wannacry | hxxps://github[.]com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/WannaCry[.]exe

Analysis

max time kernel
146s
max time network
154s
platform
windows11-21h2_x64
resource
win11-20250207-en
resource tags

arch:x64arch:x86image:win11-20250207-enlocale:en-usos:windows11-21h2-x64system
submitted
10-02-2025 08:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/WannaCry.exe

Score

10^/10

wannacry defense_evasion discovery persistence ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\!Please Read Me!.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions! �

Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Wannacry family
wannacry

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD1A4.tmp	WannaCry.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD1BA.tmp	WannaCry.exe

Executes dropped EXE 23 IoCs

pid	Process
2688	WannaCry.exe
1852	!WannaDecryptor!.exe
1240	!WannaDecryptor!.exe
2116	!WannaDecryptor!.exe
4908	!WannaDecryptor!.exe
1880	!WannaDecryptor!.exe
2904	!WannaDecryptor!.exe
5076	!WannaDecryptor!.exe
948	!WannaDecryptor!.exe
248	!WannaDecryptor!.exe
4676	!WannaDecryptor!.exe
3860	!WannaDecryptor!.exe
1148	!WannaDecryptor!.exe
4456	!WannaDecryptor!.exe
4048	!WannaDecryptor!.exe
4632	!WannaDecryptor!.exe
1504	!WannaDecryptor!.exe
1092	!WannaDecryptor!.exe
1880	!WannaDecryptor!.exe
3056	!WannaDecryptor!.exe
3144	!WannaDecryptor!.exe
2896	!WannaDecryptor!.exe
3860	!WannaDecryptor!.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\Downloads\\WannaCry.exe\" /r"	WannaCry.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
73	raw.githubusercontent.com
74	raw.githubusercontent.com
75	raw.githubusercontent.com
76	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1387034853-841019411-4036473919-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp"	!WannaDecryptor!.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\WannaCry.exe:Zone.Identifier	msedge.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 34 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wermgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4320	MicrosoftEdgeUpdate.exe
1504	MicrosoftEdgeUpdate.exe
4888	MicrosoftEdgeUpdate.exe

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	wermgr.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe

Kills process with taskkill 4 IoCs

defense_evasion

pid	Process
3836	taskkill.exe
2072	taskkill.exe
2060	taskkill.exe
4632	taskkill.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\WannaCry.exe:Zone.Identifier	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1240	!WannaDecryptor!.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2072	taskkill.exe
Token: SeDebugPrivilege	2060	taskkill.exe
Token: SeDebugPrivilege	3836	taskkill.exe
Token: SeDebugPrivilege	4632	taskkill.exe

