wannacry | 5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9

Analysis

max time kernel
141s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
10-07-2024 17:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe
Size

316KB
MD5

b9b3965d1b218c63cd317ac33edcb942
SHA1

02408bb6dc1f3605a7d3f9bad687a858ec147896
SHA256

5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9
SHA512

18096b1167561c6da5bfcc05e40f7661e21f43521eb47da9520d2744c8a1806d7187894ce0ae8e0a9e97904b345daae09897d80e8754a63c9aa1d6514feaf98e
SSDEEP

6144:xHQFwJYDzVc1aWLn0IU4eFTE3Ijr2Cq6j7+qmOq:Z6wWcYWL0IUzNGqJq

Score

10^/10

wannacry defense_evasion execution impact persistence ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\!Please Read Me!.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $200 worth of bitcoin to this bitcoin address: 1QAc9S5EmycqjzzWDc1yiWzr9jJLC8sLiY Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) https://www.dropbox.com/s/c1gn29iy8erh1ks/m.rar?dl=1 rar password: wcry123 Run and follow the instructions! �

Wallets

1QAc9S5EmycqjzzWDc1yiWzr9jJLC8sLiY

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Drops startup file 2 IoCs

Processes:

5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDB41F.tmp	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDB436.tmp	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe

Executes dropped EXE 4 IoCs

Processes:

!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe

pid process

4876 !WannaDecryptor!.exe
1784 !WannaDecryptor!.exe
5012 !WannaDecryptor!.exe
1360 !WannaDecryptor!.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe\" /r"	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe!WannaDecryptor!.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp"	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp"	!WannaDecryptor!.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Kills process with taskkill 4 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

2124 taskkill.exe
948 taskkill.exe
1188 taskkill.exe
1160 taskkill.exe

pid	process
2124	taskkill.exe
948	taskkill.exe
1188	taskkill.exe
1160	taskkill.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exeWMIC.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	948	taskkill.exe
Token: SeDebugPrivilege	2124	taskkill.exe
Token: SeDebugPrivilege	1188	taskkill.exe
Token: SeDebugPrivilege	1160	taskkill.exe
Token: SeIncreaseQuotaPrivilege	2220	WMIC.exe
Token: SeSecurityPrivilege	2220	WMIC.exe
Token: SeTakeOwnershipPrivilege	2220	WMIC.exe
Token: SeLoadDriverPrivilege	2220	WMIC.exe
Token: SeSystemProfilePrivilege	2220	WMIC.exe
Token: SeSystemtimePrivilege	2220	WMIC.exe
Token: SeProfSingleProcessPrivilege	2220	WMIC.exe
Token: SeIncBasePriorityPrivilege	2220	WMIC.exe
Token: SeCreatePagefilePrivilege	2220	WMIC.exe
Token: SeBackupPrivilege	2220	WMIC.exe
Token: SeRestorePrivilege	2220	WMIC.exe
Token: SeShutdownPrivilege	2220	WMIC.exe
Token: SeDebugPrivilege	2220	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2220	WMIC.exe
Token: SeRemoteShutdownPrivilege	2220	WMIC.exe
Token: SeUndockPrivilege	2220	WMIC.exe
Token: SeManageVolumePrivilege	2220	WMIC.exe
Token: 33	2220	WMIC.exe
Token: 34	2220	WMIC.exe
Token: 35	2220	WMIC.exe
Token: 36	2220	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2220	WMIC.exe
Token: SeSecurityPrivilege	2220	WMIC.exe
Token: SeTakeOwnershipPrivilege	2220	WMIC.exe
Token: SeLoadDriverPrivilege	2220	WMIC.exe
Token: SeSystemProfilePrivilege	2220	WMIC.exe
Token: SeSystemtimePrivilege	2220	WMIC.exe
Token: SeProfSingleProcessPrivilege	2220	WMIC.exe
Token: SeIncBasePriorityPrivilege	2220	WMIC.exe
Token: SeCreatePagefilePrivilege	2220	WMIC.exe
Token: SeBackupPrivilege	2220	WMIC.exe
Token: SeRestorePrivilege	2220	WMIC.exe
Token: SeShutdownPrivilege	2220	WMIC.exe
Token: SeDebugPrivilege	2220	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2220	WMIC.exe
Token: SeRemoteShutdownPrivilege	2220	WMIC.exe
Token: SeUndockPrivilege	2220	WMIC.exe
Token: SeManageVolumePrivilege	2220	WMIC.exe
Token: 33	2220	WMIC.exe
Token: 34	2220	WMIC.exe
Token: 35	2220	WMIC.exe
Token: 36	2220	WMIC.exe
Token: SeBackupPrivilege	3368	vssvc.exe
Token: SeRestorePrivilege	3368	vssvc.exe
Token: SeAuditPrivilege	3368	vssvc.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe

pid	process
4876	!WannaDecryptor!.exe
4876	!WannaDecryptor!.exe
1784	!WannaDecryptor!.exe
1784	!WannaDecryptor!.exe
5012	!WannaDecryptor!.exe
5012	!WannaDecryptor!.exe
1360	!WannaDecryptor!.exe
1360	!WannaDecryptor!.exe

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.execmd.execmd.exe!WannaDecryptor!.execmd.exe

description	pid	process	target process
PID 3472 wrote to memory of 1784	3472	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	cmd.exe
PID 3472 wrote to memory of 1784	3472	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	cmd.exe
PID 3472 wrote to memory of 1784	3472	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	cmd.exe
PID 1784 wrote to memory of 4628	1784	cmd.exe	cscript.exe
PID 1784 wrote to memory of 4628	1784	cmd.exe	cscript.exe
PID 1784 wrote to memory of 4628	1784	cmd.exe	cscript.exe
PID 3472 wrote to memory of 4876	3472	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	!WannaDecryptor!.exe
PID 3472 wrote to memory of 4876	3472	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	!WannaDecryptor!.exe
PID 3472 wrote to memory of 4876	3472	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	!WannaDecryptor!.exe
PID 3472 wrote to memory of 1188	3472	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	taskkill.exe
PID 3472 wrote to memory of 1188	3472	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	taskkill.exe
PID 3472 wrote to memory of 1188	3472	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	taskkill.exe
PID 3472 wrote to memory of 948	3472	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	taskkill.exe
PID 3472 wrote to memory of 948	3472	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	taskkill.exe
PID 3472 wrote to memory of 948	3472	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	taskkill.exe
PID 3472 wrote to memory of 2124	3472	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	taskkill.exe
PID 3472 wrote to memory of 2124	3472	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	taskkill.exe
PID 3472 wrote to memory of 2124	3472	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	taskkill.exe
PID 3472 wrote to memory of 1160	3472	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	taskkill.exe
PID 3472 wrote to memory of 1160	3472	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	taskkill.exe
PID 3472 wrote to memory of 1160	3472	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	taskkill.exe
PID 3472 wrote to memory of 1784	3472	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	!WannaDecryptor!.exe
PID 3472 wrote to memory of 1784	3472	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	!WannaDecryptor!.exe
PID 3472 wrote to memory of 1784	3472	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	!WannaDecryptor!.exe
PID 3472 wrote to memory of 2852	3472	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	cmd.exe
PID 3472 wrote to memory of 2852	3472	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	cmd.exe
PID 3472 wrote to memory of 2852	3472	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	cmd.exe
PID 2852 wrote to memory of 5012	2852	cmd.exe	!WannaDecryptor!.exe
PID 2852 wrote to memory of 5012	2852	cmd.exe	!WannaDecryptor!.exe
PID 2852 wrote to memory of 5012	2852	cmd.exe	!WannaDecryptor!.exe
PID 3472 wrote to memory of 1360	3472	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	!WannaDecryptor!.exe
PID 3472 wrote to memory of 1360	3472	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	!WannaDecryptor!.exe
PID 3472 wrote to memory of 1360	3472	5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe	!WannaDecryptor!.exe
PID 5012 wrote to memory of 3888	5012	!WannaDecryptor!.exe	cmd.exe
PID 5012 wrote to memory of 3888	5012	!WannaDecryptor!.exe	cmd.exe
PID 5012 wrote to memory of 3888	5012	!WannaDecryptor!.exe	cmd.exe
PID 3888 wrote to memory of 2220	3888	cmd.exe	WMIC.exe
PID 3888 wrote to memory of 2220	3888	cmd.exe	WMIC.exe
PID 3888 wrote to memory of 2220	3888	cmd.exe	WMIC.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe
"C:\Users\Admin\AppData\Local\Temp\5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Sets desktop wallpaper using registry
- Suspicious use of WriteProcessMemory
PID:3472

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 295311720631164.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:1784

C:\Windows\SysWOW64\cscript.exe
cscript //nologo c.vbs
3⤵
PID:4628

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
!WannaDecryptor!.exe f
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4876

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im MSExchange*
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1188

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Microsoft.Exchange.*
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:948

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im sqlserver.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2124

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im sqlwriter.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1160

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
!WannaDecryptor!.exe c
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1784

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /b !WannaDecryptor!.exe v
2⤵
- Suspicious use of WriteProcessMemory
PID:2852

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
!WannaDecryptor!.exe v
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5012

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
4⤵
- Suspicious use of WriteProcessMemory
PID:3888

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2220

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
!WannaDecryptor!.exe
2⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious use of SetWindowsHookEx
PID:1360

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
717B

MD5
822467b728b7a66b081c91795373789a

SHA1
d8f2f02e1eef62485a9feffd59ce837511749865

SHA256
af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9

SHA512
bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
471B

MD5
7e7a1a23e7ee02bffc2dabb63efd6554

SHA1
e3359f0298b7151c46c576b96110b4435c987d4e

SHA256
ea5bf27142482bc76eb3053a2d129c0a96a1817abcfb76c599f5cc2df7c54192

SHA512
59ae5381f6dc2f88a839dd85daf180f41f323dba931ad364e02a6732cac7c91ce8fc5bb6a6e5acb621f7fdd11e9f6391adc105dffeded5c9ca61267c00472ee0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E573CDF4C6D731D56A665145182FD759_1D978D5EA8275AA72D1BFCD66AF4A751

Filesize
471B

MD5
998774b9068e8d968d89d093a6d25281

SHA1
23c5d074a63c3ed07a655b9ebbbaf9af12332264

SHA256
b7d432a8dc74b5efc0bd7b805c36c1cde9ef3cba2dc78a145fa206b130075a3d

SHA512
a9d8d55b2d959f1bb2dee2708271383df65adde6d7f7359f81fee238a477d38163d9ddd4c4fdc811bfee8d0b7b7a2cccb130a28f87f20ffe45e4177b5869b92f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
961c9d1a6d20b875f98fc8124cacaf5d

SHA1
b9fc7512748099b5ee4e66c256d94b8fb4fa2296

SHA256
ccf3a885083abed71da08d2f84893341a146d6e4e079c0eb144c9f28b9ad0f83

SHA512
8740aa01b2d979e799b7d75792396d1e1f0f6efd0cf9cb79f62b798dee03d3fa9c9520e42a4b8030f978471fe362dd11a2437a1813509164da7f01a5d33eb88c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
400B

MD5
0bbe5a8ccec8e01d14ba9a2bc1c82e11

SHA1
c8799a6ea12587647a1260f41ebd3f7218846f6c

SHA256
62b974b28272db7b22a82f1144d4e615608c3c92059d7bdb774a4739aebd3c5a

SHA512
37075c8b5d60e0b6a69333736be50b0458ef3b193404bc3ba5231e185449218703a76a5081c45954073aedaa6b0d53204cb2367f740b8a5a984fe7602d88e01c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E573CDF4C6D731D56A665145182FD759_1D978D5EA8275AA72D1BFCD66AF4A751

Filesize
396B

MD5
41eec6ccee57b24b0b8c3bcb8bf59625

SHA1
c7c28b43384596d8f382a164bad7879275b7fae2

SHA256
f3984763f03ad0321834accf7ded56f63279457a5408b9b44db1461795912202

SHA512
6607cf6d38ce40c2594b1c91ed36dab50cf0481594337d7167736e5bd0c05691661100d5b9c69e81b1bcb4b048ca8a65d31bf5798a26700fad9b8a9b15866996

Download Submit
C:\Users\Admin\AppData\Local\Temp\!Please Read Me!.txt

Filesize
849B

MD5
66c169379186555b050c266dd5f9ce29

SHA1
45568656a50454ae85cc49c12872bad0167945ac

SHA256
90bb163d3350460dd30132a16e15d37bc1d5932af354cad83dbedb46275b6861

SHA512
926a185bbe8989f9cbba6fa635883e8514b70fa66247ef5ba51dce19b73bd1d3a6b8c4ab98f4f8b4e55ab19054b19e1ca38e4949e8a042a51db09d8528ced2d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.res

Filesize
136B

MD5
31060bbb459f7568ea29e59a2d3a97f0

SHA1
f7f114a446bb3898234e63b71ce6e27586cfeda5

SHA256
77d71bd65b969faae82078f4e454885db601ad498c090e6d0c19bfe5783cbfd8

SHA512
89062c711874a588da543ed5bd0bcf8ed7e43708f3ae5f53bc45ba1005f6aa316722ac9f2fb5100cddd5434fd565458c252da9000526473295460c8969a4054b

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.res

Filesize
136B

MD5
c24d874ec67ebac42de16de1d55715b4

SHA1
6bf361598b924916934c5531c3cc142477c9a6b1

SHA256
e6371d06c9823a2844de817a2a4187334b672a69a97422c7b1a4cb8103d8b6a1

SHA512
b93f0785397be78f7a58087f2d2244594969c28f808b06da1f062cbb0267c6cae9107bbfa78cecdd0738f92046b5bd5b6db270a1e6c34a91c1f70c948e036906

Download Submit
C:\Users\Admin\AppData\Local\Temp\295311720631164.bat

Filesize
336B

MD5
3540e056349c6972905dc9706cd49418

SHA1
492c20442d34d45a6d6790c720349b11ec591cde

SHA256
73872a89440a2cba9d22bf4961c3d499ea2c72979c30c455f942374292fedadc

SHA512
c949d147100aef59e382c03abf7b162ae62a4d43456eebd730fbedcf5f95f5e1a24f6e349690d52d75331878a6ee8f6b88a7162ee9cf2a49e142196b12d0133c

Download Submit
C:\Users\Admin\AppData\Local\Temp\b.wry

Filesize
1.4MB

MD5
99ae8326b4bc406daf54ddc7c5e43abe

SHA1
6ce5002f3cb55a8de0e8e8da77f0d0d0d7679183

SHA256
5054c415757f8a62abe0d61087d31e95065439d9ea1b364a6f207cdceaa24b7c

SHA512
756d7e44eb139501f5b3cf1ed0f76d1e8730c4dfd15f30bc23cda25102b240ad69784d414f995099c57610cf2f9bc9083b20fb4d303f1ca89f75e6819b8cf1d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.vbs

Filesize
219B

MD5
5f6d40ca3c34b470113ed04d06a88ff4

SHA1
50629e7211ae43e32060686d6be17ebd492fd7aa

SHA256
0fb5039a2fe7e90cdf3f22140d7f2103f94689b15609efe0edcc8430dd772fc1

SHA512
4d4aa1abd2c9183202fd3f0a65b37f07ee0166ba6561f094c13c8ea59752c7bdd960e37c49583746d4464bc3b1dc0b63a1fe36a37ce7e5709cd76ed433befe35

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.wry

Filesize
628B

MD5
764f93971231a40f198b0a673c011221

SHA1
da4cc6876a44c43f644c0e1e84410fa7de7bf5e1

SHA256
1c58099b982e13a64498c3a91038481a2c3324d85bdd42db657420e46ac0c041

SHA512
38e16110bb7614f2b51f4158cedd2dfc8c7ccb1811a11a73784633ac59448e9ca1a156d0cc73227ce865a90f72e279abcee719ed5ba29c8c776b3f833edb4222

Download Submit
C:\Users\Admin\AppData\Local\Temp\m.wry

Filesize
43KB

MD5
54c0e4aa798ce82886a96ba4bb449188

SHA1
71886d4d410013425243a00f15c270fc4f2a6a3a

SHA256
e5373e95a201b3b676072752097ff5d851a0a34e1be4194ff0c52c33601e576a

SHA512
4415559fa5da1192360b4d6db368179335661120443b812f5bc256466c79ecb6d36ed5d3c00a4e2590bf70e473565287a7db53f6aa3f8faaad46f21e34e84298

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.wry

Filesize
236KB

MD5
abcb7d4353abee5083ddd8057c7cd1ff

SHA1
d8a2c1be4b47944d9afdf5e664e5db1364b66a5a

SHA256
eeb9cd6a1c4b3949b2ff3134a77d6736b35977f951b9c7c911483b5caeb1c1fb

SHA512
7d1ebb730a4c4833f2d690c80a35a73f3b7dbe2a83a642dbcf5e6d1d6aa4204a1513a28f74f32751727074b9f0072071deafea48cbe7d36081efd957a5244508

Download Submit
C:\Users\Admin\Desktop\!WannaCryptor!.bmp

Filesize
1.4MB

MD5
c90063de916b496c72e0cdc97d4581a6

SHA1
b8d593bb2805ca60d5bbd201379be6742fd5413a

SHA256
3842102b2274cfaa989263a00bb34a5709919858b07d12162fd106040803ed91

SHA512
dcf141c76f87a1a2c6f04ea4f9bf94c1e12ca312d9e729047f772a5e8791f180a706a8ffdaba89f0db1072abb1912897f708f6d507961795b600ce532d1f0cd2

Download Submit
F:\$RECYCLER\!WannaDecryptor!.exe.lnk

Filesize
1KB

MD5
8529def3c584c212f1ab30cf412da68f

SHA1
1d241e54c21e3161b4c39de5d8830a797b0661aa

SHA256
e247e3cc2ff8fbc9aea19c64f4d815a81c911d2040958b7facc5c58c425bbc19

SHA512
4574c86dfff66fe97dfb21dedfe04136492cb59714d5aab116c9d0b9ff9272334ccbe2f71beedbbe79e0dae9c7bca8bda53bf16ddbfb4c57b788ee3e383d8c79

Download Submit
memory/3472-7-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download