wannacry | 0f5e1ad4815e0d0e967c8e2e594cf495152911d4337bb8f5270ed590879722c4

Analysis

max time kernel
4294209s
max time network
125s
platform
windows7_x64
resource
win7-20220311-en
submitted
04-04-2022 12:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe
Size

232KB
MD5

8dd63adb68ef053e044a5a2f46e0d2cd
SHA1

1bc604573ceab106e5a0e9c419ade38739228707
SHA256

201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9
SHA512

c7c267b3be9f50783b394ae9ae960d5ff636c63a58c645764712fed28ce9be616344c2a248782da7f50ede465d3f1e8ec7267d62ebc5e86490ad472518ab1526

Score

10^/10

wannacry ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\!Please Read Me!.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $200 worth of bitcoin to this bitcoin address: 1QAc9S5EmycqjzzWDc1yiWzr9jJLC8sLiY Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) https://www.dropbox.com/s/c1gn29iy8erh1ks/m.rar?dl=1 rar password: wcry123 Run and follow the instructions! �

Wallets

1QAc9S5EmycqjzzWDc1yiWzr9jJLC8sLiY

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 3 IoCs

Processes:

!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe

pid process

1540 !WannaDecryptor!.exe
1232 !WannaDecryptor!.exe
1224 !WannaDecryptor!.exe

Modifies extensions of user files 24 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\SplitRepair.tiff.WCRY	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe
File renamed	C:\Users\Admin\Pictures\UpdateCompare.raw.WCRYT => C:\Users\Admin\Pictures\UpdateCompare.raw.WCRY	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe
File created	C:\Users\Admin\Pictures\WatchRead.png.WCRYT	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe
File opened for modification	C:\Users\Admin\Pictures\UpdateCompare.raw.WCRY	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe
File opened for modification	C:\Users\Admin\Pictures\WriteUse.tiff.WCRY	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe
File created	C:\Users\Admin\Pictures\DismountSet.raw.WCRYT	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe
File renamed	C:\Users\Admin\Pictures\SplitRepair.tiff.WCRYT => C:\Users\Admin\Pictures\SplitRepair.tiff.WCRY	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe
File opened for modification	C:\Users\Admin\Pictures\TestUse.tif.WCRY	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe
File created	C:\Users\Admin\Pictures\UpdateCompare.raw.WCRYT	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe
File renamed	C:\Users\Admin\Pictures\TestUse.tif.WCRYT => C:\Users\Admin\Pictures\TestUse.tif.WCRY	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe
File created	C:\Users\Admin\Pictures\WriteUse.tiff.WCRYT	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe
File created	C:\Users\Admin\Pictures\ClearPublish.raw.WCRYT	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe
File renamed	C:\Users\Admin\Pictures\ClearPublish.raw.WCRYT => C:\Users\Admin\Pictures\ClearPublish.raw.WCRY	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe
File opened for modification	C:\Users\Admin\Pictures\ClearPublish.raw.WCRY	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe
File opened for modification	C:\Users\Admin\Pictures\DismountSet.raw.WCRY	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe
File created	C:\Users\Admin\Pictures\SplitRepair.tiff.WCRYT	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe
File created	C:\Users\Admin\Pictures\TestUse.tif.WCRYT	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe
File renamed	C:\Users\Admin\Pictures\WatchRead.png.WCRYT => C:\Users\Admin\Pictures\WatchRead.png.WCRY	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe
File opened for modification	C:\Users\Admin\Pictures\WatchRead.png.WCRY	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe
File created	C:\Users\Admin\Pictures\DenySwitch.tif.WCRYT	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe
File renamed	C:\Users\Admin\Pictures\DenySwitch.tif.WCRYT => C:\Users\Admin\Pictures\DenySwitch.tif.WCRY	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe
File opened for modification	C:\Users\Admin\Pictures\DenySwitch.tif.WCRY	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe
File renamed	C:\Users\Admin\Pictures\DismountSet.raw.WCRYT => C:\Users\Admin\Pictures\DismountSet.raw.WCRY	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe
File renamed	C:\Users\Admin\Pictures\WriteUse.tiff.WCRYT => C:\Users\Admin\Pictures\WriteUse.tiff.WCRY	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe

Drops startup file 24 IoCs

Processes:

201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD89C1.tmp	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD5E7.tmp	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDEF17.tmp	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD520C.tmp	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDD1F3.tmp	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD3C45.tmp	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD56AB.tmp	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDBCC8.tmp	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDD5F6.tmp	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD8CE8.tmp	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD1F53.tmp	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD37F5.tmp	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD227B.tmp	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDA31E.tmp	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDF00D.tmp	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDD1E7.tmp	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDEC3D.tmp	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD8504.tmp	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD9E70.tmp	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDB82A.tmp	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD873.tmp	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD6FE8.tmp	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDB87C.tmp	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD6B0B.tmp	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe

Loads dropped DLL 7 IoCs

Processes:

cscript.execmd.execmd.exe201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe

pid	process
1796	cscript.exe
968	cmd.exe
968	cmd.exe
1544	cmd.exe
1544	cmd.exe
1476	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe
1476	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2199625441-3471261906-229485034-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp"	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

1624 schtasks.exe
972 schtasks.exe
1500 schtasks.exe
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

636 vssadmin.exe

pid	process
1624	schtasks.exe
972	schtasks.exe
1500	schtasks.exe

pid	process
636	vssadmin.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

!WannaDecryptor!.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	!WannaDecryptor!.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	!WannaDecryptor!.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	!WannaDecryptor!.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	!WannaDecryptor!.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

!WannaDecryptor!.exe

pid process

1224 !WannaDecryptor!.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

vssvc.exe

description pid process

Token: SeBackupPrivilege 768 vssvc.exe
Token: SeRestorePrivilege 768 vssvc.exe
Token: SeAuditPrivilege 768 vssvc.exe

pid	process
1224	!WannaDecryptor!.exe

description	pid	process
Token: SeBackupPrivilege	768	vssvc.exe
Token: SeRestorePrivilege	768	vssvc.exe
Token: SeAuditPrivilege	768	vssvc.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe

pid	process
1540	!WannaDecryptor!.exe
1540	!WannaDecryptor!.exe
1232	!WannaDecryptor!.exe
1232	!WannaDecryptor!.exe
1224	!WannaDecryptor!.exe
1224	!WannaDecryptor!.exe

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.execmd.execmd.execmd.exe!WannaDecryptor!.execmd.exetaskeng.exe201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe

description	pid	process	target process
PID 1476 wrote to memory of 1624	1476	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe	schtasks.exe
PID 1476 wrote to memory of 1624	1476	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe	schtasks.exe
PID 1476 wrote to memory of 1624	1476	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe	schtasks.exe
PID 1476 wrote to memory of 1624	1476	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe	schtasks.exe
PID 1476 wrote to memory of 664	1476	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe	cmd.exe
PID 1476 wrote to memory of 664	1476	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe	cmd.exe
PID 1476 wrote to memory of 664	1476	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe	cmd.exe
PID 1476 wrote to memory of 664	1476	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe	cmd.exe
PID 664 wrote to memory of 1796	664	cmd.exe	cscript.exe
PID 664 wrote to memory of 1796	664	cmd.exe	cscript.exe
PID 664 wrote to memory of 1796	664	cmd.exe	cscript.exe
PID 664 wrote to memory of 1796	664	cmd.exe	cscript.exe
PID 1476 wrote to memory of 968	1476	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe	cmd.exe
PID 1476 wrote to memory of 968	1476	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe	cmd.exe
PID 1476 wrote to memory of 968	1476	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe	cmd.exe
PID 1476 wrote to memory of 968	1476	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe	cmd.exe
PID 1476 wrote to memory of 1544	1476	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe	cmd.exe
PID 1476 wrote to memory of 1544	1476	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe	cmd.exe
PID 1476 wrote to memory of 1544	1476	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe	cmd.exe
PID 1476 wrote to memory of 1544	1476	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe	cmd.exe
PID 968 wrote to memory of 1540	968	cmd.exe	!WannaDecryptor!.exe
PID 968 wrote to memory of 1540	968	cmd.exe	!WannaDecryptor!.exe
PID 968 wrote to memory of 1540	968	cmd.exe	!WannaDecryptor!.exe
PID 968 wrote to memory of 1540	968	cmd.exe	!WannaDecryptor!.exe
PID 1544 wrote to memory of 1232	1544	cmd.exe	!WannaDecryptor!.exe
PID 1544 wrote to memory of 1232	1544	cmd.exe	!WannaDecryptor!.exe
PID 1544 wrote to memory of 1232	1544	cmd.exe	!WannaDecryptor!.exe
PID 1544 wrote to memory of 1232	1544	cmd.exe	!WannaDecryptor!.exe
PID 1476 wrote to memory of 1224	1476	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe	!WannaDecryptor!.exe
PID 1476 wrote to memory of 1224	1476	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe	!WannaDecryptor!.exe
PID 1476 wrote to memory of 1224	1476	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe	!WannaDecryptor!.exe
PID 1476 wrote to memory of 1224	1476	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe	!WannaDecryptor!.exe
PID 1232 wrote to memory of 1176	1232	!WannaDecryptor!.exe	cmd.exe
PID 1232 wrote to memory of 1176	1232	!WannaDecryptor!.exe	cmd.exe
PID 1232 wrote to memory of 1176	1232	!WannaDecryptor!.exe	cmd.exe
PID 1232 wrote to memory of 1176	1232	!WannaDecryptor!.exe	cmd.exe
PID 1176 wrote to memory of 636	1176	cmd.exe	vssadmin.exe
PID 1176 wrote to memory of 636	1176	cmd.exe	vssadmin.exe
PID 1176 wrote to memory of 636	1176	cmd.exe	vssadmin.exe
PID 1176 wrote to memory of 636	1176	cmd.exe	vssadmin.exe
PID 1444 wrote to memory of 1636	1444	taskeng.exe	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe
PID 1444 wrote to memory of 1636	1444	taskeng.exe	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe
PID 1444 wrote to memory of 1636	1444	taskeng.exe	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe
PID 1444 wrote to memory of 1636	1444	taskeng.exe	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe
PID 1636 wrote to memory of 972	1636	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe	schtasks.exe
PID 1636 wrote to memory of 972	1636	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe	schtasks.exe
PID 1636 wrote to memory of 972	1636	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe	schtasks.exe
PID 1636 wrote to memory of 972	1636	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe	schtasks.exe
PID 1444 wrote to memory of 1740	1444	taskeng.exe	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe
PID 1444 wrote to memory of 1740	1444	taskeng.exe	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe
PID 1444 wrote to memory of 1740	1444	taskeng.exe	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe
PID 1444 wrote to memory of 1740	1444	taskeng.exe	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe
PID 1740 wrote to memory of 1500	1740	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe	schtasks.exe
PID 1740 wrote to memory of 1500	1740	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe	schtasks.exe
PID 1740 wrote to memory of 1500	1740	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe	schtasks.exe
PID 1740 wrote to memory of 1500	1740	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe
"C:\Users\Admin\AppData\Local\Temp\201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Loads dropped DLL
- Sets desktop wallpaper using registry
- Suspicious use of WriteProcessMemory
PID:1476

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /xml "C:\Users\Admin\AppData\Local\Temp\1.xml" /tn "Microsoft Update Scheduler" /f
2⤵
- Creates scheduled task(s)
PID:1624

C:\Windows\SysWOW64\cmd.exe
cmd /c 115771649075111.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:664

C:\Windows\SysWOW64\cscript.exe
cscript //nologo c.vbs
3⤵
- Loads dropped DLL
PID:1796

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /b !WannaDecryptor!.exe c
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:968

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
!WannaDecryptor!.exe c
3⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
PID:1540

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /b !WannaDecryptor!.exe v
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1544

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
!WannaDecryptor!.exe v
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1232

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /b vssadmin.exe Delete Shadows /All /Quiet
4⤵
- Suspicious use of WriteProcessMemory
PID:1176

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
5⤵
- Interacts with shadow copies
PID:636

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
!WannaDecryptor!.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1224

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:768

C:\Windows\system32\taskeng.exe
taskeng.exe {B9D5A523-0760-4CB5-B5B3-24D0F6681A70} S-1-5-21-2199625441-3471261906-229485034-1000:DRLQIXCW\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1444

C:\Users\Admin\AppData\Local\Temp\201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe
C:\Users\Admin\AppData\Local\Temp\201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe /r 0
2⤵
- Suspicious use of WriteProcessMemory
PID:1636

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /xml "C:\Users\Admin\AppData\Local\Temp\1.xml" /tn "Microsoft Update Scheduler" /f
3⤵
- Creates scheduled task(s)
PID:972

C:\Users\Admin\AppData\Local\Temp\201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe
C:\Users\Admin\AppData\Local\Temp\201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe /r 0
2⤵
- Suspicious use of WriteProcessMemory
PID:1740

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /xml "C:\Users\Admin\AppData\Local\Temp\1.xml" /tn "Microsoft Update Scheduler" /f
3⤵
- Creates scheduled task(s)
PID:1500

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
Filesize
232KB

MD5
b0ad5902366f860f85b892867e5b1e87

SHA1
a52e025d579bebae7c64cb40236b469b3c376024

SHA256
ca29de1dc8817868c93e54b09f557fe14e40083c0955294df5bd91f52ba469c8

SHA512
af9f9a00f1382c0ac47237fa89e11f87f9551f90d5ac5f092a9ed959cd5c89523513ce02d42d31c557622b1fedc4f778798b222813035a8b4074abe38be5b360

Download Submit
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
Filesize
232KB

MD5
b0ad5902366f860f85b892867e5b1e87

SHA1
a52e025d579bebae7c64cb40236b469b3c376024

SHA256
ca29de1dc8817868c93e54b09f557fe14e40083c0955294df5bd91f52ba469c8

SHA512
af9f9a00f1382c0ac47237fa89e11f87f9551f90d5ac5f092a9ed959cd5c89523513ce02d42d31c557622b1fedc4f778798b222813035a8b4074abe38be5b360

Download Submit
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
Filesize
232KB

MD5
b0ad5902366f860f85b892867e5b1e87

SHA1
a52e025d579bebae7c64cb40236b469b3c376024

SHA256
ca29de1dc8817868c93e54b09f557fe14e40083c0955294df5bd91f52ba469c8

SHA512
af9f9a00f1382c0ac47237fa89e11f87f9551f90d5ac5f092a9ed959cd5c89523513ce02d42d31c557622b1fedc4f778798b222813035a8b4074abe38be5b360

Download Submit
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
Filesize
232KB

MD5
b0ad5902366f860f85b892867e5b1e87

SHA1
a52e025d579bebae7c64cb40236b469b3c376024

SHA256
ca29de1dc8817868c93e54b09f557fe14e40083c0955294df5bd91f52ba469c8

SHA512
af9f9a00f1382c0ac47237fa89e11f87f9551f90d5ac5f092a9ed959cd5c89523513ce02d42d31c557622b1fedc4f778798b222813035a8b4074abe38be5b360

Download Submit
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe.lnk
Filesize
921B

MD5
12f59bbbe8bab62168fffc4c1503335c

SHA1
f78226c6397566f06d3136a50e5a0ab2ed00e606

SHA256
fe9dc67f7a32f479c32ebcdb9f39f2e76ec2c22563c78b8ef4e51be15251d2fb

SHA512
98afb2b3589648c4dc7152e4cf04e58f76137f12a7ca60bd45f62c044d99eb316b76f2e1b608bea6eb83f46539f9ee317ac26c176a0f3425ab4b46e8fa2f3f4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.res
Filesize
136B

MD5
830bd8a23e2c2b3726cc3f04643dd051

SHA1
b68a45dbbc65eb2db81cc1b4846536951d0503e4

SHA256
d82c0c75a111ea9cd9217f9caccad90290907df5935d49b91d0d0ac517f0ed86

SHA512
f2db7ea68f9a6479df1204c6dfbc05564d145537ca5cfa1a2bc7d457b69ffae0c8b3145518e9c462cb2da0b4d75a814532c0baf6694a4361bc385a02e6e4501d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.xml
Filesize
1KB

MD5
4c75bb40f320ad4b92aae1bfe389a90d

SHA1
41f2fd705f226fc90fba035eccba13b4878c712d

SHA256
f59c84f8b122dfd57396424ecdf3e27c064d744654e1c6e0fb2de54f0c893b7e

SHA512
c9cb71e22a89440afd30f74000e474237c0da1a02c5280d08fa5407983cf8b180d67c2bd63efce6ab9fc05bc1e07e84f72c5fa3993e4dcd556c07da9171fda18

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.xml
Filesize
1KB

MD5
4c75bb40f320ad4b92aae1bfe389a90d

SHA1
41f2fd705f226fc90fba035eccba13b4878c712d

SHA256
f59c84f8b122dfd57396424ecdf3e27c064d744654e1c6e0fb2de54f0c893b7e

SHA512
c9cb71e22a89440afd30f74000e474237c0da1a02c5280d08fa5407983cf8b180d67c2bd63efce6ab9fc05bc1e07e84f72c5fa3993e4dcd556c07da9171fda18

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.xml
Filesize
1KB

MD5
4c75bb40f320ad4b92aae1bfe389a90d

SHA1
41f2fd705f226fc90fba035eccba13b4878c712d

SHA256
f59c84f8b122dfd57396424ecdf3e27c064d744654e1c6e0fb2de54f0c893b7e

SHA512
c9cb71e22a89440afd30f74000e474237c0da1a02c5280d08fa5407983cf8b180d67c2bd63efce6ab9fc05bc1e07e84f72c5fa3993e4dcd556c07da9171fda18

Download Submit
C:\Users\Admin\AppData\Local\Temp\115771649075111.bat
Filesize
336B

MD5
3540e056349c6972905dc9706cd49418

SHA1
492c20442d34d45a6d6790c720349b11ec591cde

SHA256
73872a89440a2cba9d22bf4961c3d499ea2c72979c30c455f942374292fedadc

SHA512
c949d147100aef59e382c03abf7b162ae62a4d43456eebd730fbedcf5f95f5e1a24f6e349690d52d75331878a6ee8f6b88a7162ee9cf2a49e142196b12d0133c

Download Submit
C:\Users\Admin\AppData\Local\Temp\b.wry
Filesize
1.4MB

MD5
9f47d8c378c162cc7b10068aa4b3c4ff

SHA1
1df6ba8abcc11ac02367735887cce740cd3bc069

SHA256
c0dfe30d62ea74418b0315290000ca4ae6e682c551f65d4d55b45b1ac7c51f0d

SHA512
494be00eada16b4ff8c748de6e0a308e7b35bb79eb5e2c7e34bcb889d2c147245b910e16bcfe1dfc499feac8df0e3927e2de5e9ec5dfae2ca7d25c102355e384

Download Submit
C:\Users\Admin\AppData\Local\Temp\b.wry
Filesize
1.4MB

MD5
9f47d8c378c162cc7b10068aa4b3c4ff

SHA1
1df6ba8abcc11ac02367735887cce740cd3bc069

SHA256
c0dfe30d62ea74418b0315290000ca4ae6e682c551f65d4d55b45b1ac7c51f0d

SHA512
494be00eada16b4ff8c748de6e0a308e7b35bb79eb5e2c7e34bcb889d2c147245b910e16bcfe1dfc499feac8df0e3927e2de5e9ec5dfae2ca7d25c102355e384

Download Submit
C:\Users\Admin\AppData\Local\Temp\b.wry
Filesize
1.4MB

MD5
9f47d8c378c162cc7b10068aa4b3c4ff

SHA1
1df6ba8abcc11ac02367735887cce740cd3bc069

SHA256
c0dfe30d62ea74418b0315290000ca4ae6e682c551f65d4d55b45b1ac7c51f0d

SHA512
494be00eada16b4ff8c748de6e0a308e7b35bb79eb5e2c7e34bcb889d2c147245b910e16bcfe1dfc499feac8df0e3927e2de5e9ec5dfae2ca7d25c102355e384

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.vbs
Filesize
219B

MD5
5f6d40ca3c34b470113ed04d06a88ff4

SHA1
50629e7211ae43e32060686d6be17ebd492fd7aa

SHA256
0fb5039a2fe7e90cdf3f22140d7f2103f94689b15609efe0edcc8430dd772fc1

SHA512
4d4aa1abd2c9183202fd3f0a65b37f07ee0166ba6561f094c13c8ea59752c7bdd960e37c49583746d4464bc3b1dc0b63a1fe36a37ce7e5709cd76ed433befe35

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.wry
Filesize
628B

MD5
8b35e50d6f2cc9d70a2ed177a8c5ae17

SHA1
7d56b4b23b4fd79c2bd07619771ceeae4bc824ab

SHA256
126401eda1c73a2cd8123e1d6a0b471d0e6c3d9a15f9be14817aa1ae313182d5

SHA512
42a5259ca3e1869fa89865bda0b7a3e2b6b8f71bd29948a1a867ed70ea6bfc2f2206324f3343abc42de47824a5b2799aef495ee93968b8b194773af04b6d1926

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.wry
Filesize
628B

MD5
8b35e50d6f2cc9d70a2ed177a8c5ae17

SHA1
7d56b4b23b4fd79c2bd07619771ceeae4bc824ab

SHA256
126401eda1c73a2cd8123e1d6a0b471d0e6c3d9a15f9be14817aa1ae313182d5

SHA512
42a5259ca3e1869fa89865bda0b7a3e2b6b8f71bd29948a1a867ed70ea6bfc2f2206324f3343abc42de47824a5b2799aef495ee93968b8b194773af04b6d1926

Download Submit
C:\Users\Admin\AppData\Local\Temp\m.wry
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\m.wry
Filesize
43KB

MD5
54c0e4aa798ce82886a96ba4bb449188

SHA1
71886d4d410013425243a00f15c270fc4f2a6a3a

SHA256
e5373e95a201b3b676072752097ff5d851a0a34e1be4194ff0c52c33601e576a

SHA512
4415559fa5da1192360b4d6db368179335661120443b812f5bc256466c79ecb6d36ed5d3c00a4e2590bf70e473565287a7db53f6aa3f8faaad46f21e34e84298

Download Submit
C:\Users\Admin\AppData\Local\Temp\r.wry
Filesize
729B

MD5
880e6a619106b3def7e1255f67cb8099

SHA1
8b3a90b2103a92d9facbfb1f64cb0841d97b4de7

SHA256
c9e9dc06f500ae39bfeb4671233cc97bb6dab58d97bb94aba4a2e0e509418d35

SHA512
c35ca30e0131ae4ee3429610ce4914a36b681d2c406f67816f725aa336969c2996347268cb3d19c22abaa4e2740ae86f4210b872610a38b4fa09ee80fcf36243

Download Submit
C:\Users\Admin\AppData\Local\Temp\r.wry
Filesize
729B

MD5
880e6a619106b3def7e1255f67cb8099

SHA1
8b3a90b2103a92d9facbfb1f64cb0841d97b4de7

SHA256
c9e9dc06f500ae39bfeb4671233cc97bb6dab58d97bb94aba4a2e0e509418d35

SHA512
c35ca30e0131ae4ee3429610ce4914a36b681d2c406f67816f725aa336969c2996347268cb3d19c22abaa4e2740ae86f4210b872610a38b4fa09ee80fcf36243

Download Submit
C:\Users\Admin\AppData\Local\Temp\t.wry
Filesize
60KB

MD5
1111b0e88d5c6fca7c98fe2d9092e53a

SHA1
2393e5fb3e2752a1fe7c1e5d6e447526c32e41c1

SHA256
eda41cc817aaeb08667a6b4a2eb876c5422debb4c721708d500ca0cf8adeca44

SHA512
32868810ea9a50e487793e3951b1bfb505a9ef61531900a7688eba1904744e904e3abbd09ef2fa63b873cae9ece926dff619cf29b4c6fcdcf6c158e6b5f9007b

Download Submit
C:\Users\Admin\AppData\Local\Temp\t.wry
Filesize
60KB

MD5
1111b0e88d5c6fca7c98fe2d9092e53a

SHA1
2393e5fb3e2752a1fe7c1e5d6e447526c32e41c1

SHA256
eda41cc817aaeb08667a6b4a2eb876c5422debb4c721708d500ca0cf8adeca44

SHA512
32868810ea9a50e487793e3951b1bfb505a9ef61531900a7688eba1904744e904e3abbd09ef2fa63b873cae9ece926dff619cf29b4c6fcdcf6c158e6b5f9007b

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.wry
Filesize
232KB

MD5
b0ad5902366f860f85b892867e5b1e87

SHA1
a52e025d579bebae7c64cb40236b469b3c376024

SHA256
ca29de1dc8817868c93e54b09f557fe14e40083c0955294df5bd91f52ba469c8

SHA512
af9f9a00f1382c0ac47237fa89e11f87f9551f90d5ac5f092a9ed959cd5c89523513ce02d42d31c557622b1fedc4f778798b222813035a8b4074abe38be5b360

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.wry
Filesize
232KB

MD5
b0ad5902366f860f85b892867e5b1e87

SHA1
a52e025d579bebae7c64cb40236b469b3c376024

SHA256
ca29de1dc8817868c93e54b09f557fe14e40083c0955294df5bd91f52ba469c8

SHA512
af9f9a00f1382c0ac47237fa89e11f87f9551f90d5ac5f092a9ed959cd5c89523513ce02d42d31c557622b1fedc4f778798b222813035a8b4074abe38be5b360

Download Submit
\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
Filesize
232KB

MD5
b0ad5902366f860f85b892867e5b1e87

SHA1
a52e025d579bebae7c64cb40236b469b3c376024

SHA256
ca29de1dc8817868c93e54b09f557fe14e40083c0955294df5bd91f52ba469c8

SHA512
af9f9a00f1382c0ac47237fa89e11f87f9551f90d5ac5f092a9ed959cd5c89523513ce02d42d31c557622b1fedc4f778798b222813035a8b4074abe38be5b360

Download Submit
\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
Filesize
232KB

MD5
b0ad5902366f860f85b892867e5b1e87

SHA1
a52e025d579bebae7c64cb40236b469b3c376024

SHA256
ca29de1dc8817868c93e54b09f557fe14e40083c0955294df5bd91f52ba469c8

SHA512
af9f9a00f1382c0ac47237fa89e11f87f9551f90d5ac5f092a9ed959cd5c89523513ce02d42d31c557622b1fedc4f778798b222813035a8b4074abe38be5b360

Download Submit
\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
Filesize
232KB

MD5
b0ad5902366f860f85b892867e5b1e87

SHA1
a52e025d579bebae7c64cb40236b469b3c376024

SHA256
ca29de1dc8817868c93e54b09f557fe14e40083c0955294df5bd91f52ba469c8

SHA512
af9f9a00f1382c0ac47237fa89e11f87f9551f90d5ac5f092a9ed959cd5c89523513ce02d42d31c557622b1fedc4f778798b222813035a8b4074abe38be5b360

Download Submit
\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
Filesize
232KB

MD5
b0ad5902366f860f85b892867e5b1e87

SHA1
a52e025d579bebae7c64cb40236b469b3c376024

SHA256
ca29de1dc8817868c93e54b09f557fe14e40083c0955294df5bd91f52ba469c8

SHA512
af9f9a00f1382c0ac47237fa89e11f87f9551f90d5ac5f092a9ed959cd5c89523513ce02d42d31c557622b1fedc4f778798b222813035a8b4074abe38be5b360

Download Submit
\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
Filesize
232KB

MD5
b0ad5902366f860f85b892867e5b1e87

SHA1
a52e025d579bebae7c64cb40236b469b3c376024

SHA256
ca29de1dc8817868c93e54b09f557fe14e40083c0955294df5bd91f52ba469c8

SHA512
af9f9a00f1382c0ac47237fa89e11f87f9551f90d5ac5f092a9ed959cd5c89523513ce02d42d31c557622b1fedc4f778798b222813035a8b4074abe38be5b360

Download Submit
\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
Filesize
232KB

MD5
b0ad5902366f860f85b892867e5b1e87

SHA1
a52e025d579bebae7c64cb40236b469b3c376024

SHA256
ca29de1dc8817868c93e54b09f557fe14e40083c0955294df5bd91f52ba469c8

SHA512
af9f9a00f1382c0ac47237fa89e11f87f9551f90d5ac5f092a9ed959cd5c89523513ce02d42d31c557622b1fedc4f778798b222813035a8b4074abe38be5b360

Download Submit
\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
Filesize
232KB

MD5
b0ad5902366f860f85b892867e5b1e87

SHA1
a52e025d579bebae7c64cb40236b469b3c376024

SHA256
ca29de1dc8817868c93e54b09f557fe14e40083c0955294df5bd91f52ba469c8

SHA512
af9f9a00f1382c0ac47237fa89e11f87f9551f90d5ac5f092a9ed959cd5c89523513ce02d42d31c557622b1fedc4f778798b222813035a8b4074abe38be5b360

Download Submit
memory/636-90-0x0000000000000000-mapping.dmp

Download
memory/664-60-0x0000000000000000-mapping.dmp

Download
memory/968-68-0x0000000000000000-mapping.dmp

Download
memory/972-100-0x0000000000000000-mapping.dmp

Download
memory/1176-89-0x0000000000000000-mapping.dmp

Download
memory/1224-84-0x0000000000000000-mapping.dmp

Download
memory/1232-77-0x0000000000000000-mapping.dmp

Download
memory/1476-54-0x0000000075B01000-0x0000000075B03000-memory.dmp

Filesize
8KB

Download
memory/1476-55-0x0000000010000000-0x000000001000F000-memory.dmp

Filesize
60KB

Download
memory/1500-112-0x0000000000000000-mapping.dmp

Download
memory/1540-72-0x0000000000000000-mapping.dmp

Download
memory/1544-69-0x0000000000000000-mapping.dmp

Download
memory/1624-58-0x0000000000000000-mapping.dmp

Download
memory/1636-91-0x0000000000000000-mapping.dmp

Download
memory/1740-103-0x0000000000000000-mapping.dmp

Download
memory/1796-62-0x0000000000000000-mapping.dmp

Download