wannacry | hxxps://github[.]com/0rbianta/WannaCry

Resubmissions

12-09-2024 23:09

240912-25exsszgrj 10

12-09-2024 22:26

240912-2clvmsyblr 10

Analysis

max time kernel
39s
max time network
30s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
12-09-2024 22:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/0rbianta/WannaCry

Score

10^/10

wannacry defense_evasion discovery ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94 Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Downloads MZ/PE file

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDFD21.tmp	WannaCry.EXE
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDFD0B.tmp	WannaCry.EXE

Executes dropped EXE 5 IoCs

pid	Process
2008	WannaCry.EXE
1044	taskdl.exe
1928	@[email protected]
4932	@[email protected]
4152	@[email protected]

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1964	icacls.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
8	raw.githubusercontent.com
9	raw.githubusercontent.com
18	raw.githubusercontent.com
28	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	WannaCry.EXE

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 2 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\WannaCry.EXE:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\WannaCry (1).EXE:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\WannaCry.EXE:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\WannaCry (1).EXE:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
3120	msedge.exe
3120	msedge.exe
2312	msedge.exe
2312	msedge.exe
1124	msedge.exe
1124	msedge.exe
2848	identity_helper.exe
2848	identity_helper.exe
2876	msedge.exe
2876	msedge.exe
4544	msedge.exe
4544	msedge.exe
1400	msedge.exe
1400	msedge.exe
4336	msedge.exe
4336	msedge.exe
2828	identity_helper.exe
2828	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

pid	Process
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1928	@[email protected]
1928	@[email protected]
4932	@[email protected]
4152	@[email protected]

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2312 wrote to memory of 2508	2312	msedge.exe	80
PID 2312 wrote to memory of 2508	2312	msedge.exe	80
PID 2312 wrote to memory of 860	2312	msedge.exe	81
PID 2312 wrote to memory of 860	2312	msedge.exe	81
PID 2312 wrote to memory of 860	2312	msedge.exe	81
PID 2312 wrote to memory of 860	2312	msedge.exe	81
PID 2312 wrote to memory of 860	2312	msedge.exe	81
PID 2312 wrote to memory of 860	2312	msedge.exe	81
PID 2312 wrote to memory of 860	2312	msedge.exe	81
PID 2312 wrote to memory of 860	2312	msedge.exe	81
PID 2312 wrote to memory of 860	2312	msedge.exe	81
PID 2312 wrote to memory of 860	2312	msedge.exe	81
PID 2312 wrote to memory of 860	2312	msedge.exe	81
PID 2312 wrote to memory of 860	2312	msedge.exe	81
PID 2312 wrote to memory of 860	2312	msedge.exe	81
PID 2312 wrote to memory of 860	2312	msedge.exe	81
PID 2312 wrote to memory of 860	2312	msedge.exe	81
PID 2312 wrote to memory of 860	2312	msedge.exe	81
PID 2312 wrote to memory of 860	2312	msedge.exe	81
PID 2312 wrote to memory of 860	2312	msedge.exe	81
PID 2312 wrote to memory of 860	2312	msedge.exe	81
PID 2312 wrote to memory of 860	2312	msedge.exe	81
PID 2312 wrote to memory of 860	2312	msedge.exe	81
PID 2312 wrote to memory of 860	2312	msedge.exe	81
PID 2312 wrote to memory of 860	2312	msedge.exe	81
PID 2312 wrote to memory of 860	2312	msedge.exe	81
PID 2312 wrote to memory of 860	2312	msedge.exe	81
PID 2312 wrote to memory of 860	2312	msedge.exe	81
PID 2312 wrote to memory of 860	2312	msedge.exe	81
PID 2312 wrote to memory of 860	2312	msedge.exe	81
PID 2312 wrote to memory of 860	2312	msedge.exe	81
PID 2312 wrote to memory of 860	2312	msedge.exe	81
PID 2312 wrote to memory of 860	2312	msedge.exe	81
PID 2312 wrote to memory of 860	2312	msedge.exe	81
PID 2312 wrote to memory of 860	2312	msedge.exe	81
PID 2312 wrote to memory of 860	2312	msedge.exe	81
PID 2312 wrote to memory of 860	2312	msedge.exe	81
PID 2312 wrote to memory of 860	2312	msedge.exe	81
PID 2312 wrote to memory of 860	2312	msedge.exe	81
PID 2312 wrote to memory of 860	2312	msedge.exe	81
PID 2312 wrote to memory of 860	2312	msedge.exe	81
PID 2312 wrote to memory of 860	2312	msedge.exe	81
PID 2312 wrote to memory of 3120	2312	msedge.exe	82
PID 2312 wrote to memory of 3120	2312	msedge.exe	82
PID 2312 wrote to memory of 688	2312	msedge.exe	83
PID 2312 wrote to memory of 688	2312	msedge.exe	83
PID 2312 wrote to memory of 688	2312	msedge.exe	83
PID 2312 wrote to memory of 688	2312	msedge.exe	83
PID 2312 wrote to memory of 688	2312	msedge.exe	83
PID 2312 wrote to memory of 688	2312	msedge.exe	83
PID 2312 wrote to memory of 688	2312	msedge.exe	83
PID 2312 wrote to memory of 688	2312	msedge.exe	83
PID 2312 wrote to memory of 688	2312	msedge.exe	83
PID 2312 wrote to memory of 688	2312	msedge.exe	83
PID 2312 wrote to memory of 688	2312	msedge.exe	83
PID 2312 wrote to memory of 688	2312	msedge.exe	83
PID 2312 wrote to memory of 688	2312	msedge.exe	83
PID 2312 wrote to memory of 688	2312	msedge.exe	83
PID 2312 wrote to memory of 688	2312	msedge.exe	83
PID 2312 wrote to memory of 688	2312	msedge.exe	83
PID 2312 wrote to memory of 688	2312	msedge.exe	83
PID 2312 wrote to memory of 688	2312	msedge.exe	83
PID 2312 wrote to memory of 688	2312	msedge.exe	83
PID 2312 wrote to memory of 688	2312	msedge.exe	83

