wannacry | 2e5d63057adec0e8d39f369d77f010b03efb0bf16b90cdd05676e346a930d7b6

Resubmissions

11-12-2024 15:13

241211-sl1wgsxphs 3

10-12-2024 18:36

241210-w8wrtstkev 3

10-12-2024 17:54

241210-wgzdms1rdx 10

Analysis

max time kernel
777s
max time network
776s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
10-12-2024 17:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

241209-wte6jawnb1-behavioral1.pcap
Size

21.0MB
MD5

71ec93443f4d7d8bf391a5b02856c246
SHA1

d4847d5a2bd26173da036f0d8a7b851c7e7d128b
SHA256

2e5d63057adec0e8d39f369d77f010b03efb0bf16b90cdd05676e346a930d7b6
SHA512

3966071c8ab7e0d2e57738814fc7d9da2db0d5ac0e1a7a7d58a55d07419d8d555d4f34c631e8713919d8bbdda632848a5bcf87a16ecaab249c8b38b3d43c505b
SSDEEP

393216:cQCU8iszVrdcwEyaqGl0NziHnzXzKuhmdZ8Sk5HQnCxqD:EU8imJdcbZsiHnzjKuhOZOtGtD

Score

10^/10

wannacry defense_evasion discovery execution impact persistence ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\!Please Read Me!.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions! �

Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Wannacry family
wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Downloads MZ/PE file

Drops startup file 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD7E6.tmp	WannaCry (2).exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD7FC.tmp	WannaCry (2).exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LOGON.exe	DeriaLock (1).exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LOGON.exe	DeriaLock (1).exe

Executes dropped EXE 10 IoCs

pid	Process
1924	WannaCry (2).exe
4816	!WannaDecryptor!.exe
1748	!WannaDecryptor!.exe
932	!WannaDecryptor!.exe
912	!WannaDecryptor!.exe
5064	!WannaDecryptor!.exe
2908	!WannaDecryptor!.exe
4036	WannaCry (2).exe
1688	DeriaLock (1).exe
4360	DeriaLock (1).exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\Downloads\\WannaCry (2).exe\" /r"	WannaCry (2).exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs

Web Service

T1102

flow	ioc
34	camo.githubusercontent.com
35	camo.githubusercontent.com
36	camo.githubusercontent.com
37	raw.githubusercontent.com
45	raw.githubusercontent.com
125	raw.githubusercontent.com
21	camo.githubusercontent.com
33	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp"	!WannaDecryptor!.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 2 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\WannaCry (2).exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\DeriaLock (1).exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 26 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DeriaLock (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DeriaLock (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry (2).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry (2).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
2072	taskkill.exe
2896	taskkill.exe
1928	taskkill.exe
3156	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	OpenWith.exe

NTFS ADS 10 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 918863.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\WannaCry (2).exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 472922.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 219251.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 961613.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\DeriaLock (1).exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\15e029c3834435150c76741e714540fcb799662db8cc2c61ba4ef192a781727b:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\15e029c3834435150c76741e714540fcb799662db8cc2c61ba4ef192a781727b (1):Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 815399.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 912185.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1908	msedge.exe
1908	msedge.exe
4868	msedge.exe
4868	msedge.exe
72	msedge.exe
72	msedge.exe
4940	identity_helper.exe
4940	identity_helper.exe
2252	msedge.exe
2252	msedge.exe
1212	msedge.exe
1212	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
3180	msedge.exe
4356	msedge.exe
4356	msedge.exe
2968	msedge.exe
2968	msedge.exe
2100	msedge.exe
2100	msedge.exe
2484	msedge.exe
2484	msedge.exe
240	identity_helper.exe
240	identity_helper.exe
2440	msedge.exe
2440	msedge.exe
1688	DeriaLock (1).exe
1688	DeriaLock (1).exe
1688	DeriaLock (1).exe
1688	DeriaLock (1).exe
1688	DeriaLock (1).exe
1688	DeriaLock (1).exe
1688	DeriaLock (1).exe
1688	DeriaLock (1).exe
1688	DeriaLock (1).exe
1688	DeriaLock (1).exe
1688	DeriaLock (1).exe
1688	DeriaLock (1).exe
1688	DeriaLock (1).exe
1688	DeriaLock (1).exe
1688	DeriaLock (1).exe
1688	DeriaLock (1).exe
1688	DeriaLock (1).exe
1688	DeriaLock (1).exe
1688	DeriaLock (1).exe
1688	DeriaLock (1).exe
1688	DeriaLock (1).exe
1688	DeriaLock (1).exe
1688	DeriaLock (1).exe
1688	DeriaLock (1).exe
1688	DeriaLock (1).exe
1688	DeriaLock (1).exe
1688	DeriaLock (1).exe
1688	DeriaLock (1).exe
1688	DeriaLock (1).exe
1688	DeriaLock (1).exe
1688	DeriaLock (1).exe
1688	DeriaLock (1).exe
1688	DeriaLock (1).exe
1688	DeriaLock (1).exe
1688	DeriaLock (1).exe
1688	DeriaLock (1).exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
912	!WannaDecryptor!.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 32 IoCs

pid	Process
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
2100	msedge.exe
2100	msedge.exe
2100	msedge.exe
2100	msedge.exe
2100	msedge.exe
2100	msedge.exe
2100	msedge.exe
2100	msedge.exe
2100	msedge.exe
2100	msedge.exe
2100	msedge.exe
2100	msedge.exe

Suspicious use of AdjustPrivilegeToken 55 IoCs

description	pid	Process
Token: SeDebugPrivilege	1928	taskkill.exe
Token: SeDebugPrivilege	3156	taskkill.exe
Token: SeDebugPrivilege	2896	taskkill.exe
Token: SeDebugPrivilege	2072	taskkill.exe
Token: SeIncreaseQuotaPrivilege	568	WMIC.exe
Token: SeSecurityPrivilege	568	WMIC.exe
Token: SeTakeOwnershipPrivilege	568	WMIC.exe
Token: SeLoadDriverPrivilege	568	WMIC.exe
Token: SeSystemProfilePrivilege	568	WMIC.exe
Token: SeSystemtimePrivilege	568	WMIC.exe
Token: SeProfSingleProcessPrivilege	568	WMIC.exe
Token: SeIncBasePriorityPrivilege	568	WMIC.exe
Token: SeCreatePagefilePrivilege	568	WMIC.exe
Token: SeBackupPrivilege	568	WMIC.exe
Token: SeRestorePrivilege	568	WMIC.exe
Token: SeShutdownPrivilege	568	WMIC.exe
Token: SeDebugPrivilege	568	WMIC.exe
Token: SeSystemEnvironmentPrivilege	568	WMIC.exe
Token: SeRemoteShutdownPrivilege	568	WMIC.exe
Token: SeUndockPrivilege	568	WMIC.exe
Token: SeManageVolumePrivilege	568	WMIC.exe
Token: 33	568	WMIC.exe
Token: 34	568	WMIC.exe
Token: 35	568	WMIC.exe
Token: 36	568	WMIC.exe
Token: SeIncreaseQuotaPrivilege	568	WMIC.exe
Token: SeSecurityPrivilege	568	WMIC.exe
Token: SeTakeOwnershipPrivilege	568	WMIC.exe
Token: SeLoadDriverPrivilege	568	WMIC.exe
Token: SeSystemProfilePrivilege	568	WMIC.exe
Token: SeSystemtimePrivilege	568	WMIC.exe
Token: SeProfSingleProcessPrivilege	568	WMIC.exe
Token: SeIncBasePriorityPrivilege	568	WMIC.exe
Token: SeCreatePagefilePrivilege	568	WMIC.exe
Token: SeBackupPrivilege	568	WMIC.exe
Token: SeRestorePrivilege	568	WMIC.exe
Token: SeShutdownPrivilege	568	WMIC.exe
Token: SeDebugPrivilege	568	WMIC.exe
Token: SeSystemEnvironmentPrivilege	568	WMIC.exe
Token: SeRemoteShutdownPrivilege	568	WMIC.exe
Token: SeUndockPrivilege	568	WMIC.exe
Token: SeManageVolumePrivilege	568	WMIC.exe
Token: 33	568	WMIC.exe
Token: 34	568	WMIC.exe
Token: 35	568	WMIC.exe
Token: 36	568	WMIC.exe
Token: SeBackupPrivilege	2572	vssvc.exe
Token: SeRestorePrivilege	2572	vssvc.exe
Token: SeAuditPrivilege	2572	vssvc.exe
Token: SeDebugPrivilege	1688	DeriaLock (1).exe
Token: SeShutdownPrivilege	3164	explorer.exe
Token: SeCreatePagefilePrivilege	3164	explorer.exe
Token: SeShutdownPrivilege	3164	explorer.exe
Token: SeCreatePagefilePrivilege	3164	explorer.exe
Token: SeDebugPrivilege	4360	DeriaLock (1).exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
2100	msedge.exe
2100	msedge.exe
2100	msedge.exe
2100	msedge.exe
2100	msedge.exe
2100	msedge.exe
2100	msedge.exe
2100	msedge.exe
2100	msedge.exe
2100	msedge.exe
2100	msedge.exe
2100	msedge.exe
2100	msedge.exe
2100	msedge.exe
2100	msedge.exe
2100	msedge.exe

