wannacry | hxxps://www[.]google[.]com/search?q=google&oq=google&gs_lcrp=EgZjaHJvbWUyBggAEEUYOTIGCAEQRRg5MgYIAhBFGDkyBggDEEUYOTIGCAQQRRhBMgYIBRAuGEDSAQgzMzM5ajBqMagCALACAA&sourceid=chrome&ie=UTF-8

Analysis

max time kernel
112s
max time network
114s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
21-08-2024 20:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.google.com/search?q=google&oq=google&gs_lcrp=EgZjaHJvbWUyBggAEEUYOTIGCAEQRRg5MgYIAhBFGDkyBggDEEUYOTIGCAQQRRhBMgYIBRAuGEDSAQgzMzM5ajBqMagCALACAA&sourceid=chrome&ie=UTF-8

Score

10^/10

wannacry defense_evasion discovery execution impact persistence ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\!Please Read Me!.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions! �

Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Downloads MZ/PE file

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD7BB3.tmp	WannaCry.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD7BC9.tmp	WannaCry.exe

Executes dropped EXE 5 IoCs

pid	Process
5352	WannaCry.exe
2952	!WannaDecryptor!.exe
1200	!WannaDecryptor!.exe
5084	!WannaDecryptor!.exe
2044	!WannaDecryptor!.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\Downloads\\WannaCry.exe\" /r"	WannaCry.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
1	raw.githubusercontent.com
50	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp"	!WannaDecryptor!.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\WannaCry.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
4800	taskkill.exe
4600	taskkill.exe
4640	taskkill.exe
4708	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-6179872-1886041298-1573312864-1000\{E15F55E7-52B1-4508-969C-F6F5D74BD48C}	msedge.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 302468.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\WannaCry.exe:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1448	msedge.exe
1448	msedge.exe
5724	msedge.exe
5724	msedge.exe
4836	identity_helper.exe
4836	identity_helper.exe
1284	msedge.exe
1284	msedge.exe
3172	msedge.exe
3172	msedge.exe
2044	msedge.exe
2044	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs

pid	Process
5724	msedge.exe
5724	msedge.exe
5724	msedge.exe
5724	msedge.exe
5724	msedge.exe
5724	msedge.exe
5724	msedge.exe
5724	msedge.exe
5724	msedge.exe
5724	msedge.exe
5724	msedge.exe
5724	msedge.exe
5724	msedge.exe
5724	msedge.exe
5724	msedge.exe
5724	msedge.exe
5724	msedge.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

description	pid	Process
Token: SeDebugPrivilege	4640	taskkill.exe
Token: SeDebugPrivilege	4708	taskkill.exe
Token: SeDebugPrivilege	4600	taskkill.exe
Token: SeDebugPrivilege	4800	taskkill.exe
Token: SeIncreaseQuotaPrivilege	5968	WMIC.exe
Token: SeSecurityPrivilege	5968	WMIC.exe
Token: SeTakeOwnershipPrivilege	5968	WMIC.exe
Token: SeLoadDriverPrivilege	5968	WMIC.exe
Token: SeSystemProfilePrivilege	5968	WMIC.exe
Token: SeSystemtimePrivilege	5968	WMIC.exe
Token: SeProfSingleProcessPrivilege	5968	WMIC.exe
Token: SeIncBasePriorityPrivilege	5968	WMIC.exe
Token: SeCreatePagefilePrivilege	5968	WMIC.exe
Token: SeBackupPrivilege	5968	WMIC.exe
Token: SeRestorePrivilege	5968	WMIC.exe
Token: SeShutdownPrivilege	5968	WMIC.exe
Token: SeDebugPrivilege	5968	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5968	WMIC.exe
Token: SeRemoteShutdownPrivilege	5968	WMIC.exe
Token: SeUndockPrivilege	5968	WMIC.exe
Token: SeManageVolumePrivilege	5968	WMIC.exe
Token: 33	5968	WMIC.exe
Token: 34	5968	WMIC.exe
Token: 35	5968	WMIC.exe
Token: 36	5968	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5968	WMIC.exe
Token: SeSecurityPrivilege	5968	WMIC.exe
Token: SeTakeOwnershipPrivilege	5968	WMIC.exe
Token: SeLoadDriverPrivilege	5968	WMIC.exe
Token: SeSystemProfilePrivilege	5968	WMIC.exe
Token: SeSystemtimePrivilege	5968	WMIC.exe
Token: SeProfSingleProcessPrivilege	5968	WMIC.exe
Token: SeIncBasePriorityPrivilege	5968	WMIC.exe
Token: SeCreatePagefilePrivilege	5968	WMIC.exe
Token: SeBackupPrivilege	5968	WMIC.exe
Token: SeRestorePrivilege	5968	WMIC.exe
Token: SeShutdownPrivilege	5968	WMIC.exe
Token: SeDebugPrivilege	5968	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5968	WMIC.exe
Token: SeRemoteShutdownPrivilege	5968	WMIC.exe
Token: SeUndockPrivilege	5968	WMIC.exe
Token: SeManageVolumePrivilege	5968	WMIC.exe
Token: 33	5968	WMIC.exe
Token: 34	5968	WMIC.exe
Token: 35	5968	WMIC.exe
Token: 36	5968	WMIC.exe
Token: SeBackupPrivilege	2300	vssvc.exe
Token: SeRestorePrivilege	2300	vssvc.exe
Token: SeAuditPrivilege	2300	vssvc.exe

Suspicious use of FindShellTrayWindow 43 IoCs

pid	Process
5724	msedge.exe
5724	msedge.exe
5724	msedge.exe
5724	msedge.exe
5724	msedge.exe
5724	msedge.exe
5724	msedge.exe
5724	msedge.exe
5724	msedge.exe
5724	msedge.exe
5724	msedge.exe
5724	msedge.exe
5724	msedge.exe
5724	msedge.exe
5724	msedge.exe
5724	msedge.exe
5724	msedge.exe
5724	msedge.exe
5724	msedge.exe
5724	msedge.exe
5724	msedge.exe
5724	msedge.exe
5724	msedge.exe
5724	msedge.exe
5724	msedge.exe
5724	msedge.exe
5724	msedge.exe
5724	msedge.exe
5724	msedge.exe
5724	msedge.exe
5724	msedge.exe
5724	msedge.exe
5724	msedge.exe
5724	msedge.exe
5724	msedge.exe
5724	msedge.exe
5724	msedge.exe
5724	msedge.exe
5724	msedge.exe
5724	msedge.exe
5724	msedge.exe
5724	msedge.exe
5724	msedge.exe

Suspicious use of SendNotifyMessage 16 IoCs

pid	Process
5724	msedge.exe
5724	msedge.exe
5724	msedge.exe
5724	msedge.exe
5724	msedge.exe
5724	msedge.exe
5724	msedge.exe
5724	msedge.exe
5724	msedge.exe
5724	msedge.exe
5724	msedge.exe
5724	msedge.exe
5724	msedge.exe
5724	msedge.exe
5724	msedge.exe
5724	msedge.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2952	!WannaDecryptor!.exe
2952	!WannaDecryptor!.exe
1200	!WannaDecryptor!.exe
1200	!WannaDecryptor!.exe
5084	!WannaDecryptor!.exe
5084	!WannaDecryptor!.exe
2044	!WannaDecryptor!.exe
2044	!WannaDecryptor!.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5724 wrote to memory of 5128	5724	msedge.exe	81
PID 5724 wrote to memory of 5128	5724	msedge.exe	81
PID 5724 wrote to memory of 2788	5724	msedge.exe	82
PID 5724 wrote to memory of 2788	5724	msedge.exe	82
PID 5724 wrote to memory of 2788	5724	msedge.exe	82
PID 5724 wrote to memory of 2788	5724	msedge.exe	82
PID 5724 wrote to memory of 2788	5724	msedge.exe	82
PID 5724 wrote to memory of 2788	5724	msedge.exe	82
PID 5724 wrote to memory of 2788	5724	msedge.exe	82
PID 5724 wrote to memory of 2788	5724	msedge.exe	82
PID 5724 wrote to memory of 2788	5724	msedge.exe	82
PID 5724 wrote to memory of 2788	5724	msedge.exe	82
PID 5724 wrote to memory of 2788	5724	msedge.exe	82
PID 5724 wrote to memory of 2788	5724	msedge.exe	82
PID 5724 wrote to memory of 2788	5724	msedge.exe	82
PID 5724 wrote to memory of 2788	5724	msedge.exe	82
PID 5724 wrote to memory of 2788	5724	msedge.exe	82
PID 5724 wrote to memory of 2788	5724	msedge.exe	82
PID 5724 wrote to memory of 2788	5724	msedge.exe	82
PID 5724 wrote to memory of 2788	5724	msedge.exe	82
PID 5724 wrote to memory of 2788	5724	msedge.exe	82
PID 5724 wrote to memory of 2788	5724	msedge.exe	82
PID 5724 wrote to memory of 2788	5724	msedge.exe	82
PID 5724 wrote to memory of 2788	5724	msedge.exe	82
PID 5724 wrote to memory of 2788	5724	msedge.exe	82
PID 5724 wrote to memory of 2788	5724	msedge.exe	82
PID 5724 wrote to memory of 2788	5724	msedge.exe	82
PID 5724 wrote to memory of 2788	5724	msedge.exe	82
PID 5724 wrote to memory of 2788	5724	msedge.exe	82
PID 5724 wrote to memory of 2788	5724	msedge.exe	82
PID 5724 wrote to memory of 2788	5724	msedge.exe	82
PID 5724 wrote to memory of 2788	5724	msedge.exe	82
PID 5724 wrote to memory of 2788	5724	msedge.exe	82
PID 5724 wrote to memory of 2788	5724	msedge.exe	82
PID 5724 wrote to memory of 2788	5724	msedge.exe	82
PID 5724 wrote to memory of 2788	5724	msedge.exe	82
PID 5724 wrote to memory of 2788	5724	msedge.exe	82
PID 5724 wrote to memory of 2788	5724	msedge.exe	82
PID 5724 wrote to memory of 2788	5724	msedge.exe	82
PID 5724 wrote to memory of 2788	5724	msedge.exe	82
PID 5724 wrote to memory of 2788	5724	msedge.exe	82
PID 5724 wrote to memory of 2788	5724	msedge.exe	82
PID 5724 wrote to memory of 1448	5724	msedge.exe	83
PID 5724 wrote to memory of 1448	5724	msedge.exe	83
PID 5724 wrote to memory of 4860	5724	msedge.exe	84
PID 5724 wrote to memory of 4860	5724	msedge.exe	84
PID 5724 wrote to memory of 4860	5724	msedge.exe	84
PID 5724 wrote to memory of 4860	5724	msedge.exe	84
PID 5724 wrote to memory of 4860	5724	msedge.exe	84
PID 5724 wrote to memory of 4860	5724	msedge.exe	84
PID 5724 wrote to memory of 4860	5724	msedge.exe	84
PID 5724 wrote to memory of 4860	5724	msedge.exe	84
PID 5724 wrote to memory of 4860	5724	msedge.exe	84
PID 5724 wrote to memory of 4860	5724	msedge.exe	84
PID 5724 wrote to memory of 4860	5724	msedge.exe	84
PID 5724 wrote to memory of 4860	5724	msedge.exe	84
PID 5724 wrote to memory of 4860	5724	msedge.exe	84
PID 5724 wrote to memory of 4860	5724	msedge.exe	84
PID 5724 wrote to memory of 4860	5724	msedge.exe	84
PID 5724 wrote to memory of 4860	5724	msedge.exe	84
PID 5724 wrote to memory of 4860	5724	msedge.exe	84
PID 5724 wrote to memory of 4860	5724	msedge.exe	84
PID 5724 wrote to memory of 4860	5724	msedge.exe	84
PID 5724 wrote to memory of 4860	5724	msedge.exe	84

