wannacry | 6d0b760cfe0b66dfb3b535f9571183913389ad88719adaff630d9c04fd4f36fc

Analysis

max time kernel
447s
max time network
439s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2024 13:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

mtksecbypass_v12.exe
Size

19.7MB
MD5

978ce2baacdc4a4d370d2cad1014641d
SHA1

524b43651a20a3a5da3f6c6bc7a12f2caa17feef
SHA256

6d0b760cfe0b66dfb3b535f9571183913389ad88719adaff630d9c04fd4f36fc
SHA512

ec7bc18eedd235e473469864c61a48a6cf59402235235fa37f96ecfd2f48b21cba0812183b3b70d4c615f80451a30247f0ee0cdc0c12ea559d0b7ad224aff790
SSDEEP

393216:vzmS2D1u1e3CL3rbg2cXXO5e3O/U4DW2rJJsv6tWKFdu9CJZdi:75I4Vbg2cu5D/U4DhrLZc

Score

10^/10

wannacry defense_evasion discovery execution impact persistence ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\!Please Read Me!.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions! �

Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Wannacry family
wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Downloads MZ/PE file

Drops startup file 2 IoCs

Processes:

WannaCry.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDFA23.tmp	WannaCry.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDFA3A.tmp	WannaCry.exe

Executes dropped EXE 5 IoCs

Processes:

WannaCry.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe

pid	Process
4620	WannaCry.exe
4612	!WannaDecryptor!.exe
2064	!WannaDecryptor!.exe
4232	!WannaDecryptor!.exe
5076	!WannaDecryptor!.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

WannaCry.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\Downloads\\WannaCry.exe\" /r"	WannaCry.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

Processes:

flow	ioc
106	raw.githubusercontent.com
107	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

!WannaDecryptor!.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp"	!WannaDecryptor!.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exe!WannaDecryptor!.exetaskkill.exetaskkill.exe!WannaDecryptor!.exeWannaCry.execmd.exe!WannaDecryptor!.exeWMIC.exemtksecbypass_v12.execmd.exetaskkill.exetaskkill.execscript.exe!WannaDecryptor!.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mtksecbypass_v12.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 4 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	Process
1328	taskkill.exe
3420	taskkill.exe
5100	taskkill.exe
3136	taskkill.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	msedge.exe

NTFS ADS 1 IoCs

Processes:

msedge.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 475060.crdownload:SmartScreen	msedge.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

mtksecbypass_v12.exe

pid	Process
2804	mtksecbypass_v12.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exe

pid	Process
3116	msedge.exe
3116	msedge.exe
4036	msedge.exe
4036	msedge.exe
1648	identity_helper.exe
1648	identity_helper.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
3652	msedge.exe
2248	msedge.exe
2248	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

mtksecbypass_v12.exe!WannaDecryptor!.exe

pid	Process
2804	mtksecbypass_v12.exe
5076	!WannaDecryptor!.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

Processes:

msedge.exe

pid	Process
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exeWMIC.exevssvc.exe

description	pid	Process
Token: SeDebugPrivilege	1328	taskkill.exe
Token: SeDebugPrivilege	5100	taskkill.exe
Token: SeDebugPrivilege	3136	taskkill.exe
Token: SeDebugPrivilege	3420	taskkill.exe
Token: SeIncreaseQuotaPrivilege	3084	WMIC.exe
Token: SeSecurityPrivilege	3084	WMIC.exe
Token: SeTakeOwnershipPrivilege	3084	WMIC.exe
Token: SeLoadDriverPrivilege	3084	WMIC.exe
Token: SeSystemProfilePrivilege	3084	WMIC.exe
Token: SeSystemtimePrivilege	3084	WMIC.exe
Token: SeProfSingleProcessPrivilege	3084	WMIC.exe
Token: SeIncBasePriorityPrivilege	3084	WMIC.exe
Token: SeCreatePagefilePrivilege	3084	WMIC.exe
Token: SeBackupPrivilege	3084	WMIC.exe
Token: SeRestorePrivilege	3084	WMIC.exe
Token: SeShutdownPrivilege	3084	WMIC.exe
Token: SeDebugPrivilege	3084	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3084	WMIC.exe
Token: SeRemoteShutdownPrivilege	3084	WMIC.exe
Token: SeUndockPrivilege	3084	WMIC.exe
Token: SeManageVolumePrivilege	3084	WMIC.exe
Token: 33	3084	WMIC.exe
Token: 34	3084	WMIC.exe
Token: 35	3084	WMIC.exe
Token: 36	3084	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3084	WMIC.exe
Token: SeSecurityPrivilege	3084	WMIC.exe
Token: SeTakeOwnershipPrivilege	3084	WMIC.exe
Token: SeLoadDriverPrivilege	3084	WMIC.exe
Token: SeSystemProfilePrivilege	3084	WMIC.exe
Token: SeSystemtimePrivilege	3084	WMIC.exe
Token: SeProfSingleProcessPrivilege	3084	WMIC.exe
Token: SeIncBasePriorityPrivilege	3084	WMIC.exe
Token: SeCreatePagefilePrivilege	3084	WMIC.exe
Token: SeBackupPrivilege	3084	WMIC.exe
Token: SeRestorePrivilege	3084	WMIC.exe
Token: SeShutdownPrivilege	3084	WMIC.exe
Token: SeDebugPrivilege	3084	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3084	WMIC.exe
Token: SeRemoteShutdownPrivilege	3084	WMIC.exe
Token: SeUndockPrivilege	3084	WMIC.exe
Token: SeManageVolumePrivilege	3084	WMIC.exe
Token: 33	3084	WMIC.exe
Token: 34	3084	WMIC.exe
Token: 35	3084	WMIC.exe
Token: 36	3084	WMIC.exe
Token: SeBackupPrivilege	348	vssvc.exe
Token: SeRestorePrivilege	348	vssvc.exe
Token: SeAuditPrivilege	348	vssvc.exe

Suspicious use of FindShellTrayWindow 38 IoCs

Processes:

msedge.exe!WannaDecryptor!.exe

pid	Process
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
5076	!WannaDecryptor!.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	Process
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe

Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

mtksecbypass_v12.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe

pid	Process
2804	mtksecbypass_v12.exe
4612	!WannaDecryptor!.exe
4612	!WannaDecryptor!.exe
2064	!WannaDecryptor!.exe
2064	!WannaDecryptor!.exe
4232	!WannaDecryptor!.exe
4232	!WannaDecryptor!.exe
5076	!WannaDecryptor!.exe
5076	!WannaDecryptor!.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	Process	procid_target
PID 4036 wrote to memory of 5008	4036	msedge.exe	104
PID 4036 wrote to memory of 5008	4036	msedge.exe	104
PID 4036 wrote to memory of 3548	4036	msedge.exe	105
PID 4036 wrote to memory of 3548	4036	msedge.exe	105
PID 4036 wrote to memory of 3548	4036	msedge.exe	105
PID 4036 wrote to memory of 3548	4036	msedge.exe	105
PID 4036 wrote to memory of 3548	4036	msedge.exe	105
PID 4036 wrote to memory of 3548	4036	msedge.exe	105
PID 4036 wrote to memory of 3548	4036	msedge.exe	105
PID 4036 wrote to memory of 3548	4036	msedge.exe	105
PID 4036 wrote to memory of 3548	4036	msedge.exe	105
PID 4036 wrote to memory of 3548	4036	msedge.exe	105
PID 4036 wrote to memory of 3548	4036	msedge.exe	105
PID 4036 wrote to memory of 3548	4036	msedge.exe	105
PID 4036 wrote to memory of 3548	4036	msedge.exe	105
PID 4036 wrote to memory of 3548	4036	msedge.exe	105
PID 4036 wrote to memory of 3548	4036	msedge.exe	105
PID 4036 wrote to memory of 3548	4036	msedge.exe	105
PID 4036 wrote to memory of 3548	4036	msedge.exe	105
PID 4036 wrote to memory of 3548	4036	msedge.exe	105
PID 4036 wrote to memory of 3548	4036	msedge.exe	105
PID 4036 wrote to memory of 3548	4036	msedge.exe	105
PID 4036 wrote to memory of 3548	4036	msedge.exe	105
PID 4036 wrote to memory of 3548	4036	msedge.exe	105
PID 4036 wrote to memory of 3548	4036	msedge.exe	105
PID 4036 wrote to memory of 3548	4036	msedge.exe	105
PID 4036 wrote to memory of 3548	4036	msedge.exe	105
PID 4036 wrote to memory of 3548	4036	msedge.exe	105
PID 4036 wrote to memory of 3548	4036	msedge.exe	105
PID 4036 wrote to memory of 3548	4036	msedge.exe	105
PID 4036 wrote to memory of 3548	4036	msedge.exe	105
PID 4036 wrote to memory of 3548	4036	msedge.exe	105
PID 4036 wrote to memory of 3548	4036	msedge.exe	105
PID 4036 wrote to memory of 3548	4036	msedge.exe	105
PID 4036 wrote to memory of 3548	4036	msedge.exe	105
PID 4036 wrote to memory of 3548	4036	msedge.exe	105
PID 4036 wrote to memory of 3548	4036	msedge.exe	105
PID 4036 wrote to memory of 3548	4036	msedge.exe	105
PID 4036 wrote to memory of 3548	4036	msedge.exe	105
PID 4036 wrote to memory of 3548	4036	msedge.exe	105
PID 4036 wrote to memory of 3548	4036	msedge.exe	105
PID 4036 wrote to memory of 3548	4036	msedge.exe	105
PID 4036 wrote to memory of 3116	4036	msedge.exe	106
PID 4036 wrote to memory of 3116	4036	msedge.exe	106
PID 4036 wrote to memory of 1624	4036	msedge.exe	107
PID 4036 wrote to memory of 1624	4036	msedge.exe	107
PID 4036 wrote to memory of 1624	4036	msedge.exe	107
PID 4036 wrote to memory of 1624	4036	msedge.exe	107
PID 4036 wrote to memory of 1624	4036	msedge.exe	107
PID 4036 wrote to memory of 1624	4036	msedge.exe	107
PID 4036 wrote to memory of 1624	4036	msedge.exe	107
PID 4036 wrote to memory of 1624	4036	msedge.exe	107
PID 4036 wrote to memory of 1624	4036	msedge.exe	107
PID 4036 wrote to memory of 1624	4036	msedge.exe	107
PID 4036 wrote to memory of 1624	4036	msedge.exe	107
PID 4036 wrote to memory of 1624	4036	msedge.exe	107
PID 4036 wrote to memory of 1624	4036	msedge.exe	107
PID 4036 wrote to memory of 1624	4036	msedge.exe	107
PID 4036 wrote to memory of 1624	4036	msedge.exe	107
PID 4036 wrote to memory of 1624	4036	msedge.exe	107
PID 4036 wrote to memory of 1624	4036	msedge.exe	107
PID 4036 wrote to memory of 1624	4036	msedge.exe	107
PID 4036 wrote to memory of 1624	4036	msedge.exe	107
PID 4036 wrote to memory of 1624	4036	msedge.exe	107

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\mtksecbypass_v12.exe
"C:\Users\Admin\AppData\Local\Temp\mtksecbypass_v12.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2804

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffcd2a646f8,0x7ffcd2a64708,0x7ffcd2a64718
  2⤵
  PID:5008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2200,14609329433466043385,15459856697090388492,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2204 /prefetch:2
  2⤵
  PID:3548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2200,14609329433466043385,15459856697090388492,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2200,14609329433466043385,15459856697090388492,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2804 /prefetch:8
  2⤵
  PID:1624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,14609329433466043385,15459856697090388492,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
  2⤵
  PID:4500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,14609329433466043385,15459856697090388492,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1
  2⤵
  PID:3764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,14609329433466043385,15459856697090388492,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:1
  2⤵
  PID:4452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,14609329433466043385,15459856697090388492,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5040 /prefetch:1
  2⤵
  PID:3944
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2200,14609329433466043385,15459856697090388492,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3652 /prefetch:8
  2⤵
  PID:4448
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2200,14609329433466043385,15459856697090388492,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3652 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,14609329433466043385,15459856697090388492,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:1
  2⤵
  PID:1088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,14609329433466043385,15459856697090388492,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:1
  2⤵
  PID:2936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,14609329433466043385,15459856697090388492,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5080 /prefetch:1
  2⤵
  PID:1060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,14609329433466043385,15459856697090388492,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5116 /prefetch:1
  2⤵
  PID:4708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,14609329433466043385,15459856697090388492,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4272 /prefetch:1
  2⤵
  PID:348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,14609329433466043385,15459856697090388492,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5780 /prefetch:1
  2⤵
  PID:824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,14609329433466043385,15459856697090388492,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5936 /prefetch:1
  2⤵
  PID:1264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,14609329433466043385,15459856697090388492,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4336 /prefetch:1
  2⤵
  PID:3432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2200,14609329433466043385,15459856697090388492,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4456 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2200,14609329433466043385,15459856697090388492,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=1968 /prefetch:8
  2⤵
  PID:1384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,14609329433466043385,15459856697090388492,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3652 /prefetch:1
  2⤵
  PID:512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2200,14609329433466043385,15459856697090388492,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6428 /prefetch:8
  2⤵
  PID:2680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2200,14609329433466043385,15459856697090388492,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6172 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2248
- C:\Users\Admin\Downloads\WannaCry.exe
  "C:\Users\Admin\Downloads\WannaCry.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:4620
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 111431732455185.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4492
  - - C:\Windows\SysWOW64\cscript.exe
      cscript //nologo c.vbs
      4⤵
      System Location Discovery: System Language Discovery
      PID:4184
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe f
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4612
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im MSExchange*
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1328
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Microsoft.Exchange.*
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5100
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sqlserver.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3420
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sqlwriter.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3136
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe c
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2064
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c start /b !WannaDecryptor!.exe v
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4400
  - - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
      !WannaDecryptor!.exe v
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:4232
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1956
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3084
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe
    3⤵
    - Executes dropped EXE
    - Sets desktop wallpaper using registry
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:5076

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4352

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3068

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1128

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\!Please Read Me!.txt
1⤵
PID:1948

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:348

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\!Please Read Me!.txt
1⤵
PID:4856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.82.1_0\service_worker_bin_prod.js.WCRY

Filesize
102KB

MD5
020d5ad6f34b1cc437cabada753fbcf2

SHA1
910dccee121f3f6b12fe8165ba4a81858e601319

SHA256
421b2259083e581a6c5fd180d830774bc7105573efb4602526ffe334adaec496

SHA512
8552a73d2709e909f32456ac440f9945113fb701c40b17ccbb6a9ce22b347d4a694f3a01ef5ac0a781640ee16a38643410648f5886c118b29b1e70899083c78e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
99afa4934d1e3c56bbce114b356e8a99

SHA1
3f0e7a1a28d9d9c06b6663df5d83a65c84d52581

SHA256
08e098bb97fd91d815469cdfd5568607a3feca61f18b6b5b9c11b531fde206c8

SHA512
76686f30ed68144cf943b80ac10b52c74eee84f197cee3c24ef7845ef44bdb5586b6e530824543deeed59417205ac0e2559808bcb46450504106ac8f4c95b9da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
443a627d539ca4eab732bad0cbe7332b

SHA1
86b18b906a1acd2a22f4b2c78ac3564c394a9569

SHA256
1e1ad9dce141f5f17ea07c7e9c2a65e707c9943f172b9134b0daf9eef25f0dc9

SHA512
923b86d75a565c91250110162ce13dd3ef3f6bdde1a83f7af235ed302d4a96b8c9ed722e2152781e699dfcb26bb98afc73f5adb298f8fd673f14c9f28b5f764d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
73f8d378621350ce9879f48155e7e5d5

SHA1
36c789f7f3d3c76381a368533d4450fec7bc90bc

SHA256
e41e4514fe8845ab4190d5d07922c45a91b8dfcd0f0cb8de8baf35f82135fc3d

SHA512
f5f985edc6a3e524b60f2fb727465dc9d14f59cdb745c26cb4b5ff6ad0bdc27bc09efcc664f8a8b9e208bfe09a63c281c179e6ac0bc986231d685e3dd7314e7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
788B

MD5
ca2157fbd6a51e2f13eebf141c428f6c

SHA1
0201b423a081fa44c5661bb955cba14446507951

SHA256
8364ea9faad508f262e1f049412f2472fac8336cc72a72ed110a00217b9f6a3b

SHA512
27513301758b603df23d547d6f8a7c78b4540db5983d8e9ed2366414485a596a03e2257034329e2e9042ac1d93a4bca30c87fb965a999a04999a11a454e4b7be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
e28add73ffb5e9916d5aff69f11bbaae

SHA1
82102bcd38c28ad5c17ed98c980dd35c52cf3c12

SHA256
39ae6e6f6a666a5beec4da35719eada28d13fb2638bac86586674f7e3c20d0f3

SHA512
cb1cdda658f13c222171b7eba5206ed0e11d31a022e3f355e7e046e8191fe9971d180ca3b8358e64540abd1263a32012bf827ec6662a2be97a768860e6f48041

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
df1449fc3e71d3433f8971c12adba8e9

SHA1
6d44f2f2a781cc8813f5029e98406c55ba8f3b96

SHA256
0fd798bebd97e36d6f4b1f76c12ac32d84c889eef3038ea11a4860cea60356ba

SHA512
f88bb190ecffd379e931cee930425e05ccb7e89af08f83dbb9a3662e546183c5fea3e72b7db271c8c55471b82164ec204e7a75362c8c010de50f9e2aab46b6fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
5ecdc0de37df775f89bedeb0636cc5d4

SHA1
ca02f179eb872e89332ca2a17559a378c271220e

SHA256
f21b6738c13c0f1a6b80f4d7cadf3799b6b6962c5db40314321ab8f70540c63f

SHA512
cb9cbf36e5adeaf4b106f9a2e1217056555a9388a612b0f2f24db52b74655b33c2874ad2f39a642f580f4ccfaa502d066d283281db40e84703d5ab1b0b8dfbb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b9e3d1d63a691805a9e2eb7c6bb91c46

SHA1
d82751e3bf532bc2087a872b0474fa96b453fae5

SHA256
2c29334d2cd02997e05b37461032fb846f53f8fb8895ae359834260006f3e0fd

SHA512
6e9091012a7e59af66bc62c0d11a6e4cd2ac7829d57708db4fa47af54fd2a00f23bddbbce7aa293aa0d29b3a71ab0393c4a3a556c3dfb3dda9dfa716d14f006f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0d6f1f23eba530d3dbee2763cff20f35

SHA1
156f6eb51086d2bf5f25a3f974b901378f009f3a

SHA256
60490cd6b70e322e059cf0cc59725bb48f250ebef53a179c6b0d8b1703e73fc3

SHA512
828ce505dd932be52d5b6a8a2cbddd685e7c9ad0fe79fab4aa66d931c8b15e6c0308d426f6aeb7c8afd7ab867c6e6798f4a6a8e634a7228be5c34bcd4f067b7d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
be1c33065845f56f217991ce966dac9c

SHA1
592e66a46f65021623e897c7e5596240e18a4eb5

SHA256
4281602b6ca43f4a68d563fa85747557696b1dcfa2c126b09d28a51074ffc652

SHA512
ab3f5d8b7ea74efae773b42978931f432f4b1ee31cf02f4558f975d897154bed649ed987e2beb186e65a7b0bc0858cc74bab7e4e5e546d7e7eca27329a9bba0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b2d16dd51af874529a0990fa2d9528cd

SHA1
8db5f55dfaf813becba8f25fc3e717df0fe1c367

SHA256
6357120d82633c10a75cadd9823380909e5ffc890c7d7cf844d69cdbb43899c9

SHA512
b45c1eb23eac52d041f338b3f8952d5a7d3f4ae593ed9d9170916ab0c784bf4c9bc0b82ddbba1bed112ce5a04e20a9524984e33a020590d7107b4b9bef6a7196

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8315f81dc1f2b4e31dadeab9c7c1304e

SHA1
3cc4c40697b09025fcc223c374716912b2ab3d8c

SHA256
13b0ddac8e21577fb1ed473570689c86f490f3fa8f50861c832076a9e387e41a

SHA512
1416061c1b05efc7f383fb83414816b30f47ca54941482f73b766b30196b275237366005a61e7439b70265fb93fdbb25fca4c4204a0a514b24d233b6b4f0177d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
a6258628943039381974cbad735f55b1

SHA1
99bc111ad687d4e6e02dacfaaac94bf9b1901b34

SHA256
f0eb99b2c5cba392887773d4fda287197cc45d08ba9f47f34462629cf29e6cad

SHA512
ba75b2334eb0fd1140a525689d58aaf0c0097543e9aab23c9c6351ecb255b68c23264080843c052798928c7ef649a83988f01c1513e1eecc74dcb05fd193e41c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
70e9fc1ed33504d7c8f8d7ff6a17c502

SHA1
a105cff7ce5309c371db11534d7fd46e0e62f8e1

SHA256
686d4b240f37328d7410c4f5e67ac6948624c56460364345eeccdcb0f27d0d84

SHA512
b0a6cfb814a699656e9f76eecb92d207442c442fd5a66c800c6a11669c2003cf8d1f593e87c33864ad712b02ba7a874a54284782109a09bfb14755da28607d4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
8df13915cfd2432f466b7fd68e945aca

SHA1
c07a8e130ccbe6b9a72b25ee54dc9717b1c87968

SHA256
aa70921431c2885862a97bbc426c12ec287ed0dcb4dae26ccf1626c13046f75a

SHA512
9ee135dfdb372871b3ee06894ac04b467c342781eb5239e3068b056cc423c892ab9ad60381b71ef53d7e9f32f3218550e41cbf5584ca5217b5ca2c5d0e7c62ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2c598d385f4a169cd342603622fa835d

SHA1
1fee8d536e1c46694aea35061dcfd7ae6fc1b095

SHA256
018d82857552424acff4d1cc567f419397f3783c74adb8c2972e683592673aef

SHA512
19c56c7900f681f57f8d14f060b195d39185c69f42a4a0ce0291e749b3b1bc8afe221f311e797e41147fd632beec23534f2648ccdd01520b7d07f8ea9972ff3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe59387b.TMP

Filesize
536B

MD5
ff6b1ca42f86e7886524434255ce5b34

SHA1
4b30bcc7f650c24816a6d856de9ce4ad66208055

SHA256
86039f3efe0c10511c399d18e8fa23a331e48c50024bd9abdee1e388cc1c3d27

SHA512
59d8c21ab477f5c85aa6745b2b54b5e391b664cd7b2657cd27349fdfc4e8ee46e2e42dd2bc264d0cdf5d231478f919763919ce720d45763a3b5fb6876052c30d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\acb03d22-cf8a-4557-9c4d-0145063056de.tmp

Filesize
1KB

MD5
cb68d336e14387a52bb10bc5d6013bc5

SHA1
a6eaf45354798e24f89b0b5dbde9dba74df12925

SHA256
99448f198860148b7850ca490b08321d66fad830cd8c89549f8158e046c88ccb

SHA512
0a6b542b201027e48074b5eb9b76d1036f94583757ae869e0bb438b69edab5e7563e950d657bb2b6e39ee09b7df8684867a3ce91bcca0bd49de3aebb30da653c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\heavy_ad_intervention_opt_out.db

Filesize
16KB

MD5
9e02552124890dc7e040ce55841d75a4

SHA1
f4179e9e3c00378fa4ad61c94527602c70aa0ad9

SHA256
7b6e4ce73ddd8b5e7a7c4a94374ac2815d0048a5296879d7659a92ee0b425c77

SHA512
3e10237b1bff73f3bb031f108b8de18f1b3c3396d63dfee8eb2401ce650392b9417143a9ef5234831d8386fc12e232b583dd45eada3f2828b3a0a818123dd5cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
af3aa09134f8b4451de183bffd092232

SHA1
d232db59267f2c37302fb2beea08d772d5c27a0d

SHA256
20303e4af7175d704445e5736d189adc0e047abd74936afb10344a730d31bf5b

SHA512
41a95edf616040a03c03cae939f071c011728fd2c401654f63c3b1ccc4a21d2bcb65976dbc209c918f9be195221167a639b6c2ce86a89e5fed64f008bbaa19d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
fcd451d36c227440dd6b07466f4ce198

SHA1
490f36db825533f3715dca731f5736880f486097

SHA256
b5ac411ec879d0b54013f05dfda26c9df798b7388ae8afc7c1497a6b15a66bd1

SHA512
fa0ef376a8edd46c5597d28f022d008eaa63710ee5472ab806e8d98940bbc6205102eeeed321180b88c1458b315eaa26d18d4e54779c60dd4a472601bc66caba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
78539e41786e93aa93d6beac81491f20

SHA1
17f4d9e304a17e90313cfdb852f1da810a4045f8

SHA256
f7c6006ce802981c6473a6229ac5779b015562ba81b44bd8beb177f16a0662cd

SHA512
af2f97308974b1f153489941297fc12292181bcc556bb9f222416ec6430f4e7cf68c75ed52e91efd99409f720f2269bc2bcb613d37560599da937190d5488287

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\images\recycleBin.svg.WCRY

Filesize
3KB

MD5
65d37ea2a7b1e8f72e71c3bacafba8dc

SHA1
bb174dd9ff2ca739d1c7a0614e70addde87a8432

SHA256
c27786236276e23040fe2cbf3ee6b1e1ad4a75386f3fb6c1ffa52cc7a36af47f

SHA512
51ff378541381ace471d6caa9eae222cd4636f0cfbffa6ff75eb61352b9cca2c046433bb1a42ad3e33ee49a9a088b2e9efd06a57718fd6d5719c2552bc35d4b7

Download Submit
C:\Users\Admin\Downloads\!Please Read Me!.txt

Filesize
797B

MD5
afa18cf4aa2660392111763fb93a8c3d

SHA1
c219a3654a5f41ce535a09f2a188a464c3f5baf5

SHA256
227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0

SHA512
4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b

Download Submit
C:\Users\Admin\Downloads\!WannaDecryptor!.exe.lnk

Filesize
590B

MD5
21536cb15f017196dc72baae2fb4382e

SHA1
df5fd7c5af108dbf5f4bf2bb1925ae802be34202

SHA256
b8c2663617070cfc330eed2ee4cb12dc7d9b264cf87621c9bffac8112e304e9d

SHA512
78a1ee56dacbd140a5fe3385be27bd34cede9a85e1c16a0702f1b91dd9bc534735e67b2ba1a1013477aac6d71ad188f5393e4bfc6ff966a99dbeccc03773324b

Download Submit
C:\Users\Admin\Downloads\00000000.eky

Filesize
1KB

MD5
376f2c9deb41475d8abfefa182f191a3

SHA1
4d4572a188517a85130a709f9d48997a29238238

SHA256
3341b634e9339d271b9af320164c973e636d31c5b62938a0f4f7c14898dde995

SHA512
5d54f98e2a338666991db9b1a6d1e3eccb2ff2684665c5e336753205bb4f16b59e81a7e775a2ee7836598da7caec7874feec7d4de5ddf90b53a3d8cdaf539a5b

Download Submit
C:\Users\Admin\Downloads\00000000.res

Filesize
136B

MD5
54705d44d60f40c9124af7eb701f5764

SHA1
2c3301a526b6d8f386e6bcdd3fbd8c56ead12eab

SHA256
800014f449b6902d65fb22600d847133b4656e0b54c25738a50d5c171de8164e

SHA512
0a1b2d9dc0c536f39a70c9aac3fbd691c3cf0f0792529f6272af224acba78372790e3e44fc3895341fb1d90c4277e961670a29c5fb8723f8eed59650df2d6e6f

Download Submit
C:\Users\Admin\Downloads\00000000.res

Filesize
136B

MD5
877b7b3db2f1df672303d20562210bab

SHA1
b829472a4bee6021d68c236c3d3f5da6d2234c23

SHA256
b3c89f7a037310dc253abed06a43af98857c6a540d0cbd0806662e0fa4bf7fe0

SHA512
01f98b11be67ff82376aead578df03e3ee0dfa05420411f950989d86003347dd7cb992a79148ce410e6f80f2e8eb6f5f8ac5575bb1bb5f9925dcf1dad4d2bcfb

Download Submit
C:\Users\Admin\Downloads\00000000.res

Filesize
136B

MD5
1723720af50c8a7680f3c906b68e677a

SHA1
ce4a4be9e27874d484b28ae5bd888c8792c9f96b

SHA256
c4ddebd0ab19a64b769dd15229435e28623bc370cc5812743d879fca181808c2

SHA512
5f79f961672521ddee16e01a6d7e8088b25acdf96c08d1015feec53e0a2bf6153f4766d13297b624ecce7ec5a539f62251c7ef379a5313da916afeba2f899da1

Download Submit
C:\Users\Admin\Downloads\111431732455185.bat

Filesize
318B

MD5
a261428b490a45438c0d55781a9c6e75

SHA1
e9eefce11cefcbb7e5168bfb8de8a3c3ac45c41e

SHA256
4288d655b7de7537d7ea13fdeb1ba19760bcaf04384cd68619d9e5edb5e31f44

SHA512
304887938520ffcc6966da83596ccc8688b7eace9572982c224f3fb9c59e6fb2dcaa021a19d2aae47346e954c0d0d8145c723b7143dece11ac7261dc41ba3d40

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 475060.crdownload

Filesize
224KB

MD5
5c7fb0927db37372da25f270708103a2

SHA1
120ed9279d85cbfa56e5b7779ffa7162074f7a29

SHA256
be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844

SHA512
a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f89224c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206

Download Submit
C:\Users\Admin\Downloads\c.vbs

Filesize
201B

MD5
02b937ceef5da308c5689fcdb3fb12e9

SHA1
fa5490ea513c1b0ee01038c18cb641a51f459507

SHA256
5d57b86aeb52be824875008a6444daf919717408ec45aff4640b5e64610666f1

SHA512
843eeae13ac5fdc216b14e40534543c283ecb2b6c31503aba2d25ddd215df19105892e43cf618848742de9c13687d21e8c834eff3f2b69a26df2509a6f992653

Download Submit
C:\Users\Admin\Downloads\c.wry

Filesize
628B

MD5
9159f71beecbc60dcf5aec4c5a2a5977

SHA1
e952c4c5b9a89380364632ea2b668ed81d9dcd81

SHA256
b3958f58a9c969856e6455da0e4fadea8e114e82da4e55d0518392c0e9ac88fe

SHA512
9609c841c1fb17f07b007dfe786ad9e97452f8aeb579ff770dc14775b93910a4a251b32898020ed49ae183e137591318a11ebdb68f4a4b1bcf90a21116f2c685

Download Submit
C:\Users\Admin\Downloads\f.wry

Filesize
369B

MD5
c1a73c51a8153c753e1fdffb28c6e4c4

SHA1
002ea6a8df6d8d1bce810b9ac750099b2ed8b625

SHA256
44d48d317ec6a59c14909b5a93988bf70ebc5adde2ca7e7951f1bca885da1a28

SHA512
072577782699b2d3c8b2592ca1aaf69fa6cd3393c2ddba516c52246ed29aabb90e77abe45af35858238be9ae56361d6b54260e3bd447d4ef368a6f587979ef17

Download Submit
C:\Users\Admin\Downloads\m.wry

Filesize
42KB

MD5
980b08bac152aff3f9b0136b616affa5

SHA1
2a9c9601ea038f790cc29379c79407356a3d25a3

SHA256
402046ada270528c9ac38bbfa0152836fe30fb8e12192354e53b8397421430d9

SHA512
100cda1f795781042b012498afd783fd6ff03b0068dbd07b2c2e163cd95e6c6e00755ce16b02b017693c9febc149ed02df9df9b607e2b9cca4b07e5bd420f496

Download Submit
C:\Users\Admin\Downloads\u.wry

Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
C:\Users\Admin\Music\PingDisable.xlt.WCRY

Filesize
571KB

MD5
4376fd72b404fa6191ddef3d415d164b

SHA1
c2e7b19ee7cb4142e22b28ede4d94554bc3766c2

SHA256
61d98af279ae9eb26d5d17935d21b5b97322a221e2fa9adb0851a70ef5a70845

SHA512
46e8fa68f567c1f4a08c5c68dec71a7493810d241f6547a5fb17a1f35a274cf8375e3c85848a66ecbcc75e383d9b2e9fc46a50771df37a7e7ff99903bba15671

Download Submit
C:\Users\All Users\Microsoft\Windows NT\MSFax\VirtualInbox\fr-FR\WelcomeFax.tif.WCRY

Filesize
101KB

MD5
a7d4475a49974dfc94db79ad7442f425

SHA1
2be8e2b6fe584fe62bfdf37b2bd956fe38d6208a

SHA256
e19602fda90dcef96d2cfb2cb40eca7db793c49df50efc4bd3c62b6a53118fe6

SHA512
32c7351b1939b4922b2818c7ffc9bb55334fe19aac4497548c70226ad6b42b262820e600a165d2a6af4732e86c7e4cd192754e7a99150023fd73b46a21b8e4b7

Download Submit
\??\pipe\LOCAL\crashpad_4036_OWPKORYDDOMOWBDG

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2804-3-0x0000000000400000-0x00000000017BD000-memory.dmp

Filesize
19.7MB

Download
memory/2804-2-0x0000000000400000-0x00000000017BD000-memory.dmp

Filesize
19.7MB

Download
memory/2804-0-0x0000000000400000-0x00000000017BD000-memory.dmp

Filesize
19.7MB

Download
memory/4620-496-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download