Analysis
-
max time kernel
194s -
max time network
30s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
20-06-2023 21:56
Static task
static1
Behavioral task
behavioral1
Sample
WannaCry.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
WannaCry.exe
Resource
win10v2004-20230220-en
General
-
Target
WannaCry.exe
-
Size
224KB
-
MD5
5c7fb0927db37372da25f270708103a2
-
SHA1
120ed9279d85cbfa56e5b7779ffa7162074f7a29
-
SHA256
be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844
-
SHA512
a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f89224c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206
-
SSDEEP
3072:Y059femWRwTs/dbelj0X8/j84pcRXPlU3Upt3or4H84lK8PtpLzLsR/EfcZ:+5RwTs/dSXj84mRXPemxdBlPvLzLeZ
Malware Config
Extracted
C:\Users\Admin\Documents\!Please Read Me!.txt
wannacry
15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 15 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
WannaCry.exedescription ioc process File created C:\Users\Admin\Pictures\FindResolve.png.WCRYT WannaCry.exe File opened for modification C:\Users\Admin\Pictures\SkipProtect.png.WCRY WannaCry.exe File renamed C:\Users\Admin\Pictures\SaveInstall.tif.WCRYT => C:\Users\Admin\Pictures\SaveInstall.tif.WCRY WannaCry.exe File renamed C:\Users\Admin\Pictures\FindResolve.png.WCRYT => C:\Users\Admin\Pictures\FindResolve.png.WCRY WannaCry.exe File opened for modification C:\Users\Admin\Pictures\FindResolve.png.WCRY WannaCry.exe File opened for modification C:\Users\Admin\Pictures\ResumeAssert.raw.WCRY WannaCry.exe File created C:\Users\Admin\Pictures\SaveInstall.tif.WCRYT WannaCry.exe File created C:\Users\Admin\Pictures\SkipProtect.png.WCRYT WannaCry.exe File created C:\Users\Admin\Pictures\TestUnregister.png.WCRYT WannaCry.exe File renamed C:\Users\Admin\Pictures\SkipProtect.png.WCRYT => C:\Users\Admin\Pictures\SkipProtect.png.WCRY WannaCry.exe File renamed C:\Users\Admin\Pictures\TestUnregister.png.WCRYT => C:\Users\Admin\Pictures\TestUnregister.png.WCRY WannaCry.exe File opened for modification C:\Users\Admin\Pictures\TestUnregister.png.WCRY WannaCry.exe File created C:\Users\Admin\Pictures\ResumeAssert.raw.WCRYT WannaCry.exe File renamed C:\Users\Admin\Pictures\ResumeAssert.raw.WCRYT => C:\Users\Admin\Pictures\ResumeAssert.raw.WCRY WannaCry.exe File opened for modification C:\Users\Admin\Pictures\SaveInstall.tif.WCRY WannaCry.exe -
Drops startup file 1 IoCs
Processes:
WannaCry.exedescription ioc process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD310C.tmp WannaCry.exe -
Executes dropped EXE 4 IoCs
Processes:
!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exepid process 300 !WannaDecryptor!.exe 1112 !WannaDecryptor!.exe 284 !WannaDecryptor!.exe 1616 !WannaDecryptor!.exe -
Loads dropped DLL 9 IoCs
Processes:
cscript.exeWannaCry.execmd.exepid process 516 cscript.exe 2032 WannaCry.exe 2032 WannaCry.exe 2032 WannaCry.exe 2032 WannaCry.exe 1672 cmd.exe 1672 cmd.exe 2032 WannaCry.exe 2032 WannaCry.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
WannaCry.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\WannaCry.exe\" /r" WannaCry.exe -
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
Processes:
!WannaDecryptor!.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp" !WannaDecryptor!.exe Set value (str) \REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Pictures\\My Wallpaper.jpg" !WannaDecryptor!.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exepid process 1076 vssadmin.exe -
Kills process with taskkill 4 IoCs
Processes:
taskkill.exetaskkill.exetaskkill.exetaskkill.exepid process 1148 taskkill.exe 1952 taskkill.exe 1600 taskkill.exe 1756 taskkill.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
!WannaDecryptor!.exepid process 1616 !WannaDecryptor!.exe -
Suspicious use of AdjustPrivilegeToken 47 IoCs
Processes:
taskkill.exetaskkill.exetaskkill.exetaskkill.exevssvc.exeWMIC.exedescription pid process Token: SeDebugPrivilege 1952 taskkill.exe Token: SeDebugPrivilege 1148 taskkill.exe Token: SeDebugPrivilege 1600 taskkill.exe Token: SeDebugPrivilege 1756 taskkill.exe Token: SeBackupPrivilege 1344 vssvc.exe Token: SeRestorePrivilege 1344 vssvc.exe Token: SeAuditPrivilege 1344 vssvc.exe Token: SeIncreaseQuotaPrivilege 1808 WMIC.exe Token: SeSecurityPrivilege 1808 WMIC.exe Token: SeTakeOwnershipPrivilege 1808 WMIC.exe Token: SeLoadDriverPrivilege 1808 WMIC.exe Token: SeSystemProfilePrivilege 1808 WMIC.exe Token: SeSystemtimePrivilege 1808 WMIC.exe Token: SeProfSingleProcessPrivilege 1808 WMIC.exe Token: SeIncBasePriorityPrivilege 1808 WMIC.exe Token: SeCreatePagefilePrivilege 1808 WMIC.exe Token: SeBackupPrivilege 1808 WMIC.exe Token: SeRestorePrivilege 1808 WMIC.exe Token: SeShutdownPrivilege 1808 WMIC.exe Token: SeDebugPrivilege 1808 WMIC.exe Token: SeSystemEnvironmentPrivilege 1808 WMIC.exe Token: SeRemoteShutdownPrivilege 1808 WMIC.exe Token: SeUndockPrivilege 1808 WMIC.exe Token: SeManageVolumePrivilege 1808 WMIC.exe Token: 33 1808 WMIC.exe Token: 34 1808 WMIC.exe Token: 35 1808 WMIC.exe Token: SeIncreaseQuotaPrivilege 1808 WMIC.exe Token: SeSecurityPrivilege 1808 WMIC.exe Token: SeTakeOwnershipPrivilege 1808 WMIC.exe Token: SeLoadDriverPrivilege 1808 WMIC.exe Token: SeSystemProfilePrivilege 1808 WMIC.exe Token: SeSystemtimePrivilege 1808 WMIC.exe Token: SeProfSingleProcessPrivilege 1808 WMIC.exe Token: SeIncBasePriorityPrivilege 1808 WMIC.exe Token: SeCreatePagefilePrivilege 1808 WMIC.exe Token: SeBackupPrivilege 1808 WMIC.exe Token: SeRestorePrivilege 1808 WMIC.exe Token: SeShutdownPrivilege 1808 WMIC.exe Token: SeDebugPrivilege 1808 WMIC.exe Token: SeSystemEnvironmentPrivilege 1808 WMIC.exe Token: SeRemoteShutdownPrivilege 1808 WMIC.exe Token: SeUndockPrivilege 1808 WMIC.exe Token: SeManageVolumePrivilege 1808 WMIC.exe Token: 33 1808 WMIC.exe Token: 34 1808 WMIC.exe Token: 35 1808 WMIC.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
!WannaDecryptor!.exepid process 1616 !WannaDecryptor!.exe -
Suspicious use of SetWindowsHookEx 8 IoCs
Processes:
!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exepid process 300 !WannaDecryptor!.exe 300 !WannaDecryptor!.exe 1112 !WannaDecryptor!.exe 1112 !WannaDecryptor!.exe 284 !WannaDecryptor!.exe 284 !WannaDecryptor!.exe 1616 !WannaDecryptor!.exe 1616 !WannaDecryptor!.exe -
Suspicious use of WriteProcessMemory 56 IoCs
Processes:
WannaCry.execmd.execmd.exe!WannaDecryptor!.execmd.exedescription pid process target process PID 2032 wrote to memory of 532 2032 WannaCry.exe cmd.exe PID 2032 wrote to memory of 532 2032 WannaCry.exe cmd.exe PID 2032 wrote to memory of 532 2032 WannaCry.exe cmd.exe PID 2032 wrote to memory of 532 2032 WannaCry.exe cmd.exe PID 532 wrote to memory of 516 532 cmd.exe cscript.exe PID 532 wrote to memory of 516 532 cmd.exe cscript.exe PID 532 wrote to memory of 516 532 cmd.exe cscript.exe PID 532 wrote to memory of 516 532 cmd.exe cscript.exe PID 2032 wrote to memory of 300 2032 WannaCry.exe !WannaDecryptor!.exe PID 2032 wrote to memory of 300 2032 WannaCry.exe !WannaDecryptor!.exe PID 2032 wrote to memory of 300 2032 WannaCry.exe !WannaDecryptor!.exe PID 2032 wrote to memory of 300 2032 WannaCry.exe !WannaDecryptor!.exe PID 2032 wrote to memory of 1148 2032 WannaCry.exe taskkill.exe PID 2032 wrote to memory of 1148 2032 WannaCry.exe taskkill.exe PID 2032 wrote to memory of 1148 2032 WannaCry.exe taskkill.exe PID 2032 wrote to memory of 1148 2032 WannaCry.exe taskkill.exe PID 2032 wrote to memory of 1952 2032 WannaCry.exe taskkill.exe PID 2032 wrote to memory of 1952 2032 WannaCry.exe taskkill.exe PID 2032 wrote to memory of 1952 2032 WannaCry.exe taskkill.exe PID 2032 wrote to memory of 1952 2032 WannaCry.exe taskkill.exe PID 2032 wrote to memory of 1600 2032 WannaCry.exe taskkill.exe PID 2032 wrote to memory of 1600 2032 WannaCry.exe taskkill.exe PID 2032 wrote to memory of 1600 2032 WannaCry.exe taskkill.exe PID 2032 wrote to memory of 1600 2032 WannaCry.exe taskkill.exe PID 2032 wrote to memory of 1756 2032 WannaCry.exe taskkill.exe PID 2032 wrote to memory of 1756 2032 WannaCry.exe taskkill.exe PID 2032 wrote to memory of 1756 2032 WannaCry.exe taskkill.exe PID 2032 wrote to memory of 1756 2032 WannaCry.exe taskkill.exe PID 2032 wrote to memory of 1112 2032 WannaCry.exe !WannaDecryptor!.exe PID 2032 wrote to memory of 1112 2032 WannaCry.exe !WannaDecryptor!.exe PID 2032 wrote to memory of 1112 2032 WannaCry.exe !WannaDecryptor!.exe PID 2032 wrote to memory of 1112 2032 WannaCry.exe !WannaDecryptor!.exe PID 2032 wrote to memory of 1672 2032 WannaCry.exe cmd.exe PID 2032 wrote to memory of 1672 2032 WannaCry.exe cmd.exe PID 2032 wrote to memory of 1672 2032 WannaCry.exe cmd.exe PID 2032 wrote to memory of 1672 2032 WannaCry.exe cmd.exe PID 1672 wrote to memory of 284 1672 cmd.exe !WannaDecryptor!.exe PID 1672 wrote to memory of 284 1672 cmd.exe !WannaDecryptor!.exe PID 1672 wrote to memory of 284 1672 cmd.exe !WannaDecryptor!.exe PID 1672 wrote to memory of 284 1672 cmd.exe !WannaDecryptor!.exe PID 2032 wrote to memory of 1616 2032 WannaCry.exe !WannaDecryptor!.exe PID 2032 wrote to memory of 1616 2032 WannaCry.exe !WannaDecryptor!.exe PID 2032 wrote to memory of 1616 2032 WannaCry.exe !WannaDecryptor!.exe PID 2032 wrote to memory of 1616 2032 WannaCry.exe !WannaDecryptor!.exe PID 284 wrote to memory of 1988 284 !WannaDecryptor!.exe cmd.exe PID 284 wrote to memory of 1988 284 !WannaDecryptor!.exe cmd.exe PID 284 wrote to memory of 1988 284 !WannaDecryptor!.exe cmd.exe PID 284 wrote to memory of 1988 284 !WannaDecryptor!.exe cmd.exe PID 1988 wrote to memory of 1076 1988 cmd.exe vssadmin.exe PID 1988 wrote to memory of 1076 1988 cmd.exe vssadmin.exe PID 1988 wrote to memory of 1076 1988 cmd.exe vssadmin.exe PID 1988 wrote to memory of 1076 1988 cmd.exe vssadmin.exe PID 1988 wrote to memory of 1808 1988 cmd.exe WMIC.exe PID 1988 wrote to memory of 1808 1988 cmd.exe WMIC.exe PID 1988 wrote to memory of 1808 1988 cmd.exe WMIC.exe PID 1988 wrote to memory of 1808 1988 cmd.exe WMIC.exe -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\WannaCry.exe"C:\Users\Admin\AppData\Local\Temp\WannaCry.exe"1⤵
- Modifies extensions of user files
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c 316221687298194.bat2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cscript.execscript //nologo c.vbs3⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe!WannaDecryptor!.exe f2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im MSExchange*2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Microsoft.Exchange.*2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sqlserver.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sqlwriter.exe2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe!WannaDecryptor!.exe c2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.execmd.exe /c start /b !WannaDecryptor!.exe v2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe!WannaDecryptor!.exe v3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\vssadmin.exevssadmin delete shadows /all /quiet5⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic shadowcopy delete5⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe!WannaDecryptor!.exe2⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\windows defender\MSASCui.exe"C:\Program Files\windows defender\MSASCui.exe" -quickscan1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\!WannaDecryptor!.exe.lnkFilesize
921B
MD5bff43dc066db635e576953d9097e4618
SHA1214758cd53383255f58df41a70bb2f887d4ce65a
SHA2564fb4a6eb3bd76f492e640306cd96b88a8a818f0ec951d2b4a40d8ae5edf51353
SHA512e4d6bb87ed2c0b838755444cebcac5e0400c78d8a6abf2f3ab8b51b17fd8fee1838852b7fb4f56092ce1a4d2e31d4791a1a4d7792ca80ce983b72ae55db70605
-
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exeFilesize
236KB
MD5cf1416074cd7791ab80a18f9e7e219d9
SHA1276d2ec82c518d887a8a3608e51c56fa28716ded
SHA25678e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df
SHA5120bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5
-
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exeFilesize
236KB
MD5cf1416074cd7791ab80a18f9e7e219d9
SHA1276d2ec82c518d887a8a3608e51c56fa28716ded
SHA25678e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df
SHA5120bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5
-
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exeFilesize
236KB
MD5cf1416074cd7791ab80a18f9e7e219d9
SHA1276d2ec82c518d887a8a3608e51c56fa28716ded
SHA25678e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df
SHA5120bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5
-
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exeFilesize
236KB
MD5cf1416074cd7791ab80a18f9e7e219d9
SHA1276d2ec82c518d887a8a3608e51c56fa28716ded
SHA25678e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df
SHA5120bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5
-
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exeFilesize
236KB
MD5cf1416074cd7791ab80a18f9e7e219d9
SHA1276d2ec82c518d887a8a3608e51c56fa28716ded
SHA25678e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df
SHA5120bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5
-
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe.lnkFilesize
921B
MD5bff43dc066db635e576953d9097e4618
SHA1214758cd53383255f58df41a70bb2f887d4ce65a
SHA2564fb4a6eb3bd76f492e640306cd96b88a8a818f0ec951d2b4a40d8ae5edf51353
SHA512e4d6bb87ed2c0b838755444cebcac5e0400c78d8a6abf2f3ab8b51b17fd8fee1838852b7fb4f56092ce1a4d2e31d4791a1a4d7792ca80ce983b72ae55db70605
-
C:\Users\Admin\AppData\Local\Temp\00000000.ekyFilesize
1KB
MD51b59b8813f98832849854038f8212139
SHA12681688bfef78201284dbd98b31f11b642db144a
SHA2565c176d6e4c9ad86d7b4e28088002561191bcc676300f6460b419dbd66f6734a0
SHA5126996e7a66f6d1b307da394caa6509983e6ce6b331f471e7eeabbd7ebad415d194531a079af2eb4ea6a8ca94a2fceb209ee94445a0cd0aad896a83cdbed9cb662
-
C:\Users\Admin\AppData\Local\Temp\00000000.resFilesize
136B
MD5414314a673cb1e114b2e526881560f2c
SHA150bb0caecb0adea26a63d6dcd2ad8d8a5718e70c
SHA256c97bd58d34f089e7ca58763dc028858a2e268d99465219fcf93af7854478d14a
SHA512e0f0358ec718b166a2879189f55bfa4ac24f0daba7d7efdcd233b4b89bc284b6659d1effa49d29d53fdbec8e0b3a5309f9b2bf1d5e53696b05fe29fd5c000c55
-
C:\Users\Admin\AppData\Local\Temp\00000000.resFilesize
136B
MD522e467edaf40429fcbe95127725c8aad
SHA13636522438b97e78d8c691e919be27d8153114fd
SHA25604144c2ca0e4de6e1de8a7b37bdc5055b5c14cbc31093796ca3b407558f8e721
SHA51298041b554e71cfdd5beb52294ee6952cf48b968067638be4b549da08148451b1e51ba3f53f8de7aec0c170b3812618e4f656d96a81d8aa84f379d0bfbe781052
-
C:\Users\Admin\AppData\Local\Temp\00000000.resFilesize
136B
MD5571faedc72f64cf9ffdfa5efd8634a12
SHA12b5482d4eaaf32906b0ed8b83d63a1df70b6f69f
SHA25626d5c743af6d465825af9382fb5df3f328e31c92765d7fe4a00991f9b4dd06a8
SHA51210ed1e98fa9328f81d902428544d500dcc96c6c5df3d799aec62f6b9249cce491f8d6c9c7412a7fec477d6f34e90a8b1591200754698f068975da58f3fe9f834
-
C:\Users\Admin\AppData\Local\Temp\00000000.resFilesize
136B
MD5fa6db01bd862ea73c57592bdbb69a4ba
SHA191e8922aabdb5c9e6bdf34ad3c6c566dce5ad71b
SHA2561abd5abbdb35ef73c2998624cf80139a243bf97bce652c6e2b2c0a4a7eddc94f
SHA512228a48d1d98e4affd7226377c203ad5030bb5858f82270c612d49c32a4c01998730ad8c006dc57b773e9892f4c8eaab33bae27509133942d642f688ee257283e
-
C:\Users\Admin\AppData\Local\Temp\316221687298194.batFilesize
336B
MD53540e056349c6972905dc9706cd49418
SHA1492c20442d34d45a6d6790c720349b11ec591cde
SHA25673872a89440a2cba9d22bf4961c3d499ea2c72979c30c455f942374292fedadc
SHA512c949d147100aef59e382c03abf7b162ae62a4d43456eebd730fbedcf5f95f5e1a24f6e349690d52d75331878a6ee8f6b88a7162ee9cf2a49e142196b12d0133c
-
C:\Users\Admin\AppData\Local\Temp\316221687298194.batFilesize
336B
MD53540e056349c6972905dc9706cd49418
SHA1492c20442d34d45a6d6790c720349b11ec591cde
SHA25673872a89440a2cba9d22bf4961c3d499ea2c72979c30c455f942374292fedadc
SHA512c949d147100aef59e382c03abf7b162ae62a4d43456eebd730fbedcf5f95f5e1a24f6e349690d52d75331878a6ee8f6b88a7162ee9cf2a49e142196b12d0133c
-
C:\Users\Admin\AppData\Local\Temp\FXSAPIDebugLogFile.txt.WCRYFilesize
280B
MD52fedacfcfe3bbf79a8f19f286a948bdb
SHA1fdc80f624beca0a49bf676c18a759e278a45684d
SHA25608fefd922d0cfe9f87af710faca6ad86171079f6c03d50d9643c1ada5f844205
SHA51258320334516962047291da4e4a9332fcfdcafed68d5b2db2899c9fc7f221ac3229567689eebfd5a860b5e7ddfaf949832bb804b827c79c5d496e7133ccc2078f
-
C:\Users\Admin\AppData\Local\Temp\c.vbsFilesize
219B
MD55f6d40ca3c34b470113ed04d06a88ff4
SHA150629e7211ae43e32060686d6be17ebd492fd7aa
SHA2560fb5039a2fe7e90cdf3f22140d7f2103f94689b15609efe0edcc8430dd772fc1
SHA5124d4aa1abd2c9183202fd3f0a65b37f07ee0166ba6561f094c13c8ea59752c7bdd960e37c49583746d4464bc3b1dc0b63a1fe36a37ce7e5709cd76ed433befe35
-
C:\Users\Admin\AppData\Local\Temp\c.wryFilesize
628B
MD5eb317baf46df757e96d4a5fcec7cb54e
SHA1829db2a8b6a1d4f290a224a7c048beabee098f8e
SHA25689eb920228cc8cf7e1d475cae9ebec7f38fbf27fb0b613cfe1bb810360eab648
SHA51280f09939b5f84b6f057d86a60c98b3b66e19b932b8d86227fafaa10f4ba6ea0a8c8e0758db8cb20a9571522d2e130019dd797cec87cde2fb9114a33e328d0106
-
C:\Users\Admin\AppData\Local\Temp\c.wryFilesize
628B
MD5eb317baf46df757e96d4a5fcec7cb54e
SHA1829db2a8b6a1d4f290a224a7c048beabee098f8e
SHA25689eb920228cc8cf7e1d475cae9ebec7f38fbf27fb0b613cfe1bb810360eab648
SHA51280f09939b5f84b6f057d86a60c98b3b66e19b932b8d86227fafaa10f4ba6ea0a8c8e0758db8cb20a9571522d2e130019dd797cec87cde2fb9114a33e328d0106
-
C:\Users\Admin\AppData\Local\Temp\f.wryFilesize
176B
MD589abfa116ef5c4d34bbc3b30325613f1
SHA1ecedc88f4f8903b8fadca9e985429c1e296c7744
SHA25636ec93315a173f7df466019b3820d62c158294ed2a62d4cc0a18f632227ff967
SHA5122ddafbcd38ab2117d891c76b1fdd0934892e75228fdc21465b589a64422fe691faa574e1bd5c625eb53ed5a9d5eda9b0d3ce6efcb2ec2e4f94d678592d943a50
-
C:\Users\Admin\AppData\Local\Temp\m.wryFilesize
42KB
MD5980b08bac152aff3f9b0136b616affa5
SHA12a9c9601ea038f790cc29379c79407356a3d25a3
SHA256402046ada270528c9ac38bbfa0152836fe30fb8e12192354e53b8397421430d9
SHA512100cda1f795781042b012498afd783fd6ff03b0068dbd07b2c2e163cd95e6c6e00755ce16b02b017693c9febc149ed02df9df9b607e2b9cca4b07e5bd420f496
-
C:\Users\Admin\Documents\!Please Read Me!.txtFilesize
797B
MD5afa18cf4aa2660392111763fb93a8c3d
SHA1c219a3654a5f41ce535a09f2a188a464c3f5baf5
SHA256227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0
SHA5124161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b
-
C:\Users\Admin\Music\RegisterRead.dot.WCRYFilesize
498KB
MD5059eaab625d1b4d9005d9d18f198bfd9
SHA1db24b902d4e5e1d6344e018d92d049988c0b34f7
SHA256c203ed40fc96ed1aa7644ac33a28e3896d31647aaae0f212f190ba40de9a63ae
SHA5123e6b077f14026d9e56bed54c1ec36312f73c0523a811f952bb009674d8143114c572cc2cbd629f623ae8992fea8b716885a9c1066997e1812ba6ac304b4898e3
-
C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 05.wma.WCRYFilesize
110KB
MD59c0f81d54240a327b1b9c049f94b3765
SHA1c6107487d379a232ae93989d6554b81f5107a48a
SHA2562c35c78eb4c128dcd8ee48c26000090555e6c7abc3fb29c2abb5d58735e39a67
SHA512f5e1a3af80257c6e25d0892ea22084d06b5e4b1280b8259ccc0a32dd369f0935619e5401cafeec7f5e3d2bac8a19274bf60bc4d3fb9ac227747269b03c2baa9a
-
\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exeFilesize
236KB
MD5cf1416074cd7791ab80a18f9e7e219d9
SHA1276d2ec82c518d887a8a3608e51c56fa28716ded
SHA25678e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df
SHA5120bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5
-
\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exeFilesize
236KB
MD5cf1416074cd7791ab80a18f9e7e219d9
SHA1276d2ec82c518d887a8a3608e51c56fa28716ded
SHA25678e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df
SHA5120bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5
-
\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exeFilesize
236KB
MD5cf1416074cd7791ab80a18f9e7e219d9
SHA1276d2ec82c518d887a8a3608e51c56fa28716ded
SHA25678e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df
SHA5120bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5
-
\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exeFilesize
236KB
MD5cf1416074cd7791ab80a18f9e7e219d9
SHA1276d2ec82c518d887a8a3608e51c56fa28716ded
SHA25678e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df
SHA5120bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5
-
\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exeFilesize
236KB
MD5cf1416074cd7791ab80a18f9e7e219d9
SHA1276d2ec82c518d887a8a3608e51c56fa28716ded
SHA25678e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df
SHA5120bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5
-
\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exeFilesize
236KB
MD5cf1416074cd7791ab80a18f9e7e219d9
SHA1276d2ec82c518d887a8a3608e51c56fa28716ded
SHA25678e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df
SHA5120bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5
-
\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exeFilesize
236KB
MD5cf1416074cd7791ab80a18f9e7e219d9
SHA1276d2ec82c518d887a8a3608e51c56fa28716ded
SHA25678e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df
SHA5120bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5
-
\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exeFilesize
236KB
MD5cf1416074cd7791ab80a18f9e7e219d9
SHA1276d2ec82c518d887a8a3608e51c56fa28716ded
SHA25678e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df
SHA5120bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5
-
\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exeFilesize
236KB
MD5cf1416074cd7791ab80a18f9e7e219d9
SHA1276d2ec82c518d887a8a3608e51c56fa28716ded
SHA25678e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df
SHA5120bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5
-
memory/1284-729-0x00000000000B0000-0x00000000000B1000-memory.dmpFilesize
4KB
-
memory/2032-60-0x0000000010000000-0x0000000010012000-memory.dmpFilesize
72KB