wannacry | hxxps://github[.]com/Endermanch/MalwareDatabase/raw/master/ransomwares/WannaCrypt0r[.]zip

Analysis

max time kernel
269s
max time network
270s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
17-03-2024 02:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Endermanch/MalwareDatabase/raw/master/ransomwares/WannaCrypt0r.zip

Score

10^/10

wannacry discovery persistence ransomware worm

Malware Config

Extracted

Path

C:\Users\Admin\Documents\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94 Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Drops startup file 1 IoCs

Processes:

[email protected]

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDB964.tmp	[email protected]

Executes dropped EXE 20 IoCs

Processes:

taskdl.exe@[email protected]@[email protected]taskhsvc.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exe

pid	process
1708	taskdl.exe
1616	@[email protected]
568	@[email protected]
592	taskhsvc.exe
1520	@[email protected]
2348	taskdl.exe
2424	taskse.exe
2452	@[email protected]
1604	taskdl.exe
1672	taskse.exe
2196	@[email protected]
2812	taskdl.exe
2956	taskse.exe
2228	@[email protected]
2828	taskse.exe
2232	@[email protected]
1704	taskdl.exe
2924	taskse.exe
2916	@[email protected]
2508	taskdl.exe

Loads dropped DLL 45 IoCs

Processes:

[email protected]cscript.execmd.exe@[email protected]taskhsvc.exe

pid	process
2244	[email protected]
2244	[email protected]
2688	cscript.exe
2244	[email protected]
2244	[email protected]
1876	cmd.exe
1876	cmd.exe
1616	@[email protected]
1616	@[email protected]
592	taskhsvc.exe
592	taskhsvc.exe
592	taskhsvc.exe
592	taskhsvc.exe
592	taskhsvc.exe
592	taskhsvc.exe
2244	[email protected]
2244	[email protected]
2244	[email protected]
2244	[email protected]
2244	[email protected]
2244	[email protected]
2244	[email protected]
2244	[email protected]
2244	[email protected]
2244	[email protected]
2244	[email protected]
2244	[email protected]
2244	[email protected]
2244	[email protected]
2244	[email protected]
2244	[email protected]
2244	[email protected]
2244	[email protected]
2244	[email protected]
2244	[email protected]
2244	[email protected]
2244	[email protected]
2244	[email protected]
2244	[email protected]
2244	[email protected]
2244	[email protected]
2244	[email protected]
2244	[email protected]
2244	[email protected]
2244	[email protected]

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

2360 icacls.exe

pid	process
2360	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ixmdcdcnvakydpr008 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Temp1_WannaCrypt0r.zip\\tasksche.exe\""	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs

Web Service

T1102

Processes:

flow	ioc
25	raw.githubusercontent.com
26	raw.githubusercontent.com
34	raw.githubusercontent.com
35	raw.githubusercontent.com
22	raw.githubusercontent.com
23	raw.githubusercontent.com
24	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

[email protected]@[email protected]

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1188 vssadmin.exe

pid	process
1188	vssadmin.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = d07647851078da01	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEiexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A2E21381-E403-11EE-9966-EA483E0BCDAF} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "416803365"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002dcc56832ee45b40af0f973e997a3e3e0000000002000000000010660000000100002000000035a11150ce13dfa0fd75a7ab5e19703a92bad480f5bf677fbb5e3553aa98124f000000000e8000000002000020000000bc709d7e6676e839031b334ef62bf5ad43aedbf8e8ae00faee15eb479360b30d9000000072816180ab7aab8509e08d4500cbd6afaffc8d5c2dfd9af4de83d1df3ac0a31b5746debe758e9fcb69b0ff7e82d20342ac8edb4c9c90d65feb03e2017dbb9b9ec13788d5d703bc4cd4a1ed5790862ea8df9170ec0adbed136ea19f08eb27c9754ec421dc36b51dec9654883afb79ed64a9e71979fbabfd0fe1f0472ec750ade0433e5686f904fde387751d7bbaa70a0a400000006d91ebcfe0bf0d9ff52e4b9e430c4684653b0c876890f1a5a28a831bf319d2142e60d75840bd7043d3f2bdbe11d9821f9f6815daec6a69fa019afde3f31e7ea9	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\DownloadWindowPlacement = 2c0000000000000000000000ffffffffffffffffffffffffffffffff100100003d000000900300001d020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002dcc56832ee45b40af0f973e997a3e3e00000000020000000000106600000001000020000000f6898b3971c07261126d1c661cdb433a09ea2dcac45b78c6a6a3987b4a166713000000000e8000000002000020000000bafe731fbba6e7896a3d3bf8bb912e094340e90981876440d2034b4da1d452a8200000006018a62c17f87969addddbb86dcadfdb8ab60eaf7d7344af21650add76aaf5d0400000004e2f9d887b3ddf046adcbadd96b78f5c9db75b55c0c1186281d6fd906e0211bec27d0e79d3dab936bc6f9777f3bf74339ee7775f5f964d1a20adf4adf89537f8	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a00582821078da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe

Modifies registry class 21 IoCs

Processes:

rundll32.exerundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\WNCRY_auto_file\shell\open\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\ex__auto_file	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.WNCRY	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\WNCRY_auto_file\shell\edit	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\ex__auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\ex__auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\WNCRY_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\WNCRY_auto_file\shell\edit\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.ex_	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.ex_\ = "ex__auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\ex__auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\ex__auto_file\shell	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\WNCRY_auto_file\shell\edit\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\WNCRY_auto_file\shell\open	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\WNCRY_auto_file\shell\open\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_Classes\Local Settings	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\ex__auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\WNCRY_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.WNCRY\ = "WNCRY_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\WNCRY_auto_file\shell	rundll32.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

2704 reg.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

2408 NOTEPAD.EXE
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

taskhsvc.exe

pid process

592 taskhsvc.exe
592 taskhsvc.exe
592 taskhsvc.exe
Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

@[email protected]rundll32.exe

pid process

1520 @[email protected]
2200 rundll32.exe

pid	process
2704	reg.exe

pid	process
2408	NOTEPAD.EXE

pid	process
592	taskhsvc.exe
592	taskhsvc.exe
592	taskhsvc.exe

pid	process
1520	@[email protected]
2200	rundll32.exe

Suspicious use of AdjustPrivilegeToken 53 IoCs

Processes:

vssvc.exeWMIC.exetaskse.exetaskse.exetaskse.exetaskse.exetaskse.exe

description	pid	process
Token: SeBackupPrivilege	296	vssvc.exe
Token: SeRestorePrivilege	296	vssvc.exe
Token: SeAuditPrivilege	296	vssvc.exe
Token: SeIncreaseQuotaPrivilege	2804	WMIC.exe
Token: SeSecurityPrivilege	2804	WMIC.exe
Token: SeTakeOwnershipPrivilege	2804	WMIC.exe
Token: SeLoadDriverPrivilege	2804	WMIC.exe
Token: SeSystemProfilePrivilege	2804	WMIC.exe
Token: SeSystemtimePrivilege	2804	WMIC.exe
Token: SeProfSingleProcessPrivilege	2804	WMIC.exe
Token: SeIncBasePriorityPrivilege	2804	WMIC.exe
Token: SeCreatePagefilePrivilege	2804	WMIC.exe
Token: SeBackupPrivilege	2804	WMIC.exe
Token: SeRestorePrivilege	2804	WMIC.exe
Token: SeShutdownPrivilege	2804	WMIC.exe
Token: SeDebugPrivilege	2804	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2804	WMIC.exe
Token: SeRemoteShutdownPrivilege	2804	WMIC.exe
Token: SeUndockPrivilege	2804	WMIC.exe
Token: SeManageVolumePrivilege	2804	WMIC.exe
Token: 33	2804	WMIC.exe
Token: 34	2804	WMIC.exe
Token: 35	2804	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2804	WMIC.exe
Token: SeSecurityPrivilege	2804	WMIC.exe
Token: SeTakeOwnershipPrivilege	2804	WMIC.exe
Token: SeLoadDriverPrivilege	2804	WMIC.exe
Token: SeSystemProfilePrivilege	2804	WMIC.exe
Token: SeSystemtimePrivilege	2804	WMIC.exe
Token: SeProfSingleProcessPrivilege	2804	WMIC.exe
Token: SeIncBasePriorityPrivilege	2804	WMIC.exe
Token: SeCreatePagefilePrivilege	2804	WMIC.exe
Token: SeBackupPrivilege	2804	WMIC.exe
Token: SeRestorePrivilege	2804	WMIC.exe
Token: SeShutdownPrivilege	2804	WMIC.exe
Token: SeDebugPrivilege	2804	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2804	WMIC.exe
Token: SeRemoteShutdownPrivilege	2804	WMIC.exe
Token: SeUndockPrivilege	2804	WMIC.exe
Token: SeManageVolumePrivilege	2804	WMIC.exe
Token: 33	2804	WMIC.exe
Token: 34	2804	WMIC.exe
Token: 35	2804	WMIC.exe
Token: SeTcbPrivilege	2424	taskse.exe
Token: SeTcbPrivilege	2424	taskse.exe
Token: SeTcbPrivilege	1672	taskse.exe
Token: SeTcbPrivilege	1672	taskse.exe
Token: SeTcbPrivilege	2956	taskse.exe
Token: SeTcbPrivilege	2956	taskse.exe
Token: SeTcbPrivilege	2828	taskse.exe
Token: SeTcbPrivilege	2828	taskse.exe
Token: SeTcbPrivilege	2924	taskse.exe
Token: SeTcbPrivilege	2924	taskse.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

iexplore.exe

pid process

2156 iexplore.exe
2156 iexplore.exe
2156 iexplore.exe

Suspicious use of SetWindowsHookEx 19 IoCs

Processes:

iexplore.exeIEXPLORE.EXE@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]AcroRd32.exe@[email protected]@[email protected]

pid	process
2156	iexplore.exe
2156	iexplore.exe
2528	IEXPLORE.EXE
2528	IEXPLORE.EXE
2528	IEXPLORE.EXE
2528	IEXPLORE.EXE
1616	@[email protected]
1616	@[email protected]
568	@[email protected]
568	@[email protected]
1520	@[email protected]
1520	@[email protected]
2452	@[email protected]
2196	@[email protected]
2228	@[email protected]
1144	AcroRd32.exe
1144	AcroRd32.exe
2232	@[email protected]
2916	@[email protected]

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

iexplore.exe[email protected]cmd.execmd.exe@[email protected]@[email protected]cmd.exe

description	pid	process	target process
PID 2156 wrote to memory of 2528	2156	iexplore.exe	IEXPLORE.EXE
PID 2156 wrote to memory of 2528	2156	iexplore.exe	IEXPLORE.EXE
PID 2156 wrote to memory of 2528	2156	iexplore.exe	IEXPLORE.EXE
PID 2156 wrote to memory of 2528	2156	iexplore.exe	IEXPLORE.EXE
PID 2244 wrote to memory of 2448	2244	[email protected]	attrib.exe
PID 2244 wrote to memory of 2448	2244	[email protected]	attrib.exe
PID 2244 wrote to memory of 2448	2244	[email protected]	attrib.exe
PID 2244 wrote to memory of 2448	2244	[email protected]	attrib.exe
PID 2244 wrote to memory of 2360	2244	[email protected]	icacls.exe
PID 2244 wrote to memory of 2360	2244	[email protected]	icacls.exe
PID 2244 wrote to memory of 2360	2244	[email protected]	icacls.exe
PID 2244 wrote to memory of 2360	2244	[email protected]	icacls.exe
PID 2244 wrote to memory of 1708	2244	[email protected]	taskdl.exe
PID 2244 wrote to memory of 1708	2244	[email protected]	taskdl.exe
PID 2244 wrote to memory of 1708	2244	[email protected]	taskdl.exe
PID 2244 wrote to memory of 1708	2244	[email protected]	taskdl.exe
PID 2244 wrote to memory of 2180	2244	[email protected]	cmd.exe
PID 2244 wrote to memory of 2180	2244	[email protected]	cmd.exe
PID 2244 wrote to memory of 2180	2244	[email protected]	cmd.exe
PID 2244 wrote to memory of 2180	2244	[email protected]	cmd.exe
PID 2180 wrote to memory of 2688	2180	cmd.exe	cscript.exe
PID 2180 wrote to memory of 2688	2180	cmd.exe	cscript.exe
PID 2180 wrote to memory of 2688	2180	cmd.exe	cscript.exe
PID 2180 wrote to memory of 2688	2180	cmd.exe	cscript.exe
PID 2244 wrote to memory of 2708	2244	[email protected]	attrib.exe
PID 2244 wrote to memory of 2708	2244	[email protected]	attrib.exe
PID 2244 wrote to memory of 2708	2244	[email protected]	attrib.exe
PID 2244 wrote to memory of 2708	2244	[email protected]	attrib.exe
PID 2244 wrote to memory of 1616	2244	[email protected]	@[email protected]
PID 2244 wrote to memory of 1616	2244	[email protected]	@[email protected]
PID 2244 wrote to memory of 1616	2244	[email protected]	@[email protected]
PID 2244 wrote to memory of 1616	2244	[email protected]	@[email protected]
PID 2244 wrote to memory of 1876	2244	[email protected]	cmd.exe
PID 2244 wrote to memory of 1876	2244	[email protected]	cmd.exe
PID 2244 wrote to memory of 1876	2244	[email protected]	cmd.exe
PID 2244 wrote to memory of 1876	2244	[email protected]	cmd.exe
PID 1876 wrote to memory of 568	1876	cmd.exe	@[email protected]
PID 1876 wrote to memory of 568	1876	cmd.exe	@[email protected]
PID 1876 wrote to memory of 568	1876	cmd.exe	@[email protected]
PID 1876 wrote to memory of 568	1876	cmd.exe	@[email protected]
PID 1616 wrote to memory of 592	1616	@[email protected]	taskhsvc.exe
PID 1616 wrote to memory of 592	1616	@[email protected]	taskhsvc.exe
PID 1616 wrote to memory of 592	1616	@[email protected]	taskhsvc.exe
PID 1616 wrote to memory of 592	1616	@[email protected]	taskhsvc.exe
PID 568 wrote to memory of 2200	568	@[email protected]	cmd.exe
PID 568 wrote to memory of 2200	568	@[email protected]	cmd.exe
PID 568 wrote to memory of 2200	568	@[email protected]	cmd.exe
PID 568 wrote to memory of 2200	568	@[email protected]	cmd.exe
PID 2200 wrote to memory of 1188	2200	cmd.exe	vssadmin.exe
PID 2200 wrote to memory of 1188	2200	cmd.exe	vssadmin.exe
PID 2200 wrote to memory of 1188	2200	cmd.exe	vssadmin.exe
PID 2200 wrote to memory of 1188	2200	cmd.exe	vssadmin.exe
PID 2200 wrote to memory of 2804	2200	cmd.exe	WMIC.exe
PID 2200 wrote to memory of 2804	2200	cmd.exe	WMIC.exe
PID 2200 wrote to memory of 2804	2200	cmd.exe	WMIC.exe
PID 2200 wrote to memory of 2804	2200	cmd.exe	WMIC.exe
PID 2244 wrote to memory of 2348	2244	[email protected]	taskdl.exe
PID 2244 wrote to memory of 2348	2244	[email protected]	taskdl.exe
PID 2244 wrote to memory of 2348	2244	[email protected]	taskdl.exe
PID 2244 wrote to memory of 2348	2244	[email protected]	taskdl.exe
PID 2244 wrote to memory of 2424	2244	[email protected]	taskse.exe
PID 2244 wrote to memory of 2424	2244	[email protected]	taskse.exe
PID 2244 wrote to memory of 2424	2244	[email protected]	taskse.exe
PID 2244 wrote to memory of 2424	2244	[email protected]	taskse.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

2448 attrib.exe
2708 attrib.exe

pid	process
2448	attrib.exe
2708	attrib.exe

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://github.com/Endermanch/MalwareDatabase/raw/master/ransomwares/WannaCrypt0r.zip
1⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2156

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2156 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2528

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\[email protected]
"C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\[email protected]"
1⤵
- Drops startup file
- Loads dropped DLL
- Sets desktop wallpaper using registry
- Suspicious use of WriteProcessMemory
PID:2244

C:\Windows\SysWOW64\attrib.exe
attrib +h .
2⤵
- Views/modifies file attributes
PID:2448

C:\Windows\SysWOW64\icacls.exe
icacls . /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:2360

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:1708

C:\Windows\SysWOW64\cmd.exe
cmd /c 148981710641579.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:2180

C:\Windows\SysWOW64\cscript.exe
cscript.exe //nologo m.vbs
3⤵
- Loads dropped DLL
PID:2688

C:\Windows\SysWOW64\attrib.exe
attrib +h +s F:\$RECYCLE
2⤵
- Views/modifies file attributes
PID:2708

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
@[email protected] co
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1616

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\TaskData\Tor\taskhsvc.exe
TaskData\Tor\taskhsvc.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:592

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /b @[email protected] vs
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1876

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
@[email protected] vs
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:568

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
4⤵
- Suspicious use of WriteProcessMemory
PID:2200

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
5⤵
- Interacts with shadow copies
PID:1188

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2804

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:2348

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2424

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2452

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "ixmdcdcnvakydpr008" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\tasksche.exe\"" /f
2⤵
PID:2992

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "ixmdcdcnvakydpr008" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\tasksche.exe\"" /f
3⤵
- Adds Run key to start application
- Modifies registry key
PID:2704

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:1604

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1672

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2196

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:2812

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2956

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2228

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2828

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2232

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:1704

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2924

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2916

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:2508

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:296

C:\Users\Admin\Desktop\@[email protected]
"C:\Users\Admin\Desktop\@[email protected]"
1⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1520

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
1⤵
PID:2304

C:\Program Files (x86)\Windows Media Player\setup_wm.exe
"C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
2⤵
PID:808

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\SelectInitialize.ex_
1⤵
- Modifies registry class
PID:1228

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\Desktop\SelectInitialize.ex_"
2⤵
- Suspicious use of SetWindowsHookEx
PID:1144

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\WriteJoin.png.WNCRY
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:2200

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\WriteJoin.png.WNCRY
2⤵
- Opens file in notepad (likely ransom note)
PID:2408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
dd7bf8bed162425d4344397653773d36

SHA1
57e9a7c7fc8b8bde40d1b5e7cd444355cb5e8012

SHA256
fe854126efdebe0622c1e7915084001e40d7a01c8cdff73187e9b5bf5d0b7787

SHA512
c0b2500a88b81ac933e57ba9267038e5a302bc7277fb89fa0147020ac9d46843f217a542ef95a5c3bf752703abe4605df034bae50e5ee8e48975996c942576da

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
41d90179d377bfaddcd93bfd1daec3b2

SHA1
11c5dd50fce568426c38fbb0d5933e1622e65be1

SHA256
bbf8d81a4b729e3dd4d1bfb56761e1e2a0a73584fd499bc9b440675dc4438d2d

SHA512
9e05635934529a526c0a535e06dc3f37391c1a185a72a9badb6913fb776f6720dc089b62b62a3e1a7023a15c7f4d40e76115015fbdfde182c4756ebb3428dc69

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f6924d03262926484cbf42a0c1bcbe19

SHA1
43343d81b70e1eeaa2f2208ccebda71517fa924a

SHA256
1e9acaf5cfb5ac87044c74a070070563551bc624b08ab4986dcf61ebb896bf36

SHA512
254fef519c6c7b50200db8e9ef97cd62b50d940237820796ca0655e6b049efcee289cc77f340d2f6e43eab61dfe46f6424c4a61e20d723ff646083489317b638

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
450b089cd30aec005376f92ffb62ac88

SHA1
c2306a3fe3b1832c15727a9d8de65ab45b386548

SHA256
8518bbd6badbfcd1edf33c062e7b4b8bbc145d5d7da1ed61a436dc7f3c9ea450

SHA512
86773022a192a7a86ad08197b549f40b8c44be43d0aa0d439119a725400016c56be411356a754f751bea74a293417c2ff4afceb11a1879b63a1ee4c1b0b92007

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6963861da9abeff2fb46b9b4405fd7be

SHA1
f69bbc3b07c6742ad4a85baa691d29969aa320b6

SHA256
fb6a8ad0400f8c5e5bf7b7ee44004c80a2d269e1b4242a39662fe4b7a1cfde62

SHA512
ac5938eba88449d19aca2553943ca8fb285ac70a0860ea4fba4b6ae186a49ab4aa34db1c70ee984926fd830d38f327389c9b8a4c3ad518806f287cd5beb9d809

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3feda9f5219839fe1389eb8a1fa94fda

SHA1
65fd8fa603c5165e342223ef204e50d4e190cd9a

SHA256
86b6101b93631ea90b3baef16880416601e731bde6a409d40179d806f703e749

SHA512
ca2e1fdc97607691d2516675aadb8d1638c75a935ee55b115663d44b8f8f2f1a361973aeaf68bb328d302ebc2f603c75a5e677365d37fd431184ffaa91995d3c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1e4fc42d59b46ec973b88c90010cb3c9

SHA1
2dacb6f224c920d9573a3c1e63b7fcb456f47631

SHA256
6456f8077cefa67739f678701e081617688a33773661e1f67307b976e81671fd

SHA512
140af784dadecbcc79f6855761f73d83df5d3e4b74e65471f552911bea316752b610b4ed6facb8150e9ede3059f4e1ee01d6d43a370dd72c398c58483ebaab71

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a84f216bcbf5b2f6766c653508d64e20

SHA1
12605f1ad704f58f97306e1e4760dc56716626e0

SHA256
2d35f7f6a7dc06311b1b3028f9ce0cab7aa76c3d84e04814ca437a47eb914fdb

SHA512
3a575b09ac5cd06e82c3a0101843073802db2db117ac026103c70598b73458de5247cff2378285b2a84727fc96405b7038b94ce1fec7f18498437ab0c75a6a5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4e86e9c871e620ba51ad58c524e6bbd2

SHA1
baa3656b1f63c3ff6a0f53e3397ba045f999d553

SHA256
6399a488cae1a46aada69c11c29bc0e1e11eb76481aa5af9c9cf00133f43973c

SHA512
0f688f0cf1b8a80a7a15c791b7d92a10cb5292c0afcd3f3c1544f4a5c09b01e528657bb1c60624dde1bf09cf7ccb729db735efabf782a3e74ce2fea78722b5ec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ee74f6db03931c0a655dac66c1548c43

SHA1
32a7576d7bb2c21af5501abf6b229a9c027f1f62

SHA256
02626ef7b4de0e1ac240834f0b3f2817758e5fb683da0d8bcaa88596ae3e4e33

SHA512
7987480ff6dca6c5277889dc93b5ccda3964dba84606d31e2fd17f5362dd4c5b37e8903f78d1058cd611ff68e597a7302e36f4e87e07b08a944338fa685e33e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6e13164da40bbd8b61d8e8d9c6369799

SHA1
7eab23d57349302d7bf6055ac5a4647993c179f7

SHA256
3184d4b87cb959f0a112b3dc87d8e24d9f040ca0253b509ca5602d488823ec7e

SHA512
ac82fc36963d16eb7d9b97efad1f06a946aa95b8195f5dd4eba4988730d3a9f166553cbb4aa88139e2689eba1b3dfab306f091e58122241490dca770a5dbb016

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5eda7fd1e4a59492bc5fca0b9467d683

SHA1
88c5915e4c677bc025a88eecc15f7ab245ca8a9c

SHA256
4d6ebe11ae85dba39f9cf8cdda0becdd7faf952c7fed377dff2216b8e0b05c74

SHA512
9804e59d8b833cc593c5d119a4afd59387f574c7312369728738d5f5a5395831f30d57c22457695ee96d2ba7a285155f63d9405da38e4383badff7d06a900d89

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6ef9af1a748af382512a45e5a32b44d6

SHA1
24296ec49d97935fdfa632929d061fb8489232cd

SHA256
023669d06408705c98535592fc14f012fc64a16d06bdd494dfaf769841c752cc

SHA512
d741c01874a9830fcedbcaab5251892a2d3d38c47f036e183da0ffb56fbdb8ce6a18f9fae6f0e788cac940319bf71694c43ac2f7dc73eb4e2e08cfb8aaa1e1ef

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0e4e1ac40758a2668ee3fd9ac56f11e5

SHA1
f0952e6176db214b1e47286702549f1dc29c41c9

SHA256
bd2ae3f177dede820bd1e1eb2e52d282b14fdce4ae23ff187cc131261013c65f

SHA512
0781e80eba2f3ae6c55106674309c74f240e709367d6a58914b27e1b1ec0423307874a1018429f99a7caec6c1bb79396d14f2e948b0abdd9f97a7a15795e3aa7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
006085853154962564194e49b41d34cd

SHA1
6ed857b0a0bd745e15e43f93d067fb638bbf4732

SHA256
07975b782653900039ae9eca62c90803fb12999b8a185649795cb54346d0e2ce

SHA512
1e14509109fbcaa29dc33f1fd3d33e3c23e42acae29fab827d8206339790ca5c168e638501986a316a1488d20784a491152a376fc970d7e43ea0017111f0379c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
363b4a1995ec8499650f3d31dd6e3794

SHA1
53328137727925ce742e280c8f48f3276ab58ae9

SHA256
cb4b3dd5977ec1bd941d6fccddafa383cdf7053c4fe9bcc98e97632922549a06

SHA512
50c4d0eeef6da58c995d08d5e3336e91e410be6354da429f0130e98b88b0483e09103b8a7f7b1d078726e6ea7f763ee5683b8e7ea110025e22efc55f1e0e3db4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
89b0edb9dec8f0604b8a7a0ce2a599d3

SHA1
9f3c0f97c0f58da2221bdb465e4e4f1ce4af6051

SHA256
ba0dcfcca1ef226c6ebcafe0a5782aa09ecc990509c884582912deb3b1a0f730

SHA512
d975d3e585ac330955bf55ad5dc0382446f9bafe82ed7fe130d1041cf26ce80c5f6cbdabbc2635f3c67fbdef5c3a15d043e425a246a076bd61ed0da61f28f4df

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
aa85c35e154e1d1f940e2fef595f0f69

SHA1
10bb556f8d9276128c76a3c018aa77350494c0ec

SHA256
16462aa7e43f64cfc56c111601df77d2d74ce09a5b28764db5d68d20226033dc

SHA512
b54d13d22dea06d16be0d60f129b0ee40c1d63aa67437241a6c1ab975180288f790f246bf6e65bffd6ff673123cfeb50d91648081a3cc5bd31f922fd864f63e4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a81d3f4aeddc84cdff2ecf690fc9dc90

SHA1
0d8aeb4afb40eccf80937dd6e9fd012a5bac56f0

SHA256
05030dfa6949310dac844cca671c85773055917a461637ff1e899f9e89b6878d

SHA512
3f3c6f9df1cf3324cdc710620103b52ea1831519d6df4f2717eab9387f93347f422934d43fcec3f50546eb2459624f1dfbfbe5b08ebf343ad3e1bfe56bb1d946

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
abba7b8f2108582eb9a15f2b71596fbf

SHA1
7b4b1c2c3d102b4018a20598d614aebd8eb6ef2f

SHA256
f80364197aeea0d9bfff90f1ab32d8a013558a83998ca7312919fafa51303843

SHA512
62fe118e007ef9f407f0c9056d284ed7632fb2026bed224ff271ececcb88cb53916676d42aaa2d243f3bde53f418228dee8fc3881e645a8c1d3878a83deb3ba9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
827c0308e8e16bca3f058165af67ab61

SHA1
576fbfbe7c04a42d2bdd33d134fcdef790d7149c

SHA256
8ed8b7594b62a71624dba047b8e278bb6c20fd968369b09711ee7b412b291578

SHA512
5509fb071edc1b4c2d44cd567e52581253f25ed175c0c04368f80ba23b691fc08cd960a5ff026e183769f64acbeb828ef9dcede017cc893f613a01478340c72c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
eb72fe73e8ab0c61ac7ea856b789adcd

SHA1
6e6c048ba2b1077302266f7727ca75255baf10cb

SHA256
f8b2e5b960aa91a083ea5e0a87411fc09ceccdec5ec5f1a927ce671d2240e659

SHA512
d961ab3aee6528840cb5cfc68d9823e09092d6c7c88742ecec414938a2c3ba4b323f5c3695c35500e28658f785792933aad5fda57a1266a7db5f2b5e549c23f0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
74659cbec1e7b807eafb881583317cf0

SHA1
13c69ff0f5359ed421f5e9e6d44ac03a977ed178

SHA256
98de8911e89fce4f7c8f016e7ebd8d5cd5e5441d18c4eb8f6fc78e4db5085330

SHA512
6fd9677a7cc9833dfc0d86b9aa7917aa37eecf587a6209f3dbbaf2dc08ee55158da318de6792fd612509e285b0abb01b24b6460800d72ff5077ea494d4111d2d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
12c8da2a9714c50eb944022e26c2027d

SHA1
6c61c514ae5056d3ef45b4d567161d90a0cd3c54

SHA256
675f67b5cfb8fdcb66382a5d977bdc564f462bac36926206c72115fd67289012

SHA512
10a62ed464e14c8639376342052b95bf6d3f54b59015e4f1a6e98e0cde3eacf5565ee3e9d041ead5f2fd8fb2d35eeb247a4884ee3095c044aff0ce6430caf159

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2b3f56e3d533230512f8bd56a7ad7de5

SHA1
55b7627ea5f9f313655f7d745e5dcf3f2e2f616b

SHA256
9f5c1ea1aabdd72f7c87a3574fa4677fd0dbb1a7359d83f2ae8688f159ab07ea

SHA512
28e9219d53c1c56ba4089a2decc8021c60a2bbf917eb4ccb44c4ef2ef75d3431a11732bcf77acc6a98184ea75061e0e0b919ed27bcebb7212675402638e065e2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8514b8ba0a9a56bd07b862773eb046e3

SHA1
476936a308bbede9e98bc3c22d0923b3cdb63c74

SHA256
84eefdf58d0d19117d608a14d3f2c404d2e5492bf839b119222005e4697c2091

SHA512
90f9fe825aedc1f397a32953377f13e0281344f4e28e023fc3a256f9538f19f22f74b4d9cceae48adcc1d3d6bf3931ce8d2f98a09e186de4af2b7b7fa5c1446c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b9ac99bd0c0847b88505e882397d5d6d

SHA1
87a397e300eccda26673faab1d9cd32d7aab33e6

SHA256
7a9c966b5c17aa492ebe6971f4e4947c9a4cdec90e96c222fe83ccd6a5fd02e1

SHA512
e294334177d3acc5b36f9928873d8fd79b330dbc3439a71c8dc9417ace37b3437591660ae7d8a2550eb925b2cc0cd8154b8faf46741c3670b5e2a153f0ac58c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4JZQ5QLK\WannaCrypt0r.zip.yrat6bx.partial

Filesize
3.3MB

MD5
e58fdd8b0ce47bcb8ffd89f4499d186d

SHA1
b7e2334ac6e1ad75e3744661bb590a2d1da98b03

SHA256
283f40e9d550833bec101a24fd6fd6fbd9937ed32a51392e818ffff662a1d30a

SHA512
95b6567b373efa6aec6a9bfd7af70ded86f8c72d3e8ba75f756024817815b830f54d18143b0be6de335dd0ca0afe722f88a4684663be5a84946bd30343d43a8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8ADCJI8Z\WannaCrypt0r[1].zip

Filesize
871KB

MD5
4f7c5b6be8998222820625b4c4da2d04

SHA1
94dc62fd2dd6f46390b0de6ff98bb957c9025990

SHA256
3ac2e1c2be76f7010e1b31341bfdfccc3c2af49a010f9f507ec63e4f9345c4c1

SHA512
ca899d1c31cce806fdc3471c4a4ba159750ffc54bcbc8c5e217826d639275b451f342958094b2fd8c7c80758dfa377e2335af19ca04ec68b99a011e341bcd8d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2628.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2787.tmp

Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\148981710641579.bat

Filesize
386B

MD5
4f328f9964cb23a802584c5c078ba721

SHA1
30a34d991a386e7f32b2c234ef4731d0605b9516

SHA256
3089e9cd50dc6c3486d1ce4029ef026476cf03bd10dab76a63f2d70fa1e9979a

SHA512
fc6b14db9f622f6a114b34f275c72a70b793ee7250591a43ef74ef58b8beddd9855ed12b8c499e657bef4e0918e5302cacf00a7d3e4b94ea6ef7c55243797f30

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]

Filesize
1KB

MD5
17463075ca4b8bf74a6ad010df237050

SHA1
3090919fe535d71b4c130cde3cd08c3dcf6c34f8

SHA256
32f91ddccab830da5f71192c761e640d88a7c29235019529f03afbcdfd63cee4

SHA512
e751a6c6b345e6bd24c084930e54fc87bba3b05f7400d54827e1d69054f5fca578429cebc720cda1a56b89e4aae7286b4fc8b5a1a18fae29f1c5c66646546d70

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\TaskData\Tor\taskhsvc.exe

Filesize
2.9MB

MD5
dfca2b5c43c652dc85d33769be8ca09b

SHA1
d30dfc942fc4851a20705559bd63ef11167eaed7

SHA256
c9195317ba93c42ba7b3f4905bc17dfc3b3e03e5ebda9f29da8737b1b80856d1

SHA512
c354592eaf0a4e9b0edcabcc17d6d869650254d34b699f8da7c50cebf53b2d3e8d47593b7e085c1cbd990f66d38f34af2f15e34a26789da46518401eaa726972

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\b.wnry

Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\c.wnry

Filesize
780B

MD5
93f33b83f1f263e2419006d6026e7bc1

SHA1
1a4b36c56430a56af2e0ecabd754bf00067ce488

SHA256
ef0ed0b717d1b956eb6c42ba1f4fd2283cf7c8416bed0afd1e8805ee0502f2b4

SHA512
45bdd1a9a3118ee4d3469ee65a7a8fdb0f9315ca417821db058028ffb0ed145209f975232a9e64aba1c02b9664c854232221eb041d09231c330ae510f638afac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\m.vbs

Filesize
265B

MD5
ba6f59fde07f1793125c22894197a9e5

SHA1
0e778c94464e0bdd535c7aa8693a90e0a93ae95f

SHA256
2284ebff84da9accea9c25c805a9cb5bfb1946af1313901b545fa3a321df7f98

SHA512
990e203c2f189ab5e61e76896bd19532c268074555248363266af8ea92396644c8772fd8e6d3d34209558ab9e246943aebc61df48cb660d7a50705d52f846b6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_bulgarian.wnry

Filesize
46KB

MD5
95673b0f968c0f55b32204361940d184

SHA1
81e427d15a1a826b93e91c3d2fa65221c8ca9cff

SHA256
40b37e7b80cf678d7dd302aaf41b88135ade6ddf44d89bdba19cf171564444bd

SHA512
7601f1883edbb4150a9dc17084012323b3bfa66f6d19d3d0355cf82b6a1c9dce475d758da18b6d17a8b321bf6fca20915224dbaedcb3f4d16abfaf7a5fc21b92

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_chinese (simplified).wnry

Filesize
53KB

MD5
0252d45ca21c8e43c9742285c48e91ad

SHA1
5c14551d2736eef3a1c1970cc492206e531703c1

SHA256
845d0e178aeebd6c7e2a2e9697b2bf6cf02028c50c288b3ba88fe2918ea2834a

SHA512
1bfcf6c0e7c977d777f12bd20ac347630999c4d99bd706b40de7ff8f2f52e02560d68093142cc93722095657807a1480ce3fb6a2e000c488550548c497998755

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_chinese (traditional).wnry

Filesize
77KB

MD5
2efc3690d67cd073a9406a25005f7cea

SHA1
52c07f98870eabace6ec370b7eb562751e8067e9

SHA256
5c7f6ad1ec4bc2c8e2c9c126633215daba7de731ac8b12be10ca157417c97f3a

SHA512
0766c58e64d9cda5328e00b86f8482316e944aa2c26523a3c37289e22c34be4b70937033bebdb217f675e40db9fecdce0a0d516f9065a170e28286c2d218487c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_croatian.wnry

Filesize
38KB

MD5
17194003fa70ce477326ce2f6deeb270

SHA1
e325988f68d327743926ea317abb9882f347fa73

SHA256
3f33734b2d34cce83936ce99c3494cd845f1d2c02d7f6da31d42dfc1ca15a171

SHA512
dcf4ccf0b352a8b271827b3b8e181f7d6502ca0f8c9dda3dc6e53441bb4ae6e77b49c9c947cc3ede0bf323f09140a0c068a907f3c23ea2a8495d1ad96820051c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_czech.wnry

Filesize
39KB

MD5
537efeecdfa94cc421e58fd82a58ba9e

SHA1
3609456e16bc16ba447979f3aa69221290ec17d0

SHA256
5afa4753afa048c6d6c39327ce674f27f5f6e5d3f2a060b7a8aed61725481150

SHA512
e007786ffa09ccd5a24e5c6504c8de444929a2faaafad3712367c05615b7e1b0fbf7fbfff7028ed3f832ce226957390d8bf54308870e9ed597948a838da1137b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_danish.wnry

Filesize
36KB

MD5
2c5a3b81d5c4715b7bea01033367fcb5

SHA1
b548b45da8463e17199daafd34c23591f94e82cd

SHA256
a75bb44284b9db8d702692f84909a7e23f21141866adf3db888042e9109a1cb6

SHA512
490c5a892fac801b853c348477b1140755d4c53ca05726ac19d3649af4285c93523393a3667e209c71c80ac06ffd809f62dd69ae65012dcb00445d032f1277b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_dutch.wnry

Filesize
36KB

MD5
7a8d499407c6a647c03c4471a67eaad7

SHA1
d573b6ac8e7e04a05cbbd6b7f6a9842f371d343b

SHA256
2c95bef914da6c50d7bdedec601e589fbb4fda24c4863a7260f4f72bd025799c

SHA512
608ef3ff0a517fe1e70ff41aeb277821565c5a9bee5103aa5e45c68d4763fce507c2a34d810f4cd242d163181f8341d9a69e93fe32aded6fbc7f544c55743f12

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_english.wnry

Filesize
36KB

MD5
fe68c2dc0d2419b38f44d83f2fcf232e

SHA1
6c6e49949957215aa2f3dfb72207d249adf36283

SHA256
26fd072fda6e12f8c2d3292086ef0390785efa2c556e2a88bd4673102af703e5

SHA512
941fa0a1f6a5756ed54260994db6158a7ebeb9e18b5c8ca2f6530c579bc4455918df0b38c609f501ca466b3cc067b40e4b861ad6513373b483b36338ae20a810

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_filipino.wnry

Filesize
36KB

MD5
08b9e69b57e4c9b966664f8e1c27ab09

SHA1
2da1025bbbfb3cd308070765fc0893a48e5a85fa

SHA256
d8489f8c16318e524b45de8b35d7e2c3cd8ed4821c136f12f5ef3c9fc3321324

SHA512
966b5ed68be6b5ccd46e0de1fa868cfe5432d9bf82e1e2f6eb99b2aef3c92f88d96f4f4eec5e16381b9c6db80a68071e7124ca1474d664bdd77e1817ec600cb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_finnish.wnry

Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_french.wnry

Filesize
37KB

MD5
4e57113a6bf6b88fdd32782a4a381274

SHA1
0fccbc91f0f94453d91670c6794f71348711061d

SHA256
9bd38110e6523547aed50617ddc77d0920d408faeed2b7a21ab163fda22177bc

SHA512
4f1918a12269c654d44e9d394bc209ef0bc32242be8833a2fba437b879125177e149f56f2fb0c302330dec328139b34982c04b3fefb045612b6cc9f83ec85aa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_german.wnry

Filesize
36KB

MD5
3d59bbb5553fe03a89f817819540f469

SHA1
26781d4b06ff704800b463d0f1fca3afd923a9fe

SHA256
2adc900fafa9938d85ce53cb793271f37af40cf499bcc454f44975db533f0b61

SHA512
95719ae80589f71209bb3cb953276538040e7111b994d757b0a24283aefe27aadbbe9eef3f1f823ce4cabc1090946d4a2a558607ac6cac6faca5971529b34dac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_greek.wnry

Filesize
47KB

MD5
fb4e8718fea95bb7479727fde80cb424

SHA1
1088c7653cba385fe994e9ae34a6595898f20aeb

SHA256
e13cc9b13aa5074dc45d50379eceb17ee39a0c2531ab617d93800fe236758ca9

SHA512
24db377af1569e4e2b2ebccec42564cea95a30f1ff43bcaf25a692f99567e027bcef4aacef008ec5f64ea2eef0c04be88d2b30bcadabb3919b5f45a6633940cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_indonesian.wnry

Filesize
36KB

MD5
3788f91c694dfc48e12417ce93356b0f

SHA1
eb3b87f7f654b604daf3484da9e02ca6c4ea98b7

SHA256
23e5e738aad10fb8ef89aa0285269aff728070080158fd3e7792fe9ed47c51f4

SHA512
b7dd9e6dc7c2d023ff958caf132f0544c76fae3b2d8e49753257676cc541735807b4befdf483bcae94c2dcde3c878c783b4a89dca0fecbc78f5bbf7c356f35cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_italian.wnry

Filesize
36KB

MD5
30a200f78498990095b36f574b6e8690

SHA1
c4b1b3c087bd12b063e98bca464cd05f3f7b7882

SHA256
49f2c739e7d9745c0834dc817a71bf6676ccc24a4c28dcddf8844093aab3df07

SHA512
c0da2aae82c397f6943a0a7b838f60eeef8f57192c5f498f2ecf05db824cfeb6d6ca830bf3715da7ee400aa8362bd64dc835298f3f0085ae7a744e6e6c690511

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_japanese.wnry

Filesize
79KB

MD5
b77e1221f7ecd0b5d696cb66cda1609e

SHA1
51eb7a254a33d05edf188ded653005dc82de8a46

SHA256
7e491e7b48d6e34f916624c1cda9f024e86fcbec56acda35e27fa99d530d017e

SHA512
f435fd67954787e6b87460db026759410fbd25b2f6ea758118749c113a50192446861a114358443a129be817020b50f21d27b1ebd3d22c7be62082e8b45223fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_korean.wnry

Filesize
89KB

MD5
6735cb43fe44832b061eeb3f5956b099

SHA1
d636daf64d524f81367ea92fdafa3726c909bee1

SHA256
552aa0f82f37c9601114974228d4fc54f7434fe3ae7a276ef1ae98a0f608f1d0

SHA512
60272801909dbba21578b22c49f6b0ba8cd0070f116476ff35b3ac8347b987790e4cc0334724244c4b13415a246e77a577230029e4561ae6f04a598c3f536c7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_latvian.wnry

Filesize
40KB

MD5
c33afb4ecc04ee1bcc6975bea49abe40

SHA1
fbea4f170507cde02b839527ef50b7ec74b4821f

SHA256
a0356696877f2d94d645ae2df6ce6b370bd5c0d6db3d36def44e714525de0536

SHA512
0d435f0836f61a5ff55b78c02fa47b191e5807a79d8a6e991f3115743df2141b3db42ba8bdad9ad259e12f5800828e9e72d7c94a6a5259312a447d669b03ec44

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_norwegian.wnry

Filesize
36KB

MD5
ff70cc7c00951084175d12128ce02399

SHA1
75ad3b1ad4fb14813882d88e952208c648f1fd18

SHA256
cb5da96b3dfcf4394713623dbf3831b2a0b8be63987f563e1c32edeb74cb6c3a

SHA512
f01df3256d49325e5ec49fd265aa3f176020c8ffec60eb1d828c75a3fa18ff8634e1de824d77dfdd833768acff1f547303104620c70066a2708654a07ef22e19

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_polish.wnry

Filesize
38KB

MD5
e79d7f2833a9c2e2553c7fe04a1b63f4

SHA1
3d9f56d2381b8fe16042aa7c4feb1b33f2baebff

SHA256
519ad66009a6c127400c6c09e079903223bd82ecc18ad71b8e5cd79f5f9c053e

SHA512
e0159c753491cac7606a7250f332e87bc6b14876bc7a1cf5625fa56ab4f09c485f7b231dd52e4ff0f5f3c29862afb1124c0efd0741613eb97a83cbe2668af5de

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_portuguese.wnry

Filesize
37KB

MD5
fa948f7d8dfb21ceddd6794f2d56b44f

SHA1
ca915fbe020caa88dd776d89632d7866f660fc7a

SHA256
bd9f4b3aedf4f81f37ec0a028aabcb0e9a900e6b4de04e9271c8db81432e2a66

SHA512
0d211bfb0ae953081dca00cd07f8c908c174fd6c47a8001fadc614203f0e55d9fbb7fa9b87c735d57101341ab36af443918ee00737ed4c19ace0a2b85497f41a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_romanian.wnry

Filesize
50KB

MD5
313e0ececd24f4fa1504118a11bc7986

SHA1
e1b9ae804c7fb1d27f39db18dc0647bb04e75e9d

SHA256
70c0f32ed379ae899e5ac975e20bbbacd295cf7cd50c36174d2602420c770ac1

SHA512
c7500363c61baf8b77fce796d750f8f5e6886ff0a10f81c3240ea3ad4e5f101b597490dea8ab6bd9193457d35d8fd579fce1b88a1c8d85ebe96c66d909630730

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_russian.wnry

Filesize
46KB

MD5
452615db2336d60af7e2057481e4cab5

SHA1
442e31f6556b3d7de6eb85fbac3d2957b7f5eac6

SHA256
02932052fafe97e6acaaf9f391738a3a826f5434b1a013abbfa7a6c1ade1e078

SHA512
7613dc329abe7a3f32164c9a6b660f209a84b774ab9c008bf6503c76255b30ea9a743a6dc49a8de8df0bcb9aea5a33f7408ba27848d9562583ff51991910911f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_slovak.wnry

Filesize
40KB

MD5
c911aba4ab1da6c28cf86338ab2ab6cc

SHA1
fee0fd58b8efe76077620d8abc7500dbfef7c5b0

SHA256
e64178e339c8e10eac17a236a67b892d0447eb67b1dcd149763dad6fd9f72729

SHA512
3491ed285a091a123a1a6d61aafbb8d5621ccc9e045a237a2f9c2cf6049e7420eb96ef30fdcea856b50454436e2ec468770f8d585752d73fafd676c4ef5e800a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_spanish.wnry

Filesize
36KB

MD5
8d61648d34cba8ae9d1e2a219019add1

SHA1
2091e42fc17a0cc2f235650f7aad87abf8ba22c2

SHA256
72f20024b2f69b45a1391f0a6474e9f6349625ce329f5444aec7401fe31f8de1

SHA512
68489c33ba89edfe2e3aebaacf8ef848d2ea88dcbef9609c258662605e02d12cfa4ffdc1d266fc5878488e296d2848b2cb0bbd45f1e86ef959bab6162d284079

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_swedish.wnry

Filesize
37KB

MD5
c7a19984eb9f37198652eaf2fd1ee25c

SHA1
06eafed025cf8c4d76966bf382ab0c5e1bd6a0ae

SHA256
146f61db72297c9c0facffd560487f8d6a2846ecec92ecc7db19c8d618dbc3a4

SHA512
43dd159f9c2eac147cbff1dda83f6a83dd0c59d2d7acac35ba8b407a04ec9a1110a6a8737535d060d100ede1cb75078cf742c383948c9d4037ef459d150f6020

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_turkish.wnry

Filesize
41KB

MD5
531ba6b1a5460fc9446946f91cc8c94b

SHA1
cc56978681bd546fd82d87926b5d9905c92a5803

SHA256
6db650836d64350bbde2ab324407b8e474fc041098c41ecac6fd77d632a36415

SHA512
ef25c3cf4343df85954114f59933c7cc8107266c8bcac3b5ea7718eb74dbee8ca8a02da39057e6ef26b64f1dfccd720dd3bf473f5ae340ba56941e87d6b796c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_vietnamese.wnry

Filesize
91KB

MD5
8419be28a0dcec3f55823620922b00fa

SHA1
2e4791f9cdfca8abf345d606f313d22b36c46b92

SHA256
1f21838b244c80f8bed6f6977aa8a557b419cf22ba35b1fd4bf0f98989c5bdf8

SHA512
8fca77e54480aea3c0c7a705263ed8fb83c58974f5f0f62f12cc97c8e0506ba2cdb59b70e59e9a6c44dd7cde6adeeec35b494d31a6a146ff5ba7006136ab9386

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\r.wnry

Filesize
864B

MD5
3e0020fc529b1c2a061016dd2469ba96

SHA1
c3a91c22b63f6fe709e7c29cafb29a2ee83e6ade

SHA256
402751fa49e0cb68fe052cb3db87b05e71c1d950984d339940cf6b29409f2a7c

SHA512
5ca3c134201ed39d96d72911c0498bae6f98701513fd7f1dc8512819b673f0ea580510fa94ed9413ccc73da18b39903772a7cbfa3478176181cee68c896e14cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\s.wnry

Filesize
2.9MB

MD5
ad4c9de7c8c40813f200ba1c2fa33083

SHA1
d1af27518d455d432b62d73c6a1497d032f6120e

SHA256
e18fdd912dfe5b45776e68d578c3af3547886cf1353d7086c8bee037436dff4b

SHA512
115733d08e5f1a514808a20b070db7ff453fd149865f49c04365a8c6502fa1e5c3a31da3e21f688ab040f583cf1224a544aea9708ffab21405dde1c57f98e617

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\t.wnry

Filesize
64KB

MD5
5dcaac857e695a65f5c3ef1441a73a8f

SHA1
7b10aaeee05e7a1efb43d9f837e9356ad55c07dd

SHA256
97ebce49b14c46bebc9ec2448d00e1e397123b256e2be9eba5140688e7bc0ae6

SHA512
06eb5e49d19b71a99770d1b11a5bb64a54bf3352f36e39a153469e54205075c203b08128dc2317259db206ab5323bdd93aaa252a066f57fb5c52ff28deedb5e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe

Filesize
20KB

MD5
4fef5e34143e646dbf9907c4374276f5

SHA1
47a9ad4125b6bd7c55e4e7da251e23f089407b8f

SHA256
4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79

SHA512
4550dd1787deb353ebd28363dd2cdccca861f6a5d9358120fa6aa23baa478b2a9eb43cef5e3f6426f708a0753491710ac05483fac4a046c26bec4234122434d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe

Filesize
20KB

MD5
8495400f199ac77853c53b5a3f278f3e

SHA1
be5d6279874da315e3080b06083757aad9b32c23

SHA256
2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d

SHA512
0669c524a295a049fa4629b26f89788b2a74e1840bcdc50e093a0bd40830dd1279c9597937301c0072db6ece70adee4ace67c3c8a4fb2db6deafd8f1e887abe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\u.wnry

Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFF654F7F83A9CB292.TMP

Filesize
16KB

MD5
5bd446cf7d164a9d109312406634285d

SHA1
51f8ce9671a6c44dc0d03fc96a09b9ac6b0790eb

SHA256
22a1108464d3daeedd73bb6bbc894e65e470dbfb018fc6582ed94fe21a694ef8

SHA512
68a66dd5b423c3f46ffa30c3e305d43df223a2fa1454365b468a765765237cd1d11823d0184ef0f70bfd2466611b612de03faa905fe296d257a30b6011d169c4

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
587d77c3a965b127ba5bf8034645295e

SHA1
e7e75dedc3a64f58db1bd737fb515bab6fd45bb3

SHA256
6ddee58d495c9d96dbbd736bb09e55c1aca288a63964e39f47babf1a97285dd1

SHA512
f8f392444baeb42861abea60d4496043ddd053eda7d2ffd95f8c67d617de27bc742eeed9c0721d1b24a75ba765bdd777edbe2d0e8e5dbf8582a5a3b5117805ad

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

Filesize
6.3MB

MD5
20b805bcf5efd42203794bb5a17e8f94

SHA1
ed556c4a9b5f616cdd22c840c8e631578f65c87c

SHA256
ef01fef8f7237a1fe6c142ab11fbd0f5ff2f689fa6757face25fc129d88276ec

SHA512
8f5ed873fb63e3e1d4414f37ec3ddf8e7b5d7f1e88273ac647f3e074ce2e4900e313bd1a7c6643227361d8ed16e2288c5a607f03ed7f27c675fbbd8d1d9c3a66

Download Submit
C:\Users\Admin\Documents\@[email protected]

Filesize
933B

MD5
7e6b6da7c61fcb66f3f30166871def5b

SHA1
00f699cf9bbc0308f6e101283eca15a7c566d4f9

SHA256
4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e

SHA512
e5a56137f325904e0c7de1d0df38745f733652214f0cdb6ef173fa0743a334f95bed274df79469e270c9208e6bdc2e6251ef0cdd81af20fa1897929663e2c7d3

Download Submit
C:\Users\Default\Desktop\@[email protected]

Filesize
576KB

MD5
7ed4c2daf6a9d9ca20fcddc2e02b13ed

SHA1
01b920d13d2fa9614c87326c954159c4c81dc710

SHA256
1b09450bd0415369496dbca82c036ead5120612d0f119d8a5045ff4c754da5a6

SHA512
dd43c1d3ea1081bc711f4e57f4167beea1442263ea4e8ecb8a4ef560064f8534dbdc85ab18be8ba8f795a5e82615c6df4beeaf0f37183356c4d3fe8c624d9120

Download Submit
memory/592-2763-0x0000000071470000-0x000000007168C000-memory.dmp

Filesize
2.1MB

Download
memory/592-2809-0x0000000071470000-0x000000007168C000-memory.dmp

Filesize
2.1MB

Download
memory/592-2771-0x0000000000BC0000-0x0000000000EBE000-memory.dmp

Filesize
3.0MB

Download
memory/592-2762-0x0000000000BC0000-0x0000000000EBE000-memory.dmp

Filesize
3.0MB

Download
memory/592-2772-0x00000000713E0000-0x0000000071462000-memory.dmp

Filesize
520KB

Download
memory/592-2770-0x00000000713B0000-0x00000000713D2000-memory.dmp

Filesize
136KB

Download
memory/592-2759-0x00000000713E0000-0x0000000071462000-memory.dmp

Filesize
520KB

Download
memory/592-2758-0x0000000071470000-0x000000007168C000-memory.dmp

Filesize
2.1MB

Download
memory/592-2787-0x0000000000BC0000-0x0000000000EBE000-memory.dmp

Filesize
3.0MB

Download
memory/592-2788-0x0000000071730000-0x00000000717B2000-memory.dmp

Filesize
520KB

Download
memory/592-2791-0x0000000071470000-0x000000007168C000-memory.dmp

Filesize
2.1MB

Download
memory/592-2790-0x0000000071690000-0x0000000071707000-memory.dmp

Filesize
476KB

Download
memory/592-2792-0x00000000713E0000-0x0000000071462000-memory.dmp

Filesize
520KB

Download
memory/592-2789-0x0000000071710000-0x000000007172C000-memory.dmp

Filesize
112KB

Download
memory/592-2761-0x0000000071730000-0x00000000717B2000-memory.dmp

Filesize
520KB

Download
memory/592-2760-0x00000000713B0000-0x00000000713D2000-memory.dmp

Filesize
136KB

Download
memory/592-2806-0x0000000071470000-0x000000007168C000-memory.dmp

Filesize
2.1MB

Download
memory/592-2802-0x0000000000BC0000-0x0000000000EBE000-memory.dmp

Filesize
3.0MB

Download
memory/592-2810-0x0000000000BC0000-0x0000000000EBE000-memory.dmp

Filesize
3.0MB

Download
memory/592-2816-0x0000000071470000-0x000000007168C000-memory.dmp

Filesize
2.1MB

Download
memory/592-2812-0x0000000000BC0000-0x0000000000EBE000-memory.dmp

Filesize
3.0MB

Download
memory/592-2822-0x0000000000BC0000-0x0000000000EBE000-memory.dmp

Filesize
3.0MB

Download
memory/592-2826-0x0000000071470000-0x000000007168C000-memory.dmp

Filesize
2.1MB

Download
memory/592-2830-0x0000000000BC0000-0x0000000000EBE000-memory.dmp

Filesize
3.0MB

Download
memory/592-2869-0x0000000000BC0000-0x0000000000EBE000-memory.dmp

Filesize
3.0MB

Download
memory/592-2878-0x0000000000BC0000-0x0000000000EBE000-memory.dmp

Filesize
3.0MB

Download
memory/592-2882-0x0000000071470000-0x000000007168C000-memory.dmp

Filesize
2.1MB

Download
memory/592-2886-0x0000000000BC0000-0x0000000000EBE000-memory.dmp

Filesize
3.0MB

Download
memory/592-2757-0x0000000071730000-0x00000000717B2000-memory.dmp

Filesize
520KB

Download
memory/2244-1839-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download