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3388	attrib.exe
4076	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/0rbianta/WannaCry
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe57513cb8,0x7ffe57513cc8,0x7ffe57513cd8
  2⤵
  PID:2508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1744,15709016378831615613,4476690250225453271,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1920 /prefetch:2
  2⤵
  PID:860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1744,15709016378831615613,4476690250225453271,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2400 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1744,15709016378831615613,4476690250225453271,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2796 /prefetch:8
  2⤵
  PID:688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1744,15709016378831615613,4476690250225453271,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:4148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1744,15709016378831615613,4476690250225453271,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1744,15709016378831615613,4476690250225453271,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5368 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1124
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1744,15709016378831615613,4476690250225453271,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5764 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1744,15709016378831615613,4476690250225453271,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5320 /prefetch:1
  2⤵
  PID:4548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1744,15709016378831615613,4476690250225453271,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:1
  2⤵
  PID:3768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1744,15709016378831615613,4476690250225453271,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:3388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1744,15709016378831615613,4476690250225453271,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3372 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1744,15709016378831615613,4476690250225453271,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6052 /prefetch:1
  2⤵
  PID:2828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1744,15709016378831615613,4476690250225453271,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6108 /prefetch:1
  2⤵
  PID:4276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1744,15709016378831615613,4476690250225453271,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6512 /prefetch:8
  2⤵
  PID:5052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1744,15709016378831615613,4476690250225453271,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5340 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1744,15709016378831615613,4476690250225453271,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3372 /prefetch:8
  2⤵
  PID:2608

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3804

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1476

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe57513cb8,0x7ffe57513cc8,0x7ffe57513cd8
  2⤵
  PID:3512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1932,10882128068630353956,2529736627357426554,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1940 /prefetch:2
  2⤵
  PID:4352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1932,10882128068630353956,2529736627357426554,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1932,10882128068630353956,2529736627357426554,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2672 /prefetch:8
  2⤵
  PID:4992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,10882128068630353956,2529736627357426554,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
  2⤵
  PID:3508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,10882128068630353956,2529736627357426554,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
  2⤵
  PID:3404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,10882128068630353956,2529736627357426554,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4840 /prefetch:1
  2⤵
  PID:2148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1932,10882128068630353956,2529736627357426554,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5256 /prefetch:8
  2⤵
  PID:3604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1932,10882128068630353956,2529736627357426554,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5236 /prefetch:8
  2⤵
  PID:3200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,10882128068630353956,2529736627357426554,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4852 /prefetch:1
  2⤵
  PID:1148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,10882128068630353956,2529736627357426554,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5360 /prefetch:1
  2⤵
  PID:1528
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1932,10882128068630353956,2529736627357426554,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5772 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,10882128068630353956,2529736627357426554,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5312 /prefetch:1
  2⤵
  PID:1908
- C:\Users\Admin\Downloads\WannaCry.EXE
  "C:\Users\Admin\Downloads\WannaCry.EXE"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  PID:2008
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h .
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:3388
- - C:\Windows\SysWOW64\icacls.exe
    icacls . /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    - System Location Discovery: System Language Discovery
    PID:1964
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1044
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 299701726180010.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2752
  - - C:\Windows\SysWOW64\cscript.exe
      cscript.exe //nologo m.vbs
      4⤵
      System Location Discovery: System Language Discovery
      PID:4988
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +s F:\$RECYCLE
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:4076
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected] co
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4932
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c start /b @[email protected] vs
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2736
  - - C:\Users\Admin\Downloads\@[email protected]
      @[email protected] vs
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:4152

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3532

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2160

C:\Users\Admin\Desktop\@[email protected]
"C:\Users\Admin\Desktop\@[email protected]"
1⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\@[email protected]

Filesize
585B

MD5
d70ab3015463a99a447da5cf36033545

SHA1
796ec10c6fa26a33e604516d51abb9b5271cb667

SHA256
f2d6f4e66bbf5d438f41a23578333255fac324711348286525b3aa5360b365dc

SHA512
7fa9f6189955641916252b6152b899a3ed0987cf884c7144a6314277fcc321218044ecb1dad58e43561fe06f899c386173a8ecd61f8a66ab166d6eb843598b25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9828ffacf3deee7f4c1300366ec22fab

SHA1
9aff54b57502b0fc2be1b0b4b3380256fb785602

SHA256
a3d21f0fb6563a5c9d0f7a6e9c125ec3faaa86ff43f37cb85a8778abc87950f7

SHA512
2e73ea4d2fcd7c8d52487816110f5f4a808ed636ae87dd119702d1cd1ae315cbb25c8094a9dddf18f07472b4deaed3e7e26c9b499334b26bdb70d4fa7f84168d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8ba0b6ff6683322d692ca87c08bb63c8

SHA1
b6c57f29d38e85609e45a07d3c3d430d045030e1

SHA256
6f6ce1648fad65ed2d73836d3e225833cd4ca5ab67783e2b9d196e84030d69a0

SHA512
fa3a90fc1fbcf4b5cb9fa2f266b5890ce7ce03ab7a9381bf70eff4bfbbe8fbe14ff54a21a71fb2c14fbda3b3a32a2886777b79fff4fd7094a4c29285bbfbfc31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e3f7096d04542d62148590f73c281554

SHA1
885f699061ead40fdc5e8a7b81b312ef0962efc8

SHA256
a1f557a6ce1a123d30ef495e699d1c40c654c741b92db7714511eda9a1300648

SHA512
20cd44a5b37f0c29ac05e03ccf9e2a52c4a627eed108be0fe4c9550c352fd7f714e447d20fc3fedc7fac25d328165b759175e8f360b4479ac8d280892b13f730

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6fdbe80e9fe20761b59e8f32398f4b14

SHA1
049b1f0c6fc4e93a4ba6b3c992f1d6cecf3ada1f

SHA256
b7f0d9ece2307bdc4f05a2d814c947451b007067ff8af977f77f06c3d5706942

SHA512
cf25c7fd0d6eccc46e7b58949c16d17ebeefb7edd6c76aa62f7ab5da52d1c6fc88bde620be40396d336789bd0d62b2162209a947d7ab69389e8c03682e880234

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\2847dafc-38fc-4ca5-85f7-8b77c49b820d.tmp

Filesize
6KB

MD5
d286f2a4739acc9ce5d784311ba7c307

SHA1
8f1c1b464c0afda02789097f76a794d366669c06

SHA256
41a935caebeec1ab364b0fa8b5106f38aebf2f1877d780cfb80fed3490e7714e

SHA512
2bad4607da0813a683b7578da2dac1f6556cf285d9dcdb54969639ed0a1059a7bb0af5c28ba3e00ccf8e71ec82956037fface4fe545af7af0892c90a698cbd04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_0

Filesize
44KB

MD5
111f91072389af8edd2ec947b3b748fa

SHA1
2e5a6f622251801242cdbfadbf6e20617ac54efc

SHA256
26d50d1d90db3ff6cb62a08554e1296646bfc93b2339d8dafbfe6c6a90fa0742

SHA512
793dee1c8e9de8dbd7eec2b04bcbe0d332561ea7c313189d0c1fb3d8696eb6ffaff074dceeba649ccd4e7240cf95abadf8c0badd72974fa94b179977437f4212

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1

Filesize
264KB

MD5
a4217e74f32f5190247571e22e6658dd

SHA1
e8337f39a95642be5644ba00bbe87a2fd9913134

SHA256
300879921207991f8149ee975e09914a38dccf27cb403bb396fe4e36d0c29cd1

SHA512
bb796321a264679b56a9bffa95472f24106edaf53422c249b86bd7ffeb889c40b8b1e150a34f1f1b44d1340f13bd63849e87129ddff7706ad63320dd30122ed5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_2

Filesize
1.0MB

MD5
93331460ebd338e996af5c261e4f9f44

SHA1
73a17402ccf767d6cafdffc426288515ab3676cc

SHA256
de97c8f60b42322321d1d23aa835d1e1ea29acb5b98e777df49f281ee7773f03

SHA512
d75a5bf1f95b1da18c3fef70c0b6e4b687ab9fe4ed2373ae689e4adce6cfde893496ff0fe256e6486aa8c002bc1353b1e1dcb137eb3ce5457d752b0d1a676788

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_3

Filesize
4.0MB

MD5
785346c1b1c7e80fca775869aeab9540

SHA1
d60eb0b946f04f590719ec80ee6ee833e0521292

SHA256
2f0c726ca2335c31fa7f89fa2a4a5d7c6a251c3d80368d4f4dcd041e2a1adaf3

SHA512
0650b78bfccca1aee816c647f40f392db6e2ac2f2d38d8a0175ec69f620d8cdd665f04d711921ab1337d9eabd5aa51011303a7bf59d1a2f9884976004d5284cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
bdf2fe6d84074d9f929a41e0aaf5d042

SHA1
9b328c0f3eebe9044406a8c7bc727e302f906546

SHA256
83c2eb86e5b7b46eeb79a83c4f0019a1d4207df74093c911600ff4dab1fcedd1

SHA512
77a827ab5f0dec3c399df672cac9db363e6d1bcfd79757972719632a777c69560327a0f614e200346213fb06a6a5979514fec5405bda1f248802a84a6cf0cf4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
20KB

MD5
6d1790dcbdb8380d4b0034c63db783f3

SHA1
607d123e12ec1638ddc614c95b9f75c99a858eab

SHA256
9469ac887530a531676306057bf3bd365cbcc8a51de687d527163503b69e9c43

SHA512
34c207238ec08a4a81f920cacbe55b994eb80ac955b6aa4ae556dc7764543071c92c756c9ff1e464a4a2b0eed6ea02c4888373510dfbc042d7fb6ba0f4a97ef5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies-journal

Filesize
12KB

MD5
6542ae070df10a4e03ab9bd046e3f108

SHA1
e00eaaf9b6ee68de6597506ca8227107dc051f62

SHA256
fc0bbca49b09202a7e42714565950924df43e59da9de518d82d96edb2b76b89e

SHA512
9924c5724af70dd89d070d28f15deaaba157b0a1d0396998a64ced149aebfccdc184973e1865031020bc1b04f6403cee8321a6da922df6811a01e2132eb2ce4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Favicons

Filesize
20KB

MD5
ded3b0f0fd0be461029636434cd6482c

SHA1
25ed49935e12561c7a3c8558aeec886a3cd12b1b

SHA256
68bee081fbfc7e2f28548208e95010c08826ec904bc51de08e7a83397aefa5da

SHA512
e0b0e511bc18a7ee855375c5df21c5085fce173399c81569fb51f43947004384190aa2fa14a6232e90b666f07980ff365f8f3391fa73f084730def6e10e8d550