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/search?q=google&oq=google&gs_lcrp=EgZjaHJvbWUyBggAEEUYOTIGCAEQRRg5MgYIAhBFGDkyBggDEEUYOTIGCAQQRRhBMgYIBRAuGEDSAQgzMzM5ajBqMagCALACAA&sourceid=chrome&ie=UTF-8
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffacd803cb8,0x7ffacd803cc8,0x7ffacd803cd8
  2⤵
  PID:5128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2012,12177372409694948277,16733321986593756327,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2004 /prefetch:2
  2⤵
  PID:2788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2012,12177372409694948277,16733321986593756327,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2068 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2012,12177372409694948277,16733321986593756327,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2832 /prefetch:8
  2⤵
  PID:4860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,12177372409694948277,16733321986593756327,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:4212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,12177372409694948277,16733321986593756327,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
  2⤵
  PID:6016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,12177372409694948277,16733321986593756327,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4912 /prefetch:1
  2⤵
  PID:344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,12177372409694948277,16733321986593756327,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1
  2⤵
  PID:1804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,12177372409694948277,16733321986593756327,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5044 /prefetch:1
  2⤵
  PID:5772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,12177372409694948277,16733321986593756327,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3844 /prefetch:1
  2⤵
  PID:3444
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2012,12177372409694948277,16733321986593756327,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5508 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2012,12177372409694948277,16733321986593756327,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5628 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,12177372409694948277,16733321986593756327,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1
  2⤵
  PID:5528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,12177372409694948277,16733321986593756327,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5804 /prefetch:1
  2⤵
  PID:5432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2012,12177372409694948277,16733321986593756327,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5684 /prefetch:8
  2⤵
  PID:2076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2012,12177372409694948277,16733321986593756327,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5752 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:3172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,12177372409694948277,16733321986593756327,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:1
  2⤵
  PID:6008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,12177372409694948277,16733321986593756327,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4068 /prefetch:1
  2⤵
  PID:5972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,12177372409694948277,16733321986593756327,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5924 /prefetch:1
  2⤵
  PID:4680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,12177372409694948277,16733321986593756327,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2496 /prefetch:1
  2⤵
  PID:5252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2012,12177372409694948277,16733321986593756327,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4708 /prefetch:8
  2⤵
  PID:2284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,12177372409694948277,16733321986593756327,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6020 /prefetch:1
  2⤵
  PID:1932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2012,12177372409694948277,16733321986593756327,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5172 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2044
- C:\Users\Admin\Downloads\WannaCry.exe
  "C:\Users\Admin\Downloads\WannaCry.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:5352
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 14071724270809.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1644
  - - C:\Windows\SysWOW64\cscript.exe
      cscript //nologo c.vbs
      4⤵
      System Location Discovery: System Language Discovery
      PID:1580
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe f
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2952
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im MSExchange*
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4600
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Microsoft.Exchange.*
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4800
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sqlserver.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4708
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sqlwriter.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4640
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe c
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1200
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c start /b !WannaDecryptor!.exe v
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1388
  - - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
      !WannaDecryptor!.exe v
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:5084
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1516
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:5968
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe
    3⤵
    - Executes dropped EXE
    - Sets desktop wallpaper using registry
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,12177372409694948277,16733321986593756327,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:1
  2⤵
  PID:3444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,12177372409694948277,16733321986593756327,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5896 /prefetch:1
  2⤵
  PID:4348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,12177372409694948277,16733321986593756327,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:5416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,12177372409694948277,16733321986593756327,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6356 /prefetch:1
  2⤵
  PID:3296

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3844

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1420

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
302c3de891ef3a75b81a269db4e1cf22

SHA1
5401eb5166da78256771e8e0281ca2d1f471c76f

SHA256
1d1640e5755779c90676290853d2e3ca948f57cf5fb1df4b786e277a97757f58

SHA512
da18e7d40376fd13255f3f67a004c3a7f408466bd7ce92e36a4d0c20441279fe4b1b6e0874ab74c494663fb97bd7992b5e7c264b3fc434c1e981326595263d33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c9efc5ba989271670c86d3d3dd581b39

SHA1
3ad714bcf6bac85e368b8ba379540698d038084f

SHA256
c2e16990b0f6f23efdcecd99044993a4c2b8ba87bd542dd8f6256d69e24b93b3

SHA512
c1bc0dc70ab827b54feb64ad069d21e1c3c28d57d126b08314a9670437881d77dba02b5cca57ef0f2aa7f8e7d4d163fbd2c6f246ea2d51ce201d61a89015e8b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\3ef782e2-70af-43ba-ada8-06bdb3baffb4.tmp

Filesize
1KB

MD5
d14102e2a1fe93feeaafdfbd860f4c29

SHA1
2e2ff37d9d44504ea30eb18129a6817e6b78573f

SHA256
b0cba18423d5a0ad87b0e26221cb3bd65958e9bea687a5c472d7208cc1b2582a

SHA512
623d48b6c6537097cae071fc7a9ef2e8e48d21a308630f4e5e99903a4175486114e83abed3fb112dfc1bff7df9f382fa0f3616678b60bacb2385fb8c34d32d0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000001

