wannacry | hxxps://github[.]com/Da2dalus/The-MALWARE-Repo

Analysis

max time kernel
29s
max time network
156s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
23-11-2024 04:49

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo

Score

10^/10

wannacry defense_evasion discovery evasion execution impact ransomware worm

Malware Config

Extracted

Path

C:\Users\Admin\Documents\!Please Read Me!.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions! �

Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Wannacry family
wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1900	NetSh.exe
2808	NetSh.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
76	raw.githubusercontent.com
77	raw.githubusercontent.com
81	raw.githubusercontent.com
82	raw.githubusercontent.com
106	raw.githubusercontent.com
112	raw.githubusercontent.com
67	raw.githubusercontent.com
80	raw.githubusercontent.com
107	raw.githubusercontent.com
111	raw.githubusercontent.com
68	raw.githubusercontent.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Interacts with shadow copies 3 TTPs 7 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
1680	vssadmin.exe
564	vssadmin.exe
624	vssadmin.exe
1368	vssadmin.exe
1728	vssadmin.exe
2220	vssadmin.exe
2152	vssadmin.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
1240	taskkill.exe
2840	taskkill.exe
1452	taskkill.exe
652	taskkill.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2576	chrome.exe
2576	chrome.exe

Suspicious use of AdjustPrivilegeToken 56 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe
Token: SeShutdownPrivilege	2576	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe
2576	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2576 wrote to memory of 2540	2576	chrome.exe	30
PID 2576 wrote to memory of 2540	2576	chrome.exe	30
PID 2576 wrote to memory of 2540	2576	chrome.exe	30
PID 2576 wrote to memory of 2836	2576	chrome.exe	32
PID 2576 wrote to memory of 2836	2576	chrome.exe	32
PID 2576 wrote to memory of 2836	2576	chrome.exe	32
PID 2576 wrote to memory of 2836	2576	chrome.exe	32
PID 2576 wrote to memory of 2836	2576	chrome.exe	32
PID 2576 wrote to memory of 2836	2576	chrome.exe	32
PID 2576 wrote to memory of 2836	2576	chrome.exe	32
PID 2576 wrote to memory of 2836	2576	chrome.exe	32
PID 2576 wrote to memory of 2836	2576	chrome.exe	32
PID 2576 wrote to memory of 2836	2576	chrome.exe	32
PID 2576 wrote to memory of 2836	2576	chrome.exe	32
PID 2576 wrote to memory of 2836	2576	chrome.exe	32
PID 2576 wrote to memory of 2836	2576	chrome.exe	32
PID 2576 wrote to memory of 2836	2576	chrome.exe	32
PID 2576 wrote to memory of 2836	2576	chrome.exe	32
PID 2576 wrote to memory of 2836	2576	chrome.exe	32
PID 2576 wrote to memory of 2836	2576	chrome.exe	32
PID 2576 wrote to memory of 2836	2576	chrome.exe	32
PID 2576 wrote to memory of 2836	2576	chrome.exe	32
PID 2576 wrote to memory of 2836	2576	chrome.exe	32
PID 2576 wrote to memory of 2836	2576	chrome.exe	32
PID 2576 wrote to memory of 2836	2576	chrome.exe	32
PID 2576 wrote to memory of 2836	2576	chrome.exe	32
PID 2576 wrote to memory of 2836	2576	chrome.exe	32
PID 2576 wrote to memory of 2836	2576	chrome.exe	32
PID 2576 wrote to memory of 2836	2576	chrome.exe	32
PID 2576 wrote to memory of 2836	2576	chrome.exe	32
PID 2576 wrote to memory of 2836	2576	chrome.exe	32
PID 2576 wrote to memory of 2836	2576	chrome.exe	32
PID 2576 wrote to memory of 2836	2576	chrome.exe	32
PID 2576 wrote to memory of 2836	2576	chrome.exe	32
PID 2576 wrote to memory of 2836	2576	chrome.exe	32
PID 2576 wrote to memory of 2836	2576	chrome.exe	32
PID 2576 wrote to memory of 2836	2576	chrome.exe	32
PID 2576 wrote to memory of 2836	2576	chrome.exe	32
PID 2576 wrote to memory of 2836	2576	chrome.exe	32
PID 2576 wrote to memory of 2836	2576	chrome.exe	32
PID 2576 wrote to memory of 2836	2576	chrome.exe	32
PID 2576 wrote to memory of 2836	2576	chrome.exe	32
PID 2576 wrote to memory of 2236	2576	chrome.exe	33
PID 2576 wrote to memory of 2236	2576	chrome.exe	33
PID 2576 wrote to memory of 2236	2576	chrome.exe	33
PID 2576 wrote to memory of 2728	2576	chrome.exe	34
PID 2576 wrote to memory of 2728	2576	chrome.exe	34
PID 2576 wrote to memory of 2728	2576	chrome.exe	34
PID 2576 wrote to memory of 2728	2576	chrome.exe	34
PID 2576 wrote to memory of 2728	2576	chrome.exe	34
PID 2576 wrote to memory of 2728	2576	chrome.exe	34
PID 2576 wrote to memory of 2728	2576	chrome.exe	34
PID 2576 wrote to memory of 2728	2576	chrome.exe	34
PID 2576 wrote to memory of 2728	2576	chrome.exe	34
PID 2576 wrote to memory of 2728	2576	chrome.exe	34
PID 2576 wrote to memory of 2728	2576	chrome.exe	34
PID 2576 wrote to memory of 2728	2576	chrome.exe	34
PID 2576 wrote to memory of 2728	2576	chrome.exe	34
PID 2576 wrote to memory of 2728	2576	chrome.exe	34
PID 2576 wrote to memory of 2728	2576	chrome.exe	34
PID 2576 wrote to memory of 2728	2576	chrome.exe	34
PID 2576 wrote to memory of 2728	2576	chrome.exe	34
PID 2576 wrote to memory of 2728	2576	chrome.exe	34
PID 2576 wrote to memory of 2728	2576	chrome.exe	34