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
116KB

MD5
de96f0a77871b9aecac1c2a001d170eb

SHA1
9d2326dc66d44ac6b1af2732226e44028e096be3

SHA256
3f797c7b53d59ba3bd978a8fcdcc996647d4d60f7adefae65016f59f76cf9ebb

SHA512
57a09a1eb7932828b5d9a20eb900b2b58bb29c7b344bd26c19aa75621dd5621a925d57dc81364bb918ebe3883bd401cd867f18d703c6caed7bdb2ed9b4ea8d6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache

Filesize
1KB

MD5
6419cff4ebcaf083ef00173a41608781

SHA1
bd1b53c369b14043a9865e4f59889f7f0f90020f

SHA256
9116807a6b9afc74076b699a75a9608aaa3d7686330abbdc6a4151d6786b231a

SHA512
dc2ff76ebd617c10488582ceec92927b6d59d64b244e7365c26f126ab894a5bb98f25b4d098a1faa10fd0ba83e6b8c7730ea052470597a6ee17560060a218116

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log

Filesize
15KB

MD5
66ade093ce98794193cfb2883bb26b73

SHA1
f43bb0d0895846129060e7a9e2b1e82dd8d062ef

SHA256
70b6a78272c9c7e25cf0a0484d3c65275f45f888069962868acec97505a986e4

SHA512
ceb8a95b5509201ec943a355765447ecbada3712552b1d35e8ac381070f861fa596efa9dc8afa8c5623e1a0f4967d029098e1d793870b272e0646fc61c3c1bd2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
331B

MD5
56e00cd1f72e31916fa60acdf1fcd4bd

SHA1
3e091936a4c8e3c2f47542dd525b140d2d2936ba

SHA256
6576258ce114707706b02eb6a868a76ad50b05c583a4d2e84af929a56ab8f017

SHA512
a89685b456bb33a8784f153d1184b0a69d4b6917a5aaa0e1b73703727ca93e540a53c6e448823651d01128f078159188b368da44cf3e6db938f17de53eb919f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
579B

MD5
b4f30e6aa58c8d557c10d4ec7e813ee1

SHA1
7c3782df51486e878cceaecc2c993abe9d01918b

SHA256
bd940d63c926a04f6160582e0b10e7266ad43cf6da403c09f254821a7316427d

SHA512
87b3aa728695d04857e083727754e4dc897bd1a340be1f97e7ea349e76fe73ac2e526280c1b815846c777669b412f0d08530796cb1d7c662ffaaf88879b148c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
579B

MD5
a814b489d0c0458c5d6e456de0641759

SHA1
7d3135254b82529a5a73d2b56bdd950b7fbb10c5

SHA256
0fa9691945032f4d3d3a3b56656b8d8338a55d098e5e57651e1f6af218adce48

SHA512
f1e0042dd98a8b8552e77535016bfd46d08bfa7ace7b84784263644f780d81a25e1b76d40e21ba2c37d8fdd1ea138a153233497abd4eca414d9be59f2d150c92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
7831516805398be4478fd98163096959

SHA1
cec7b70052f39f13f138795c1c23a7d27896a58c

SHA256
d3fd694e5606a49a353f116767524515a4b60c0ac6edb55997874894a796646b

SHA512
42392a0b371bd62508493047c171639aa6bef430d5371cfa8f6801cefd92d9aa5290dc2da9f7493458e2d5f7ce5a685ef86e764b03420dc78f7f11fe6f903493

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9e81d2beca0b64fb7d719b5350a46cc3

SHA1
61c23c99eed7e09c85fa45dddbb650ee22cbab89

SHA256
719e7bf8c77e083622b06ba9a3f6e33655cdabf321b3cfd6d4f3101fb179695d

SHA512
a59f07892a53064624c9b054dde5343768948029a4b98a1d8c507ff9e340ff415a208305907943da9f0f04a409ed574009b340bdf7946d120209f0091bea1f68

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ebda1dbcb23dff0b52aac4ef1e74e1a2

SHA1
1db078a3193b44a130e42dcf7352263531960081

SHA256
55bd1af83db9d2e2f21afd4a967307e9379db8ef79616f0fc94292c07e60088b

SHA512
264e75ee73150bfa1c35d08b85650242f407224276cba81a199a8c62ae43206f4f85476c1f80863b62a3c5a5b2e389083cdb381e01c20acfefff340006741277

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ee0384d472e0a55258e3675b9a623800

SHA1
babd644cb4b0b451f2fc9fecb5a47c57d9096580

SHA256
10de14ecdfc23c8088da6c966a94185da2e5995c8884e9e0b7bf90f4b32397e9

SHA512
7b4393d4fad23411417528029b4d63ff3f5b1f16ec2a29c723dc6a7f225af0fa01d059a2c79cb0c690024b73d6fd01eb33c53f761e2c9332c94bb8968b3e88ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\000003.log

Filesize
1KB

MD5
f821b8259fdda803b04c00236aa4cd21

SHA1
db4d848d7e82b77f3a22b454f7f5b322ac08e8cf

SHA256
5c3abbb5bbb0efe8b4e2fb747f7b04852ee0613bb6943dfb705be9adc8eb5b33

SHA512
0d24d0cc31df897b17c24aad1f594e2e0c884221fe752d072ae9111949e21310c103f7fe6adb4d176536406ab1e6919c4f699545fa3bc7fc14f582401a03e81b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG

Filesize
319B

MD5
5a00e9ed2bc06ffffffe7d9d9b09b083

SHA1
87c326e62d3611f08bc8f33ca042db90a6267d3e

SHA256
bb3099fd736de548397aba4dcaf365f44abcdc38a633859d1ff32b3472c65ce1

SHA512
cfe627e85e07125c8f9095f8c382cfad120e183c91a8baa651bc32b8dc5e11c54d67a70fd2f3af3d6f17e2c6707654d59a8761092fa40a0baf1dec0a3e5a5e52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Session_13370653585098815

Filesize
8KB

MD5
4eccc804ae9b67f1d4a2d1f58776f50c

SHA1
3a20254ec3a87624dc381e1f5c13c288f02cdb09

SHA256
2ce7747938e236816303e568df2e4ed9cb75c00278cd97c8cd9b6a3469f4d6a0

SHA512
3c5a1698c007099e522d284fd87d41172319dc00b8b974aa5f34bf79bbf00fddf820259f34d032931e9972d38bb65f0c5541a2c6e30a4c82f0cae2e7e27614d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13370653585250815

Filesize
4KB

MD5
225928215f8015f49274c79d9e3b09da

SHA1
35d5fb60cade2a4a7aa60e74397c4c18acfff193

SHA256
854677d257c50b78396fb140bf260565f909a1e4adfb4178e0b92097b8288148

SHA512
b96bcc2703e9004a7b0318f6cf82a3b6dd4e833520bef66ef171b35ad51a833db1e8c12559a03339b0dbf737cd05dcf8ccf24ccc8f5744a62615f84352130896

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\000003.log

Filesize
112B

MD5
655d2e93f6a9d57fd3f7eb205171a55f

SHA1
ba0db59aefccbe2a89ee88a8f2d1ffe63e15fcba

SHA256
342d642e90ae7298211c8f3556a473958d74672a6923ee22da36d03bba180221

SHA512
5d0cd59bd2cc46c84e9c2a2fbfdd2ce7218f10b1eea6a91052d78c7b2caa06a5405f9856b52e80c6e19b73becc143b28e12a2e5c305c1fb0e15952dd54e55a68

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
350B

MD5
32315255db71d40a2e518810dd8bc3f2

SHA1
19be140abc0fe13ba8dab4a77c052e9a83596ad0

SHA256
c047d9477ca9ffc730b96ecf6a90b6222828e4ed7930c7700eadfea6d968a113

SHA512
45342f5384e2ead77aaa13d3c2cfc9da2049d6362de7a4c8bab57d7c5870d1769cf6cbaef85ef3b3209fd2e25fba25ff8392053be4d9e935d2f986495128376d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
323B

