wannacry | 1f7ee194375dd93d30ff05e9fc25bff1bef245a44c75d00bc85d3b59715c582e

Analysis

max time kernel
726s
max time network
616s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
15-05-2024 18:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844.exe
Size

224KB
MD5

5c7fb0927db37372da25f270708103a2
SHA1

120ed9279d85cbfa56e5b7779ffa7162074f7a29
SHA256

be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844
SHA512

a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f89224c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206
SSDEEP

3072:Y059femWRwTs/dbelj0X8/j84pcRXPlU3Upt3or4H84lK8PtpLzLsR/EfcZ:+5RwTs/dSXj84mRXPemxdBlPvLzLeZ

Score

10^/10

wannacry defense_evasion execution impact persistence ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\Documents\!Please Read Me!.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions! �

Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Drops startup file 1 IoCs

Processes:

be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD252E.tmp	be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844.exe

Executes dropped EXE 4 IoCs

Processes:

!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe

pid process

2688 !WannaDecryptor!.exe
1256 !WannaDecryptor!.exe
904 !WannaDecryptor!.exe
1260 !WannaDecryptor!.exe

Loads dropped DLL 9 IoCs

Processes:

cscript.exebe22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844.execmd.exe

pid	process
2792	cscript.exe
2240	be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844.exe
2240	be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844.exe
2240	be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844.exe
2240	be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844.exe
1104	cmd.exe
1104	cmd.exe
2240	be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844.exe
2240	be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844.exe\" /r"	be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

!WannaDecryptor!.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp"	!WannaDecryptor!.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Pictures\\My Wallpaper.jpg"	!WannaDecryptor!.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

2620 vssadmin.exe
Kills process with taskkill 4 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

1612 taskkill.exe
1624 taskkill.exe
1688 taskkill.exe
1672 taskkill.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

!WannaDecryptor!.exe

pid process

1260 !WannaDecryptor!.exe

pid	process
2620	vssadmin.exe

pid	process
1612	taskkill.exe
1624	taskkill.exe
1688	taskkill.exe
1672	taskkill.exe

pid	process
1260	!WannaDecryptor!.exe

Suspicious use of AdjustPrivilegeToken 47 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exevssvc.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	1672	taskkill.exe
Token: SeDebugPrivilege	1624	taskkill.exe
Token: SeDebugPrivilege	1612	taskkill.exe
Token: SeDebugPrivilege	1688	taskkill.exe
Token: SeBackupPrivilege	2996	vssvc.exe
Token: SeRestorePrivilege	2996	vssvc.exe
Token: SeAuditPrivilege	2996	vssvc.exe
Token: SeIncreaseQuotaPrivilege	556	WMIC.exe
Token: SeSecurityPrivilege	556	WMIC.exe
Token: SeTakeOwnershipPrivilege	556	WMIC.exe
Token: SeLoadDriverPrivilege	556	WMIC.exe
Token: SeSystemProfilePrivilege	556	WMIC.exe
Token: SeSystemtimePrivilege	556	WMIC.exe
Token: SeProfSingleProcessPrivilege	556	WMIC.exe
Token: SeIncBasePriorityPrivilege	556	WMIC.exe
Token: SeCreatePagefilePrivilege	556	WMIC.exe
Token: SeBackupPrivilege	556	WMIC.exe
Token: SeRestorePrivilege	556	WMIC.exe
Token: SeShutdownPrivilege	556	WMIC.exe
Token: SeDebugPrivilege	556	WMIC.exe
Token: SeSystemEnvironmentPrivilege	556	WMIC.exe
Token: SeRemoteShutdownPrivilege	556	WMIC.exe
Token: SeUndockPrivilege	556	WMIC.exe
Token: SeManageVolumePrivilege	556	WMIC.exe
Token: 33	556	WMIC.exe
Token: 34	556	WMIC.exe
Token: 35	556	WMIC.exe
Token: SeIncreaseQuotaPrivilege	556	WMIC.exe
Token: SeSecurityPrivilege	556	WMIC.exe
Token: SeTakeOwnershipPrivilege	556	WMIC.exe
Token: SeLoadDriverPrivilege	556	WMIC.exe
Token: SeSystemProfilePrivilege	556	WMIC.exe
Token: SeSystemtimePrivilege	556	WMIC.exe
Token: SeProfSingleProcessPrivilege	556	WMIC.exe
Token: SeIncBasePriorityPrivilege	556	WMIC.exe
Token: SeCreatePagefilePrivilege	556	WMIC.exe
Token: SeBackupPrivilege	556	WMIC.exe
Token: SeRestorePrivilege	556	WMIC.exe
Token: SeShutdownPrivilege	556	WMIC.exe
Token: SeDebugPrivilege	556	WMIC.exe
Token: SeSystemEnvironmentPrivilege	556	WMIC.exe
Token: SeRemoteShutdownPrivilege	556	WMIC.exe
Token: SeUndockPrivilege	556	WMIC.exe
Token: SeManageVolumePrivilege	556	WMIC.exe
Token: 33	556	WMIC.exe
Token: 34	556	WMIC.exe
Token: 35	556	WMIC.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

!WannaDecryptor!.exeNOTEPAD.EXE

pid process

1260 !WannaDecryptor!.exe
1260 !WannaDecryptor!.exe
1260 !WannaDecryptor!.exe
1744 NOTEPAD.EXE

pid	process
1260	!WannaDecryptor!.exe
1260	!WannaDecryptor!.exe
1260	!WannaDecryptor!.exe
1744	NOTEPAD.EXE

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe

pid	process
2688	!WannaDecryptor!.exe
2688	!WannaDecryptor!.exe
1256	!WannaDecryptor!.exe
1256	!WannaDecryptor!.exe
904	!WannaDecryptor!.exe
904	!WannaDecryptor!.exe
1260	!WannaDecryptor!.exe
1260	!WannaDecryptor!.exe

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844.execmd.execmd.exe!WannaDecryptor!.execmd.exe

description	pid	process	target process
PID 2240 wrote to memory of 2800	2240	be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844.exe	cmd.exe
PID 2240 wrote to memory of 2800	2240	be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844.exe	cmd.exe
PID 2240 wrote to memory of 2800	2240	be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844.exe	cmd.exe
PID 2240 wrote to memory of 2800	2240	be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844.exe	cmd.exe
PID 2800 wrote to memory of 2792	2800	cmd.exe	cscript.exe
PID 2800 wrote to memory of 2792	2800	cmd.exe	cscript.exe
PID 2800 wrote to memory of 2792	2800	cmd.exe	cscript.exe
PID 2800 wrote to memory of 2792	2800	cmd.exe	cscript.exe
PID 2240 wrote to memory of 2688	2240	be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844.exe	!WannaDecryptor!.exe
PID 2240 wrote to memory of 2688	2240	be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844.exe	!WannaDecryptor!.exe
PID 2240 wrote to memory of 2688	2240	be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844.exe	!WannaDecryptor!.exe
PID 2240 wrote to memory of 2688	2240	be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844.exe	!WannaDecryptor!.exe
PID 2240 wrote to memory of 1612	2240	be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844.exe	taskkill.exe
PID 2240 wrote to memory of 1612	2240	be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844.exe	taskkill.exe
PID 2240 wrote to memory of 1612	2240	be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844.exe	taskkill.exe
PID 2240 wrote to memory of 1612	2240	be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844.exe	taskkill.exe
PID 2240 wrote to memory of 1624	2240	be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844.exe	taskkill.exe
PID 2240 wrote to memory of 1624	2240	be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844.exe	taskkill.exe
PID 2240 wrote to memory of 1624	2240	be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844.exe	taskkill.exe
PID 2240 wrote to memory of 1624	2240	be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844.exe	taskkill.exe
PID 2240 wrote to memory of 1688	2240	be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844.exe	taskkill.exe
PID 2240 wrote to memory of 1688	2240	be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844.exe	taskkill.exe
PID 2240 wrote to memory of 1688	2240	be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844.exe	taskkill.exe
PID 2240 wrote to memory of 1688	2240	be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844.exe	taskkill.exe
PID 2240 wrote to memory of 1672	2240	be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844.exe	taskkill.exe
PID 2240 wrote to memory of 1672	2240	be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844.exe	taskkill.exe
PID 2240 wrote to memory of 1672	2240	be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844.exe	taskkill.exe
PID 2240 wrote to memory of 1672	2240	be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844.exe	taskkill.exe
PID 2240 wrote to memory of 1256	2240	be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844.exe	!WannaDecryptor!.exe
PID 2240 wrote to memory of 1256	2240	be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844.exe	!WannaDecryptor!.exe
PID 2240 wrote to memory of 1256	2240	be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844.exe	!WannaDecryptor!.exe
PID 2240 wrote to memory of 1256	2240	be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844.exe	!WannaDecryptor!.exe
PID 2240 wrote to memory of 1104	2240	be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844.exe	cmd.exe
PID 2240 wrote to memory of 1104	2240	be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844.exe	cmd.exe
PID 2240 wrote to memory of 1104	2240	be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844.exe	cmd.exe
PID 2240 wrote to memory of 1104	2240	be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844.exe	cmd.exe
PID 1104 wrote to memory of 904	1104	cmd.exe	!WannaDecryptor!.exe
PID 1104 wrote to memory of 904	1104	cmd.exe	!WannaDecryptor!.exe
PID 1104 wrote to memory of 904	1104	cmd.exe	!WannaDecryptor!.exe
PID 1104 wrote to memory of 904	1104	cmd.exe	!WannaDecryptor!.exe
PID 2240 wrote to memory of 1260	2240	be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844.exe	!WannaDecryptor!.exe
PID 2240 wrote to memory of 1260	2240	be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844.exe	!WannaDecryptor!.exe
PID 2240 wrote to memory of 1260	2240	be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844.exe	!WannaDecryptor!.exe
PID 2240 wrote to memory of 1260	2240	be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844.exe	!WannaDecryptor!.exe
PID 904 wrote to memory of 1976	904	!WannaDecryptor!.exe	cmd.exe
PID 904 wrote to memory of 1976	904	!WannaDecryptor!.exe	cmd.exe
PID 904 wrote to memory of 1976	904	!WannaDecryptor!.exe	cmd.exe
PID 904 wrote to memory of 1976	904	!WannaDecryptor!.exe	cmd.exe
PID 1976 wrote to memory of 2620	1976	cmd.exe	vssadmin.exe
PID 1976 wrote to memory of 2620	1976	cmd.exe	vssadmin.exe
PID 1976 wrote to memory of 2620	1976	cmd.exe	vssadmin.exe
PID 1976 wrote to memory of 2620	1976	cmd.exe	vssadmin.exe
PID 1976 wrote to memory of 556	1976	cmd.exe	WMIC.exe
PID 1976 wrote to memory of 556	1976	cmd.exe	WMIC.exe
PID 1976 wrote to memory of 556	1976	cmd.exe	WMIC.exe
PID 1976 wrote to memory of 556	1976	cmd.exe	WMIC.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844.exe
"C:\Users\Admin\AppData\Local\Temp\be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2240

C:\Windows\SysWOW64\cmd.exe
cmd /c 21251715797596.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:2800

C:\Windows\SysWOW64\cscript.exe
cscript //nologo c.vbs
3⤵
- Loads dropped DLL
PID:2792

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
!WannaDecryptor!.exe f
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2688

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im MSExchange*
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1612

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Microsoft.Exchange.*
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1624

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im sqlserver.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1688

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im sqlwriter.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1672

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
!WannaDecryptor!.exe c
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1256

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /b !WannaDecryptor!.exe v
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1104

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
!WannaDecryptor!.exe v
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:904

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
4⤵
- Suspicious use of WriteProcessMemory
PID:1976

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
5⤵
- Interacts with shadow copies
PID:2620

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:556

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
!WannaDecryptor!.exe
2⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1260

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2996

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\!Please Read Me!.txt
1⤵
- Suspicious use of FindShellTrayWindow
PID:1744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe.lnk
Filesize
921B

MD5
f7b27d9e5b3c286e6247e9b1e27f3384

SHA1
1289c34c1825549bbe421bbdced9954057c93051

SHA256
022e96ab76c286cb5ca164acb50f7bdc5c1e0d2617c0568cfdbafc9732a47d00

SHA512
03e993f65226142f18421666eec74d6db91eb113a19fa19ec0c3cfaea5ef37677afc5b23283b83fe54946a4402999d369de1cfbc105e3e5af38567e586762c99

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.res
Filesize
136B

MD5
4cf030cd523d48f171faba09b65e09f4

SHA1
0d25d8071c411b44428f70d17ec6f021bff7f1d9

SHA256
db8f677738003b840d96e8769da5b9fdaf33f74930f4e54bdae48c7bc2b611e5

SHA512
1cf1d77d62f62715b8b069575e8caa0747a7899a476b72227bd1bb503b9c6f2362c2829f4155898632f3578e13ff25f7c63b2dc365969e8a9c7f2215f5ad46ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.res
Filesize
136B

MD5
1a89fb89659c38066dcd25c5b44108a3

SHA1
a95dd39e27ccca66991c500ffb54eb78b00a9ed7

SHA256
3c86e101d1165e5a21b7190b12bf7badb7a55eac680b9bba4693bbd41ec99e9e

SHA512
b8ebf28f3c66d474d7408a299c99b75054b5d46b9217a4a0412c614fb42a751a3ae6f77c15b43c0d178643f53d15c8308115d8e055fddc173d3106ad0fb93902

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.res
Filesize
136B

MD5
f2d1021ed53a09e63ce14df5d20222fd

SHA1
adfb4a1bc1a1c445548892374cddb3c702bb71b0

SHA256
4ac89484de6b4343f947aaacd634976a4daf2c8c97ac5158568695f23067f30e

SHA512
add0043f914bd4bef545035e177f5d4dc10a2ff1e73cec5b1c05cfb3ebc64cbdec2fbef8321945b01cbec5c775a86eb385d91907a55b6d73bc59e6bb91d97387

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.res
Filesize
136B

MD5
e9aed92c06c35353305ca3da85f8993a

SHA1
9661b4059e9a2abacd82c978d126aaef8f8ced1c

SHA256
4a1ea8aa255880880c3a90b090c62af52fc33b7824f0bc5572e7055f6be69ea1

SHA512
db6d3209900f7595284a7e406eff28ee3c61b05992114c3ad56c467b47d9a53ed6d8d5ffbacca7f7735166289eabcd1d0e2f92cac8b03bb4d4751039b10cf1a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.res
Filesize
136B

MD5
963e22e21373f0b3121f8c4abd3ac693

SHA1
4d4d0fe630e8dec808ace06e5585932684cf224e

SHA256
32053e15c0a740c34e8c99bc7b8c906f4a72ab8b47e811a23017b5cf15d13878

SHA512
7e7d3f7f7dadbb3e090ea445f5c66dfd0e92c1c7bb3a9fc272d0397729fc3aaf3777f8dd0fefa57be8fd6a988c56a3d51184ce93f0e5b39be510de861f9f10bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\21251715797596.bat
Filesize
336B

MD5
3540e056349c6972905dc9706cd49418

SHA1
492c20442d34d45a6d6790c720349b11ec591cde

SHA256
73872a89440a2cba9d22bf4961c3d499ea2c72979c30c455f942374292fedadc

SHA512
c949d147100aef59e382c03abf7b162ae62a4d43456eebd730fbedcf5f95f5e1a24f6e349690d52d75331878a6ee8f6b88a7162ee9cf2a49e142196b12d0133c

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.vbs
Filesize
219B

MD5
5f6d40ca3c34b470113ed04d06a88ff4

SHA1
50629e7211ae43e32060686d6be17ebd492fd7aa

SHA256
0fb5039a2fe7e90cdf3f22140d7f2103f94689b15609efe0edcc8430dd772fc1

SHA512
4d4aa1abd2c9183202fd3f0a65b37f07ee0166ba6561f094c13c8ea59752c7bdd960e37c49583746d4464bc3b1dc0b63a1fe36a37ce7e5709cd76ed433befe35

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.wry
Filesize
628B

MD5
300798609a50008fdd26b9f0f7c8a12d

SHA1
e617b2ac85775ee8b6f52a59e272fdc759df93e5

SHA256
f79ffcbbce0965fbff68373190b70bc22a73e90b5a7caf6240068eb4e1553d6d

SHA512
3724a695f1ec3a9070d1adf8cee229df286ca80d36158d11772dfb3556adf2fdf79a4ef538f3ad78e532a9ffac4aafeb1e5a3042a4ad4316e0eccf3e0711fe92

Download Submit
C:\Users\Admin\AppData\Local\Temp\f.wry
Filesize
142B

MD5
ea6e715fc641cd15ff7326521172a01d

SHA1
479f68301d472848da18f86ca9b702198ef3df32

SHA256
727cd8a52e90c4bea9ec0030b7bb8cc727e7b9f3edf987a1df7956f8c51a17c0

SHA512
5d8fd67f8c979cd2ecbd7e5eb736b83d2bade13eb06d17e0fcaa9f38a439a805f08686830680eaae175d3f85ff0c1f480e19cfd1e598bab99beebd764e90771f

Download Submit
C:\Users\Admin\AppData\Local\Temp\m.wry
Filesize
42KB

MD5
980b08bac152aff3f9b0136b616affa5

SHA1
2a9c9601ea038f790cc29379c79407356a3d25a3

SHA256
402046ada270528c9ac38bbfa0152836fe30fb8e12192354e53b8397421430d9

SHA512
100cda1f795781042b012498afd783fd6ff03b0068dbd07b2c2e163cd95e6c6e00755ce16b02b017693c9febc149ed02df9df9b607e2b9cca4b07e5bd420f496

Download Submit
C:\Users\Admin\AppData\Roaming\CompareWait.pdf.WCRY
Filesize
272KB

MD5
eb1ab634bef03983c03c50bcd941a3c9

SHA1
1f2ca6924240cdf648fe75394f39a6828f8852ac

SHA256
e8d37d402ec5cc316c3777eb71a9e9bb25ad21d8e51f61aef1519ff14c01f0b0

SHA512
cc43db48674cb31e3092955493630fcb9bd4e9d3ea6ea64550058617ffdf31376e2483d529b6ef2bdc3f933304d808b82516d993b6919dcad759b77c901e3029

Download Submit
C:\Users\Admin\Documents\!Please Read Me!.txt
Filesize
797B

MD5
afa18cf4aa2660392111763fb93a8c3d

SHA1
c219a3654a5f41ce535a09f2a188a464c3f5baf5

SHA256
227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0

SHA512
4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b

Download Submit
C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile44.bmp.WCRY
Filesize
48KB

MD5
c63ef54b5d6788df64c49b0105cf1f30

SHA1
ac291681c6423ec873b16a0706342d930898d1ef

SHA256
8853fab23b976e431a0d0157c0f973057c40a9704263bb626effa1b3d8730e27

SHA512
4a87ce2f3bcd4bf3e483821decd2226177e99fd5ae04e553bc2745a47394e8b616e2bbc03239f31f9406df133a7f5dc60a414ee4f01cab8377ad1304289226ed

Download Submit
memory/2240-6-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download