Suspicious use of SetWindowsHookEx 18 IoCs

pid	Process
1120	OpenWith.exe
2204	OpenWith.exe
2204	OpenWith.exe
2204	OpenWith.exe
1120	AcroRd32.exe
1120	AcroRd32.exe
1120	AcroRd32.exe
1120	AcroRd32.exe
4816	!WannaDecryptor!.exe
4816	!WannaDecryptor!.exe
1748	!WannaDecryptor!.exe
1748	!WannaDecryptor!.exe
932	!WannaDecryptor!.exe
912	!WannaDecryptor!.exe
932	!WannaDecryptor!.exe
912	!WannaDecryptor!.exe
5064	!WannaDecryptor!.exe
2908	!WannaDecryptor!.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4868 wrote to memory of 3232	4868	msedge.exe	82
PID 4868 wrote to memory of 3232	4868	msedge.exe	82
PID 4868 wrote to memory of 4000	4868	msedge.exe	83
PID 4868 wrote to memory of 4000	4868	msedge.exe	83
PID 4868 wrote to memory of 4000	4868	msedge.exe	83
PID 4868 wrote to memory of 4000	4868	msedge.exe	83
PID 4868 wrote to memory of 4000	4868	msedge.exe	83
PID 4868 wrote to memory of 4000	4868	msedge.exe	83
PID 4868 wrote to memory of 4000	4868	msedge.exe	83
PID 4868 wrote to memory of 4000	4868	msedge.exe	83
PID 4868 wrote to memory of 4000	4868	msedge.exe	83
PID 4868 wrote to memory of 4000	4868	msedge.exe	83
PID 4868 wrote to memory of 4000	4868	msedge.exe	83
PID 4868 wrote to memory of 4000	4868	msedge.exe	83
PID 4868 wrote to memory of 4000	4868	msedge.exe	83
PID 4868 wrote to memory of 4000	4868	msedge.exe	83
PID 4868 wrote to memory of 4000	4868	msedge.exe	83
PID 4868 wrote to memory of 4000	4868	msedge.exe	83
PID 4868 wrote to memory of 4000	4868	msedge.exe	83
PID 4868 wrote to memory of 4000	4868	msedge.exe	83
PID 4868 wrote to memory of 4000	4868	msedge.exe	83
PID 4868 wrote to memory of 4000	4868	msedge.exe	83
PID 4868 wrote to memory of 4000	4868	msedge.exe	83
PID 4868 wrote to memory of 4000	4868	msedge.exe	83
PID 4868 wrote to memory of 4000	4868	msedge.exe	83
PID 4868 wrote to memory of 4000	4868	msedge.exe	83
PID 4868 wrote to memory of 4000	4868	msedge.exe	83
PID 4868 wrote to memory of 4000	4868	msedge.exe	83
PID 4868 wrote to memory of 4000	4868	msedge.exe	83
PID 4868 wrote to memory of 4000	4868	msedge.exe	83
PID 4868 wrote to memory of 4000	4868	msedge.exe	83
PID 4868 wrote to memory of 4000	4868	msedge.exe	83
PID 4868 wrote to memory of 4000	4868	msedge.exe	83
PID 4868 wrote to memory of 4000	4868	msedge.exe	83
PID 4868 wrote to memory of 4000	4868	msedge.exe	83
PID 4868 wrote to memory of 4000	4868	msedge.exe	83
PID 4868 wrote to memory of 4000	4868	msedge.exe	83
PID 4868 wrote to memory of 4000	4868	msedge.exe	83
PID 4868 wrote to memory of 4000	4868	msedge.exe	83
PID 4868 wrote to memory of 4000	4868	msedge.exe	83
PID 4868 wrote to memory of 4000	4868	msedge.exe	83
PID 4868 wrote to memory of 4000	4868	msedge.exe	83
PID 4868 wrote to memory of 1908	4868	msedge.exe	84
PID 4868 wrote to memory of 1908	4868	msedge.exe	84
PID 4868 wrote to memory of 1072	4868	msedge.exe	85
PID 4868 wrote to memory of 1072	4868	msedge.exe	85
PID 4868 wrote to memory of 1072	4868	msedge.exe	85
PID 4868 wrote to memory of 1072	4868	msedge.exe	85
PID 4868 wrote to memory of 1072	4868	msedge.exe	85
PID 4868 wrote to memory of 1072	4868	msedge.exe	85
PID 4868 wrote to memory of 1072	4868	msedge.exe	85
PID 4868 wrote to memory of 1072	4868	msedge.exe	85
PID 4868 wrote to memory of 1072	4868	msedge.exe	85
PID 4868 wrote to memory of 1072	4868	msedge.exe	85
PID 4868 wrote to memory of 1072	4868	msedge.exe	85
PID 4868 wrote to memory of 1072	4868	msedge.exe	85
PID 4868 wrote to memory of 1072	4868	msedge.exe	85
PID 4868 wrote to memory of 1072	4868	msedge.exe	85
PID 4868 wrote to memory of 1072	4868	msedge.exe	85
PID 4868 wrote to memory of 1072	4868	msedge.exe	85
PID 4868 wrote to memory of 1072	4868	msedge.exe	85
PID 4868 wrote to memory of 1072	4868	msedge.exe	85
PID 4868 wrote to memory of 1072	4868	msedge.exe	85
PID 4868 wrote to memory of 1072	4868	msedge.exe	85

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\241209-wte6jawnb1-behavioral1.pcap
1⤵
- Modifies registry class
PID:2624

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1120

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x110,0x114,0x118,0xec,0x11c,0x7ff9f28c3cb8,0x7ff9f28c3cc8,0x7ff9f28c3cd8
  2⤵
  PID:3232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1932,10794722317986112963,3716229253107093888,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1948 /prefetch:2
  2⤵
  PID:4000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1932,10794722317986112963,3716229253107093888,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1932,10794722317986112963,3716229253107093888,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2536 /prefetch:8
  2⤵
  PID:1072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,10794722317986112963,3716229253107093888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1
  2⤵
  PID:3200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,10794722317986112963,3716229253107093888,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
  2⤵
  PID:2920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,10794722317986112963,3716229253107093888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4608 /prefetch:1
  2⤵
  PID:240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,10794722317986112963,3716229253107093888,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2924 /prefetch:1
  2⤵
  PID:872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1932,10794722317986112963,3716229253107093888,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4896 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:72
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1932,10794722317986112963,3716229253107093888,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3504 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,10794722317986112963,3716229253107093888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5312 /prefetch:1
  2⤵
  PID:3796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,10794722317986112963,3716229253107093888,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
  2⤵
  PID:4920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,10794722317986112963,3716229253107093888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5588 /prefetch:1
  2⤵
  PID:4040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,10794722317986112963,3716229253107093888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:1028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,10794722317986112963,3716229253107093888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4884 /prefetch:1
  2⤵
  PID:4260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,10794722317986112963,3716229253107093888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:4204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,10794722317986112963,3716229253107093888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
  2⤵
  PID:1492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,10794722317986112963,3716229253107093888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:1192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,10794722317986112963,3716229253107093888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5728 /prefetch:1
  2⤵
  PID:1616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1932,10794722317986112963,3716229253107093888,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6292 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1932,10794722317986112963,3716229253107093888,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6284 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1932,10794722317986112963,3716229253107093888,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3804 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,10794722317986112963,3716229253107093888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4412 /prefetch:1
  2⤵
  PID:1068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,10794722317986112963,3716229253107093888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6104 /prefetch:1
  2⤵
  PID:3424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,10794722317986112963,3716229253107093888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6264 /prefetch:1
  2⤵
  PID:3600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,10794722317986112963,3716229253107093888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:3224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1932,10794722317986112963,3716229253107093888,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6660 /prefetch:8
  2⤵
  PID:3880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1932,10794722317986112963,3716229253107093888,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6644 /prefetch:8
  2⤵
  PID:2948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1932,10794722317986112963,3716229253107093888,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6656 /prefetch:8
  2⤵
  PID:4296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,10794722317986112963,3716229253107093888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:2860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1932,10794722317986112963,3716229253107093888,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5236 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4356
- C:\Users\Admin\Downloads\WannaCry (2).exe
  "C:\Users\Admin\Downloads\WannaCry (2).exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:1924
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 262671733853622.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1692
  - - C:\Windows\SysWOW64\cscript.exe
      cscript //nologo c.vbs
      4⤵
      System Location Discovery: System Language Discovery
      PID:2624
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe f
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4816
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im MSExchange*
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1928
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Microsoft.Exchange.*
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3156
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sqlserver.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2896
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sqlwriter.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2072
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe c
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1748
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c start /b !WannaDecryptor!.exe v
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4188
  - - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
      !WannaDecryptor!.exe v
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:932
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2084
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:568
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe
    3⤵
    - Executes dropped EXE
    - Sets desktop wallpaper using registry
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:912
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/search?q=how+to+buy+bitcoin
      4⤵
      PID:3224
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ff9f28c3cb8,0x7ff9f28c3cc8,0x7ff9f28c3cd8
        5⤵
        
        PID:5092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,10794722317986112963,3716229253107093888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6236 /prefetch:1
  2⤵
  PID:4864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,10794722317986112963,3716229253107093888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6264 /prefetch:1
  2⤵
  PID:4820

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3728

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3600

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3236

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2204
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Downloads\15e029c3834435150c76741e714540fcb799662db8cc2c61ba4ef192a781727b (1)"
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1120
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2892
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=3A6199D1B18F72F1882E4657D3726D62 --mojo-platform-channel-handle=1776 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:2388
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=CBB618001E5F1C0C92E76ED604289D4B --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=CBB618001E5F1C0C92E76ED604289D4B --renderer-client-id=2 --mojo-platform-channel-handle=1784 --allow-no-sandbox-job /prefetch:1
      4⤵
      System Location Discovery: System Language Discovery
      PID:2184
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=05CD602BF9873D2FC7126A428B185848 --mojo-platform-channel-handle=2316 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:3428
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=DF2AF48B58B4C96FA2F49FBC844E9BA8 --mojo-platform-channel-handle=2488 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:4876
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=A7B40570576F052A3D40863152284048 --mojo-platform-channel-handle=2332 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:1784

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1048

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2572

C:\Users\Admin\Downloads\!WannaDecryptor!.exe
"C:\Users\Admin\Downloads\!WannaDecryptor!.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5064

C:\Users\Admin\Downloads\!WannaDecryptor!.exe
"C:\Users\Admin\Downloads\!WannaDecryptor!.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2908

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of SendNotifyMessage
PID:2100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9f28c3cb8,0x7ff9f28c3cc8,0x7ff9f28c3cd8
  2⤵
  PID:2532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1972,10396607537007727166,7226236311635021773,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2008 /prefetch:2
  2⤵
  PID:3792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1972,10396607537007727166,7226236311635021773,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1972,10396607537007727166,7226236311635021773,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2836 /prefetch:8
  2⤵
  PID:2232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,10396607537007727166,7226236311635021773,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3640 /prefetch:1
  2⤵
  PID:1400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,10396607537007727166,7226236311635021773,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3680 /prefetch:1
  2⤵
  PID:1912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,10396607537007727166,7226236311635021773,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2424 /prefetch:1
  2⤵
  PID:3444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,10396607537007727166,7226236311635021773,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4900 /prefetch:1
  2⤵
  PID:3664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1972,10396607537007727166,7226236311635021773,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5164 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,10396607537007727166,7226236311635021773,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:1
  2⤵
  PID:1860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1972,10396607537007727166,7226236311635021773,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5440 /prefetch:8
  2⤵
  PID:2208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1972,10396607537007727166,7226236311635021773,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5580 /prefetch:8
  2⤵
  PID:904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1972,10396607537007727166,7226236311635021773,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5600 /prefetch:8
  2⤵
  PID:976
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1972,10396607537007727166,7226236311635021773,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5804 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:240
- C:\Users\Admin\Downloads\WannaCry (2).exe
  "C:\Users\Admin\Downloads\WannaCry (2).exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,10396607537007727166,7226236311635021773,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
  2⤵
  PID:4024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,10396607537007727166,7226236311635021773,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4172 /prefetch:1
  2⤵
  PID:4976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,10396607537007727166,7226236311635021773,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5896 /prefetch:1
  2⤵
  PID:4708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,10396607537007727166,7226236311635021773,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:1
  2⤵
  PID:1944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,10396607537007727166,7226236311635021773,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5024 /prefetch:1
  2⤵
  PID:4412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,10396607537007727166,7226236311635021773,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:4368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,10396607537007727166,7226236311635021773,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6444 /prefetch:1
  2⤵
  PID:2184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1972,10396607537007727166,7226236311635021773,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6500 /prefetch:8
  2⤵
  PID:3260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1972,10396607537007727166,7226236311635021773,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6844 /prefetch:8
  2⤵
  PID:2528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1972,10396607537007727166,7226236311635021773,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6292 /prefetch:8
  2⤵
  PID:1344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1972,10396607537007727166,7226236311635021773,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6660 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2440
- C:\Users\Admin\Downloads\DeriaLock (1).exe
  "C:\Users\Admin\Downloads\DeriaLock (1).exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1972,10396607537007727166,7226236311635021773,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1744 /prefetch:2
  2⤵
  PID:2908
- C:\Users\Admin\Downloads\DeriaLock (1).exe
  "C:\Users\Admin\Downloads\DeriaLock (1).exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4360

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3268

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2800

C:\Windows\explorer.exe
explorer.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\48.png.WCRY

Filesize
2KB

MD5
b9726a998afce1b6abb491bbb15eaacb

SHA1
85a9148bd7aad8f9ed8325e811c930b221d44330

SHA256
645d20c048344b7415229c228c016fb2814dff26926283f28f3a356a0fd7bb8c

SHA512
b47466c8aced84b49ca85f0df71c8bce1a48d1a3fc295d38658fe388fae7a90d0f2feff9d7918d29d5fc0533805ae1d4020641b910351a23af4b6df1c68f5259

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
554d6d27186fa7d6762d95dde7a17584

SHA1
93ea7b20b8fae384cf0be0d65e4295097112fdca

SHA256
2fa6145571e1f1ece9850a1ac94661213d3e0d82f1cef7ac1286ff6b2c2017cb

SHA512
57d9008ccabc315bd0e829b19fe91e24bab6ef20bcfab651b937b0f38eec840b58d0aed092a3bbedd2d6a95d5c150372a1e51087572de55672172adc1fc468a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d66d1f0d79490ed6f8888a1d44159da0

SHA1
3c5115be6f0f644724e981b8bb951a4899204d82

SHA256
25da8891ed9910326fe60be34c34e7de0e4bc6db05c09a5b7d4aedc5c1e81c03

SHA512
1184e1845682b798960a053059ff34d333b7526039863536d7801cc3c7d12c2b2a19edc1512220fcddb1259231f268235b6d7bc22a5710aca2353d616fd26833

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a28bb0d36049e72d00393056dce10a26

SHA1
c753387b64cc15c0efc80084da393acdb4fc01d0

SHA256
684d797e28b7fd86af84bfb217d190e4f5e03d92092d988a6091b2c7bbbd67c1

SHA512
20940fee33aa2194c36a3db92d4fd314ce7eacc2aa745abec62aa031c2a53ba4ff89f2568626e7bd2536090175f8d045c3bb52c5faa5ecc8da8410ab5fc519f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001d

Filesize
420KB

MD5
c49856a3df308e8b1739b357832c8e9b

SHA1
1b8aec9750e643ce27b82bbf1c2a78dedcbcc212

SHA256
15e029c3834435150c76741e714540fcb799662db8cc2c61ba4ef192a781727b

SHA512
a764383d7eeed4d94eb39235754304282c59b6ebcdc2272862ee13cf654b6223aeaf46ace487ad58ad268d9d4db10c0f4ffef15d57452f1004561ffda3a45e67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000020

Filesize
224KB

MD5
5c7fb0927db37372da25f270708103a2

SHA1
120ed9279d85cbfa56e5b7779ffa7162074f7a29

SHA256
be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844

SHA512
a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f89224c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000022

Filesize
215KB

MD5
2be38925751dc3580e84c3af3a87f98d

SHA1
8a390d24e6588bef5da1d3db713784c11ca58921

SHA256
1412046f2516b688d644ff26b6c7ef2275b6c8f132eb809bd32e118208a4ec1b

SHA512
1341ffc84f16c1247eb0e9baacd26a70c6b9ee904bc2861e55b092263613c0f09072efd174b3e649a347ef3192ae92d7807cc4f5782f8fd07389703d75c4c4e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000027

Filesize
484KB

MD5
0a7b70efba0aa93d4bc0857b87ac2fcb

SHA1
01a6c963b2f5f36ff21a1043587dcf921ae5f5cd

SHA256
4f5bff64160044d9a769ab277ff85ba954e2a2e182c6da4d0672790cf1d48309

SHA512
2033f9637b8d023242c93f54c140dd561592a3380a15a9fdc8ebfa33385ff4fc569d66c846a01b4ac005f0521b3c219e87f4b1ed2a83557f9d95fa066ad25e14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\622f12e313d906fa_0

Filesize
1KB

MD5
c5d963f65958de4dbe500bdeea6e1537

SHA1
97c3e7c5d6f7ca3656365a54b9d832f8f589fc6b

SHA256
304899126bdd37bc9b099bd1d4f8d2d6f4af04643bf69932b0c82db97598ac28

SHA512
27fc9595f34d3791f193f7442b22aa35eedcbe50e4463c48cd98d0d0e5e875e17c8f11ed561715693f7470a3dd77f826b2b16f8c85078c8ecb2935b3c96d94cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
1c2eab1fb6649d8346670e2f27223910

SHA1
f8822368e564f4b3d626f3c9b4792d61d1ab711c

SHA256
52f4475e046499d4ec9a1520d2d0ddc2f40a74d9780473fafd6a94d08a5d1ab0

SHA512
0d9331e98b31bbba824de104522ee3630a757f03820b7ade8bec33e4b690e241faea2893248ed86fe7ffaf08d8456d79317bd51f00c1745f85bb0572f07fc1cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
abad88b790cbcb7ebb44d3344a76664a

SHA1
e288336d4832669de78a07e75f12093e2669d3cc

SHA256
caa64342ee02cbebe2283d181193b6a416567b775df10293c3de83c6945f6d68

SHA512
688c12ef3494372569c2fb864e919637059e759f45a9c61987fc0f052f782b0117136f22fcd3d9e424b7b1c0150bb242723becb8143485d9335ff840c4db06d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
baf8e2e5b97a66572c731c2460293265

SHA1
1f8c405a52086e7ab2ab66ca6564c85513f75f58

SHA256
459bdd863a3afb5b09b672ad1ee80888e61f315a6be4131ca492d13763e8c399

SHA512
3c57768b8eee71416c7c8cd6007e7e4ad64e2615554bdec594bcd81967760b2bf38584076c67aa55d0a683997b111aa67b10df0dfb9f9ed0708e95eb25e4d49f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
33ac1e01b962352abd03b64b20ac2a27

SHA1
95a8ff617b44d11bc9cb28bf6fe290e65a19267c

SHA256
0a6388ad7025801f92ad16da55d69645576fb5c2426c41859a0cf9f5a9a7b901

SHA512
91168ee9a21e9e11471040a58f548aeadd30ee21a4e2aea4b0edd08f6b50451ed1dabc3a66ee40cb618b9b68b7bba22253b997ce6ea5df0d646a70b11bdba6dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
b7e153bd3c9bc9c08767d593d55e96d0

SHA1
33d15c97d0ba16b119f097940d80fd8d6dd05a81

SHA256
c6f5fc23f61c43d2925c96b3104d90ef91205dac3afef4733714a08f315bd3b1

SHA512
96f7a07913bf71096e892b296f49e0ad9750e3d03efd0c0d037d5025fc3d96b4f6c9c7dbe39a8d5bc6ff5807a5be32e55dd3c8d44aa8b9351f4bb05dd20a02ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1024B

MD5
2523431465605be3016fc4d324c90c9d

SHA1
a681479a7fa204c1027f99a5fcb7ba2d88e1fadd

SHA256
3fa6dd9d02d4f8770b3642ea69de88527fec70bf7c643de44715dc261e69a609

SHA512
6f00f7e8caca9d213145c5cb061aeb31ff9d6d1cb0850ef21c1b1e40b6e19091665daa198f68064a24c05061141aa75c79eac3dcb3f4959cf6ba5e1c9a99da11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
803f7708e4d8c28008a78485944cc094

SHA1
2560cb506143cfa1d103e8c274f3330a572b5e2b

SHA256
2b76da889b4029b9bb940eab9c4ceef5618118ac5eea1dbdbdc4196fd0aedc5f

SHA512
672c2a02b66602d440297e497257a8ac66ec1ee71c271315c9612c4832357c03c32cf379cba28e14c234332cf2dcdabfa34d8ca9910bb922fa8e8c528d8af52b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
b54f796b1661810dc4cb7b22b25b4f66

SHA1
895b067a10c83ba5c0524b92f6e13532f40ffe5c

SHA256
ca3a514ec8b9791d9f319f78c704e2b3f0cb59bebccc40d4b4ec0ea48d0fc62c

SHA512
009ebbd8320ffecf5f5b18b2ab559f28fc4aa11d2963816cfd2d00981ab6bb073b18be6cdda707dda6d08770c671ba5042fc7fe194b9fce194cd653abff4c673

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
a24639bdc46766520c41b932c261185a

SHA1
6b8e32c039c161b35404ae9bd0f5c0750bdda756

SHA256
6c3d67f7654172f7b3950cabab2767a67be4799bff366ea5d1220399ea6fbf4e

SHA512
e70d379b2467166aeaa19d74795692be4faaffd982621c5944a6e7adc32672e0bd6ffba705571a750e1eeb9bfb3d10b79c7e5524c9af5ebf2817761bddc5c7ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
d2ed7d8ebf6ebfd0f760f165e64e7f9a

SHA1
fda6915853944dd4f732d24fdf5a03d697a7ee5c

SHA256
4cb1a7d2f58ec04ce75c83c263807dcfd612f8c9a1aa8d700ff5f8f274af96f4

SHA512
38bf87e02192b07f267b430a59ed878f2290e1372c9757dafa740dad6f873cc0f4a062560c9ffa3e9dcc415de80e64be1c49593f6d47ecf4a2d7516ef30d6e31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
541702d67a1b07284d8489d69b0fbe09

SHA1
c86ae5e52551caf9f8de54df81df69e8dcf57d30

SHA256
2db0792080e4dc8c40f67c9a3cffc7536a4d61296e1726290452e7cebed7fa09

SHA512
3a6c8e25f3e34bf59d7da9b26cad69216c08617399c1a6bb7a31abba1913cb3ef0a218440a329e4a894928444e18fb56f0b38faccf573a7309a4e9f887088f34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
e5342c5f6fea6c6c0041e2c091427a45

SHA1
b26dae535c3e37bf9a4abf2328137fc87ecc3c94

SHA256
1e6b2bc5d728d212507c3878475bdb65b9bc08b40aa09827dc38bfe215cea43e

SHA512
2741f874a80f140d7c76f2280a3a165450a4e9397275d3f2cf08255f750764d0a1d37dd6fe8defbba0d8070b47080fbf9e22c7839d885931faf8d4bb259285a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
c37d409164c77722ec69e29717d2d238

SHA1
0f603e836b6544163d42eeaeeb87d0a199fd203e

SHA256
524cf619bd2062a47ceb33aa7e8c325ac7a9c07a766cb88325746730ff3b1aeb

SHA512
5fa65b08f7ce6c56ad4ac509daaea1b2d19dac44e0389108b4a645636b047217d983a0819c9b943eb2fbc02608b00d1b2910e15439711b16067bae87e84193d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
b1e06ecf890ed77af5ffa525ce93cf4d

SHA1
cf28c12cfcc19def51ffabb292e7ae04fcc1fd66

SHA256
ec1c155a3d4161ce816e959d2716a94e4a7b312adff2131e90499d4af0d8dea1

SHA512
27bcfa5b54eeaaf5c198d79af9021f3a9794589529ddd50cc646a8e403e125fc28c25b8e2cd09a4a86ca25ca44628a1db6909b15fa2abf5e5d7a075309967d31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1e7a639564a1d9c7020c2907446922cf

SHA1
b45344c39e7c8a513e416e0d18ac34854bce6192

SHA256
04308fe0337ef495551ef6acb874d49e323dcd4bb0eae47d4f88ca9ac58201ee

SHA512
0a2e24b72d8c1b814bbb3eb261cd711e7e9dc38faaa91fa39b9fd75fca7d8ec4f123c4a0ee1e43a3e31b8c33bcc7c9ef8546b0579314307e44da498d3dce08e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
358eee10ff9a36f7847a624ac92ab015

SHA1
3326fe5bed330446ef383d7e0e55b9882f6f56b9

SHA256
5c76a6daeb3e9637671c9e59e47ce6fc298d095147f18cdf2c740fa5c7045252

SHA512
ee5712bf149e589fffad64e5e9a2a842cb8be4de18b811a5019398ba6bc90de07817bfe2f514c72d195c7633914d5e612fc432c6f6ddc4a5dc6583caf308103e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
fb9014b36e8efbdc1ebf04a5ebd34987

SHA1
aa78626d2073c8bc5d292f4164dbd1f22c702e27

SHA256
d00646c62d9014faa12862e2bea9d91832aa44c84ab4c5d934c2fa9d92591112

SHA512
a57d7ccb90ccbfb598dc2319f905a7ac7cd4ccfbe55d757381d0ec1b67bc5a81448d60567f8836c112877c9df03eacbb0e9414e412e0c46fe676b25693adc0a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
57e3ba6c2b7e6bc80a20032ecab02154

SHA1
72f601586560cd0e92719e1e155e12743bbb0d8c

SHA256
19d86f997a153ce37b0b5640a1a438125d8591415dee981d29020e69f97c13aa

SHA512
7d790cef718141fea6e03a259448a4592b99741f7bcc74b9220fd93dadf85bf392c4c3d4781c8b33b75ca2c044f247593c6e4e052735cb9296d54117e5412f7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
620df58c71ef132532dd43b88c1db90b

SHA1
0495fcba2a75b0bf3c9523a9a0bf44fc3d9dd3cc

SHA256
e3bc7584ee09cf2dd450ae3663affa32ac8145392e6178a35402f4cce126c1d3

SHA512
9b3dcd64e2bfd114128a068f7c61a63c77c3f97dbf0a7ed5a9b8935f487c21aea3b63afea227eb40fbe1be34ad0343914ccfb936077d3802d234216d6ccc5782

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
4f6eac71f41e1654729defa0f3a615a5

SHA1
aea073d862abd3760fadbb1be7b8deb8f560e538

SHA256
f583a5566d7f28ae674b957aa86ebff13bec1d987d6ffc0fb9df2ec0b1525e03

SHA512
c8046a2489c465a1858ffaa049d6f21956a7f517555db5614c6e45e1efb3c4f1d36d1c89c8259bf19e303f8dfd57b71000468f8062c0a79b63a55243b2befbe3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
472697c0dc39aeb612606823d77307db

SHA1
57b6b363fc0735b79ea39fa401350683bb875b3d

SHA256
aa407465fa96ede67d039cefb55f1b19495d0db9003820a0bd0e8cda03abff32

SHA512
c9dc3d08820e175058937333630b8e46bf85da3d8b67befacb80be098658e3cbd23f4a122210abda519bf1398164e2d6e647d417e263c376f07a84b52f4ec004

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
95bf4513bf7074d8bd6666186b65a7c9

SHA1
ad3a477207b0583c566d4e215b9e1e5e7a4c69af

SHA256
06362ec68d4216b7edca6a82e05a5e1731be1c5b1b8b438707e92401522c7038

SHA512
1a621b10ad253424b528cf22df0836d1e055224405b571dad3d01250db5ca6189f676b84fed2923b5171b5b990fa57dfccc5bb831587e6b863f2db4638946e12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
8953625bd7c27929ce785ed731e35866

SHA1
3cb6c4e90d809a5785991577ea065421f1c3fd86

SHA256
91ebe8c335fcc0008f731798bda653fd8ec14c6f4af78c1e0bbf28cf57a37424

SHA512
84ea8f81aad711c5938b369cfe53a04b4875eebfe573957512505efbbf5e45a06ba1fbe90dc28cf5995915eae99904f30ddef3e9843ac9b9ea2d604e71acfa56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
e78a5a49aa927ac68c3c6d46ebf773f3

SHA1
ca1033fffcde8e52e787918b33cca14c2a7a2e4e

SHA256
60a760ce3edc6e1e731565d56ceb7b75b070ce8e5e7e80c3ec46a595960ff65b

SHA512
cdf7b1d099805d6663710c69a3247613d9fed290777fb8cc7042683461abb92271c45af6cb71c828fa246f4e004133944db2be86e93932cda8042e2843a8e6fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
15523f56f626d3f2bede7d9577756282

SHA1
f0a833af9149acbbd37e93f7efae9961250af7fb

SHA256
6147c88c6dc10b2ac71839e5b6fa9a3e6b4b2ce3328189ef9388b5cf66fc8e4d

SHA512
14b5b3a3c2291df1c93f91d0e40a5aca76b32500da2b418dee804d185aaa625f7095295b74dece95063e3759928100325b66903a5ac43abcda2e6b75625bd393

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
7199caf7d133be528b089679b6cac56f

SHA1
25388060d6241295679fc44976be84983981b814

SHA256
ad5e4bc97e16338491b3b7ee76d1f941ea705b60ba00af881763f9065ae760fe

SHA512
b865b9155e2beb98a78d49dfee5a9823956e930f075697ab0811c9889a3480dfe8fd711bb6044143efdd1dd55c0a87c7ad317b186e2667ad3bbf5877109fddbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
8f2e3a331650c9e219eb43a2bf3b1401

SHA1
f4bc80fdb04d42350b75ab9742ff15d5879e6885

SHA256
8f22d2132fda3d6bd21d3ed982b05ab7916fa2b4ccbcbf06ba00d12aae205583

SHA512
99a616102bb6788d296d11d92d7ad676c115079f796b78656f25b989e287387d520aa6ab9d373950ad1c74c9038ee2206c8018c80d54f2064bfa33d46fe27496

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
7c07a4ace89efca48e4c931334b8fd99

SHA1
12f26d1f55a43f5791ba98ecd24b9e8a27af42f8

SHA256
5d09e36cdc2223952b44ef53c3dad57a5d2a20d927eb0a361bfe5a4451d2e61c

SHA512
2f1ab715a09fe735ab18a119f2d67fa0a9796a466d77b1d95c4d72f5370461449e8b2e977b4bfb474041cfa733a6da3f428cbe664b97a7fe9a1a573692adad84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e944f6899314d108df9000af19b9915f

SHA1
0249393f814820c5f1e345fa4d8281879278fdd4

SHA256
f4103bdb9524a2299225a3cc350226ccbc3111cc096ee972c3400c4571c0ad50

SHA512
19a2b76958964507bc20d781610339c00b20f8fa6763ca751d8073f59a962697f486b2f6abd1199ea61423e6b4567eccd687c281bdaa5f2ae7af00c350faf975

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
466ff9c5932acd397337504d8d9b7460

SHA1
c0dc6d1d05e249857edf2e3c164139e3587f9887

SHA256
171d6d15b0b3210daa1d48533776ae6620b6b4e47099250799127342baec0871

SHA512
3db537ca62d4e7be2c2970f43003a76008ddd6c97f4c1d5e7e49d41e77a7c58a954cdb4ebfb8a4b071d03b83e22fd2adab78970d169b8b2c0541802e969a91cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
5b264df9ca9d9bf5bc4b49ada7153e1f

SHA1
f8799d05b044444bae7126d1a6ca5b45516a2a6b

SHA256
d6ebf0185d735bef04dd6bcf99fc683b129e74f7b6280115dc74c50000b130cf

SHA512
2f22ead5fb0bf9c4461544d5bc17308f3de49d885f872ac50f95b4ff539b189de0228b8b4e9a1d784d5cac87b87d63de18c72aefee550287802c3ec49389578f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
13ed60f34eb8b600d8e083f015cfc59f

SHA1
7a13cd110908e3f3e75a5a4206e6d762621a412a

SHA256
0a3ae7badbaf4302801b77f36caed7aea413a73378f6c16b163be68f6ff79f54

SHA512
857640319a4d9b251bdf984abfb9a31ece84d287f5c24ba114d0753d82a15019c3a1e21ca64a518585c3e1492c066db4610c54cfc6da4f7c9336a9d83bf54b1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
cdc80d1f630a7706c098aab0920da1b2

SHA1
a20778d63495d34423b5503a7a195927487f007c

SHA256
0ed1e15eba19221460fead128dfb09eadb1d5fa9bfd882a8be2cd3d44cd6feec

SHA512
b3f31e1156e3fe943b750871702ff8e58196c1769d4b16d388d8f0325c7e954d32f31915794cba1aa5d3f911280c64235d1cc283a520b4e7a88d57e11887d086

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
9d8864d20f3e59ea4746c646df18e92f

SHA1
62deb9d472d9f836e30b46a5bfd649660834bd52

SHA256
eff0a715fdbda32e9e2dd3833a35f4dfceaa953fa673ed92511430d34dfe627b

SHA512
52bf408fd6163e208486cfae93469a59afc60fe4bbef6e6f45e6e00be05b9838c8de35cc45ccecc54f292e28755791a09ed1fa79617fbecb1fd2811f6db6f253

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
a6d766f965bb94f6e87f895014aaf3d7

SHA1
b409293105cb62e8786ab3bae0a6936e94d84de6

SHA256
2ccc8c79255fb7a23c6b2a6fc499df9644ebb0975814906eb910f630e9060e2c

SHA512
9a823a50c72c73703585b000c38178d648a5db319de35b062a9a4ca35aaf763297a2c9987fd2800e1839faf93c68a42e18de38ba1ac962b9010070914699199b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
247c80aeea09181e91dbdb44954a8805

SHA1
3b33144db4bf0bfd0dd4acc81dd3600fbc396dc6

SHA256
65aadb82ecf9fdadc41a14e85052e5ea800fd6a8d976c51eb0a7ee8e8d5843d7

SHA512
538741d02cc98e15af3197db38794e2015e69566d187d205f9f9368c56cd98d0b965ac2db3d17f6a3cbea615ce0a14a0bf224eba9bdd24c9fe05863f8e0523f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
290ea016338e70618de5f159b140e73f

SHA1
3c809ae138b06f5601386f2c2a7fd4e26ff8e329

SHA256
2ff919d6617fa50c5fcb8f1ec3475251559b9648e25fb9b4653622277a6ed42c

SHA512
87260ec3bf08be5799f1162d94ba5245a3d979dc498e732ba55f5841c55d4cd45fd79b35e7158bf9c78a7c2d09c99f8eb3ee96eeb4a60280a8c278d836055c4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
965337a3b8d40425b22a7ef6c4160fd5

SHA1
291a2376f6e85e6ec91d39853e09a4a53fffb761

SHA256
9dad87ffd579829f2a93e7e5730adcf287179b0e7ef51c5b41e95bd3d44863b1

SHA512
f887242625f94e1cd446e0eac92fa127a50f98f7423cf8eec090d22d7b9f95256209afa4c0f6962589671edc11e2b396e8c7f6c8413886420365ea1debb09058

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
8cd5a8f5f8cc5ae1972354376a7739f6

SHA1
e7466e622e3687cd0e34c1cfed3b6dc8b60c41e3

SHA256
e422a73b7514b15165a4b43c8203461b38e92cf772b6c92a7ade550a25d163e4

SHA512
a64832373be8d42a26bb17ffe6a4b60cf03a66ad131f512e0a52eb6ec7f78b46b74205f8b6d8c46040f85f3fef4790fda4de3368cc58c37d5b1663e3a08dc054

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2446d47515dedbfdaa58a97945d010ac

SHA1
d5764035de51d5868f32a68d6e39246e527c00b3

SHA256
581c6884c8822b732aff324c48b23eab62580a208ef0bd593283e39d942cd9cb

SHA512
2e14a6b45317f4c428986855cb6c16260a53296094ab9392c8e645e1d99467d20aa49c42809ef7c968f4a90b0dbd4dd42cb386f6994ff1cdfd35d5f535747506

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
5f0d33c68986dc82f7aaec64e33560ff

SHA1
b32b8ac9733cb7a6ca129abc3d01a5a52b180c5b

SHA256
0afb2f4215a99322d9daa9cc16aaea6d5e81ae33faae2de819d408fdd452a22b

SHA512
0a953ddd2b356049bbfcedaa430959bc8a57bf81349bf77182fc1154d0536b018954cfe8c40d0f76d1ff6afc41adc6f9b840f8e8a325c1b301a4836e7e71fb7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
370dcf20d78887bc24b99fe74a446c6e

SHA1
57a2e19fb5075fce686b755903ff006a5d8a1c87

SHA256
b2d775db7b4444c4f9e799d3187324ca91fe55b9bd1b92bac8a66bdaa387885e

SHA512
bee181325118b3f652ced89ff64ec6b8954df35b77fee7863cbf10a8a402fdab92eb239afa03ddfcca823e7b765d8ef260d8e24194a3d7f9d46bf3396a74f398

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
a61e84e1d3e129c468c49037f64cdfdb

SHA1
3f9b8db3c95e695c8ce44215c6eb0ff2c2b16856

SHA256
a70f3e23e47f05745664a08557cfba2f41b4b4e2602485d1a5ea4ab0f5b0e44d

SHA512
550e80eaf2c6a0057100c389a1482d71ae9b58cfde512bc52dddc5a7a6a1ebec32d57e0f97f5035f6829e5202c1dcc95ae1abd35208a4a12c75760d498c8aa19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
06956ad38e24c84c6c5980a139b06750

SHA1
d9f2cfcda0d233926df10988cdd0d2f283fcbcc1

SHA256
5e9b370a208c98eb9a552796d2ca0f549a4ce975ba22af9f32f1b5894a1fb673

SHA512
6443ef0bf60960bd914471c7b917880b1fee061f1d874367d922a03c437615f3c333390f1969758108efcad060e87e6fd57812a98493968a3f4b6158e67a5372

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
73fb04201313f288f202070fdffc08c3

SHA1
cdfede5ea039ab1e2c0a34cda69831c033fdc5b4

SHA256
32a2155d7802b5a0091d8166e00656ceb5931797959399bc2605c369044403df

SHA512
94fa79993ca1cf19b0c3dfc3d66714f5347723a94e430e8a29768e4f22c1a57b5f67263edb04924525e970bfb1754edefe4af532a036f712e94fa14d7cb510e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
1454ca746ead7ba8002449c81c600843

SHA1
f630e8414fb0da8de8f3869cf51d362646d4da99

SHA256
975fe7376ccbfdc6e01eddc772c7f63046cf74e54db0afbc44725fb4bdc6f017

SHA512
9797e90b72a530c1e38ce1b5e8926fc4b3c6337570405095bac3fcac6067c78de5b06063724c59603d147045301551d2e56b6ed5c4478dd754174826b0f3e74a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe584f63.TMP

Filesize
538B

MD5
c2f8005d513137e35526eb40a297132f

SHA1
e2c2ee160d847ad6e6b79e1acbafe173759ba81f

SHA256
d00acbcd6a06afbb19170c511e0ab205b6fa0781b0fa842a183b330a9baa71d1

SHA512
4ad45d537bfc3daa58c611c96d0a9f81a555821402f0d33ad6a31f2c47ac3304c6d725f883a0177f4a57d72906bc824d12b12e9223d5ba58f57b5dd00d5b4e2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

Filesize
76KB

MD5
5a298c4b2b084a763f1efd7fedb10761

SHA1
40cce9df2710553422e4578c40bcdf4fe9d2d8b8

SHA256
5865b5118035e75a6c0d44a7e39de580a69f3ba8c59810e3088e71b6e9a51b1e

SHA512
c6b980394ae3fb4f6476627053ce58068b3fefdededfa2e75a0a265ac7b715d67b5a15a7aea77f5c6044b2f269422e779f185946eca6c687ff20d8ddf7ab4fe5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
3f1e397bd90f0d22dc261e93f7d18ff0

SHA1
4a0a6f20bc672ff0c52a78a8003b6464fc7d1069

SHA256
6198517d67239eb33963100c86cb4c8d471ce555c52f331d2cc995bbb1cba147

SHA512
ef993bf2147c33d464202826768695ad3dc83d95422f20fa9b7f84f86d9f11ef54352d44b6a87be2183685529044a92fbf4a52faa97396dbe9081d662bfcd6a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
250bc5c6441aeb18eca36ac2a60d6d09

SHA1
7858b418912318b9b658c7bd473a2e4e9048d836

SHA256
d0d2616b85f52285a5f2d5bba169e01532fc61e5eda34897bcd750a055053f4b

SHA512
c844d61917a1e0ec341f6be1be01dcb4b842c434bd824d48ff5121536e5555f9e3267bcb83a3e3ee5d3afbe4d942c408bcd2f966c95d58c3471c9826ca2995be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
0542f1f4814810d46b901be747362e69

SHA1
f2313f580bee325a1766bbb58c32c40d566a51e3

SHA256
4efc500a78842d89b02d6d0fad6ee065142d6d2b30f3301667ad2ae5bf5a6836

SHA512
913372b43aee5007fde9b5e0158f38682804856ab5869578567b82fe8c13ac952b87cca9ee3f3f2218eaf8250acd07ce17766e177658b890fb860d4a462553ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
82fd8b265b07802ed26b0d136a65f819

SHA1
2b9cf60b54dce2d7d58a05fb253554358748eb0c

SHA256
f6729886d25daef357856110ed0b0f3af98fc86200be7c1ac5034e31d2773c4e

SHA512
dc2fe11c3d4da27ee74f151ee27f59a61418c683d76905b3a34b900fc2825af5a4dc78d964ce7e356c1a638918367eb42d38eb1dc2705be25a8f1fa63768608d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
0c80ae4cefb9a977433669fdfa38acfa

SHA1
fbaa5bc87f8cd8e619162bae23f4586c99a64d7d

SHA256
060a4f5a0892efa8864cc395261977f961338d8eac3464fb5e5af35d1c99fa56

SHA512
c1cb38b0b85fe44b97136ed0852d707b34c9cfb36e33e9ea06e276bb9a45e578cf5b0cd30a4dae44fff389c738721862b335743a4b4b9d3bdaae83f9f568f099

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b64ad561efb296c0b3e5e184969bada1

SHA1
2c83955b7912578527f72b077e2fc090defb0077

SHA256
868447436c3eb5ca5061fcc45fae773d9a989d4e1c5ed5f9a676b6cabb599cbc

SHA512
598ee62c49472b40479db1aae2dadd9fb0bf151a508538a86a337f1f3ba2e52a95b49abdbaa0375b6a650f83aa15e507107c243a7fabbb6e585ebd6a547ccbec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
9c0eb6b53bad8e632c2393de8b1a6df5

SHA1
a005d4cfd3f5859cbb80617bf3103159bb709c97

SHA256
6042b171ba1efae4f8826eb75c55d88b634dc0329535debe95675a926b443953

SHA512
7cc9272d333c8b33f8610c8a3774b9b064b44b498c64ed0bf919a9c9f2850ecdb25f25b1fa4bc76d2265bca5a9bc3be3f86db7db8e462725d10d2597408f674c

Download Submit
C:\Users\Admin\AppData\Roaming\SyncMount.tiff.WCRY

Filesize
541KB

MD5
364b87de832abba31c663683dd4adcef

SHA1
aea5a548836b7d4b225fdf2c9ddfcc05484dcd22

SHA256
37c2659b99b25cf3ec67d3be98e11b72cf03f30974a6e13f95f8151c6c8ea721

SHA512
a48c306bdd9d5ff44bdcf7e20fab00803f52309026a46be1afe60780206819f3b118cdd5479de62e4689ad6098db6fa8e59b7ce0c332e0ed17470dcc5e4b2fb7

Download Submit
C:\Users\Admin\Desktop\!Please Read Me!.txt.deria

Filesize
800B

MD5
efd3eb54e1b1f627f670906bbc91ac0b

SHA1
2e94ad1a4bd120f698fcc942ae3fd29305072aa3

SHA256
d669b3427f876268e983283a97dc0720cd05dc278cf82441d30e2a9b76f457af

SHA512
1d1614ec8f67e18c547a77b0e09649e2f09f7c777172dda36023ccc84790a8fb5a04b17b5ef1f89ac06a79026adcdf0b1477eaf7561304d3ab977da7fb4a78eb

Download Submit
C:\Users\Admin\Desktop\!WannaDecryptor!.exe.lnk.deria

Filesize
592B

MD5
62002b1be0667d8891ce8b9c31727fde

SHA1
7085d9e706f76f23d1cdbe34f9d04f306886963e

SHA256
3da6f29f660cd812ddb5321549005af738e25d4a369b8313f18eaaa146572619

SHA512
292937c687acc61af082f497b12f24057b1c9ce012b56c5768b65b56e52bc650442841f5733e626e1a8e65d88848e4f26244c21489817ca67552bc9498ee052e

Download Submit
C:\Users\Admin\Downloads\!Please Read Me!.txt

Filesize
797B

MD5
afa18cf4aa2660392111763fb93a8c3d

SHA1
c219a3654a5f41ce535a09f2a188a464c3f5baf5

SHA256
227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0

SHA512
4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b

Download Submit
C:\Users\Admin\Downloads\!WannaDecryptor!.exe.lnk

Filesize
590B

MD5
0505634adf9ad5f34b1d1522fdc7eb1b

SHA1
47a4b7fc53dc0babe01245a83cb16fa02fef353b

SHA256
98ce918a4cd9b2d3ee4ffa899b1e8edd6ab1a6fff580ca63e81f58e3331c3bf6

SHA512
e7c512d0a67b24fb333fe48cffb7a08bb87c26a17baafa81edcf442f1ffee47b24bd196848ad79696ae25338c39d77dbe53823ce6a32d7e55b53404d4a1a4932

Download Submit
C:\Users\Admin\Downloads\00000000.eky

Filesize
1KB

MD5
34f1df20990c21adc23335e5d57c341a

SHA1
0d3eb5cdaf227971829a21fbe042b47c2f096d2f

SHA256
a4c73f320996799d6147793578d052b5b3d45ed045f3c49d1dcb95c5f76c592b

SHA512
37f35b5ba0ac40ea50f015ac72e93c118271646496e3f75d3640b706f2abea8bf9f23ba016971d2cbfaf3b20971a8331085d875f6cf99af48343d344e7507aa2

Download Submit
C:\Users\Admin\Downloads\00000000.res

Filesize
136B

MD5
056980660235658643a8e9d55ac5f49f

SHA1
41783ec67710bc69f0b16aba050b0fd68dc79910

SHA256
2020b1fff55c07a6357c67109f1eec307733322c110fa1a01e153d30194951c3

SHA512
057be99d60f7f050da4763619f9ec806cfea084e9503bf9457581c00143717d2da98bbad731e510ac717489e3b6a23214957f933a555035a2ef064d5ad9d08d4

Download Submit
C:\Users\Admin\Downloads\00000000.res

Filesize
136B

MD5
14b0ffe80ee2837aadc1d828ba2afc07

SHA1
78313b2c0c9f401b09aee5368fe5616501c15977

SHA256
31b5c3e8d0d053812441e02fa9baeb2c59034769c484d9ab5eff00f7464f55e0

SHA512
2023cb3fc8d7ae054db7d20cf358d015a0e63c17351c42abe5ec314458677959f5069fddbf4244a9b46028fcbb101d2396177e52571f2e0c78714674e17345f7

Download Submit
C:\Users\Admin\Downloads\00000000.res

Filesize
136B

MD5
c522b460a5177a72933ccdca76c7c70a

SHA1
a7d8c02669b55afd3e8cae3263f3ff733171706d

SHA256
cd9630278958eb4efdf662e8c22e08349ad6e621d437195f0690e09547a3c00c

SHA512
c4f743f839f6e2dd58a980fd08e5ec134518ba8fe8355b9515c706f69c4543a2eb51f24f57bcfb188aede47ca308db69bc540b17be0900d5fca22f7d2c70a23c

Download Submit
C:\Users\Admin\Downloads\00000000.res

Filesize
136B

MD5
059139365fd2ac2ac5a0b99e3a6ac52c

SHA1
634bae3540909c57aa8715da52336707b48f7482

SHA256
6e3416932cbbef54c7dff7804183044cfa7bb0f15cec78c4ce44d5a49e57f0d3

SHA512
da6014f02e293ec9384b38721a0d7b55091d6de446bf267497887da0380cc9f72375be8f98973e0696bde1e9049d01db951e693dc0f8a2b5228af284738a22c4

Download Submit
C:\Users\Admin\Downloads\00000000.res

Filesize
136B

MD5
989cad3cbbc97f78bce34b7fa524a07e

SHA1
7439e56cfd645662d2f3b1a525090800a64d0e4c

SHA256
08cc33e43b51b327dd569b446bf6ca110317ec4e08c3f3f1a8b06cfe2744c553

SHA512
3e8c3ac29437e2a826f6f48cf11c45aa5a8c99ab418a495c3b3e58e75ce9eb22b64fe20314a4691b8a212e9ad98767a52c918f7ed4de7ec2b41433aa9b4ece5b

Download Submit
C:\Users\Admin\Downloads\00000000.res

Filesize
136B

MD5
26d2f2a90f59974f38d392f47df5caf9

SHA1
43477e072e325fc089f4e8599d6f3ef790ce7eb5

SHA256
6e11208d0f71fe9ad942dc984bd1b3a895cdcc164d25e2961b0e3dc3277edc22

SHA512
fe93c3a7fb5226a397425abc2db223e0ab21b2b1644b272f96b1eca0e900f35447f5d83baf0671dfae912718a81ed574d7a36ee36323bfe15a0b98d1aea0c216

Download Submit
C:\Users\Admin\Downloads\15e029c3834435150c76741e714540fcb799662db8cc2c61ba4ef192a781727b:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\262671733853622.bat

Filesize
318B

MD5
a261428b490a45438c0d55781a9c6e75

SHA1
e9eefce11cefcbb7e5168bfb8de8a3c3ac45c41e

SHA256
4288d655b7de7537d7ea13fdeb1ba19760bcaf04384cd68619d9e5edb5e31f44

SHA512
304887938520ffcc6966da83596ccc8688b7eace9572982c224f3fb9c59e6fb2dcaa021a19d2aae47346e954c0d0d8145c723b7143dece11ac7261dc41ba3d40

Download Submit
C:\Users\Admin\Downloads\TaskHost\t3117.tmp.deria

Filesize
16B

MD5
089e1478ef397d25f21efcd8155c523c

SHA1
c14362a50de14be99a17b654acee55be83ae65db

SHA256
0b1cdf7dce718a9f29733c9d9228630fe255db9a7f47aa76595277da253258b3

SHA512
5fb32911b765e2063ddb0825376538073adb6ea9b276b52756d1425f04ded443722d456648ae5f005dc63cd667bd5383ef9ad9e35233f9028f36d2744e4306dc

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 219251.crdownload:SmartScreen

Filesize
7B

MD5
4047530ecbc0170039e76fe1657bdb01

SHA1
32db7d5e662ebccdd1d71de285f907e3a1c68ac5

SHA256
82254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750

SHA512
8f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e

Download Submit
C:\Users\Admin\Downloads\WannaCry (2).exe:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
C:\Users\Admin\Downloads\c.vbs

Filesize
201B

MD5
02b937ceef5da308c5689fcdb3fb12e9

SHA1
fa5490ea513c1b0ee01038c18cb641a51f459507

SHA256
5d57b86aeb52be824875008a6444daf919717408ec45aff4640b5e64610666f1

SHA512
843eeae13ac5fdc216b14e40534543c283ecb2b6c31503aba2d25ddd215df19105892e43cf618848742de9c13687d21e8c834eff3f2b69a26df2509a6f992653

Download Submit
C:\Users\Admin\Downloads\c.wry

Filesize
628B

MD5
ec2bc08247e9fed4b372ce42e3166b32

SHA1
5787f0cd8cd2ce3840eec044b06b93998a32e8c5

SHA256
1e9e5783e890ad4574f6fc94ecdf219321ad0d6bd8876d5eab1f9268e8bf6907

SHA512
6f54d66b1e6d08aca4d9f1dea349cc7c05e173e73ad07b7ad3e71ff01fa539a3b168d452ab01302beb68edbd83abceccb5a36c0a6069a1b9a2d7c1b28246592e

Download Submit
C:\Users\Admin\Downloads\f.wry

Filesize
256B

MD5
36524b885b3c171670bdc530b8d99332

SHA1
04baae72a2be4247017afb1c13e66903fc8d6954

SHA256
980d215bbaf512681d833a0d7f6e506d2a879293260f6ddd609e42dfc9a67171

SHA512
e90e4d6e78c22a1396ea0f70e249a5a22aac5a43553b9926acdf2a1206ac483e7caf06936931b55a042b5cc34802ab8483119f942396392916042a71af72d2bb

Download Submit
C:\Users\Admin\Downloads\m.wry

Filesize
42KB

MD5
980b08bac152aff3f9b0136b616affa5

SHA1
2a9c9601ea038f790cc29379c79407356a3d25a3

SHA256
402046ada270528c9ac38bbfa0152836fe30fb8e12192354e53b8397421430d9

SHA512
100cda1f795781042b012498afd783fd6ff03b0068dbd07b2c2e163cd95e6c6e00755ce16b02b017693c9febc149ed02df9df9b607e2b9cca4b07e5bd420f496

Download Submit
C:\Users\Admin\Downloads\u.wry

Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
memory/1688-2776-0x0000000005730000-0x00000000057C2000-memory.dmp

Filesize
584KB

Download
memory/1688-2777-0x00000000056E0000-0x00000000056EA000-memory.dmp

Filesize
40KB

Download
memory/1688-2778-0x0000000005920000-0x0000000005976000-memory.dmp

Filesize
344KB

Download
memory/1688-2775-0x0000000005CE0000-0x0000000006286000-memory.dmp

Filesize
5.6MB

Download
memory/1688-2774-0x00000000055E0000-0x000000000567C000-memory.dmp

Filesize
624KB

Download
memory/1688-2773-0x0000000000B00000-0x0000000000B82000-memory.dmp

Filesize
520KB

Download
memory/1924-970-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download