MD5
d5a5f973dc2de5179ab49e22f4b02f70

SHA1
56d0802221d02aa23ac3ab5fdf95c400a1776226

SHA256
34443ea2167f3e3b538f5ba7e3744d4836850cbaefa33367c7a9fc11bb3a7b7c

SHA512
8c6664733f4bf374f39bc71e205d909d75476666720a51fea3ef3d0dd8ec01e19fab17b38a30b72285c3649c9cc49dfc82d4f849fbedfe04d7e14fab8698cde9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
fa6a2e738f78907dd9f70c2cf5bf31aa

SHA1
e6077609ee0f73ef052b02a340b070f32e8e0e90

SHA256
d9889ed7f310aaae0ad73c29a8ba49c2d0cd79f83a6a3098730f1b6bb36cfaef

SHA512
887f238a6eaaa874eb4cf8f8c5a4faff010f1acb88634a77c47306014b00a1d0d56b6eb19cd755adcd0e5bb37397df7be6901df24bba38ba892115e72db93d42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57c033.TMP

Filesize
1KB

MD5
55d131b7d4856238dbcfe9228ab6c0bb

SHA1
26ef7e495339e2109b61bb1a68c6d291d2654d61

SHA256
6f9ce3c118d88d39b684dbad79fca46779375bc9e17d9a432b3099d48edb4847

SHA512
38b7c3057ee7c5b51f67cc6418ce48766bb695cb3aaf9047000bfec86a4a77f477fbbd9cbdfb3509dee6af525f5b2416da3b5c9725e5ee1e397a632b49a10273

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links

Filesize
128KB

MD5
a34497348ca44a6f9af05750e36ebbec

SHA1
798716a80c8c98db347a1e626da0db10f8d84d50

SHA256
619135cc60298a508f5276e9c3f56ba81ccb0903901af9015e8ababb7dd4e694

SHA512
de26ef9168db775567103a9362c1fc09e6dc6bb15b494e9765a4612347788ca885b82398d069e3c186f866b38eea0fadc248720887688531c283ea319cbc5ef3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

Filesize
72KB

MD5
b0bf2306a7b30c7451513eec87c28aac

SHA1
4439cb130febbc21b984f91bc760d545fba3bce4

SHA256
10af46e3da7a003d0375f500ab194bab9bdf3bda7537ea28be59efbcf1e254e3

SHA512
d99e8738e77cb58f0b0e8817fb35aead1462fcce793ba7fdfbae053c84785713906619a23126feb6a667b1e13b88b4532dcd96cf69625106eea045041a604ee0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\000003.log

Filesize
6KB

MD5
94a3c5e140c28d193a26e68891f2695f

SHA1
43c42e5a753570f14454973f549c098c09d86f82

SHA256
443249ebeff67c7a58a8e0bc6779fb8aca58609142de49aa6958c6c664a3b9df

SHA512
c50751dd209fd4bfe131af24bc660bafc373186e2867c96a2333530c45c6ef01748c2e6692f5aa36c048db71d2bd18e79f9d6b4c6695442576b08e8222ce4066

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG

Filesize
319B

MD5
3f92265cede0f6e096f412cf2b05d586

SHA1
0095a5122f3b0f9864c1cd44a91ce27c5c1af6b2

SHA256
fdf0d125cb225614d49032848adbde1966b03a521eb0c5cc8b6d97a261f31c36

SHA512
2e7a41347bcbd956d0d296a6b73f9627287dda2e336e1e9fdfdd91256e894a06f622d397e4e807308f1c41715937ac024d8ea5a66f55eb2c6c43e0db86a45864

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

Filesize
337B

MD5
e1f38883b702c380c6210e305bbba6d4

SHA1
926004dc9cd76aa36cda208023951ac09b00c02c

SHA256
9fe5ef07a95427cc0009c376d16d7581c08bb3f2b10255537287a0da729e19d1

SHA512
95bc51cb04c266b6ca8e50a4d2cd1b7fbe523ee7a4d156df3a998323dbc06603c5cd535a2f9b484fd0a24b4c92840664fdf650ac0830361d914d2433c4d1c7cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0

Filesize
44KB

MD5
72d27f68e307598cf84ef20aac6ac9f3

SHA1
76abe0a9b6032de2a1f26189b33654536c7bedff

SHA256
13a08ad67350933811d18f66f1ebf6062a860a010020d0f2ed0ddf2ae0ce8539

SHA512
f2331968c3a3eb82176244381115ec8c50ae5d8a76e2517a3bb1eff00f422334ea6ad09f966c724f7086949768fd093bb46e750234a90e8eb7cae89b10434058

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1

Filesize
264KB

MD5
e34989e8192e6c4aa8e06827ba6e47ba

SHA1
b61f40adb4709f431b6c95c5a45ebe16bb57d80a

SHA256
f901055adce62b46068d55c18e6048e62af06613ce1e9140cdd2f5e14424c340

SHA512
bcca337e6c00bd7013d2e3a9a84603f35878aa1b3e94925f19655670ab4602756b71abc8ede693a45fe64e102b1ebd7483cc0769405e0efa1c2fca5b2deb4794

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_3

Filesize
4.0MB

MD5
6dc603163aee8b0422feb358eec687b0

SHA1
f67bcddb94dd1b0fbdae46f35e64f74c45e5376e

SHA256
e52b407559dd51922998c1b8609829bb80cc2b44cb6981c7afb24be3c13fc71f

SHA512
f7b6c0730927b88210478494dc39e065b170ae93c2004011bb95ffe746ff4aa7d695bca6aeb9b367efea52286e8bf25ddeeb2fa32ff23e1823e712faaeab5238

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
b29bcf9cd0e55f93000b4bb265a9810b

SHA1
e662b8c98bd5eced29495dbe2a8f1930e3f714b8

SHA256
f53ab2877a33ef4dbde62f23f0cbfb572924a80a3921f47fc080d680107064b4

SHA512
e15f515e4177d38d6bb83a939a0a8f901ce64dffe45e635063161497d527fbddaf2b1261195fde90b72b4c3e64ac0a0500003faceffcc749471733c9e83eb011

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
762761ac1dbb8f9bf7e4ede030d69e9b

SHA1
c3f4e2f8ccffb26abf75dde4ceb83f4fe886d200

SHA256
2337ed452fb96b92569226ffb94b3c6b14620c4bd5be98a7f95ced7787b3a255

SHA512
8907a7104d6aa86b9d715b4d0e13513835696c2e04a999b4c56c19f5d6e6ebb89bb27bb556c1d6ce3b2e40525252d15629d2df3cd3a58b95608d041fe81c68ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
99150d9c4380164e1c7df4603520ba11

SHA1
e495bb607ee0f70b911434821aaaaf4e66d74c92

SHA256
644bf2ee2e7c4642c03894361f5310d243c01af1547a13da6b0362b2fcefda9d

SHA512
b9ceca343996f995e41a4cc860f7aa12f3dcbf5ab9bca5920706e36dd2f177c11a1b6190468e0f2e3d501f325f81b1e5199147ad28c0fafb84b517d5cb010e9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
c21ffe8f5b27b1b9dafb7c75a4ce1955

SHA1
874ff294040a06228247c7ce4adcb4f177e76095

SHA256
1f3b3e21d969cda975fd1cf1896a30e44966a3483912e106b77efab7f983eecd

SHA512
9b616a58cacf50daee39912c9ccbe2cd378650992211f27f20a618ef09229980868028b81776999553544b3dd4e13911bfa973a92307e06dd19cb4b6905972ef

Download Submit
C:\Users\Admin\Downloads\@[email protected]

Filesize
933B

MD5
7e6b6da7c61fcb66f3f30166871def5b

SHA1
00f699cf9bbc0308f6e101283eca15a7c566d4f9

SHA256
4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e

SHA512
e5a56137f325904e0c7de1d0df38745f733652214f0cdb6ef173fa0743a334f95bed274df79469e270c9208e6bdc2e6251ef0cdd81af20fa1897929663e2c7d3

Download Submit
C:\Users\Admin\Downloads\@[email protected]

Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\Users\Admin\Downloads\WannaCry.EXE

Filesize
3.4MB

MD5
84c82835a5d21bbcf75a61706d8ab549

SHA1
5ff465afaabcbf0150d1a3ab2c2e74f3a4426467

SHA256
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

SHA512
90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244

Download Submit
C:\Users\Admin\Downloads\WannaCry.EXE:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\msg\m_finnish.wnry

Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Default\Desktop\@[email protected]

Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
memory/2008-478-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download