wannacry | be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844

Analysis

max time kernel
148s
max time network
121s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
20-06-2024 14:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WannaCry.exe
Size

224KB
MD5

5c7fb0927db37372da25f270708103a2
SHA1

120ed9279d85cbfa56e5b7779ffa7162074f7a29
SHA256

be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844
SHA512

a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f89224c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206
SSDEEP

3072:Y059femWRwTs/dbelj0X8/j84pcRXPlU3Upt3or4H84lK8PtpLzLsR/EfcZ:+5RwTs/dSXj84mRXPemxdBlPvLzLeZ

Score

10^/10

wannacry defense_evasion execution impact persistence ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\Documents\!Please Read Me!.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions! �

Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Drops startup file 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDEC1.tmp	WannaCry.exe

Executes dropped EXE 5 IoCs

pid	Process
2628	!WannaDecryptor!.exe
1628	!WannaDecryptor!.exe
2888	!WannaDecryptor!.exe
620	!WannaDecryptor!.exe
892	!WannaDecryptor!.exe

Loads dropped DLL 11 IoCs

pid	Process
2796	cscript.exe
1044	WannaCry.exe
1044	WannaCry.exe
1044	WannaCry.exe
1044	WannaCry.exe
1268	cmd.exe
1268	cmd.exe
1044	WannaCry.exe
1044	WannaCry.exe
1044	WannaCry.exe
1044	WannaCry.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\WannaCry.exe\" /r"	WannaCry.exe

Sets desktop wallpaper using registry 2 TTPs 4 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp"	!WannaDecryptor!.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Pictures\\My Wallpaper.jpg"	!WannaDecryptor!.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp"	!WannaDecryptor!.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Pictures\\My Wallpaper.jpg"	!WannaDecryptor!.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
2112	vssadmin.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
2060	taskkill.exe
2020	taskkill.exe
2108	taskkill.exe
1284	taskkill.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1756	taskmgr.exe
892	!WannaDecryptor!.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeDebugPrivilege	1284	taskkill.exe
Token: SeDebugPrivilege	2020	taskkill.exe
Token: SeDebugPrivilege	2108	taskkill.exe
Token: SeDebugPrivilege	2060	taskkill.exe
Token: SeBackupPrivilege	1264	vssvc.exe
Token: SeRestorePrivilege	1264	vssvc.exe
Token: SeAuditPrivilege	1264	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1088	WMIC.exe
Token: SeSecurityPrivilege	1088	WMIC.exe
Token: SeTakeOwnershipPrivilege	1088	WMIC.exe
Token: SeLoadDriverPrivilege	1088	WMIC.exe
Token: SeSystemProfilePrivilege	1088	WMIC.exe
Token: SeSystemtimePrivilege	1088	WMIC.exe
Token: SeProfSingleProcessPrivilege	1088	WMIC.exe
Token: SeIncBasePriorityPrivilege	1088	WMIC.exe
Token: SeCreatePagefilePrivilege	1088	WMIC.exe
Token: SeBackupPrivilege	1088	WMIC.exe
Token: SeRestorePrivilege	1088	WMIC.exe
Token: SeShutdownPrivilege	1088	WMIC.exe
Token: SeDebugPrivilege	1088	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1088	WMIC.exe
Token: SeRemoteShutdownPrivilege	1088	WMIC.exe
Token: SeUndockPrivilege	1088	WMIC.exe
Token: SeManageVolumePrivilege	1088	WMIC.exe
Token: 33	1088	WMIC.exe
Token: 34	1088	WMIC.exe
Token: 35	1088	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1088	WMIC.exe
Token: SeSecurityPrivilege	1088	WMIC.exe
Token: SeTakeOwnershipPrivilege	1088	WMIC.exe
Token: SeLoadDriverPrivilege	1088	WMIC.exe
Token: SeSystemProfilePrivilege	1088	WMIC.exe
Token: SeSystemtimePrivilege	1088	WMIC.exe
Token: SeProfSingleProcessPrivilege	1088	WMIC.exe
Token: SeIncBasePriorityPrivilege	1088	WMIC.exe
Token: SeCreatePagefilePrivilege	1088	WMIC.exe
Token: SeBackupPrivilege	1088	WMIC.exe
Token: SeRestorePrivilege	1088	WMIC.exe
Token: SeShutdownPrivilege	1088	WMIC.exe
Token: SeDebugPrivilege	1088	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1088	WMIC.exe
Token: SeRemoteShutdownPrivilege	1088	WMIC.exe
Token: SeUndockPrivilege	1088	WMIC.exe
Token: SeManageVolumePrivilege	1088	WMIC.exe
Token: 33	1088	WMIC.exe
Token: 34	1088	WMIC.exe
Token: 35	1088	WMIC.exe
Token: SeDebugPrivilege	1756	taskmgr.exe

Suspicious use of FindShellTrayWindow 52 IoCs

pid	Process
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
892	!WannaDecryptor!.exe

Suspicious use of SendNotifyMessage 51 IoCs

pid	Process
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe
1756	taskmgr.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2628	!WannaDecryptor!.exe
2628	!WannaDecryptor!.exe
1628	!WannaDecryptor!.exe
1628	!WannaDecryptor!.exe
2888	!WannaDecryptor!.exe
2888	!WannaDecryptor!.exe
620	!WannaDecryptor!.exe
620	!WannaDecryptor!.exe
892	!WannaDecryptor!.exe
892	!WannaDecryptor!.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 1044 wrote to memory of 1296	1044	WannaCry.exe	28
PID 1044 wrote to memory of 1296	1044	WannaCry.exe	28
PID 1044 wrote to memory of 1296	1044	WannaCry.exe	28
PID 1044 wrote to memory of 1296	1044	WannaCry.exe	28
PID 1296 wrote to memory of 2796	1296	cmd.exe	30
PID 1296 wrote to memory of 2796	1296	cmd.exe	30
PID 1296 wrote to memory of 2796	1296	cmd.exe	30
PID 1296 wrote to memory of 2796	1296	cmd.exe	30
PID 1044 wrote to memory of 2628	1044	WannaCry.exe	31
PID 1044 wrote to memory of 2628	1044	WannaCry.exe	31
PID 1044 wrote to memory of 2628	1044	WannaCry.exe	31
PID 1044 wrote to memory of 2628	1044	WannaCry.exe	31
PID 1044 wrote to memory of 2060	1044	WannaCry.exe	32
PID 1044 wrote to memory of 2060	1044	WannaCry.exe	32
PID 1044 wrote to memory of 2060	1044	WannaCry.exe	32
PID 1044 wrote to memory of 2060	1044	WannaCry.exe	32
PID 1044 wrote to memory of 2020	1044	WannaCry.exe	33
PID 1044 wrote to memory of 2020	1044	WannaCry.exe	33
PID 1044 wrote to memory of 2020	1044	WannaCry.exe	33
PID 1044 wrote to memory of 2020	1044	WannaCry.exe	33
PID 1044 wrote to memory of 2108	1044	WannaCry.exe	35
PID 1044 wrote to memory of 2108	1044	WannaCry.exe	35
PID 1044 wrote to memory of 2108	1044	WannaCry.exe	35
PID 1044 wrote to memory of 2108	1044	WannaCry.exe	35
PID 1044 wrote to memory of 1284	1044	WannaCry.exe	36
PID 1044 wrote to memory of 1284	1044	WannaCry.exe	36
PID 1044 wrote to memory of 1284	1044	WannaCry.exe	36
PID 1044 wrote to memory of 1284	1044	WannaCry.exe	36
PID 1044 wrote to memory of 1628	1044	WannaCry.exe	42
PID 1044 wrote to memory of 1628	1044	WannaCry.exe	42
PID 1044 wrote to memory of 1628	1044	WannaCry.exe	42
PID 1044 wrote to memory of 1628	1044	WannaCry.exe	42
PID 1044 wrote to memory of 1268	1044	WannaCry.exe	43
PID 1044 wrote to memory of 1268	1044	WannaCry.exe	43
PID 1044 wrote to memory of 1268	1044	WannaCry.exe	43
PID 1044 wrote to memory of 1268	1044	WannaCry.exe	43
PID 1268 wrote to memory of 2888	1268	cmd.exe	45
PID 1268 wrote to memory of 2888	1268	cmd.exe	45
PID 1268 wrote to memory of 2888	1268	cmd.exe	45
PID 1268 wrote to memory of 2888	1268	cmd.exe	45
PID 1044 wrote to memory of 620	1044	WannaCry.exe	46
PID 1044 wrote to memory of 620	1044	WannaCry.exe	46
PID 1044 wrote to memory of 620	1044	WannaCry.exe	46
PID 1044 wrote to memory of 620	1044	WannaCry.exe	46
PID 2888 wrote to memory of 1312	2888	!WannaDecryptor!.exe	47
PID 2888 wrote to memory of 1312	2888	!WannaDecryptor!.exe	47
PID 2888 wrote to memory of 1312	2888	!WannaDecryptor!.exe	47
PID 2888 wrote to memory of 1312	2888	!WannaDecryptor!.exe	47
PID 1312 wrote to memory of 2112	1312	cmd.exe	49
PID 1312 wrote to memory of 2112	1312	cmd.exe	49
PID 1312 wrote to memory of 2112	1312	cmd.exe	49
PID 1312 wrote to memory of 2112	1312	cmd.exe	49
PID 1312 wrote to memory of 1088	1312	cmd.exe	51
PID 1312 wrote to memory of 1088	1312	cmd.exe	51
PID 1312 wrote to memory of 1088	1312	cmd.exe	51
PID 1312 wrote to memory of 1088	1312	cmd.exe	51
PID 1044 wrote to memory of 892	1044	WannaCry.exe	59
PID 1044 wrote to memory of 892	1044	WannaCry.exe	59
PID 1044 wrote to memory of 892	1044	WannaCry.exe	59
PID 1044 wrote to memory of 892	1044	WannaCry.exe	59

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\WannaCry.exe
"C:\Users\Admin\AppData\Local\Temp\WannaCry.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1044
- C:\Windows\SysWOW64\cmd.exe
  cmd /c 155841718895357.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1296
- - C:\Windows\SysWOW64\cscript.exe
    cscript //nologo c.vbs
    3⤵
    - Loads dropped DLL
    PID:2796
- C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
  !WannaDecryptor!.exe f
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2628
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im MSExchange*
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2060
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im Microsoft.Exchange.*
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2020
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im sqlserver.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2108
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im sqlwriter.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1284
- C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
  !WannaDecryptor!.exe c
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1628
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c start /b !WannaDecryptor!.exe v
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1268
- - C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
    !WannaDecryptor!.exe v
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2888
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1312
    - - C:\Windows\SysWOW64\vssadmin.exe
        
        vssadmin delete shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:2112
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1088
- C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  2⤵
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  - Suspicious use of SetWindowsHookEx
  PID:620
- C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  2⤵
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:892

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1264

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1756

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:928

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\!Please Read Me!.txt
1⤵
PID:2224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe

Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe.lnk

Filesize
921B

MD5
f7733d44e2671a1486aab012ac401a7f

SHA1
35ac14aeb4c34addc148bdafdb1f161a7e412b66

SHA256
b9fdfa36924c4db8395c1f7598f5d6dc2f455861c784584861cc05bbc7980d5a

SHA512
8b286d6a536cbe2ed7cc45b06306e6c1025a91ff66aef1f3ccaf838d7e8a5977be6807648b30d52c17e5b3206ee7ba9a228aac84f33d11811a432f8a08aab846

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.res

Filesize
136B

MD5
30223b381ded3f8b6c8e69fd7741ab99

SHA1
32eba9906a44668f89e99dc47671dcaa6578d1d9

SHA256
40ce271080b23c3a4f39d1d187636814d66a23a41b4b6e63be1d3448a01722b4

SHA512
89a6ff25378ed5beaa32d727456750f9d51e0d453d5a899050a2acb7f409a8186bb12525a3b5bccf7b893827ca0ef57f61ea12bcd2069eb4949a8229d72be19d

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.res

Filesize
136B

MD5
d89df611d36950c494b94b9d3f7c20e5

SHA1
97517e18075721e5b977ba5b68f1c6c2206f0271

SHA256
994afa58380a97c05ed3b33c5453fb0c43048fc1ea60fafc5ce8b3ea0226cb33

SHA512
919f67b8a06e702fb0fbbbaf8bca3919577de40be3c8e14e91de8a93bf343d9571bca2dfa83aaf961d7f1af6a5b7b6525d477e14c863bf41ea1eb0e830c302e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.res

Filesize
136B

MD5
f8a3cc61e6e83e777aaf6c181eacfa54

SHA1
5e4182de2d1d2da73700ecdefc0e24c9de2579e1

SHA256
d8255c6949cb14311d5425c90c92f0051d83be1ec665ccb1b603c036358224c9

SHA512
313ce84e96ec5ba079dcd347092afa4760f8adaa0561390c72762417b52baa2720dbc6e5889a15d53681525c8756fe39629e3246a6f11cc44c48d8d65d5231b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.res

Filesize
136B

MD5
e5b2b4fa17de567998d4c20f82adea53

SHA1
dba3a50f4c6eb4d961f01ceb9a4b37f94a528314

SHA256
3f980f26c7595c87c6f633ff1f1b05a9fef0c49ae94c57d8b519d4b9b7f68236

SHA512
4a349b3c74fed89f2569a806923f7af955f01fed96d145e3f1cbad3f4097881b01e0a50f175fa84ffd75e61575c1387c8e96cccf769ee7e48ded0b7353e6d96c

Download Submit
C:\Users\Admin\AppData\Local\Temp\155841718895357.bat

Filesize
336B

MD5
3540e056349c6972905dc9706cd49418

SHA1
492c20442d34d45a6d6790c720349b11ec591cde

SHA256
73872a89440a2cba9d22bf4961c3d499ea2c72979c30c455f942374292fedadc

SHA512
c949d147100aef59e382c03abf7b162ae62a4d43456eebd730fbedcf5f95f5e1a24f6e349690d52d75331878a6ee8f6b88a7162ee9cf2a49e142196b12d0133c

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.vbs

Filesize
219B

MD5
5f6d40ca3c34b470113ed04d06a88ff4

SHA1
50629e7211ae43e32060686d6be17ebd492fd7aa

SHA256
0fb5039a2fe7e90cdf3f22140d7f2103f94689b15609efe0edcc8430dd772fc1

SHA512
4d4aa1abd2c9183202fd3f0a65b37f07ee0166ba6561f094c13c8ea59752c7bdd960e37c49583746d4464bc3b1dc0b63a1fe36a37ce7e5709cd76ed433befe35

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.wry

Filesize
628B

MD5
8202a5c09e9dd992c8e8b7d0db62095a

SHA1
62e01072de268ecd6413b422c0eb4aa7546f61ae

SHA256
40649d17b2c5bf5bc2b499369258394651e7f9525366e97959692f4fd57a3e6a

SHA512
980019e725a05e3cabb26a7595a713464fa8325afa2482e0b85614815e2da008d6afe0ce9c7c4f2da0c6c3b3fb26cfc7125f90b7dc546d5195a25e179153eec4

Download Submit
C:\Users\Admin\AppData\Local\Temp\f.wry

Filesize
44B

MD5
7d36759693a88e998b131f05c778111c

SHA1
5d1e16571d59ec0194e1064761d8c7344bea908f

SHA256
e8409af301247bde396c77399bf1bd5d15b6edbb9b5ea35e4b7185a7962f387a

SHA512
d768cbf99d51f2393a785f67f853d406aa3c527fb57f701a64ea58195f9d752d13b6a821bf177b692528a8e30d264b575ff53594438253558b7b8a9f0a5d252c

Download Submit
C:\Users\Admin\AppData\Local\Temp\m.wry

Filesize
42KB

MD5
980b08bac152aff3f9b0136b616affa5

SHA1
2a9c9601ea038f790cc29379c79407356a3d25a3

SHA256
402046ada270528c9ac38bbfa0152836fe30fb8e12192354e53b8397421430d9

SHA512
100cda1f795781042b012498afd783fd6ff03b0068dbd07b2c2e163cd95e6c6e00755ce16b02b017693c9febc149ed02df9df9b607e2b9cca4b07e5bd420f496

Download Submit
C:\Users\Admin\Desktop\SendUnlock.gif.WCRY

Filesize
515KB

MD5
4e0ab79b63f8b3181955991909bccfff

SHA1
a021793be879045fb346088425ca58acddf340f8

SHA256
3d524f344fee5e3cb8acaf225e8fe545edef7b850acc2f45b2fcd557c11c50b9

SHA512
41e7524cae25bf7bf7a6d32c6a5c98a0999412730ee187dad4854677ad46c116c32511fafe0f3b246b29e536750ce3d1b5a3a67199f3ee339f1e154bf3981793

Download Submit
C:\Users\Admin\Documents\!Please Read Me!.txt

Filesize
797B

MD5
afa18cf4aa2660392111763fb93a8c3d

SHA1
c219a3654a5f41ce535a09f2a188a464c3f5baf5

SHA256
227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0

SHA512
4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b

Download Submit
memory/1044-6-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download
memory/1756-808-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1756-812-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1756-809-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download