wannacry | 5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9

Analysis

max time kernel
140s
max time network
118s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
10-07-2024 17:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe
Size

316KB
MD5

b9b3965d1b218c63cd317ac33edcb942
SHA1

02408bb6dc1f3605a7d3f9bad687a858ec147896
SHA256

5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9
SHA512

18096b1167561c6da5bfcc05e40f7661e21f43521eb47da9520d2744c8a1806d7187894ce0ae8e0a9e97904b345daae09897d80e8754a63c9aa1d6514feaf98e
SSDEEP

6144:xHQFwJYDzVc1aWLn0IU4eFTE3Ijr2Cq6j7+qmOq:Z6wWcYWL0IUzNGqJq

Score

10^/10

wannacry defense_evasion execution impact persistence ransomware spyware stealer worm

Malware Config

Extracted

Path

F:\$RECYCLE.BIN\!Please Read Me!.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $200 worth of bitcoin to this bitcoin address: 1QAc9S5EmycqjzzWDc1yiWzr9jJLC8sLiY Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) https://www.dropbox.com/s/c1gn29iy8erh1ks/m.rar?dl=1 rar password: wcry123 Run and follow the instructions! �

Wallets

1QAc9S5EmycqjzzWDc1yiWzr9jJLC8sLiY

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Drops startup file 2 IoCs

Processes:

5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDFDB8.tmp	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDFDDB.tmp	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe

Executes dropped EXE 4 IoCs

Processes:

!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe

pid process

3044 !WannaDecryptor!.exe
2992 !WannaDecryptor!.exe
2100 !WannaDecryptor!.exe
1960 !WannaDecryptor!.exe

Loads dropped DLL 9 IoCs

Processes:

cscript.exe5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.execmd.exe

pid	process
2560	cscript.exe
2276	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe
2276	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe
2276	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe
2276	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe
1320	cmd.exe
1320	cmd.exe
2276	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe
2276	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe\" /r"	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe!WannaDecryptor!.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp"	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp"	!WannaDecryptor!.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Direct Volume Access
T1006

Processes:

vssadmin.exe

pid process

2696 vssadmin.exe
Kills process with taskkill 4 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

1032 taskkill.exe
1756 taskkill.exe
1796 taskkill.exe
2996 taskkill.exe

pid	process
2696	vssadmin.exe

pid	process
1032	taskkill.exe
1756	taskkill.exe
1796	taskkill.exe
2996	taskkill.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

!WannaDecryptor!.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	!WannaDecryptor!.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	!WannaDecryptor!.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	!WannaDecryptor!.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	!WannaDecryptor!.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	!WannaDecryptor!.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	!WannaDecryptor!.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	!WannaDecryptor!.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	!WannaDecryptor!.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

!WannaDecryptor!.exe

pid process

1960 !WannaDecryptor!.exe

pid	process
1960	!WannaDecryptor!.exe

Suspicious use of AdjustPrivilegeToken 47 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exevssvc.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	1756	taskkill.exe
Token: SeDebugPrivilege	2996	taskkill.exe
Token: SeDebugPrivilege	1796	taskkill.exe
Token: SeDebugPrivilege	1032	taskkill.exe
Token: SeBackupPrivilege	1992	vssvc.exe
Token: SeRestorePrivilege	1992	vssvc.exe
Token: SeAuditPrivilege	1992	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1820	WMIC.exe
Token: SeSecurityPrivilege	1820	WMIC.exe
Token: SeTakeOwnershipPrivilege	1820	WMIC.exe
Token: SeLoadDriverPrivilege	1820	WMIC.exe
Token: SeSystemProfilePrivilege	1820	WMIC.exe
Token: SeSystemtimePrivilege	1820	WMIC.exe
Token: SeProfSingleProcessPrivilege	1820	WMIC.exe
Token: SeIncBasePriorityPrivilege	1820	WMIC.exe
Token: SeCreatePagefilePrivilege	1820	WMIC.exe
Token: SeBackupPrivilege	1820	WMIC.exe
Token: SeRestorePrivilege	1820	WMIC.exe
Token: SeShutdownPrivilege	1820	WMIC.exe
Token: SeDebugPrivilege	1820	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1820	WMIC.exe
Token: SeRemoteShutdownPrivilege	1820	WMIC.exe
Token: SeUndockPrivilege	1820	WMIC.exe
Token: SeManageVolumePrivilege	1820	WMIC.exe
Token: 33	1820	WMIC.exe
Token: 34	1820	WMIC.exe
Token: 35	1820	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1820	WMIC.exe
Token: SeSecurityPrivilege	1820	WMIC.exe
Token: SeTakeOwnershipPrivilege	1820	WMIC.exe
Token: SeLoadDriverPrivilege	1820	WMIC.exe
Token: SeSystemProfilePrivilege	1820	WMIC.exe
Token: SeSystemtimePrivilege	1820	WMIC.exe
Token: SeProfSingleProcessPrivilege	1820	WMIC.exe
Token: SeIncBasePriorityPrivilege	1820	WMIC.exe
Token: SeCreatePagefilePrivilege	1820	WMIC.exe
Token: SeBackupPrivilege	1820	WMIC.exe
Token: SeRestorePrivilege	1820	WMIC.exe
Token: SeShutdownPrivilege	1820	WMIC.exe
Token: SeDebugPrivilege	1820	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1820	WMIC.exe
Token: SeRemoteShutdownPrivilege	1820	WMIC.exe
Token: SeUndockPrivilege	1820	WMIC.exe
Token: SeManageVolumePrivilege	1820	WMIC.exe
Token: 33	1820	WMIC.exe
Token: 34	1820	WMIC.exe
Token: 35	1820	WMIC.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe

pid	process
3044	!WannaDecryptor!.exe
3044	!WannaDecryptor!.exe
2992	!WannaDecryptor!.exe
2992	!WannaDecryptor!.exe
2100	!WannaDecryptor!.exe
2100	!WannaDecryptor!.exe
1960	!WannaDecryptor!.exe
1960	!WannaDecryptor!.exe

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.execmd.execmd.exe!WannaDecryptor!.execmd.exe

description	pid	process	target process
PID 2276 wrote to memory of 2832	2276	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	cmd.exe
PID 2276 wrote to memory of 2832	2276	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	cmd.exe
PID 2276 wrote to memory of 2832	2276	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	cmd.exe
PID 2276 wrote to memory of 2832	2276	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	cmd.exe
PID 2832 wrote to memory of 2560	2832	cmd.exe	cscript.exe
PID 2832 wrote to memory of 2560	2832	cmd.exe	cscript.exe
PID 2832 wrote to memory of 2560	2832	cmd.exe	cscript.exe
PID 2832 wrote to memory of 2560	2832	cmd.exe	cscript.exe
PID 2276 wrote to memory of 3044	2276	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	!WannaDecryptor!.exe
PID 2276 wrote to memory of 3044	2276	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	!WannaDecryptor!.exe
PID 2276 wrote to memory of 3044	2276	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	!WannaDecryptor!.exe
PID 2276 wrote to memory of 3044	2276	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	!WannaDecryptor!.exe
PID 2276 wrote to memory of 2996	2276	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	taskkill.exe
PID 2276 wrote to memory of 2996	2276	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	taskkill.exe
PID 2276 wrote to memory of 2996	2276	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	taskkill.exe
PID 2276 wrote to memory of 2996	2276	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	taskkill.exe
PID 2276 wrote to memory of 1032	2276	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	taskkill.exe
PID 2276 wrote to memory of 1032	2276	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	taskkill.exe
PID 2276 wrote to memory of 1032	2276	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	taskkill.exe
PID 2276 wrote to memory of 1032	2276	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	taskkill.exe
PID 2276 wrote to memory of 1796	2276	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	taskkill.exe
PID 2276 wrote to memory of 1796	2276	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	taskkill.exe
PID 2276 wrote to memory of 1796	2276	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	taskkill.exe
PID 2276 wrote to memory of 1796	2276	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	taskkill.exe
PID 2276 wrote to memory of 1756	2276	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	taskkill.exe
PID 2276 wrote to memory of 1756	2276	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	taskkill.exe
PID 2276 wrote to memory of 1756	2276	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	taskkill.exe
PID 2276 wrote to memory of 1756	2276	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	taskkill.exe
PID 2276 wrote to memory of 2992	2276	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	!WannaDecryptor!.exe
PID 2276 wrote to memory of 2992	2276	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	!WannaDecryptor!.exe
PID 2276 wrote to memory of 2992	2276	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	!WannaDecryptor!.exe
PID 2276 wrote to memory of 2992	2276	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	!WannaDecryptor!.exe
PID 2276 wrote to memory of 1320	2276	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	cmd.exe
PID 2276 wrote to memory of 1320	2276	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	cmd.exe
PID 2276 wrote to memory of 1320	2276	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	cmd.exe
PID 2276 wrote to memory of 1320	2276	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	cmd.exe
PID 1320 wrote to memory of 2100	1320	cmd.exe	!WannaDecryptor!.exe
PID 1320 wrote to memory of 2100	1320	cmd.exe	!WannaDecryptor!.exe
PID 1320 wrote to memory of 2100	1320	cmd.exe	!WannaDecryptor!.exe
PID 1320 wrote to memory of 2100	1320	cmd.exe	!WannaDecryptor!.exe
PID 2276 wrote to memory of 1960	2276	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	!WannaDecryptor!.exe
PID 2276 wrote to memory of 1960	2276	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	!WannaDecryptor!.exe
PID 2276 wrote to memory of 1960	2276	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	!WannaDecryptor!.exe
PID 2276 wrote to memory of 1960	2276	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	!WannaDecryptor!.exe
PID 2100 wrote to memory of 1604	2100	!WannaDecryptor!.exe	cmd.exe
PID 2100 wrote to memory of 1604	2100	!WannaDecryptor!.exe	cmd.exe
PID 2100 wrote to memory of 1604	2100	!WannaDecryptor!.exe	cmd.exe
PID 2100 wrote to memory of 1604	2100	!WannaDecryptor!.exe	cmd.exe
PID 1604 wrote to memory of 2696	1604	cmd.exe	vssadmin.exe
PID 1604 wrote to memory of 2696	1604	cmd.exe	vssadmin.exe
PID 1604 wrote to memory of 2696	1604	cmd.exe	vssadmin.exe
PID 1604 wrote to memory of 2696	1604	cmd.exe	vssadmin.exe
PID 1604 wrote to memory of 1820	1604	cmd.exe	WMIC.exe
PID 1604 wrote to memory of 1820	1604	cmd.exe	WMIC.exe
PID 1604 wrote to memory of 1820	1604	cmd.exe	WMIC.exe
PID 1604 wrote to memory of 1820	1604	cmd.exe	WMIC.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe
"C:\Users\Admin\AppData\Local\Temp\5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Sets desktop wallpaper using registry
- Suspicious use of WriteProcessMemory
PID:2276

C:\Windows\SysWOW64\cmd.exe
cmd /c 175561720631156.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:2832

C:\Windows\SysWOW64\cscript.exe
cscript //nologo c.vbs
3⤵
- Loads dropped DLL
PID:2560

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
!WannaDecryptor!.exe f
2⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
PID:3044

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im MSExchange*
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2996

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Microsoft.Exchange.*
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1032

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im sqlserver.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1796

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im sqlwriter.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1756

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
!WannaDecryptor!.exe c
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2992

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /b !WannaDecryptor!.exe v
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1320

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
!WannaDecryptor!.exe v
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2100

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
4⤵
- Suspicious use of WriteProcessMemory
PID:1604

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
5⤵
- Interacts with shadow copies
PID:2696

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1820

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
!WannaDecryptor!.exe
2⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1960

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
717B

MD5
822467b728b7a66b081c91795373789a

SHA1
d8f2f02e1eef62485a9feffd59ce837511749865

SHA256
af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9

SHA512
bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
471B

MD5
7e7a1a23e7ee02bffc2dabb63efd6554

SHA1
e3359f0298b7151c46c576b96110b4435c987d4e

SHA256
ea5bf27142482bc76eb3053a2d129c0a96a1817abcfb76c599f5cc2df7c54192

SHA512
59ae5381f6dc2f88a839dd85daf180f41f323dba931ad364e02a6732cac7c91ce8fc5bb6a6e5acb621f7fdd11e9f6391adc105dffeded5c9ca61267c00472ee0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E573CDF4C6D731D56A665145182FD759_1D978D5EA8275AA72D1BFCD66AF4A751

Filesize
471B

MD5
998774b9068e8d968d89d093a6d25281

SHA1
23c5d074a63c3ed07a655b9ebbbaf9af12332264

SHA256
b7d432a8dc74b5efc0bd7b805c36c1cde9ef3cba2dc78a145fa206b130075a3d

SHA512
a9d8d55b2d959f1bb2dee2708271383df65adde6d7f7359f81fee238a477d38163d9ddd4c4fdc811bfee8d0b7b7a2cccb130a28f87f20ffe45e4177b5869b92f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
426bf985271e6f41b025c0ad2b2ae9f4

SHA1
6cab62ada70e938302f8f8c929ba1056e09ea3e2

SHA256
5be7c8954cc5856a0325a5eb530c47c87f683674e905152babfca4d8d25313c4

SHA512
2f4bac57c3793ee4c35906fa5890c127e7fbbec57842c01283ffd726658259de37687a40684e9f28313bf144ed237bf195d2e9bd258c60937c56b439a0ceaa31

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2e0539fbee5f6933c1f2c8ed49f282d9

SHA1
c4e4ae2c3f9a69743c08c99fddb99202d9b70dba

SHA256
da613abc78dbdfa1d737e2b161346a9d0e48d0cd676d55bd0b99cf6cf33de33d

SHA512
0c14f31dc1256f348bcaffab9dfb0db009bfa3891e311e3b9647ca7de01d5fe6c19e7e6a14e036dcd133d7efdb611c693828b955c7af8a1f70dbdbbef4adf5f5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d8fba253a17059443388423304cc8d5d

SHA1
f9dca9ff820347b13d38c6ec0f328f116c8ff6da

SHA256
a4340a55e92b50594d075880ec3de1a3d02f8ea6e972202ad22d3d021581cfb8

SHA512
99050ab5eb4a8743158f831a9c5b9f790667a64ce64363bdc9aae8b7700177cb98b13f40b86550cb35f90f2605256b7c1b36842762c8c2ed4a0ea52f830a3193

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c32fee6bb7c17b5e013b87be634afb38

SHA1
68864aa3acc531288539010dfeb5291dcb2b9f09

SHA256
715069571b1518775e66293425948d65650bf9fd08839e097c51d98ef85bf768

SHA512
98e3f651179247bbb185c133688d5470d48aec765c91fb61baba807712cafa800e23070c5676d869db6fb03d2ed0973bba410da9cad840050975196f3e7a79b7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a7a10d2e277ee583f01e9959c5394e9b

SHA1
58468535ff7d2e7f6ed5cc6e8af5f560520264b4

SHA256
3fad7f289b1994f54e2eef5e27d68645e41f3658c7b28777eb581655c60f663a

SHA512
855291e45d23df7dc2dd39fbb85e6a572453bf3a2bce07bee597936ab76cff29f0922cada15451f704ffbf0d1dd737f29594e637b67dabd2b3323e96a18c3722

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
45d079f1935686da205c05a212e83b0c

SHA1
d771d611d87826fb883830ffa05c061b88a82bd8

SHA256
043b9e376e055290d2e4d0cfa9736bdcfca67aa004852659620cd7317378a6f7

SHA512
6835b7abc4b447991c1ca6191ce257aa49231728e3888805e1c0e95ca17b39f27f65f5f03bb3e6d4b84ae5a604bc2120e5753a1bcd8b835a53ef1dfa4be563b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
400B

MD5
60977384ff6d4bbbe133bb175a3e0a63

SHA1
9a9b1e17234f7768d54dce335fa0022f75d4037b

SHA256
f465b6dfe24152b6249bf6696b87f9f114cf7daf68e25843403495bd65e8bbc9

SHA512
a21e77342cd2c6a703de1361e452e0a99e6d3dae1674b41418b3c74212425e567cb43102ca4deb32fdb58c5614eda5ff8086ac4dffd6d8b4a0acca51f6568014

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E573CDF4C6D731D56A665145182FD759_1D978D5EA8275AA72D1BFCD66AF4A751

Filesize
396B

MD5
b82b6a045e7208fa1780447f7f131a69

SHA1
68a0f9ad28b6f2274c225d2d40cb89b82d4f269a

SHA256
179d02132a716da3460470c198a5d9eae8d24b3478299226eac571d42f98b3e0

SHA512
f7ab83e40a46bfc5f47793921e006905b94579fa200060c839c4c7f8f9aca5dc001a2b45d98502614c46a8c765f5a1e6aa89ec7c7394e9f211a7d196451db1be

Download Submit
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe

Filesize
236KB

MD5
abcb7d4353abee5083ddd8057c7cd1ff

SHA1
d8a2c1be4b47944d9afdf5e664e5db1364b66a5a

SHA256
eeb9cd6a1c4b3949b2ff3134a77d6736b35977f951b9c7c911483b5caeb1c1fb

SHA512
7d1ebb730a4c4833f2d690c80a35a73f3b7dbe2a83a642dbcf5e6d1d6aa4204a1513a28f74f32751727074b9f0072071deafea48cbe7d36081efd957a5244508

Download Submit
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe.lnk

Filesize
925B

MD5
887c481e84eb65e4fbeaec23f29dffde

SHA1
28c9d1ae5758ee6eea4924843dc572c9c98db33b

SHA256
17880e3eb988438a4953519a60cb195ba0a56829c53b719fece8bcff09f2c121

SHA512
8c876b2b3de1b7d9a254eb7592fce1fb89c20e94b80881a311361312409aa715c041b7551b00fb4f57991f5cf29ec8cade3577e2439a74bd604ec71a330b453b

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.res

Filesize
136B

MD5
995fa885e6000239903a5502a0c11175

SHA1
cb6d9d435816b49a430c928574348792efb9b05b

SHA256
60e6c6bd9d13ed0e279a93e58313b001ae053667d6b6612abe2f857f5dd43100

SHA512
53117a9b363a9443b8d7af8ddcf8fcd4a4189c62cf9337e1dd61b8072cae02e7bdcf4e4faa043aadb5bd391a02dc4da380ec7720ac36fc229a9ca3b6e79bb602

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.res

Filesize
136B

MD5
72466209499e7db322103768e06867e4

SHA1
e552ea7fec319e48127e5c9ed0d3588a8bbcd9f8

SHA256
a2603e493a964d93534f1652dc687110bd69f480e131fbbc66d9ae9f15158c98

SHA512
3fa78d586fa9529594ba11b190dd68f45d4cb3bb2bfb24492b4b34a2f95fd68cffb0156488f3adad59bc0b172051091497aa5fa0b6160f7e0f2186a887b2c1a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\175561720631156.bat

Filesize
336B

MD5
3540e056349c6972905dc9706cd49418

SHA1
492c20442d34d45a6d6790c720349b11ec591cde

SHA256
73872a89440a2cba9d22bf4961c3d499ea2c72979c30c455f942374292fedadc

SHA512
c949d147100aef59e382c03abf7b162ae62a4d43456eebd730fbedcf5f95f5e1a24f6e349690d52d75331878a6ee8f6b88a7162ee9cf2a49e142196b12d0133c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab67A.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar68D.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\b.wry

Filesize
1.4MB

MD5
99ae8326b4bc406daf54ddc7c5e43abe

SHA1
6ce5002f3cb55a8de0e8e8da77f0d0d0d7679183

SHA256
5054c415757f8a62abe0d61087d31e95065439d9ea1b364a6f207cdceaa24b7c

SHA512
756d7e44eb139501f5b3cf1ed0f76d1e8730c4dfd15f30bc23cda25102b240ad69784d414f995099c57610cf2f9bc9083b20fb4d303f1ca89f75e6819b8cf1d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.vbs

Filesize
219B

MD5
5f6d40ca3c34b470113ed04d06a88ff4

SHA1
50629e7211ae43e32060686d6be17ebd492fd7aa

SHA256
0fb5039a2fe7e90cdf3f22140d7f2103f94689b15609efe0edcc8430dd772fc1

SHA512
4d4aa1abd2c9183202fd3f0a65b37f07ee0166ba6561f094c13c8ea59752c7bdd960e37c49583746d4464bc3b1dc0b63a1fe36a37ce7e5709cd76ed433befe35

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.wry

Filesize
628B

MD5
ada020b08252224191e8eb66f6e475a8

SHA1
c34893d5824c0e3999259fd9e9cf13d1a800c26d

SHA256
3a4e6b681c30ff7058f5f7fc416f5b764d574d3bdce2611564a0d1f6fb403e73

SHA512
21534a9eaee4e2e635f605046a06602149b91283343aa72ce2ab938a476b1f31ac973a552eb57e161949882f634b1c944fbd2216e15fcf710c049f1813d7625f

Download Submit
C:\Users\Admin\AppData\Local\Temp\m.wry

Filesize
43KB

MD5
54c0e4aa798ce82886a96ba4bb449188

SHA1
71886d4d410013425243a00f15c270fc4f2a6a3a

SHA256
e5373e95a201b3b676072752097ff5d851a0a34e1be4194ff0c52c33601e576a

SHA512
4415559fa5da1192360b4d6db368179335661120443b812f5bc256466c79ecb6d36ed5d3c00a4e2590bf70e473565287a7db53f6aa3f8faaad46f21e34e84298

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\09MKBHQD.txt

Filesize
121B

MD5
c85ce2dc39321f43f655b3686a312df2

SHA1
87608d1097f4b568b184a436ea8abc983be53c39

SHA256
32ae6972b39cef74798d101406843cc79398efbfd8cae25288195f4d3981a55b

SHA512
d976a7fed920022ab72dc187db1ad3954c886f1a03fb3d1e2e2b26dbb786494233adc043f5fe0894db0520f22768bcfa9c6ce0b1d1bbe3903e09f76ca0d8fb61

Download Submit
F:\$RECYCLE.BIN\!Please Read Me!.txt

Filesize
849B

MD5
66c169379186555b050c266dd5f9ce29

SHA1
45568656a50454ae85cc49c12872bad0167945ac

SHA256
90bb163d3350460dd30132a16e15d37bc1d5932af354cad83dbedb46275b6861

SHA512
926a185bbe8989f9cbba6fa635883e8514b70fa66247ef5ba51dce19b73bd1d3a6b8c4ab98f4f8b4e55ab19054b19e1ca38e4949e8a042a51db09d8528ced2d0

Download Submit
memory/2276-7-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download