wannacry | hxxps://github[.]com/kh4sh3i/Ransomware-Samples

Resubmissions

14-10-2024 23:38

241014-3mvqzawcrn 10

14-10-2024 23:35

241014-3ld2tswcmn 8

Analysis

max time kernel
204s
max time network
205s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
14-10-2024 23:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/kh4sh3i/Ransomware-Samples

Score

10^/10

wannacry defense_evasion discovery execution impact persistence ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\!Please Read Me!.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions! �

Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Downloads MZ/PE file

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDD463.tmp	WannaCry.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDD479.tmp	WannaCry.exe

Executes dropped EXE 6 IoCs

pid	Process
4116	WannaCry.exe
4592	!WannaDecryptor!.exe
2656	!WannaDecryptor!.exe
3152	!WannaDecryptor!.exe
2144	WannaCry.exe
1224	!WannaDecryptor!.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\Downloads\\WannaCry.exe\" /r"	WannaCry.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
2	raw.githubusercontent.com
20	raw.githubusercontent.com
44	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp"	!WannaDecryptor!.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\WannaCry.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
1692	taskkill.exe
936	taskkill.exe
4584	taskkill.exe
1984	taskkill.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 233783.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\WannaCry.exe:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3120	msedge.exe
3120	msedge.exe
2340	msedge.exe
2340	msedge.exe
5008	identity_helper.exe
5008	identity_helper.exe
2248	msedge.exe
2248	msedge.exe
2396	msedge.exe
2396	msedge.exe
2396	msedge.exe
2396	msedge.exe
1472	msedge.exe
1472	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

pid	Process
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

description	pid	Process
Token: SeDebugPrivilege	1984	taskkill.exe
Token: SeDebugPrivilege	936	taskkill.exe
Token: SeDebugPrivilege	4584	taskkill.exe
Token: SeDebugPrivilege	1692	taskkill.exe
Token: SeIncreaseQuotaPrivilege	4728	WMIC.exe
Token: SeSecurityPrivilege	4728	WMIC.exe
Token: SeTakeOwnershipPrivilege	4728	WMIC.exe
Token: SeLoadDriverPrivilege	4728	WMIC.exe
Token: SeSystemProfilePrivilege	4728	WMIC.exe
Token: SeSystemtimePrivilege	4728	WMIC.exe
Token: SeProfSingleProcessPrivilege	4728	WMIC.exe
Token: SeIncBasePriorityPrivilege	4728	WMIC.exe
Token: SeCreatePagefilePrivilege	4728	WMIC.exe
Token: SeBackupPrivilege	4728	WMIC.exe
Token: SeRestorePrivilege	4728	WMIC.exe
Token: SeShutdownPrivilege	4728	WMIC.exe
Token: SeDebugPrivilege	4728	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4728	WMIC.exe
Token: SeRemoteShutdownPrivilege	4728	WMIC.exe
Token: SeUndockPrivilege	4728	WMIC.exe
Token: SeManageVolumePrivilege	4728	WMIC.exe
Token: 33	4728	WMIC.exe
Token: 34	4728	WMIC.exe
Token: 35	4728	WMIC.exe
Token: 36	4728	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4728	WMIC.exe
Token: SeSecurityPrivilege	4728	WMIC.exe
Token: SeTakeOwnershipPrivilege	4728	WMIC.exe
Token: SeLoadDriverPrivilege	4728	WMIC.exe
Token: SeSystemProfilePrivilege	4728	WMIC.exe
Token: SeSystemtimePrivilege	4728	WMIC.exe
Token: SeProfSingleProcessPrivilege	4728	WMIC.exe
Token: SeIncBasePriorityPrivilege	4728	WMIC.exe
Token: SeCreatePagefilePrivilege	4728	WMIC.exe
Token: SeBackupPrivilege	4728	WMIC.exe
Token: SeRestorePrivilege	4728	WMIC.exe
Token: SeShutdownPrivilege	4728	WMIC.exe
Token: SeDebugPrivilege	4728	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4728	WMIC.exe
Token: SeRemoteShutdownPrivilege	4728	WMIC.exe
Token: SeUndockPrivilege	4728	WMIC.exe
Token: SeManageVolumePrivilege	4728	WMIC.exe
Token: 33	4728	WMIC.exe
Token: 34	4728	WMIC.exe
Token: 35	4728	WMIC.exe
Token: 36	4728	WMIC.exe
Token: SeBackupPrivilege	1812	vssvc.exe
Token: SeRestorePrivilege	1812	vssvc.exe
Token: SeAuditPrivilege	1812	vssvc.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
4592	!WannaDecryptor!.exe
4592	!WannaDecryptor!.exe
2656	!WannaDecryptor!.exe
2656	!WannaDecryptor!.exe
3152	!WannaDecryptor!.exe
3152	!WannaDecryptor!.exe
1224	!WannaDecryptor!.exe
1224	!WannaDecryptor!.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2340 wrote to memory of 2036	2340	msedge.exe	80
PID 2340 wrote to memory of 2036	2340	msedge.exe	80
PID 2340 wrote to memory of 1028	2340	msedge.exe	81
PID 2340 wrote to memory of 1028	2340	msedge.exe	81
PID 2340 wrote to memory of 1028	2340	msedge.exe	81
PID 2340 wrote to memory of 1028	2340	msedge.exe	81
PID 2340 wrote to memory of 1028	2340	msedge.exe	81
PID 2340 wrote to memory of 1028	2340	msedge.exe	81
PID 2340 wrote to memory of 1028	2340	msedge.exe	81
PID 2340 wrote to memory of 1028	2340	msedge.exe	81
PID 2340 wrote to memory of 1028	2340	msedge.exe	81
PID 2340 wrote to memory of 1028	2340	msedge.exe	81
PID 2340 wrote to memory of 1028	2340	msedge.exe	81
PID 2340 wrote to memory of 1028	2340	msedge.exe	81
PID 2340 wrote to memory of 1028	2340	msedge.exe	81
PID 2340 wrote to memory of 1028	2340	msedge.exe	81
PID 2340 wrote to memory of 1028	2340	msedge.exe	81
PID 2340 wrote to memory of 1028	2340	msedge.exe	81
PID 2340 wrote to memory of 1028	2340	msedge.exe	81
PID 2340 wrote to memory of 1028	2340	msedge.exe	81
PID 2340 wrote to memory of 1028	2340	msedge.exe	81
PID 2340 wrote to memory of 1028	2340	msedge.exe	81
PID 2340 wrote to memory of 1028	2340	msedge.exe	81
PID 2340 wrote to memory of 1028	2340	msedge.exe	81
PID 2340 wrote to memory of 1028	2340	msedge.exe	81
PID 2340 wrote to memory of 1028	2340	msedge.exe	81
PID 2340 wrote to memory of 1028	2340	msedge.exe	81
PID 2340 wrote to memory of 1028	2340	msedge.exe	81
PID 2340 wrote to memory of 1028	2340	msedge.exe	81
PID 2340 wrote to memory of 1028	2340	msedge.exe	81
PID 2340 wrote to memory of 1028	2340	msedge.exe	81
PID 2340 wrote to memory of 1028	2340	msedge.exe	81
PID 2340 wrote to memory of 1028	2340	msedge.exe	81
PID 2340 wrote to memory of 1028	2340	msedge.exe	81
PID 2340 wrote to memory of 1028	2340	msedge.exe	81
PID 2340 wrote to memory of 1028	2340	msedge.exe	81
PID 2340 wrote to memory of 1028	2340	msedge.exe	81
PID 2340 wrote to memory of 1028	2340	msedge.exe	81
PID 2340 wrote to memory of 1028	2340	msedge.exe	81
PID 2340 wrote to memory of 1028	2340	msedge.exe	81
PID 2340 wrote to memory of 1028	2340	msedge.exe	81
PID 2340 wrote to memory of 1028	2340	msedge.exe	81
PID 2340 wrote to memory of 3120	2340	msedge.exe	82
PID 2340 wrote to memory of 3120	2340	msedge.exe	82
PID 2340 wrote to memory of 3476	2340	msedge.exe	83
PID 2340 wrote to memory of 3476	2340	msedge.exe	83
PID 2340 wrote to memory of 3476	2340	msedge.exe	83
PID 2340 wrote to memory of 3476	2340	msedge.exe	83
PID 2340 wrote to memory of 3476	2340	msedge.exe	83
PID 2340 wrote to memory of 3476	2340	msedge.exe	83
PID 2340 wrote to memory of 3476	2340	msedge.exe	83
PID 2340 wrote to memory of 3476	2340	msedge.exe	83
PID 2340 wrote to memory of 3476	2340	msedge.exe	83
PID 2340 wrote to memory of 3476	2340	msedge.exe	83
PID 2340 wrote to memory of 3476	2340	msedge.exe	83
PID 2340 wrote to memory of 3476	2340	msedge.exe	83
PID 2340 wrote to memory of 3476	2340	msedge.exe	83
PID 2340 wrote to memory of 3476	2340	msedge.exe	83
PID 2340 wrote to memory of 3476	2340	msedge.exe	83
PID 2340 wrote to memory of 3476	2340	msedge.exe	83
PID 2340 wrote to memory of 3476	2340	msedge.exe	83
PID 2340 wrote to memory of 3476	2340	msedge.exe	83
PID 2340 wrote to memory of 3476	2340	msedge.exe	83
PID 2340 wrote to memory of 3476	2340	msedge.exe	83

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/kh4sh3i/Ransomware-Samples
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa20f53cb8,0x7ffa20f53cc8,0x7ffa20f53cd8
  2⤵
  PID:2036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1724,5788818079217876883,7692500843123361422,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1916 /prefetch:2
  2⤵
  PID:1028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1724,5788818079217876883,7692500843123361422,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2076 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1724,5788818079217876883,7692500843123361422,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2560 /prefetch:8
  2⤵
  PID:3476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,5788818079217876883,7692500843123361422,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
  2⤵
  PID:2856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,5788818079217876883,7692500843123361422,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:2704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,5788818079217876883,7692500843123361422,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5040 /prefetch:1
  2⤵
  PID:4452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,5788818079217876883,7692500843123361422,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4780 /prefetch:1
  2⤵
  PID:4268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,5788818079217876883,7692500843123361422,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4928 /prefetch:1
  2⤵
  PID:712
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1724,5788818079217876883,7692500843123361422,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5536 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1724,5788818079217876883,7692500843123361422,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5196 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,5788818079217876883,7692500843123361422,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:1
  2⤵
  PID:4748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,5788818079217876883,7692500843123361422,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:1
  2⤵
  PID:3456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,5788818079217876883,7692500843123361422,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:1
  2⤵
  PID:2208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1724,5788818079217876883,7692500843123361422,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5284 /prefetch:8
  2⤵
  PID:2108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,5788818079217876883,7692500843123361422,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5676 /prefetch:1
  2⤵
  PID:4768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,5788818079217876883,7692500843123361422,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:1
  2⤵
  PID:3444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,5788818079217876883,7692500843123361422,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5108 /prefetch:1
  2⤵
  PID:4064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,5788818079217876883,7692500843123361422,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5892 /prefetch:1
  2⤵
  PID:3372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,5788818079217876883,7692500843123361422,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5932 /prefetch:1
  2⤵
  PID:4988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,5788818079217876883,7692500843123361422,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5632 /prefetch:1
  2⤵
  PID:1480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1724,5788818079217876883,7692500843123361422,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4736 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1724,5788818079217876883,7692500843123361422,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6308 /prefetch:1
  2⤵
  PID:3372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1724,5788818079217876883,7692500843123361422,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6708 /prefetch:8
  2⤵
  PID:2120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1724,5788818079217876883,7692500843123361422,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6576 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1472
- C:\Users\Admin\Downloads\WannaCry.exe
  "C:\Users\Admin\Downloads\WannaCry.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:4116
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 291851728949256.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2936
  - - C:\Windows\SysWOW64\cscript.exe
      cscript //nologo c.vbs
      4⤵
      System Location Discovery: System Language Discovery
      PID:1540
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe f
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4592
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im MSExchange*
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:936
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Microsoft.Exchange.*
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1692
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sqlserver.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1984
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sqlwriter.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4584
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe c
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2656
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c start /b !WannaDecryptor!.exe v
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4496
  - - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
      !WannaDecryptor!.exe v
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:3152
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4996
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4728
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe
    3⤵
    - Executes dropped EXE
    - Sets desktop wallpaper using registry
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1224
- C:\Users\Admin\Downloads\WannaCry.exe
  "C:\Users\Admin\Downloads\WannaCry.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2144

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3712

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4072

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004D8 0x00000000000004E0
1⤵
PID:2952

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
554d6d27186fa7d6762d95dde7a17584

SHA1
93ea7b20b8fae384cf0be0d65e4295097112fdca

SHA256
2fa6145571e1f1ece9850a1ac94661213d3e0d82f1cef7ac1286ff6b2c2017cb

SHA512
57d9008ccabc315bd0e829b19fe91e24bab6ef20bcfab651b937b0f38eec840b58d0aed092a3bbedd2d6a95d5c150372a1e51087572de55672172adc1fc468a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a28bb0d36049e72d00393056dce10a26

SHA1
c753387b64cc15c0efc80084da393acdb4fc01d0

SHA256
684d797e28b7fd86af84bfb217d190e4f5e03d92092d988a6091b2c7bbbd67c1

SHA512
20940fee33aa2194c36a3db92d4fd314ce7eacc2aa745abec62aa031c2a53ba4ff89f2568626e7bd2536090175f8d045c3bb52c5faa5ecc8da8410ab5fc519f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010

Filesize
62KB

MD5
c3c0eb5e044497577bec91b5970f6d30

SHA1
d833f81cf21f68d43ba64a6c28892945adc317a6

SHA256
eb48be34490ec9c4f9402b882166cd82cd317b51b2a49aae75cdf9ee035035eb

SHA512
83d3545a4ed9eed2d25f98c4c9f100ae0ac5e4bc8828dccadee38553b7633bb63222132df8ec09d32eb37d960accb76e7aab5719fc08cc0a4ef07b053f30cf38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000011

Filesize
67KB

MD5
929b1f88aa0b766609e4ca5b9770dc24

SHA1
c1f16f77e4f4aecc80dadd25ea15ed10936cc901

SHA256
965eaf004d31e79f7849b404d0b8827323f9fe75b05fe73b1226ccc4deea4074

SHA512
fe8d6b94d537ee9cae30de946886bf7893d3755c37dd1662baf1f61e04f47fa66e070210c990c4a956bde70380b7ce11c05ad39f9cbd3ea55b129bb1f573fa07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000012

Filesize
19KB

MD5
76a3f1e9a452564e0f8dce6c0ee111e8

SHA1
11c3d925cbc1a52d53584fd8606f8f713aa59114

SHA256
381396157ed5e8021dd8e660142b35eb71a63aecd33062a1103ce9c709c7632c

SHA512
a1156a907649d6f2c3f7256405d9d5c62a626b8d4cd717fa2f29d2fbe91092a2b3fdd0716f8f31e59708fe12274bc2dea6c9ae6a413ea290e70ddf921fe7f274

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000013

Filesize
63KB

MD5
710d7637cc7e21b62fd3efe6aba1fd27

SHA1
8645d6b137064c7b38e10c736724e17787db6cf3

SHA256
c0997474b99524325dfedb5c020436e7ea9f9c9a1a759ed6daf7bdd4890bdc2b

SHA512
19aa77bed3c441228789cf8f931ca6194cc8d4bc7bb85d892faf5eaeda67d22c8c3b066f8ceda8169177da95a1fe111bd3436ceeaf4c784bd2bf96617f4d0c44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
4944e6719518e86c13d9a5285b1de6eb

SHA1
df3d552521f40fceebf8719d9d9945f5e5689da4

SHA256
eae5595b61d80bd7a3db28b447186c8930802d85cdf62bb3fa7cd4ac574eedf4

SHA512
038d008705fbe2ef691a8c1eca388bc9814ce8d8dcb925f053d25a85793a6e41b2d9a2ceedb6fb20e6817ce04e6c3f6aa67d3c6add3f25f3abe41500f7ea3f8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
931B

MD5
4cdaa97d2481e517f649e88e129a7ded

SHA1
7f71a92aec743ff41871e6fdc91edbcfc8b19560

SHA256
a8ca1f798b10922afa19ec37de0e7350051afc46798cf88db2b5bae232a93f88

SHA512
29694f87e5286e98be6f20bd8aeafbf9e96ac2a3371a15802c6a17349b5057cb6c02639c8b5308b99da4ff702b41f6153a3dba9c5709523daa9b68f6e960b309

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
db1170ef7f31640a02bc057067d6a18c

SHA1
2a2aec1f8e5bceac132873a3b3bc51962574a2ec

SHA256
f9a7cd606d8346ea6324507c8a271ea7b3003e10523923f6f389cf7da20d30ef

SHA512
7d7fc6a5118fdbd89f97f851936dc67adef8dfc935a6414ecaca933676d5e847d5df9b289863f765e951da3ce2d8a4a7ecb7fcf196b85a0d94b4a0662ee4bf3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c7b5d30d0589f68dd4372f0b2b9f10ce

SHA1
0ad671878b833c41fe13a0392e92b16bf178e072

SHA256
f87bfc5df35c4e3eb124e87f6a5adb504c1fa7534ba5e5701cde4f2d3951e83f

SHA512
ebd78be202744a94d4596b819fd56af64ebc2b854aecf5ce0f694f5964a50e2b6f85d8c3d56a4528fe45b9f269d54e8ebade95033089ad0ee3f5871c66f85761

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3fc5161cf84f2eac10278ec0738340f7

SHA1
75aa17c01222698f07bf5e9a491ef88d031051f4

SHA256
fde2cd5379bcace0ebaba7ceb09387fa92bf973694e6c6218b0c4f39506bb957

SHA512
d38450dda436b461a67077f7ac72a939a5ada8c9316414887909a3dcea7751b7ccf5588d29b8fb85c37ed10e7593e207e1e90d8d02fb2dfdb362338816fc5451

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
34a9e6531e3c707e96f7cc93104a05b1

SHA1
6eb001e34923dd91c356c5969890466ad9ba0cc9

SHA256
7492c74e12c0683aed82ac6ff6836f37e249f6db97800a456cd7336162e43f21

SHA512
67f751362067f7f07c76d13104f5e60668e3b45dd414be7a2571086ef2dbe768b6a8e97e985ff7171f0f3e8eb37a64abcf6ffd13a6aa249fa4c02d8e43653b04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
35a388503a07b4370441afaa13836c13

SHA1
b58c839b06efdbe30922b6f09e19dfb6fbcddb96

SHA256
35ed48bffc1650c672065c727eefc8d205abcbf93b6eb8753f79872f5f151d6a

SHA512
51276df66eb02ad6a4c0d677596c8f4527ff525296f74a3edcb5effb8c67c237269c82232bda8907e59bed484e2a8435ae574404539118a743a38fb30b44d46f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
b6e29b58d3dff66b5b6308c791c339b7

SHA1
5e64661e75c156c29aeb1c2c03f97d825fa56307

SHA256
4d95204842dfbfb6e33f4cb9c9962163579ac711091c136bba6864531e2952a6

SHA512
3a9c921a32e5a0ac9c76d6188dd9e83f0e1506f5c957724fe2ddab4fd7837cc7b40b53ac4c1840b6d9941143526bc5b5174ec74af3a413fb9aef9ecab7a6f6b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
7b3adb0d44ff9a1cfda2a0eef750e2ff

SHA1
17a890779f6a3ea9b1f9adbbd34044a6624ad5b5

SHA256
d4f7794cfa83499b8930d6a75ff48246270588e9985ca4ad65337fe7b80e4db2

SHA512
9f124c89aca4cadfa425a7bca6a904b139c3397b121ecf49f8b14e62c5200765e09749fbad481c6bbf89e1ef3525e129c7941dd96f10c8062a7844a7bbaf6e42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
df2a388147f2ace3bd1f4f33c1a9fb1f

SHA1
edf15d7edbb30cf299ccee84ee8d8274cf61210b

SHA256
567611b3181569a718463eb583b78cbd55ce13bff9ac9a3cdf36ae16dd34314a

SHA512
92eaaa9c36b5f3f9f15d4e45c4722ede1b7e736d64c3cd05bae033d2f1d7e24c4afb206f50d8fefbe7765e7b97bcecac050263080c8f55b5b47f366fbd5c8776

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
73f7bc1eda11b90a0f8d3384a8289f0e

SHA1
1f7100bc817cc34a75ec85004e9b3757fc366341

SHA256
89097b82de5a677931d212738cb986139fd6625adb5990417e8926997f638572

SHA512
998f4e93f0a0347e3a23ceac17dbb87a7978ee9b1dc30a30b80f01a51e7f993a9f34747f5c61ddf5a7a74ac5f09fd936c351fc3abe6cba6c2fe9f84b7b651893

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d1a30b870d73619764c27fb395a10bb7

SHA1
2b0e80d5ec67a7369336af92c3a962f77b1c88f3

SHA256
e81066fdd763356ed8239324bd82b98ba488b9dbed834e465b19442e93c274c6

SHA512
706ed81845d4d4b869181d4c51b13013105eee239fd2a2fe207c42e9dcca4cd0da1dc35b02b7c5cf0ec3161fb61f5bc4839daef6d0f8e22c1b2fa28e3f1bfaa4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57e86c.TMP

Filesize
1KB

MD5
05b79e5b9272aa60916dc573da670446

SHA1
eaf65c1d7e318642eb19af7eeec5a38ea169952c

SHA256
9e2bb45d05b0c89b74200315c89c16aded175cb480a2955b14d430d81f761d07

SHA512
7e4acc5fd5b29aa1b8533334fabb4c9f859ff5484ad195bec0621ac411a4fbdf87fc49c4a6eb766c6688b52a92ce7f02e40e8cfe60d8c5898bede7f9e093bb65

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

Filesize
76KB

MD5
99d42eb13167ea387b23037f27ef44c3

SHA1
6945be637dbfc9caa9d4379f6c666301efed2107

SHA256
8ee4b948de4d5527e1d6dc49776df5f9dd6ae70e1616bfdfa4674c1c38b3282a

SHA512
c8ab161c58d51cb661e934e1bcc5829402efff6757dfde6c0b6fafe809c3e158ea14b65192905553527910e2df5932794c9d178b63f210730205487eea641467

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a42ed00255b1ad779f2c9468e2c08a5f

SHA1
9606dfcdafb702e6146e39c9375a188897fbdb2d

SHA256
4d09470f51ebdfbdfdb298a6fd3460c35fe1d31e5460d346d42b64309e0f7564

SHA512
c49bbeb4c3166dbd760a1fca0ca353d3a479387cfcddae4c1512120815039cf4f568c51f54ae9c70a74638c74e170e183d43fbb03143416b46ef2ad743706e7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
d65e48d079af2d61b884c0116d0dc9f8

SHA1
ea355e22173947325a70e529b53b22991beae217

SHA256
28d283a861f56b693b839c20a267d1f120ad1498c66ed13cc9dc20c0d68ae8d4

SHA512
bc92548d04af40e3a4c8f4285f6ff77d3bff9cb278a54082cb604fd807a56fc45f67a1e7576c35cd22db00658a7443802539e4e53f56eb18c6fa3040b3856536

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
85a1ec0295f2744f5be0093aabcfe285

SHA1
b7f78dd5ba3c6693c8ed60862734cdaf793c823a

SHA256
ae8243957c4b07afba60e9184de6a45b585b4e8358897176e2bf56d024474899

SHA512
0e6c0cc9e79366f83502c736a1852cbd55e88559133b050fe7aae5e3092ad2a0054c0f4fa5715ebf600b069a6d6452312556451c1737227e77295d34fb51ed91

Download Submit
C:\Users\Admin\Downloads\!Please Read Me!.txt

Filesize
797B

MD5
afa18cf4aa2660392111763fb93a8c3d

SHA1
c219a3654a5f41ce535a09f2a188a464c3f5baf5

SHA256
227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0

SHA512
4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b

Download Submit
C:\Users\Admin\Downloads\!WannaDecryptor!.exe.lnk

Filesize
590B

MD5
3b630143441788a663488eb4f1abf56d

SHA1
09638a475a237335df8a847e20a3b814d154460a

SHA256
44fde319d7431df8f76efa7fe5f1bcb24af6eb5f8c3882ee850038ef11bc41d0

SHA512
a01bf43b27a101d1f6d0cb26e40d0777af7fb574564fc73ad5655c7fa0f821a44b2d731d062ae9e7b734133945793114d74a689421bcf1d57ae7c6a40281e31b

Download Submit
C:\Users\Admin\Downloads\00000000.res

Filesize
136B

MD5
dd7bb0b6cf2c8c263c8b07514388d933

SHA1
0d7eea839ade89eb8d3adad35a93124f68687da5

SHA256
c0ade44358cc056cbf09ba307c3f15f5d71513e1bb73f81708f455f3a6903fc7

SHA512
5822cfaac7694e25be1d8a731c552662350294c728b98fd9aeb7d9f2320167a50b088f72799bd0c3c77f6e11ef4b8e8abdb711d6f06854a49a5e607aa99f966e

Download Submit
C:\Users\Admin\Downloads\00000000.res

Filesize
136B

MD5
d1f69a372ac8b86f19d67a2ef7285b3a

SHA1
5d16fa5dd0397d0e2ee346063a31ace2613cbd74

SHA256
ba6365a38c93e7ad4b144aa5ea91ab6a62a810b4e29b7c95079668348c01928e

SHA512
96b68491130b4412b134d6706354d36a90d825ad345062ed8366b43660c5e7dbe0459862794ac61380737aa50c16f7627e3813b1e1be83f797c53640ef3b7e48

Download Submit
C:\Users\Admin\Downloads\00000000.res

Filesize
136B

MD5
d6b5baa8c8db58542dd6d033c98fdae8

SHA1
16dabf07311d4b7516ab836fb2297455269931be

SHA256
2d5c1a510c302c142513841e97b5a28a3198936d4ae031387b8d77abc476f77f

SHA512
89556d173dff4046f250659c7b079b2a0241736be7239c6e84d19cd3ff69e82470f04bf913fb671b40f85e178252fa7468c8ce918a87bf4d9cef9e311903af9d

Download Submit
C:\Users\Admin\Downloads\291851728949256.bat

Filesize
318B

MD5
a261428b490a45438c0d55781a9c6e75

SHA1
e9eefce11cefcbb7e5168bfb8de8a3c3ac45c41e

SHA256
4288d655b7de7537d7ea13fdeb1ba19760bcaf04384cd68619d9e5edb5e31f44

SHA512
304887938520ffcc6966da83596ccc8688b7eace9572982c224f3fb9c59e6fb2dcaa021a19d2aae47346e954c0d0d8145c723b7143dece11ac7261dc41ba3d40

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 233783.crdownload

Filesize
224KB

MD5
5c7fb0927db37372da25f270708103a2

SHA1
120ed9279d85cbfa56e5b7779ffa7162074f7a29

SHA256
be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844

SHA512
a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f89224c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206

Download Submit
C:\Users\Admin\Downloads\WannaCry.exe:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
C:\Users\Admin\Downloads\c.vbs

Filesize
201B

MD5
02b937ceef5da308c5689fcdb3fb12e9

SHA1
fa5490ea513c1b0ee01038c18cb641a51f459507

SHA256
5d57b86aeb52be824875008a6444daf919717408ec45aff4640b5e64610666f1

SHA512
843eeae13ac5fdc216b14e40534543c283ecb2b6c31503aba2d25ddd215df19105892e43cf618848742de9c13687d21e8c834eff3f2b69a26df2509a6f992653

Download Submit
C:\Users\Admin\Downloads\c.wry

Filesize
628B

MD5
e5597e7387a34c8c21fb5fed5cd9b301

SHA1
0e6d9cb09a1bf59b5228e73bf31bc865478ceac2

SHA256
826d97991cd33f0c19c7b80b1fb04de85d8640cf51859c9e7c342a4ef5555021

SHA512
13381943ec171d302ad6d79794b9fdb61a6fb724aa7547a6dac204942d3848507df52928f24ab848d5dea9e9b4a0d3ea46a8a45736cbf0daa99e38cae1fd4970

Download Submit
C:\Users\Admin\Downloads\m.wry

Filesize
42KB

MD5
980b08bac152aff3f9b0136b616affa5

SHA1
2a9c9601ea038f790cc29379c79407356a3d25a3

SHA256
402046ada270528c9ac38bbfa0152836fe30fb8e12192354e53b8397421430d9

SHA512
100cda1f795781042b012498afd783fd6ff03b0068dbd07b2c2e163cd95e6c6e00755ce16b02b017693c9febc149ed02df9df9b607e2b9cca4b07e5bd420f496

Download Submit
C:\Users\Admin\Downloads\r.wry

Filesize
729B

MD5
880e6a619106b3def7e1255f67cb8099

SHA1
8b3a90b2103a92d9facbfb1f64cb0841d97b4de7

SHA256
c9e9dc06f500ae39bfeb4671233cc97bb6dab58d97bb94aba4a2e0e509418d35

SHA512
c35ca30e0131ae4ee3429610ce4914a36b681d2c406f67816f725aa336969c2996347268cb3d19c22abaa4e2740ae86f4210b872610a38b4fa09ee80fcf36243

Download Submit
C:\Users\Admin\Downloads\t.wry

Filesize
68KB

MD5
5557ee73699322602d9ae8294e64ce10

SHA1
1759643cf8bfd0fb8447fd31c5b616397c27be96

SHA256
a7dd727b4e0707026186fcab24ff922da50368e1a4825350bd9c4828c739a825

SHA512
77740de21603fe5dbb0d9971e18ec438a9df7aaa5cea6bd6ef5410e0ab38a06ce77fbaeb8fc68e0177323e6f21d0cee9410e21b7e77e8d60cc17f7d93fdb3d5e

Download Submit
C:\Users\Admin\Downloads\u.wry

Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
memory/4116-754-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download