Analysis

  • max time kernel
    66s
  • max time network
    66s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    14-09-2024 13:19

General

  • Target

    https://github.com/Da2dalus/The-MALWARE-Repo

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\!Please Read Me!.txt

Family

wannacry

Ransom Note
Q: What's wrong with my files?
A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting!
Q: What do I do?
A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions!
Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Deletes shadow copies (3 TTPs)

    Ransomware often targets backup files to inhibit system recovery.

  • Downloads MZ/PE file
  • Drops startup file (2 IoCs)
  • Executes dropped EXE (5 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  • Sets desktop wallpaper using registry (2 TTPs, 1 IoC)
  • Subvert Trust Controls: Mark-of-the-Web Bypass (1 TTP, 1 IoC)

    When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

  • Browser Information Discovery (1 TTP)

    Enumerates browser information.

  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTP, 14 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry (2 TTPs, 3 IoCs)
  • Kills process with taskkill (4 IoCs)
  • NTFS ADS (2 IoCs)
  • Suspicious behavior: EnumeratesProcesses (10 IoCs)
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (3 IoCs)
  • Suspicious use of AdjustPrivilegeToken (49 IoCs)
  • Suspicious use of FindShellTrayWindow (35 IoCs)
  • Suspicious use of SendNotifyMessage (12 IoCs)
  • Suspicious use of SetWindowsHookEx (8 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Da2dalus/The-MALWARE-Repo
    1⤵
    • Enumerates system info in registry
    • NTFS ADS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2004
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff978e63cb8,0x7ff978e63cc8,0x7ff978e63cd8
      2⤵
      PID:3708
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1872,5517313020124789015,790493838774604297,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1868 /prefetch:2
      2⤵
      PID:4664
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1872,5517313020124789015,790493838774604297,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2356 /prefetch:3
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2212
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1872,5517313020124789015,790493838774604297,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2596 /prefetch:8
      2⤵
      PID:1556
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,5517313020124789015,790493838774604297,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
      2⤵
      PID:2712
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,5517313020124789015,790493838774604297,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
      2⤵
      PID:1040
    • C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1872,5517313020124789015,790493838774604297,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5308 /prefetch:8
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:5056
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1872,5517313020124789015,790493838774604297,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5424 /prefetch:8
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:4740
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,5517313020124789015,790493838774604297,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:1
      2⤵
      PID:4680
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1872,5517313020124789015,790493838774604297,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5944 /prefetch:8
      2⤵
      PID:2544
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1872,5517313020124789015,790493838774604297,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5648 /prefetch:8
      2⤵
      • Subvert Trust Controls: Mark-of-the-Web Bypass
      • NTFS ADS
      • Suspicious behavior: EnumeratesProcesses
      PID:3728
    • C:\Users\Admin\Downloads\WannaCry.exe
      "C:\Users\Admin\Downloads\WannaCry.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      PID:988
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c 9171726320039.bat
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4976
        • C:\Windows\SysWOW64\cscript.exe
          cscript //nologo c.vbs
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4972
      • C:\Users\Admin\Downloads\!WannaDecryptor!.exe
        !WannaDecryptor!.exe f
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1732
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im MSExchange*
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1104
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im Microsoft.Exchange.*
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4644
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im sqlserver.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4996
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im sqlwriter.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1724
      • C:\Users\Admin\Downloads\!WannaDecryptor!.exe
        !WannaDecryptor!.exe c
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1620
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c start /b !WannaDecryptor!.exe v
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3984
        • C:\Users\Admin\Downloads\!WannaDecryptor!.exe
          !WannaDecryptor!.exe v
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:5020
          • C:\Windows\SysWOW64\cmd.exe
            cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
            5⤵
            • System Location Discovery: System Language Discovery
            PID:412
            • C:\Windows\SysWOW64\Wbem\WMIC.exe
              wmic shadowcopy delete
              6⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              PID:552
      • C:\Users\Admin\Downloads\!WannaDecryptor!.exe
        !WannaDecryptor!.exe
        3⤵
        • Executes dropped EXE
        • Sets desktop wallpaper using registry
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1200
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:3436
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:244
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4212

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
    Filesize: 152B
    MD5: 9828ffacf3deee7f4c1300366ec22fab
    SHA1: 9aff54b57502b0fc2be1b0b4b3380256fb785602
    SHA256: a3d21f0fb6563a5c9d0f7a6e9c125ec3faaa86ff43f37cb85a8778abc87950f7
    SHA512: 2e73ea4d2fcd7c8d52487816110f5f4a808ed636ae87dd119702d1cd1ae315cbb25c8094a9dddf18f07472b4deaed3e7e26c9b499334b26bdb70d4fa7f84168d

