Resubmissions
08-04-2024 03:16
240408-dsz57sfc87 10Analysis
-
max time kernel
922s -
max time network
847s -
platform
windows11-21h2_x64 -
resource
win11-20240426-en -
resource tags
-
submitted
17-05-2024 05:53
General
-
Target
https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/WannaCry.exe
Malware Config
Extracted
C:\Users\Admin\Downloads\!Please Read Me!.txt
wannacry
15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (55) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Downloads MZ/PE file
-
Drops startup file 2 IoCs
-
Executes dropped EXE 5 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Kills process with taskkill 4 IoCs
-
NTFS ADS 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 49 IoCs
-
Suspicious use of FindShellTrayWindow 35 IoCs
-
Suspicious use of SendNotifyMessage 12 IoCs
-
Suspicious use of SetWindowsHookEx 8 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/WannaCry.exe1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa976c3cb8,0x7ffa976c3cc8,0x7ffa976c3cd82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1860,11588228133910610342,2362372865993016913,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1880 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1860,11588228133910610342,2362372865993016913,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1908 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1860,11588228133910610342,2362372865993016913,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2672 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,11588228133910610342,2362372865993016913,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,11588228133910610342,2362372865993016913,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1860,11588228133910610342,2362372865993016913,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5300 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1860,11588228133910610342,2362372865993016913,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3956 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,11588228133910610342,2362372865993016913,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,11588228133910610342,2362372865993016913,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,11588228133910610342,2362372865993016913,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5648 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,11588228133910610342,2362372865993016913,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5632 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,11588228133910610342,2362372865993016913,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1860,11588228133910610342,2362372865993016913,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5864 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1860,11588228133910610342,2362372865993016913,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6216 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1860,11588228133910610342,2362372865993016913,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4736 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Downloads\WannaCry.exe"C:\Users\Admin\Downloads\WannaCry.exe"1⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 92881715925372.bat2⤵
-
C:\Windows\SysWOW64\cscript.execscript //nologo c.vbs3⤵
-
C:\Users\Admin\Downloads\!WannaDecryptor!.exe!WannaDecryptor!.exe f2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im MSExchange*2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Microsoft.Exchange.*2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sqlserver.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sqlwriter.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Downloads\!WannaDecryptor!.exe!WannaDecryptor!.exe c2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.execmd.exe /c start /b !WannaDecryptor!.exe v2⤵
-
C:\Users\Admin\Downloads\!WannaDecryptor!.exe!WannaDecryptor!.exe v3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.execmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet4⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic shadowcopy delete5⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Downloads\!WannaDecryptor!.exe!WannaDecryptor!.exe2⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD58e1dd984856ef51f4512d3bf2c7aef54
SHA181cb28f2153ec7ae0cbf79c04c1a445efedd125f
SHA25634afac298a256d796d20598df006222ed6900a0dafe0f8507ed3b29bfd2027d7
SHA512d1f8dfc7fdc5d0f185de88a420f2e5b364e77904cab99d2ace154407c4936c510f3c49e27eed4e74dd2fbd850ad129eb585a64127105661d5f8066448e9f201d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5ffa07b9a59daf025c30d00d26391d66f
SHA1382cb374cf0dda03fa67bd55288eeb588b9353da
SHA2567052a8294dd24294974bb11e6f53b7bf36feeb62ce8b5be0c93fbee6bc034afb
SHA51225a29d2a3ba4af0709455a9905a619c9d9375eb4042e959562af8faa087c91afafdb2476599280bbb70960af67d5bd477330f17f7345a7df729aaee997627b3a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
1KB
MD5a263ccfcc7f3043898252dbda1de1e6e
SHA1bae33ecb1ca86d78ce54343f3fba6e231947be9e
SHA256c556265ae49be2da51d185af7940d6145a137002770f6381599e5bbdd26de9ab
SHA512bf373c69baff4b1cf220f4ddcca103df0ce97b0a671ebe24b346a33da408df81ae9a66f8eb40f10554fc5c67730394bd5827d1c20ec9acc19afdf3876f0e1e4e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
579B
MD52ebbd61422b78463e73114c90d111185
SHA196a2a4824b034c487ccfcc08f3d7defa75601565
SHA256164f96175f640e1c88954414f0d6bd4b866e8bc4004221585211df95aaeacaab
SHA512a707e87fa44ddc0f804778e849698b4b9b1a110342a9eb8abcc1a9178019d6424077d6293940adf1b3db80872e42fb70347fb927e7a6cadb2490381fb2f1b926
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD5f23a1b027247db440680a432dc785480
SHA1632eb26ea3d2cdecfa49f57cb6326182528e96b7
SHA2562af9e2ed69f8969a5fe2f6ae465b8d4bd98fcf7f7c5469e5bbe64b88962371e4
SHA5124baceb67d79fab3792b023cc3ab508799c797a254c15747626ff550e98d8272ff3406b26d14a0da9838aad448e18e95326cacce2bba1b37a2fd6e6a371d8637c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5b8718db0f402d72bf0ecfa8a41841bbc
SHA1f079b53dd76add91b1d9e68aa325d2028eb57bcb
SHA256485488cbb18fa441a75fcd9786170dc0dc41365438af4ac51270028fe41f2e23
SHA512d67f148a07af5023f42d88c3a50e94e85daa3bdf4fa8666ac6c83241607d30e927f69de5ff401e11a57f4258da6d96ba4e969d979158fe36aa7ef628c1eeb2d0
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5d973cccfdc3198cfe39523b45922d7cf
SHA1384190ee8b3a4a5533db7796020e6a9d766a6308
SHA256d941b939e30bb3a717b498e6f85366d1ec54f61f66bdefbb5535e43ef324e2a6
SHA512f7b300b945eefcb5f61c4011e06081c618719c120c61c758dad359752b202df6608ef3920f1c2ad77df027f9e67438dc490735f82bae14ff524242ee0d38dcad
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
874B
MD57dec80a80c95290f94d1b9c02530385b
SHA1caf71a977fa403a898fd223a4a882ab703537ab6
SHA2568e87f492ab9cb8ededa33ec95e7adfb1f3d3ecd83d8e6dd3dc3f1445f4afdc15
SHA5121574b01bdf15ebfcf8a286091c9229c14d996aaf655211fe290571cdf45a3ed929bb649a54620581bea96f6addcf928a1db0ed1faa05a12942c1a7911c70c8d9
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD54ba71370b93ee9d5b72b4276d7583c20
SHA19313026455115341acfcd9e4ab8c4f942e4f2b7a
SHA2569e1ff698aea4c25889fb5773a5548e2ea13a2368341d78bfaca4131962df3573
SHA512dadd2b7a68743aba6d32561d2aa56f95405a51c67fca59c451e756605c0096139a3935379242d790f963e0e50b99e8cd843d2eb0d6b7da6d953e91b1a27cd4bd
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD52ef9e4c911f481d93682c37a905e2c6c
SHA1fd01ef96f2d81c8f5eb3d8bfda7cafb85c5b71f8
SHA256d15a2ab08bde0c5d7472cf98f6d858588b7e9a99507457775e8107ceec597ab6
SHA512a386f091f6f8aad4a2ac5eca4ed80b65f407eb9595d7256681f5852450001440c30ae25a21c3a6fe28fa2cadadcbe5a176f7a396628c5d9ea5e7bb7097088529
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57e05d.TMPFilesize
874B
MD5217252411c9f6fb8196709fbf7d42a63
SHA12509cb53372c21c97508ad5f0c2faa3ba3248d19
SHA256925b5db8173fa3df4952aa026859761084fb1c9c27f352a9f0262f15db99d3a2
SHA51248da3dcf441b3009b28326a60dc77cef4c719bb18574f802806fbb2b882d250b7786f1f907fd44333c2e8ecf94943ff8efc91aed79913b7c349ddb30a7e4609b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\heavy_ad_intervention_opt_out.dbFilesize
16KB
MD59a8e0fb6cf4941534771c38bb54a76be
SHA192d45ac2cc921f6733e68b454dc171426ec43c1c
SHA2569ee9211a57c3f6fa211fe0323fa8cd521e7cbffcd8ff0896645a45795dc472be
SHA51212ed22537dcc79d53f6c7d39e92a38f8fea076d793198928f5b7a5dd1234d50a3c0b4815632f3fadf8bc4ef0499773d22bd83f961d2d0ffd8afacf471bd3a5ae
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\previews_opt_out.dbFilesize
16KB
MD5d926f072b41774f50da6b28384e0fed1
SHA1237dfa5fa72af61f8c38a1e46618a4de59bd6f10
SHA2564f7b0e525d4bfc53d5df49589e25a0bccf2fcf6a1a0ca3f94d3285bb9cf0a249
SHA512a140df6ec0d3099ef374e8f3ece09bf91bc896ac4a1d251799a521543fe9bdea796ba09fa47932bd54fa939118495078f9258557b32c31d3d4011b0666a4723f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD5989ddb0c8c255efbbd9d82082efeeb77
SHA17225c502968a51d3d49257a6e4028b9d3e8e8f88
SHA2566c5df9a45810d575cae10e8c600e97d4dbdb4725363d5d6aebf1fb7955284bec
SHA51261358dcd884a4ac142079ad93626cf0750d179e9b26cb11ef69f519bceef45199f1893c206471dccd5ba90e30c5a9e2f0854188981ba65926b838dbf81550a35
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD5dc78dd68a4b66f9b9e2c7f4a3ef3c7b1
SHA1339920bd18ac4adc2e5fae1792b53157fea4bf56
SHA256ab1ea00db778cdd6f4042d2fc6fb566d6d9a15deac22c82e7277a4e115d7839c
SHA5127799f42de003209b613c743d8fc2ea5bfcd6f946a1a24b24840df9642deab7a6a5afd4108c6481b1c1eaeb01e2e0210255c76350129396c1f4466d90180e4afc
-
C:\Users\Admin\Downloads\!Please Read Me!.txtFilesize
797B
MD5afa18cf4aa2660392111763fb93a8c3d
SHA1c219a3654a5f41ce535a09f2a188a464c3f5baf5
SHA256227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0
SHA5124161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b
-
C:\Users\Admin\Downloads\!WannaDecryptor!.exe.lnkFilesize
590B
MD50c48284318e1d1dd67fdd2a6b57c40fd
SHA152923c96ee34faf3cf8f83cdbd1ca186c7555346
SHA256319bfbeece2b4bd447800ae4d2740a05c0e92e671921298e0320ab62b04c3771
SHA5125ee64fdec88b78e41e2d8b7f28b37a26be80cf88e54af42b557946fe73bbb262fb405ea69cf20c981798b7da058c2961bcf8c7a6c3bccc9039d9ddb3d3d49284
-
C:\Users\Admin\Downloads\00000000.resFilesize
136B
MD56ada626ec777675aa69ecccd737f4270
SHA1b72b6f73466c9fc5d39cd8bf7e4996373a4d7a5c
SHA256585b567ef93a5ceade19a59c93fb8dd5eb1612f9dde256782103fea05c80260b
SHA5126952ea5e634bad8a92da9a5cbb58e1d3a87eb02934a04918b7ea83792fac32ba932ad12a2f3bc55086a4f4267fc2cdf613bfc4a8491f24b643e3ae14f2ef9792
-
C:\Users\Admin\Downloads\00000000.resFilesize
136B
MD58a0b85ea2edf85410e89ce2eaee5ad59
SHA17d6c53be2a9ab91a0b75b76bea7363aed44bf9f6
SHA256b467180b0e6b1b6eb4fc497116e9741f79850c8bd76d6fafa0410f0be19e2aa1
SHA5122a7601fe5322a962f5ebad14ff0b553fd688d0e31d1e7df576b140c32a158404bc9dea9913d46742c0fcc4484db9c563803219392c70cd2064f53241bb7a2afa
-
C:\Users\Admin\Downloads\00000000.resFilesize
136B
MD53896c27fa1edf094f5410d65bc5a5c7f
SHA19e48d7a1bd3a13d4dce3126e29eb69c4f7ee7c94
SHA256465af92baac44e45a6fed9f62f83173df3bf147f11c502df31dee5c0d9b8fffc
SHA512df18ba1d15d92ef096e0f7817530b23c0ed2d2449bc9bf0fb71c5cffbc7ccccae13e639adff19b89ec4608de35d28ec7e08a72413a8f63532fa6a646f2769022
-
C:\Users\Admin\Downloads\92881715925372.batFilesize
318B
MD5a261428b490a45438c0d55781a9c6e75
SHA1e9eefce11cefcbb7e5168bfb8de8a3c3ac45c41e
SHA2564288d655b7de7537d7ea13fdeb1ba19760bcaf04384cd68619d9e5edb5e31f44
SHA512304887938520ffcc6966da83596ccc8688b7eace9572982c224f3fb9c59e6fb2dcaa021a19d2aae47346e954c0d0d8145c723b7143dece11ac7261dc41ba3d40
-
C:\Users\Admin\Downloads\Unconfirmed 965678.crdownloadFilesize
224KB
MD55c7fb0927db37372da25f270708103a2
SHA1120ed9279d85cbfa56e5b7779ffa7162074f7a29
SHA256be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844
SHA512a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f89224c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206
-
C:\Users\Admin\Downloads\WannaCry.exe:Zone.IdentifierFilesize
26B
MD5fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98
-
C:\Users\Admin\Downloads\c.vbsFilesize
201B
MD502b937ceef5da308c5689fcdb3fb12e9
SHA1fa5490ea513c1b0ee01038c18cb641a51f459507
SHA2565d57b86aeb52be824875008a6444daf919717408ec45aff4640b5e64610666f1
SHA512843eeae13ac5fdc216b14e40534543c283ecb2b6c31503aba2d25ddd215df19105892e43cf618848742de9c13687d21e8c834eff3f2b69a26df2509a6f992653
-
C:\Users\Admin\Downloads\c.wryFilesize
628B
MD51aae7376a4d5c6c25787ef0ff6b48f20
SHA17b06f8e56fd61c596188b3d052f1d7e3a1515526
SHA2562c89fb8a92bde457622ec01152f862357bf9d3631d296ca05630418aaf329acd
SHA51227d6f2c1ae17af1dc0be3b7f0e446553eb0b857d06ea3700e677f045e30fe8494813ae4314f668bdadab03eec40db104ff314de30adc63375e213761c65715fb
-
C:\Users\Admin\Downloads\m.wryFilesize
42KB
MD5980b08bac152aff3f9b0136b616affa5
SHA12a9c9601ea038f790cc29379c79407356a3d25a3
SHA256402046ada270528c9ac38bbfa0152836fe30fb8e12192354e53b8397421430d9
SHA512100cda1f795781042b012498afd783fd6ff03b0068dbd07b2c2e163cd95e6c6e00755ce16b02b017693c9febc149ed02df9df9b607e2b9cca4b07e5bd420f496
-
C:\Users\Admin\Downloads\u.wryFilesize
236KB
MD5cf1416074cd7791ab80a18f9e7e219d9
SHA1276d2ec82c518d887a8a3608e51c56fa28716ded
SHA25678e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df
SHA5120bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5
-
\??\pipe\LOCAL\crashpad_3772_ZKAPVSZSYMHUJRZVMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/2404-325-0x0000000010000000-0x0000000010012000-memory.dmpFilesize
72KB