C:\Users\Admin\Downloads\c.vbs

                                            Filesize

                                            201B

                                            MD5

                                            02b937ceef5da308c5689fcdb3fb12e9

                                            SHA1

                                            fa5490ea513c1b0ee01038c18cb641a51f459507

                                            SHA256

                                            5d57b86aeb52be824875008a6444daf919717408ec45aff4640b5e64610666f1

                                            SHA512

                                            843eeae13ac5fdc216b14e40534543c283ecb2b6c31503aba2d25ddd215df19105892e43cf618848742de9c13687d21e8c834eff3f2b69a26df2509a6f992653

                                          • C:\Users\Admin\Downloads\c.wry

                                            Filesize

                                            628B

                                            MD5

                                            663e55df21852bc8870b86bc38e58262

                                            SHA1

                                            1c691bf030ecfce78a9476fbdef3afe61724e6a9

                                            SHA256

                                            bf22e8e18db1638673f47591a13d18ee58d8c6019314bab5a90be82ae3dc9538

                                            SHA512

                                            6a54be1fa549633a2fd888c559207437b8f6efda98bb18d491c8749f39e9754f1e680fa8e2d623777b5f665b2c04d19385c75ce4e61fb251db16018963a9a6f9

                                          • C:\Users\Admin\Downloads\c.wry

                                            Filesize

                                            628B

                                            MD5

                                            ca2c794a5b33580293578ddda668ed22

                                            SHA1

                                            693f3f6ab7d531ca5e7fb1d8a41842c6131b2dc1

                                            SHA256

                                            cf8def586158772e317443fbac98d0012e80fed894dd5faab2be6e3d00052031

                                            SHA512

                                            76b40d40c79dd0c8d70f092edf49af3a95e06d35d1a6938acb80d8b600713cc7990bdbc138bc2a071cc487a5e1c34c48c279bb472379512b9e6d1f6d48ad5851

                                          • C:\Users\Admin\Downloads\m.wry

                                            Filesize

                                            42KB

                                            MD5

                                            980b08bac152aff3f9b0136b616affa5

                                            SHA1

                                            2a9c9601ea038f790cc29379c79407356a3d25a3

                                            SHA256

                                            402046ada270528c9ac38bbfa0152836fe30fb8e12192354e53b8397421430d9

                                            SHA512

                                            100cda1f795781042b012498afd783fd6ff03b0068dbd07b2c2e163cd95e6c6e00755ce16b02b017693c9febc149ed02df9df9b607e2b9cca4b07e5bd420f496

                                          • C:\Users\Admin\Downloads\r.wry

                                            Filesize

                                            729B

                                            MD5

                                            880e6a619106b3def7e1255f67cb8099

                                            SHA1

                                            8b3a90b2103a92d9facbfb1f64cb0841d97b4de7

                                            SHA256

                                            c9e9dc06f500ae39bfeb4671233cc97bb6dab58d97bb94aba4a2e0e509418d35

                                            SHA512

                                            c35ca30e0131ae4ee3429610ce4914a36b681d2c406f67816f725aa336969c2996347268cb3d19c22abaa4e2740ae86f4210b872610a38b4fa09ee80fcf36243

                                          • C:\Users\Admin\Downloads\t.wry

                                            Filesize

                                            68KB

                                            MD5

                                            5557ee73699322602d9ae8294e64ce10

                                            SHA1

                                            1759643cf8bfd0fb8447fd31c5b616397c27be96

                                            SHA256

                                            a7dd727b4e0707026186fcab24ff922da50368e1a4825350bd9c4828c739a825

                                            SHA512

                                            77740de21603fe5dbb0d9971e18ec438a9df7aaa5cea6bd6ef5410e0ab38a06ce77fbaeb8fc68e0177323e6f21d0cee9410e21b7e77e8d60cc17f7d93fdb3d5e

                                          • C:\Users\Admin\Downloads\u.wry

                                            Filesize

                                            236KB

                                            MD5

                                            cf1416074cd7791ab80a18f9e7e219d9

                                            SHA1

                                            276d2ec82c518d887a8a3608e51c56fa28716ded

                                            SHA256

                                            78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

                                            SHA512

                                            0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5
