wannacry | be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844

Resubmissions

17-11-2023 16:04

231117-th3fksbg6y 10

17-11-2023 12:50

231117-p28pgshd98 10

Analysis

max time kernel
150s
max time network
134s
platform
windows10-1703_x64
resource
win10-20231025-en
resource tags

arch:x64arch:x86image:win10-20231025-enlocale:en-usos:windows10-1703-x64system
submitted
17-11-2023 12:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WannaCry (1).exe
Size

224KB
MD5

5c7fb0927db37372da25f270708103a2
SHA1

120ed9279d85cbfa56e5b7779ffa7162074f7a29
SHA256

be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844
SHA512

a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f89224c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206
SSDEEP

3072:Y059femWRwTs/dbelj0X8/j84pcRXPlU3Upt3or4H84lK8PtpLzLsR/EfcZ:+5RwTs/dSXj84mRXPemxdBlPvLzLeZ

Score

10^/10

wannacry persistence ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\!Please Read Me!.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions! �

Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry

Drops startup file 2 IoCs

Processes:

WannaCry (1).exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDAAC5.tmp	WannaCry (1).exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDAABE.tmp	WannaCry (1).exe

Executes dropped EXE 20 IoCs

Processes:

!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe

pid	process
3180	!WannaDecryptor!.exe
2564	!WannaDecryptor!.exe
4764	!WannaDecryptor!.exe
2016	!WannaDecryptor!.exe
3924	!WannaDecryptor!.exe
1972	!WannaDecryptor!.exe
4912	!WannaDecryptor!.exe
2748	!WannaDecryptor!.exe
4244	!WannaDecryptor!.exe
4920	!WannaDecryptor!.exe
4600	!WannaDecryptor!.exe
4844	!WannaDecryptor!.exe
3732	!WannaDecryptor!.exe
3444	!WannaDecryptor!.exe
1280	!WannaDecryptor!.exe
2140	!WannaDecryptor!.exe
4360	!WannaDecryptor!.exe
4240	!WannaDecryptor!.exe
2156	!WannaDecryptor!.exe
660	!WannaDecryptor!.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

WannaCry (1).exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\WannaCry (1).exe\" /r"	WannaCry (1).exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

!WannaDecryptor!.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2852493121-870915337-2715324265-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp"	!WannaDecryptor!.exe

Drops file in Windows directory 1 IoCs

Processes:

mspaint.exe

description ioc process

File opened for modification C:\Windows\Debug\WIA\wiatrace.log mspaint.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 4 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

4584 taskkill.exe
1804 taskkill.exe
4792 taskkill.exe
4172 taskkill.exe

pid	process
4584	taskkill.exe
1804	taskkill.exe
4792	taskkill.exe
4172	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133446990687315950"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exemspaint.exe

pid process

2972 chrome.exe
2972 chrome.exe
5060 mspaint.exe
5060 mspaint.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

2972 chrome.exe
2972 chrome.exe
2972 chrome.exe
2972 chrome.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exechrome.exe

description	pid	process
Token: SeDebugPrivilege	4584	taskkill.exe
Token: SeDebugPrivilege	4172	taskkill.exe
Token: SeDebugPrivilege	1804	taskkill.exe
Token: SeDebugPrivilege	4792	taskkill.exe
Token: SeShutdownPrivilege	2972	chrome.exe
Token: SeCreatePagefilePrivilege	2972	chrome.exe
Token: SeShutdownPrivilege	2972	chrome.exe
Token: SeCreatePagefilePrivilege	2972	chrome.exe
Token: SeShutdownPrivilege	2972	chrome.exe
Token: SeCreatePagefilePrivilege	2972	chrome.exe
Token: SeShutdownPrivilege	2972	chrome.exe
Token: SeCreatePagefilePrivilege	2972	chrome.exe
Token: SeShutdownPrivilege	2972	chrome.exe
Token: SeCreatePagefilePrivilege	2972	chrome.exe
Token: SeShutdownPrivilege	2972	chrome.exe
Token: SeCreatePagefilePrivilege	2972	chrome.exe
Token: SeShutdownPrivilege	2972	chrome.exe
Token: SeCreatePagefilePrivilege	2972	chrome.exe
Token: SeShutdownPrivilege	2972	chrome.exe
Token: SeCreatePagefilePrivilege	2972	chrome.exe
Token: SeShutdownPrivilege	2972	chrome.exe
Token: SeCreatePagefilePrivilege	2972	chrome.exe
Token: SeShutdownPrivilege	2972	chrome.exe
Token: SeCreatePagefilePrivilege	2972	chrome.exe
Token: SeShutdownPrivilege	2972	chrome.exe
Token: SeCreatePagefilePrivilege	2972	chrome.exe
Token: SeShutdownPrivilege	2972	chrome.exe
Token: SeCreatePagefilePrivilege	2972	chrome.exe
Token: SeShutdownPrivilege	2972	chrome.exe
Token: SeCreatePagefilePrivilege	2972	chrome.exe
Token: SeShutdownPrivilege	2972	chrome.exe
Token: SeCreatePagefilePrivilege	2972	chrome.exe
Token: SeShutdownPrivilege	2972	chrome.exe
Token: SeCreatePagefilePrivilege	2972	chrome.exe
Token: SeShutdownPrivilege	2972	chrome.exe
Token: SeCreatePagefilePrivilege	2972	chrome.exe
Token: SeShutdownPrivilege	2972	chrome.exe
Token: SeCreatePagefilePrivilege	2972	chrome.exe
Token: SeShutdownPrivilege	2972	chrome.exe
Token: SeCreatePagefilePrivilege	2972	chrome.exe
Token: SeShutdownPrivilege	2972	chrome.exe
Token: SeCreatePagefilePrivilege	2972	chrome.exe
Token: SeShutdownPrivilege	2972	chrome.exe
Token: SeCreatePagefilePrivilege	2972	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

Processes:

chrome.exe

pid	process
2972	chrome.exe
2972	chrome.exe
2972	chrome.exe
2972	chrome.exe
2972	chrome.exe
2972	chrome.exe
2972	chrome.exe
2972	chrome.exe
2972	chrome.exe
2972	chrome.exe
2972	chrome.exe
2972	chrome.exe
2972	chrome.exe
2972	chrome.exe
2972	chrome.exe
2972	chrome.exe
2972	chrome.exe
2972	chrome.exe
2972	chrome.exe
2972	chrome.exe
2972	chrome.exe
2972	chrome.exe
2972	chrome.exe
2972	chrome.exe
2972	chrome.exe
2972	chrome.exe
2972	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
2972	chrome.exe
2972	chrome.exe
2972	chrome.exe
2972	chrome.exe
2972	chrome.exe
2972	chrome.exe
2972	chrome.exe
2972	chrome.exe
2972	chrome.exe
2972	chrome.exe
2972	chrome.exe
2972	chrome.exe
2972	chrome.exe
2972	chrome.exe
2972	chrome.exe
2972	chrome.exe
2972	chrome.exe
2972	chrome.exe
2972	chrome.exe
2972	chrome.exe
2972	chrome.exe
2972	chrome.exe
2972	chrome.exe
2972	chrome.exe

Suspicious use of SetWindowsHookEx 26 IoCs

Processes:

!WannaDecryptor!.exemspaint.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe

pid	process
3180	!WannaDecryptor!.exe
3180	!WannaDecryptor!.exe
5060	mspaint.exe
5060	mspaint.exe
5060	mspaint.exe
5060	mspaint.exe
2564	!WannaDecryptor!.exe
2564	!WannaDecryptor!.exe
4764	!WannaDecryptor!.exe
2016	!WannaDecryptor!.exe
3924	!WannaDecryptor!.exe
1972	!WannaDecryptor!.exe
4912	!WannaDecryptor!.exe
2748	!WannaDecryptor!.exe
4244	!WannaDecryptor!.exe
4920	!WannaDecryptor!.exe
4600	!WannaDecryptor!.exe
4844	!WannaDecryptor!.exe
3732	!WannaDecryptor!.exe
3444	!WannaDecryptor!.exe
1280	!WannaDecryptor!.exe
2140	!WannaDecryptor!.exe
4360	!WannaDecryptor!.exe
4240	!WannaDecryptor!.exe
2156	!WannaDecryptor!.exe
660	!WannaDecryptor!.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

WannaCry (1).execmd.exechrome.exe

description	pid	process	target process
PID 3588 wrote to memory of 3480	3588	WannaCry (1).exe	cmd.exe
PID 3588 wrote to memory of 3480	3588	WannaCry (1).exe	cmd.exe
PID 3588 wrote to memory of 3480	3588	WannaCry (1).exe	cmd.exe
PID 3480 wrote to memory of 4100	3480	cmd.exe	cscript.exe
PID 3480 wrote to memory of 4100	3480	cmd.exe	cscript.exe
PID 3480 wrote to memory of 4100	3480	cmd.exe	cscript.exe
PID 3588 wrote to memory of 3180	3588	WannaCry (1).exe	!WannaDecryptor!.exe
PID 3588 wrote to memory of 3180	3588	WannaCry (1).exe	!WannaDecryptor!.exe
PID 3588 wrote to memory of 3180	3588	WannaCry (1).exe	!WannaDecryptor!.exe
PID 3588 wrote to memory of 4172	3588	WannaCry (1).exe	taskkill.exe
PID 3588 wrote to memory of 4172	3588	WannaCry (1).exe	taskkill.exe
PID 3588 wrote to memory of 4172	3588	WannaCry (1).exe	taskkill.exe
PID 3588 wrote to memory of 4792	3588	WannaCry (1).exe	taskkill.exe
PID 3588 wrote to memory of 4792	3588	WannaCry (1).exe	taskkill.exe
PID 3588 wrote to memory of 4792	3588	WannaCry (1).exe	taskkill.exe
PID 3588 wrote to memory of 1804	3588	WannaCry (1).exe	taskkill.exe
PID 3588 wrote to memory of 1804	3588	WannaCry (1).exe	taskkill.exe
PID 3588 wrote to memory of 1804	3588	WannaCry (1).exe	taskkill.exe
PID 3588 wrote to memory of 4584	3588	WannaCry (1).exe	taskkill.exe
PID 3588 wrote to memory of 4584	3588	WannaCry (1).exe	taskkill.exe
PID 3588 wrote to memory of 4584	3588	WannaCry (1).exe	taskkill.exe
PID 2972 wrote to memory of 4560	2972	chrome.exe	chrome.exe
PID 2972 wrote to memory of 4560	2972	chrome.exe	chrome.exe
PID 2972 wrote to memory of 516	2972	chrome.exe	chrome.exe
PID 2972 wrote to memory of 516	2972	chrome.exe	chrome.exe
PID 2972 wrote to memory of 516	2972	chrome.exe	chrome.exe
PID 2972 wrote to memory of 516	2972	chrome.exe	chrome.exe
PID 2972 wrote to memory of 516	2972	chrome.exe	chrome.exe
PID 2972 wrote to memory of 516	2972	chrome.exe	chrome.exe
PID 2972 wrote to memory of 516	2972	chrome.exe	chrome.exe
PID 2972 wrote to memory of 516	2972	chrome.exe	chrome.exe
PID 2972 wrote to memory of 516	2972	chrome.exe	chrome.exe
PID 2972 wrote to memory of 516	2972	chrome.exe	chrome.exe
PID 2972 wrote to memory of 516	2972	chrome.exe	chrome.exe
PID 2972 wrote to memory of 516	2972	chrome.exe	chrome.exe
PID 2972 wrote to memory of 516	2972	chrome.exe	chrome.exe
PID 2972 wrote to memory of 516	2972	chrome.exe	chrome.exe
PID 2972 wrote to memory of 516	2972	chrome.exe	chrome.exe
PID 2972 wrote to memory of 516	2972	chrome.exe	chrome.exe
PID 2972 wrote to memory of 516	2972	chrome.exe	chrome.exe
PID 2972 wrote to memory of 516	2972	chrome.exe	chrome.exe
PID 2972 wrote to memory of 516	2972	chrome.exe	chrome.exe
PID 2972 wrote to memory of 516	2972	chrome.exe	chrome.exe
PID 2972 wrote to memory of 516	2972	chrome.exe	chrome.exe
PID 2972 wrote to memory of 516	2972	chrome.exe	chrome.exe
PID 2972 wrote to memory of 516	2972	chrome.exe	chrome.exe
PID 2972 wrote to memory of 516	2972	chrome.exe	chrome.exe
PID 2972 wrote to memory of 516	2972	chrome.exe	chrome.exe
PID 2972 wrote to memory of 516	2972	chrome.exe	chrome.exe
PID 2972 wrote to memory of 516	2972	chrome.exe	chrome.exe
PID 2972 wrote to memory of 516	2972	chrome.exe	chrome.exe
PID 2972 wrote to memory of 516	2972	chrome.exe	chrome.exe
PID 2972 wrote to memory of 516	2972	chrome.exe	chrome.exe
PID 2972 wrote to memory of 516	2972	chrome.exe	chrome.exe
PID 2972 wrote to memory of 516	2972	chrome.exe	chrome.exe
PID 2972 wrote to memory of 516	2972	chrome.exe	chrome.exe
PID 2972 wrote to memory of 516	2972	chrome.exe	chrome.exe
PID 2972 wrote to memory of 516	2972	chrome.exe	chrome.exe
PID 2972 wrote to memory of 516	2972	chrome.exe	chrome.exe
PID 2972 wrote to memory of 516	2972	chrome.exe	chrome.exe
PID 2972 wrote to memory of 516	2972	chrome.exe	chrome.exe
PID 2972 wrote to memory of 2980	2972	chrome.exe	chrome.exe
PID 2972 wrote to memory of 2980	2972	chrome.exe	chrome.exe
PID 2972 wrote to memory of 3432	2972	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\WannaCry (1).exe
"C:\Users\Admin\AppData\Local\Temp\WannaCry (1).exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3588

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 153981700225449.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:3480

C:\Windows\SysWOW64\cscript.exe
cscript //nologo c.vbs
3⤵
PID:4100

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
!WannaDecryptor!.exe f
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3180

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im MSExchange*
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4172

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im sqlwriter.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4584

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im sqlserver.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1804

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Microsoft.Exchange.*
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4792

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /b !WannaDecryptor!.exe v
2⤵
PID:1828

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
!WannaDecryptor!.exe v
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3924

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
!WannaDecryptor!.exe c
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2016

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
!WannaDecryptor!.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1972

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
!WannaDecryptor!.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4912

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
!WannaDecryptor!.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2748

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
!WannaDecryptor!.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4244

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
!WannaDecryptor!.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4920

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
!WannaDecryptor!.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4600

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
!WannaDecryptor!.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4844

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
!WannaDecryptor!.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3732

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
!WannaDecryptor!.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3444

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
!WannaDecryptor!.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1280

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
!WannaDecryptor!.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2140

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
!WannaDecryptor!.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4360

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
!WannaDecryptor!.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4240

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
!WannaDecryptor!.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2156

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
!WannaDecryptor!.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:660

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2972

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffe9c329758,0x7ffe9c329768,0x7ffe9c329778
2⤵
PID:4560

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1652 --field-trial-handle=1804,i,2406890255951566395,6475180049754332420,131072 /prefetch:2
2⤵
PID:516

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2000 --field-trial-handle=1804,i,2406890255951566395,6475180049754332420,131072 /prefetch:8
2⤵
PID:2980

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2900 --field-trial-handle=1804,i,2406890255951566395,6475180049754332420,131072 /prefetch:1
2⤵
PID:2372

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2132 --field-trial-handle=1804,i,2406890255951566395,6475180049754332420,131072 /prefetch:1
2⤵
PID:2540

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2044 --field-trial-handle=1804,i,2406890255951566395,6475180049754332420,131072 /prefetch:8
2⤵
PID:3432

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4480 --field-trial-handle=1804,i,2406890255951566395,6475180049754332420,131072 /prefetch:1
2⤵
PID:4772

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4764 --field-trial-handle=1804,i,2406890255951566395,6475180049754332420,131072 /prefetch:8
2⤵
PID:948

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3760 --field-trial-handle=1804,i,2406890255951566395,6475180049754332420,131072 /prefetch:8
2⤵
PID:2680

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4796 --field-trial-handle=1804,i,2406890255951566395,6475180049754332420,131072 /prefetch:1
2⤵
PID:4420

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3896 --field-trial-handle=1804,i,2406890255951566395,6475180049754332420,131072 /prefetch:8
2⤵
PID:2136

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:412

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\StartRepair.dib"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5060

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s DeviceAssociationService
1⤵
PID:1800

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
"C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe"
1⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious use of SetWindowsHookEx
PID:2564

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
"C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4764

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\cfd4cf8dcb9742d38b1dd87ef1883f53 /t 2116 /p 2564
1⤵
PID:5048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\!WannaDecryptor!.exe.lnk

Filesize
1KB

MD5
e8c5bd1e8f6f0c1b08117f599ddc4dee

SHA1
1e8e8d1924eaac17b375920df5716da02e043f2b

SHA256
64be9aaa8d38c8c39784bde792abc51863b7620f10174d461f59207bdc992993

SHA512
55357da9a9943304823031f095e0df5f9182ddb5adcbcf005a7280ac60f751511aac0502f28fcc862cf70ea920356af622a6440f01b4584955efad082b4456d8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
e903cf19459cc9105062a56fb7076700

SHA1
c723ce478df1d6537d0dfa7d4e11d47c88ee6d66

SHA256
98a13e0592095bb1da691445b787587b00bea55a10675268a635a55c1033a5b0

SHA512
94886e73ead40fd3de1033464a2d19bac675e80c4c32cc806cd050c5fb5d047dd465f8eaf5766ac4269d254e0899d9698683ed1afc1a6e981fce82616fc2e68b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
29dc4b23d30696b8e12095ef96a217a9

SHA1
53537bd9fbebc8e5a38c0540746d28863d5690ee

SHA256
b03b89879a35cca4d9c4ece0b3137f9f46452035f86d166ac00dc89430bc36c6

SHA512
179f17f67abbbe4d8dce9e22495bfd4fdb5acf12b645d849ece984ece89a4816ca28422504812e5643d0938f0b1e024c8946873da14562c37b6a403a558ecf54

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
6b8191ab7e12acba1c33d4771d599952

SHA1
20afee55914a9cf56e5922a2012fd77aedb157f4

SHA256
19d069404135217b4494069c7860005617798f7fd73791c6c6746f613a9362f8

SHA512
6851dc26904b99c25c58adbfaf25e226c42cf171d8a427cd4f7b300b3fe571f38d62106561f7e07bd1392399e4bfb7f4f62865af51840c7559c9426f3233cd28

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
539B

MD5
2fffceabe1edd2c2ffd309177f82d533

SHA1
ddb187c6580541e2df0e7fe2983dcbf52e20741e

SHA256
5ea4be53e0972cd3ae3663dca11a46d5d2fd133fcdfc998d6104c5551c185a27

SHA512
338fb1ae6e027b0ea26c58abf775491c9b2eb66bf5d31303e8f6be448727330f79ff7f7301fff6c1c272ee4f94bbbe57b9e31e7ee8c73fd2c540ff78cd1be5fb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
7cba0f01360f969ff1d4b149c4effdad

SHA1
8e026f24e4558a19dd9b972029a02a8f21ce3048

SHA256
a295ed322f6595722d65f91edad42cc14e25b4f23cb90c066172e8ccc38f3a8d

SHA512
9601e363ed6777705c43ce7356e837b3146c2a6f064bfda95b34d91c95c0240a12da094fc2701aea47cbe25a503ec0dc9d57702ff1aa864f7a82a3c87c6b067e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
552f9c179241b98834d8d74e6b4b2550

SHA1
c804e0a6d0b67135b87485f2b7f5684094d9567d

SHA256
6738cc73be966ac6a6360415dbf4960805dbbd27a4418fb2485c588d605d10e7

SHA512
15bf245b2fc0b5ca4331e4020d2aee35a3b77427891c7b1fe9164f9575d887c1933f90b119c1083fbf6af6a63adf44d61d8cdd9e61016af7a07d35db2edd7f10

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
220KB

MD5
2483485ac1a578005576f9820c47fd23

SHA1
794ee1825388b0a6b63a734be52c3d995b9566ba

SHA256
5a8001e7caffe9ebf750551dceba425e0fe442a8a4bb793703c084f04273ccbd

SHA512
0e8101659ad1d0fafb1a9305b5ee2b312ecc9d97890a0275517b2ed6dd4bc41dc5d5d1d9395e3ea1f3cd33f096aad6cf4bf55a1e17c456a16a5595828a5f64d5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
220KB

MD5
7dd59ea8c685c0ebc44cb549c3310bab

SHA1
ab6308872e503c6861f64425922f57a5f6abe3eb

SHA256
cbd9263c4d4b0fa19b08f396a8f0c29acd68f96d1aa278bee5cc9967e3af4b07

SHA512
4abeeb9bd87be7259f5efb56fafeb8905db10fd30297b8636a7da1d5a4e9e72d70e95e708e550fe6d2d686c9dde05f3b5ab2435b5226263a5a1d27aeaf2b0d94

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\!Please Read Me!.txt

Filesize
797B

MD5
afa18cf4aa2660392111763fb93a8c3d

SHA1
c219a3654a5f41ce535a09f2a188a464c3f5baf5

SHA256
227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0

SHA512
4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe

Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe

Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe

Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe

Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe

Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe

Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe

Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe

Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe

Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe

Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe

Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe

Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe

Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe

Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe

Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe

Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe

Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe

Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe

Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe

Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe

Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe.lnk

Filesize
1KB

MD5
e8c5bd1e8f6f0c1b08117f599ddc4dee

SHA1
1e8e8d1924eaac17b375920df5716da02e043f2b

SHA256
64be9aaa8d38c8c39784bde792abc51863b7620f10174d461f59207bdc992993

SHA512
55357da9a9943304823031f095e0df5f9182ddb5adcbcf005a7280ac60f751511aac0502f28fcc862cf70ea920356af622a6440f01b4584955efad082b4456d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.res

Filesize
136B

MD5
1452e24fc85b73fed7fb7ecafe6120a0

SHA1
1949f63bc2d345b43511eba5e72ec4c931b24e64

SHA256
a607fe4143af2fe8bda0fd4c14cbee0a1eda7fbdae5b8425bb9999d4f49a23b9

SHA512
20a07b7ebde381147695f7405adbe71778e6cb73d2d69250dc3b64385f04526e9ca925e2509e9a3456a22cdb5b7f8e2bae4006f6b2de5a5e9a41906493a9e847

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.res

Filesize
136B

MD5
72583c290d237dbbf27813e76e980ad3

SHA1
5962ec790c5c5e4cada7d69eec83bca279737fc4

SHA256
500790ceb1368645dfee9a19fd00ef825fe1200d8f266409a3aa8130bb216914

SHA512
c9c35a76ad82db74a763118e62e634ac69900657d7219712b908d22d341616da9580bdf56960ea773fa4aecd4ba3e174790b589d73b22fae9971ab246144b855

Download Submit
C:\Users\Admin\AppData\Local\Temp\153981700225449.bat

Filesize
336B

MD5
3540e056349c6972905dc9706cd49418

SHA1
492c20442d34d45a6d6790c720349b11ec591cde

SHA256
73872a89440a2cba9d22bf4961c3d499ea2c72979c30c455f942374292fedadc

SHA512
c949d147100aef59e382c03abf7b162ae62a4d43456eebd730fbedcf5f95f5e1a24f6e349690d52d75331878a6ee8f6b88a7162ee9cf2a49e142196b12d0133c

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.vbs

Filesize
219B

MD5
5f6d40ca3c34b470113ed04d06a88ff4

SHA1
50629e7211ae43e32060686d6be17ebd492fd7aa

SHA256
0fb5039a2fe7e90cdf3f22140d7f2103f94689b15609efe0edcc8430dd772fc1

SHA512
4d4aa1abd2c9183202fd3f0a65b37f07ee0166ba6561f094c13c8ea59752c7bdd960e37c49583746d4464bc3b1dc0b63a1fe36a37ce7e5709cd76ed433befe35

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.wry

Filesize
628B

MD5
ca7a5ebf5a85e7de1363eacaa7efb8b9

SHA1
46d98f89010fd53c956731311ae241045cc89208

SHA256
dc689a30e3980372b6051710d4f685e4c682e29e9a0dc89fbca301dec1af7d46

SHA512
c7d4afd2a31862d3e50840c4d5a94c573ee2cdb2e32bc80eee41c5c5852be6f68f4ebeb2a7e50e5aa5b2e42c6c875c9dbc17a4a11b4c98a520558600d90e4655

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.wry

Filesize
628B

MD5
ca7a5ebf5a85e7de1363eacaa7efb8b9

SHA1
46d98f89010fd53c956731311ae241045cc89208

SHA256
dc689a30e3980372b6051710d4f685e4c682e29e9a0dc89fbca301dec1af7d46

SHA512
c7d4afd2a31862d3e50840c4d5a94c573ee2cdb2e32bc80eee41c5c5852be6f68f4ebeb2a7e50e5aa5b2e42c6c875c9dbc17a4a11b4c98a520558600d90e4655

Download Submit
C:\Users\Admin\AppData\Local\Temp\m.wry

Filesize
42KB

MD5
980b08bac152aff3f9b0136b616affa5

SHA1
2a9c9601ea038f790cc29379c79407356a3d25a3

SHA256
402046ada270528c9ac38bbfa0152836fe30fb8e12192354e53b8397421430d9

SHA512
100cda1f795781042b012498afd783fd6ff03b0068dbd07b2c2e163cd95e6c6e00755ce16b02b017693c9febc149ed02df9df9b607e2b9cca4b07e5bd420f496

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.wry

Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
C:\Users\Admin\Desktop\!WannaDecryptor!.exe.lnk

Filesize
1KB

MD5
e8c5bd1e8f6f0c1b08117f599ddc4dee

SHA1
1e8e8d1924eaac17b375920df5716da02e043f2b

SHA256
64be9aaa8d38c8c39784bde792abc51863b7620f10174d461f59207bdc992993

SHA512
55357da9a9943304823031f095e0df5f9182ddb5adcbcf005a7280ac60f751511aac0502f28fcc862cf70ea920356af622a6440f01b4584955efad082b4456d8

Download Submit
\??\pipe\crashpad_2972_OTUNLKQLODVOYVUU

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/3588-6-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download