wannacry | be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844

Analysis

max time kernel
194s
max time network
30s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
20-06-2023 21:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WannaCry.exe
Size

224KB
MD5

5c7fb0927db37372da25f270708103a2
SHA1

120ed9279d85cbfa56e5b7779ffa7162074f7a29
SHA256

be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844
SHA512

a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f89224c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206
SSDEEP

3072:Y059femWRwTs/dbelj0X8/j84pcRXPlU3Upt3or4H84lK8PtpLzLsR/EfcZ:+5RwTs/dSXj84mRXPemxdBlPvLzLeZ

Score

10^/10

wannacry persistence ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\Documents\!Please Read Me!.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions! �

Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 15 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

WannaCry.exe

description	ioc	process
File created	C:\Users\Admin\Pictures\FindResolve.png.WCRYT	WannaCry.exe
File opened for modification	C:\Users\Admin\Pictures\SkipProtect.png.WCRY	WannaCry.exe
File renamed	C:\Users\Admin\Pictures\SaveInstall.tif.WCRYT => C:\Users\Admin\Pictures\SaveInstall.tif.WCRY	WannaCry.exe
File renamed	C:\Users\Admin\Pictures\FindResolve.png.WCRYT => C:\Users\Admin\Pictures\FindResolve.png.WCRY	WannaCry.exe
File opened for modification	C:\Users\Admin\Pictures\FindResolve.png.WCRY	WannaCry.exe
File opened for modification	C:\Users\Admin\Pictures\ResumeAssert.raw.WCRY	WannaCry.exe
File created	C:\Users\Admin\Pictures\SaveInstall.tif.WCRYT	WannaCry.exe
File created	C:\Users\Admin\Pictures\SkipProtect.png.WCRYT	WannaCry.exe
File created	C:\Users\Admin\Pictures\TestUnregister.png.WCRYT	WannaCry.exe
File renamed	C:\Users\Admin\Pictures\SkipProtect.png.WCRYT => C:\Users\Admin\Pictures\SkipProtect.png.WCRY	WannaCry.exe
File renamed	C:\Users\Admin\Pictures\TestUnregister.png.WCRYT => C:\Users\Admin\Pictures\TestUnregister.png.WCRY	WannaCry.exe
File opened for modification	C:\Users\Admin\Pictures\TestUnregister.png.WCRY	WannaCry.exe
File created	C:\Users\Admin\Pictures\ResumeAssert.raw.WCRYT	WannaCry.exe
File renamed	C:\Users\Admin\Pictures\ResumeAssert.raw.WCRYT => C:\Users\Admin\Pictures\ResumeAssert.raw.WCRY	WannaCry.exe
File opened for modification	C:\Users\Admin\Pictures\SaveInstall.tif.WCRY	WannaCry.exe

Drops startup file 1 IoCs

Processes:

WannaCry.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD310C.tmp	WannaCry.exe

Executes dropped EXE 4 IoCs

Processes:

!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe

pid process

300 !WannaDecryptor!.exe
1112 !WannaDecryptor!.exe
284 !WannaDecryptor!.exe
1616 !WannaDecryptor!.exe
Loads dropped DLL 9 IoCs

Processes:

cscript.exeWannaCry.execmd.exe

pid process

516 cscript.exe
2032 WannaCry.exe
2032 WannaCry.exe
2032 WannaCry.exe
2032 WannaCry.exe
1672 cmd.exe
1672 cmd.exe
2032 WannaCry.exe
2032 WannaCry.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
516	cscript.exe
2032	WannaCry.exe
2032	WannaCry.exe
2032	WannaCry.exe
2032	WannaCry.exe
1672	cmd.exe
1672	cmd.exe
2032	WannaCry.exe
2032	WannaCry.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

WannaCry.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\WannaCry.exe\" /r"	WannaCry.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

!WannaDecryptor!.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp"	!WannaDecryptor!.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Pictures\\My Wallpaper.jpg"	!WannaDecryptor!.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1076 vssadmin.exe
Kills process with taskkill 4 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

1148 taskkill.exe
1952 taskkill.exe
1600 taskkill.exe
1756 taskkill.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

!WannaDecryptor!.exe

pid process

1616 !WannaDecryptor!.exe

pid	process
1076	vssadmin.exe

pid	process
1148	taskkill.exe
1952	taskkill.exe
1600	taskkill.exe
1756	taskkill.exe

pid	process
1616	!WannaDecryptor!.exe

Suspicious use of AdjustPrivilegeToken 47 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exevssvc.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	1952	taskkill.exe
Token: SeDebugPrivilege	1148	taskkill.exe
Token: SeDebugPrivilege	1600	taskkill.exe
Token: SeDebugPrivilege	1756	taskkill.exe
Token: SeBackupPrivilege	1344	vssvc.exe
Token: SeRestorePrivilege	1344	vssvc.exe
Token: SeAuditPrivilege	1344	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1808	WMIC.exe
Token: SeSecurityPrivilege	1808	WMIC.exe
Token: SeTakeOwnershipPrivilege	1808	WMIC.exe
Token: SeLoadDriverPrivilege	1808	WMIC.exe
Token: SeSystemProfilePrivilege	1808	WMIC.exe
Token: SeSystemtimePrivilege	1808	WMIC.exe
Token: SeProfSingleProcessPrivilege	1808	WMIC.exe
Token: SeIncBasePriorityPrivilege	1808	WMIC.exe
Token: SeCreatePagefilePrivilege	1808	WMIC.exe
Token: SeBackupPrivilege	1808	WMIC.exe
Token: SeRestorePrivilege	1808	WMIC.exe
Token: SeShutdownPrivilege	1808	WMIC.exe
Token: SeDebugPrivilege	1808	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1808	WMIC.exe
Token: SeRemoteShutdownPrivilege	1808	WMIC.exe
Token: SeUndockPrivilege	1808	WMIC.exe
Token: SeManageVolumePrivilege	1808	WMIC.exe
Token: 33	1808	WMIC.exe
Token: 34	1808	WMIC.exe
Token: 35	1808	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1808	WMIC.exe
Token: SeSecurityPrivilege	1808	WMIC.exe
Token: SeTakeOwnershipPrivilege	1808	WMIC.exe
Token: SeLoadDriverPrivilege	1808	WMIC.exe
Token: SeSystemProfilePrivilege	1808	WMIC.exe
Token: SeSystemtimePrivilege	1808	WMIC.exe
Token: SeProfSingleProcessPrivilege	1808	WMIC.exe
Token: SeIncBasePriorityPrivilege	1808	WMIC.exe
Token: SeCreatePagefilePrivilege	1808	WMIC.exe
Token: SeBackupPrivilege	1808	WMIC.exe
Token: SeRestorePrivilege	1808	WMIC.exe
Token: SeShutdownPrivilege	1808	WMIC.exe
Token: SeDebugPrivilege	1808	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1808	WMIC.exe
Token: SeRemoteShutdownPrivilege	1808	WMIC.exe
Token: SeUndockPrivilege	1808	WMIC.exe
Token: SeManageVolumePrivilege	1808	WMIC.exe
Token: 33	1808	WMIC.exe
Token: 34	1808	WMIC.exe
Token: 35	1808	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

!WannaDecryptor!.exe

pid process

1616 !WannaDecryptor!.exe

pid	process
1616	!WannaDecryptor!.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe

pid	process
300	!WannaDecryptor!.exe
300	!WannaDecryptor!.exe
1112	!WannaDecryptor!.exe
1112	!WannaDecryptor!.exe
284	!WannaDecryptor!.exe
284	!WannaDecryptor!.exe
1616	!WannaDecryptor!.exe
1616	!WannaDecryptor!.exe

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

WannaCry.execmd.execmd.exe!WannaDecryptor!.execmd.exe

description	pid	process	target process
PID 2032 wrote to memory of 532	2032	WannaCry.exe	cmd.exe
PID 2032 wrote to memory of 532	2032	WannaCry.exe	cmd.exe
PID 2032 wrote to memory of 532	2032	WannaCry.exe	cmd.exe
PID 2032 wrote to memory of 532	2032	WannaCry.exe	cmd.exe
PID 532 wrote to memory of 516	532	cmd.exe	cscript.exe
PID 532 wrote to memory of 516	532	cmd.exe	cscript.exe
PID 532 wrote to memory of 516	532	cmd.exe	cscript.exe
PID 532 wrote to memory of 516	532	cmd.exe	cscript.exe
PID 2032 wrote to memory of 300	2032	WannaCry.exe	!WannaDecryptor!.exe
PID 2032 wrote to memory of 300	2032	WannaCry.exe	!WannaDecryptor!.exe
PID 2032 wrote to memory of 300	2032	WannaCry.exe	!WannaDecryptor!.exe
PID 2032 wrote to memory of 300	2032	WannaCry.exe	!WannaDecryptor!.exe
PID 2032 wrote to memory of 1148	2032	WannaCry.exe	taskkill.exe
PID 2032 wrote to memory of 1148	2032	WannaCry.exe	taskkill.exe
PID 2032 wrote to memory of 1148	2032	WannaCry.exe	taskkill.exe
PID 2032 wrote to memory of 1148	2032	WannaCry.exe	taskkill.exe
PID 2032 wrote to memory of 1952	2032	WannaCry.exe	taskkill.exe
PID 2032 wrote to memory of 1952	2032	WannaCry.exe	taskkill.exe
PID 2032 wrote to memory of 1952	2032	WannaCry.exe	taskkill.exe
PID 2032 wrote to memory of 1952	2032	WannaCry.exe	taskkill.exe
PID 2032 wrote to memory of 1600	2032	WannaCry.exe	taskkill.exe
PID 2032 wrote to memory of 1600	2032	WannaCry.exe	taskkill.exe
PID 2032 wrote to memory of 1600	2032	WannaCry.exe	taskkill.exe
PID 2032 wrote to memory of 1600	2032	WannaCry.exe	taskkill.exe
PID 2032 wrote to memory of 1756	2032	WannaCry.exe	taskkill.exe
PID 2032 wrote to memory of 1756	2032	WannaCry.exe	taskkill.exe
PID 2032 wrote to memory of 1756	2032	WannaCry.exe	taskkill.exe
PID 2032 wrote to memory of 1756	2032	WannaCry.exe	taskkill.exe
PID 2032 wrote to memory of 1112	2032	WannaCry.exe	!WannaDecryptor!.exe
PID 2032 wrote to memory of 1112	2032	WannaCry.exe	!WannaDecryptor!.exe
PID 2032 wrote to memory of 1112	2032	WannaCry.exe	!WannaDecryptor!.exe
PID 2032 wrote to memory of 1112	2032	WannaCry.exe	!WannaDecryptor!.exe
PID 2032 wrote to memory of 1672	2032	WannaCry.exe	cmd.exe
PID 2032 wrote to memory of 1672	2032	WannaCry.exe	cmd.exe
PID 2032 wrote to memory of 1672	2032	WannaCry.exe	cmd.exe
PID 2032 wrote to memory of 1672	2032	WannaCry.exe	cmd.exe
PID 1672 wrote to memory of 284	1672	cmd.exe	!WannaDecryptor!.exe
PID 1672 wrote to memory of 284	1672	cmd.exe	!WannaDecryptor!.exe
PID 1672 wrote to memory of 284	1672	cmd.exe	!WannaDecryptor!.exe
PID 1672 wrote to memory of 284	1672	cmd.exe	!WannaDecryptor!.exe
PID 2032 wrote to memory of 1616	2032	WannaCry.exe	!WannaDecryptor!.exe
PID 2032 wrote to memory of 1616	2032	WannaCry.exe	!WannaDecryptor!.exe
PID 2032 wrote to memory of 1616	2032	WannaCry.exe	!WannaDecryptor!.exe
PID 2032 wrote to memory of 1616	2032	WannaCry.exe	!WannaDecryptor!.exe
PID 284 wrote to memory of 1988	284	!WannaDecryptor!.exe	cmd.exe
PID 284 wrote to memory of 1988	284	!WannaDecryptor!.exe	cmd.exe
PID 284 wrote to memory of 1988	284	!WannaDecryptor!.exe	cmd.exe
PID 284 wrote to memory of 1988	284	!WannaDecryptor!.exe	cmd.exe
PID 1988 wrote to memory of 1076	1988	cmd.exe	vssadmin.exe
PID 1988 wrote to memory of 1076	1988	cmd.exe	vssadmin.exe
PID 1988 wrote to memory of 1076	1988	cmd.exe	vssadmin.exe
PID 1988 wrote to memory of 1076	1988	cmd.exe	vssadmin.exe
PID 1988 wrote to memory of 1808	1988	cmd.exe	WMIC.exe
PID 1988 wrote to memory of 1808	1988	cmd.exe	WMIC.exe
PID 1988 wrote to memory of 1808	1988	cmd.exe	WMIC.exe
PID 1988 wrote to memory of 1808	1988	cmd.exe	WMIC.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\WannaCry.exe
"C:\Users\Admin\AppData\Local\Temp\WannaCry.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2032

C:\Windows\SysWOW64\cmd.exe
cmd /c 316221687298194.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:532

C:\Windows\SysWOW64\cscript.exe
cscript //nologo c.vbs
3⤵
- Loads dropped DLL
PID:516

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
!WannaDecryptor!.exe f
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:300

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im MSExchange*
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1148

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Microsoft.Exchange.*
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1952

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im sqlserver.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1600

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im sqlwriter.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1756

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
!WannaDecryptor!.exe c
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1112

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /b !WannaDecryptor!.exe v
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1672

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
!WannaDecryptor!.exe v
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:284

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
4⤵
- Suspicious use of WriteProcessMemory
PID:1988

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
5⤵
- Interacts with shadow copies
PID:1076

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1808

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
!WannaDecryptor!.exe
2⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1616

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1344

C:\Program Files\windows defender\MSASCui.exe
"C:\Program Files\windows defender\MSASCui.exe" -quickscan
1⤵
PID:1284

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\!WannaDecryptor!.exe.lnk
Filesize
921B

MD5
bff43dc066db635e576953d9097e4618

SHA1
214758cd53383255f58df41a70bb2f887d4ce65a

SHA256
4fb4a6eb3bd76f492e640306cd96b88a8a818f0ec951d2b4a40d8ae5edf51353

SHA512
e4d6bb87ed2c0b838755444cebcac5e0400c78d8a6abf2f3ab8b51b17fd8fee1838852b7fb4f56092ce1a4d2e31d4791a1a4d7792ca80ce983b72ae55db70605

Download Submit
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe.lnk
Filesize
921B

MD5
bff43dc066db635e576953d9097e4618

SHA1
214758cd53383255f58df41a70bb2f887d4ce65a

SHA256
4fb4a6eb3bd76f492e640306cd96b88a8a818f0ec951d2b4a40d8ae5edf51353

SHA512
e4d6bb87ed2c0b838755444cebcac5e0400c78d8a6abf2f3ab8b51b17fd8fee1838852b7fb4f56092ce1a4d2e31d4791a1a4d7792ca80ce983b72ae55db70605

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.eky
Filesize
1KB

MD5
1b59b8813f98832849854038f8212139

SHA1
2681688bfef78201284dbd98b31f11b642db144a

SHA256
5c176d6e4c9ad86d7b4e28088002561191bcc676300f6460b419dbd66f6734a0

SHA512
6996e7a66f6d1b307da394caa6509983e6ce6b331f471e7eeabbd7ebad415d194531a079af2eb4ea6a8ca94a2fceb209ee94445a0cd0aad896a83cdbed9cb662

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.res
Filesize
136B

MD5
414314a673cb1e114b2e526881560f2c

SHA1
50bb0caecb0adea26a63d6dcd2ad8d8a5718e70c

SHA256
c97bd58d34f089e7ca58763dc028858a2e268d99465219fcf93af7854478d14a

SHA512
e0f0358ec718b166a2879189f55bfa4ac24f0daba7d7efdcd233b4b89bc284b6659d1effa49d29d53fdbec8e0b3a5309f9b2bf1d5e53696b05fe29fd5c000c55

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.res
Filesize
136B

MD5
22e467edaf40429fcbe95127725c8aad

SHA1
3636522438b97e78d8c691e919be27d8153114fd

SHA256
04144c2ca0e4de6e1de8a7b37bdc5055b5c14cbc31093796ca3b407558f8e721

SHA512
98041b554e71cfdd5beb52294ee6952cf48b968067638be4b549da08148451b1e51ba3f53f8de7aec0c170b3812618e4f656d96a81d8aa84f379d0bfbe781052

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.res
Filesize
136B

MD5
571faedc72f64cf9ffdfa5efd8634a12

SHA1
2b5482d4eaaf32906b0ed8b83d63a1df70b6f69f

SHA256
26d5c743af6d465825af9382fb5df3f328e31c92765d7fe4a00991f9b4dd06a8

SHA512
10ed1e98fa9328f81d902428544d500dcc96c6c5df3d799aec62f6b9249cce491f8d6c9c7412a7fec477d6f34e90a8b1591200754698f068975da58f3fe9f834

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.res
Filesize
136B

MD5
fa6db01bd862ea73c57592bdbb69a4ba

SHA1
91e8922aabdb5c9e6bdf34ad3c6c566dce5ad71b

SHA256
1abd5abbdb35ef73c2998624cf80139a243bf97bce652c6e2b2c0a4a7eddc94f

SHA512
228a48d1d98e4affd7226377c203ad5030bb5858f82270c612d49c32a4c01998730ad8c006dc57b773e9892f4c8eaab33bae27509133942d642f688ee257283e

Download Submit
C:\Users\Admin\AppData\Local\Temp\316221687298194.bat
Filesize
336B

MD5
3540e056349c6972905dc9706cd49418

SHA1
492c20442d34d45a6d6790c720349b11ec591cde

SHA256
73872a89440a2cba9d22bf4961c3d499ea2c72979c30c455f942374292fedadc

SHA512
c949d147100aef59e382c03abf7b162ae62a4d43456eebd730fbedcf5f95f5e1a24f6e349690d52d75331878a6ee8f6b88a7162ee9cf2a49e142196b12d0133c

Download Submit
C:\Users\Admin\AppData\Local\Temp\316221687298194.bat
Filesize
336B

MD5
3540e056349c6972905dc9706cd49418

SHA1
492c20442d34d45a6d6790c720349b11ec591cde

SHA256
73872a89440a2cba9d22bf4961c3d499ea2c72979c30c455f942374292fedadc

SHA512
c949d147100aef59e382c03abf7b162ae62a4d43456eebd730fbedcf5f95f5e1a24f6e349690d52d75331878a6ee8f6b88a7162ee9cf2a49e142196b12d0133c

Download Submit
C:\Users\Admin\AppData\Local\Temp\FXSAPIDebugLogFile.txt.WCRY
Filesize
280B

MD5
2fedacfcfe3bbf79a8f19f286a948bdb

SHA1
fdc80f624beca0a49bf676c18a759e278a45684d

SHA256
08fefd922d0cfe9f87af710faca6ad86171079f6c03d50d9643c1ada5f844205

SHA512
58320334516962047291da4e4a9332fcfdcafed68d5b2db2899c9fc7f221ac3229567689eebfd5a860b5e7ddfaf949832bb804b827c79c5d496e7133ccc2078f

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.vbs
Filesize
219B

MD5
5f6d40ca3c34b470113ed04d06a88ff4

SHA1
50629e7211ae43e32060686d6be17ebd492fd7aa

SHA256
0fb5039a2fe7e90cdf3f22140d7f2103f94689b15609efe0edcc8430dd772fc1

SHA512
4d4aa1abd2c9183202fd3f0a65b37f07ee0166ba6561f094c13c8ea59752c7bdd960e37c49583746d4464bc3b1dc0b63a1fe36a37ce7e5709cd76ed433befe35

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.wry
Filesize
628B

MD5
eb317baf46df757e96d4a5fcec7cb54e

SHA1
829db2a8b6a1d4f290a224a7c048beabee098f8e

SHA256
89eb920228cc8cf7e1d475cae9ebec7f38fbf27fb0b613cfe1bb810360eab648

SHA512
80f09939b5f84b6f057d86a60c98b3b66e19b932b8d86227fafaa10f4ba6ea0a8c8e0758db8cb20a9571522d2e130019dd797cec87cde2fb9114a33e328d0106

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.wry
Filesize
628B

MD5
eb317baf46df757e96d4a5fcec7cb54e

SHA1
829db2a8b6a1d4f290a224a7c048beabee098f8e

SHA256
89eb920228cc8cf7e1d475cae9ebec7f38fbf27fb0b613cfe1bb810360eab648

SHA512
80f09939b5f84b6f057d86a60c98b3b66e19b932b8d86227fafaa10f4ba6ea0a8c8e0758db8cb20a9571522d2e130019dd797cec87cde2fb9114a33e328d0106

Download Submit
C:\Users\Admin\AppData\Local\Temp\f.wry
Filesize
176B

MD5
89abfa116ef5c4d34bbc3b30325613f1

SHA1
ecedc88f4f8903b8fadca9e985429c1e296c7744

SHA256
36ec93315a173f7df466019b3820d62c158294ed2a62d4cc0a18f632227ff967

SHA512
2ddafbcd38ab2117d891c76b1fdd0934892e75228fdc21465b589a64422fe691faa574e1bd5c625eb53ed5a9d5eda9b0d3ce6efcb2ec2e4f94d678592d943a50

Download Submit
C:\Users\Admin\AppData\Local\Temp\m.wry
Filesize
42KB

MD5
980b08bac152aff3f9b0136b616affa5

SHA1
2a9c9601ea038f790cc29379c79407356a3d25a3

SHA256
402046ada270528c9ac38bbfa0152836fe30fb8e12192354e53b8397421430d9

SHA512
100cda1f795781042b012498afd783fd6ff03b0068dbd07b2c2e163cd95e6c6e00755ce16b02b017693c9febc149ed02df9df9b607e2b9cca4b07e5bd420f496

Download Submit
C:\Users\Admin\Documents\!Please Read Me!.txt
Filesize
797B

MD5
afa18cf4aa2660392111763fb93a8c3d

SHA1
c219a3654a5f41ce535a09f2a188a464c3f5baf5

SHA256
227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0

SHA512
4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b

Download Submit
C:\Users\Admin\Music\RegisterRead.dot.WCRY
Filesize
498KB

MD5
059eaab625d1b4d9005d9d18f198bfd9

SHA1
db24b902d4e5e1d6344e018d92d049988c0b34f7

SHA256
c203ed40fc96ed1aa7644ac33a28e3896d31647aaae0f212f190ba40de9a63ae

SHA512
3e6b077f14026d9e56bed54c1ec36312f73c0523a811f952bb009674d8143114c572cc2cbd629f623ae8992fea8b716885a9c1066997e1812ba6ac304b4898e3

Download Submit
C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 05.wma.WCRY
Filesize
110KB

MD5
9c0f81d54240a327b1b9c049f94b3765

SHA1
c6107487d379a232ae93989d6554b81f5107a48a

SHA256
2c35c78eb4c128dcd8ee48c26000090555e6c7abc3fb29c2abb5d58735e39a67

SHA512
f5e1a3af80257c6e25d0892ea22084d06b5e4b1280b8259ccc0a32dd369f0935619e5401cafeec7f5e3d2bac8a19274bf60bc4d3fb9ac227747269b03c2baa9a

Download Submit
\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
memory/1284-729-0x00000000000B0000-0x00000000000B1000-memory.dmp

Filesize
4KB

Download
memory/2032-60-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download