wannacry | hxxps://github[.]com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/WannaCry[.]exe

Resubmissions

08-04-2024 03:16

240408-dsz57sfc87 10

Analysis

max time kernel
927s
max time network
845s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
17-05-2024 05:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/WannaCry.exe

Score

10^/10

wannacry defense_evasion execution impact persistence ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\!Please Read Me!.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions! �

Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Downloads MZ/PE file

Drops startup file 2 IoCs

Processes:

WannaCry.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDC423.tmp	WannaCry.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDC43A.tmp	WannaCry.exe

Executes dropped EXE 5 IoCs

Processes:

WannaCry.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe

pid process

4176 WannaCry.exe
2800 !WannaDecryptor!.exe
3660 !WannaDecryptor!.exe
4688 !WannaDecryptor!.exe
4684 !WannaDecryptor!.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
4176	WannaCry.exe
2800	!WannaDecryptor!.exe
3660	!WannaDecryptor!.exe
4688	!WannaDecryptor!.exe
4684	!WannaDecryptor!.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

WannaCry.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\Downloads\\WannaCry.exe\" /r"	WannaCry.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

4 raw.githubusercontent.com
12 raw.githubusercontent.com
31 raw.githubusercontent.com

flow	ioc
4	raw.githubusercontent.com
12	raw.githubusercontent.com
31	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

!WannaDecryptor!.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp"	!WannaDecryptor!.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 4 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

1724 taskkill.exe
588 taskkill.exe
4656 taskkill.exe
2284 taskkill.exe

pid	process
1724	taskkill.exe
588	taskkill.exe
4656	taskkill.exe
2284	taskkill.exe

NTFS ADS 5 IoCs

Processes:

msedge.exemsedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 121333.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 510648.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 539411.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 137915.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\WannaCry.exe:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

msedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exe

pid	process
1924	msedge.exe
1924	msedge.exe
1632	msedge.exe
1632	msedge.exe
1616	msedge.exe
1616	msedge.exe
3668	identity_helper.exe
3668	identity_helper.exe
3296	msedge.exe
3296	msedge.exe
3296	msedge.exe
3296	msedge.exe
5100	msedge.exe
5100	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

Processes:

msedge.exe

pid	process
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exeWMIC.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	2284	taskkill.exe
Token: SeDebugPrivilege	588	taskkill.exe
Token: SeDebugPrivilege	1724	taskkill.exe
Token: SeDebugPrivilege	4656	taskkill.exe
Token: SeIncreaseQuotaPrivilege	4876	WMIC.exe
Token: SeSecurityPrivilege	4876	WMIC.exe
Token: SeTakeOwnershipPrivilege	4876	WMIC.exe
Token: SeLoadDriverPrivilege	4876	WMIC.exe
Token: SeSystemProfilePrivilege	4876	WMIC.exe
Token: SeSystemtimePrivilege	4876	WMIC.exe
Token: SeProfSingleProcessPrivilege	4876	WMIC.exe
Token: SeIncBasePriorityPrivilege	4876	WMIC.exe
Token: SeCreatePagefilePrivilege	4876	WMIC.exe
Token: SeBackupPrivilege	4876	WMIC.exe
Token: SeRestorePrivilege	4876	WMIC.exe
Token: SeShutdownPrivilege	4876	WMIC.exe
Token: SeDebugPrivilege	4876	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4876	WMIC.exe
Token: SeRemoteShutdownPrivilege	4876	WMIC.exe
Token: SeUndockPrivilege	4876	WMIC.exe
Token: SeManageVolumePrivilege	4876	WMIC.exe
Token: 33	4876	WMIC.exe
Token: 34	4876	WMIC.exe
Token: 35	4876	WMIC.exe
Token: 36	4876	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4876	WMIC.exe
Token: SeSecurityPrivilege	4876	WMIC.exe
Token: SeTakeOwnershipPrivilege	4876	WMIC.exe
Token: SeLoadDriverPrivilege	4876	WMIC.exe
Token: SeSystemProfilePrivilege	4876	WMIC.exe
Token: SeSystemtimePrivilege	4876	WMIC.exe
Token: SeProfSingleProcessPrivilege	4876	WMIC.exe
Token: SeIncBasePriorityPrivilege	4876	WMIC.exe
Token: SeCreatePagefilePrivilege	4876	WMIC.exe
Token: SeBackupPrivilege	4876	WMIC.exe
Token: SeRestorePrivilege	4876	WMIC.exe
Token: SeShutdownPrivilege	4876	WMIC.exe
Token: SeDebugPrivilege	4876	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4876	WMIC.exe
Token: SeRemoteShutdownPrivilege	4876	WMIC.exe
Token: SeUndockPrivilege	4876	WMIC.exe
Token: SeManageVolumePrivilege	4876	WMIC.exe
Token: 33	4876	WMIC.exe
Token: 34	4876	WMIC.exe
Token: 35	4876	WMIC.exe
Token: 36	4876	WMIC.exe
Token: SeBackupPrivilege	2576	vssvc.exe
Token: SeRestorePrivilege	2576	vssvc.exe
Token: SeAuditPrivilege	2576	vssvc.exe

Suspicious use of FindShellTrayWindow 56 IoCs

Processes:

msedge.exe

pid	process
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

msedge.exe

pid	process
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe

pid	process
2800	!WannaDecryptor!.exe
2800	!WannaDecryptor!.exe
3660	!WannaDecryptor!.exe
3660	!WannaDecryptor!.exe
4688	!WannaDecryptor!.exe
4688	!WannaDecryptor!.exe
4684	!WannaDecryptor!.exe
4684	!WannaDecryptor!.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 1632 wrote to memory of 3324	1632	msedge.exe	msedge.exe
PID 1632 wrote to memory of 3324	1632	msedge.exe	msedge.exe
PID 1632 wrote to memory of 2360	1632	msedge.exe	msedge.exe
PID 1632 wrote to memory of 2360	1632	msedge.exe	msedge.exe
PID 1632 wrote to memory of 2360	1632	msedge.exe	msedge.exe
PID 1632 wrote to memory of 2360	1632	msedge.exe	msedge.exe
PID 1632 wrote to memory of 2360	1632	msedge.exe	msedge.exe
PID 1632 wrote to memory of 2360	1632	msedge.exe	msedge.exe
PID 1632 wrote to memory of 2360	1632	msedge.exe	msedge.exe
PID 1632 wrote to memory of 2360	1632	msedge.exe	msedge.exe
PID 1632 wrote to memory of 2360	1632	msedge.exe	msedge.exe
PID 1632 wrote to memory of 2360	1632	msedge.exe	msedge.exe
PID 1632 wrote to memory of 2360	1632	msedge.exe	msedge.exe
PID 1632 wrote to memory of 2360	1632	msedge.exe	msedge.exe
PID 1632 wrote to memory of 2360	1632	msedge.exe	msedge.exe
PID 1632 wrote to memory of 2360	1632	msedge.exe	msedge.exe
PID 1632 wrote to memory of 2360	1632	msedge.exe	msedge.exe
PID 1632 wrote to memory of 2360	1632	msedge.exe	msedge.exe
PID 1632 wrote to memory of 2360	1632	msedge.exe	msedge.exe
PID 1632 wrote to memory of 2360	1632	msedge.exe	msedge.exe
PID 1632 wrote to memory of 2360	1632	msedge.exe	msedge.exe
PID 1632 wrote to memory of 2360	1632	msedge.exe	msedge.exe
PID 1632 wrote to memory of 2360	1632	msedge.exe	msedge.exe
PID 1632 wrote to memory of 2360	1632	msedge.exe	msedge.exe
PID 1632 wrote to memory of 2360	1632	msedge.exe	msedge.exe
PID 1632 wrote to memory of 2360	1632	msedge.exe	msedge.exe
PID 1632 wrote to memory of 2360	1632	msedge.exe	msedge.exe
PID 1632 wrote to memory of 2360	1632	msedge.exe	msedge.exe
PID 1632 wrote to memory of 2360	1632	msedge.exe	msedge.exe
PID 1632 wrote to memory of 2360	1632	msedge.exe	msedge.exe
PID 1632 wrote to memory of 2360	1632	msedge.exe	msedge.exe
PID 1632 wrote to memory of 2360	1632	msedge.exe	msedge.exe
PID 1632 wrote to memory of 2360	1632	msedge.exe	msedge.exe
PID 1632 wrote to memory of 2360	1632	msedge.exe	msedge.exe
PID 1632 wrote to memory of 2360	1632	msedge.exe	msedge.exe
PID 1632 wrote to memory of 2360	1632	msedge.exe	msedge.exe
PID 1632 wrote to memory of 2360	1632	msedge.exe	msedge.exe
PID 1632 wrote to memory of 2360	1632	msedge.exe	msedge.exe
PID 1632 wrote to memory of 2360	1632	msedge.exe	msedge.exe
PID 1632 wrote to memory of 2360	1632	msedge.exe	msedge.exe
PID 1632 wrote to memory of 2360	1632	msedge.exe	msedge.exe
PID 1632 wrote to memory of 2360	1632	msedge.exe	msedge.exe
PID 1632 wrote to memory of 1924	1632	msedge.exe	msedge.exe
PID 1632 wrote to memory of 1924	1632	msedge.exe	msedge.exe
PID 1632 wrote to memory of 4036	1632	msedge.exe	msedge.exe
PID 1632 wrote to memory of 4036	1632	msedge.exe	msedge.exe
PID 1632 wrote to memory of 4036	1632	msedge.exe	msedge.exe
PID 1632 wrote to memory of 4036	1632	msedge.exe	msedge.exe
PID 1632 wrote to memory of 4036	1632	msedge.exe	msedge.exe
PID 1632 wrote to memory of 4036	1632	msedge.exe	msedge.exe
PID 1632 wrote to memory of 4036	1632	msedge.exe	msedge.exe
PID 1632 wrote to memory of 4036	1632	msedge.exe	msedge.exe
PID 1632 wrote to memory of 4036	1632	msedge.exe	msedge.exe
PID 1632 wrote to memory of 4036	1632	msedge.exe	msedge.exe
PID 1632 wrote to memory of 4036	1632	msedge.exe	msedge.exe
PID 1632 wrote to memory of 4036	1632	msedge.exe	msedge.exe
PID 1632 wrote to memory of 4036	1632	msedge.exe	msedge.exe
PID 1632 wrote to memory of 4036	1632	msedge.exe	msedge.exe
PID 1632 wrote to memory of 4036	1632	msedge.exe	msedge.exe
PID 1632 wrote to memory of 4036	1632	msedge.exe	msedge.exe
PID 1632 wrote to memory of 4036	1632	msedge.exe	msedge.exe
PID 1632 wrote to memory of 4036	1632	msedge.exe	msedge.exe
PID 1632 wrote to memory of 4036	1632	msedge.exe	msedge.exe
PID 1632 wrote to memory of 4036	1632	msedge.exe	msedge.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/WannaCry.exe
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1632

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff84c183cb8,0x7ff84c183cc8,0x7ff84c183cd8
2⤵
PID:3324

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1952,4238098336406420873,6461810032950758988,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1968 /prefetch:2
2⤵
PID:2360

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1952,4238098336406420873,6461810032950758988,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1924

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1952,4238098336406420873,6461810032950758988,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2676 /prefetch:8
2⤵
PID:4036

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,4238098336406420873,6461810032950758988,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
2⤵
PID:4732

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,4238098336406420873,6461810032950758988,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
2⤵
PID:3056

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,4238098336406420873,6461810032950758988,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3968 /prefetch:1
2⤵
PID:1580

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,4238098336406420873,6461810032950758988,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5188 /prefetch:1
2⤵
PID:2112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1952,4238098336406420873,6461810032950758988,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3264 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1616

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1952,4238098336406420873,6461810032950758988,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5756 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3668

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,4238098336406420873,6461810032950758988,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5752 /prefetch:1
2⤵
PID:4656

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,4238098336406420873,6461810032950758988,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5128 /prefetch:1
2⤵
PID:3812

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,4238098336406420873,6461810032950758988,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5236 /prefetch:1
2⤵
PID:2508

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1952,4238098336406420873,6461810032950758988,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5904 /prefetch:8
2⤵
PID:1060

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,4238098336406420873,6461810032950758988,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1
2⤵
PID:392

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1952,4238098336406420873,6461810032950758988,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5572 /prefetch:8
2⤵
PID:1664

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,4238098336406420873,6461810032950758988,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4996 /prefetch:1
2⤵
PID:3684

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1952,4238098336406420873,6461810032950758988,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1900 /prefetch:8
2⤵
PID:2448

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,4238098336406420873,6461810032950758988,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5900 /prefetch:1
2⤵
PID:3888

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1952,4238098336406420873,6461810032950758988,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6152 /prefetch:8
2⤵
PID:2864

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1952,4238098336406420873,6461810032950758988,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6156 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3296

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,4238098336406420873,6461810032950758988,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:1
2⤵
PID:1900

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1952,4238098336406420873,6461810032950758988,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5244 /prefetch:8
2⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:5100

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3544

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2248

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1148

C:\Users\Admin\Downloads\WannaCry.exe
"C:\Users\Admin\Downloads\WannaCry.exe"
1⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
PID:4176

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 155851715924900.bat
2⤵
PID:3984

C:\Windows\SysWOW64\cscript.exe
cscript //nologo c.vbs
3⤵
PID:3472

C:\Users\Admin\Downloads\!WannaDecryptor!.exe
!WannaDecryptor!.exe f
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2800

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im MSExchange*
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1724

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Microsoft.Exchange.*
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:588

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im sqlserver.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4656

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im sqlwriter.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2284

C:\Users\Admin\Downloads\!WannaDecryptor!.exe
!WannaDecryptor!.exe c
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3660

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /b !WannaDecryptor!.exe v
2⤵
PID:764

C:\Users\Admin\Downloads\!WannaDecryptor!.exe
!WannaDecryptor!.exe v
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4688

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
4⤵
PID:4812

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:4876

C:\Users\Admin\Downloads\!WannaDecryptor!.exe
!WannaDecryptor!.exe
2⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious use of SetWindowsHookEx
PID:4684

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
5e027def9b55f3d49cde9fb82beba238

SHA1
64baabd8454c210162cbc3a90d6a2daaf87d856a

SHA256
9816e980b04f1fe7efaa4b9c83ff6a0fdd485ee65a884c001b43a0cad7c39d83

SHA512
a315e1336c5ec70cbb002969e539068ba92f3ec681b6d863db95227fd1808a778fd994e2fb03f28f0e401677aa5f7c66813e315b6b99a5065384c49586f9782e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
0c5042350ee7871ccbfdc856bde96f3f

SHA1
90222f176bc96ec17d1bdad2d31bc994c000900c

SHA256
b8b1cb139d4d19a85adce0152fa3c4f6adfb73a322d7253820e848c6f82afc1b

SHA512
2efdb535fa6a06c4f9702b2129f2dd07c330e37fd10b492f2236007c660c1707773c22005d1e1fa580dbf633dc1a700ada3b7b611ef9accd9555a17a244f61ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
7005dea8cf73bd3c1e53dccb9f307f49

SHA1
b76e51cde647a8a4bf414379ec511c49fc4bc5ae

SHA256
3bd1243976ba4d92da67dc1d91faf749d28a30080a3e5d90a2a2c4f840c36c00

SHA512
0b0a8626a231fa7848768aefbf29e842ec9c040f7efaa1ae4a8cee42be7bf09f3a455c46b6c0b59212840ef6c56d9e333799288e73f053e01d51db9a12409195

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
579B

MD5
7ac37464384ee7179ac68d1e99242b2d

SHA1
4ee441656cca629a32015adecc58aee62ae1f653

SHA256
e1ccebabefc990c0bc44376e9070301b5f1d57ed0260c81c4e78136e66fe2690

SHA512
ff6a8d9db51b9abeeceb69d251f38ccab6be5b670c193cab2f2b60292f5c66016db516980f14848021dbdb6e1933712d588fd3eafa7a7a36fd1657a3b55b3db1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
8a2e72de1e20c8a34de6ea6f3df9ae61

SHA1
ed52016e162fea0a1f2c0b39b63368da7fc79d7f

SHA256
c068d878d95b25cc8cc314446794ae47020daf14736e9c9abc9fb171d8188436

SHA512
3c7adaaf7b294717b5f4fa849a8c8dc39d22cb96d45e4fbe1894115f730951ad9aff6dd5feaf92aa25a48ada018d6beb5f61752550c5ac2c294d0d22e705acff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
152d8a79b826598a9e126a475f18cdc5

SHA1
7a03f366b5ed32305dd6e8c47d348a22d9551d33

SHA256
e402799b445a6eef5096aad393fc8da653aec00ee034a9b31d05a42419252b8b

SHA512
b911a73893882b7bb127541ee6a14972946e761eb9edb4266f51b4f6f65c255e75deff073caee5e67d5d413eea8fbee583ec28dd715b98c4909c178a7e20b2a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
4ea5f18499a8a532c63910201759f9ad

SHA1
256943107e2b1227a678b4e7625d328d711e27cc

SHA256
cc4113c0878a2a5560045008d7a005a6ce18e415f0a6970c72708bfb9b3271b5

SHA512
e5a092f9b304e897d619b3c42363b66d85dd3944f5531ad779044bbee226edf96394e462567fb7d0f5f2bc43e49de4a9a40ab765a70550cce3dd43ee0fa355f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
c45eecf09d66ef4859278645366ee0f7

SHA1
cd9297c06d2909ddf1094d2da6b3731642ce738e

SHA256
21b27d3bd411282f450cd42d1ed8296a7d5db04aab2dcb9039a9816e269d1818

SHA512
50dc422754f189dd776ba71b414d43ced82627862eae2641925c752d98f9654d32f90352820b697c2c1d7308b538ed34bdeb10324e3ddad78a501b5c036fa1cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
8b631a4f4f83bbc66f082f8113e8f28a

SHA1
e51b6e2c4a6de8bc020d662c41fb506a15008fec

SHA256
c5aabec5522edc7b06ae6966b65355fd76e521af4b5049e2aba697d521b12c7b

SHA512
c6cf3d91bcb61d1631f23961079765059333cdd029ff44575722f4c2c433f5b6e9b8ae95e3c23b7fb249e1b1ff27aaca437f3e7deccda727f49e648762fa70cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
08ba70ca02ada1e77b6ac5609580f9dc

SHA1
0aa3706dbb6066f3f90b8fe68244e91e78bfcb54

SHA256
5ba34c16d16de49bdd91f5af4bbf20dd521547099eae37b736a20174ddaadf31

SHA512
1f4b344b9c556f97f3c60d9bf6b7416a145c543bb557be8882c7f1c7c1c3076298f4426228a86b773e223627946a83bc1cd26b2cad2fc94519fb09ca27dd48ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
39cf8c71f3dea837471014c2a65f47a2

SHA1
ac34b279eaaf04c87ff7677245ced19bb7e13978

SHA256
aad4af259ed9d744d9924a886872a9115167e7414e19052de3fa7e90eb36a37a

SHA512
568c6bf442ed0e6e7658f3fee9866d4b7fe90a4c664179ef0ca8cbd258923ea1e533143c7327cbde2f1a11c2ded2590a64749182f0d99d8d651cdccbb31b4c3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe580c6f.TMP
Filesize
874B

MD5
dc258d41d197d20c2fd9aadc9b194e0e

SHA1
812e78fe4c6f5f418b94117eaaa5553f88555654

SHA256
3110c25202b132958aa899bef1753077d8a438bae7c6e7c0e0a24927a5f33f6b

SHA512
bb5656055a746bcc26af9d98206a3d4d89bbf11755212f4e7104eb1fc736adf80d4a3c5e68ecbc48b65b923f5c346599a127b01304e50a0c82fe0c12813edff3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\heavy_ad_intervention_opt_out.db
Filesize
16KB

MD5
9a8e0fb6cf4941534771c38bb54a76be

SHA1
92d45ac2cc921f6733e68b454dc171426ec43c1c

SHA256
9ee9211a57c3f6fa211fe0323fa8cd521e7cbffcd8ff0896645a45795dc472be

SHA512
12ed22537dcc79d53f6c7d39e92a38f8fea076d793198928f5b7a5dd1234d50a3c0b4815632f3fadf8bc4ef0499773d22bd83f961d2d0ffd8afacf471bd3a5ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\previews_opt_out.db
Filesize
16KB

MD5
d926f072b41774f50da6b28384e0fed1

SHA1
237dfa5fa72af61f8c38a1e46618a4de59bd6f10

SHA256
4f7b0e525d4bfc53d5df49589e25a0bccf2fcf6a1a0ca3f94d3285bb9cf0a249

SHA512
a140df6ec0d3099ef374e8f3ece09bf91bc896ac4a1d251799a521543fe9bdea796ba09fa47932bd54fa939118495078f9258557b32c31d3d4011b0666a4723f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
db84438ec4e13645200433fdfdfc9b3d

SHA1
ac120603f995832ae77956fde21986f0b5820214

SHA256
54ee35902479aa0ce4e225966120949d073f8fef1b217fd2169e6462ac77d395

SHA512
ca91cfc9680c9a53b401656fc7613ab2364961b94e29f424a120159f9112dc23448a118e3fd1dd672086541d8e3d8b31c20a19d02506cf8784b3bc97b23709ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
261530b5df30dd41b191b9b96fe67911

SHA1
7ee86d08ab5f86b0fb8f70518644404aac492e73

SHA256
6e11ad666b7e12928ea0b6701c720b388a5777285fa63f588c75cffff8874dac

SHA512
e2351a4329ee7cec41227daff95b6c3f2c66c73322f117d79001c2b63ab89b01d03b32c95ea951ef35699fb4ab037f84f8216ba6afbf17d1a961d45c9b30424c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
c1641a673f93536783d86b2401ab8d2f

SHA1
8da3a6645c4a2c61db4cca02d84925aa5bea2a51

SHA256
026cc71dc36df515856b4a6601297cd3466e004fb0932ab74a40379fe044904b

SHA512
5d8e9f6419b2a06feefbdd532138a4165a7d80f166eef3f4ea3c5099bd0382511605058f9255cd8abdf5b9f029a3d6cedec494941cf410063e6587b1447c2c8a

Download Submit
C:\Users\Admin\Downloads\!Please Read Me!.txt
Filesize
797B

MD5
afa18cf4aa2660392111763fb93a8c3d

SHA1
c219a3654a5f41ce535a09f2a188a464c3f5baf5

SHA256
227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0

SHA512
4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b

Download Submit
C:\Users\Admin\Downloads\!WannaDecryptor!.exe.lnk
Filesize
590B

MD5
1b48b59e9e1ca16683e2bb2448833dcb

SHA1
c8cd8a12de00fd973559b3d9628ac79d947e8600

SHA256
4465f56ef93793b4c079a52edf384c821889a22adf354c43ef664fe0e1243aa4

SHA512
bc641a704c38276a3de446c15305035202c3203f07143dba310f038f24c5ee661b4cbd718454c0df22788e17820716419ca06e7fcc81576f6c0f3c2fffd55c9c

Download Submit
C:\Users\Admin\Downloads\00000000.res
Filesize
136B

MD5
fe7f76cf541d3e5a85a78f64cebff558

SHA1
8cdff533a4c16d1abfa43b2dd3e4047457fcd88e

SHA256
e26f09bf85df127776768bc20497792e55d2a86e78c9f7b6b9fa01cc761532d4

SHA512
0b48ca1ca5776d7710c79583f5614b5c93724dcd43ba826f4c0c8fb3a8a1dca4b4a2d82c54fd9aefc07be629a97363e1fa63568ffd85ba1bb3d17970ff21af9b

Download Submit
C:\Users\Admin\Downloads\00000000.res
Filesize
136B

MD5
7f5b4c1c40e478a5c2f70aab60beff64

SHA1
f9a6dcd02749fd78568cbcf68499136488493a90

SHA256
ef087c20e92d8080b48a9d36cbb882ad35b6cfe09ced050313ae94e72fc911b2

SHA512
0be6258c47bb3cc2d7dc46ffbdbeb8b321dcfe79e20689de7f9cd87ef249dc970fa8751ca298b1c508a14119fa55d3816f53f77beccdacd7a43a159c8d6347a9

Download Submit
C:\Users\Admin\Downloads\00000000.res
Filesize
136B

MD5
c74641f3584d2ec4c292f55ecf43a821

SHA1
b19b38f794ffa219e75308b2c6758a0d8ac0152a

SHA256
906afe20c8a0e432df40c900a1985946b2cf8cdc5926bfb90aca8cd51beb3532

SHA512
edd0c97d631c5d43c0b9b50e0cdb051daaca4f96f054689cb2f00406aa6891097b994b32751f0bffd4b9a609f34c649eed0f4f81d6b34598cf52520d258f75d0

Download Submit
C:\Users\Admin\Downloads\155851715924900.bat
Filesize
318B

MD5
a261428b490a45438c0d55781a9c6e75

SHA1
e9eefce11cefcbb7e5168bfb8de8a3c3ac45c41e

SHA256
4288d655b7de7537d7ea13fdeb1ba19760bcaf04384cd68619d9e5edb5e31f44

SHA512
304887938520ffcc6966da83596ccc8688b7eace9572982c224f3fb9c59e6fb2dcaa021a19d2aae47346e954c0d0d8145c723b7143dece11ac7261dc41ba3d40

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 121333.crdownload
Filesize
224KB

MD5
5c7fb0927db37372da25f270708103a2

SHA1
120ed9279d85cbfa56e5b7779ffa7162074f7a29

SHA256
be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844

SHA512
a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f89224c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206

Download Submit
C:\Users\Admin\Downloads\WannaCry.exe:Zone.Identifier
Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\c.vbs
Filesize
201B

MD5
02b937ceef5da308c5689fcdb3fb12e9

SHA1
fa5490ea513c1b0ee01038c18cb641a51f459507

SHA256
5d57b86aeb52be824875008a6444daf919717408ec45aff4640b5e64610666f1

SHA512
843eeae13ac5fdc216b14e40534543c283ecb2b6c31503aba2d25ddd215df19105892e43cf618848742de9c13687d21e8c834eff3f2b69a26df2509a6f992653

Download Submit
C:\Users\Admin\Downloads\c.wry
Filesize
628B

MD5
c0d7006feb588cdc575d5b5bf7879695

SHA1
51bf73ad23f103102f0f4c6ab75dc720399a6f3b

SHA256
f219b1c1aeae3af9110f21ef1e696da7bd8c2b8e4de15a61dd12b92c3a0cd263

SHA512
cb18f63388859bc631268dd86cc6394172bafec530dbafa2ee3790819c196f36ece22d44af18b33cfae9e4f75638a1ef0673356b2bcff1e28846dcfe3a5a8bf7

Download Submit
C:\Users\Admin\Downloads\m.wry
Filesize
42KB

MD5
980b08bac152aff3f9b0136b616affa5

SHA1
2a9c9601ea038f790cc29379c79407356a3d25a3

SHA256
402046ada270528c9ac38bbfa0152836fe30fb8e12192354e53b8397421430d9

SHA512
100cda1f795781042b012498afd783fd6ff03b0068dbd07b2c2e163cd95e6c6e00755ce16b02b017693c9febc149ed02df9df9b607e2b9cca4b07e5bd420f496

Download Submit
C:\Users\Admin\Downloads\u.wry
Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
\??\pipe\LOCAL\crashpad_1632_LNVADSLGYBKQTYCB
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/4176-391-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download