Suspicious use of SetWindowsHookEx 24 IoCs

pid	Process
1852	!WannaDecryptor!.exe
1852	!WannaDecryptor!.exe
1240	!WannaDecryptor!.exe
1240	!WannaDecryptor!.exe
2116	!WannaDecryptor!.exe
4908	!WannaDecryptor!.exe
1880	!WannaDecryptor!.exe
2904	!WannaDecryptor!.exe
5076	!WannaDecryptor!.exe
948	!WannaDecryptor!.exe
248	!WannaDecryptor!.exe
4676	!WannaDecryptor!.exe
3860	!WannaDecryptor!.exe
1148	!WannaDecryptor!.exe
4456	!WannaDecryptor!.exe
4048	!WannaDecryptor!.exe
4632	!WannaDecryptor!.exe
1504	!WannaDecryptor!.exe
1092	!WannaDecryptor!.exe
1880	!WannaDecryptor!.exe
3056	!WannaDecryptor!.exe
3144	!WannaDecryptor!.exe
2896	!WannaDecryptor!.exe
3860	!WannaDecryptor!.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2688 wrote to memory of 4608	2688	WannaCry.exe	104
PID 2688 wrote to memory of 4608	2688	WannaCry.exe	104
PID 2688 wrote to memory of 4608	2688	WannaCry.exe	104
PID 4608 wrote to memory of 4044	4608	cmd.exe	106
PID 4608 wrote to memory of 4044	4608	cmd.exe	106
PID 4608 wrote to memory of 4044	4608	cmd.exe	106
PID 2688 wrote to memory of 1852	2688	WannaCry.exe	109
PID 2688 wrote to memory of 1852	2688	WannaCry.exe	109
PID 2688 wrote to memory of 1852	2688	WannaCry.exe	109
PID 2688 wrote to memory of 3836	2688	WannaCry.exe	110
PID 2688 wrote to memory of 3836	2688	WannaCry.exe	110
PID 2688 wrote to memory of 3836	2688	WannaCry.exe	110
PID 2688 wrote to memory of 2072	2688	WannaCry.exe	111
PID 2688 wrote to memory of 2072	2688	WannaCry.exe	111
PID 2688 wrote to memory of 2072	2688	WannaCry.exe	111
PID 2688 wrote to memory of 2060	2688	WannaCry.exe	112
PID 2688 wrote to memory of 2060	2688	WannaCry.exe	112
PID 2688 wrote to memory of 2060	2688	WannaCry.exe	112
PID 2688 wrote to memory of 4632	2688	WannaCry.exe	113
PID 2688 wrote to memory of 4632	2688	WannaCry.exe	113
PID 2688 wrote to memory of 4632	2688	WannaCry.exe	113
PID 2688 wrote to memory of 2116	2688	WannaCry.exe	121
PID 2688 wrote to memory of 2116	2688	WannaCry.exe	121
PID 2688 wrote to memory of 2116	2688	WannaCry.exe	121
PID 2688 wrote to memory of 4688	2688	WannaCry.exe	122
PID 2688 wrote to memory of 4688	2688	WannaCry.exe	122
PID 2688 wrote to memory of 4688	2688	WannaCry.exe	122
PID 4688 wrote to memory of 4908	4688	cmd.exe	124
PID 4688 wrote to memory of 4908	4688	cmd.exe	124
PID 4688 wrote to memory of 4908	4688	cmd.exe	124
PID 2688 wrote to memory of 1880	2688	WannaCry.exe	126
PID 2688 wrote to memory of 1880	2688	WannaCry.exe	126
PID 2688 wrote to memory of 1880	2688	WannaCry.exe	126
PID 2688 wrote to memory of 2904	2688	WannaCry.exe	127
PID 2688 wrote to memory of 2904	2688	WannaCry.exe	127
PID 2688 wrote to memory of 2904	2688	WannaCry.exe	127
PID 2688 wrote to memory of 5076	2688	WannaCry.exe	128
PID 2688 wrote to memory of 5076	2688	WannaCry.exe	128
PID 2688 wrote to memory of 5076	2688	WannaCry.exe	128
PID 2688 wrote to memory of 948	2688	WannaCry.exe	132
PID 2688 wrote to memory of 948	2688	WannaCry.exe	132
PID 2688 wrote to memory of 948	2688	WannaCry.exe	132
PID 2688 wrote to memory of 248	2688	WannaCry.exe	134
PID 2688 wrote to memory of 248	2688	WannaCry.exe	134
PID 2688 wrote to memory of 248	2688	WannaCry.exe	134
PID 2688 wrote to memory of 4676	2688	WannaCry.exe	136
PID 2688 wrote to memory of 4676	2688	WannaCry.exe	136
PID 2688 wrote to memory of 4676	2688	WannaCry.exe	136
PID 2688 wrote to memory of 3860	2688	WannaCry.exe	137
PID 2688 wrote to memory of 3860	2688	WannaCry.exe	137
PID 2688 wrote to memory of 3860	2688	WannaCry.exe	137
PID 2688 wrote to memory of 1148	2688	WannaCry.exe	138
PID 2688 wrote to memory of 1148	2688	WannaCry.exe	138
PID 2688 wrote to memory of 1148	2688	WannaCry.exe	138
PID 2688 wrote to memory of 4456	2688	WannaCry.exe	139
PID 2688 wrote to memory of 4456	2688	WannaCry.exe	139
PID 2688 wrote to memory of 4456	2688	WannaCry.exe	139
PID 2688 wrote to memory of 4048	2688	WannaCry.exe	140
PID 2688 wrote to memory of 4048	2688	WannaCry.exe	140
PID 2688 wrote to memory of 4048	2688	WannaCry.exe	140
PID 2688 wrote to memory of 4632	2688	WannaCry.exe	141
PID 2688 wrote to memory of 4632	2688	WannaCry.exe	141
PID 2688 wrote to memory of 4632	2688	WannaCry.exe	141
PID 2688 wrote to memory of 1504	2688	WannaCry.exe	142

