wannacry | hxxps://github[.]com/Da2dalus/The-MALWARE-Repo/blob/master/Joke/WindowsUpdate[.]exe

Analysis

max time kernel
1200s
max time network
1160s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
29-11-2024 15:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Joke/WindowsUpdate.exe

Score

10^/10

wannacry aspackv2 defense_evasion discovery execution impact persistence ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\!Please Read Me!.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions! �

Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Wannacry family
wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Downloads MZ/PE file

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0007000000023c9f-164.dat	aspack_v212_v242
behavioral1/files/0x000f000000023b29-242.dat	aspack_v212_v242

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD9804.tmp	WannaCry.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD980B.tmp	WannaCry.exe

Executes dropped EXE 10 IoCs

pid	Process
4772	Flasher.exe
3584	Flasher.exe
2820	Flasher.exe
4732	Flasher.exe
5084	ScreenScrew.exe
3896	WannaCry.exe
1604	!WannaDecryptor!.exe
2548	!WannaDecryptor!.exe
3456	!WannaDecryptor!.exe
4848	!WannaDecryptor!.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\Downloads\\WannaCry.exe\" /r"	WannaCry.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
56	raw.githubusercontent.com
57	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp"	!WannaDecryptor!.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Flasher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Flasher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Flasher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Flasher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ScreenScrew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
4740	taskkill.exe
1196	taskkill.exe
1412	taskkill.exe
3492	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	msedge.exe

NTFS ADS 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 825977.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 432841.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 50906.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4736	msedge.exe
4736	msedge.exe
1884	msedge.exe
1884	msedge.exe
1720	identity_helper.exe
1720	identity_helper.exe
3024	msedge.exe
3024	msedge.exe
4360	msedge.exe
4360	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe
380	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

description	pid	Process
Token: SeDebugPrivilege	4740	taskkill.exe
Token: SeDebugPrivilege	1412	taskkill.exe
Token: SeDebugPrivilege	1196	taskkill.exe
Token: SeDebugPrivilege	3492	taskkill.exe
Token: SeIncreaseQuotaPrivilege	1568	WMIC.exe
Token: SeSecurityPrivilege	1568	WMIC.exe
Token: SeTakeOwnershipPrivilege	1568	WMIC.exe
Token: SeLoadDriverPrivilege	1568	WMIC.exe
Token: SeSystemProfilePrivilege	1568	WMIC.exe
Token: SeSystemtimePrivilege	1568	WMIC.exe
Token: SeProfSingleProcessPrivilege	1568	WMIC.exe
Token: SeIncBasePriorityPrivilege	1568	WMIC.exe
Token: SeCreatePagefilePrivilege	1568	WMIC.exe
Token: SeBackupPrivilege	1568	WMIC.exe
Token: SeRestorePrivilege	1568	WMIC.exe
Token: SeShutdownPrivilege	1568	WMIC.exe
Token: SeDebugPrivilege	1568	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1568	WMIC.exe
Token: SeRemoteShutdownPrivilege	1568	WMIC.exe
Token: SeUndockPrivilege	1568	WMIC.exe
Token: SeManageVolumePrivilege	1568	WMIC.exe
Token: 33	1568	WMIC.exe
Token: 34	1568	WMIC.exe
Token: 35	1568	WMIC.exe
Token: 36	1568	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1568	WMIC.exe
Token: SeSecurityPrivilege	1568	WMIC.exe
Token: SeTakeOwnershipPrivilege	1568	WMIC.exe
Token: SeLoadDriverPrivilege	1568	WMIC.exe
Token: SeSystemProfilePrivilege	1568	WMIC.exe
Token: SeSystemtimePrivilege	1568	WMIC.exe
Token: SeProfSingleProcessPrivilege	1568	WMIC.exe
Token: SeIncBasePriorityPrivilege	1568	WMIC.exe
Token: SeCreatePagefilePrivilege	1568	WMIC.exe
Token: SeBackupPrivilege	1568	WMIC.exe
Token: SeRestorePrivilege	1568	WMIC.exe
Token: SeShutdownPrivilege	1568	WMIC.exe
Token: SeDebugPrivilege	1568	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1568	WMIC.exe
Token: SeRemoteShutdownPrivilege	1568	WMIC.exe
Token: SeUndockPrivilege	1568	WMIC.exe
Token: SeManageVolumePrivilege	1568	WMIC.exe
Token: 33	1568	WMIC.exe
Token: 34	1568	WMIC.exe
Token: 35	1568	WMIC.exe
Token: 36	1568	WMIC.exe
Token: SeBackupPrivilege	4764	vssvc.exe
Token: SeRestorePrivilege	4764	vssvc.exe
Token: SeAuditPrivilege	4764	vssvc.exe

Suspicious use of FindShellTrayWindow 54 IoCs

pid	Process
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe
1884	msedge.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1604	!WannaDecryptor!.exe
1604	!WannaDecryptor!.exe
2548	!WannaDecryptor!.exe
2548	!WannaDecryptor!.exe
3456	!WannaDecryptor!.exe
3456	!WannaDecryptor!.exe
4848	!WannaDecryptor!.exe
4848	!WannaDecryptor!.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1884 wrote to memory of 3700	1884	msedge.exe	82
PID 1884 wrote to memory of 3700	1884	msedge.exe	82
PID 1884 wrote to memory of 856	1884	msedge.exe	83
PID 1884 wrote to memory of 856	1884	msedge.exe	83
PID 1884 wrote to memory of 856	1884	msedge.exe	83
PID 1884 wrote to memory of 856	1884	msedge.exe	83
PID 1884 wrote to memory of 856	1884	msedge.exe	83
PID 1884 wrote to memory of 856	1884	msedge.exe	83
PID 1884 wrote to memory of 856	1884	msedge.exe	83
PID 1884 wrote to memory of 856	1884	msedge.exe	83
PID 1884 wrote to memory of 856	1884	msedge.exe	83
PID 1884 wrote to memory of 856	1884	msedge.exe	83
PID 1884 wrote to memory of 856	1884	msedge.exe	83
PID 1884 wrote to memory of 856	1884	msedge.exe	83
PID 1884 wrote to memory of 856	1884	msedge.exe	83
PID 1884 wrote to memory of 856	1884	msedge.exe	83
PID 1884 wrote to memory of 856	1884	msedge.exe	83
PID 1884 wrote to memory of 856	1884	msedge.exe	83
PID 1884 wrote to memory of 856	1884	msedge.exe	83
PID 1884 wrote to memory of 856	1884	msedge.exe	83
PID 1884 wrote to memory of 856	1884	msedge.exe	83
PID 1884 wrote to memory of 856	1884	msedge.exe	83
PID 1884 wrote to memory of 856	1884	msedge.exe	83
PID 1884 wrote to memory of 856	1884	msedge.exe	83
PID 1884 wrote to memory of 856	1884	msedge.exe	83
PID 1884 wrote to memory of 856	1884	msedge.exe	83
PID 1884 wrote to memory of 856	1884	msedge.exe	83
PID 1884 wrote to memory of 856	1884	msedge.exe	83
PID 1884 wrote to memory of 856	1884	msedge.exe	83
PID 1884 wrote to memory of 856	1884	msedge.exe	83
PID 1884 wrote to memory of 856	1884	msedge.exe	83
PID 1884 wrote to memory of 856	1884	msedge.exe	83
PID 1884 wrote to memory of 856	1884	msedge.exe	83
PID 1884 wrote to memory of 856	1884	msedge.exe	83
PID 1884 wrote to memory of 856	1884	msedge.exe	83
PID 1884 wrote to memory of 856	1884	msedge.exe	83
PID 1884 wrote to memory of 856	1884	msedge.exe	83
PID 1884 wrote to memory of 856	1884	msedge.exe	83
PID 1884 wrote to memory of 856	1884	msedge.exe	83
PID 1884 wrote to memory of 856	1884	msedge.exe	83
PID 1884 wrote to memory of 856	1884	msedge.exe	83
PID 1884 wrote to memory of 856	1884	msedge.exe	83
PID 1884 wrote to memory of 4736	1884	msedge.exe	84
PID 1884 wrote to memory of 4736	1884	msedge.exe	84
PID 1884 wrote to memory of 3652	1884	msedge.exe	85
PID 1884 wrote to memory of 3652	1884	msedge.exe	85
PID 1884 wrote to memory of 3652	1884	msedge.exe	85
PID 1884 wrote to memory of 3652	1884	msedge.exe	85
PID 1884 wrote to memory of 3652	1884	msedge.exe	85
PID 1884 wrote to memory of 3652	1884	msedge.exe	85
PID 1884 wrote to memory of 3652	1884	msedge.exe	85
PID 1884 wrote to memory of 3652	1884	msedge.exe	85
PID 1884 wrote to memory of 3652	1884	msedge.exe	85
PID 1884 wrote to memory of 3652	1884	msedge.exe	85
PID 1884 wrote to memory of 3652	1884	msedge.exe	85
PID 1884 wrote to memory of 3652	1884	msedge.exe	85
PID 1884 wrote to memory of 3652	1884	msedge.exe	85
PID 1884 wrote to memory of 3652	1884	msedge.exe	85
PID 1884 wrote to memory of 3652	1884	msedge.exe	85
PID 1884 wrote to memory of 3652	1884	msedge.exe	85
PID 1884 wrote to memory of 3652	1884	msedge.exe	85
PID 1884 wrote to memory of 3652	1884	msedge.exe	85
PID 1884 wrote to memory of 3652	1884	msedge.exe	85
PID 1884 wrote to memory of 3652	1884	msedge.exe	85

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Joke/WindowsUpdate.exe
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc0a8746f8,0x7ffc0a874708,0x7ffc0a874718
  2⤵
  PID:3700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2040,5458935163290696579,12119772314857898580,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2060 /prefetch:2
  2⤵
  PID:856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2040,5458935163290696579,12119772314857898580,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2040,5458935163290696579,12119772314857898580,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2804 /prefetch:8
  2⤵
  PID:3652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,5458935163290696579,12119772314857898580,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
  2⤵
  PID:1700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,5458935163290696579,12119772314857898580,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:1832
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2040,5458935163290696579,12119772314857898580,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5380 /prefetch:8
  2⤵
  PID:404
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2040,5458935163290696579,12119772314857898580,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5380 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2040,5458935163290696579,12119772314857898580,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5068 /prefetch:8
  2⤵
  PID:3840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,5458935163290696579,12119772314857898580,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5092 /prefetch:1
  2⤵
  PID:4068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2040,5458935163290696579,12119772314857898580,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6084 /prefetch:8
  2⤵
  PID:3852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2040,5458935163290696579,12119772314857898580,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5900 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3024
- C:\Users\Admin\Downloads\Flasher.exe
  "C:\Users\Admin\Downloads\Flasher.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4772
- C:\Users\Admin\Downloads\Flasher.exe
  "C:\Users\Admin\Downloads\Flasher.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,5458935163290696579,12119772314857898580,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4592 /prefetch:1
  2⤵
  PID:1400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2040,5458935163290696579,12119772314857898580,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4868 /prefetch:8
  2⤵
  PID:4544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2040,5458935163290696579,12119772314857898580,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2368 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4360
- C:\Users\Admin\Downloads\ScreenScrew.exe
  "C:\Users\Admin\Downloads\ScreenScrew.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,5458935163290696579,12119772314857898580,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6120 /prefetch:1
  2⤵
  PID:4892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,5458935163290696579,12119772314857898580,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
  2⤵
  PID:4312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,5458935163290696579,12119772314857898580,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1892 /prefetch:1
  2⤵
  PID:5072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,5458935163290696579,12119772314857898580,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6384 /prefetch:1
  2⤵
  PID:4444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2040,5458935163290696579,12119772314857898580,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5056 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,5458935163290696579,12119772314857898580,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:1
  2⤵
  PID:3360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2040,5458935163290696579,12119772314857898580,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5380 /prefetch:8
  2⤵
  PID:3524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2040,5458935163290696579,12119772314857898580,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6304 /prefetch:8
  2⤵
  PID:5052

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3152

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1020

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1860

C:\Users\Admin\Downloads\Flasher.exe
"C:\Users\Admin\Downloads\Flasher.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2820

C:\Users\Admin\Downloads\Flasher.exe
"C:\Users\Admin\Downloads\Flasher.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4732

C:\Users\Admin\Downloads\WannaCry.exe
"C:\Users\Admin\Downloads\WannaCry.exe"
1⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:3896
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 260731732895897.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3444
- - C:\Windows\SysWOW64\cscript.exe
    cscript //nologo c.vbs
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4796
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe f
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1604
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im MSExchange*
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4740
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im Microsoft.Exchange.*
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1196
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im sqlserver.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1412
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im sqlwriter.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3492
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe c
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2548
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c start /b !WannaDecryptor!.exe v
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4900
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe v
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3456
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
      4⤵
      System Location Discovery: System Language Discovery
      PID:4984
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1568
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  2⤵
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4848

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
56a4f78e21616a6e19da57228569489b

SHA1
21bfabbfc294d5f2aa1da825c5590d760483bc76

SHA256
d036661e765ee8fd18978a2b5501e8df6b220e4bca531d9860407555294c96fb

SHA512
c2c3cd1152bb486028fe75ab3ce0d0bc9d64c4ca7eb8860ddd934b2f6e0140d2c913af4fa082b88e92a6a6d20fd483a1cb9813209f371a0f56374bc97d7f863b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e443ee4336fcf13c698b8ab5f3c173d0

SHA1
9bf70b16f03820cbe3158e1f1396b07b8ac9d75a

SHA256
79e277da2074f9467e0518f0f26ca2ba74914bee82553f935a0ccf64a0119e8b

SHA512
cbf6f6aa0ea69b47f51592296da2b7be1180e7b483c61b4d17ba9ee1a2d3345cbe0987b96f4e25de1438b553db358f330aad8a26e8522601f055c3d5a8313cdd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\0e9fe701-49f9-4bc7-b669-d31742e41798.tmp

Filesize
5KB

MD5
501f684e9909a0a15569fc0593f419e4

SHA1
bd671ed0d65d4ccbf309e76f22bbb30c622bce04

SHA256
5fed0385367d3636954ea67eb36e2cd4c4fa35e4199abd25c13bc9d40b6fb363

SHA512
14b09ea9fa40d83f9e6cce82225274bd3955fe4b3de69abf416297be2aa6ea4f79e42e0e983356b1e96eb3c9139f2020734ccd1eaebd3af2566fcb6ae3502c67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
50719bde59c65b02ba706574141a154b

SHA1
9b371bff3db9b047fcac6c9d1b66172aa758cf44

SHA256
f9b3ec7e5e3871c6df7c0e523129994f12781537348740ec407b04ee41ec6cfe

SHA512
2463539c6f223e99ff5180180214ff8feb7d39da985cddb5fed0d8b5b04ef865a898398c5d41e7f419bc8f61a840beef587cf37df329b8231d3674e2153bff07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
579B

MD5
ed5f4213c17629776cd75510648fc019

SHA1
ebfa685dca9b7c920cd5ad521c03e4ad0ce435b9

SHA256
e969795f0e63ec8a35cdf34d5bc43867ca0825bebfed9734943e69b34ed2ad87

SHA512
71bcc166ae5a48f7a79aa5de7ecc7e10dce22c39240ca9ffe9d0f9340f40fc2a2429529cfee8b2b5d7082efe94921fa7df3454852d5313ff4093bfdffc189627

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e8954ef5cf3ac4734b95a0e424aa148f

SHA1
26a93e41e2d9b76295ec1c75017015456475322d

SHA256
c2127bc00d725f888bfead7979f841a465427d5ea74b2d491b3a93119bd21f1a

SHA512
b6e02b0c7a9b7f53f00185ae441f5e9200b0ad769475067aa4837712ec52e394369656cf592362d2824308bb755a027e42f3d385af0e2dec1cc923bfaea74d7d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
42e55aace0df7c5409f377c61e2f6b42

SHA1
52dc951ad94c55f75e4ddd141aad237a88b8513e

SHA256
59d504e5b00a504ccdceb4b13c8114aa0bd56e146c6c61b53a743e772a4d1a46

SHA512
fa2bf5e1e879b555ce73fc37190605f79e87a3cc5fcfb2920cbab2508a738b1f106225da9e292f6e80d812b3339a4528d7b25ad0d223b967528ef7639748ee61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
768e108d737be96d20798c8dccf7567d

SHA1
ee65be26826007e7dd96bf230f9933198e06aeeb

SHA256
ce28c61165be6cd9fcfad810adcfb1380af3bbc95b731cfc20541c24e9c8dae0

SHA512
5447c6967704d36688010902fdc60eb3b4fe92e490d2f1b1074bd4008daa919c84f51e21ee7a8f2ee1cfc1859948a53b8e75b98d122d6bacb26c83b6e1df3740

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2858c9eb7edeb6bbc639c5ee9d063d4a

SHA1
104537e37c87228faf5b5de1337ae07a6e55155c

SHA256
614623bcbcea2a849090073cadd14c76a563089bc0d272e90c756cd6d0631a56

SHA512
8e9ee3235c4554f5b774082aa99de8060d5cbb7916e09b9b294c901fd5cd796faa867da5a6f75f849cc38d4db540e6f77cac3dd38c55e191d9a5f839ab305585

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
3bb904eb43bf6acb0e5e258f1762155d

SHA1
99d1fcad133c5a1e47818e9f5124ba62762b2800

SHA256
e1f1655d547c7053d6d41d62400be040bbf1d896f28468c753f844614d53ded5

SHA512
3ad19aa9698226b0096af8bd0311c56065eb9438f47a2731bbafd7854667d93a0fa6c0166a80b98b50fc48e2d9fdc8ac0b33ddf0f3ce84f408ccc9c810fe8a45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
eeffe9138fdff71dff81cf431f0a155c

SHA1
d07bcf6bc39ea2a8db4a1d673aa2b8c4341cdc7e

SHA256
33af13b96325c523b2c25a48e99b741a0a62684206a7b2b256b6c86ce0f00556

SHA512
1af87d93f5d57d6eb16b718d407487183fa08bce4c85c1b438792e4f248fad45d74d50fae4a39912c69185ee9817f4410c8c221155b2fa0b209f080d5a295efe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2cc4caa540db540e4eca58c49d18ecfc

SHA1
33ee9cc592193d2c09668153118b66be32e76f36

SHA256
acf7a99e567b2fcd67018d9f1b4aab7b1ae35f475a205e2398fcb64cad43c7ec

SHA512
7d9a9590244bc14fc4727df31fb2d5ec947a7c5e1d930cf6f9695c00f0b43d5afc9a237cb4bc95ddf9df8cdf13c1ff3a78bb5fce6a14ffbce356a9facd2cc180

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
8bf67000fec4ce433b9acc5e1cb29620

SHA1
523fbdfb3786a029b2c84c21d2bf3660d54ce4c2

SHA256
dc1595b3f1da1ca4246728c4c6788dc73316121079ead6c9257e523588e5a076

SHA512
8d958729d9135038cb714f9acefb8ee48f814aa942d676fb041ad3ed7ed7a5c92bfe4ababeb16ff6f1b12b50c9510027a5678ff6f7567fd57e6a7453d4efdb4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57cb5e.TMP

Filesize
874B

MD5
f3a3deefc54e332b5a1f93ed33e900ab

SHA1
64c6fa0ba268f1cb39d5c4dc8fbb1d81265d1000

SHA256
6f44c583a102a93d6af7198f663bd0f793caf7c2ccf261e02c753e853ed7ffc2

SHA512
2415af19763e2dabebccfff0d2ea451935c117043558c5877c727261a432b5af1a20f787c6d9ded9fb13bb5e06d75439045b57296505103be91703e5d15b6e9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
5eeaff03cee804d244860992c083ae43

SHA1
3518af3f1bebff9522a26c4f4a27ecbdb11da34d

SHA256
29ca50366106cf2d5c398b8cd9f9c4b8dbf83e95661d413de1d526a9b9d70546

SHA512
cad52473694589b09b5130c7e918049f37c29527373b6bee94e4c3893dbf60103bba531f4a005f7adb989df2bb31ccba5bd6d408cfc2129a959ce23fa4d3924c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
439a074691f0b9ea195e0e8ee6631813

SHA1
56696db0e283886bc21f11cba41773bd4807036b

SHA256
3ae773727a2e446861f1746d8623894bece4ce1e1726cb6f334a02abe30a2d02

SHA512
b55eb9bf73cb73d944f0182c400edacdb8b26dcc6cb56194aaf59c9f1d24e3536add5af51ddec0364d06a4090bfd4f8af1ca499f724a24749939aa534921e1db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
0cf166ed534446b7e5aab8b3159b1342

SHA1
a9ea2c2e7b4919818780ccc7d475dc3734238890

SHA256
dd9fd54e50e4381a11016982b08928a688261d9137fd4353dceecc29ff598166

SHA512
8da6e34c62fdd7a729c879bf59f4226a7b01c0939fab0ac4e63c010a313b971facf898f818a599b1ed053eef2dafaf652e5a6b4d6ecad6c5144a9674b63a69ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
313dfcb0e10a45270d9330e14baff0d7

SHA1
c449dc388bab9007a1d9a64aa1e76ed0a36f9669

SHA256
6c63607bbddd183f3960dd454a3e227bf807d8814c893772af19d08466352b25

SHA512
fdcb4e1b345297b3922906534cc8bf16fe1ec2999b949774d1129a9b39050eb2039702fd443ec7028be203164a1d92011b35ece60688239a63570f572e7d6266

Download Submit
C:\Users\Admin\Downloads\!Please Read Me!.txt

Filesize
797B

MD5
afa18cf4aa2660392111763fb93a8c3d

SHA1
c219a3654a5f41ce535a09f2a188a464c3f5baf5

SHA256
227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0

SHA512
4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b

Download Submit
C:\Users\Admin\Downloads\!WannaDecryptor!.exe.lnk

Filesize
590B

MD5
916436333baa94b65a6372f0dd585226

SHA1
61a6e4546a4be1894663d3f7014da6de199e45f8

SHA256
c1a16a787c184e502873b8a62da7235ae2d384aeb7c51ddc9239048f8967245e

SHA512
23f7e916286fa3096928f352ae13ccc8d87fee475b59c5686f84c1caee797739637deb3b0bd36a19cff0fbefeb476962758498ae497852796f8d8f357991af93

Download Submit
C:\Users\Admin\Downloads\00000000.res

Filesize
136B

MD5
58a7bfdfe58b262e9a045ee2ab35a1ce

SHA1
9120c065a9551d0cf7730e1d79c4f99435fcbf2f

SHA256
bcc936c4ce0774d32768ed6302bc6ceaf7a616d9c1774f7b987fdea0df2adba8

SHA512
f1389e32c63f26e6ccdf4dd91c8bd4fd4557d6361223a7f89008400deb13ef3eda6f1b9c4abcddc8e859dae7f33d27c212509b3b7fb64afa9786f2941fd94f18

Download Submit
C:\Users\Admin\Downloads\00000000.res

Filesize
136B

MD5
df7a0c6ff507198041615e0ad6f11bad

SHA1
7de79aeab3e28e918117608abd83902dffd99669

SHA256
fec23a4c3760df9e8279c102d56a28ab537db6d6ecb8ac0a6c7b0db404c19aee

SHA512
9906f42213ce3be84047503766b220730b93f30b307aa00e8c267a3d6668ef7965dc103464a769e357d8bf7a40b9808089aa284f3865a737e92b756b892e4efc

Download Submit
C:\Users\Admin\Downloads\00000000.res

Filesize
136B

MD5
66b1e82db9b370873583d931f7d55b5a

SHA1
227207b9f9b901f1c7ca2109ee34fc28c0d1efbc

SHA256
16b4ac9ba3bf99ca7c807ac16955c6d8853a3df7d515351b7e7b00d092d7c057

SHA512
dcb1fd9f57522f545b19c8f10ac23ee42510ae98f6875fb9fcdcb213c13b5d950d964698a21999aff901f1d8849a457f556ef7b059aa0b6a4dbdd667aeb9c694

Download Submit
C:\Users\Admin\Downloads\260731732895897.bat

Filesize
318B

MD5
a261428b490a45438c0d55781a9c6e75

SHA1
e9eefce11cefcbb7e5168bfb8de8a3c3ac45c41e

SHA256
4288d655b7de7537d7ea13fdeb1ba19760bcaf04384cd68619d9e5edb5e31f44

SHA512
304887938520ffcc6966da83596ccc8688b7eace9572982c224f3fb9c59e6fb2dcaa021a19d2aae47346e954c0d0d8145c723b7143dece11ac7261dc41ba3d40

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 432841.crdownload

Filesize
111KB

MD5
e87a04c270f98bb6b5677cc789d1ad1d

SHA1
8c14cb338e23d4a82f6310d13b36729e543ff0ca

SHA256
e03520794f00fb39ef3cfff012f72a5d03c60f89de28dbe69016f6ed151b5338

SHA512
8784f4d42908e54ecedfb06b254992c63920f43a27903ccedd336daaeed346db44e1f40e7db971735da707b5b32206be1b1571bc0d6a2d6eb90bbf9d1f69de13

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 50906.crdownload

Filesize
224KB

MD5
5c7fb0927db37372da25f270708103a2

SHA1
120ed9279d85cbfa56e5b7779ffa7162074f7a29

SHA256
be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844

SHA512
a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f89224c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 825977.crdownload

Filesize
246KB

MD5
9254ca1da9ff8ad492ca5fa06ca181c6

SHA1
70fa62e6232eae52467d29cf1c1dacb8a7aeab90

SHA256
30676ad5dc94c3fec3d77d87439b2bf0a1aaa7f01900b68002a06f11caee9ce6

SHA512
a84fbbdea4e743f3e41878b9cf6db219778f1479aa478100718af9fc8d7620fc7a3295507e11df39c7863cb896f946514e50368db480796b6603c8de5580685a

Download Submit
C:\Users\Admin\Downloads\c.vbs

Filesize
201B

MD5
02b937ceef5da308c5689fcdb3fb12e9

SHA1
fa5490ea513c1b0ee01038c18cb641a51f459507

SHA256
5d57b86aeb52be824875008a6444daf919717408ec45aff4640b5e64610666f1

SHA512
843eeae13ac5fdc216b14e40534543c283ecb2b6c31503aba2d25ddd215df19105892e43cf618848742de9c13687d21e8c834eff3f2b69a26df2509a6f992653

Download Submit
C:\Users\Admin\Downloads\c.wry

Filesize
628B

MD5
d3f19a616e703d2ee6856b04bbc39979

SHA1
989e709819116f979881dd4a31870eede946f50d

SHA256
4823e832fb971e9a1f301ad4979442d88500e0fc9ebc624bf6d0ab50c42d6687

SHA512
ebd14cdc784595008475ab02b971cadb62c420575e1d3f0b22ebbacf414131cf09683f4af799b7022049526312bc9e26a9035447663d41a697a366ef3d36812f

Download Submit
C:\Users\Admin\Downloads\m.wry

Filesize
42KB

MD5
980b08bac152aff3f9b0136b616affa5

SHA1
2a9c9601ea038f790cc29379c79407356a3d25a3

SHA256
402046ada270528c9ac38bbfa0152836fe30fb8e12192354e53b8397421430d9

SHA512
100cda1f795781042b012498afd783fd6ff03b0068dbd07b2c2e163cd95e6c6e00755ce16b02b017693c9febc149ed02df9df9b607e2b9cca4b07e5bd420f496

Download Submit
C:\Users\Admin\Downloads\u.wry

Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
memory/2820-349-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/2820-232-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/3584-334-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/3584-216-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/4732-236-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/4732-350-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/4772-333-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/4772-215-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/5084-421-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/5084-332-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download