Filesize
212KB

MD5
2257803a7e34c3abd90ec6d41fd76a5a

SHA1
f7a32e6635d8513f74bd225f55d867ea56ae4803

SHA256
af23860fb3a448f2cc6107680078402555a345eb45bc5efb750f541fe5d7c174

SHA512
e9f4dc90d0829885f08879e868aa62041150b500f62682fc108da258eee26ad9509dcbf6e8a55f2d0bdba7aa9118dd149a70a7d851820d4ea683db7808c48540

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
a2d32fc1c77dec9f68c6008c2f4ab313

SHA1
4e9b613f056349d38525cae6751f8c4bff2171a0

SHA256
decf54b86f33ef483cd0eb3d32a8bbae8f725c93fb3a4fa0bc267d4a49b4080d

SHA512
8f5117114f2ee65206741c9d763877de9e5e67eadb45ca1414ab8e24191b8ec91d0ec0ff140d1219a3a9f23bda60f6abf6928c7c9647ade4ac41e1ccfd5ac629

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
bab454a1d121202c017277f05fb3c220

SHA1
ebbc8fda640ac9da2cbed7ffc3767f4793ba8bc2

SHA256
9953d12e575bbd007447de4fe02c9d364ebd409b4b577dff5a086c45f288ddfc

SHA512
6b74e17337507a0520826f5b941b2acd40789cc2f0ff6ccad468e61690ec3b357946fcb484a5cac45fab0d4e369e1196ecc30e2289d946b26dafe6521c368d8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
c377558e178461cee9ebe35a5b576160

SHA1
d44afcff992d2f3567a90e4f2996dd0ac69962ec

SHA256
8440b316422119f15de25073daf5acf44b248f5bd469a06d74a75f987abf331a

SHA512
3be4a27d088fbdbb6f9e30094e91b51b22a925439cf2e3029dd6e3100e26bc0d8e2c2921546132428182a29dbf21b7cf2de3fd73758a351d737a3000b155624a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c897e456f3494a46f85ec4d5587baa7f

SHA1
d48591ff4449204e41510be4e2226f6de63e1803

SHA256
e9299b22183ff4902a0c4597feae900d99edd00dfe2f0bbc0c481ae82fa22da6

SHA512
d7f166e60dc8c1e7ae06594bf44a7ec370dc0576b67b203bcbbe68aae921d23dcfa2fd0a908d08fe5aa1bbd8c452beb06dff9f2e4b83e01c71e5109f6b4c929d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2be8f1cb0f24d2ebed806782de43a56c

SHA1
192d781977074ab80448ca72ac1caa940c44f574

SHA256
68c050c389bb516f469527284279ad71dd79e876b2b0fc4c90c4b62ec1905c22

SHA512
275c88deee8dc46fc1f8ade6031caa7198fa6d47be657644ab23f795f866dd7906410532b1ff4eb7a2df13d93451ad391dcab2f86946ebb255d1601ebd380fb2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
865bc0fe8ec60277b2f95b5c8599ab16

SHA1
4153c71b5f3d4ffab037885cd232c0fd53798d6b

SHA256
b24b525da83de3461628d7e53578cdec973e6979af6c66319b1846d6a4e2d211

SHA512
be8e4bfd22e5457fc10a7a215d3d4828875ba46cb7299ddd7e7cfb10c0f03ad0cba98110d8027d7a7f749ad3f92a510d9aa176034548dc200422924c872be340

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
8acde586b732524bd601d32b6cbac3e6

SHA1
74e6bb9a53f1ae497fbd53bcc597c9560eaa00c2

SHA256
fdcdb65b2c651ef89108e5eb398501aafadf9c816aa1c1bf3912ab663158afda

SHA512
6c07da2f00c6372e0950d23c291a7fe28d4ab25f13c05fe9b7d7fcde98ac4aa622a5f89fc74e7003e5883b448b49e2d873a584cf806ffdb970758e98a1ea2fac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
bc82dc4f25ddc86ee4297a4f9ae5826a

SHA1
749f91d1601c535025048191f28bd56504ba0256

SHA256
7105fcf06703c8fa44b0abc26b5eddc07994b1fb3ce67042cc4b459713fd15c9

SHA512
d09f8ee37ce1d2e4d14daa07170e2eea0927c204099d624d6226b02c54c532f6ef0c64523a04c2efd1274281777ac3f3ae054371c344c9c6b91b3c9318e6414a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe580700.TMP

Filesize
198B

MD5
5295d07463da35a030e1413d11b4997e

SHA1
60a6a74b2abdea137c437a019f27a70aa9fb9bbd

SHA256
6725b5c9a090f5eaf788bea984c3d0adde52f23f2266f12cabcf8c1ae8a5ac55

SHA512
be4212edbf46c3987d8e5519ffb690d22fc8f4400db0cb88309a760b5e29bbdd2e9b0f24d70bbcb6506d84bf1ecfd3a2ee1e0ccecacbd56fa0c7ef3e78f9b4c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ad456727f2f7dfcf6a048a6c91ea6720

SHA1
5d0ce2f4c2fa10980435cedad38adfb53e921f93

SHA256
ad6b3e89d5c6db54c513cf2df2434913b9c354b38df41590eb6fc7ca034551bb

SHA512
fd0aa47a2772a145200ce3015883c8f17487e6c4a040ec830dd71e5c0bae5ad5823b5de5030f294b1fc800dc9a002617a0edf2a01806f39a826b4469eeb1e538

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
5440a27b610cb51f2b5f827917f6f463

SHA1
397c1b9e1b59241c1f7d68b8c3681725511dbf86

SHA256
2b85b25628d6fa05c374a293995fccb2a24fcb24eeab8a91e5bf77d516c67378

SHA512
b86541970457caac1afb49a4a7b7e9a6a61f2610726d8b6af33f670ffb42cc76a2468d7d94e7f51d352b46c116b8ed1d83a8a60e68b97169cb13e236e7cdcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
d8e8dbe95b8f3b9f9d9f3955ffd03b2a

SHA1
20f8966453d75efdfcdfaad24bdc054c4df904ad

SHA256
bdc70bc46c2ebeaddbf7dde5b153bcd682ebb073a7c29dd8cc9b343c2d8964d0

SHA512
7fa734d2e3d6120d16d824c2392ec8227ca0d318848c48ccf35cc05a368eaf2b277d0d082866e5cc4d0155315cbe082d550049601656cdf8bd163a773e0e8d46

Download Submit
C:\Users\Admin\Downloads\!Please Read Me!.txt

Filesize
797B

MD5
afa18cf4aa2660392111763fb93a8c3d

SHA1
c219a3654a5f41ce535a09f2a188a464c3f5baf5

SHA256
227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0

SHA512
4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b

Download Submit
C:\Users\Admin\Downloads\!WannaDecryptor!.exe.lnk

Filesize
590B

MD5
54fc82d1f86ad776cfbf6fc80e0a03f1

SHA1
e93a171cf3f20d4eb8550329a8f59353d3076da7

SHA256
66e9f6df33b49bc79c20bf9831f1ccb02c82ca807e4be05302d93a6c5e32177c

SHA512
79514b3d298dc262f68b213df64fd3232b5394a3c938d0f9adc59ce2845ad46161edfa78fc5912f7e2b63e51f81259b9b3ec2fe4e7b05892661765f29f5e6fa0

Download Submit
C:\Users\Admin\Downloads\00000000.res

Filesize
136B

MD5
5c6d0efd3380b3430e68e5bc94792d5a

SHA1
4520bc5169e5ce5730acc81425a5367343209eae

SHA256
03cf470c434a7ae24b3c773dcb557fea0a729eb8fb3ada29cbe0c5b8a1e7ec64

SHA512
36dcbb3fdba55b004ac7f7fb5eaa68e118173e2d41729c1cfaa1dfac8f231ff2be7e9516e90a7ba91fafc6b0692cdefe5b355e6c78a36117ad0dbdd1e649da27