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
    Filesize: 152B
    MD5: 6fdbe80e9fe20761b59e8f32398f4b14
    SHA1: 049b1f0c6fc4e93a4ba6b3c992f1d6cecf3ada1f
    SHA256: b7f0d9ece2307bdc4f05a2d814c947451b007067ff8af977f77f06c3d5706942
    SHA512: cf25c7fd0d6eccc46e7b58949c16d17ebeefb7edd6c76aa62f7ab5da52d1c6fc88bde620be40396d336789bd0d62b2162209a947d7ab69389e8c03682e880234

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
    Filesize: 2KB
    MD5: 4bf71be6c9cc5cd16fcc9841c1387fd9
    SHA1: b12a383986cba44d62bc61f6465ca0bcf740d026
    SHA256: c367b2d4a3a694a19ce14675d63723615c0ad5e235e6df125d9c4c8b2443acfd
    SHA512: 5916989e57d7e79430823556e608428070901b1c3fcc94a37760eb8209a371747e4e1370eccdd155d00720e7e54e374dc74a2791f4fd476340d13fa7cd0cf098

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize: 5KB
    MD5: 2ef703462c90d697e1562fab41f21e8b
    SHA1: 317b4348b72696aef554cf52fd2118724b5a23c5
    SHA256: 772bbacabf056fb0ea23daa4cf4aedf515d936adcf1ddca6a54ba7817b2515a0
    SHA512: 9a7fa031951e26e9843a3b363c601ea59d4674aa21ded1b100de9e35dc35c0eff3bd063e58c03cc5aeca78ca420e86e3ec21b16196c8b6100bafa45cb9dc9657

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize: 6KB
    MD5: 69d0603147a39880a2190afe4f8f1a4a
    SHA1: 099a1ea6d03f5e737ac95ec35b66d82f743e2da4
    SHA256: 23b0baad5ac46dcbc65c1167d11b721594a35f3567965357cd0e11dd222040c9
    SHA512: 6ba99db07a32665b0530f3adc4f5c0b6d8f36d26a0e6c11fe93c09191051391bc80779095ce8eb08f742e767c883d7c7cedde469464225d854e9c74e043e8608

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize: 6KB
    MD5: 4faaf41b82085becaed6a592c6c5b571
    SHA1: e6244d74bf5c98cf0d1ceb9e14b3d0700aeb4702
    SHA256: aa8f437a6bfb631e3d87da5300d804aea89fc6c70c18249acfc52130960f06ab
    SHA512: 2317862bc6980fe1d7da5012d2f2781c08ccb1faf09f8a49f9f6efa43750610333ea7977eee7abb19c4a630880424981686783fe020d6f9ee2c116a1ded3c2cf

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
    Filesize: 1KB
    MD5: cae0b302610620559afa8adcabc40a1d
    SHA1: 80d547b0d3d893de773061320368b2c48c815ccf
    SHA256: d71da51efe772f6cb3527cfa76d097ffccc8bbf3bc891a70b630845b3dcd08f6
    SHA512: c7b8232fbabb8cd6a01daba7566ba6cb6a6e0c2df71ad341d64d177fc0bfdb673a3d289359096654c88f2c550bf7b72d754a1e8d6a392c86b3645fdae675860f

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
    Filesize: 1KB
    MD5: c21f32ea51b3c437a4c9c5f7d26dc9d1
    SHA1: 98ab69d8370c16c70ef39803511c5b15a10da2d2
    SHA256: 1fbb2af2ed13763d0c791710823a00edeaef8e17bcc7d554f3e38a5ced59a353
    SHA512: e7e6be493c5814e19ee71afce5be3bf0f5d8c90dbcea4aeefcc50369818992b1710a26e657b8f0e7ff4abe1c96f8ce5780958457ed7d1fbdfb2877b188912dee

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57ff9d.TMP
    Filesize: 874B
    MD5: 05fd33ca465f0c5be037731a12dd83ef
    SHA1: abde6679311184e977c0571d34359cea653cff04
    SHA256: 7e66091dc0d653cd2d997ed0b2e165005d0b8c129c2bcf6dfc3ec45d7d417d52
    SHA512: ce90094a7b9c82291c9e20a168ec37ce505b39e943e6c67a9e2b4b536dd3b3ddb99710540a6c5c5b3b02fc657b02089e550736bfe1ac089a18654f972176db9c

