wannacry | 5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
10-07-2024 01:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe
Size

316KB
MD5

b9b3965d1b218c63cd317ac33edcb942
SHA1

02408bb6dc1f3605a7d3f9bad687a858ec147896
SHA256

5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9
SHA512

18096b1167561c6da5bfcc05e40f7661e21f43521eb47da9520d2744c8a1806d7187894ce0ae8e0a9e97904b345daae09897d80e8754a63c9aa1d6514feaf98e
SSDEEP

6144:xHQFwJYDzVc1aWLn0IU4eFTE3Ijr2Cq6j7+qmOq:Z6wWcYWL0IUzNGqJq

Score

10^/10

wannacry defense_evasion execution impact persistence ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\!Please Read Me!.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $200 worth of bitcoin to this bitcoin address: 1QAc9S5EmycqjzzWDc1yiWzr9jJLC8sLiY Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) https://www.dropbox.com/s/c1gn29iy8erh1ks/m.rar?dl=1 rar password: wcry123 Run and follow the instructions! �

Wallets

1QAc9S5EmycqjzzWDc1yiWzr9jJLC8sLiY

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Drops startup file 2 IoCs

Processes:

5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD980A.tmp	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD9811.tmp	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe

Executes dropped EXE 4 IoCs

Processes:

!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe

pid process

4456 !WannaDecryptor!.exe
2836 !WannaDecryptor!.exe
4724 !WannaDecryptor!.exe
5028 !WannaDecryptor!.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe\" /r"	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe!WannaDecryptor!.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp"	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp"	!WannaDecryptor!.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Kills process with taskkill 4 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

2624 taskkill.exe
4532 taskkill.exe
2464 taskkill.exe
2460 taskkill.exe

pid	process
2624	taskkill.exe
4532	taskkill.exe
2464	taskkill.exe
2460	taskkill.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exeWMIC.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	4532	taskkill.exe
Token: SeDebugPrivilege	2464	taskkill.exe
Token: SeDebugPrivilege	2624	taskkill.exe
Token: SeDebugPrivilege	2460	taskkill.exe
Token: SeIncreaseQuotaPrivilege	3852	WMIC.exe
Token: SeSecurityPrivilege	3852	WMIC.exe
Token: SeTakeOwnershipPrivilege	3852	WMIC.exe
Token: SeLoadDriverPrivilege	3852	WMIC.exe
Token: SeSystemProfilePrivilege	3852	WMIC.exe
Token: SeSystemtimePrivilege	3852	WMIC.exe
Token: SeProfSingleProcessPrivilege	3852	WMIC.exe
Token: SeIncBasePriorityPrivilege	3852	WMIC.exe
Token: SeCreatePagefilePrivilege	3852	WMIC.exe
Token: SeBackupPrivilege	3852	WMIC.exe
Token: SeRestorePrivilege	3852	WMIC.exe
Token: SeShutdownPrivilege	3852	WMIC.exe
Token: SeDebugPrivilege	3852	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3852	WMIC.exe
Token: SeRemoteShutdownPrivilege	3852	WMIC.exe
Token: SeUndockPrivilege	3852	WMIC.exe
Token: SeManageVolumePrivilege	3852	WMIC.exe
Token: 33	3852	WMIC.exe
Token: 34	3852	WMIC.exe
Token: 35	3852	WMIC.exe
Token: 36	3852	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3852	WMIC.exe
Token: SeSecurityPrivilege	3852	WMIC.exe
Token: SeTakeOwnershipPrivilege	3852	WMIC.exe
Token: SeLoadDriverPrivilege	3852	WMIC.exe
Token: SeSystemProfilePrivilege	3852	WMIC.exe
Token: SeSystemtimePrivilege	3852	WMIC.exe
Token: SeProfSingleProcessPrivilege	3852	WMIC.exe
Token: SeIncBasePriorityPrivilege	3852	WMIC.exe
Token: SeCreatePagefilePrivilege	3852	WMIC.exe
Token: SeBackupPrivilege	3852	WMIC.exe
Token: SeRestorePrivilege	3852	WMIC.exe
Token: SeShutdownPrivilege	3852	WMIC.exe
Token: SeDebugPrivilege	3852	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3852	WMIC.exe
Token: SeRemoteShutdownPrivilege	3852	WMIC.exe
Token: SeUndockPrivilege	3852	WMIC.exe
Token: SeManageVolumePrivilege	3852	WMIC.exe
Token: 33	3852	WMIC.exe
Token: 34	3852	WMIC.exe
Token: 35	3852	WMIC.exe
Token: 36	3852	WMIC.exe
Token: SeBackupPrivilege	3508	vssvc.exe
Token: SeRestorePrivilege	3508	vssvc.exe
Token: SeAuditPrivilege	3508	vssvc.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe

pid	process
4456	!WannaDecryptor!.exe
4456	!WannaDecryptor!.exe
2836	!WannaDecryptor!.exe
2836	!WannaDecryptor!.exe
4724	!WannaDecryptor!.exe
4724	!WannaDecryptor!.exe
5028	!WannaDecryptor!.exe
5028	!WannaDecryptor!.exe

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.execmd.execmd.exe!WannaDecryptor!.execmd.exe

description	pid	process	target process
PID 3268 wrote to memory of 2876	3268	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	cmd.exe
PID 3268 wrote to memory of 2876	3268	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	cmd.exe
PID 3268 wrote to memory of 2876	3268	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	cmd.exe
PID 2876 wrote to memory of 2424	2876	cmd.exe	cscript.exe
PID 2876 wrote to memory of 2424	2876	cmd.exe	cscript.exe
PID 2876 wrote to memory of 2424	2876	cmd.exe	cscript.exe
PID 3268 wrote to memory of 4456	3268	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	!WannaDecryptor!.exe
PID 3268 wrote to memory of 4456	3268	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	!WannaDecryptor!.exe
PID 3268 wrote to memory of 4456	3268	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	!WannaDecryptor!.exe
PID 3268 wrote to memory of 2624	3268	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	taskkill.exe
PID 3268 wrote to memory of 2624	3268	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	taskkill.exe
PID 3268 wrote to memory of 2624	3268	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	taskkill.exe
PID 3268 wrote to memory of 2460	3268	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	taskkill.exe
PID 3268 wrote to memory of 2460	3268	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	taskkill.exe
PID 3268 wrote to memory of 2460	3268	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	taskkill.exe
PID 3268 wrote to memory of 2464	3268	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	taskkill.exe
PID 3268 wrote to memory of 2464	3268	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	taskkill.exe
PID 3268 wrote to memory of 2464	3268	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	taskkill.exe
PID 3268 wrote to memory of 4532	3268	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	taskkill.exe
PID 3268 wrote to memory of 4532	3268	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	taskkill.exe
PID 3268 wrote to memory of 4532	3268	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	taskkill.exe
PID 3268 wrote to memory of 2836	3268	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	!WannaDecryptor!.exe
PID 3268 wrote to memory of 2836	3268	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	!WannaDecryptor!.exe
PID 3268 wrote to memory of 2836	3268	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	!WannaDecryptor!.exe
PID 3268 wrote to memory of 1976	3268	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	cmd.exe
PID 3268 wrote to memory of 1976	3268	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	cmd.exe
PID 3268 wrote to memory of 1976	3268	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	cmd.exe
PID 1976 wrote to memory of 4724	1976	cmd.exe	!WannaDecryptor!.exe
PID 1976 wrote to memory of 4724	1976	cmd.exe	!WannaDecryptor!.exe
PID 1976 wrote to memory of 4724	1976	cmd.exe	!WannaDecryptor!.exe
PID 3268 wrote to memory of 5028	3268	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	!WannaDecryptor!.exe
PID 3268 wrote to memory of 5028	3268	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	!WannaDecryptor!.exe
PID 3268 wrote to memory of 5028	3268	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	!WannaDecryptor!.exe
PID 4724 wrote to memory of 4896	4724	!WannaDecryptor!.exe	cmd.exe
PID 4724 wrote to memory of 4896	4724	!WannaDecryptor!.exe	cmd.exe
PID 4724 wrote to memory of 4896	4724	!WannaDecryptor!.exe	cmd.exe
PID 4896 wrote to memory of 3852	4896	cmd.exe	WMIC.exe
PID 4896 wrote to memory of 3852	4896	cmd.exe	WMIC.exe
PID 4896 wrote to memory of 3852	4896	cmd.exe	WMIC.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe
"C:\Users\Admin\AppData\Local\Temp\5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Sets desktop wallpaper using registry
- Suspicious use of WriteProcessMemory
PID:3268

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 49901720575446.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:2876

C:\Windows\SysWOW64\cscript.exe
cscript //nologo c.vbs
3⤵
PID:2424

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
!WannaDecryptor!.exe f
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4456

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im MSExchange*
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2624

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Microsoft.Exchange.*
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2460

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im sqlserver.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2464

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im sqlwriter.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4532

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
!WannaDecryptor!.exe c
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2836

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /b !WannaDecryptor!.exe v
2⤵
- Suspicious use of WriteProcessMemory
PID:1976

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
!WannaDecryptor!.exe v
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4724

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
4⤵
- Suspicious use of WriteProcessMemory
PID:4896

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:3852

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
!WannaDecryptor!.exe
2⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious use of SetWindowsHookEx
PID:5028

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
717B

MD5
822467b728b7a66b081c91795373789a

SHA1
d8f2f02e1eef62485a9feffd59ce837511749865

SHA256
af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9

SHA512
bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
471B

MD5
7e7a1a23e7ee02bffc2dabb63efd6554

SHA1
e3359f0298b7151c46c576b96110b4435c987d4e

SHA256
ea5bf27142482bc76eb3053a2d129c0a96a1817abcfb76c599f5cc2df7c54192

SHA512
59ae5381f6dc2f88a839dd85daf180f41f323dba931ad364e02a6732cac7c91ce8fc5bb6a6e5acb621f7fdd11e9f6391adc105dffeded5c9ca61267c00472ee0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E573CDF4C6D731D56A665145182FD759_1D978D5EA8275AA72D1BFCD66AF4A751

Filesize
471B

MD5
651cd6cd7b0326fae0e52c9fd6a64355

SHA1
40045e10ea63f8b90664b1509aeef6fe93eb1997

SHA256
61b97d69e5e23ae9cb7cb7560ab67629d551236e409363169437c65932169727

SHA512
910c45668e4ff9e812424315c5d7131ba78ba581909b323cddf90ace573520fbf1e4e06bdce22d92420dc47b319da64024fde31977ea1546613eeeff9b127114

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
d36667abc94b2f73676dbefd1694c7fd

SHA1
b38d4470f2ef152baeacd4b28b0a4160be2b9a94

SHA256
ec0591f711a3c952be01118384d2ab86138b940ccfccd4acdb2dba59a0ab4461

SHA512
50a23b3456110e09dfdcdd9511c6f18511323a77b580291dbe7879bd0fbb04533b02501cef737d0153de0701fc4ae6758c4ce0e928a9e3f2613f7ebd19472afb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
400B

MD5
1a9120fa0eadaf3a6348e2d7f6511f84

SHA1
2eb2dc13af361ecf8b296df4d7edd85f3981881e

SHA256
6ef8cd0382e02060c321aa73a93e373bbc1cece64a5443057bc7062486bec2eb

SHA512
e7fb70c677f11065bed9d656bf161638072517aac8ea7b752665f1c2f0b66b660c3e985dd077ff7a2324758125bba5e4473fa3acd106e3ab2bd9859cc9d6248f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E573CDF4C6D731D56A665145182FD759_1D978D5EA8275AA72D1BFCD66AF4A751

Filesize
396B

MD5
a098b24aaad0c6e89c4090ad5c9be080

SHA1
a85267533e2740af3ee2b81af2ed126142c3194c

SHA256
4ee3e167f1efae546bf42f8d661e8fdb2491e11ab0d2dc4b8dc8098e44871ff1

SHA512
205225c26240e9769ffe64e4debe6aa9f726428e3b5d348ef42163ebd39e5fa22ec280aa745e93606fcff8c86bb78f54f6f2dc7e8a8384ea1291653f88bd773f

Download Submit
C:\Users\Admin\AppData\Local\Temp\!Please Read Me!.txt

Filesize
849B

MD5
66c169379186555b050c266dd5f9ce29

SHA1
45568656a50454ae85cc49c12872bad0167945ac

SHA256
90bb163d3350460dd30132a16e15d37bc1d5932af354cad83dbedb46275b6861

SHA512
926a185bbe8989f9cbba6fa635883e8514b70fa66247ef5ba51dce19b73bd1d3a6b8c4ab98f4f8b4e55ab19054b19e1ca38e4949e8a042a51db09d8528ced2d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe.lnk

Filesize
1KB

MD5
67e826cf99d325c7d52c870ea61c968f

SHA1
b50f0323ecf99532b7ab578e56083f41c97f1861

SHA256
90be08167bd44caf0008b784394b1480174c9d44ff1a82ae3e54da2078d55d09

SHA512
ff04e927784ab0ce37113a94100c4302f1b30746d81cfecd880d9253835427057d6bc12ebc4505a9923fdf5a7122cd55be5b5f7841c812316a0649be6ff57e2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.res

Filesize
136B

MD5
9dc6d944da0bbf39b5f650ddf0d3789e

SHA1
2ae4c72a11b38280122bc64d1a23bcc4c4009553

SHA256
372f82793c83d60e705d545379596cc701a28615fb0a1c7ff7212ba3c7b5f6c0

SHA512
f2e1489553ad0a5ce981ba1c576e6cea4883188f3bcdf7721e09b016ae333d008afc12eedfa87c4482d2038f8e5ca200bb3b045108eab7d865c3b3421dc33281

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.res

Filesize
136B

MD5
d39bcf0c24589e987f8ae27275e33f6b

SHA1
ef53022b4b85b9b60239785e23ffd8b50da98a9f

SHA256
8bd38bce2c4d50b8cfdb30cff88e0a5e65a71d6e8ea3b2ff83c29fd8e24f59d5

SHA512
2da1aaa960d0446ada0d5492c97ce024c1be69a8bbd34ae191e106e964eed5ae4e8022be4273a030a9a7a6fc7f7ba0a4b28a51595dd88d60d314096bd0dc6bb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\49901720575446.bat

Filesize
336B

MD5
3540e056349c6972905dc9706cd49418

SHA1
492c20442d34d45a6d6790c720349b11ec591cde

SHA256
73872a89440a2cba9d22bf4961c3d499ea2c72979c30c455f942374292fedadc

SHA512
c949d147100aef59e382c03abf7b162ae62a4d43456eebd730fbedcf5f95f5e1a24f6e349690d52d75331878a6ee8f6b88a7162ee9cf2a49e142196b12d0133c

Download Submit
C:\Users\Admin\AppData\Local\Temp\b.wry

Filesize
1.4MB

MD5
99ae8326b4bc406daf54ddc7c5e43abe

SHA1
6ce5002f3cb55a8de0e8e8da77f0d0d0d7679183

SHA256
5054c415757f8a62abe0d61087d31e95065439d9ea1b364a6f207cdceaa24b7c

SHA512
756d7e44eb139501f5b3cf1ed0f76d1e8730c4dfd15f30bc23cda25102b240ad69784d414f995099c57610cf2f9bc9083b20fb4d303f1ca89f75e6819b8cf1d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.vbs

Filesize
219B

MD5
5f6d40ca3c34b470113ed04d06a88ff4

SHA1
50629e7211ae43e32060686d6be17ebd492fd7aa

SHA256
0fb5039a2fe7e90cdf3f22140d7f2103f94689b15609efe0edcc8430dd772fc1

SHA512
4d4aa1abd2c9183202fd3f0a65b37f07ee0166ba6561f094c13c8ea59752c7bdd960e37c49583746d4464bc3b1dc0b63a1fe36a37ce7e5709cd76ed433befe35

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.wry

Filesize
628B

MD5
a317813ea497d9b487eb4292fcabe80d

SHA1
59c5f753be90b702a966f68ec2575502154b287a

SHA256
cb9c17c644db94d591b2da8baaea5c357fbd6074351550c0f660bde85d5ba422

SHA512
18d96539ce8066801027bbf31817b147b34f40e8da614eff302f6252dfebe72c6a1fe2ce70d20a18a668778ac3eb514ab1a21b2495aac208e543b622e4b4a810

Download Submit
C:\Users\Admin\AppData\Local\Temp\m.wry

Filesize
43KB

MD5
54c0e4aa798ce82886a96ba4bb449188

SHA1
71886d4d410013425243a00f15c270fc4f2a6a3a

SHA256
e5373e95a201b3b676072752097ff5d851a0a34e1be4194ff0c52c33601e576a

SHA512
4415559fa5da1192360b4d6db368179335661120443b812f5bc256466c79ecb6d36ed5d3c00a4e2590bf70e473565287a7db53f6aa3f8faaad46f21e34e84298

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.wry

Filesize
236KB

MD5
abcb7d4353abee5083ddd8057c7cd1ff

SHA1
d8a2c1be4b47944d9afdf5e664e5db1364b66a5a

SHA256
eeb9cd6a1c4b3949b2ff3134a77d6736b35977f951b9c7c911483b5caeb1c1fb

SHA512
7d1ebb730a4c4833f2d690c80a35a73f3b7dbe2a83a642dbcf5e6d1d6aa4204a1513a28f74f32751727074b9f0072071deafea48cbe7d36081efd957a5244508

Download Submit
memory/3268-8-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download