Download Submit
C:\Users\Admin\Downloads\00000000.res

Filesize
136B

MD5
9d61a1e8b1920c7edb4ccf07eb590ade

SHA1
0c1f6eb0140e5da931d5a58794db7c7e50ed966b

SHA256
c73e55fcc3e79878d0c018ee3cd65d2da71dd0303b5b5d9d09b7b618c5bdaac9

SHA512
79a5cf555c43897e57fe285e4b6b176bab4a0db1b667e939028d2829cc5dd3c9ebd0004f2ff0668bf1727fbbb92845e710a968db8cbb3765ec6b32606f16ffc6

Download Submit
C:\Users\Admin\Downloads\00000000.res

Filesize
136B

MD5
226c7afd449c6e866bcd543295fd42aa

SHA1
0ac229f4154ad391bc089c7fc15acb35e76a554d

SHA256
88e3e5def8dca2bf9b19e809f7328a1008bc1bd43e89bb28467e363e65389019

SHA512
ac4898d94883316b9060789d2acd21eb13e26fba0377e1862bfe07b80cdf67e28e21eee2cd034747d25253bb1fcefe12b12570a2bdc76628fc3f797a4965b712

Download Submit
C:\Users\Admin\Downloads\00000000.res

Filesize
136B

MD5
5ff2ac2edc2a27f9c9507ecc14f83226

SHA1
faacb7f4cb6ad678a43b532afafed43faf13d86d

SHA256
8a48553d5129778098e0cfbc482a989a08f05540b0c868799abc35746b09d249

SHA512
d94b35d370cf162e71d7ebcea09dfe1d147c5b69ab013730219147960e0af949b542173395dbd07d4a9539330f3d100f939fd8f671d67a1e9d6e27d6e617115c

Download Submit
C:\Users\Admin\Downloads\14071724270809.bat

Filesize
318B

MD5
a261428b490a45438c0d55781a9c6e75

SHA1
e9eefce11cefcbb7e5168bfb8de8a3c3ac45c41e

SHA256
4288d655b7de7537d7ea13fdeb1ba19760bcaf04384cd68619d9e5edb5e31f44

SHA512
304887938520ffcc6966da83596ccc8688b7eace9572982c224f3fb9c59e6fb2dcaa021a19d2aae47346e954c0d0d8145c723b7143dece11ac7261dc41ba3d40

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 302468.crdownload

Filesize
224KB

MD5
5c7fb0927db37372da25f270708103a2

SHA1
120ed9279d85cbfa56e5b7779ffa7162074f7a29

SHA256
be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844

SHA512
a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f89224c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206

Download Submit
C:\Users\Admin\Downloads\WannaCry.exe:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
C:\Users\Admin\Downloads\c.vbs

Filesize
201B

MD5
02b937ceef5da308c5689fcdb3fb12e9

SHA1
fa5490ea513c1b0ee01038c18cb641a51f459507

SHA256
5d57b86aeb52be824875008a6444daf919717408ec45aff4640b5e64610666f1

SHA512
843eeae13ac5fdc216b14e40534543c283ecb2b6c31503aba2d25ddd215df19105892e43cf618848742de9c13687d21e8c834eff3f2b69a26df2509a6f992653

Download Submit
C:\Users\Admin\Downloads\c.wry

Filesize
628B

MD5
8ecbfe3bfa8a4ff6528e1d20778fd941

SHA1
545f3541a94ea7de3e69c93b1e48f0e00ae0877e

SHA256
fd11bfe3bcfae0ba68e3f6620ec5683a8e9ead316feda2df64d5313d2af8ab94

SHA512
277f1a2f83a144fdbbc6e538ecf1885afc121718c8a7c973432d4097e43245b1961f75f008afe0ea201841b9428c6894a7f4ce872a90d9f5342255baadd3fb36

Download Submit
C:\Users\Admin\Downloads\m.wry

Filesize
42KB

MD5
980b08bac152aff3f9b0136b616affa5

SHA1
2a9c9601ea038f790cc29379c79407356a3d25a3

SHA256
402046ada270528c9ac38bbfa0152836fe30fb8e12192354e53b8397421430d9

SHA512
100cda1f795781042b012498afd783fd6ff03b0068dbd07b2c2e163cd95e6c6e00755ce16b02b017693c9febc149ed02df9df9b607e2b9cca4b07e5bd420f496

Download Submit
C:\Users\Admin\Downloads\u.wry

Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
memory/5352-470-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download