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
    Filesize: 16B
    MD5: 46295cac801e5d4857d09837238a6394
    SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
    SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
    SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
    Filesize: 16B
    MD5: 206702161f94c5cd39fadd03f4014d98
    SHA1: bd8bfc144fb5326d21bd1531523d9fb50e1b600a
    SHA256: 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
    SHA512: 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\heavy_ad_intervention_opt_out.db
    Filesize: 16KB
    MD5: 9a8e0fb6cf4941534771c38bb54a76be
    SHA1: 92d45ac2cc921f6733e68b454dc171426ec43c1c
    SHA256: 9ee9211a57c3f6fa211fe0323fa8cd521e7cbffcd8ff0896645a45795dc472be
    SHA512: 12ed22537dcc79d53f6c7d39e92a38f8fea076d793198928f5b7a5dd1234d50a3c0b4815632f3fadf8bc4ef0499773d22bd83f961d2d0ffd8afacf471bd3a5ae

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\previews_opt_out.db
    Filesize: 16KB
    MD5: d926f072b41774f50da6b28384e0fed1
    SHA1: 237dfa5fa72af61f8c38a1e46618a4de59bd6f10
    SHA256: 4f7b0e525d4bfc53d5df49589e25a0bccf2fcf6a1a0ca3f94d3285bb9cf0a249
    SHA512: a140df6ec0d3099ef374e8f3ece09bf91bc896ac4a1d251799a521543fe9bdea796ba09fa47932bd54fa939118495078f9258557b32c31d3d4011b0666a4723f

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
    Filesize: 10KB
    MD5: 48f935f4f2066125cc7173fa234eec13
    SHA1: fa0c0c688fca9caf95eb2c58760e680cdcec2787
    SHA256: 7be86af1a2a873fd4315d5d635ed754b188c9f14a2bb484142c0760d38ebfc42
    SHA512: 045b59c5e470c1e7af8d0286fa2a2d661811023b827d9fb572631859ab1cb2823c3dd5692252a31da827791b57b2604acdf922d9eebd05b6eedfb7cff2dac43f

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
    Filesize: 10KB
    MD5: 91d0f9f79d957a2c711bd10641e6ef5f
    SHA1: 5b763161bfa38c26f527d6c28d744133f1c2f1ea
    SHA256: 6d59656d9129a97e87422049b2695c393df350e10db99f6525ab237202d3a892
    SHA512: bd3b1ca6f492b1e9836285e7d0af248fef37d6fc96f94427ab84716ee73bb81c7757787372eec93c36ec6154005986f2a94457c95a283cd7ffec8d1bc11dc21a

  • C:\Users\Admin\Downloads\!Please Read Me!.txt
    Filesize: 797B
    MD5: afa18cf4aa2660392111763fb93a8c3d
    SHA1: c219a3654a5f41ce535a09f2a188a464c3f5baf5
    SHA256: 227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0
    SHA512: 4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b

  • C:\Users\Admin\Downloads\!WannaDecryptor!.exe.lnk
    Filesize: 590B
    MD5: 9d2423a89dad638496a7428905c8f7ca
    SHA1: 49ffbcbf36de2d6686e8f5f629d3cc2968c755e9
    SHA256: fb7b512a06bf10100448d230ca3f26db6a20d012060e20b36b4832ba667bba8b
    SHA512: 320e55796a2a1b21c6cc25be905efdcdc3f88b9c9e8a3785b821efd0fe47b86e6711eefacc96f5bd986901ad1c45cc6f297d456ab57e4f8dd77da0f5a3dc8d7d

  • C:\Users\Admin\Downloads\00000000.eky
    Filesize: 1KB
    MD5: 1e7119c7fadffc612f2336d7758b1abc
    SHA1: 9cf5826b0f3ccadef36e2f11fab6109f15d0fe6b
    SHA256: 903c4262ce3b109a15d00b7fab8e595c5ac00a412d7a637ade71b0a26ca86d42
    SHA512: 2fd0746b871a69567a8f4bfba9e99701f1bc9cea53d8a2f729a0b8376bd95c5c169ca741a1e2289f1530ee3f746b00582905bc0cb7b32b1189d2a4c39b249543

  • C:\Users\Admin\Downloads\00000000.res
    Filesize: 136B
    MD5: 074609d53a5e06acf460578bb4511119
    SHA1: d1e3402f63bff06ff827a9d1b3bad0e37e06f40f
    SHA256: 6f1aa9f7057705f8641ecc4bc714698bbf29458294205eed2810386eb0c3a5fd
    SHA512: 5172dc81a4418522165d28f3210bb610abdbf1c38b35da9b1084a330ef7f2c6a8325ab9513256b3253f0c5357d1f40b2c52942b6c31473216f85f681c4ee4ec8

  • C:\Users\Admin\Downloads\00000000.res
    Filesize: 136B
    MD5: 055fe6cdc681cf328b7a2218483daa8c
    SHA1: 17642316dcefbc74d211ca36d8773c14c4f3140e
    SHA256: 74f877c3c694c7069ad4533c41ed04b54ea56728b344506c2284c191cbb38a01
    SHA512: 4b3bf76972ef666ec4108f4bf9a3df1f65796cf99c4564f7c6fabe0cc20e49ea147df3fcc6be8325285400a1dc43b9ef7dc8d6d825913ab8d81378681bfb3bb2

  • C:\Users\Admin\Downloads\00000000.res
    Filesize: 136B
    MD5: 421bb1db226c1a3b06bbeb1b0bce40f7
    SHA1: 4d56fc957411bd0fad25f8a20bcc8a1196f2167a
    SHA256: 275d6ccb29c96296f8ff2fec0df1eba5b1da40159dfcb1efc674a3db85c69d48
    SHA512: fef19f9b055e380ff04b6439f239242a4b216c292ccc15280d37d392327be6772845768d2c16a4889236066e256e5dbebf18ff8717fd841f68fd7a67cc748c72

  • C:\Users\Admin\Downloads\9171726320039.bat
    Filesize: 318B
    MD5: a261428b490a45438c0d55781a9c6e75
    SHA1: e9eefce11cefcbb7e5168bfb8de8a3c3ac45c41e
    SHA256: 4288d655b7de7537d7ea13fdeb1ba19760bcaf04384cd68619d9e5edb5e31f44
    SHA512: 304887938520ffcc6966da83596ccc8688b7eace9572982c224f3fb9c59e6fb2dcaa021a19d2aae47346e954c0d0d8145c723b7143dece11ac7261dc41ba3d40

  • C:\Users\Admin\Downloads\Unconfirmed 65640.crdownload
    Filesize: 224KB
    MD5: 5c7fb0927db37372da25f270708103a2
    SHA1: 120ed9279d85cbfa56e5b7779ffa7162074f7a29
    SHA256: be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844
    SHA512: a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f89224c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206

  • C:\Users\Admin\Downloads\WannaCry.exe:Zone.Identifier
    Filesize: 55B
    MD5: 0f98a5550abe0fb880568b1480c96a1c
    SHA1: d2ce9f7057b201d31f79f3aee2225d89f36be07d
    SHA256: 2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1
    SHA512: dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

  • C:\Users\Admin\Downloads\c.vbs
    Filesize: 201B
    MD5: 02b937ceef5da308c5689fcdb3fb12e9
    SHA1: fa5490ea513c1b0ee01038c18cb641a51f459507
    SHA256: 5d57b86aeb52be824875008a6444daf919717408ec45aff4640b5e64610666f1
    SHA512: 843eeae13ac5fdc216b14e40534543c283ecb2b6c31503aba2d25ddd215df19105892e43cf618848742de9c13687d21e8c834eff3f2b69a26df2509a6f992653

  • C:\Users\Admin\Downloads\c.wry
    Filesize: 628B
    MD5: 6c4a1aa92517dd758d87402b79543628
    SHA1: ca8492f566558209ecf46f27e0adb0562f0dbbf5
    SHA256: 7a8ddd60c5cbc4c308733a6489b57e8dfdbe54de36f7e7dca1d85d447796737c
    SHA512: afc04129708e2ac57a1b789358d6894631340ea07a583348acce7f49b2f4ef3c9fcfe67f408d25cec87ec6ae9837b3c1e5de6a46ccb74ae71cb9e147658e36cc

  • C:\Users\Admin\Downloads\m.wry
    Filesize: 42KB
    MD5: 980b08bac152aff3f9b0136b616affa5
    SHA1: 2a9c9601ea038f790cc29379c79407356a3d25a3
    SHA256: 402046ada270528c9ac38bbfa0152836fe30fb8e12192354e53b8397421430d9
    SHA512: 100cda1f795781042b012498afd783fd6ff03b0068dbd07b2c2e163cd95e6c6e00755ce16b02b017693c9febc149ed02df9df9b607e2b9cca4b07e5bd420f496

  • C:\Users\Admin\Downloads\u.wry
    Filesize: 236KB
    MD5: cf1416074cd7791ab80a18f9e7e219d9
    SHA1: 276d2ec82c518d887a8a3608e51c56fa28716ded
    SHA256: 78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df
    SHA512: 0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

  • memory/988-261-0x0000000010000000-0x0000000010012000-memory.dmp
    Filesize: 72KB