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/WannaCry.exe
1⤵
PID:2316

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --always-read-main-dll --field-trial-handle=3960,i,15826894020639999873,4923887073650822821,262144 --variations-seed-version --mojo-platform-channel-handle=4508 /prefetch:1
1⤵
PID:1516

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --always-read-main-dll --field-trial-handle=3888,i,15826894020639999873,4923887073650822821,262144 --variations-seed-version --mojo-platform-channel-handle=5484 /prefetch:1
1⤵
PID:2092

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --string-annotations --always-read-main-dll --field-trial-handle=5748,i,15826894020639999873,4923887073650822821,262144 --variations-seed-version --mojo-platform-channel-handle=5760 /prefetch:14
1⤵
PID:4080

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --string-annotations --always-read-main-dll --field-trial-handle=5768,i,15826894020639999873,4923887073650822821,262144 --variations-seed-version --mojo-platform-channel-handle=5920 /prefetch:14
1⤵
PID:3440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --string-annotations --always-read-main-dll --field-trial-handle=6592,i,15826894020639999873,4923887073650822821,262144 --variations-seed-version --mojo-platform-channel-handle=6612 /prefetch:14
1⤵
PID:1548

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --always-read-main-dll --field-trial-handle=6600,i,15826894020639999873,4923887073650822821,262144 --variations-seed-version --mojo-platform-channel-handle=6732 /prefetch:1
1⤵
PID:2780

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=7136,i,15826894020639999873,4923887073650822821,262144 --variations-seed-version --mojo-platform-channel-handle=7160 /prefetch:14
1⤵
PID:3848

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=6260,i,15826894020639999873,4923887073650822821,262144 --variations-seed-version --mojo-platform-channel-handle=7236 /prefetch:14
1⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
PID:3564

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MDIwNDEwMzgtRTMwRC00ODJCLTg0RDgtQjgxMDNEOEJBNkU5fSIgdXNlcmlkPSJ7NEIxODU2NTMtNzFBQy00N0U2LUI2ODEtNUIzNzAwRkE3QUVGfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7NjYzQkFCRjItOEZEOS00NkI1LTlEREItMjQ1QURFRkIxOTk1fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4yMjAwMC40OTMiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7RSt4YkF6Nlk2c1UxMjg5YlM2cWw0VlJMYmtqZkJVR1RNSnNqckhyNDRpST0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7OEE2OUQzNDUtRDU2NC00NjNjLUFGRjEtQTY5RDlFNTMwRjk2fSIgdmVyc2lvbj0iMTIzLjAuNjMxMi4xMjMiIG5leHR2ZXJzaW9uPSIiIGxhbmc9ImVuIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjIiIGluc3RhbGxkYXRldGltZT0iMTczODk1NjY0MSIgb29iZV9pbnN0YWxsX3RpbWU9IjEzMzgzNDI5MjY4NjIxMDAwMCI-PGV2ZW50IGV2ZW50dHlwZT0iMzEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjIxNzk4NjIiIHN5c3RlbV91cHRpbWVfdGlja3M9IjU0NjA5ODM3MTYiLz48L2FwcD48L3JlcXVlc3Q-
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:4320

C:\Users\Admin\Downloads\WannaCry.exe
"C:\Users\Admin\Downloads\WannaCry.exe"
1⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2688
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 137771739176406.bat
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4608
- - C:\Windows\SysWOW64\cscript.exe
    cscript //nologo c.vbs
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4044
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe f
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1852
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im MSExchange*
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3836
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im Microsoft.Exchange.*
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2072
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im sqlserver.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2060
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im sqlwriter.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4632
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe c
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2116
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c start /b !WannaDecryptor!.exe v
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4688
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe v
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4908
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1880
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2904
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5076
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:948
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:248
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4676
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3860
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1148
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4456
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4048
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4632
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1504
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1092
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1880
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3056
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3144
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2896
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3860

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --string-annotations --always-read-main-dll --field-trial-handle=6000,i,15826894020639999873,4923887073650822821,262144 --variations-seed-version --mojo-platform-channel-handle=6372 /prefetch:14
1⤵
PID:2404

C:\Users\Admin\Downloads\!WannaDecryptor!.exe
"C:\Users\Admin\Downloads\!WannaDecryptor!.exe"
1⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1240

C:\Windows\SysWOW64\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "0" "3912" "1172" "1168" "1260" "0" "0" "0" "0" "0" "0" "0" "0"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
PID:3836

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MDIwNDEwMzgtRTMwRC00ODJCLTg0RDgtQjgxMDNEOEJBNkU5fSIgdXNlcmlkPSJ7NEIxODU2NTMtNzFBQy00N0U2LUI2ODEtNUIzNzAwRkE3QUVGfSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9Ins3NTJDQzlGOS0wQ0VBLTRGRDgtQURBMi1BOUVDMEM3ODI5OTJ9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iMiIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjIyMDAwLjQ5MyIgc3A9IiIgYXJjaD0ieDY0IiBwcm9kdWN0X3R5cGU9IjQ4IiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSImcXVvdDtWUFFvUDFGK2ZxMTV3UnpoMWtQTDRQTXBXaDhPUk1CNWl6dnJPQy9jaGpRPSZxdW90OyIvPjxhcHAgYXBwaWQ9Ins1NkVCMThGOC1CMDA4LTRDQkQtQjZEMi04Qzk3RkU3RTkwNjJ9IiB2ZXJzaW9uPSIxMzIuMC4yOTU3LjE0MCIgbmV4dHZlcnNpb249IiIgbGFuZz0iIiBicmFuZD0iSU5CWCIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjIiIGluc3RhbGxkYXRldGltZT0iMTczODk1NjE2MiI-PGV2ZW50IGV2ZW50dHlwZT0iMzIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjQiIHN5c3RlbV91cHRpbWVfdGlja3M9IjU4MTM1MTA2NjQiLz48L2FwcD48L3JlcXVlc3Q-
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:1504

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=6880,i,15826894020639999873,4923887073650822821,262144 --variations-seed-version --mojo-platform-channel-handle=6400 /prefetch:14
1⤵
PID:3896

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MDIwNDEwMzgtRTMwRC00ODJCLTg0RDgtQjgxMDNEOEJBNkU5fSIgdXNlcmlkPSJ7NEIxODU2NTMtNzFBQy00N0U2LUI2ODEtNUIzNzAwRkE3QUVGfSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9Ins4QUE1NDJBNS1BRDUxLTRFQkMtOUJGRi0zOEMwNjdFN0YxQUZ9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iMiIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjIyMDAwLjQ5MyIgc3A9IiIgYXJjaD0ieDY0IiBwcm9kdWN0X3R5cGU9IjQ4IiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSImcXVvdDtWUFFvUDFGK2ZxMTV3UnpoMWtQTDRQTXBXaDhPUk1CNWl6dnJPQy9jaGpRPSZxdW90OyIvPjxhcHAgYXBwaWQ9IntGM0M0RkUwMC1FRkQ1LTQwM0ItOTU2OS0zOThBMjBGMUJBNEF9IiB2ZXJzaW9uPSIxLjMuMTk1LjQzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSIiIGJyYW5kPSJJTkJYIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iMiIgY29ob3J0PSJycmZAMC4wOCI-PHVwZGF0ZWNoZWNrLz48cGluZyByPSIzIiByZD0iNjYxMiIgcGluZ19mcmVzaG5lc3M9Ins2RkJBQTk1RC1FM0UzLTQwRkEtQUVCNS0wRUIwMjZENjY4QTB9Ii8-PC9hcHA-PGFwcCBhcHBpZD0iezU2RUIxOEY4LUIwMDgtNENCRC1CNkQyLThDOTdGRTdFOTA2Mn0iIHZlcnNpb249IjEzMi4wLjI5NTcuMTQwIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSIiIGJyYW5kPSJJTkJYIiBjbGllbnQ9IiIgZXhwZXJpbWVudHM9ImNvbnNlbnQ9ZmFsc2UiIGluc3RhbGxhZ2U9IjIiIGNvaG9ydD0icnJmQDAuMDciIG9vYmVfaW5zdGFsbF90aW1lPSIxODQ0Njc0NDA3MzcwOTU1MTYwNiIgdXBkYXRlX2NvdW50PSIxIiBsYXN0X2xhdW5jaF9jb3VudD0iMSIgbGFzdF9sYXVuY2hfdGltZT0iMTMzODM2NDk5NjE1NjI0NzUwIj48dXBkYXRlY2hlY2svPjxwaW5nIGFjdGl2ZT0iMSIgYT0iMyIgcj0iMyIgYWQ9IjY2MTIiIHJkPSI2NjEyIiBwaW5nX2ZyZXNobmVzcz0ie0M4QkYxQzI4LUYxRTYtNEU0Ri1CMzE4LTIyRUMyMTQ4MjU0N30iLz48L2FwcD48YXBwIGFwcGlkPSJ7RjMwMTcyMjYtRkUyQS00Mjk1LThCREYtMDBDM0E5QTdFNEM1fSIgdmVyc2lvbj0iMTMyLjAuMjk1Ny4xNDAiIG5leHR2ZXJzaW9uPSIiIGxhbmc9IiIgYnJhbmQ9IklOQlgiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIyIiBjb2hvcnQ9InJyZkAwLjI1IiB1cGRhdGVfY291bnQ9IjEiPjx1cGRhdGVjaGVjay8-PHBpbmcgcj0iMyIgcmQ9IjY2MTIiIHBpbmdfZnJlc2huZXNzPSJ7MkIyOUY3QkItN0QwRS00MzVDLUEyQjAtQTU2NzNEQkQwRjhFfSIvPjwvYXBwPjwvcmVxdWVzdD4
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:4888

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --string-annotations --always-read-main-dll --field-trial-handle=7044,i,15826894020639999873,4923887073650822821,262144 --variations-seed-version --mojo-platform-channel-handle=6424 /prefetch:14
1⤵
PID:2204

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=4416,i,15826894020639999873,4923887073650822821,262144 --variations-seed-version --mojo-platform-channel-handle=5984 /prefetch:14
1⤵
PID:2292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

Filesize
326KB

MD5
91d4c503beb8866b75de0082cb3aa9d4

SHA1
90984481cb8a8f30c1169fa9ffb6641329b457d4

SHA256
8e0df918eac4d41832913ce33ac6e787344074fbbd17eada91bf2efd5f87e924

SHA512
6a732a15200228826d951d96e83b2ba451c003501d05f5d693785368b188f33e6fce60f87c00093b474392e4d3197bd5087f86b8599c2bcf1f5ea7f12774d1d0

Download Submit
C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

Filesize
346KB

MD5
d8b986aa31d2e3b5029bea216896e425

SHA1
711934d0e1a31b78d30903460779fc464fb9cc76

SHA256
a8e44ba1b53b2580e13d1a7fa8ceda606bac60fd79f3bbe2cfb74b89c751c1ca

SHA512
e5954fea3db97a4214077fcb2a417de35f3786e0edbc4ec332d62fa656a417d19eeae06fdfbd3702cc68fc29ab27482bf05a4979c7c652a7287c77a3ad602060

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide_alternate.db.WCRY

Filesize
312B

MD5
35b2f8fefcfae883d6082b937a1efaf6

SHA1
6d47293fc1107c23b2d9dcfe827afd43702daab5

SHA256
00ddb3ff8cbad72e161ee1d8992e0cc5a37de3db3b041983bcc746d41e669ecf

SHA512
914a6d82c582935c4b9bc2b85e0eca56977a7c9fca48212e81eefd6140bc18db847b40e53205ddea6604a767fce93d4083b1565cbaadfcaa9fc8b998a641939d

Download Submit
C:\Users\Admin\Downloads\!Please Read Me!.txt

Filesize
797B

MD5
afa18cf4aa2660392111763fb93a8c3d

SHA1
c219a3654a5f41ce535a09f2a188a464c3f5baf5

SHA256
227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0

SHA512
4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b

Download Submit
C:\Users\Admin\Downloads\!WannaDecryptor!.exe.lnk

Filesize
590B

MD5
ce33a3ee80d8a4f9951b3cb4c931e817

SHA1
bb94c49f7b137312997bb7d0cb94b6220887103e

SHA256
f22a43a51ead289217800dc01469bfdb4cda0961fc65ca402bd7a6f6de00449e

SHA512
31de9e3873a15012e28d987b57a00243dc456d3f36560ae00ae9c892d09b822cd940924c7a78ffc5ce2e08eda01316722bd69a222be059ef54286c1d8e70f816

Download Submit
C:\Users\Admin\Downloads\00000000.res

Filesize
136B

MD5
62ef4eb762873a548f183dfb65422e70

SHA1
e287ed1edb6803bbbf889c9a11980481fb3421b0

SHA256
9128bcff36bc18154662b55d95f9e6c092f9a49ca41f4b0a7d6fdfbc9d40a05c

SHA512
a3304cfaf95ab6e2fa64739074c5a451bffccdd4bcfd65c8ae7519346474d889e08e6e5cf60b7830be55ed1647ea5cbcd6fa488ba431d61436d94c9476b5e14e

Download Submit
C:\Users\Admin\Downloads\00000000.res

Filesize
136B

MD5
e4772a181db3c3c00318da226ba0114f

SHA1
0b66aac59e0dfe884c424a91d1d6076a392d3e44

SHA256
ebca7959f11c3b51973fdb2589a10486e3a625994c23252086cc84a49ada8fa0

SHA512
cd9a432f56732b2ce3cbbe8a7117a42a7c99153f36d941392722ed4288644e2d5c10b0ed64fd0f3dbbb6a0eb8a110132b2c2a163c12a89a2b8f9dc5cdddff52e

Download Submit
C:\Users\Admin\Downloads\137771739176406.bat

Filesize
318B

MD5
a261428b490a45438c0d55781a9c6e75

SHA1
e9eefce11cefcbb7e5168bfb8de8a3c3ac45c41e

SHA256
4288d655b7de7537d7ea13fdeb1ba19760bcaf04384cd68619d9e5edb5e31f44

SHA512
304887938520ffcc6966da83596ccc8688b7eace9572982c224f3fb9c59e6fb2dcaa021a19d2aae47346e954c0d0d8145c723b7143dece11ac7261dc41ba3d40

Download Submit
C:\Users\Admin\Downloads\WannaCry.exe

Filesize
224KB

MD5
5c7fb0927db37372da25f270708103a2

SHA1
120ed9279d85cbfa56e5b7779ffa7162074f7a29

SHA256
be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844

SHA512
a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f89224c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206

Download Submit
C:\Users\Admin\Downloads\c.vbs

Filesize
201B

MD5
02b937ceef5da308c5689fcdb3fb12e9

SHA1
fa5490ea513c1b0ee01038c18cb641a51f459507

SHA256
5d57b86aeb52be824875008a6444daf919717408ec45aff4640b5e64610666f1

SHA512
843eeae13ac5fdc216b14e40534543c283ecb2b6c31503aba2d25ddd215df19105892e43cf618848742de9c13687d21e8c834eff3f2b69a26df2509a6f992653

Download Submit
C:\Users\Admin\Downloads\c.wry

Filesize
628B

MD5
a643cfbf42566cd504325cf56db761d9

SHA1
4d1b69900281bb724ac6c3f38737a5f3ed926718

SHA256
055cf3dc0578dbd9d573a2fb103d3a317421298b2b08a8022fe8362438604a9f

SHA512
cab4254cf8f10c60a48baf4f5e8dfa6e6f8105d25b8f8d240af0bce6d821b1848d9008bd2d399aa26441dcb8209da4b0f77cd926cb685ee471b8061dc680f35d

Download Submit
C:\Users\Admin\Downloads\f.wry

Filesize
90B

MD5
caf434b8d2909e2156ba993364c0a63f

SHA1
be096a8e2217bd2bea5943d919c569ffb292f611

SHA256
f5838e28bdc56672b5206ae51bae4592d3fbed1bd981bd795335e72d7c6df32f

SHA512
eb70f602c609a2dfcc74f60e1584d348951e0b737f1f578b2fe8cd54c339b131acb197a69c2036cbae1e72ba6a4be7ddce0fecbdd5db7a334c76afc6d82f21b7

Download Submit
C:\Users\Admin\Downloads\m.wry

Filesize
42KB

MD5
980b08bac152aff3f9b0136b616affa5

SHA1
2a9c9601ea038f790cc29379c79407356a3d25a3

SHA256
402046ada270528c9ac38bbfa0152836fe30fb8e12192354e53b8397421430d9

SHA512
100cda1f795781042b012498afd783fd6ff03b0068dbd07b2c2e163cd95e6c6e00755ce16b02b017693c9febc149ed02df9df9b607e2b9cca4b07e5bd420f496

Download Submit
C:\Users\Admin\Downloads\u.wry

Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
memory/2688-11-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads