wannacry | 0f5e1ad4815e0d0e967c8e2e594cf495152911d4337bb8f5270ed590879722c4

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20220310-en
submitted
04-04-2022 12:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe
Size

232KB
MD5

8dd63adb68ef053e044a5a2f46e0d2cd
SHA1

1bc604573ceab106e5a0e9c419ade38739228707
SHA256

201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9
SHA512

c7c267b3be9f50783b394ae9ae960d5ff636c63a58c645764712fed28ce9be616344c2a248782da7f50ede465d3f1e8ec7267d62ebc5e86490ad472518ab1526

Score

10^/10

wannacry ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\!Please Read Me!.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $200 worth of bitcoin to this bitcoin address: 1QAc9S5EmycqjzzWDc1yiWzr9jJLC8sLiY Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) https://www.dropbox.com/s/c1gn29iy8erh1ks/m.rar?dl=1 rar password: wcry123 Run and follow the instructions! �

Wallets

1QAc9S5EmycqjzzWDc1yiWzr9jJLC8sLiY

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Executes dropped EXE 3 IoCs

Processes:

!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe

pid process

4172 !WannaDecryptor!.exe
4160 !WannaDecryptor!.exe
4340 !WannaDecryptor!.exe

Modifies extensions of user files 12 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\RenameClose.tif.WCRY	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe
File renamed	C:\Users\Admin\Pictures\ReadUnlock.tif.WCRYT => C:\Users\Admin\Pictures\ReadUnlock.tif.WCRY	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe
File created	C:\Users\Admin\Pictures\CompressMerge.png.WCRYT	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe
File renamed	C:\Users\Admin\Pictures\CompressMerge.png.WCRYT => C:\Users\Admin\Pictures\CompressMerge.png.WCRY	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe
File opened for modification	C:\Users\Admin\Pictures\CompressMerge.png.WCRY	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe
File created	C:\Users\Admin\Pictures\OptimizeNew.tif.WCRYT	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe
File renamed	C:\Users\Admin\Pictures\OptimizeNew.tif.WCRYT => C:\Users\Admin\Pictures\OptimizeNew.tif.WCRY	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe
File opened for modification	C:\Users\Admin\Pictures\OptimizeNew.tif.WCRY	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe
File created	C:\Users\Admin\Pictures\ReadUnlock.tif.WCRYT	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe
File opened for modification	C:\Users\Admin\Pictures\ReadUnlock.tif.WCRY	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe
File created	C:\Users\Admin\Pictures\RenameClose.tif.WCRYT	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe
File renamed	C:\Users\Admin\Pictures\RenameClose.tif.WCRYT => C:\Users\Admin\Pictures\RenameClose.tif.WCRY	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe

Drops startup file 30 IoCs

Processes:

201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD5656.tmp	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD6831.tmp	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD17B4.tmp	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD3EED.tmp	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDB94C.tmp	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD2EE8.tmp	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDF1AE.tmp	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD178F.tmp	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDE189.tmp	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDE19F.tmp	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD2EE2.tmp	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD7C82.tmp	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD8E70.tmp	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDB5A6.tmp	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD581.tmp	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDF1A8.tmp	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDDC1.tmp	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDDD7.tmp	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDCB8B.tmp	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDCBB2.tmp	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD3EF3.tmp	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDB57F.tmp	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDB982.tmp	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD566C.tmp	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDA2AF.tmp	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD6858.tmp	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD57B.tmp	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD7C88.tmp	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDA2B5.tmp	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD8E4A.tmp	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp"	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

4040 schtasks.exe
4792 schtasks.exe
4176 schtasks.exe

pid	process
4040	schtasks.exe
4792	schtasks.exe
4176	schtasks.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe

pid	process
4172	!WannaDecryptor!.exe
4160	!WannaDecryptor!.exe
4160	!WannaDecryptor!.exe
4172	!WannaDecryptor!.exe
4340	!WannaDecryptor!.exe
4340	!WannaDecryptor!.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.execmd.execmd.execmd.exe!WannaDecryptor!.exe201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe

description	pid	process	target process
PID 1984 wrote to memory of 4040	1984	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe	schtasks.exe
PID 1984 wrote to memory of 4040	1984	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe	schtasks.exe
PID 1984 wrote to memory of 4040	1984	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe	schtasks.exe
PID 1984 wrote to memory of 2280	1984	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe	cmd.exe
PID 1984 wrote to memory of 2280	1984	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe	cmd.exe
PID 1984 wrote to memory of 2280	1984	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe	cmd.exe
PID 2280 wrote to memory of 3756	2280	cmd.exe	cscript.exe
PID 2280 wrote to memory of 3756	2280	cmd.exe	cscript.exe
PID 2280 wrote to memory of 3756	2280	cmd.exe	cscript.exe
PID 1984 wrote to memory of 1940	1984	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe	cmd.exe
PID 1984 wrote to memory of 1940	1984	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe	cmd.exe
PID 1984 wrote to memory of 1940	1984	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe	cmd.exe
PID 1984 wrote to memory of 2120	1984	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe	cmd.exe
PID 1984 wrote to memory of 2120	1984	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe	cmd.exe
PID 1984 wrote to memory of 2120	1984	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe	cmd.exe
PID 2120 wrote to memory of 4172	2120	cmd.exe	!WannaDecryptor!.exe
PID 2120 wrote to memory of 4172	2120	cmd.exe	!WannaDecryptor!.exe
PID 2120 wrote to memory of 4172	2120	cmd.exe	!WannaDecryptor!.exe
PID 1940 wrote to memory of 4160	1940	cmd.exe	!WannaDecryptor!.exe
PID 1940 wrote to memory of 4160	1940	cmd.exe	!WannaDecryptor!.exe
PID 1940 wrote to memory of 4160	1940	cmd.exe	!WannaDecryptor!.exe
PID 1984 wrote to memory of 4340	1984	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe	!WannaDecryptor!.exe
PID 1984 wrote to memory of 4340	1984	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe	!WannaDecryptor!.exe
PID 1984 wrote to memory of 4340	1984	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe	!WannaDecryptor!.exe
PID 4172 wrote to memory of 4780	4172	!WannaDecryptor!.exe	cmd.exe
PID 4172 wrote to memory of 4780	4172	!WannaDecryptor!.exe	cmd.exe
PID 4172 wrote to memory of 4780	4172	!WannaDecryptor!.exe	cmd.exe
PID 4508 wrote to memory of 4792	4508	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe	schtasks.exe
PID 4508 wrote to memory of 4792	4508	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe	schtasks.exe
PID 4508 wrote to memory of 4792	4508	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe	schtasks.exe
PID 2968 wrote to memory of 4176	2968	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe	schtasks.exe
PID 2968 wrote to memory of 4176	2968	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe	schtasks.exe
PID 2968 wrote to memory of 4176	2968	201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe
"C:\Users\Admin\AppData\Local\Temp\201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Sets desktop wallpaper using registry
- Suspicious use of WriteProcessMemory
PID:1984

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /xml "C:\Users\Admin\AppData\Local\Temp\1.xml" /tn "Microsoft Update Scheduler" /f
2⤵
- Creates scheduled task(s)
PID:4040

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 165151649082315.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:2280

C:\Windows\SysWOW64\cscript.exe
cscript //nologo c.vbs
3⤵
PID:3756

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /b !WannaDecryptor!.exe c
2⤵
- Suspicious use of WriteProcessMemory
PID:1940

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
!WannaDecryptor!.exe c
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4160

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /b !WannaDecryptor!.exe v
2⤵
- Suspicious use of WriteProcessMemory
PID:2120

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
!WannaDecryptor!.exe v
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4172

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /b vssadmin.exe Delete Shadows /All /Quiet
4⤵
PID:4780

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
!WannaDecryptor!.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4340

C:\Users\Admin\AppData\Local\Temp\201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe
C:\Users\Admin\AppData\Local\Temp\201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe /r 0
1⤵
- Suspicious use of WriteProcessMemory
PID:4508

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /xml "C:\Users\Admin\AppData\Local\Temp\1.xml" /tn "Microsoft Update Scheduler" /f
2⤵
- Creates scheduled task(s)
PID:4792

C:\Users\Admin\AppData\Local\Temp\201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe
C:\Users\Admin\AppData\Local\Temp\201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9.exe /r 0
1⤵
- Suspicious use of WriteProcessMemory
PID:2968

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /xml "C:\Users\Admin\AppData\Local\Temp\1.xml" /tn "Microsoft Update Scheduler" /f
2⤵
- Creates scheduled task(s)
PID:4176

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
Filesize
232KB

MD5
b0ad5902366f860f85b892867e5b1e87

SHA1
a52e025d579bebae7c64cb40236b469b3c376024

SHA256
ca29de1dc8817868c93e54b09f557fe14e40083c0955294df5bd91f52ba469c8

SHA512
af9f9a00f1382c0ac47237fa89e11f87f9551f90d5ac5f092a9ed959cd5c89523513ce02d42d31c557622b1fedc4f778798b222813035a8b4074abe38be5b360

Download Submit
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
Filesize
232KB

MD5
b0ad5902366f860f85b892867e5b1e87

SHA1
a52e025d579bebae7c64cb40236b469b3c376024

SHA256
ca29de1dc8817868c93e54b09f557fe14e40083c0955294df5bd91f52ba469c8

SHA512
af9f9a00f1382c0ac47237fa89e11f87f9551f90d5ac5f092a9ed959cd5c89523513ce02d42d31c557622b1fedc4f778798b222813035a8b4074abe38be5b360

Download Submit
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
Filesize
232KB

MD5
b0ad5902366f860f85b892867e5b1e87

SHA1
a52e025d579bebae7c64cb40236b469b3c376024

SHA256
ca29de1dc8817868c93e54b09f557fe14e40083c0955294df5bd91f52ba469c8

SHA512
af9f9a00f1382c0ac47237fa89e11f87f9551f90d5ac5f092a9ed959cd5c89523513ce02d42d31c557622b1fedc4f778798b222813035a8b4074abe38be5b360

Download Submit
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
Filesize
232KB

MD5
b0ad5902366f860f85b892867e5b1e87

SHA1
a52e025d579bebae7c64cb40236b469b3c376024

SHA256
ca29de1dc8817868c93e54b09f557fe14e40083c0955294df5bd91f52ba469c8

SHA512
af9f9a00f1382c0ac47237fa89e11f87f9551f90d5ac5f092a9ed959cd5c89523513ce02d42d31c557622b1fedc4f778798b222813035a8b4074abe38be5b360

Download Submit
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe.lnk
Filesize
1KB

MD5
8c9cea881f0e581f95509348b3e02acd

SHA1
9c13872b6cc45f3cb7ec4c27040f605518efc765

SHA256
5f76b7964bb180874d26f003c58ccfb0a521c2328b7ce61b1db05cbe5a3b2fc8

SHA512
d5eaa88271e01438b2bb07c3d69874bb5bb73629ce6c90d59d686fd43829e0b3c6a8cbb4b522d6a3f9fab2beeb4e3da7576e478468eb9273858f99c8b3222514

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.res
Filesize
136B

MD5
26e2c97968584444137560b0b776f523

SHA1
04206c1e4be59726a52a65c27531a0531aae7a06

SHA256
71b53271f3f52199e02288304a835d24a7ef6778948d40680d086b51bfd10bbf

SHA512
7acc472f2e7c6c241ac2cffa5ebd47940e3e16a1c98f08598527ce54c5b36b5c1fa636c986f5f28b434b6f08f71212ee7569f8d7a6207718a4080385e46c8a38

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.xml
Filesize
1KB

MD5
f20edf635eb4bd8e94b15caf5415d6ae

SHA1
e9f5e980539ca8b0b910e541ad16027ed5b9768d

SHA256
531f0da1048278f31c63c10ff0856f2c3ca9b3a4fc9919bd2ea3e3b95b1b916a

SHA512
4c5f2e9d248006d4510a565733433ebabaaa445b0669328b7bb66fbc11b058f505670813939ca75405a8729bfc6e5759f22a95bdd84ebd3e75080e15eea59071

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.xml
Filesize
1KB

MD5
f20edf635eb4bd8e94b15caf5415d6ae

SHA1
e9f5e980539ca8b0b910e541ad16027ed5b9768d

SHA256
531f0da1048278f31c63c10ff0856f2c3ca9b3a4fc9919bd2ea3e3b95b1b916a

SHA512
4c5f2e9d248006d4510a565733433ebabaaa445b0669328b7bb66fbc11b058f505670813939ca75405a8729bfc6e5759f22a95bdd84ebd3e75080e15eea59071

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.xml
Filesize
1KB

MD5
f20edf635eb4bd8e94b15caf5415d6ae

SHA1
e9f5e980539ca8b0b910e541ad16027ed5b9768d

SHA256
531f0da1048278f31c63c10ff0856f2c3ca9b3a4fc9919bd2ea3e3b95b1b916a

SHA512
4c5f2e9d248006d4510a565733433ebabaaa445b0669328b7bb66fbc11b058f505670813939ca75405a8729bfc6e5759f22a95bdd84ebd3e75080e15eea59071

Download Submit
C:\Users\Admin\AppData\Local\Temp\165151649082315.bat
Filesize
336B

MD5
3540e056349c6972905dc9706cd49418

SHA1
492c20442d34d45a6d6790c720349b11ec591cde

SHA256
73872a89440a2cba9d22bf4961c3d499ea2c72979c30c455f942374292fedadc

SHA512
c949d147100aef59e382c03abf7b162ae62a4d43456eebd730fbedcf5f95f5e1a24f6e349690d52d75331878a6ee8f6b88a7162ee9cf2a49e142196b12d0133c

Download Submit
C:\Users\Admin\AppData\Local\Temp\b.wry
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\b.wry
Filesize
1.4MB

MD5
9f47d8c378c162cc7b10068aa4b3c4ff

SHA1
1df6ba8abcc11ac02367735887cce740cd3bc069

SHA256
c0dfe30d62ea74418b0315290000ca4ae6e682c551f65d4d55b45b1ac7c51f0d

SHA512
494be00eada16b4ff8c748de6e0a308e7b35bb79eb5e2c7e34bcb889d2c147245b910e16bcfe1dfc499feac8df0e3927e2de5e9ec5dfae2ca7d25c102355e384

Download Submit
C:\Users\Admin\AppData\Local\Temp\b.wry
Filesize
1.4MB

MD5
9f47d8c378c162cc7b10068aa4b3c4ff

SHA1
1df6ba8abcc11ac02367735887cce740cd3bc069

SHA256
c0dfe30d62ea74418b0315290000ca4ae6e682c551f65d4d55b45b1ac7c51f0d

SHA512
494be00eada16b4ff8c748de6e0a308e7b35bb79eb5e2c7e34bcb889d2c147245b910e16bcfe1dfc499feac8df0e3927e2de5e9ec5dfae2ca7d25c102355e384

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.vbs
Filesize
219B

MD5
5f6d40ca3c34b470113ed04d06a88ff4

SHA1
50629e7211ae43e32060686d6be17ebd492fd7aa

SHA256
0fb5039a2fe7e90cdf3f22140d7f2103f94689b15609efe0edcc8430dd772fc1

SHA512
4d4aa1abd2c9183202fd3f0a65b37f07ee0166ba6561f094c13c8ea59752c7bdd960e37c49583746d4464bc3b1dc0b63a1fe36a37ce7e5709cd76ed433befe35

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.wry
Filesize
628B

MD5
9291acbf5f67ecf3ad5229924bdbf59a

SHA1
6edf9b55e013f94d15f057f2804e8a8dfc5f3897

SHA256
d741c5862f49e02cb0d2501454e9ef36f68b38e784c963dd1dda58065109d94a

SHA512
e39d95704f7b0c1a765662c236c845963bc88f0d6a58991f483e31baf4c874dd383c812716a3ca8f488ca4a3dba9a8bfe158fda0d7426d96c911307eb986f890

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.wry
Filesize
628B

MD5
9291acbf5f67ecf3ad5229924bdbf59a

SHA1
6edf9b55e013f94d15f057f2804e8a8dfc5f3897

SHA256
d741c5862f49e02cb0d2501454e9ef36f68b38e784c963dd1dda58065109d94a

SHA512
e39d95704f7b0c1a765662c236c845963bc88f0d6a58991f483e31baf4c874dd383c812716a3ca8f488ca4a3dba9a8bfe158fda0d7426d96c911307eb986f890

Download Submit
C:\Users\Admin\AppData\Local\Temp\m.wry
Filesize
43KB

MD5
54c0e4aa798ce82886a96ba4bb449188

SHA1
71886d4d410013425243a00f15c270fc4f2a6a3a

SHA256
e5373e95a201b3b676072752097ff5d851a0a34e1be4194ff0c52c33601e576a

SHA512
4415559fa5da1192360b4d6db368179335661120443b812f5bc256466c79ecb6d36ed5d3c00a4e2590bf70e473565287a7db53f6aa3f8faaad46f21e34e84298

Download Submit
C:\Users\Admin\AppData\Local\Temp\m.wry
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\r.wry
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\r.wry
Filesize
729B

MD5
880e6a619106b3def7e1255f67cb8099

SHA1
8b3a90b2103a92d9facbfb1f64cb0841d97b4de7

SHA256
c9e9dc06f500ae39bfeb4671233cc97bb6dab58d97bb94aba4a2e0e509418d35

SHA512
c35ca30e0131ae4ee3429610ce4914a36b681d2c406f67816f725aa336969c2996347268cb3d19c22abaa4e2740ae86f4210b872610a38b4fa09ee80fcf36243

Download Submit
C:\Users\Admin\AppData\Local\Temp\t.wry
Filesize
60KB

MD5
1111b0e88d5c6fca7c98fe2d9092e53a

SHA1
2393e5fb3e2752a1fe7c1e5d6e447526c32e41c1

SHA256
eda41cc817aaeb08667a6b4a2eb876c5422debb4c721708d500ca0cf8adeca44

SHA512
32868810ea9a50e487793e3951b1bfb505a9ef61531900a7688eba1904744e904e3abbd09ef2fa63b873cae9ece926dff619cf29b4c6fcdcf6c158e6b5f9007b

Download Submit
C:\Users\Admin\AppData\Local\Temp\t.wry
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.wry
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.wry
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1940-145-0x0000000000000000-mapping.dmp

Download
memory/1984-134-0x0000000010000000-0x000000001000F000-memory.dmp

Filesize
60KB

Download
memory/2120-146-0x0000000000000000-mapping.dmp

Download
memory/2280-139-0x0000000000000000-mapping.dmp

Download
memory/3756-141-0x0000000000000000-mapping.dmp

Download
memory/4040-137-0x0000000000000000-mapping.dmp

Download
memory/4160-149-0x0000000000000000-mapping.dmp

Download
memory/4172-147-0x0000000000000000-mapping.dmp

Download
memory/4176-175-0x0000000000000000-mapping.dmp

Download
memory/4340-154-0x0000000000000000-mapping.dmp

Download
memory/4780-157-0x0000000000000000-mapping.dmp

Download
memory/4792-165-0x0000000000000000-mapping.dmp

Download