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/Da2dalus/The-MALWARE-Repo
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7069758,0x7fef7069768,0x7fef7069778
  2⤵
  PID:2540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1148 --field-trial-handle=1352,i,18288882955372160086,16860566052951849102,131072 /prefetch:2
  2⤵
  PID:2836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1484 --field-trial-handle=1352,i,18288882955372160086,16860566052951849102,131072 /prefetch:8
  2⤵
  PID:2236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1576 --field-trial-handle=1352,i,18288882955372160086,16860566052951849102,131072 /prefetch:8
  2⤵
  PID:2728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2232 --field-trial-handle=1352,i,18288882955372160086,16860566052951849102,131072 /prefetch:1
  2⤵
  PID:2732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2240 --field-trial-handle=1352,i,18288882955372160086,16860566052951849102,131072 /prefetch:1
  2⤵
  PID:1988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1384 --field-trial-handle=1352,i,18288882955372160086,16860566052951849102,131072 /prefetch:2
  2⤵
  PID:1724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3508 --field-trial-handle=1352,i,18288882955372160086,16860566052951849102,131072 /prefetch:8
  2⤵
  PID:1576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=3772 --field-trial-handle=1352,i,18288882955372160086,16860566052951849102,131072 /prefetch:1
  2⤵
  PID:2472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3272 --field-trial-handle=1352,i,18288882955372160086,16860566052951849102,131072 /prefetch:8
  2⤵
  PID:1944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=3492 --field-trial-handle=1352,i,18288882955372160086,16860566052951849102,131072 /prefetch:1
  2⤵
  PID:1448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3936 --field-trial-handle=1352,i,18288882955372160086,16860566052951849102,131072 /prefetch:8
  2⤵
  PID:1740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3976 --field-trial-handle=1352,i,18288882955372160086,16860566052951849102,131072 /prefetch:8
  2⤵
  PID:3032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3992 --field-trial-handle=1352,i,18288882955372160086,16860566052951849102,131072 /prefetch:8
  2⤵
  PID:688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4104 --field-trial-handle=1352,i,18288882955372160086,16860566052951849102,131072 /prefetch:8
  2⤵
  PID:544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4176 --field-trial-handle=1352,i,18288882955372160086,16860566052951849102,131072 /prefetch:8
  2⤵
  PID:2204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4156 --field-trial-handle=1352,i,18288882955372160086,16860566052951849102,131072 /prefetch:8
  2⤵
  PID:2864
- C:\Users\Admin\Downloads\WannaCry.exe
  "C:\Users\Admin\Downloads\WannaCry.exe"
  2⤵
  PID:1404
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c 288591732337967.bat
    3⤵
    PID:2340
  - - C:\Windows\SysWOW64\cscript.exe
      cscript //nologo c.vbs
      4⤵
      PID:2444
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe f
    3⤵
    PID:2140
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im MSExchange*
    3⤵
    - Kills process with taskkill
    PID:652
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Microsoft.Exchange.*
    3⤵
    - Kills process with taskkill
    PID:1240
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sqlserver.exe
    3⤵
    - Kills process with taskkill
    PID:1452
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sqlwriter.exe
    3⤵
    - Kills process with taskkill
    PID:2840
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe c
    3⤵
    PID:2720
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c start /b !WannaDecryptor!.exe v
    3⤵
    PID:664
  - - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
      !WannaDecryptor!.exe v
      4⤵
      PID:1968
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
        5⤵
        
        PID:1972
      - C:\Windows\SysWOW64\vssadmin.exe
        
        vssadmin delete shadows /all /quiet
        6⤵
        Interacts with shadow copies
        
        PID:1680
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        6⤵
        
        PID:2936
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe
    3⤵
    PID:2092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1340 --field-trial-handle=1352,i,18288882955372160086,16860566052951849102,131072 /prefetch:8
  2⤵
  PID:736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1588 --field-trial-handle=1352,i,18288882955372160086,16860566052951849102,131072 /prefetch:8
  2⤵
  PID:2716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3980 --field-trial-handle=1352,i,18288882955372160086,16860566052951849102,131072 /prefetch:8
  2⤵
  PID:1652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4032 --field-trial-handle=1352,i,18288882955372160086,16860566052951849102,131072 /prefetch:8
  2⤵
  PID:2084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4180 --field-trial-handle=1352,i,18288882955372160086,16860566052951849102,131072 /prefetch:8
  2⤵
  PID:1240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4028 --field-trial-handle=1352,i,18288882955372160086,16860566052951849102,131072 /prefetch:8
  2⤵
  PID:1296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1052 --field-trial-handle=1352,i,18288882955372160086,16860566052951849102,131072 /prefetch:8
  2⤵
  PID:2808
- C:\Users\Admin\Downloads\Annabelle.exe
  "C:\Users\Admin\Downloads\Annabelle.exe"
  2⤵
  PID:2936
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:564
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:624
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:1368
- - C:\Windows\system32\NetSh.exe
    NetSh Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:1900
- - C:\Windows\System32\shutdown.exe
    "C:\Windows\System32\shutdown.exe" -r -t 00 -f
    3⤵
    PID:2000
- C:\Users\Admin\Downloads\Annabelle.exe
  "C:\Users\Admin\Downloads\Annabelle.exe"
  2⤵
  PID:852
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:1728
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:2220
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:2152
- - C:\Windows\system32\NetSh.exe
    NetSh Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:2808
- C:\Users\Admin\Downloads\Annabelle.exe
  "C:\Users\Admin\Downloads\Annabelle.exe"
  2⤵
  PID:1480

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1800

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2940

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:2216

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Direct Volume Access

T1006

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a1e0af94a0479a5bfc64e09777ca1629

SHA1
f74b2ba026f835c0c4e2f3f6f3b0a78d3fc2c681

SHA256
4854382d3612b5202b986b0ebfcd875ee484bd2a4490c3468430fd7d326aec10

SHA512
f11e0ef6875314143b8b6342bb2facda203971049899be51ae0777eac64df3958b6367debe05379b241e5b5a51d0c82ad181af5b0d3385868ed13c2b6b436b41

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\8cfba07c-abfc-49f8-94d4-061c573ad7c2.tmp

Filesize
6KB

MD5
3d1349bf602e10346f77258ecd5850f2

SHA1
ef50d63fc43e2dbb3b0d633b745e919f1b2558dd

SHA256
37bed8d5cefe2e9839938115ec52c19ffffff461d1664c1c4b3870b81cd8364d

SHA512
3acad7aee66270e0d2849eee52b1ea8496e60404ef88e39d4633f25dc6c98f5dbffa5feee6772d4114c1e265cf8b47b123b1fa7e7c965707d2e1baff52952993

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000006

Filesize
18KB

MD5
2e23d6e099f830cf0b14356b3c3443ce

SHA1
027db4ff48118566db039d6b5f574a8ac73002bc

SHA256
7238196a5bf79e1b83cacb9ed4a82bf40b32cd789c30ef790e4eac0bbf438885

SHA512
165b1de091bfe0dd9deff0f8a3968268113d95edc9fd7a8081b525e0910f4442cfb3b4f5ac58ecfa41991d9dcabe5aa8b69f7f1c77e202cd17dd774931662717

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
106fd28d98e186693d98757194b26e75

SHA1
a9faf7e2117d5523013ebd31d8142fe24e907db8

SHA256
d83146c5fda8ef476c1e9ab123351ef3e79994027cca04f4e5428dccd1e877c6

SHA512
0166971e7c372776a2b25fe3b4b4f30e483d507cec626b177d7beb89c109a82baa7aa0be9d012cd419b02ae75196d1eed3048df003ee07c59d51fec3c69849e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
987B

MD5
b6f42aab99889e6b1d636dc3c9003bd4

SHA1
a3667eb27ffb4ec2960cc4fb2efec5ec879aa529

SHA256
e215fa2c9ff9df8bbccdcd7bd5030289cbc3abc7e3db5b0c043c08be158a3eba

SHA512
9af222048c3a1d38b0b2a60376bf5e90fda8e34cc4c6e49cb7504f276696c8d712339ceef5d5f92e88e5472b86636b3e29b196bbacaf2f79e12363d6a889a227

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
943B

MD5
2b3d904eb52839f3f7bb5572ea4989f8

SHA1
ff8599ffa0f6555c473371c467665eaf9b87bdad

SHA256
af1a2f6ea1983ae8bc3b648c23dd350930b9217baa1aab63c0e9e46faeef1afa

SHA512
0eaff83490e5cf9cec8b4fddf7bbda5eb8910057d4611f3ffadb3fb2f120124eab58ffae47e1b60ab60199e5642a6b2456ec2240eca206f99f396f23107cab23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
853B

MD5
6686abbb20c82bbcbe64630455ddb11c

SHA1
c00ed248d66ba505b5539e9bcc5b13f8c4dd2f7a

SHA256
570e6f789fcd4bd2d798ab1f8d21891781b96ac62c568aa1837aa54bd4f8cc56

SHA512
a8122410e843bbe02fec6098a7031f4f5542d570ca8a9fa48154110a59e48f9c91c42a9d1f7db9233cbc6c37fcc5019149b40f552bc064b5f26d1d28df18ca4e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
853B

MD5
231294cf9d9796b87d4078ce102ed9fb

SHA1
c31ae656e0a19a84b0cc0087a794f85c3492db39

SHA256
3be5c6c3d9f5aaae360bf4121afe6c56b138b781a158c6e17096963456b2a378

SHA512
f36d3b0d442d0127ada14db19ebd216a63b896f58e2d6ded81cdd9321ba7a9e72405a868dfdaa57a09fca3cc724f9764d5390e54342d664b031271921d068766

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
853B

MD5
51e9fc6f963ffa5f7288fd8c5928367b

SHA1
60dff2d10d83690307287529fa306de91f754334

SHA256
6f3632ca11caeb1c097a96901e331acdd6cec10b813f10ff71a966d087478112

SHA512
0a3d0c3432c44f108c5a8d2dc341889b3e0c6f0eb6c402412a69dc5cc1dfbc7050fedf5faa087dd17098641687f20162773f8f8d94764872d703ea56570f0a18

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
853B

MD5
0b8055322eb5bc5955f647dae8628b91

SHA1
edea1b6717daf7f99edd6c2f79553e9b627a0af0

SHA256
4020bade0e7e24f98419fd63664cabbf7d7344582c2a03dd46d9408986de2da9

SHA512
efa64339ba8b0bcde06edb8e2d3f9bd6f29423a305bf26c9aaf2816433c73b024a30017271bf33f941e116c0e841bf6fa6d23dad3b9ae194e4dea0de8a1da057

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
853B

MD5
8b6a9d3344dbc032c1369544504bb232

SHA1
502dcdd5a293119ca6d5307c8067ec29b4804b55

SHA256
32e630adab1ad0531416a69322d7d3518dfd0713c39323a6c5f1ca373f1f7f78

SHA512
141674ebb2c7ec4acba61750aa25243a7631592259218c69e3997fc8cc106362c2c0fb3fea9ac4b74932c696a0da855306c43cb4c2f8e51ba0ea5d8163c69a8d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
853B

MD5
9b6b47ef3d8999567e92da282c53d30f

SHA1
83ccae4bc08b05b446e0ea25873608d3a2c19b98

SHA256
b01344918d424a9a64b85d4e7678849ac1095f79afc1c26fba5b0adb5bc02320

SHA512
e264caf645dc2cea2567c2bf3e7fe4a70ac60e974a09473488c1301124002eef8f47b5723edb1669c11fdf1c4edaabc5d2dcf9f210662978c6dba869154e04a2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
853B

MD5
f55900152f54141ad76e303acb7a9c51

SHA1
a42a983713f1b4ab89635a4e1a583f93092c5576

SHA256
4a49230d81e91304ef44e9a6924425b6bc3903b3779f1ab6ba6e650275602908

SHA512
755482bac8953132c11c3da0e5c8eb070d7b75fc70ea3c9065e44021a91aff73a543521903de13900591e0f0c4d931e5746b609251befb2c8102a57a937c68d3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
853B

MD5
4323b252447571b6409247f60a381560

SHA1
873a3bb12cb7f26be64e7dd31ea97d49278bcc86

SHA256
6c3a7dc17a7567ef7c7af1f067ca4fe0b23d1d01a5d553c8a6a80c5ae2e49c52

SHA512
8cea1e5cdc86a6c10737c24e8aa5734ff8a3ca920524f8f8546c0a9b7d09b3ddef52b6eb7ab614f1d2a481da7042c0dbd31dc5113d031e0816805c0a8453545a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
853B

MD5
545f002a376fdad72ae5a929c9eeb179

SHA1
f7e38d4d6a1767dfc9ef5d7f0bdd44ad06c2fb04

SHA256
e2915249caeca1e15d89d2a751e456898e5b06c28a4c7687306d963d3d4b8846

SHA512
3a71165be9a2e0385c832a966c23e70eaade894dbcffb50b9a05754f5dc736512a754683cb39c065f4ef9a3488bc7fc257a51702d37c7e74d61d998ff95d9185

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
d29d4739bda154c95745709a6de65c9e

SHA1
6af657b6239229c21838e4eb01ed09be8941848a

SHA256
2efc4b4a437fe1504e289efa42eeea54b5271a1ec22c9e2ca7248e7c152cb11a

SHA512
a1d259ef1b5cd5f2437b536c97db37c7ac4bfaafab192a8d43ea97f4adffbc8c7ef23f8ff027edbe9fd667240792b42db03e3e36c0918ecd61392e0eedc2618c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
ea75704b057391e6419bca595d1d3518

SHA1
68464483f2c124c783f17e73b51d1eaa4ebd73ae

SHA256
5c7ddec6ba0687bebc93d452680908aab62f7036c50f75931260faa0d44464dc

SHA512
705a50f3549fbf09d6f8c8e5c1ba53c303cf2d95ca79de1e920fbcee9f7528f714ffa7be693335c1353db91d18153d12e7e7e48ad8a499b2dc54930a19263bf6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
ad621a4f118199e07364000e75597303

SHA1
c07f9f0574572555969a2fcd9c690431c3ee64c6

SHA256
a28e8bf570733f0d2ce1ac650afd2ee5931c9fbe6a43b6cedfc04213466855e8

SHA512
7424aed0037415e680e14a310fc61fc1994ccd8cff9abb8d8aeb2581921d2283c954818f07d64355a2b0b0fa3da9b8831e1cf850b290c0b73bed54afbd85d1d8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
9380f327cb58c85a5b5cc846a5fe376b

SHA1
7ee87169b0a49855f61521d4ba06341c0076d7ca

SHA256
4c0535951c03fcf6cb76e6efaf5053733622b0a0f4715f2d47353ae9d6ce23a6

SHA512
50703eb78374faa3f2f039fcd91ca7b42062b847bbf9312a2cbbf724cbb16631e89cd2ca97a8e5299d77733dc61655f876e97c96e12a62f19ea9d5cabe91a974

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
42923903442599f1ec4b50da4b3336ec

SHA1
a625fec5bc1c08ff2c4a3d39e808963ac970fd60

SHA256
ce53840d1b6f3f37693f41241de6dd3ae2ae28e501564d48c74ccbd40577e6c0

SHA512
d125ba77a412a5bfcb8e20359d3714cd96b494fa177abe4dc81ebe50d837c0a8083b2315958d60d5ca7287aaaa781566d304049a023dd7deadd4dccb4532567e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\af62a119-3dd8-407a-9be4-d94213f7baf1.tmp

Filesize
6KB

MD5
76d933154805fc29fb281afecbfafcb3

SHA1
4fb4e1f511d7d2c9860f9d7d3fb8ed7d697d6d81

SHA256
ae83b5c254f0a51a6151a68b92d2b9726f9d82c9c9c05ef8afb3024864a42c1c

SHA512
63663f164e3ea17c6f534d6e8b7a22fdd2cd17ecaabfdd0cf3965f774e75b7deafc7b0fd493b448afc18f2ba7516ea3267881cabe45837c4ca8d3fee9f206aff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
168KB

MD5
56fba8929d8de7fedcaaf79a32cc04e9

SHA1
d7631bd05a9fb5b24536e07f019f84905085ccf9

SHA256
377d84b114409f2ed6b44bdb1cde64c6d7f0cea5fa649252a72619a7f2618b0a

SHA512
9a7347af58eacb7a83e0b83b2a5da535bb3d71d79e447015f43f90ef4c9fe7c5414f50404dc6e71b762e1d6020d68a6a3ef2d8dc89d1e53143a460682def31bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
168KB

MD5
099e14386b2944014f470b4008ee3639

SHA1
e915818675bc0a66d9048f9416fb996c8f90d242

SHA256
2e3f8e04807d2c1289f81759a9af1e4a708576b6166fc18c32f72c64b247fc1e

SHA512
ab767747dfac6ee7139d05e11970c33d2d4e494fcce6b37ca47a69d2b0a3849229439fc5211aa85c7dd724bb7c556956d2af7e61db5c36ca030990cdbbc5ea6a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabBDD5.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarBDF7.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\Desktop\!Please Read Me!.txt.ANNABELLE

Filesize
800B

MD5
81c1845fff664ca86f152adc8fe842ff

SHA1
8c1e93c4a80cadc66690b01734e3faddf886b2d2

SHA256
146bab79fe96119a1be2c3c8a62d188685b5e9cd0817551b5a5377cabcd55c7d

SHA512
c37490ada3296d8e555748bcadce5a7223f6ad255f6c14ae52643640031882591211c9a05dabc988a9fbc437dad8ca6b8af7b996956118774bf8f507b3e9d10b

Download Submit
C:\Users\Admin\Desktop\!WannaDecryptor!.exe.lnk.ANNABELLE

Filesize
672B

MD5
7b984bd78fbd95db391ec6781e2f2b1e

SHA1
904c66f35059e051cffe65a83309551666f54998

SHA256
47a63c728e6cd4148ca70caeaa52d01ccf56246b6d69d4eeabb2ec0876a41d48

SHA512
c25ff7cfe1ddaf8f30967c913b5e40a17390037531a28bed5337e53d9804f387850c047273e56b8f04d52e7d5bc2df639dabbc9bd3db01a0fda7f8db3fb1a212

Download Submit
C:\Users\Admin\Documents\!Please Read Me!.txt

Filesize
797B

MD5
afa18cf4aa2660392111763fb93a8c3d

SHA1
c219a3654a5f41ce535a09f2a188a464c3f5baf5

SHA256
227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0

SHA512
4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b

Download Submit
C:\Users\Admin\Documents\CloseRestore.potm.WCRY

Filesize
796KB

MD5
3f8169136eff54437a89c4f6e261d5f6

SHA1
1a533989bafbdfda35c788f6b7fc1441695e1be7

SHA256
3ea678c214d5f2ef839ff1ebfed0af0e6d2d1d8f34fecc007ee4ceadd5fcd25a

SHA512
f9dad1b4af867cf80fe33bdadd7a9b8a6ba41caea7c5d599d0841c7e85b57dcf8610ae894af1b4149eb11b48a5a072e8f9c4e786d8219caadd87d5ccd61db7f4

Download Submit
C:\Users\Admin\Documents\CompareSwitch.xlsx.WCRY

Filesize
13KB

MD5
dec67acfbf8708773537b98ae86b76d6

SHA1
52dea2e8fc8505dc3e070022f015e8ff970ee219

SHA256
e1ed88f738a7819aa789ad07a1334b371a6d4e026208c5f2401b8c867fed79a6

SHA512
b4ce7713a458198793463d0658c6ff971cbc7f0caa385d0d8aaa3776a6a367d8d58d4c466386c0980840d7477c6b29e262deed3cabbeb1451ee63ed385d56d53

Download Submit
C:\Users\Admin\Documents\ConfirmOut.ods.WCRY

Filesize
1.2MB

MD5
ed9f83426106d0d91104a06c2c5a3620

SHA1
f7e3f68896624f0b918b8ea90904a1ae6a1e6cde

SHA256
c20440cde4cdc349f1ba3804ff6454655f052fb8ce7f30a776ceb1896eaeeee2

SHA512
79ae2472abda9a252962b9bfbfd3e51e01d6f6cadfd22a53f5c91b62c26d4792971c8ac40b2b2f3ffe22e047b0f5e56b5db334c4291b44233637778595370c8e

Download Submit
C:\Users\Admin\Documents\ConvertFromTest.docm.WCRY

Filesize
853KB

MD5
18e2b5b352ceb2e442e63bda903f0a6f

SHA1
b71ec23dc98b704dc1cd9c5ce15021767a48a425

SHA256
8d413026cff1e4950b3323cbdd6d98fec0a80c8e18456b75d7112472a7c9af29

SHA512
18039ce17aef9c7fefe78213c40f4f2ab6d13f1eb77de0670c88e150550d33d943cda54616c201a045511b5b8e56ff77ea4632136eeec0340e32a1d48a42a181

Download Submit
C:\Users\Admin\Documents\ConvertInitialize.xlt.WCRY

Filesize
739KB

MD5
60a81162d6fa5d15cca7c28a97e02d5e

SHA1
2b3ac83c7d582536093fa9db44fe8888664fe01c

SHA256
aef5c833cf6964ceeb981ea8239f158d54f443715356bafe3cf040607d526d26

SHA512
d4a13d0d55a0653812aa63a974ca39b51d25ad8f4ab0857daafdee8d953c751fa09bf1a5f0ad480104cceffc3fa86e7a9c573859b3f4dded5b1c7f1efcd5eb75

Download Submit
C:\Users\Admin\Documents\CopyTest.pptm.WCRY

Filesize
1.1MB

MD5
aa65f05bf2108a749ccaeb8246075be5

SHA1
c0d2f4c724327ed93bafae85d6ce1202c13a4485

SHA256
5e460cc63dcfb16ca5296a64b3de87746589b152a9755d26dcb40d777cf780d1

SHA512
19852cf4b8e51806bae0dd6ed2c59127414b93fda7f99fe4f9cd7c3e490f23130b26b147d8518e4e1822dc8f3de79e3bc68cfc62f8c45e8b4f629c6b32460223

Download Submit
C:\Users\Admin\Documents\DisconnectClear.pptx.WCRY

Filesize
1.4MB

MD5
dcdf0416a4d5939a3f8e8a92878858a7

SHA1
bbad492153a082546b2c5c6cffe56b38f6a5ebe1

SHA256
d613ade966aa2f63246b5122e41b55945cd5f339d2ffba33cbaa385242e68ef9

SHA512
0a04105ca114bf07d32c465f4da20ffb612c75c84178b8e3c5784006cedc781234b118f3443900d173c24dd4232556554d3cd19a6dca9746115c49cf67ef5eb3

Download Submit
C:\Users\Admin\Documents\EnterUpdate.xlsx.WCRY

Filesize
1.1MB

MD5
3293e9e377675438875d9f70395fabcd

SHA1
7d63b012936432652b94befe41f6f1ca3361934f

SHA256
3b8447495a1c03daad7ff4d4f4a838afb9728206b2fb4a23f9d2bcff015e18e3

SHA512
04aa82bd6c3d93efa438638045e45cf7ffbda9590370b72834cdf71c7b30f04fb1d05203572b3c011718998091b34408f923c84d63bbcde9a7c3ce49ef18c052

Download Submit
C:\Users\Admin\Documents\ExitTest.docx.WCRY

Filesize
17KB

MD5
57032b9cf6cd62af24242be5d42512db

SHA1
66cb646fbe6e46119637c24b564662552ba120d9

SHA256
751c3ba71294ed34381424baebb82d1a687ec215c0d3de5b461fbb4258344dd1

SHA512
af30cce2a2726a607e44d0aa6b72bf992f9d42b850598187678fc84fb963e79ad7c17f15d9cb8a67c0425cf448df255c673f893f084afdff432ac6315a4b6983

Download Submit
C:\Users\Admin\Documents\PushDeny.xlsx.WCRY

Filesize
1.2MB

MD5
fe3a19874dd0b8baff8b47fe2ffba390

SHA1
871fb158e621a9c968c92763f2d5503631514c7c

SHA256
976c00d82a824d36d0b82c8eaa062c2cbd622fa1e382c1f54e13696f5124baf6

SHA512
1605dcf282c6001c2cbac8d3b28c5da0b32706eaf6f295b56f06eb1edc8a3bf4ba5614a0a90e54ec7f04eeb5be6a63e85ea1289c272731e796b2502dfb644d3e

Download Submit
C:\Users\Admin\Documents\ResolveDisable.odp.WCRY

Filesize
682KB

MD5
e415189da49f5b3aeb318a4f7bc2516a

SHA1
4fcdbd89657cf64cf2a553172c7d81256d16088f

SHA256
ed42f2f3aa6d00e43f0c3118f740ee02fca169ccad84c63f0fde7594c86350ee

SHA512
f9dbff557ec3231b4a4af584f54c49849e0b796c4922dea48383856104102490da1acfdb6e3eb69cb273cb303504a12fcf54d5ca9401c57e594bbe27163e45e6

Download Submit
C:\Users\Admin\Documents\SearchUnregister.pot.WCRY

Filesize
1.3MB

MD5
a5c2014096d0f9aafe54e3eef047f20f

SHA1
e801ef62cf50bed1fbd64f849b56acb91b70bcec

SHA256
84a8c5c46e1c99245abae10284259227092b8009bc290622ceefd8dcdb76c01f

SHA512
cc90d3353e0de4cbc2385200e0207081a91f51563541baba1e19fcb7ff746ed97b855a7aadecf7305ed2a6b942f4c55f9953582527e4a0412dda0e81a36bdfcd

Download Submit
C:\Users\Admin\Documents\SetExpand.ods.WCRY

Filesize
1.9MB

MD5
d5741e776e71a8d1d5ce1708a49675ad

SHA1
bd41716aa53ab13c0019b54d2219cf56a9a84154

SHA256
09e06db81ff2a217df31ff00776ecd7531f7322eb53431d2f57d3ba37b22c4e1

SHA512
c1773258a19720aa69fd48bef71a3680febb77bed2eeea630c63e38dd7d22493076aac844db4b88bf3782e9ffe0d5bc0e10d6fa10a1460a48853b8e2edc794c6

Download Submit
C:\Users\Admin\Documents\TraceMerge.xltx.WCRY

Filesize
1.0MB

MD5
8e555b77eadeb1cf0d38b4bba2c349ea

SHA1
857f6509b005e2c0316e1aef20a84f8382989d33

SHA256
7ab68e70444080c7e56e2bb131af5c0e7efefaaa6fce3e54b4c1a34f513bc6fc

SHA512
dc66e37b8218cd6659c80d5873877b49862c0269e227dd572e7df87796d1a03c8c22513e2e57fa0a3839deec64e2b34ea137916fb8687d1a66f63a52ec5775de

Download Submit
C:\Users\Admin\Downloads\!WannaDecryptor!.exe

Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
C:\Users\Admin\Downloads\!WannaDecryptor!.exe.lnk

Filesize
668B

MD5
68d94562bd3da4a80a0da096e1de88a9

SHA1
e58d0c4aa90ce67fd32fb5cc4402cb0044a23e88

SHA256
549eb3e4c6eca0b98d8107acc15e7f681ee13d8f07ec5ccef4779d4babd07ab6

SHA512
53515e23ce25c75d6a569b790caa302e8b5540281a73c312996b07da9758b3de0f3088697201e0bad8461d8045bd4f3d6fec9a987dff5a8565edfd6f03dbe810

Download Submit
C:\Users\Admin\Downloads\00000000.res

Filesize
136B

MD5
db43d117ffb049f24005fd63985d5071

SHA1
ccbe6ff5bd28c5c6d5e467e1e1835eee0c4baee7

SHA256
650fa658aff25bd33430ef7966244812ca65379d72ac389b32c66dc44c98bfa0

SHA512
747380fabb715c9d1abd95954cb93ffc1fa38e2dd02472a82aaf6c088b545f01951ae1e20058e4ad08cc5b8dccdd0d25f220abd6f7d1228a527d836dc33aced0

Download Submit
C:\Users\Admin\Downloads\00000000.res

Filesize
136B

MD5
b7ad084e2d72c102b7765fc7fca1a15a

SHA1
2674f76c6d561ed4985ff6fbdf854001cf3788a9

SHA256
309601941e2633d6dd820bf9b99fb01344afdb1d09e38cf49f2715212e788d21

SHA512
1e2b20d1eefb156f84edef996995717a240baa10ad0c2197af97e1246b4073899caaecf2d4842a5b863f2a24a11066c6ce49857c5fa7b3535125ff7460e692ae

Download Submit
C:\Users\Admin\Downloads\00000000.res

Filesize
136B

MD5
a543671fe3b5ce8f1cd7051f3e56f7a0

SHA1
e57c66787560b42fb7b64363b9e2620c4251c54a

SHA256
1068096e8d640d0a21895ba024d393c5aab91a6f0f51e328e05b83697b07b39d

SHA512
248aac4ed1ce76a62d768c106b5e72ef47229b4f47eceec612572950cd7ab83c7a5843a9bb3d7119907ef0d873169bf6c8ab0f527f7b3762b540702a80fe05f7

Download Submit
C:\Users\Admin\Downloads\288591732337967.bat

Filesize
318B

MD5
a261428b490a45438c0d55781a9c6e75

SHA1
e9eefce11cefcbb7e5168bfb8de8a3c3ac45c41e

SHA256
4288d655b7de7537d7ea13fdeb1ba19760bcaf04384cd68619d9e5edb5e31f44

SHA512
304887938520ffcc6966da83596ccc8688b7eace9572982c224f3fb9c59e6fb2dcaa021a19d2aae47346e954c0d0d8145c723b7143dece11ac7261dc41ba3d40

Download Submit
C:\Users\Admin\Downloads\Annabelle.exe

Filesize
15.9MB

MD5
0f743287c9911b4b1c726c7c7edcaf7d

SHA1
9760579e73095455fcbaddfe1e7e98a2bb28bfe0

SHA256
716335ba5cd1e7186c40295b199190e2b6655e48f1c1cbe12139ba67faa5e1ac

SHA512
2a6dd6288303700ef9cb06ae1efeb1e121c89c97708e5ecd15ed9b2a35d0ecff03d8da58b30daeadad89bd38dc4649521ada149fb457408e5a2bdf1512f88677

Download Submit
C:\Users\Admin\Downloads\TaskHost\t43F7.tmp.ANNABELLE

Filesize
16B

MD5
52488ef3f42a79048b8cbb5503816741

SHA1
56651900d95ee36de389c29b7a7e6dedbb421eff

SHA256
9ce5f9abb2fb204df9fc5db071bdfe0fefeb86da178d8c7b8e4ea29784c48154

SHA512
d42a0c76a4d24d930a9b6ee15205a02a6edec97ca16e9febc6eb47d05ff7d6f2af7c3d430d416bf464dc561289428d412acc856718aa5ead58de51b1e8facd5e

Download Submit
C:\Users\Admin\Downloads\WannaCry.exe

Filesize
224KB

MD5
5c7fb0927db37372da25f270708103a2

SHA1
120ed9279d85cbfa56e5b7779ffa7162074f7a29

SHA256
be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844

SHA512
a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f89224c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206

Download Submit
C:\Users\Admin\Downloads\c.vbs

Filesize
201B

MD5
02b937ceef5da308c5689fcdb3fb12e9

SHA1
fa5490ea513c1b0ee01038c18cb641a51f459507

SHA256
5d57b86aeb52be824875008a6444daf919717408ec45aff4640b5e64610666f1

SHA512
843eeae13ac5fdc216b14e40534543c283ecb2b6c31503aba2d25ddd215df19105892e43cf618848742de9c13687d21e8c834eff3f2b69a26df2509a6f992653

Download Submit
C:\Users\Admin\Downloads\c.wry

Filesize
628B

MD5
c1130d53aefa2062d4b299e6a3799959

SHA1
9853863f091dbeaddc71be30fea9319ae9b472f2

SHA256
b179d01f86e756a7c09a356c98d737271dc95751adfa6ec5a5080473354bf601

SHA512
337314159fe94903eb7521d076f56c0339834390b5b10718845eb4e0f283c0452558016d8c4f3c5d6e350d0cecf4c2eef0920a8f0a15be880dcc0d6fc601907f

Download Submit
C:\Users\Admin\Downloads\m.wry

Filesize
42KB

MD5
980b08bac152aff3f9b0136b616affa5

SHA1
2a9c9601ea038f790cc29379c79407356a3d25a3

SHA256
402046ada270528c9ac38bbfa0152836fe30fb8e12192354e53b8397421430d9

SHA512
100cda1f795781042b012498afd783fd6ff03b0068dbd07b2c2e163cd95e6c6e00755ce16b02b017693c9febc149ed02df9df9b607e2b9cca4b07e5bd420f496

Download Submit
memory/1404-528-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download
memory/2936-1566-0x000000001C390000-0x000000001D91E000-memory.dmp

Filesize
21.6MB

Download
memory/2936-1556-0x000000013FC20000-0x0000000140C14000-memory.dmp

Filesize
16.0MB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads