wannacry | hxxp://github[.]com

max time kernel
147s
max time network
145s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
13-12-2024 18:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://github.com

Score

10^/10

wannacry defense_evasion discovery persistence ransomware spyware stealer upx worm

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\!Please Read Me!.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions! �

Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Wannacry family
wannacry
Downloads MZ/PE file

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDAA44.tmp	WannaCry.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDAA5B.tmp	WannaCry.exe

Executes dropped EXE 3 IoCs

pid	Process
1992	Xyeta.exe
2564	WannaCry.exe
1808	!WannaDecryptor!.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\Downloads\\WannaCry.exe\" /r"	WannaCry.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
2	raw.githubusercontent.com
48	raw.githubusercontent.com

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x001c00000002ac2d-911.dat	upx
behavioral1/memory/1992-951-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/1992-952-0x0000000000400000-0x000000000044F000-memory.dmp	upx

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 2 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Xyeta.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\WannaCry.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3572	1992	WerFault.exe	107

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Xyeta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
4312	taskkill.exe
960	taskkill.exe
3744	taskkill.exe
4804	taskkill.exe

NTFS ADS 5 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 264318.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 302082.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\WannaCry.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 472193.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Xyeta.exe:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
3508	msedge.exe
3508	msedge.exe
3796	msedge.exe
3796	msedge.exe
884	msedge.exe
884	msedge.exe
2752	identity_helper.exe
2752	identity_helper.exe
4312	msedge.exe
4312	msedge.exe
828	msedge.exe
828	msedge.exe
828	msedge.exe
828	msedge.exe
1012	msedge.exe
1012	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 19 IoCs

pid	Process
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3744	taskkill.exe
Token: SeDebugPrivilege	4312	taskkill.exe
Token: SeDebugPrivilege	960	taskkill.exe
Token: SeDebugPrivilege	4804	taskkill.exe

Suspicious use of FindShellTrayWindow 52 IoCs

pid	Process
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe
3796	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1808	!WannaDecryptor!.exe
1808	!WannaDecryptor!.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3796 wrote to memory of 1892	3796	msedge.exe	77
PID 3796 wrote to memory of 1892	3796	msedge.exe	77
PID 3796 wrote to memory of 4620	3796	msedge.exe	78
PID 3796 wrote to memory of 4620	3796	msedge.exe	78
PID 3796 wrote to memory of 4620	3796	msedge.exe	78
PID 3796 wrote to memory of 4620	3796	msedge.exe	78
PID 3796 wrote to memory of 4620	3796	msedge.exe	78
PID 3796 wrote to memory of 4620	3796	msedge.exe	78
PID 3796 wrote to memory of 4620	3796	msedge.exe	78
PID 3796 wrote to memory of 4620	3796	msedge.exe	78
PID 3796 wrote to memory of 4620	3796	msedge.exe	78
PID 3796 wrote to memory of 4620	3796	msedge.exe	78
PID 3796 wrote to memory of 4620	3796	msedge.exe	78
PID 3796 wrote to memory of 4620	3796	msedge.exe	78
PID 3796 wrote to memory of 4620	3796	msedge.exe	78
PID 3796 wrote to memory of 4620	3796	msedge.exe	78
PID 3796 wrote to memory of 4620	3796	msedge.exe	78
PID 3796 wrote to memory of 4620	3796	msedge.exe	78
PID 3796 wrote to memory of 4620	3796	msedge.exe	78
PID 3796 wrote to memory of 4620	3796	msedge.exe	78
PID 3796 wrote to memory of 4620	3796	msedge.exe	78
PID 3796 wrote to memory of 4620	3796	msedge.exe	78
PID 3796 wrote to memory of 4620	3796	msedge.exe	78
PID 3796 wrote to memory of 4620	3796	msedge.exe	78
PID 3796 wrote to memory of 4620	3796	msedge.exe	78
PID 3796 wrote to memory of 4620	3796	msedge.exe	78
PID 3796 wrote to memory of 4620	3796	msedge.exe	78
PID 3796 wrote to memory of 4620	3796	msedge.exe	78
PID 3796 wrote to memory of 4620	3796	msedge.exe	78
PID 3796 wrote to memory of 4620	3796	msedge.exe	78
PID 3796 wrote to memory of 4620	3796	msedge.exe	78
PID 3796 wrote to memory of 4620	3796	msedge.exe	78
PID 3796 wrote to memory of 4620	3796	msedge.exe	78
PID 3796 wrote to memory of 4620	3796	msedge.exe	78
PID 3796 wrote to memory of 4620	3796	msedge.exe	78
PID 3796 wrote to memory of 4620	3796	msedge.exe	78
PID 3796 wrote to memory of 4620	3796	msedge.exe	78
PID 3796 wrote to memory of 4620	3796	msedge.exe	78
PID 3796 wrote to memory of 4620	3796	msedge.exe	78
PID 3796 wrote to memory of 4620	3796	msedge.exe	78
PID 3796 wrote to memory of 4620	3796	msedge.exe	78
PID 3796 wrote to memory of 4620	3796	msedge.exe	78
PID 3796 wrote to memory of 3508	3796	msedge.exe	79
PID 3796 wrote to memory of 3508	3796	msedge.exe	79
PID 3796 wrote to memory of 696	3796	msedge.exe	80
PID 3796 wrote to memory of 696	3796	msedge.exe	80
PID 3796 wrote to memory of 696	3796	msedge.exe	80
PID 3796 wrote to memory of 696	3796	msedge.exe	80
PID 3796 wrote to memory of 696	3796	msedge.exe	80
PID 3796 wrote to memory of 696	3796	msedge.exe	80
PID 3796 wrote to memory of 696	3796	msedge.exe	80
PID 3796 wrote to memory of 696	3796	msedge.exe	80
PID 3796 wrote to memory of 696	3796	msedge.exe	80
PID 3796 wrote to memory of 696	3796	msedge.exe	80
PID 3796 wrote to memory of 696	3796	msedge.exe	80
PID 3796 wrote to memory of 696	3796	msedge.exe	80
PID 3796 wrote to memory of 696	3796	msedge.exe	80
PID 3796 wrote to memory of 696	3796	msedge.exe	80
PID 3796 wrote to memory of 696	3796	msedge.exe	80
PID 3796 wrote to memory of 696	3796	msedge.exe	80
PID 3796 wrote to memory of 696	3796	msedge.exe	80
PID 3796 wrote to memory of 696	3796	msedge.exe	80
PID 3796 wrote to memory of 696	3796	msedge.exe	80
PID 3796 wrote to memory of 696	3796	msedge.exe	80

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://github.com
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8d2bc3cb8,0x7ff8d2bc3cc8,0x7ff8d2bc3cd8
  2⤵
  PID:1892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1820,12571294870468267212,11762815881946761654,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1948 /prefetch:2
  2⤵
  PID:4620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1820,12571294870468267212,11762815881946761654,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2432 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1820,12571294870468267212,11762815881946761654,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2724 /prefetch:8
  2⤵
  PID:696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1820,12571294870468267212,11762815881946761654,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
  2⤵
  PID:5044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1820,12571294870468267212,11762815881946761654,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
  2⤵
  PID:2836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1820,12571294870468267212,11762815881946761654,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4756 /prefetch:1
  2⤵
  PID:4612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1820,12571294870468267212,11762815881946761654,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5072 /prefetch:8
  2⤵
  PID:1848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1820,12571294870468267212,11762815881946761654,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2012 /prefetch:1
  2⤵
  PID:4392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1820,12571294870468267212,11762815881946761654,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:1
  2⤵
  PID:4668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1820,12571294870468267212,11762815881946761654,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4720 /prefetch:1
  2⤵
  PID:412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1820,12571294870468267212,11762815881946761654,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4940 /prefetch:1
  2⤵
  PID:3012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1820,12571294870468267212,11762815881946761654,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4872 /prefetch:1
  2⤵
  PID:4512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1820,12571294870468267212,11762815881946761654,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4704 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:884
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1820,12571294870468267212,11762815881946761654,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5116 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1820,12571294870468267212,11762815881946761654,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4960 /prefetch:1
  2⤵
  PID:2136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1820,12571294870468267212,11762815881946761654,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4696 /prefetch:1
  2⤵
  PID:2464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1820,12571294870468267212,11762815881946761654,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6148 /prefetch:1
  2⤵
  PID:4344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1820,12571294870468267212,11762815881946761654,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5812 /prefetch:1
  2⤵
  PID:3200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1820,12571294870468267212,11762815881946761654,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5768 /prefetch:1
  2⤵
  PID:4480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1820,12571294870468267212,11762815881946761654,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:1
  2⤵
  PID:2132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1820,12571294870468267212,11762815881946761654,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5808 /prefetch:1
  2⤵
  PID:4036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1820,12571294870468267212,11762815881946761654,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6348 /prefetch:1
  2⤵
  PID:2420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1820,12571294870468267212,11762815881946761654,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6208 /prefetch:1
  2⤵
  PID:4876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1820,12571294870468267212,11762815881946761654,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6540 /prefetch:1
  2⤵
  PID:392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1820,12571294870468267212,11762815881946761654,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7008 /prefetch:8
  2⤵
  PID:1996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1820,12571294870468267212,11762815881946761654,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6792 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4312
- C:\Users\Admin\Downloads\Xyeta.exe
  "C:\Users\Admin\Downloads\Xyeta.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1992
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1992 -s 472
    3⤵
    - Program crash
    PID:3572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1820,12571294870468267212,11762815881946761654,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=7016 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1820,12571294870468267212,11762815881946761654,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7068 /prefetch:1
  2⤵
  PID:3480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1820,12571294870468267212,11762815881946761654,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6992 /prefetch:8
  2⤵
  PID:4240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1820,12571294870468267212,11762815881946761654,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7268 /prefetch:8
  2⤵
  PID:4180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1820,12571294870468267212,11762815881946761654,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7260 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1012
- C:\Users\Admin\Downloads\WannaCry.exe
  "C:\Users\Admin\Downloads\WannaCry.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2564
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 253201734114026.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1500
  - - C:\Windows\SysWOW64\cscript.exe
      cscript //nologo c.vbs
      4⤵
      System Location Discovery: System Language Discovery
      PID:4588
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe f
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1808
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im MSExchange*
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3744
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Microsoft.Exchange.*
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4312
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sqlserver.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4804
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sqlwriter.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:960

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2204

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1992 -ip 1992
1⤵
PID:2020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
aad1d98ca9748cc4c31aa3b5abfe0fed

SHA1
32e8d4d9447b13bc00ec3eb15a88c55c29489495

SHA256
2a07cac05ffcf140a9ad32e58ef51b32ecccf1e3ab5ef4e656770df813a8944e

SHA512
150ebf7e37d20f88b21ab7ea0793afe1d40b00611ed36f0cf1ac1371b656d26f11b08a84dbb958891c79776fae04c9c616e45e2e211d292988a5709857a3bf72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
cb557349d7af9d6754aed39b4ace5bee

SHA1
04de2ac30defbb36508a41872ddb475effe2d793

SHA256
cfc24ed7d1c2e2c6585f53db7b39aa2447bf9212487b0a3c8c2a7d8e7e5572ee

SHA512
f0cf51f42d975d720d613d09f201435bf98c6283ae5bc033207f4ada93b15e49743a235a1cfb1b761bde268e2f7f8561aa57619b99bff67a36820bc1a4d0ec4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002b

Filesize
64KB

MD5
d6b36c7d4b06f140f860ddc91a4c659c

SHA1
ccf16571637b8d3e4c9423688c5bd06167bfb9e9

SHA256
34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

SHA512
2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002c

Filesize
70KB

MD5
807dda2eb77b3df60f0d790fb1e4365e

SHA1
e313de651b857963c9ab70154b0074edb0335ef4

SHA256
75677b9722d58a0a288f7931cec8127fd786512bd49bfba9d7dcc0b8ef2780fc

SHA512
36578c5aedf03f9a622f3ff0fdc296aa1c2d3074aaea215749b04129e9193c4c941c8a07e2dbbf2f64314b59babb7e58dfced2286d157f240253641c018b8eda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002d

Filesize
65KB

MD5
56d57bc655526551f217536f19195495

SHA1
28b430886d1220855a805d78dc5d6414aeee6995

SHA256
f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4

SHA512
7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002e

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00003c

Filesize
224KB

MD5
5c7fb0927db37372da25f270708103a2

SHA1
120ed9279d85cbfa56e5b7779ffa7162074f7a29

SHA256
be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844

SHA512
a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f89224c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
e4671e5289db310db1b1fd3c1cfd8233

SHA1
827f3aaf6a212b8eee2a51503b9f9264c82d0baf

SHA256
cb731ca848c13c6fe43b2d05a0d44da8fcd4b58f77c0aa74dd42f9ff79323110

SHA512
b13d5cd9f6ebcb0531cfe229c9deceef257bdac2c2de554a3f387af58e6f1d9782364b038d2dcc26b1dfabcbf995eb796196eb763a8d9d861360b3bfdb38bcdc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
d10178cc8fe2eb6db461386be6a6fc5e

SHA1
ce8be134011ec6cfe70133be9a38fca95f537047

SHA256
2b038248936968346d83b1959578e3eac20ea5d196abe011b3c6c55d4b96f5c0

SHA512
adc261686f7fe3721e34d25cf2fef7c8ad63085918b3915e95952670f688af9131e754786b88e38d073837eb42e20e55f9bdc16e642d4a003ec91b3cadda88bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
2462ea2d62005e23ee184e454623e603

SHA1
f5bfe04faeba231716881a245a8af825c1eb0ae6

SHA256
ab4bb9999fab17ff5678c53c06296c250dda45b4df41e0560e3da8e2b8914a77

SHA512
a29a16ca71118a8e1669525f78ede3c5a744a13a4ad480bed2c079513b7f7e59e9edc171fd6c8496780893f37a757c7144ec6582ae9255de2471dbd6b696bbbb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
c82a0f962797f98d2c68cdca52b467e8

SHA1
21f7250ea0bfbdd32c4d24f28b218b3963bd361f

SHA256
975d6c086cfbceadc0a98392af88395a0a15e00b4d831bd89d5b3e3e67b7f567

SHA512
0b1a36917683deb76c36b424ae65e18262c9e7491feef9e30474cc96263c82b1933ae477a91e32dd37298a8aa5ebbccf05d832acdfeb4e8aae79a48c75f79a1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
701B

MD5
ecc657cff5d87528fd6f6a2b48e845df

SHA1
8eeda8a242817978aba9e646a4c91178881b88a7

SHA256
fddf417e049af7d089fa668c55473d96af1b804cbd49d7bcbfd9f3826412cd7f

SHA512
827a465364f5d0be7f5d9d4356f6beadbcbfaca725a4720b29ba6e903cabc52e0502a2b0c739c182f2541e8e16f816e68ede8c9876d897702e445b4b925523d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
945B

MD5
ecf5ea04dafa53792007ef8ea9646fa4

SHA1
f0f515b27f5c5ee5048b2f61eae030c267a6bcf4

SHA256
54c85470057b9915e9f5e887027056037abdeb78982e8ed0dcfc48aa1c45433c

SHA512
484a91969f385f7e2d881cc7d7aef8174d1b32dc3c3e9f842df499c39dec5464d1a0934ae326f3278dc7dfa80d87b9ac8a86698acdd681df3a271f0260570b58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e6cf9adc9803148e26d368ebca67c3c5

SHA1
71c45476a66cff766b7fa2a5278ba1b6780f3195

SHA256
b13050f4ab2f10d31a902906c4143b03dedca7f170d63fc2d94a2872d9da2517

SHA512
590b588b6a34e524499724131aeb8ad664be4e13f18bd8416df972a498b035ff7fe40b870aa0365f083b34d221200aa2a800bbba53d03328566281d326f79479

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
01b841a15dde860a93539788a7e6a080

SHA1
a1b9e01ea929b05d5a73c02dd61ac681dd122c1f

SHA256
db9821483daafa468e8ed4f14716691f74e41d33491bf7c1d20233e38bd56e71

SHA512
05457e42dea079bdc3d211216dd0b55211f415d9833636838bc54899e4588600a1f879fe40c5091f239d3385212ea3a242cd104e183aab01d0597aefeb8b0c1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
662c79e7b3266f42c868ab4d05bbb2df

SHA1
da43cee7bce03bf663013e9d287b30ea40add3f1

SHA256
c3bce25d2f6291299b830efc23942944021549629403c7831c2c8fc64b5ab84c

SHA512
bf641e890e95d33b4bde5aea892812f89dea2875278b1ccb159c4b9a3de313cd424e2d27c62da9881b547ea4ed231249f88186071e389af3384e0202db2ff25f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
9187d284178b2052325c47a3fb6a5443

SHA1
d7915b39d699ca5181f3e8d7b0b3eba20e2548a6

SHA256
25484f229b7c180918228d9e9bb410f601cce2a34945b4d45bb8a9b0424f9e4b

SHA512
6267af7b2c7d62b5e9aee5d113fc119d9cbd3e4e694590bc7f21ae3e5a6fe544b03b62fe5d576f3a5dd97ad7b85e178985e693ca3541d8c8d0b49c50c49fec77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d2af26e7816287d10850600148a242f3

SHA1
6a789fe62b1768e5ddd873d020bf6c6c13ae86c5

SHA256
9bb233980b9e4acadddce424cf2e90aa1346907ed294a269b9011a5955724ce8

SHA512
f171e31d91f6a768165232ab5568ec45f73f775f89d382f8d72abb9a1ffbb70ac26eecb8948e6bca23ae9a90d2650d9286398641f9fc441246052922cfb3816d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
aa90e76fb00a4f1ba811cbd05afe1c90

SHA1
d2794eb451aef17337d9110c90ad23899955d5e5

SHA256
88f2a7c7143779db987cbde64401e5c672b971e8083869df999953f698cadb59

SHA512
94177733a94f09bf60edf575142f3915bdc1bd19163ed6298c15bcf85df6fc529ccee48b44dd786db2f456f342f66001555ffe4021e3bc204bcdfea2c98ff7e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
7852cfd8feb262741842ba472f684b1a

SHA1
79c4f6f644f1837ebf600bf13aab50cb7a100527

SHA256
d35812a4e1a59465b27251d60feb3ba83f23646ff8d8f45bfea8a7cffd1928d6

SHA512
0e87a44d828276f26d759d01313a9ad0575fc4c871a527b1c760f29222462f5b6f30eaebe95aa181a2ec0a747e1e35e3003322927dc213d833bef75f4e50154f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
b68d62c970005a533148f84d76e8c705

SHA1
9bf6ee6e6b2bde7810a696bdddff268c92aa84f0

SHA256
6dc2bf0f3442c6584c655a4d56d25f5446efa0b70df06ebaeadd69830469179a

SHA512
eb3e5f45effa6ea811e9e7dd43dea2a92319b01d54d34950faa5c71d7c336e0913926bcfa732554b45b554b548c3d2bd01fa3cd85041644ebb231b5d038d543f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ffdebb247c19ca0fa4bcf0d7c112d212

SHA1
6b49e981e9b217f5496fbdcaf1a640f862a7ccab

SHA256
7c1107929864a34208ae01e0c23c0f97c8ad7d1e24627d13c538d95a92d9baa2

SHA512
be43423e6ac82f0766a3488bd3056d2005176fc923667f84f26dc3481cee352762c04496f80c60d9a123e61229cfa6839b80307401846ca91d572df87e04b9f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
706B

MD5
5afa6aa3b48b71f5cdce2d45e004763a

SHA1
82141d3547b2ce1d94764bb20864365f432ad594

SHA256
26fa48aa7cf3f102abf275ac936b1844367dcf895644c0c5a370d41926abb39c

SHA512
e6390efcc28a4c49c5055a8c05d5f8b9e65ca9be3ff5a1fa8e40a74fe25b96d37ad7b05f8e75aff0149168cb534f6c5a114da991333984ece202a5a14f09dfac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
b6ca89b9e886af8d6fa6e8b224977b82

SHA1
472d5b0175f0f891155828fec8e875f7312adc3a

SHA256
6de4ec544cef31bfc8e8ccea5a1ad060d9c6bebe2364fd83cc543c2f9332d788

SHA512
b59599bb4d76878f19ff5008999b6ddc5ee49792d5d2c0d4ae915966a8ff0cc831185598ca7cb0c53371e45b70c36f7ca9cc8f69664444f9cefedd2903c43165

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
1828916928aa049047a48b525f39a89f

SHA1
511773e300f3abeff9b2ee59b9d2c5a6fb3b250f

SHA256
43f394896bd884f0ecf3b072047b530c07ee731059e3968e0ba13904e01226be

SHA512
789e4e13cb69ad61b2e634af146043b07caac948b2ca3e4804bf6282da0001090f595c87529a94ac1458b3902e3627fe28f8a7d206fc1913ee2c8a11fb9cbd54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57c534.TMP

Filesize
706B

MD5
6ed1d36eb321a451bef6c2ebfcfe4d76

SHA1
4d16518c40cee391acb5a2513b4eae6464195b9c

SHA256
4ebcbc759953c00b204d05634062870de5827ebf03d12671f5eb85de31bff3b2

SHA512
cb212caf59c3d855e82f18e6fef43aca8094c928494b022ac2a2cc8cb6ccd7739acb7bb2b32451b7023a03ee7806f79d100305585e6d29ddf2e65230315a4504

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\heavy_ad_intervention_opt_out.db

Filesize
16KB

MD5
9a8e0fb6cf4941534771c38bb54a76be

SHA1
92d45ac2cc921f6733e68b454dc171426ec43c1c

SHA256
9ee9211a57c3f6fa211fe0323fa8cd521e7cbffcd8ff0896645a45795dc472be

SHA512
12ed22537dcc79d53f6c7d39e92a38f8fea076d793198928f5b7a5dd1234d50a3c0b4815632f3fadf8bc4ef0499773d22bd83f961d2d0ffd8afacf471bd3a5ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

Filesize
80KB

MD5
1712a9da9e5ffadebbab1cd25a265c3e

SHA1
3158eaf7330536640c5c624e749dda664eaabdf2

SHA256
b225c85737953af8f0a7bda9987f0f3c75605ac78ae6d8eedd43a84c4d34e816

SHA512
2bf4c365999212c4350cfa6c25daf3a37a3240cae236fdd5d46917473559507b5ccc2263dca598a21ab800545dc7b761ce2c37cd0d2d2f6ca88b69b80a36c4da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\previews_opt_out.db

Filesize
16KB

MD5
d926f072b41774f50da6b28384e0fed1

SHA1
237dfa5fa72af61f8c38a1e46618a4de59bd6f10

SHA256
4f7b0e525d4bfc53d5df49589e25a0bccf2fcf6a1a0ca3f94d3285bb9cf0a249

SHA512
a140df6ec0d3099ef374e8f3ece09bf91bc896ac4a1d251799a521543fe9bdea796ba09fa47932bd54fa939118495078f9258557b32c31d3d4011b0666a4723f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
37e2b322cb0635a9391329230edd4b22

SHA1
807a21c367edb55859b1fa087ccd915e82ada2d6

SHA256
342f8f058d79b009aa7619e9b387c2b965658a908879dfb414b4b03378dbaee8

SHA512
b2ac6bd6eb02ad687a33223387700db0c6a8effa13f1f54095bd75eace0feb848a4d2e1c2c3949308f0c6bca623bb70188a9dc11764c7f887f98c8603c02ad56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
679582ed27cd71493959f156ac859eaf

SHA1
bf342f74d70b2007859f84dd47a9aefb706c5420

SHA256
9f553ed1e23bf5da2f39568ff34888cbf38b539d9a8d905c3298b89189bc2450

SHA512
eab3829245de86dc5f2724ca449308aff61e0bfff2e2b52fe943e1753371e373f72c8987a9430fcba44fdc6d38f75fcb172d2618321e43f1c560a544027c244e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
eab42d4e2999f83b1357a3a934451c55

SHA1
3be4c565740cadb9903d3d3db48c38b2fd02144f

SHA256
d39466b8a1352343b59775dc28af31b29a26603ccd43a9bfd1286a223593cb63

SHA512
b659a20e0a5c29f74d88e4a0cd7fcd271b184d1d98b33443f7b0942b85f982c0703b908d33d6ac9d598ccca433a5f44c4765c6b9a83ead79e4e76be19e8cdf4f

Download Submit
C:\Users\Admin\Downloads\!Please Read Me!.txt

Filesize
797B

MD5
afa18cf4aa2660392111763fb93a8c3d

SHA1
c219a3654a5f41ce535a09f2a188a464c3f5baf5

SHA256
227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0

SHA512
4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b

Download Submit
C:\Users\Admin\Downloads\!WannaDecryptor!.exe.lnk

Filesize
590B

MD5
108ff70e4aaafb6c0633c58e55bd11b1

SHA1
c0941addeee36f82f1dd62070f083a01bcd162af

SHA256
8505cda06dbab2fe2c621c37a911607774f93a6c0f9d7aeeeaa7a616ee8af5ca

SHA512
86324ddf6035fa80c870a4fea3807f3597d066d820b53f71bcd33f8410f2dac7b4c64b002e12865ab89f9159a780b1e566e4a5e4a36dd5f82a01d10eb0b665aa

Download Submit
C:\Users\Admin\Downloads\00000000.res

Filesize
136B

MD5
ad8bf2806e4e7653550509b02ca8b8e0

SHA1
6be059d1b24faa7def22250fe7a6019843d41d03

SHA256
5f772e8276a108cd0470c94e81fa932cf1b31fe2249caf2f1c09f6596f955988

SHA512
318b2215fafcd52d9ec5a22e8367a0fe8ef745c229f095dc574a8b777ddf8e286f47055c1a3d87f100638064e0dcfc2c8533031fb7528c201c7206ab6c73e12a

Download Submit
C:\Users\Admin\Downloads\253201734114026.bat

Filesize
318B

MD5
a261428b490a45438c0d55781a9c6e75

SHA1
e9eefce11cefcbb7e5168bfb8de8a3c3ac45c41e

SHA256
4288d655b7de7537d7ea13fdeb1ba19760bcaf04384cd68619d9e5edb5e31f44

SHA512
304887938520ffcc6966da83596ccc8688b7eace9572982c224f3fb9c59e6fb2dcaa021a19d2aae47346e954c0d0d8145c723b7143dece11ac7261dc41ba3d40

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 472193.crdownload

Filesize
84KB

MD5
9d15a3b314600b4c08682b0202700ee7

SHA1
208e79cdb96328d5929248bb8a4dd622cf0684d1

SHA256
3ab3833e31e4083026421c641304369acfd31b957b78af81f3c6ef4968ef0e15

SHA512
9916397b782aaafa68eb6a781ea9a0db27f914035dd586142c818ccbd7e69036896767bedba97489d5100de262a554cf14bcdf4a24edda2c5d37217b265398d3

Download Submit
C:\Users\Admin\Downloads\Xyeta.exe:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
C:\Users\Admin\Downloads\c.vbs

Filesize
201B

MD5
02b937ceef5da308c5689fcdb3fb12e9

SHA1
fa5490ea513c1b0ee01038c18cb641a51f459507

SHA256
5d57b86aeb52be824875008a6444daf919717408ec45aff4640b5e64610666f1

SHA512
843eeae13ac5fdc216b14e40534543c283ecb2b6c31503aba2d25ddd215df19105892e43cf618848742de9c13687d21e8c834eff3f2b69a26df2509a6f992653

Download Submit
C:\Users\Admin\Downloads\c.wry

Filesize
628B

MD5
9e7ade9bae04875f1f1e3ea0b9378778

SHA1
2b191edf160ada7394971136dc321a87c217d33d

SHA256
c28b8cf04cedbc001de6d67a0c76709fcf947326904c915f31353211a1fc8654

SHA512
4afcc955251d9ac8f35fa27382fdeacb1b9c1d87076724ce9486c5b6b646a4af0409a68181e508d7f18b9bbe391f4a046203466f988159c6932a792ec0aed8f4

Download Submit
C:\Users\Admin\Downloads\u.wry

Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
memory/1992-952-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1992-951-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2564-1036-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download