wannacry | be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844

Analysis

max time kernel
106s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20250410-en
resource tags

arch:x64arch:x86image:win10v2004-20250410-enlocale:en-usos:windows10-2004-x64system
submitted
13/04/2025, 19:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WannaCry.exe
Size

224KB
MD5

5c7fb0927db37372da25f270708103a2
SHA1

120ed9279d85cbfa56e5b7779ffa7162074f7a29
SHA256

be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844
SHA512

a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f89224c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206
SSDEEP

3072:Y059femWRwTs/dbelj0X8/j84pcRXPlU3Upt3or4H84lK8PtpLzLsR/EfcZ:+5RwTs/dSXj84mRXPemxdBlPvLzLeZ

Score

10^/10

wannacry defense_evasion discovery execution impact persistence ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\!Please Read Me!.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions! �

Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Wannacry family
wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDBCFE.tmp	WannaCry.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDBD14.tmp	WannaCry.exe

Executes dropped EXE 5 IoCs

pid	Process
5652	!WannaDecryptor!.exe
5796	!WannaDecryptor!.exe
816	!WannaDecryptor!.exe
5336	!WannaDecryptor!.exe
5156	!WannaDecryptor!.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\WannaCry.exe\" /r"	WannaCry.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3027557611-1484967174-339164627-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp"	!WannaDecryptor!.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msedge.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Kills process with taskkill 4 IoCs

defense_evasion

pid	Process
4592	taskkill.exe
2140	taskkill.exe
1468	taskkill.exe
3816	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133890475302526776"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3027557611-1484967174-339164627-1000\{C176131C-E235-4B8E-A645-DF2BF7FD313B}	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5336	!WannaDecryptor!.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
1200	msedge.exe
1200	msedge.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

description	pid	Process
Token: SeDebugPrivilege	2140	taskkill.exe
Token: SeDebugPrivilege	4592	taskkill.exe
Token: SeDebugPrivilege	3816	taskkill.exe
Token: SeDebugPrivilege	1468	taskkill.exe
Token: SeIncreaseQuotaPrivilege	3048	WMIC.exe
Token: SeSecurityPrivilege	3048	WMIC.exe
Token: SeTakeOwnershipPrivilege	3048	WMIC.exe
Token: SeLoadDriverPrivilege	3048	WMIC.exe
Token: SeSystemProfilePrivilege	3048	WMIC.exe
Token: SeSystemtimePrivilege	3048	WMIC.exe
Token: SeProfSingleProcessPrivilege	3048	WMIC.exe
Token: SeIncBasePriorityPrivilege	3048	WMIC.exe
Token: SeCreatePagefilePrivilege	3048	WMIC.exe
Token: SeBackupPrivilege	3048	WMIC.exe
Token: SeRestorePrivilege	3048	WMIC.exe
Token: SeShutdownPrivilege	3048	WMIC.exe
Token: SeDebugPrivilege	3048	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3048	WMIC.exe
Token: SeRemoteShutdownPrivilege	3048	WMIC.exe
Token: SeUndockPrivilege	3048	WMIC.exe
Token: SeManageVolumePrivilege	3048	WMIC.exe
Token: 33	3048	WMIC.exe
Token: 34	3048	WMIC.exe
Token: 35	3048	WMIC.exe
Token: 36	3048	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3048	WMIC.exe
Token: SeSecurityPrivilege	3048	WMIC.exe
Token: SeTakeOwnershipPrivilege	3048	WMIC.exe
Token: SeLoadDriverPrivilege	3048	WMIC.exe
Token: SeSystemProfilePrivilege	3048	WMIC.exe
Token: SeSystemtimePrivilege	3048	WMIC.exe
Token: SeProfSingleProcessPrivilege	3048	WMIC.exe
Token: SeIncBasePriorityPrivilege	3048	WMIC.exe
Token: SeCreatePagefilePrivilege	3048	WMIC.exe
Token: SeBackupPrivilege	3048	WMIC.exe
Token: SeRestorePrivilege	3048	WMIC.exe
Token: SeShutdownPrivilege	3048	WMIC.exe
Token: SeDebugPrivilege	3048	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3048	WMIC.exe
Token: SeRemoteShutdownPrivilege	3048	WMIC.exe
Token: SeUndockPrivilege	3048	WMIC.exe
Token: SeManageVolumePrivilege	3048	WMIC.exe
Token: 33	3048	WMIC.exe
Token: 34	3048	WMIC.exe
Token: 35	3048	WMIC.exe
Token: 36	3048	WMIC.exe
Token: SeBackupPrivilege	5700	vssvc.exe
Token: SeRestorePrivilege	5700	vssvc.exe
Token: SeAuditPrivilege	5700	vssvc.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1200	msedge.exe
1200	msedge.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
5652	!WannaDecryptor!.exe
5652	!WannaDecryptor!.exe
5796	!WannaDecryptor!.exe
5796	!WannaDecryptor!.exe
816	!WannaDecryptor!.exe
816	!WannaDecryptor!.exe
5336	!WannaDecryptor!.exe
5336	!WannaDecryptor!.exe
5156	!WannaDecryptor!.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4956 wrote to memory of 4456	4956	WannaCry.exe	87
PID 4956 wrote to memory of 4456	4956	WannaCry.exe	87
PID 4956 wrote to memory of 4456	4956	WannaCry.exe	87
PID 4456 wrote to memory of 2732	4456	cmd.exe	90
PID 4456 wrote to memory of 2732	4456	cmd.exe	90
PID 4456 wrote to memory of 2732	4456	cmd.exe	90
PID 3668 wrote to memory of 4480	3668	cmd.exe	91
PID 3668 wrote to memory of 4480	3668	cmd.exe	91
PID 3668 wrote to memory of 4480	3668	cmd.exe	91
PID 4956 wrote to memory of 5652	4956	WannaCry.exe	95
PID 4956 wrote to memory of 5652	4956	WannaCry.exe	95
PID 4956 wrote to memory of 5652	4956	WannaCry.exe	95
PID 4956 wrote to memory of 2140	4956	WannaCry.exe	96
PID 4956 wrote to memory of 2140	4956	WannaCry.exe	96
PID 4956 wrote to memory of 2140	4956	WannaCry.exe	96
PID 4956 wrote to memory of 4592	4956	WannaCry.exe	97
PID 4956 wrote to memory of 4592	4956	WannaCry.exe	97
PID 4956 wrote to memory of 4592	4956	WannaCry.exe	97
PID 4956 wrote to memory of 3816	4956	WannaCry.exe	98
PID 4956 wrote to memory of 3816	4956	WannaCry.exe	98
PID 4956 wrote to memory of 3816	4956	WannaCry.exe	98
PID 4956 wrote to memory of 1468	4956	WannaCry.exe	99
PID 4956 wrote to memory of 1468	4956	WannaCry.exe	99
PID 4956 wrote to memory of 1468	4956	WannaCry.exe	99
PID 4956 wrote to memory of 5796	4956	WannaCry.exe	112
PID 4956 wrote to memory of 5796	4956	WannaCry.exe	112
PID 4956 wrote to memory of 5796	4956	WannaCry.exe	112
PID 4956 wrote to memory of 3292	4956	WannaCry.exe	113
PID 4956 wrote to memory of 3292	4956	WannaCry.exe	113
PID 4956 wrote to memory of 3292	4956	WannaCry.exe	113
PID 3292 wrote to memory of 816	3292	cmd.exe	115
PID 3292 wrote to memory of 816	3292	cmd.exe	115
PID 3292 wrote to memory of 816	3292	cmd.exe	115
PID 4956 wrote to memory of 5336	4956	WannaCry.exe	117
PID 4956 wrote to memory of 5336	4956	WannaCry.exe	117
PID 4956 wrote to memory of 5336	4956	WannaCry.exe	117
PID 816 wrote to memory of 3408	816	!WannaDecryptor!.exe	119
PID 816 wrote to memory of 3408	816	!WannaDecryptor!.exe	119
PID 816 wrote to memory of 3408	816	!WannaDecryptor!.exe	119
PID 3408 wrote to memory of 3048	3408	cmd.exe	121
PID 3408 wrote to memory of 3048	3408	cmd.exe	121
PID 3408 wrote to memory of 3048	3408	cmd.exe	121
PID 1200 wrote to memory of 4300	1200	msedge.exe	133
PID 1200 wrote to memory of 4300	1200	msedge.exe	133
PID 1200 wrote to memory of 5600	1200	msedge.exe	135
PID 1200 wrote to memory of 5600	1200	msedge.exe	135
PID 1200 wrote to memory of 4760	1200	msedge.exe	134
PID 1200 wrote to memory of 4760	1200	msedge.exe	134
PID 1200 wrote to memory of 5600	1200	msedge.exe	135
PID 1200 wrote to memory of 5600	1200	msedge.exe	135
PID 1200 wrote to memory of 5600	1200	msedge.exe	135
PID 1200 wrote to memory of 5600	1200	msedge.exe	135
PID 1200 wrote to memory of 5600	1200	msedge.exe	135
PID 1200 wrote to memory of 5600	1200	msedge.exe	135
PID 1200 wrote to memory of 5600	1200	msedge.exe	135
PID 1200 wrote to memory of 5600	1200	msedge.exe	135
PID 1200 wrote to memory of 5600	1200	msedge.exe	135
PID 1200 wrote to memory of 5600	1200	msedge.exe	135
PID 1200 wrote to memory of 5600	1200	msedge.exe	135
PID 1200 wrote to memory of 5600	1200	msedge.exe	135
PID 1200 wrote to memory of 5600	1200	msedge.exe	135
PID 1200 wrote to memory of 5600	1200	msedge.exe	135
PID 1200 wrote to memory of 5600	1200	msedge.exe	135
PID 1200 wrote to memory of 5600	1200	msedge.exe	135

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\WannaCry.exe
"C:\Users\Admin\AppData\Local\Temp\WannaCry.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4956
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 40621744573851.bat
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4456
- - C:\Windows\SysWOW64\cscript.exe
    cscript //nologo c.vbs
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2732
- C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
  !WannaDecryptor!.exe f
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5652
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im MSExchange*
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2140
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im Microsoft.Exchange.*
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4592
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im sqlserver.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3816
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im sqlwriter.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1468
- C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
  !WannaDecryptor!.exe c
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5796
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c start /b !WannaDecryptor!.exe v
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3292
- - C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
    !WannaDecryptor!.exe v
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:816
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3408
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3048
- C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  2⤵
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:5336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\WannaCry.exe" /r
1⤵
- Suspicious use of WriteProcessMemory
PID:3668
- C:\Users\Admin\AppData\Local\Temp\WannaCry.exe
  C:\Users\Admin\AppData\Local\Temp\WannaCry.exe /r
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4480

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5700

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
"C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5156

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
1⤵
PID:5108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --edge-skip-compat-layer-relaunch
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1200
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x238,0x23c,0x240,0x234,0x264,0x7ffd545df208,0x7ffd545df214,0x7ffd545df220
    3⤵
    PID:4300
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1912,i,6990788036935276184,18236128340270477331,262144 --variations-seed-version --mojo-platform-channel-handle=2312 /prefetch:3
    3⤵
    PID:4760
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2264,i,6990788036935276184,18236128340270477331,262144 --variations-seed-version --mojo-platform-channel-handle=2248 /prefetch:2
    3⤵
    PID:5600
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2624,i,6990788036935276184,18236128340270477331,262144 --variations-seed-version --mojo-platform-channel-handle=2756 /prefetch:8
    3⤵
    PID:5032
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=1716,i,6990788036935276184,18236128340270477331,262144 --variations-seed-version --mojo-platform-channel-handle=3456 /prefetch:1
    3⤵
    PID:2652
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3400,i,6990788036935276184,18236128340270477331,262144 --variations-seed-version --mojo-platform-channel-handle=3508 /prefetch:1
    3⤵
    PID:5744
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4948,i,6990788036935276184,18236128340270477331,262144 --variations-seed-version --mojo-platform-channel-handle=4956 /prefetch:8
    3⤵
    PID:4320
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5180,i,6990788036935276184,18236128340270477331,262144 --variations-seed-version --mojo-platform-channel-handle=4260 /prefetch:8
    3⤵
    PID:2456
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5236,i,6990788036935276184,18236128340270477331,262144 --variations-seed-version --mojo-platform-channel-handle=5284 /prefetch:8
    3⤵
    PID:5416
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6036,i,6990788036935276184,18236128340270477331,262144 --variations-seed-version --mojo-platform-channel-handle=6060 /prefetch:8
    3⤵
    PID:5732
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6036,i,6990788036935276184,18236128340270477331,262144 --variations-seed-version --mojo-platform-channel-handle=6060 /prefetch:8
    3⤵
    PID:5488
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5124,i,6990788036935276184,18236128340270477331,262144 --variations-seed-version --mojo-platform-channel-handle=5128 /prefetch:8
    3⤵
    PID:6048
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5068,i,6990788036935276184,18236128340270477331,262144 --variations-seed-version --mojo-platform-channel-handle=5044 /prefetch:8
    3⤵
    PID:3292
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6400,i,6990788036935276184,18236128340270477331,262144 --variations-seed-version --mojo-platform-channel-handle=6424 /prefetch:8
    3⤵
    PID:4592
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6416,i,6990788036935276184,18236128340270477331,262144 --variations-seed-version --mojo-platform-channel-handle=4288 /prefetch:8
    3⤵
    PID:1920
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=560,i,6990788036935276184,18236128340270477331,262144 --variations-seed-version --mojo-platform-channel-handle=5972 /prefetch:8
    3⤵
    PID:388
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5060,i,6990788036935276184,18236128340270477331,262144 --variations-seed-version --mojo-platform-channel-handle=5996 /prefetch:8
    3⤵
    PID:1864
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6000,i,6990788036935276184,18236128340270477331,262144 --variations-seed-version --mojo-platform-channel-handle=6112 /prefetch:8
    3⤵
    PID:3840

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:5400

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
1⤵
PID:5924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
  2⤵
  PID:2848

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\64.png.WCRY

Filesize
3KB

MD5
50ad9501b89671926e352a429c4fe56f

SHA1
a02b43ed8a67e50e1c9f3056d8656464f525a9bb

SHA256
5c9b53f179fd50859eaff943da8d10b8550b2bfa0a8c9421065ab3fc55ba4435

SHA512
53922aff1842fed44ae6c5dc7d43a0b97aee06af20ad28d84389b2eaf84804a55369ed4166c7c730cd428a89c185e64417cfc833828aa8ef365b0cb08a595d0f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fmgjjmmmlfnkbppncabfkddbjimcfncm\Icons\96.png.WCRY

Filesize
4KB

MD5
4e378b17d860f9ea2ae32f736c2eef30

SHA1
af33f854f796d4af444c7c5476e28b6394e0e941

SHA256
2a6ae5b1266d678d7ac8b943a1f8950af052e208d38587c482097f9bf6331508

SHA512
dfb46db2b0701dee15cec31f723c7823c28a56d8ffbfeb2c82ed1ce981a58ac06a4cc90246fd099e95a6a12315b782a63823067d9ded9c6ac3806ce024377a11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
991dd8fbe9a0cd6dc3637646bc73b6fe

SHA1
cd33a4c3c2cea06b41e5388826af365691769de4

SHA256
7e873150a039c5eda07ab3768e2b49127c3f824319d28909fe07f31d6f3119a4

SHA512
b8c1dbb54394674bb88fd7cf368214885e0c328e51651ee8f412aa1ab85151582c70189a292e24d551a8144de29f82e8e9b51ca5a695d33dc0e3326a78d05263

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
37673054798d6d3586728e0a1f4c9e40

SHA1
2c9815e68b1826ae5bc28c8fc38e50f45700ec9e

SHA256
86ab26a6d8119208cdd64e3316fc94042647fc60b6717cfee82b228d7ae454e0

SHA512
fbcb67bdc729aa24c2bf6a36318bc62e1b4d8c4dafc5ce841a9d1c41fddc1b63372bbe2e52f37aeb09c24a1d129cfee5f3b9f667473d6a2f545c7e17fd96f8a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe593138.TMP

Filesize
2KB

MD5
8ab61fe57ac4e0e3cf6e52888dd41110

SHA1
fb0c739a53d9af202323dfe8958fe87febe49b28

SHA256
40909c4fc910d14d65fb97d184ba6a0b61a5fafe7ef5f3246b8c9f64d08dca7c

SHA512
f848ea2324da0805c2c6f1941ee7b89e50ef62e7f544add98ab01eef7709e65917841485df0fd478f97e0cf9c9c639072735b410c7ee89debe605932fcfcd029

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\jmjflgjpcpepeafmmgdpfkogkghcpiha\1.2.1_0\content.js.WCRY

Filesize
9KB

MD5
2cf9b6024810f6a2a322f1f60e38a47b

SHA1
c6678c36dadf9729dd4f54c6062656605996716f

SHA256
1af27bf97a48f70eb5bd8fad051062346cdfbbc36e289e2657248397eb74632e

SHA512
767f898ca823e26e49a9fc8d079d374153c4ddb84c2353686d7606db077ba2e12e702781768c59491734be56770cf3dd95486375bf2d8c6a95ef2f9991f19024

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\jmjflgjpcpepeafmmgdpfkogkghcpiha\1.2.1_0\content_new.js.WCRY

Filesize
10KB

MD5
edd3d77032217cdfbc48a26943b8851f

SHA1
38c805978c7f962a46a4a5495a9e3e6a3671ab0f

SHA256
95b1e623bb3965529ce0a5cc216d0432561b41f80defe53217e4e3db3a154643

SHA512
88e94c67165ef7cbcff8d008372d83d8947af0bab975950ba707ac31a9e37df0af2e7459a02c5e36e39209da930eecfb0777069a23e4199f4c2639f11cc6a6ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\jmjflgjpcpepeafmmgdpfkogkghcpiha\1.2.1_1\content.js

Filesize
9KB

MD5
3d20584f7f6c8eac79e17cca4207fb79

SHA1
3c16dcc27ae52431c8cdd92fbaab0341524d3092

SHA256
0d40a5153cb66b5bde64906ca3ae750494098f68ad0b4d091256939eea243643

SHA512
315d1b4cc2e70c72d7eb7d51e0f304f6e64ac13ae301fd2e46d585243a6c936b2ad35a0964745d291ae9b317c316a29760b9b9782c88cc6a68599db531f87d59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps

Filesize
107KB

MD5
2b66d93c82a06797cdfd9df96a09e74a

SHA1
5f7eb526ee8a0c519b5d86c845fea8afd15b0c28

SHA256
d4c064db769b3c109da2ed80a53fbab00987c17421a47921e41e213781d67954

SHA512
95e45c0aea0e704be5f512dffaae377d4abef78da99b3bca769264d69be20f2570daf2f47905645217e1b2696e42b101f26149219f148b4d6dd97a6c2868b6f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
bd6a9982bc93ebb21dbccd1c42098ef1

SHA1
6d57b1126294fe24bc73c558bc205a9cb95c8cd6

SHA256
01dfd0ab157cbf5760e2c361e61d1957b9735ccc7e15900127d2ef63f74dfa5e

SHA512
52d83a77a834105aa7d58afe77f5eda0c52205d84dc9491c081e274555e5243530b890107b28b4faa669b6161a30a914b96eac11348a21a256272d18cf94f6a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
36KB

MD5
c558a945ffd576402aade932baca7efd

SHA1
ef795a3aa4d45a90fa92b85a13b1d12e2ad6084c

SHA256
31d378af01e7316e8f9c4582ecad2e58b282cd4b679b50a34e818fd5ea0abae8

SHA512
bc44c3e352ad0f9c731bf23247376ed51874632c7453c9df84ffc805ed1eb44fa979db84fd1ea7d2a5f5eba5ba56e1dfca7fabb8947d2d33b7cdce6869ba2828

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\3ae4e3f2-ef46-4782-bdca-d1b61b80fac6\index-dir\the-real-index

Filesize
72B

MD5
f1f35a9d573c799da2d57da6471e643c

SHA1
1128217186866716eb76f47f8a3d4532b0960883

SHA256
b0318c416fa67da563535d7200dc003bfab977f9ba95eb9abb28dcbd5e1e900c

SHA512
54bf916600d17da29ad0b2e9f2c8c5bc6a7f0b3d856bb79ae6137d1d7357eb73f857e56b51dd1b1e76a0eb668b114d20a2d9118f851793134e54bd997fe99019

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\3ae4e3f2-ef46-4782-bdca-d1b61b80fac6\index-dir\the-real-index

Filesize
48B

MD5
b70d1ea4082b3094d66fdca5f3e98f44

SHA1
596a79e7efd801f45c4b7cb4be1be4c97d433f45

SHA256
533adc5df8b5a456c0efaf55751e665ab3853c6dc4754fb7cf4e1350e32e6ba3

SHA512
2aac55fb05f46dd4c9953712d25a556d0b99e20e265663bf9241281a54732e03ff3a804305aa5468f7655460fd3c0bdd4d6009b9cf58501afb1d5aad7fb3da22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\3bf0a6ee-ef13-4c91-8a85-e9201fb349f3\index-dir\the-real-index

Filesize
2KB

MD5
a2b1ba255c8a79b10d2291c33f016897

SHA1
a324c192469c1d919b2c12ce44bbc5c9581a8ea4

SHA256
a19682bfff628b42167d8b7fc1d635f2ba3c0e9a9c09fdc7b66ddaafc0b13993

SHA512
0afc77b290fb8c49df7b8269ef19b2623b775021247433d0346ed736501876c764dcc4ec8c460371f4b4b423075a90594182f01e4b3406f022a3f5d2bb3bb458

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\3bf0a6ee-ef13-4c91-8a85-e9201fb349f3\index-dir\the-real-index~RFe593c92.TMP

Filesize
48B

MD5
fa43f732ec91ec816e5aa883894c17e3

SHA1
ca761ed0777627f0c36f52f172d6b96527817ce6

SHA256
5b42e052a30eadd49b184ae92c8b432e03c8ffa336f6e4971d4ad527851e99f5

SHA512
7325895be1e4ccb31a729f8c935c8f19295edea6694d8fc1ef445654662a35fff7a0088fe3015fe80d9892e3a8a90515d69481101bce67067accfbd32815c3ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\index.txt

Filesize
192B

MD5
5afdb3ac09927fe86f3d1e8f9cfdaf99

SHA1
4b401be9ed2948e85e57ac72871d7377498ec211

SHA256
9680ecfcc4823a05f4f057112e2f8c16c38add6f5d20c2dca1bc358a5003dec7

SHA512
8330c59f7bc430cc9d6674895ac89b3e77d4de82ea10388512f5cb06a0d5b9c0f53dfd6f4a8633d0dc79ac627a47919b649cbaa7aeb3d46cf4004d1ef95916b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\index.txt

Filesize
257B

MD5
d6e26a0fe63e7934b963fbb9ab91798e

SHA1
1246bca4e0f99e79fa16614232535bcc6b1f34ba

SHA256
b1e69e65192c27a8a1df8e159e1ece29709258e0158524e1e65d8a3af2ca458a

SHA512
f5d1e3c0c453b738ea540ff6bc7c584934dc6baf1e67fefd6fa8e993548fb88af74d96b337c6ae3385b572a7878ec02a7f29402ff797fea33a6e8f87a2473296

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\index.txt

Filesize
253B

MD5
03e17cecebdbc1fb606e768da62bc1f6

SHA1
c3c3b2bee782be4db80c3a8a1baa506fb08d3fbc

SHA256
4da95e1f3ac2158bfe481f83b038b8c7e2cde8e022863d3ea44a0b77b15298b0

SHA512
27901696aa986d496bca8f29350e8bb04c8937250c4fb93647d6e470d5f07c46e1b48222ba9bf5f9006dcb35e08c690d5688fc1a59c7eb4e33b7d9da8c10be7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\index.txt~RFe58c55e.TMP

Filesize
119B

MD5
94391c33f0820bbc4e4a2d70c9e60ba3

SHA1
1ff23437cf4c09f964a70494ec63e53e5882cada

SHA256
6be1ed27bfdd78a5e8d83f42e5c988f62b5d9fdb72253e10faafac6d6afa17c7

SHA512
22266691f16cfd5b911c7baf8b56ad6976cad3752f1a4e20e19b92bebcb84ba315a4113168003a0fe5424bba74364686436c9e44327583a0e96f9c53ca2fc0cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
c4d650481f0b85a6018401c1d2efb092

SHA1
77ebef47e9ab2a33ed548cf5d65699303b2a4d2d

SHA256
a1d5caf8b5b98642a586785412a670189cea6a167fb683146c7ddb3686de1cc5

SHA512
9e59db575bedd6fba5f44ead39c396f714418996054b71c796f94d0acb9e6ecedcc15bad037489bbe2594816de9174729b4c37d9876dcb9fb5cba1f40064e931

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe591515.TMP

Filesize
48B

MD5
c47a6346e82e7fb80105ac3a2f09761d

SHA1
054ba4aadb13ee73b20b466a1256d4c04ce1f264

SHA256
848d86e0e7430ed05c0036fb18f774cc6a2e0bf11b1c1f178ca47dd590b41660

SHA512
30dd82d2a8a94e89e37af44b6c9fb7f5f86d881fb6359e308e06bc1aa695c2f36918de253979be22d950a6e07f82cd31a953797c8172bd483ea1b06cd6a0dd2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
22KB

MD5
b2315042c5d1c9db6f8e4a33ab36c5ba

SHA1
fe9d99805a3087c30d76d184ee2d8a1927780a74

SHA256
7dfc576421b6bff36c8e9772c562195cbfc1579da73856057ba01fba616488b4

SHA512
8b5e74fdd9c2be23ca787232e0f2302b4f461f37f7a4120378405a4c8965951eaa32a13bc119a0795b5e9d3c4fc9fbd5d4b7b09448537b9260d539c4350630f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\EADPData Component\4.0.3.10\data.txt.WCRY

Filesize
113KB

MD5
f31f3b9631227c31573db6f9d28d305a

SHA1
7c2169403e8c79865fa15d35a5de73bdb461be5d

SHA256
d65cdd4de5a6c26339103baf8a6d9a9a10ebc226d97b9d7651c5e1b91ef0cc32

SHA512
84ba8ba26cf39a9c22d71484e400e26e831204d9a47b51deaae18de9d0555c7545559e2e01e69cd3f4c98960c0ae1bf9b59a5734c3498060d9a976f1c3277be9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Notifications\0.0.0.46\arbitration_metadata.txt.WCRY

Filesize
343KB

MD5
70edce3d7c13cecdfb1f0e9fa06ac8ab

SHA1
3da622d0741f612114092b9d6905406f24d8db7a

SHA256
b003f56f3ddd632d96e1a68f7e8298f0c26efbc2a2893e1580f5857d9001e08b

SHA512
c397120cc94da2ef2747eb565b9dcad7b4d6a8d3c681f0b736bfdb3f4dcc56b517e267e0e25566a938c20c4bcf4b32597ec789c2253e12b14a8559c7ef6f5fbf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
ed83839c883f2472c4d03e22ce79047f

SHA1
28c113787060765dd351ccbbfe3da3754e84fc32

SHA256
bb9829080ad356eba921c884523b2adaf081896d1889b6b7f28f7330fe8191ba

SHA512
b477d066bca38ff74ffb312bcffe7f6c0fd495df59b8e08155da9ef761eb1b069d95ae236d7119dbaa9f046c91bcb80c25eed4728922eceba096a3a28c3f0510

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
41KB

MD5
f346a79bc1d53da83044d827d694eeeb

SHA1
f22bb871719dcc81ffd1428e695dcc53d2e8f3dd

SHA256
9ee5d55abae4ec43dc2ed95d51ba51fa7bc256c4334b8783c19cc401784feefd

SHA512
8cf8a159c6d86a5407b916dd5a60a35ecafce178c2c43eb71ac5ae1d417b6e947276a3e2f61045f64c709aed0e48498028c86e55fd4f27003b04da2af579fefa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

Filesize
2KB

MD5
fa002b6327ebfe54c1e8f1f780582f03

SHA1
3cf63cb390f10a23ee70a2c38f048d4675ff1cfa

SHA256
006a459586409b7a528c981d30aa9210494e24dd3bb1866c2f4fd66c68054281

SHA512
589863f3727bc877107216dc7b146fe83cdcdf8c2fd15c540e430f3e501d4a6d7e56ea4b517a82bb0bbe9b0511d318ed44adb3c56078ac97e51c3fad96cb316e

Download Submit
C:\Users\Admin\AppData\Local\Temp\!Please Read Me!.txt

Filesize
797B

MD5
afa18cf4aa2660392111763fb93a8c3d

SHA1
c219a3654a5f41ce535a09f2a188a464c3f5baf5

SHA256
227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0

SHA512
4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe.lnk

Filesize
1KB

MD5
a944204505b3679a08b43a11440b756a

SHA1
13e2e3fd9be2851c53ca5ae5c440db8b6ca56dc5

SHA256
dbdbc04f6f6cbbf444b922dfb6fa5dbb33016473c3dbdf0d44bf5dbf8f39c5d7

SHA512
246231a32fcf0ca70fba82ccb6a35b4417f332ba15e3c658711328c8a14520c4253a2d07b49d019efdf94d5f9dc04469c22e9248b57fa2aabc8735a9dac41c24

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.eky

Filesize
1KB

MD5
a6705be9ed603661e7d0b0cee891804e

SHA1
1ee849584b9913706fcd826249f7033c85fd0b7c

SHA256
9f7f1847b00700a2ea35fc1d9f29bfe10d352691bca07335e05ffd7a2ac76431

SHA512
bfb797275f55b0dcd632e33a3bd16b99697049c0e59c904e77d4caa6b0d1421e61c027d41e05e0c02eb4a6557c2580a858dc88612937f5f51cd7e31f69f4eaeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.res

Filesize
136B

MD5
6da1f1e2c8b826e4a9f9b96f939eca1c

SHA1
6f2f2527510d7e6807ca0f15f372c08d436b4783

SHA256
6e8bd360d5cbff50d102892630d94c90764c553d6f8d58c30464ac124974b592

SHA512
26400ca23fefb3460eb9004c89c0be06932b5de4ec8eda163e05a2dde8519eac985f3ff2323ca541047c286216d1b46563f7545b834bd0e25721ddbe010ea7ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.res

Filesize
136B

MD5
d10edc41a9547f35166b49143eb730fc

SHA1
0acf4fbfdb71bbb8a37dbd4fc2f8756fda536efd

SHA256
f45c99638ba3d338477c50d6d0516de7eb58e090495c9cc79aec4a7277d97ea4

SHA512
6c795c98e712bed756678aeacfcfcf7f7eb117684c240a3ad8f4ac85650a0196efa3a5b9d9344c7c0ab484e477bf419c77d97db3e71a71cff9d76673b6c23d08

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.res

Filesize
136B

MD5
de4239bd4ad777828ec8d3ecd63730c3

SHA1
763a50a9afc3e87b544b78302b0f4a59683dc0e5

SHA256
62dae97c2cd6256570e8458ab2190e0b18f918c6d0e15822fcb8a9237bd8c0d9

SHA512
6dc0c96119b0a0744b49fc42b0d9b9e06c0f5e37552136767ad0c13d8c094ada6f469b4428c54909caa3294e33b9e2706af54b0633b3a97b3c371aa233755bac

Download Submit
C:\Users\Admin\AppData\Local\Temp\40621744573851.bat

Filesize
336B

MD5
3540e056349c6972905dc9706cd49418

SHA1
492c20442d34d45a6d6790c720349b11ec591cde

SHA256
73872a89440a2cba9d22bf4961c3d499ea2c72979c30c455f942374292fedadc

SHA512
c949d147100aef59e382c03abf7b162ae62a4d43456eebd730fbedcf5f95f5e1a24f6e349690d52d75331878a6ee8f6b88a7162ee9cf2a49e142196b12d0133c

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.vbs

Filesize
219B

MD5
5f6d40ca3c34b470113ed04d06a88ff4

SHA1
50629e7211ae43e32060686d6be17ebd492fd7aa

SHA256
0fb5039a2fe7e90cdf3f22140d7f2103f94689b15609efe0edcc8430dd772fc1

SHA512
4d4aa1abd2c9183202fd3f0a65b37f07ee0166ba6561f094c13c8ea59752c7bdd960e37c49583746d4464bc3b1dc0b63a1fe36a37ce7e5709cd76ed433befe35

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.wry

Filesize
628B

MD5
b6b0dc971ccd8f908fe3febaf75180f1

SHA1
d8c7daf7065a418dfe314d6a0e03d085b3c9fcc8

SHA256
34ed75870ab037e5b8fea67820bb0934b7dabc04818cc540dbb93c701b05f461

SHA512
2cec67f04d265f7de44e9c0dd2da222f46437086718da2173712bdebd982e7b69f510323eba1520778613778d11935bd0da161e893a4cf846f6f1ed5d0a2532e

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.wry

Filesize
628B

MD5
663e55df21852bc8870b86bc38e58262

SHA1
1c691bf030ecfce78a9476fbdef3afe61724e6a9

SHA256
bf22e8e18db1638673f47591a13d18ee58d8c6019314bab5a90be82ae3dc9538

SHA512
6a54be1fa549633a2fd888c559207437b8f6efda98bb18d491c8749f39e9754f1e680fa8e2d623777b5f665b2c04d19385c75ce4e61fb251db16018963a9a6f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\f.wry

Filesize
441B

MD5
bebdb650c25e420477b75fb6ed572feb

SHA1
3c38afd53eb08b21d9132cac057bf395c81718fb

SHA256
24898fd2e40c56c4dfdfdc688c713f043b66890ac82935f2ede457b2a3ee67de

SHA512
261cd973824a9771ef5d3d45ad970b5a97b242847d0a5813bcd3d1ced079b9457dfb751786f9a3aa756a2084bc1564b1cf4891c0926b8a8cadae40c1d46e5f4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\m.wry

Filesize
42KB

MD5
980b08bac152aff3f9b0136b616affa5

SHA1
2a9c9601ea038f790cc29379c79407356a3d25a3

SHA256
402046ada270528c9ac38bbfa0152836fe30fb8e12192354e53b8397421430d9

SHA512
100cda1f795781042b012498afd783fd6ff03b0068dbd07b2c2e163cd95e6c6e00755ce16b02b017693c9febc149ed02df9df9b607e2b9cca4b07e5bd420f496

Download Submit
C:\Users\Admin\AppData\Local\Temp\r.wry

Filesize
729B

MD5
880e6a619106b3def7e1255f67cb8099

SHA1
8b3a90b2103a92d9facbfb1f64cb0841d97b4de7

SHA256
c9e9dc06f500ae39bfeb4671233cc97bb6dab58d97bb94aba4a2e0e509418d35

SHA512
c35ca30e0131ae4ee3429610ce4914a36b681d2c406f67816f725aa336969c2996347268cb3d19c22abaa4e2740ae86f4210b872610a38b4fa09ee80fcf36243

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir1200_1814261482\00beb722-1c5b-4b70-8f25-73fb1a2157b2.tmp

Filesize
10KB

MD5
78e47dda17341bed7be45dccfd89ac87

SHA1
1afde30e46997452d11e4a2adbbf35cce7a1404f

SHA256
67d161098be68cd24febc0c7b48f515f199dda72f20ae3bbb97fcf2542bb0550

SHA512
9574a66d3756540479dc955c4057144283e09cae11ce11ebce801053bb48e536e67dc823b91895a9e3ee8d3cb27c065d5e9030c39a26cbf3f201348385b418a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4876_957996442\CRX_INSTALL\offscreendocument_main.js.WCRY

Filesize
122KB

MD5
d4059a875e8211d5d45c2013585ad48d

SHA1
09e2e528896e48c3a7f4d8683124934b75c7ffc5

SHA256
7d5a08165427f94e0fa8d694a94aa9f50efa88fede24a003725d0060a258253e

SHA512
5eaae797760b054ff3dca9d538b4c37a29c521d63f2d79c75271f33a49f056387ddbc70638a5501cf805476df9c09ca3a34b88ee687a66808e4a5733d02ad13e

Download Submit
C:\Users\Admin\AppData\Local\Temp\t.wry

Filesize
68KB

MD5
5557ee73699322602d9ae8294e64ce10

SHA1
1759643cf8bfd0fb8447fd31c5b616397c27be96

SHA256
a7dd727b4e0707026186fcab24ff922da50368e1a4825350bd9c4828c739a825

SHA512
77740de21603fe5dbb0d9971e18ec438a9df7aaa5cea6bd6ef5410e0ab38a06ce77fbaeb8fc68e0177323e6f21d0cee9410e21b7e77e8d60cc17f7d93fdb3d5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.wry

Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
C:\Users\Admin\Music\GrantNew.m3u.WCRY

Filesize
451KB

MD5
9013ed11a5be3ae222c84fd990c37b6c

SHA1
064576f6fbcccabae33257976eb5244808142c41

SHA256
e55056bdff6a11cb4711677273407413faebb8d31bada407c8174c2d85c71ba8

SHA512
0e375270e211cef18ac609d2544c067eb54aba3e95d53d2b015a205e99cdd15f9522ea87b184e7e3f0bd918022c6054117af2ee22f3425486fc55980e7ef9049

Download Submit
memory/4956-6-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads