wannacry | hxxps://github[.]com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/WannaCry[.]exe

Analysis

max time kernel
112s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-10-2024 08:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/WannaCry.exe

Score

10^/10

wannacry defense_evasion discovery execution impact persistence ransomware worm

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\WannaCry.exe\!Please Read Me!.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions! �

Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Downloads MZ/PE file

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD6B91.tmp	WannaCry.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD6BA8.tmp	WannaCry.exe

Executes dropped EXE 4 IoCs

pid	Process
5424	!WannaDecryptor!.exe
6100	!WannaDecryptor!.exe
5292	!WannaDecryptor!.exe
4436	!WannaDecryptor!.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\Downloads\\WannaCry.exe\\WannaCry.exe\" /r"	WannaCry.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
94	raw.githubusercontent.com
95	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp"	!WannaDecryptor!.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
2576	taskkill.exe
3876	taskkill.exe
2320	taskkill.exe
4128	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4764	msedge.exe
4764	msedge.exe
5072	msedge.exe
5072	msedge.exe
1236	identity_helper.exe
1236	identity_helper.exe
4300	msedge.exe
4300	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

description	pid	Process
Token: SeDebugPrivilege	4128	taskkill.exe
Token: SeDebugPrivilege	2320	taskkill.exe
Token: SeDebugPrivilege	2576	taskkill.exe
Token: SeDebugPrivilege	3876	taskkill.exe
Token: SeIncreaseQuotaPrivilege	3260	WMIC.exe
Token: SeSecurityPrivilege	3260	WMIC.exe
Token: SeTakeOwnershipPrivilege	3260	WMIC.exe
Token: SeLoadDriverPrivilege	3260	WMIC.exe
Token: SeSystemProfilePrivilege	3260	WMIC.exe
Token: SeSystemtimePrivilege	3260	WMIC.exe
Token: SeProfSingleProcessPrivilege	3260	WMIC.exe
Token: SeIncBasePriorityPrivilege	3260	WMIC.exe
Token: SeCreatePagefilePrivilege	3260	WMIC.exe
Token: SeBackupPrivilege	3260	WMIC.exe
Token: SeRestorePrivilege	3260	WMIC.exe
Token: SeShutdownPrivilege	3260	WMIC.exe
Token: SeDebugPrivilege	3260	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3260	WMIC.exe
Token: SeRemoteShutdownPrivilege	3260	WMIC.exe
Token: SeUndockPrivilege	3260	WMIC.exe
Token: SeManageVolumePrivilege	3260	WMIC.exe
Token: 33	3260	WMIC.exe
Token: 34	3260	WMIC.exe
Token: 35	3260	WMIC.exe
Token: 36	3260	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3260	WMIC.exe
Token: SeSecurityPrivilege	3260	WMIC.exe
Token: SeTakeOwnershipPrivilege	3260	WMIC.exe
Token: SeLoadDriverPrivilege	3260	WMIC.exe
Token: SeSystemProfilePrivilege	3260	WMIC.exe
Token: SeSystemtimePrivilege	3260	WMIC.exe
Token: SeProfSingleProcessPrivilege	3260	WMIC.exe
Token: SeIncBasePriorityPrivilege	3260	WMIC.exe
Token: SeCreatePagefilePrivilege	3260	WMIC.exe
Token: SeBackupPrivilege	3260	WMIC.exe
Token: SeRestorePrivilege	3260	WMIC.exe
Token: SeShutdownPrivilege	3260	WMIC.exe
Token: SeDebugPrivilege	3260	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3260	WMIC.exe
Token: SeRemoteShutdownPrivilege	3260	WMIC.exe
Token: SeUndockPrivilege	3260	WMIC.exe
Token: SeManageVolumePrivilege	3260	WMIC.exe
Token: 33	3260	WMIC.exe
Token: 34	3260	WMIC.exe
Token: 35	3260	WMIC.exe
Token: 36	3260	WMIC.exe
Token: SeBackupPrivilege	1016	vssvc.exe
Token: SeRestorePrivilege	1016	vssvc.exe
Token: SeAuditPrivilege	1016	vssvc.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
4436	!WannaDecryptor!.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
5424	!WannaDecryptor!.exe
5424	!WannaDecryptor!.exe
6100	!WannaDecryptor!.exe
6100	!WannaDecryptor!.exe
5292	!WannaDecryptor!.exe
5292	!WannaDecryptor!.exe
4436	!WannaDecryptor!.exe
4436	!WannaDecryptor!.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5072 wrote to memory of 3200	5072	msedge.exe	84
PID 5072 wrote to memory of 3200	5072	msedge.exe	84
PID 5072 wrote to memory of 1420	5072	msedge.exe	85
PID 5072 wrote to memory of 1420	5072	msedge.exe	85
PID 5072 wrote to memory of 1420	5072	msedge.exe	85
PID 5072 wrote to memory of 1420	5072	msedge.exe	85
PID 5072 wrote to memory of 1420	5072	msedge.exe	85
PID 5072 wrote to memory of 1420	5072	msedge.exe	85
PID 5072 wrote to memory of 1420	5072	msedge.exe	85
PID 5072 wrote to memory of 1420	5072	msedge.exe	85
PID 5072 wrote to memory of 1420	5072	msedge.exe	85
PID 5072 wrote to memory of 1420	5072	msedge.exe	85
PID 5072 wrote to memory of 1420	5072	msedge.exe	85
PID 5072 wrote to memory of 1420	5072	msedge.exe	85
PID 5072 wrote to memory of 1420	5072	msedge.exe	85
PID 5072 wrote to memory of 1420	5072	msedge.exe	85
PID 5072 wrote to memory of 1420	5072	msedge.exe	85
PID 5072 wrote to memory of 1420	5072	msedge.exe	85
PID 5072 wrote to memory of 1420	5072	msedge.exe	85
PID 5072 wrote to memory of 1420	5072	msedge.exe	85
PID 5072 wrote to memory of 1420	5072	msedge.exe	85
PID 5072 wrote to memory of 1420	5072	msedge.exe	85
PID 5072 wrote to memory of 1420	5072	msedge.exe	85
PID 5072 wrote to memory of 1420	5072	msedge.exe	85
PID 5072 wrote to memory of 1420	5072	msedge.exe	85
PID 5072 wrote to memory of 1420	5072	msedge.exe	85
PID 5072 wrote to memory of 1420	5072	msedge.exe	85
PID 5072 wrote to memory of 1420	5072	msedge.exe	85
PID 5072 wrote to memory of 1420	5072	msedge.exe	85
PID 5072 wrote to memory of 1420	5072	msedge.exe	85
PID 5072 wrote to memory of 1420	5072	msedge.exe	85
PID 5072 wrote to memory of 1420	5072	msedge.exe	85
PID 5072 wrote to memory of 1420	5072	msedge.exe	85
PID 5072 wrote to memory of 1420	5072	msedge.exe	85
PID 5072 wrote to memory of 1420	5072	msedge.exe	85
PID 5072 wrote to memory of 1420	5072	msedge.exe	85
PID 5072 wrote to memory of 1420	5072	msedge.exe	85
PID 5072 wrote to memory of 1420	5072	msedge.exe	85
PID 5072 wrote to memory of 1420	5072	msedge.exe	85
PID 5072 wrote to memory of 1420	5072	msedge.exe	85
PID 5072 wrote to memory of 1420	5072	msedge.exe	85
PID 5072 wrote to memory of 1420	5072	msedge.exe	85
PID 5072 wrote to memory of 4764	5072	msedge.exe	86
PID 5072 wrote to memory of 4764	5072	msedge.exe	86
PID 5072 wrote to memory of 1800	5072	msedge.exe	87
PID 5072 wrote to memory of 1800	5072	msedge.exe	87
PID 5072 wrote to memory of 1800	5072	msedge.exe	87
PID 5072 wrote to memory of 1800	5072	msedge.exe	87
PID 5072 wrote to memory of 1800	5072	msedge.exe	87
PID 5072 wrote to memory of 1800	5072	msedge.exe	87
PID 5072 wrote to memory of 1800	5072	msedge.exe	87
PID 5072 wrote to memory of 1800	5072	msedge.exe	87
PID 5072 wrote to memory of 1800	5072	msedge.exe	87
PID 5072 wrote to memory of 1800	5072	msedge.exe	87
PID 5072 wrote to memory of 1800	5072	msedge.exe	87
PID 5072 wrote to memory of 1800	5072	msedge.exe	87
PID 5072 wrote to memory of 1800	5072	msedge.exe	87
PID 5072 wrote to memory of 1800	5072	msedge.exe	87
PID 5072 wrote to memory of 1800	5072	msedge.exe	87
PID 5072 wrote to memory of 1800	5072	msedge.exe	87
PID 5072 wrote to memory of 1800	5072	msedge.exe	87
PID 5072 wrote to memory of 1800	5072	msedge.exe	87
PID 5072 wrote to memory of 1800	5072	msedge.exe	87
PID 5072 wrote to memory of 1800	5072	msedge.exe	87

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/WannaCry.exe
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8974b46f8,0x7ff8974b4708,0x7ff8974b4718
  2⤵
  PID:3200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,6924927125838598051,16436873929476454309,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2072 /prefetch:2
  2⤵
  PID:1420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2052,6924927125838598051,16436873929476454309,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2468 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2052,6924927125838598051,16436873929476454309,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2864 /prefetch:8
  2⤵
  PID:1800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,6924927125838598051,16436873929476454309,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
  2⤵
  PID:1924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,6924927125838598051,16436873929476454309,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:1656
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,6924927125838598051,16436873929476454309,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5188 /prefetch:8
  2⤵
  PID:1636
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,6924927125838598051,16436873929476454309,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5188 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2052,6924927125838598051,16436873929476454309,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5368 /prefetch:8
  2⤵
  PID:4460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,6924927125838598051,16436873929476454309,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5412 /prefetch:1
  2⤵
  PID:4988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,6924927125838598051,16436873929476454309,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5828 /prefetch:1
  2⤵
  PID:848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,6924927125838598051,16436873929476454309,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5860 /prefetch:1
  2⤵
  PID:4192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,6924927125838598051,16436873929476454309,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:1
  2⤵
  PID:3000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,6924927125838598051,16436873929476454309,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:1
  2⤵
  PID:3740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,6924927125838598051,16436873929476454309,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5772 /prefetch:1
  2⤵
  PID:1804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,6924927125838598051,16436873929476454309,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1
  2⤵
  PID:2412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,6924927125838598051,16436873929476454309,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6024 /prefetch:1
  2⤵
  PID:3600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,6924927125838598051,16436873929476454309,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5740 /prefetch:1
  2⤵
  PID:3768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2052,6924927125838598051,16436873929476454309,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6256 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4300

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:636

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1352

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5232

C:\Users\Admin\Downloads\WannaCry.exe\WannaCry.exe
"C:\Users\Admin\Downloads\WannaCry.exe\WannaCry.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
PID:5748
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 159601729239422.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6028
- - C:\Windows\SysWOW64\cscript.exe
    cscript //nologo c.vbs
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6100
- C:\Users\Admin\Downloads\WannaCry.exe\!WannaDecryptor!.exe
  !WannaDecryptor!.exe f
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5424
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im MSExchange*
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4128
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im Microsoft.Exchange.*
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2320
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im sqlserver.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3876
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im sqlwriter.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2576
- C:\Users\Admin\Downloads\WannaCry.exe\!WannaDecryptor!.exe
  !WannaDecryptor!.exe c
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:6100
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c start /b !WannaDecryptor!.exe v
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6124
- - C:\Users\Admin\Downloads\WannaCry.exe\!WannaDecryptor!.exe
    !WannaDecryptor!.exe v
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5292
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
      4⤵
      System Location Discovery: System Language Discovery
      PID:5452
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3260
- C:\Users\Admin\Downloads\WannaCry.exe\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  2⤵
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:4436

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1016

C:\Users\Admin\Desktop\WannaCry.exe
"C:\Users\Admin\Desktop\WannaCry.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:6036

C:\Users\Admin\Desktop\WannaCry.exe
"C:\Users\Admin\Desktop\WannaCry.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:3528

C:\Users\Admin\Desktop\WannaCry.exe
"C:\Users\Admin\Desktop\WannaCry.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:5708

C:\Users\Admin\Desktop\WannaCry.exe
"C:\Users\Admin\Desktop\WannaCry.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:2576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e55832d7cd7e868a2c087c4c73678018

SHA1
ed7a2f6d6437e907218ffba9128802eaf414a0eb

SHA256
a4d7777b980ec53de3a70aca8fb25b77e9b53187e7d2f0fa1a729ee9a35da574

SHA512
897fdebf1a9269a1bf1e3a791f6ee9ab7c24c9d75eeff65ac9599764e1c8585784e1837ba5321d90af0b004af121b2206081a6fb1b1ad571a0051ee33d3f5c5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c2d9eeb3fdd75834f0ac3f9767de8d6f

SHA1
4d16a7e82190f8490a00008bd53d85fb92e379b0

SHA256
1e5efb5f1d78a4cc269cb116307e9d767fc5ad8a18e6cf95c81c61d7b1da5c66

SHA512
d92f995f9e096ecc0a7b8b4aca336aeef0e7b919fe7fe008169f0b87da84d018971ba5728141557d42a0fc562a25191bd85e0d7354c401b09e8b62cdc44b6dcd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
79043a6bdfc3de19bf06dc617f7d3114

SHA1
e1f996da4cb3d6dc3c3b301a908319da5c40b38a

SHA256
22b417b88f2cb31d5aa527396ed449e27401c53b92b11d1303c6524de9aabe05

SHA512
8d87bf521f052d482d0437f49e193e4780e6508f97f622876e4cd8906faafb7d5660f882e401bbc4f338e33a3f22bf6cf263ccda28860c938d2e214fa46933e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
89e234856815afe46392378921aefd15

SHA1
da678d64d1533bb817b3d6a4c38d978802dcc409

SHA256
ec0fd49c78f05b54ce942409ddea05fed70bebec816afb1f67306d0f3f5d6778

SHA512
443012228a1b2bf09230970fc1c7af3ac90a63849a93865618cbd22aa3a1bb75983cb458ac97278f2bc4c7aae21dbb0f26ed49d6d2be7f18fc16834b83b4580d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6a86d0a72051b3dab094299f769ba87b

SHA1
e3498f184ae2895a3fcc8270bb3f2e78cc784761

SHA256
b2d63fe0310d442b74565f7fc8e6a6d9b4b84ac40a043c88bc43137134557955

SHA512
c9a50bae5ef107311481ff6e092a3c9e609a0df6c75dcdf5463d2a44883a3f57c07e9f649c326d93ece24354ab209aa5c64c1c4b4fc7b9b393a50d02d27f3d7d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
5114243d17419e22ffa8ba508246a2a7

SHA1
f5c23b75d36ca3087e7dacab3f0bb83ceafdd44c

SHA256
d4ed02c69b840e7b46ae52dcf6b2c1166d2b2061466d6d86f7bedc94842af063

SHA512
fc45f9ce7aaf094a54c0e0a63f9bbb2bbd481671dfe060c9483cede281a7e945e229ec6a26f20acc4a46f556436569db9d541609a2a0607a7052a5cb90c253da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
55ac2722fb0f2670d43c9d1ae601bd7d

SHA1
b644cae2343249ca0d96746dbba27d3237244700

SHA256
96b080786d5b65e36dcac7b8e7cebbb66aa0559927d829f236ef4d7ee9dd090f

SHA512
ea00b7387b36b5469b882648dfb659321bd86f817195c6102aacddbc076928508263fe0626f8d1964fd2cdcd0b0b133ad65abec256c1bf8e5c9264f7c1c25b14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
05c14890f1058f614c920f0913530a6b

SHA1
04de22ca89c4a4b16fffb9442703eb8d85e8e747

SHA256
ecd16b89fd851ea3ef8c463341228282210db7860b87bef84fbdfd044f43d988

SHA512
666aadc0327f806ce62ce141e7d65813ae129ff9aa6e5a8749f5b8d388c09873f3ab8634bc147692194e388c46840f8d0b443a3302c0cdfc1935592a28820885

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
5d554cdfc3f74e1e219af84a88df23e8

SHA1
3f0de99b51394162fede389f084af344488d29ae

SHA256
3508ee73b3281e4f7ef775b1f8eab3251500749e9029c87e15acc6a575a07b0c

SHA512
e8fda8c3819c908f2e2c10c65be13b3766d40672f8a61811fd2057fb176a8eb2d0a3bdca01401201d1510565054dffbcd27129fff71d1c449e20a6afeb024628

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58265f.TMP

Filesize
874B

MD5
7400dc399a91181cb1b1bea0f2243bdf

SHA1
a65c224538ce7c8a75486e175ee40f1c27f751a9

SHA256
0ffc0ce11a4e38a70351313f205a8c8a63dff54046689216183eeb9c432f1443

SHA512
1d54db826fadd67626932d94811436747e04b6e7123b2dc5e25223062309f8294e165b1cacdb0f1b4fd78e079857c8c30e67c2dbc303ad3169bcee64c3db36c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\heavy_ad_intervention_opt_out.db

Filesize
16KB

MD5
9e02552124890dc7e040ce55841d75a4

SHA1
f4179e9e3c00378fa4ad61c94527602c70aa0ad9

SHA256
7b6e4ce73ddd8b5e7a7c4a94374ac2815d0048a5296879d7659a92ee0b425c77

SHA512
3e10237b1bff73f3bb031f108b8de18f1b3c3396d63dfee8eb2401ce650392b9417143a9ef5234831d8386fc12e232b583dd45eada3f2828b3a0a818123dd5cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
56837b92de54033e5f10a8f93c0f4140

SHA1
85ea32d1566127d034daf90204273c187ba873f0

SHA256
d987aee6bd991468c77722ad8faadfa4b0b75c18792748554784605f93f4d7e3

SHA512
b683eb8fa6e14078f96839b893d33a83d2c0389512f51839e9d8853b1ac4a4ce9ab7a1dff426711d74e0650f84749ba82219c96ec5aa8619f340f903aed9390b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
1f14cd6bf12ac277cf34edb91f4fd4fb

SHA1
176e6c9e8006f7841b782bdd1bc5c120c5de35ea

SHA256
124d98c5fe4d104f50c98a369b46f30c7286fde262b612e1f16e2cc9915f8497

SHA512
993090d0847ef6eed2c77156a35593fcd8e7b9bdc68e96b8fd72b90853f55587330849e2a82ba82a11acac51be2653aa93cb31487e64cf88ad2d896462a6d607

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
d8b6dc4ff6b4b1c61cd928e7176f9cff

SHA1
1d9276e6ef4a58f71ce213cf38ecf9f4fe866885

SHA256
8b5e0967825b4eb24354f0505bb1ecd0b898ec94c53978842c7c1205dda75f0e

SHA512
687799112e931ffbb8ef083af00601e278086e1049a511445ca65345542269a661018d13b371733e8082ea18e74d74e64ad2739ad8f5207b669b662ba6012f04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\images\warning-symbol_grey.svg.WCRY

Filesize
536B

MD5
a45ddeae7cca617716557875f6510db9

SHA1
be5156876eb00c82545e1d6769d415dd74fc048d

SHA256
7ff7147c98acc766258f4c35c1f12525342d7511cfa2cd4ad3bc35082be065ef

SHA512
e81b143bf7f763fc528c8e208dd0f9728d40040ed37896c892cee8833abd7a13432ea913a69168ac9d1eacc9e8d898e0089d9bc25cc56a788d10322bb9967427

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_256.db.WCRY

Filesize
3.0MB

MD5
5e91f928e846fb5a91b87df932b20a45

SHA1
8c01e35003339fee0d8ecd0839d69b8d3304120d

SHA256
dd53ba6a5a94ce6b89da5dfd3d94e73c9f75cbae535007141793686361c4f0d2

SHA512
efc781b5541b639f747ed0543b84088eb1812526efffaca02e224379ccd7884215501aab63b59a6036149dfe9948f4103a8c5881f66210ee1223f377b6e9ff34

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState\PinnedTiles\38975140460\squaretile.png.WCRY

Filesize
2KB

MD5
b64e6ce7ab31089c533154f1020b938e

SHA1
6fc5f5d6a0a3f492dacbef9e4a86db416664f483

SHA256
d63c6b596fa77477a449ffb287ad573d36dce2783254918c8a5c4e953f2f3712

SHA512
a7cb2618ecb56a88dde65f3a18de8fe8371cb7b1cfd866391c026cd3e805d9c5d2a87e65f59e07bc048bd50f708cbd4800aa1f0d427fa220ab2648eb8e961d80

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\Desktop\c.wry

Filesize
628B

MD5
663e55df21852bc8870b86bc38e58262

SHA1
1c691bf030ecfce78a9476fbdef3afe61724e6a9

SHA256
bf22e8e18db1638673f47591a13d18ee58d8c6019314bab5a90be82ae3dc9538

SHA512
6a54be1fa549633a2fd888c559207437b8f6efda98bb18d491c8749f39e9754f1e680fa8e2d623777b5f665b2c04d19385c75ce4e61fb251db16018963a9a6f9

Download Submit
C:\Users\Admin\Desktop\r.wry

Filesize
729B

MD5
880e6a619106b3def7e1255f67cb8099

SHA1
8b3a90b2103a92d9facbfb1f64cb0841d97b4de7

SHA256
c9e9dc06f500ae39bfeb4671233cc97bb6dab58d97bb94aba4a2e0e509418d35

SHA512
c35ca30e0131ae4ee3429610ce4914a36b681d2c406f67816f725aa336969c2996347268cb3d19c22abaa4e2740ae86f4210b872610a38b4fa09ee80fcf36243

Download Submit
C:\Users\Admin\Desktop\t.wry

Filesize
68KB

MD5
5557ee73699322602d9ae8294e64ce10

SHA1
1759643cf8bfd0fb8447fd31c5b616397c27be96

SHA256
a7dd727b4e0707026186fcab24ff922da50368e1a4825350bd9c4828c739a825

SHA512
77740de21603fe5dbb0d9971e18ec438a9df7aaa5cea6bd6ef5410e0ab38a06ce77fbaeb8fc68e0177323e6f21d0cee9410e21b7e77e8d60cc17f7d93fdb3d5e

Download Submit
C:\Users\Admin\Downloads\WannaCry.exe.zip

Filesize
224KB

MD5
fbc1004b517ee0aa3f5c1be4ff804297

SHA1
70aca13d06d75772d9de32927dfa4e94ae3e8db6

SHA256
b3d5c6793e7e2e01c1a23bca7d384bec632287450e7f51c949c54d1b9ef8dded

SHA512
fb320a5847f4472a02bf4548ed7bdd21d0e8b92627ff9a7e27c50620c38c93074d551560260d39d5f8ddb9f6a01456db5b226577ad29d0303a324b18011bcb71

Download Submit
C:\Users\Admin\Downloads\WannaCry.exe\!Please Read Me!.txt

Filesize
797B

MD5
afa18cf4aa2660392111763fb93a8c3d

SHA1
c219a3654a5f41ce535a09f2a188a464c3f5baf5

SHA256
227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0

SHA512
4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b

Download Submit
C:\Users\Admin\Downloads\WannaCry.exe\!WannaDecryptor!.exe.lnk

Filesize
705B

MD5
a9f522273dc34511a22380c41cb7a165

SHA1
5458e78c8c13f2b78fd87fa26c1e9e7985440934

SHA256
2f4eb2d3f0cec1c198ead6a361418982c27484badac398f39f8c2fdad8bb4340

SHA512
e929b3e56f99fe90da8e7c4960b7fa1dec13c45da1ce81684b00111754232fb7871adcd0b3c733cd222835b013b89251bce325762b010bc79e1688c5eb75b109

Download Submit
C:\Users\Admin\Downloads\WannaCry.exe\00000000.res

Filesize
136B

MD5
20e2b6eb7f982a456c358123157b71e6

SHA1
94dd2c0ae542d1c0d849c576c3be68d22883bc2e

SHA256
e86ce2fb3a00634ca8780cbfff6df59cc3f78893afe3db0440595ab19a97442d

SHA512
af0cf5c2e582d485294c489598ea611b571f8b17c3d42ff45999e780a5f10203cd8d4fc6cdea0daa167f2e79905facb263820dc032330a44dada996dfa921d55

Download Submit
C:\Users\Admin\Downloads\WannaCry.exe\00000000.res

Filesize
136B

MD5
06990fb34a25b4359dfc82e2a03738c9

SHA1
18bb73af048b69338f4f8d24e007002af915b760

SHA256
ef33941dc88a6fe9031f3af6cae65851f06a4a432a56f304082a4fd39268bb81

SHA512
07f9e034a0cdbe5076c895b233323cc3b0f0bf11c718806050d8bc535aa9e1d8d710f358fdaa0bba873644f9822a682da6b46a0b0b075a7dedcf27b6b42e0327

Download Submit
C:\Users\Admin\Downloads\WannaCry.exe\00000000.res

Filesize
136B

MD5
af2d3a051fc5f04178df8a7e1b38f4a8

SHA1
6e01160e3dba9d7cfa0da52983183fde41c62956

SHA256
794f17581de3716458596df100ba57989f604693646492a4a3f5e457ae94a2fb

SHA512
41470a3f20e2697816f028334435c6c6c374773f069cd673bed74c61098655cf4d8e17f19e244f488613ab7618827766f5d91f705cb00c2187ddf459452bc370

Download Submit
C:\Users\Admin\Downloads\WannaCry.exe\159601729239422.bat

Filesize
344B

MD5
c4c03739fbd0df522d575bc749682c87

SHA1
2b34b4444852e610e1635db1115f12ebdfd39098

SHA256
d663de65c87b6ab411be48d8f6180b94e7553f966e36939ffa0ae64793fde625

SHA512
94a7c55fff1e481ea03183ca781f749089186c46a92f5b9a3e2b1d5943af56145fd98d956d7e5ef9b531cdf0627af1150aa127a2c520e2d403f5942b5fd27393

Download Submit
C:\Users\Admin\Downloads\WannaCry.exe\c.vbs

Filesize
227B

MD5
b4a2f721da9d2153a71a770f91c4803c

SHA1
8eb1673ea6b9e1dc364ee208e86ba4823a0966ae

SHA256
be1055c2cff103549a2135e1c4781064802c2f222683adb9bf238c274786155d

SHA512
3b825351286afbe7360d7f42a677355792fcc52944dbcadfda90c18339c2a2a6c8fc3c18d24e8689a081b2c553f4ed2686bfbc6b937f482646b19355813768b9

Download Submit
C:\Users\Admin\Downloads\WannaCry.exe\c.wry

Filesize
628B

MD5
5ffaaaf0f7177cbcc74d525fe71d3612

SHA1
151181ebc58da8b31c59795f23cee35afc3e2fb5

SHA256
d0fd649a61e7d62f05234e4264ff3d1ca382de765b19cffaf91aba04306a82ed

SHA512
41eabc86b7a15fe527b6b1c9fdb0616ae5a7901fee6e039cacbd5868ad7740385d64d1c4eccc7c3bb5d523bd6d0c56f3ab9ad6ece53096b3370b683446ff1480

Download Submit
C:\Users\Admin\Downloads\WannaCry.exe\f.wry

Filesize
313B

MD5
32ba440ec109b3a286f1c299634bee72

SHA1
dd3bacfbbc97dd6e09a183c1be23a7d60a5367ad

SHA256
0f2157ae38437d9e6ea3a01b05d3fcf7fcc96e195861ebd8f3367c3474bfcf5c

SHA512
308c86030934f650b3e5c823c4df8b01f6b5b27d69bad1c35d6030fb57091ce13abb67d29e7fb43771e66cd0c4f0b3f2559abac53b4462cf5309fe47c2b242c1

Download Submit
C:\Users\Admin\Downloads\WannaCry.exe\m.wry

Filesize
42KB

MD5
980b08bac152aff3f9b0136b616affa5

SHA1
2a9c9601ea038f790cc29379c79407356a3d25a3

SHA256
402046ada270528c9ac38bbfa0152836fe30fb8e12192354e53b8397421430d9

SHA512
100cda1f795781042b012498afd783fd6ff03b0068dbd07b2c2e163cd95e6c6e00755ce16b02b017693c9febc149ed02df9df9b607e2b9cca4b07e5bd420f496

Download Submit
C:\Users\Admin\Downloads\WannaCry.exe\u.wry

Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
memory/5748-1865-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5748-285-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download