hxxps://github[.]com/kh4sh3i/Ransomware-Samples/blob/main/WannaCry/Ransomware[.]WannaCry[.]zip

Resubmissions

24/08/2024, 13:02

240824-p9vsla1elf 6

24/08/2024, 12:53

240824-p4ybja1cjd 10

Analysis

max time kernel
145s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24/08/2024, 13:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/kh4sh3i/Ransomware-Samples/blob/main/WannaCry/Ransomware.WannaCry.zip

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
68	raw.githubusercontent.com
69	raw.githubusercontent.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\in\Ransomware.RedBoot\1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887	7zG.exe
File opened for modification	C:\Windows\system32\in\Ransomware.RedBoot\1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887	7zG.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
4412	msedge.exe
4412	msedge.exe
5060	msedge.exe
5060	msedge.exe
4984	identity_helper.exe
4984	identity_helper.exe
4920	msedge.exe
4920	msedge.exe
4864	msedge.exe
4864	msedge.exe
5236	sdiagnhost.exe
5236	sdiagnhost.exe
1808	msedge.exe
1808	msedge.exe
5364	msedge.exe
5364	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
3968	msedge.exe
5968	msedge.exe
5968	msedge.exe
6132	msedge.exe
6132	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeRestorePrivilege	5564	7zG.exe
Token: 35	5564	7zG.exe
Token: SeSecurityPrivilege	5564	7zG.exe
Token: SeSecurityPrivilege	5564	7zG.exe
Token: SeDebugPrivilege	5236	sdiagnhost.exe
Token: SeRestorePrivilege	1840	7zG.exe
Token: 35	1840	7zG.exe
Token: SeSecurityPrivilege	1840	7zG.exe
Token: SeSecurityPrivilege	1840	7zG.exe
Token: SeRestorePrivilege	4392	7zG.exe
Token: 35	4392	7zG.exe
Token: SeSecurityPrivilege	4392	7zG.exe
Token: SeSecurityPrivilege	4392	7zG.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5564	7zG.exe
5696	msdt.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
1840	7zG.exe
5060	msedge.exe
5060	msedge.exe

Suspicious use of SendNotifyMessage 26 IoCs

pid	Process
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe
5060	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5060 wrote to memory of 3948	5060	msedge.exe	85
PID 5060 wrote to memory of 3948	5060	msedge.exe	85
PID 5060 wrote to memory of 4136	5060	msedge.exe	86
PID 5060 wrote to memory of 4136	5060	msedge.exe	86
PID 5060 wrote to memory of 4136	5060	msedge.exe	86
PID 5060 wrote to memory of 4136	5060	msedge.exe	86
PID 5060 wrote to memory of 4136	5060	msedge.exe	86
PID 5060 wrote to memory of 4136	5060	msedge.exe	86
PID 5060 wrote to memory of 4136	5060	msedge.exe	86
PID 5060 wrote to memory of 4136	5060	msedge.exe	86
PID 5060 wrote to memory of 4136	5060	msedge.exe	86
PID 5060 wrote to memory of 4136	5060	msedge.exe	86
PID 5060 wrote to memory of 4136	5060	msedge.exe	86
PID 5060 wrote to memory of 4136	5060	msedge.exe	86
PID 5060 wrote to memory of 4136	5060	msedge.exe	86
PID 5060 wrote to memory of 4136	5060	msedge.exe	86
PID 5060 wrote to memory of 4136	5060	msedge.exe	86
PID 5060 wrote to memory of 4136	5060	msedge.exe	86
PID 5060 wrote to memory of 4136	5060	msedge.exe	86
PID 5060 wrote to memory of 4136	5060	msedge.exe	86
PID 5060 wrote to memory of 4136	5060	msedge.exe	86
PID 5060 wrote to memory of 4136	5060	msedge.exe	86
PID 5060 wrote to memory of 4136	5060	msedge.exe	86
PID 5060 wrote to memory of 4136	5060	msedge.exe	86
PID 5060 wrote to memory of 4136	5060	msedge.exe	86
PID 5060 wrote to memory of 4136	5060	msedge.exe	86
PID 5060 wrote to memory of 4136	5060	msedge.exe	86
PID 5060 wrote to memory of 4136	5060	msedge.exe	86
PID 5060 wrote to memory of 4136	5060	msedge.exe	86
PID 5060 wrote to memory of 4136	5060	msedge.exe	86
PID 5060 wrote to memory of 4136	5060	msedge.exe	86
PID 5060 wrote to memory of 4136	5060	msedge.exe	86
PID 5060 wrote to memory of 4136	5060	msedge.exe	86
PID 5060 wrote to memory of 4136	5060	msedge.exe	86
PID 5060 wrote to memory of 4136	5060	msedge.exe	86
PID 5060 wrote to memory of 4136	5060	msedge.exe	86
PID 5060 wrote to memory of 4136	5060	msedge.exe	86
PID 5060 wrote to memory of 4136	5060	msedge.exe	86
PID 5060 wrote to memory of 4136	5060	msedge.exe	86
PID 5060 wrote to memory of 4136	5060	msedge.exe	86
PID 5060 wrote to memory of 4136	5060	msedge.exe	86
PID 5060 wrote to memory of 4136	5060	msedge.exe	86
PID 5060 wrote to memory of 4412	5060	msedge.exe	87
PID 5060 wrote to memory of 4412	5060	msedge.exe	87
PID 5060 wrote to memory of 1260	5060	msedge.exe	88
PID 5060 wrote to memory of 1260	5060	msedge.exe	88
PID 5060 wrote to memory of 1260	5060	msedge.exe	88
PID 5060 wrote to memory of 1260	5060	msedge.exe	88
PID 5060 wrote to memory of 1260	5060	msedge.exe	88
PID 5060 wrote to memory of 1260	5060	msedge.exe	88
PID 5060 wrote to memory of 1260	5060	msedge.exe	88
PID 5060 wrote to memory of 1260	5060	msedge.exe	88
PID 5060 wrote to memory of 1260	5060	msedge.exe	88
PID 5060 wrote to memory of 1260	5060	msedge.exe	88
PID 5060 wrote to memory of 1260	5060	msedge.exe	88
PID 5060 wrote to memory of 1260	5060	msedge.exe	88
PID 5060 wrote to memory of 1260	5060	msedge.exe	88
PID 5060 wrote to memory of 1260	5060	msedge.exe	88
PID 5060 wrote to memory of 1260	5060	msedge.exe	88
PID 5060 wrote to memory of 1260	5060	msedge.exe	88
PID 5060 wrote to memory of 1260	5060	msedge.exe	88
PID 5060 wrote to memory of 1260	5060	msedge.exe	88
PID 5060 wrote to memory of 1260	5060	msedge.exe	88
PID 5060 wrote to memory of 1260	5060	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/kh4sh3i/Ransomware-Samples/blob/main/WannaCry/Ransomware.WannaCry.zip
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffeed946f8,0x7fffeed94708,0x7fffeed94718
  2⤵
  PID:3948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,13259687567855170703,15788765288008319798,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
  2⤵
  PID:4136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,13259687567855170703,15788765288008319798,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,13259687567855170703,15788765288008319798,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2832 /prefetch:8
  2⤵
  PID:1260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,13259687567855170703,15788765288008319798,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:4064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,13259687567855170703,15788765288008319798,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:2132
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,13259687567855170703,15788765288008319798,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5508 /prefetch:8
  2⤵
  PID:4720
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,13259687567855170703,15788765288008319798,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5508 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,13259687567855170703,15788765288008319798,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:1
  2⤵
  PID:1144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,13259687567855170703,15788765288008319798,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5196 /prefetch:1
  2⤵
  PID:1320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,13259687567855170703,15788765288008319798,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:1
  2⤵
  PID:1972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,13259687567855170703,15788765288008319798,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3788 /prefetch:1
  2⤵
  PID:4720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2160,13259687567855170703,15788765288008319798,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5736 /prefetch:8
  2⤵
  PID:1072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,13259687567855170703,15788765288008319798,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:1
  2⤵
  PID:3552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2160,13259687567855170703,15788765288008319798,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5716 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2160,13259687567855170703,15788765288008319798,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6004 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,13259687567855170703,15788765288008319798,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5696 /prefetch:1
  2⤵
  PID:1388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2160,13259687567855170703,15788765288008319798,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5584 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2160,13259687567855170703,15788765288008319798,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5204 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,13259687567855170703,15788765288008319798,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5032 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,13259687567855170703,15788765288008319798,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6352 /prefetch:1
  2⤵
  PID:5952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2160,13259687567855170703,15788765288008319798,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1932 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2160,13259687567855170703,15788765288008319798,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6088 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6132

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3584

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3820

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5188

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Ransomware.WannaCry_Plus\" -ad -an -ai#7zMap10051:110:7zEvent27043
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5564

C:\Windows\system32\pcwrun.exe
C:\Windows\system32\pcwrun.exe "C:\Users\Admin\Downloads\Ransomware.WannaCry_Plus\Win32.Wannacry.exe" ContextMenu
1⤵
PID:5668
- C:\Windows\System32\msdt.exe
  C:\Windows\System32\msdt.exe -path C:\Windows\diagnostics\index\PCWDiagnostic.xml -af C:\Users\Admin\AppData\Local\Temp\PCW5B3A.xml /skip TRUE
  2⤵
  - Suspicious use of FindShellTrayWindow
  PID:5696

C:\Windows\System32\sdiagnhost.exe
C:\Windows\System32\sdiagnhost.exe -Embedding
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5236
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lwjar4n5\lwjar4n5.cmdline"
  2⤵
  PID:5376
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5F80.tmp" "c:\Users\Admin\AppData\Local\Temp\lwjar4n5\CSC51778C63EA2F430BAB58FD97F9FFBAE0.TMP"
    3⤵
    PID:5412
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\enbolbip\enbolbip.cmdline"
  2⤵
  PID:736
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES601C.tmp" "c:\Users\Admin\AppData\Local\Temp\enbolbip\CSC2D8323A791E6490BB6E8E6F246DF535B.TMP"
    3⤵
    PID:5480
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4laxvwcq\4laxvwcq.cmdline"
  2⤵
  PID:924
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6387.tmp" "c:\Users\Admin\AppData\Local\Temp\4laxvwcq\CSC18538A39AAC48B787884C921ED763F.TMP"
    3⤵
    PID:4716

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Ransomware.Petrwrap\" -ad -an -ai#7zMap5917:100:7zEvent24350
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1840

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Ransomware.RedBoot\" -ad -an -ai#7zMap409:98:7zEvent18562
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\ElevatedDiagnostics\733862231\2024082413.000\PCW.debugreport.xml

Filesize
3KB

MD5
dd9b11887c41ae811e0c792b11cd9bce

SHA1
8ef9ecf3b8089ac56d5b5fa06e98905ce63746bf

SHA256
b5cb0fe468ed3b2ace89dbbd4d31037617f3a803d611ca54927c6a410f21f19b

SHA512
f0933f29ce81b1b0e42dd486b5fa8ffb8dc919d904572dbd111af8f813f743afd933f23391c87cc03c4aefa8d25424cf7993f217d2a7ebf80650ed25cbf421de

Download Submit
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\733862231\2024082413.000\results.xsl

Filesize
47KB

MD5
310e1da2344ba6ca96666fb639840ea9

SHA1
e8694edf9ee68782aa1de05470b884cc1a0e1ded

SHA256
67401342192babc27e62d4c1e0940409cc3f2bd28f77399e71d245eae8d3f63c

SHA512
62ab361ffea1f0b6ff1cc76c74b8e20c2499d72f3eb0c010d47dba7e6d723f9948dba3397ea26241a1a995cffce2a68cd0aaa1bb8d917dd8f4c8f3729fa6d244

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
111c361619c017b5d09a13a56938bd54

SHA1
e02b363a8ceb95751623f25025a9299a2c931e07

SHA256
d7be4042a1e3511b0dbf0ab5c493245e4ac314440a4ae0732813db01a21ef8bc

SHA512
fc16a4ad0b56899b82d05114d7b0ca8ee610cdba6ff0b6a67dea44faf17b3105109335359b78c0a59c9011a13152744a7f5d4f6a5b66ea519df750ef03f622b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
983cbc1f706a155d63496ebc4d66515e

SHA1
223d0071718b80cad9239e58c5e8e64df6e2a2fe

SHA256
cc34b8f8e3f4bfe4c9a227d88f56ea2dd276ca3ac81df622ff5e9a8ec46b951c

SHA512
d9cf2ca46d9379902730c81e615a3eb694873ffd535c6bb3ded2dc97cdbbfb71051ab11a07754ed6f610f04285605b702b5a48a6cfda3ee3287230c41c9c45cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000d

Filesize
2.3MB

MD5
5641d280a62b66943bf2d05a72a972c7

SHA1
c857f1162c316a25eeff6116e249a97b59538585

SHA256
ab14c3f5741c06ad40632447b2fc10662d151afb32066a507aab4ec866ffd488

SHA512
0633bc32fa6d31b4c6f04171002ad5da6bb83571b9766e5c8d81002037b4bc96e86eb059d35cf5ce17a1a75767461ba5ac0a89267c3d0e5ce165719ca2af1752

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000e

Filesize
1.1MB

MD5
6884a35803f2e795fa4b121f636332b4

SHA1
527bfbf4436f9cce804152200c4808365e6ba8f9

SHA256
cf01329c0463865422caa595de325e5fe3f7fba44aabebaae11a6adfeb78b91c

SHA512
262732a9203e2f3593d45a9b26a1a03cc185a20cf28fad3505e257b960664983d2e4f2b19b9ff743015310bf593810bd049eb03d0fd8912a6d54de739742de60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000f

Filesize
1.2MB

MD5
51250dabf7df7832640e4a680676cb46

SHA1
74ba41bb17af6e5638171f7a6d9d49e978d8d3b3

SHA256
7fa2bf61405ac573a21334e34bf713dcb5d1fc0c72674e6cebc48d33a4a14d44

SHA512
43f898d7e5752312a79138dcce94c117a20fb6efd9e522fc1ed3cc2d407d13cacf5b6f810c7c1966c4c03217aeb51fce641feb31b26620ff239756132b17f57a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
2e3dff96152a2ee721913d2df72f072c

SHA1
fade1be69016ccd6a2eb5970802fe9f2914226e2

SHA256
2d5844eaeab4bbf55b5f2b1dc46e717ad98d6dd27bd6ad5ac978af91fb0b154a

SHA512
4a42188bb641d4f55eb4314e1ae2551afec838b94936f0d1749eafee6342dababaa499b63621066bf2f08e9966da7831d6f0be848e98b8d124a1afd381744a03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
579B

MD5
ed5f4213c17629776cd75510648fc019

SHA1
ebfa685dca9b7c920cd5ad521c03e4ad0ce435b9

SHA256
e969795f0e63ec8a35cdf34d5bc43867ca0825bebfed9734943e69b34ed2ad87

SHA512
71bcc166ae5a48f7a79aa5de7ecc7e10dce22c39240ca9ffe9d0f9340f40fc2a2429529cfee8b2b5d7082efe94921fa7df3454852d5313ff4093bfdffc189627

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
5dcad6f5ab951339ec1d7080551ed88f

SHA1
ea2f5ad07ed51e66ea8db9958ad043511ae26cea

SHA256
f7765312075fffd5df33972da0c899c97cde3f1931ef128c273b7136c7afece6

SHA512
d123b44efdad3e282114769863d845f99fe96fbca70ebd16bf588e466ae1f09babc4bafe053c153a59e304a89efe97b0cf3e9adab2812a4efd1bb21212c91b92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
609f95c3072a97bdfc7e2e4741b2aebe

SHA1
789d52a84929a92725c29d528f9611e2d2665f6b

SHA256
780ff3530fbfc5bac0fd3368dbfc94301fef183771e7de982e23688cbf38c9ba

SHA512
96aeb37ea0a1948cdc19c8784d1690d5e95f0edf8eb1d1fa4db3717630b974fa6a9b3c125275b90f8b915a155a775b811ac749d6c17ee56433919417925fe502

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
51df3d5d6a9cdffd389061092b7f7894

SHA1
54d6ce4b5ceb7d7306e66abcf262e0604229f4c0

SHA256
c0c3182d0e021570228625413e6bca914245548fdbd445cb8654592da652b9fa

SHA512
eb909aa6204b275485ddbb9731362ff2874854df1a9b62183f0ba67c8227489f80c00feedbaaa5f1d6088a566fef02bfbc0da7c99f1ba3c343b4d4e8342e9cf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
bdc8a43a1f6167fd9d485872ca8db88a

SHA1
c004784bb4c470fa46e1573f1182f3483439d6d2

SHA256
38e14c5de66d09dfb0d0aebaf24a0f5d395bb62403c7988950bf0ec1a57e23b8

SHA512
b17207e40dac0330bc564b977877006e5f7f0a458810890bd9bf37aa52adf3a1c1023edbd2dd2eb2f14232ae32480ac8f8506674323c34e2d135f4be8be50bc7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
0f0ddd3dd462eb795805a2c0d8d641c9

SHA1
9a1a66b9af91ead6ae54f0fa7783e08e4564c27e

SHA256
e1d26fccf704162901918db6a9f2cdb793f6daede17160b2fabf8ae1bec33b6c

SHA512
1a660c243ca01a847083944ec8cd99c7c0498aa3bc2f48449d818dfa2763c0ce6e2a5d4b4bb8223423092309fc3949726199c5a68c5e445008e3eef7fb82aea3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d01b59c137c0ccc015d016ed9e7ea372

SHA1
bfae097de59d923161c5c5303b791da46cb55c3a

SHA256
7e0ee3612675b4e85ad2216286a5af75f5a416d9b262264af7602a3c47acee75

SHA512
bc02d6cb2fbb1269530e0d28eff84ddaa79da405c92f7e6740cf66f0c4bafdbe5ebba7fede39eb3f625c083292019f00505a6b0c756ac7a9ec4e2c81dd2777fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2ad79522a6879ab32eb128b6fdb5f0a0

SHA1
2e6e0faa5eeab32b73c77be5ca1567e47f8026dc

SHA256
40014e46752492143dfc8b7559df04c79bd81e4ac2815140305bdb254f6e1159

SHA512
31d4e6b80787ee5494a63b572c0690cafc6a222ebdc3c9bcfde9fe36087960e9ddd07941d9ae9d06f20bcefe8eff7b16edb7aadcb3f7cb750c2a18ca1aebb4ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
08d2c9443237dad3c5fa295955eb9f16

SHA1
8108da60396cbb183ec9ecca8a2cdb6453c4156a

SHA256
9eabf13e0ff9c97b607567ca22e1beb0acf976b99c60c8e5f69429bc130ed10f

SHA512
bfc8c039a0b6272e6bfb8ea15616d338030f71080866764827b9163678c0253f9267f4a302bb70980a013406a0b13295c61afe249567d4032754fab8f3344896

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57e280.TMP

Filesize
874B

MD5
90e7d08370a71e134dc9ecf5f085b070

SHA1
da86ae8cded7fb5b0286245133397e3c10522f19

SHA256
53b82b8a7e5d0f92d4a136e4381eb554b18e7295b1518e163449abc7908678b4

SHA512
497a31138fe638f7ef2b80fbce73c6efdec7233eca518627ff5197b55983feb91a6536eafbac30ab3a09b9efd71d53e55cfdd1c7b2349b2b90252156783db181

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
cddf959839a0173c97b69c9c994df383

SHA1
bbf53ed2e1ed872447a65f363349af6283eb6b56

SHA256
a21dd0ba17bcfbc5d65c2d9aa671c3ad083611f1e7612a31ea2970ca5c25d96f

SHA512
15bc0a114711b9d90cf7d89459d3b891905edd9215b0cb04def1a1e2047532df302d72cbbc10b9c1c235ee89b581c030f152b436b8665341e820ab6be5f60657

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
123e891842119544f247b8315d239273

SHA1
9b775d350f410cfec856e90d14e78f13734c1d50

SHA256
472aa2a51bef50c281c99db499e88d5d5c99916d4ae32026b83897c7c11b3967

SHA512
bb285838e93cde620de1ab801ed0b87fa1ba15058f59519a2ea307aff1061c3d1d7635458bbe0096b556c64c40d98561760cbaf9674c758feb60e3a7372a447f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
d29dc9875db76bc19652cb2b516df46f

SHA1
afb1f9e5b3d9537b3d3441df896b31d3c0db9efe

SHA256
71bd813f297ea08163e8a01248c8169461eba66cc70d5fe52174d541019a454b

SHA512
0f1bbd9ca0ae77694b79feebd3afe6d47d5a47938b8052e6db229c9f8f2c8875a5be0f8e66b016a5036502a8ebf55ada6f3e1b32766eddec6504e9528467ac15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
f9822c42c9bc1776f19526742a820546

SHA1
a0fd0516141def6b6c0c15cdddc79256d6f5678c

SHA256
e038b55e478994060ce59d7ad30a2189ea186be45c008f4ca69a12d5bb8632c7

SHA512
b10fd5ee4266da0faa506d951c122e99454932b0175a5a3b7ed29ff319576c02347003d41715180439ef7b676af46fbcf10b76841a83ad0125af43babfcdd878

Download Submit
C:\Users\Admin\AppData\Local\Temp\4laxvwcq\4laxvwcq.dll

Filesize
9KB

MD5
10cc0cbc6ec2779e4b08cbb311dbf992

SHA1
4ffcd084025dbd513c5f734128f66799477db238

SHA256
08d37be53aa6d5bbececa50f387613ed4515097b2326ecf477e013771f5cabe3

SHA512
ab9f416398ebea886f4f11d76658934aee871fd89bc7a2378d8854fdfae597d9a60a0ce660747b1a2822fc181e002cbff0a60af4d1c3f0b5ff436073ed4d7dd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\PCW5B3A.xml

Filesize
776B

MD5
f62da78dac7357a41bf5e3f55c52ee19

SHA1
20b640818509db4483332a911aa4edcce51e9c2c

SHA256
810af6a0e38252145bc552f2fec09ae7ad36afa4b79b75f7e013eec44c3b6eba

SHA512
2efd4524ab92db25e7ffabd94943b27f385c6eb2dfb1092c77fc40b0ffd8d8b17fede4585bbc1f496620e9dcaae3f69692e5f4a51ead47a3a9b3622648e6bf10

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5F80.tmp

Filesize
1KB

MD5
8846bdefaed65da362d7553e044d86a3

SHA1
d3d0ec9530408a74f9078671e4fa9e1d1a10b893

SHA256
d8dff24365ffa0f2c3fa52983d82299515e65f4dd22c307da5cdae3ee51b880b

SHA512
ff7c5c312591c2f27b284310a342f9080dcdb93a4e1dda65d37e31242ab9680d934f6c29c63ac3649b983a17f686149cdd6cd16873f0a60b66735fb6a7583010

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES601C.tmp

Filesize
1KB

MD5
c7c95266ec339aebbef38e3af9e88bf0

SHA1
a1aec3e5bda3d26773b866437c66019efb60621d

SHA256
15c25bdabb788e5e78174a033447d86a2b4eb173c95ab7a559761bf8d44ebb55

SHA512
467c4fece2ace1ad1e7fa1298355c44b1cc83b62435e3b2b88e0b9f83a9fc1acf43ccf25b9a085081e68cdab875556df3d25b010864602d64027f041237f90a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6387.tmp

Filesize
1KB

MD5
90355048c3e2624f8eeb6bc10598686e

SHA1
9e8b25cb7649dabf4c9a57e054d21d843699a997

SHA256
d2f31e799e2099a3dcdadcbaa3e71361b827d5eca68c11bf44a109b8dcbb035b

SHA512
de297487a03b79ffd5a328dcbed1798456551b6fa97a984d5becea89e8e164bcd3c49f7fca4400d9d3ae826a92afe0e078931397c1cc23a0ebf57cc45ca87fca

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_x5bmf4qq.hp5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\enbolbip\enbolbip.dll

Filesize
3KB

MD5
a159bc6e4774f3240a72ebf5b6d46c69

SHA1
1c4afb330b0cb213bfc6acbb62ab482f8bd344ac

SHA256
a0c99503633e476c008919a0b3e356b54518a1c4a82171c9e9cc70502e738326

SHA512
4005cdc749bb098740facefecf7d24389162270ed0328a1571cce9902c07a029ca2d567e2ee905bafa09102a789e24ac4408ee458f535e4c3be10084f5f8592f

Download Submit
C:\Users\Admin\AppData\Local\Temp\lwjar4n5\lwjar4n5.dll

Filesize
5KB

MD5
82fb6872721a70bd8b5897d7cd87520e

SHA1
aff61de987e3cac5c303e6054c653967b70af00f

SHA256
9e08a1a76e3dd829d280ab0b5373080bb6f65089f34d2a42af8ebaf1e0d0bb62

SHA512
ce07de6a7135d6c44d4ec8100b310dd8b1df232f0e412f06ec7d747149db22ff31aa4f1f42ecc9147b91ae676d513e3d07b52ff1330272b7ce18d33b9ffadbe0

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry_Plus\Win32.Wannacry.exe

Filesize
5.0MB

MD5
30fe2f9a048d7a734c8d9233f64810ba

SHA1
2027a053de21bd5c783c3f823ed1d36966780ed4

SHA256
55504677f82981962d85495231695d3a92aa0b31ec35a957bd9cbbef618658e3

SHA512
b657b02506f768db3255293b0c86452b4dfdd30804629c323aaa9510a3b637b0906e5963179ef7d4aaedc14646f2be2b4292e6584a6c55c6ddb596cff7f20e2a

Download Submit
C:\Windows\TEMP\SDIAG_369ae744-0ab4-4f41-97c7-552c855d6cf8\RS_ProgramCompatibilityWizard.ps1

Filesize
49KB

MD5
edf1259cd24332f49b86454ba6f01eab

SHA1
7f5aa05727b89955b692014c2000ed516f65d81e

SHA256
ab41c00808adad9cb3d76405a9e0aee99fb6e654a8bf38df5abd0d161716dc27

SHA512
a6762849fedd98f274ca32eb14ec918fdbe278a332fda170ed6d63d4c86161f2208612eb180105f238893a2d2b107228a3e7b12e75e55fde96609c69c896eba0

Download Submit
C:\Windows\TEMP\SDIAG_369ae744-0ab4-4f41-97c7-552c855d6cf8\TS_ProgramCompatibilityWizard.ps1

Filesize
16KB

MD5
925f0b68b4de450cabe825365a43a05b

SHA1
b6c57383a9bd732db7234d1bb34fd75d06e1fb72

SHA256
5b1be3f6c280acfe041735c2e7c9a245e806fd7f1bf6029489698b0376e85025

SHA512
012aadec4ed60b311f2b5374db3a2e409a0708272e6217049643bf33353ab49e4e144d60260b04e3ae29def8a4e1b8ada853a93972f703ca11b827febe7725af

Download Submit
C:\Windows\TEMP\SDIAG_369ae744-0ab4-4f41-97c7-552c855d6cf8\en-US\CL_LocalizationData.psd1

Filesize
6KB

MD5
2c81a148f8e851ce008686f96e5bf911

SHA1
272289728564c9af2c2bd8974693a099beb354ad

SHA256
1a2381382671147f56cf137e749cb8a18f176a16793b2266a70154ee27971437

SHA512
409c2e953672b0399987ec85c7113c9154bc9d6ca87cf523485d9913bb0bf92a850638c84b8dc07a96b6366d406a094d32dc62dd76417c0d4e4ae86d8fcb8bbb

Download Submit
C:\Windows\Temp\SDIAG_369ae744-0ab4-4f41-97c7-552c855d6cf8\DiagPackage.dll

Filesize
65KB

MD5
79134a74dd0f019af67d9498192f5652

SHA1
90235b521e92e600d189d75f7f733c4bda02c027

SHA256
9d6e3ed51893661dfe5a98557f5e7e255bbe223e3403a42aa44ea563098c947e

SHA512
1627d3abe3a54478c131f664f43c8e91dc5d2f2f7ddc049bc30dfa065eee329ed93edd73c9b93cf07bed997f43d58842333b3678e61aceac391fbe171d8461a3

Download Submit
C:\Windows\Temp\SDIAG_369ae744-0ab4-4f41-97c7-552c855d6cf8\en-US\DiagPackage.dll.mui

Filesize
10KB

MD5
d7309f9b759ccb83b676420b4bde0182

SHA1
641ad24a420e2774a75168aaf1e990fca240e348

SHA256
51d06affd4db0e4b37d35d0e85b8209d5fab741904e8d03df1a27a0be102324f

SHA512
7284f2d48e1747bbc97a1dab91fb57ff659ed9a05b3fa78a7def733e809c15834c15912102f03a81019261431e9ed3c110fd96539c9628c55653e7ac21d8478d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4laxvwcq\4laxvwcq.0.cs

Filesize
11KB

MD5
acf1a7b8aab4c6efda423d4842a10a85

SHA1
ac55b84b81527ad1224a85640c5a2555b19b685d

SHA256
af0a7036a5f650570990f2d562a7c7636b6eaa54f53b6ce3f43aaa070188dafa

SHA512
22e5a8b633a0189e836adb0c34c84b5029e8069e2f0a77803da91ce2b0da14b8fa231ddd1f1b164992d534b8a4ccc51c270e8ff2ff3f2f34536432b4abfc04e5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4laxvwcq\4laxvwcq.cmdline

Filesize
356B

MD5
f1dec85e7ee2e90a0e85ca7ce43a5358

SHA1
bc7370fb2f18b0704db6da5d2c81f15467f52ffd

SHA256
4e617fb9219d40a20de4d217bdd0fd6813d693f95062127e89de81bd5f392f24

SHA512
0cc1a94d5ef23d868a6f1d579ea96966210cbb8199e55108109e4d956474eb0e8c98b169e0846f1f99c0c5ca424eee5fc8dcb5bdced85e2265723962e1bf0271

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4laxvwcq\CSC18538A39AAC48B787884C921ED763F.TMP

Filesize
652B

MD5
1d7b28f2b55a6648c08077f8ef0dbab4

SHA1
2e188d154d9311ca9fc2e288fafdb7d9f2af9746

SHA256
2ed6038cc2765fb115213b2aad18c06bf3cf87704c406ec17ea6029f1aea7b8b

SHA512
4a1f1e6da7f40dd26a73251686cd3c60bb6df653fb88e7039af436c06d35d4943da426d5eb3704c13491c08fb68462b3e1876326f1dd6699a8c1753007fa0a64

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\enbolbip\CSC2D8323A791E6490BB6E8E6F246DF535B.TMP

Filesize
652B

MD5
a8ab906c7eeb23e24cd107512476b638

SHA1
3499b82e8246e35de75cd9a1dce64781c37ec127

SHA256
2144f0fab6035ee410440544fc549e18f95e9f9174e6d13f7815273a25bc8289

SHA512
4633a2985a914bfb7e8310ac9f1af1e07162cb5e53f6d2d2bf341e52c5e0a7b60caeb18c71f2c0d91bde721158f29e73504e99242944e387a01c2d89e9982264

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\enbolbip\enbolbip.0.cs

Filesize
791B

MD5
3880de647b10555a534f34d5071fe461

SHA1
38b108ee6ea0f177b5dd52343e2ed74ca6134ca1

SHA256
f73390c091cd7e45dac07c22b26bf667054eacda31119513505390529744e15e

SHA512
2bf0a33982ade10ad49b368d313866677bca13074cd988e193b54ab0e1f507116d8218603b62b4e0561f481e8e7e72bdcda31259894552f1e3677627c12a9969

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\enbolbip\enbolbip.cmdline

Filesize
356B

MD5
9e5ed025d50576e728823562f75e8214

SHA1
07a4ad67f3dd5f567a3e65f876d4640bcdf67dc8

SHA256
42c630fed0c9757082ffa4fdd9f529cb64a877a547c9bcf5ecd173070a08f40e

SHA512
19e22ff8a4b6122e79b7b5f3e68ee3c7ab91bfbd11d4427773cc9c3187987674ac283063ad452f5dd3dabfe38b2bad95c39f29d821b3cd83c7f43daf5755a4f3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lwjar4n5\CSC51778C63EA2F430BAB58FD97F9FFBAE0.TMP

Filesize
652B

MD5
9ab1a2ecc07ee5f732af08bc772750bd

SHA1
daffdc75359bccbec8dcdd63c31806c957acc42c

SHA256
17fc69ab80be5311da39a2ba23e8e9e1a4a28984f957cf0b79de0494b7447bf4

SHA512
b3c8448119ab87612838929cb59960d7ff8001269b2cd24d7382bcf03e444a9b5332d6247ecc6961efdc51ec231bbb04c15454aca1d924930d00ebd63129b83c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lwjar4n5\lwjar4n5.0.cs

Filesize
5KB

MD5
fc2e5c90a6cb21475ea3d4254457d366

SHA1
68f9e628a26eb033f1ee5b7e38d440cfd598c85d

SHA256
58fcc3cfb1e17e21401e2a4b2452a6e5b8a47163008b54fdcdcc8cadff7e5c77

SHA512
c54b9ce28fa71d7e3629cdd74ac9f23cba873506f1b5825acc2aa407414ed603af4c846dcf388c579f8324e3538e63b26f90421ea9d7fcdd3b277c21bad1a5b6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lwjar4n5\lwjar4n5.cmdline

Filesize
356B

MD5
b3489e7d4e64c477358e4adc6b3a3115

SHA1
31897f6eb73957b3e9cdd1c8d9428f08eab5bcd5

SHA256
a9db8ad7c95d295bfa4617583da19d24e866a9aaf06a056960c72ad9bc17fcdf

SHA512
2912f55611d6454ce79b8c7d80752cb358ff158e8574144962025ea7e5621a42957a627efd81de1b932f0a76e6c4ae9af4b9fd71addc9707fd27d9aaf96f3243

Download Submit
memory/5236-428-0x00000216B18A0000-0x00000216B18A8000-memory.dmp

Filesize
32KB

Download
memory/5236-413-0x00000216993D0000-0x00000216993F2000-memory.dmp

Filesize
136KB

Download
memory/5236-442-0x00000216B18B0000-0x00000216B18B8000-memory.dmp

Filesize
32KB

Download
memory/5236-458-0x00000216B1C20000-0x00000216B1C28000-memory.dmp

Filesize
32KB

Download