wannacry | 5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9

Analysis

max time kernel
147s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
09-07-2024 18:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Trojan.Siggen18.23618.24708.4475.exe
Size

316KB
MD5

b9b3965d1b218c63cd317ac33edcb942
SHA1

02408bb6dc1f3605a7d3f9bad687a858ec147896
SHA256

5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9
SHA512

18096b1167561c6da5bfcc05e40f7661e21f43521eb47da9520d2744c8a1806d7187894ce0ae8e0a9e97904b345daae09897d80e8754a63c9aa1d6514feaf98e
SSDEEP

6144:xHQFwJYDzVc1aWLn0IU4eFTE3Ijr2Cq6j7+qmOq:Z6wWcYWL0IUzNGqJq

Score

10^/10

wannacry defense_evasion execution impact persistence ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\!Please Read Me!.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $200 worth of bitcoin to this bitcoin address: 1QAc9S5EmycqjzzWDc1yiWzr9jJLC8sLiY Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) https://www.dropbox.com/s/c1gn29iy8erh1ks/m.rar?dl=1 rar password: wcry123 Run and follow the instructions! �

Wallets

1QAc9S5EmycqjzzWDc1yiWzr9jJLC8sLiY

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Drops startup file 2 IoCs

Processes:

SecuriteInfo.com.Trojan.Siggen18.23618.24708.4475.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDBCA3.tmp	SecuriteInfo.com.Trojan.Siggen18.23618.24708.4475.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDBCAA.tmp	SecuriteInfo.com.Trojan.Siggen18.23618.24708.4475.exe

Executes dropped EXE 4 IoCs

Processes:

!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe

pid process

3952 !WannaDecryptor!.exe
3680 !WannaDecryptor!.exe
4056 !WannaDecryptor!.exe
4476 !WannaDecryptor!.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

SecuriteInfo.com.Trojan.Siggen18.23618.24708.4475.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\SecuriteInfo.com.Trojan.Siggen18.23618.24708.4475.exe\" /r"	SecuriteInfo.com.Trojan.Siggen18.23618.24708.4475.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

SecuriteInfo.com.Trojan.Siggen18.23618.24708.4475.exe!WannaDecryptor!.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp"	SecuriteInfo.com.Trojan.Siggen18.23618.24708.4475.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp"	!WannaDecryptor!.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Kills process with taskkill 4 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

5032 taskkill.exe
432 taskkill.exe
2408 taskkill.exe
2616 taskkill.exe

pid	process
5032	taskkill.exe
432	taskkill.exe
2408	taskkill.exe
2616	taskkill.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exeWMIC.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	2408	taskkill.exe
Token: SeDebugPrivilege	432	taskkill.exe
Token: SeDebugPrivilege	5032	taskkill.exe
Token: SeDebugPrivilege	2616	taskkill.exe
Token: SeIncreaseQuotaPrivilege	1812	WMIC.exe
Token: SeSecurityPrivilege	1812	WMIC.exe
Token: SeTakeOwnershipPrivilege	1812	WMIC.exe
Token: SeLoadDriverPrivilege	1812	WMIC.exe
Token: SeSystemProfilePrivilege	1812	WMIC.exe
Token: SeSystemtimePrivilege	1812	WMIC.exe
Token: SeProfSingleProcessPrivilege	1812	WMIC.exe
Token: SeIncBasePriorityPrivilege	1812	WMIC.exe
Token: SeCreatePagefilePrivilege	1812	WMIC.exe
Token: SeBackupPrivilege	1812	WMIC.exe
Token: SeRestorePrivilege	1812	WMIC.exe
Token: SeShutdownPrivilege	1812	WMIC.exe
Token: SeDebugPrivilege	1812	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1812	WMIC.exe
Token: SeRemoteShutdownPrivilege	1812	WMIC.exe
Token: SeUndockPrivilege	1812	WMIC.exe
Token: SeManageVolumePrivilege	1812	WMIC.exe
Token: 33	1812	WMIC.exe
Token: 34	1812	WMIC.exe
Token: 35	1812	WMIC.exe
Token: 36	1812	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1812	WMIC.exe
Token: SeSecurityPrivilege	1812	WMIC.exe
Token: SeTakeOwnershipPrivilege	1812	WMIC.exe
Token: SeLoadDriverPrivilege	1812	WMIC.exe
Token: SeSystemProfilePrivilege	1812	WMIC.exe
Token: SeSystemtimePrivilege	1812	WMIC.exe
Token: SeProfSingleProcessPrivilege	1812	WMIC.exe
Token: SeIncBasePriorityPrivilege	1812	WMIC.exe
Token: SeCreatePagefilePrivilege	1812	WMIC.exe
Token: SeBackupPrivilege	1812	WMIC.exe
Token: SeRestorePrivilege	1812	WMIC.exe
Token: SeShutdownPrivilege	1812	WMIC.exe
Token: SeDebugPrivilege	1812	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1812	WMIC.exe
Token: SeRemoteShutdownPrivilege	1812	WMIC.exe
Token: SeUndockPrivilege	1812	WMIC.exe
Token: SeManageVolumePrivilege	1812	WMIC.exe
Token: 33	1812	WMIC.exe
Token: 34	1812	WMIC.exe
Token: 35	1812	WMIC.exe
Token: 36	1812	WMIC.exe
Token: SeBackupPrivilege	4776	vssvc.exe
Token: SeRestorePrivilege	4776	vssvc.exe
Token: SeAuditPrivilege	4776	vssvc.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe

pid	process
3952	!WannaDecryptor!.exe
3952	!WannaDecryptor!.exe
3680	!WannaDecryptor!.exe
3680	!WannaDecryptor!.exe
4056	!WannaDecryptor!.exe
4056	!WannaDecryptor!.exe
4476	!WannaDecryptor!.exe
4476	!WannaDecryptor!.exe

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

SecuriteInfo.com.Trojan.Siggen18.23618.24708.4475.execmd.execmd.exe!WannaDecryptor!.execmd.exe

description	pid	process	target process
PID 1600 wrote to memory of 3168	1600	SecuriteInfo.com.Trojan.Siggen18.23618.24708.4475.exe	cmd.exe
PID 1600 wrote to memory of 3168	1600	SecuriteInfo.com.Trojan.Siggen18.23618.24708.4475.exe	cmd.exe
PID 1600 wrote to memory of 3168	1600	SecuriteInfo.com.Trojan.Siggen18.23618.24708.4475.exe	cmd.exe
PID 3168 wrote to memory of 4724	3168	cmd.exe	cscript.exe
PID 3168 wrote to memory of 4724	3168	cmd.exe	cscript.exe
PID 3168 wrote to memory of 4724	3168	cmd.exe	cscript.exe
PID 1600 wrote to memory of 3952	1600	SecuriteInfo.com.Trojan.Siggen18.23618.24708.4475.exe	!WannaDecryptor!.exe
PID 1600 wrote to memory of 3952	1600	SecuriteInfo.com.Trojan.Siggen18.23618.24708.4475.exe	!WannaDecryptor!.exe
PID 1600 wrote to memory of 3952	1600	SecuriteInfo.com.Trojan.Siggen18.23618.24708.4475.exe	!WannaDecryptor!.exe
PID 1600 wrote to memory of 432	1600	SecuriteInfo.com.Trojan.Siggen18.23618.24708.4475.exe	taskkill.exe
PID 1600 wrote to memory of 432	1600	SecuriteInfo.com.Trojan.Siggen18.23618.24708.4475.exe	taskkill.exe
PID 1600 wrote to memory of 432	1600	SecuriteInfo.com.Trojan.Siggen18.23618.24708.4475.exe	taskkill.exe
PID 1600 wrote to memory of 5032	1600	SecuriteInfo.com.Trojan.Siggen18.23618.24708.4475.exe	taskkill.exe
PID 1600 wrote to memory of 5032	1600	SecuriteInfo.com.Trojan.Siggen18.23618.24708.4475.exe	taskkill.exe
PID 1600 wrote to memory of 5032	1600	SecuriteInfo.com.Trojan.Siggen18.23618.24708.4475.exe	taskkill.exe
PID 1600 wrote to memory of 2616	1600	SecuriteInfo.com.Trojan.Siggen18.23618.24708.4475.exe	taskkill.exe
PID 1600 wrote to memory of 2616	1600	SecuriteInfo.com.Trojan.Siggen18.23618.24708.4475.exe	taskkill.exe
PID 1600 wrote to memory of 2616	1600	SecuriteInfo.com.Trojan.Siggen18.23618.24708.4475.exe	taskkill.exe
PID 1600 wrote to memory of 2408	1600	SecuriteInfo.com.Trojan.Siggen18.23618.24708.4475.exe	taskkill.exe
PID 1600 wrote to memory of 2408	1600	SecuriteInfo.com.Trojan.Siggen18.23618.24708.4475.exe	taskkill.exe
PID 1600 wrote to memory of 2408	1600	SecuriteInfo.com.Trojan.Siggen18.23618.24708.4475.exe	taskkill.exe
PID 1600 wrote to memory of 3680	1600	SecuriteInfo.com.Trojan.Siggen18.23618.24708.4475.exe	!WannaDecryptor!.exe
PID 1600 wrote to memory of 3680	1600	SecuriteInfo.com.Trojan.Siggen18.23618.24708.4475.exe	!WannaDecryptor!.exe
PID 1600 wrote to memory of 3680	1600	SecuriteInfo.com.Trojan.Siggen18.23618.24708.4475.exe	!WannaDecryptor!.exe
PID 1600 wrote to memory of 2960	1600	SecuriteInfo.com.Trojan.Siggen18.23618.24708.4475.exe	cmd.exe
PID 1600 wrote to memory of 2960	1600	SecuriteInfo.com.Trojan.Siggen18.23618.24708.4475.exe	cmd.exe
PID 1600 wrote to memory of 2960	1600	SecuriteInfo.com.Trojan.Siggen18.23618.24708.4475.exe	cmd.exe
PID 2960 wrote to memory of 4056	2960	cmd.exe	!WannaDecryptor!.exe
PID 2960 wrote to memory of 4056	2960	cmd.exe	!WannaDecryptor!.exe
PID 2960 wrote to memory of 4056	2960	cmd.exe	!WannaDecryptor!.exe
PID 1600 wrote to memory of 4476	1600	SecuriteInfo.com.Trojan.Siggen18.23618.24708.4475.exe	!WannaDecryptor!.exe
PID 1600 wrote to memory of 4476	1600	SecuriteInfo.com.Trojan.Siggen18.23618.24708.4475.exe	!WannaDecryptor!.exe
PID 1600 wrote to memory of 4476	1600	SecuriteInfo.com.Trojan.Siggen18.23618.24708.4475.exe	!WannaDecryptor!.exe
PID 4056 wrote to memory of 3124	4056	!WannaDecryptor!.exe	cmd.exe
PID 4056 wrote to memory of 3124	4056	!WannaDecryptor!.exe	cmd.exe
PID 4056 wrote to memory of 3124	4056	!WannaDecryptor!.exe	cmd.exe
PID 3124 wrote to memory of 1812	3124	cmd.exe	WMIC.exe
PID 3124 wrote to memory of 1812	3124	cmd.exe	WMIC.exe
PID 3124 wrote to memory of 1812	3124	cmd.exe	WMIC.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen18.23618.24708.4475.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen18.23618.24708.4475.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Sets desktop wallpaper using registry
- Suspicious use of WriteProcessMemory
PID:1600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 65601720549197.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:3168

C:\Windows\SysWOW64\cscript.exe
cscript //nologo c.vbs
3⤵
PID:4724

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
!WannaDecryptor!.exe f
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3952

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im MSExchange*
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:432

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Microsoft.Exchange.*
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5032

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im sqlserver.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2616

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im sqlwriter.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2408

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
!WannaDecryptor!.exe c
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3680

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /b !WannaDecryptor!.exe v
2⤵
- Suspicious use of WriteProcessMemory
PID:2960

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
!WannaDecryptor!.exe v
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4056

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
4⤵
- Suspicious use of WriteProcessMemory
PID:3124

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1812

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
!WannaDecryptor!.exe
2⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious use of SetWindowsHookEx
PID:4476

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
717B

MD5
822467b728b7a66b081c91795373789a

SHA1
d8f2f02e1eef62485a9feffd59ce837511749865

SHA256
af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9

SHA512
bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
471B

MD5
7e7a1a23e7ee02bffc2dabb63efd6554

SHA1
e3359f0298b7151c46c576b96110b4435c987d4e

SHA256
ea5bf27142482bc76eb3053a2d129c0a96a1817abcfb76c599f5cc2df7c54192

SHA512
59ae5381f6dc2f88a839dd85daf180f41f323dba931ad364e02a6732cac7c91ce8fc5bb6a6e5acb621f7fdd11e9f6391adc105dffeded5c9ca61267c00472ee0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E573CDF4C6D731D56A665145182FD759_1D978D5EA8275AA72D1BFCD66AF4A751

Filesize
471B

MD5
651cd6cd7b0326fae0e52c9fd6a64355

SHA1
40045e10ea63f8b90664b1509aeef6fe93eb1997

SHA256
61b97d69e5e23ae9cb7cb7560ab67629d551236e409363169437c65932169727

SHA512
910c45668e4ff9e812424315c5d7131ba78ba581909b323cddf90ace573520fbf1e4e06bdce22d92420dc47b319da64024fde31977ea1546613eeeff9b127114

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
a1afcdd9d466e837e6b67168ce63ffb8

SHA1
dd3a090baf7991112fab2b630de3ba89114b32ae

SHA256
73dd05b907099a7ec54600dee4b3915122d5c7b9bdca0ace530ceb27f1e3723f

SHA512
48f99cd44d26e8801d0e4719167387647f5a973ea82c86b9c5c0e64fce78d840919a131a6e9294893582ed6ea49167c4977a2d44b78944912764d4dabb07781c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
400B

MD5
496f4d4f216d4d7d491218f3a8012d32

SHA1
fc30a6a8d8a1a76869fba29775a29338c4017c3e

SHA256
ab6112645917b0363854e00d26d6f82a6a9f68ef1255f0bc11859c6b91db1eb7

SHA512
38c47ff0df214415678d12072e16df6eaa0d7e305ab79910ecc9751dd8f3287ed2e35b49e6d8d5f91bea9fcaef75080412c605a5fdbe11c8fcc55efe7cfe0580

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E573CDF4C6D731D56A665145182FD759_1D978D5EA8275AA72D1BFCD66AF4A751

Filesize
396B

MD5
7048bd4343bc4566dcdfbe1bbbaa92d6

SHA1
861c83a833a0c5e0bb3b7c119f957cea1019856f

SHA256
8f077db10db7a6fbb4643e249b18bd909264edaf8b909feb5370f937f8b6be9a

SHA512
d6d85679794ed02eeb02e9a517dc944078e34cb969e7863c260392ffc617d95a02a1ecfcd220f0441614ef616456aabc5d7882f3b836708e7b6677e6ad88ef39

Download Submit
C:\Users\Admin\AppData\Local\Temp\!Please Read Me!.txt

Filesize
849B

MD5
66c169379186555b050c266dd5f9ce29

SHA1
45568656a50454ae85cc49c12872bad0167945ac

SHA256
90bb163d3350460dd30132a16e15d37bc1d5932af354cad83dbedb46275b6861

SHA512
926a185bbe8989f9cbba6fa635883e8514b70fa66247ef5ba51dce19b73bd1d3a6b8c4ab98f4f8b4e55ab19054b19e1ca38e4949e8a042a51db09d8528ced2d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.res

Filesize
136B

MD5
2f833a701231882a12a285e1e2730200

SHA1
355b4ae91880e38bda6afee7f27af747c2b50d95

SHA256
c42529b1d3bf47cee5c69a7206095684ba7e8f59102d3caf778ed8b8dd10beca

SHA512
ef4c6fde16d639f0ec61206eafe30cdd529ec4ff1c4baaaa03053bdb804fdb137b0a719ffcfecaaddcfe438dfd8131208fc5b20ff2ae87caa5b3b41f3150484c

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.res

Filesize
136B

MD5
640a11f52b357bbec8aa6c591e846e46

SHA1
939de7e1d1b80653db2860ebd04b2f50bab5c2ee

SHA256
23c08b8d02bc8bc035e3e08074e9213e872807badd2a21d8d7de318a5dbd0041

SHA512
5bf747de7e570b10cf3bf86598f88c47d406a6b68eaca3716140557f5f65a9fbc8d292b15766fc5cd67bfcf6b05562e0a08fd9e220c8a79ff527a023196e8f0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\65601720549197.bat

Filesize
336B

MD5
3540e056349c6972905dc9706cd49418

SHA1
492c20442d34d45a6d6790c720349b11ec591cde

SHA256
73872a89440a2cba9d22bf4961c3d499ea2c72979c30c455f942374292fedadc

SHA512
c949d147100aef59e382c03abf7b162ae62a4d43456eebd730fbedcf5f95f5e1a24f6e349690d52d75331878a6ee8f6b88a7162ee9cf2a49e142196b12d0133c

Download Submit
C:\Users\Admin\AppData\Local\Temp\b.wry

Filesize
1.4MB

MD5
99ae8326b4bc406daf54ddc7c5e43abe

SHA1
6ce5002f3cb55a8de0e8e8da77f0d0d0d7679183

SHA256
5054c415757f8a62abe0d61087d31e95065439d9ea1b364a6f207cdceaa24b7c

SHA512
756d7e44eb139501f5b3cf1ed0f76d1e8730c4dfd15f30bc23cda25102b240ad69784d414f995099c57610cf2f9bc9083b20fb4d303f1ca89f75e6819b8cf1d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.vbs

Filesize
219B

MD5
5f6d40ca3c34b470113ed04d06a88ff4

SHA1
50629e7211ae43e32060686d6be17ebd492fd7aa

SHA256
0fb5039a2fe7e90cdf3f22140d7f2103f94689b15609efe0edcc8430dd772fc1

SHA512
4d4aa1abd2c9183202fd3f0a65b37f07ee0166ba6561f094c13c8ea59752c7bdd960e37c49583746d4464bc3b1dc0b63a1fe36a37ce7e5709cd76ed433befe35

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.wry

Filesize
628B

MD5
c92e9fa2d3c9e9fdb907fcaa86de0035

SHA1
13b72cd91a06487583cf2cb87ff0dbf4bfd38e42

SHA256
eff0bdf1ffa734a32f7891ad9017d3a8d98b00c32a07de79069beae5dc5b501f

SHA512
3f50d1a34489cc735e3bb7732c284c93d64e5d7319c1d251955e7e9e76de83ed4b1404b72ae7f1de09bf44286d75d797cc3fcfa040e75a45cff3ec589a7340ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\m.wry

Filesize
43KB

MD5
54c0e4aa798ce82886a96ba4bb449188

SHA1
71886d4d410013425243a00f15c270fc4f2a6a3a

SHA256
e5373e95a201b3b676072752097ff5d851a0a34e1be4194ff0c52c33601e576a

SHA512
4415559fa5da1192360b4d6db368179335661120443b812f5bc256466c79ecb6d36ed5d3c00a4e2590bf70e473565287a7db53f6aa3f8faaad46f21e34e84298

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.wry

Filesize
236KB

MD5
abcb7d4353abee5083ddd8057c7cd1ff

SHA1
d8a2c1be4b47944d9afdf5e664e5db1364b66a5a

SHA256
eeb9cd6a1c4b3949b2ff3134a77d6736b35977f951b9c7c911483b5caeb1c1fb

SHA512
7d1ebb730a4c4833f2d690c80a35a73f3b7dbe2a83a642dbcf5e6d1d6aa4204a1513a28f74f32751727074b9f0072071deafea48cbe7d36081efd957a5244508

Download Submit
F:\$RECYCLER\!WannaDecryptor!.exe.lnk

Filesize
1KB

MD5
09c56a12751194e211f03ce349f26a42

SHA1
169e45e1d45648a66d1244738d9ee8d5c4af3a52

SHA256
de7c01da90c006a0b00eb197fe10da9822643a1c85dbf1c09ecebc93df19adfd

SHA512
f75ac5b3298972d6d95c3cebde1068cd8c9c1466c74532a18ce4470b376ab457d399cf27c1f927f5712e01b6188cc158d2bf9dedd86079fbf9f1f57c0081200b

Download Submit
memory/1600-7-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download