wannacry | be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844

Analysis

max time kernel
149s
max time network
19s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
03-08-2024 10:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WannaCry.exe
Size

224KB
MD5

5c7fb0927db37372da25f270708103a2
SHA1

120ed9279d85cbfa56e5b7779ffa7162074f7a29
SHA256

be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844
SHA512

a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f89224c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206
SSDEEP

3072:Y059femWRwTs/dbelj0X8/j84pcRXPlU3Upt3or4H84lK8PtpLzLsR/EfcZ:+5RwTs/dSXj84mRXPemxdBlPvLzLeZ

Score

10^/10

wannacry defense_evasion discovery execution impact persistence ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\Documents\!Please Read Me!.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions! �

Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Drops startup file 2 IoCs

Processes:

WannaCry.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD9080.tmp	WannaCry.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD9094.tmp	WannaCry.exe

Executes dropped EXE 4 IoCs

Processes:

!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe

pid process

2644 !WannaDecryptor!.exe
2604 !WannaDecryptor!.exe
2336 !WannaDecryptor!.exe
1960 !WannaDecryptor!.exe
Loads dropped DLL 9 IoCs

Processes:

cscript.exeWannaCry.execmd.exe

pid process

2876 cscript.exe
1972 WannaCry.exe
1972 WannaCry.exe
1972 WannaCry.exe
1972 WannaCry.exe
2864 cmd.exe
2864 cmd.exe
1972 WannaCry.exe
1972 WannaCry.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2876	cscript.exe
1972	WannaCry.exe
1972	WannaCry.exe
1972	WannaCry.exe
1972	WannaCry.exe
2864	cmd.exe
2864	cmd.exe
1972	WannaCry.exe
1972	WannaCry.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

WannaCry.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\WannaCry.exe\" /r"	WannaCry.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

!WannaDecryptor!.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp"	!WannaDecryptor!.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Pictures\\My Wallpaper.jpg"	!WannaDecryptor!.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

WMIC.exetaskkill.exetaskkill.exe!WannaDecryptor!.exe!WannaDecryptor!.execmd.exe!WannaDecryptor!.execmd.execscript.exetaskkill.exevssadmin.exeWannaCry.exetaskkill.execmd.exe!WannaDecryptor!.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe

Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Direct Volume Access
T1006

Processes:

vssadmin.exe

pid process

816 vssadmin.exe
Kills process with taskkill 4 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

1060 taskkill.exe
2140 taskkill.exe
2456 taskkill.exe
1444 taskkill.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

!WannaDecryptor!.exe

pid process

1960 !WannaDecryptor!.exe

pid	process
816	vssadmin.exe

pid	process
1060	taskkill.exe
2140	taskkill.exe
2456	taskkill.exe
1444	taskkill.exe

pid	process
1960	!WannaDecryptor!.exe

Suspicious use of AdjustPrivilegeToken 47 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exevssvc.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	2140	taskkill.exe
Token: SeDebugPrivilege	2456	taskkill.exe
Token: SeDebugPrivilege	1060	taskkill.exe
Token: SeDebugPrivilege	1444	taskkill.exe
Token: SeBackupPrivilege	2816	vssvc.exe
Token: SeRestorePrivilege	2816	vssvc.exe
Token: SeAuditPrivilege	2816	vssvc.exe
Token: SeIncreaseQuotaPrivilege	956	WMIC.exe
Token: SeSecurityPrivilege	956	WMIC.exe
Token: SeTakeOwnershipPrivilege	956	WMIC.exe
Token: SeLoadDriverPrivilege	956	WMIC.exe
Token: SeSystemProfilePrivilege	956	WMIC.exe
Token: SeSystemtimePrivilege	956	WMIC.exe
Token: SeProfSingleProcessPrivilege	956	WMIC.exe
Token: SeIncBasePriorityPrivilege	956	WMIC.exe
Token: SeCreatePagefilePrivilege	956	WMIC.exe
Token: SeBackupPrivilege	956	WMIC.exe
Token: SeRestorePrivilege	956	WMIC.exe
Token: SeShutdownPrivilege	956	WMIC.exe
Token: SeDebugPrivilege	956	WMIC.exe
Token: SeSystemEnvironmentPrivilege	956	WMIC.exe
Token: SeRemoteShutdownPrivilege	956	WMIC.exe
Token: SeUndockPrivilege	956	WMIC.exe
Token: SeManageVolumePrivilege	956	WMIC.exe
Token: 33	956	WMIC.exe
Token: 34	956	WMIC.exe
Token: 35	956	WMIC.exe
Token: SeIncreaseQuotaPrivilege	956	WMIC.exe
Token: SeSecurityPrivilege	956	WMIC.exe
Token: SeTakeOwnershipPrivilege	956	WMIC.exe
Token: SeLoadDriverPrivilege	956	WMIC.exe
Token: SeSystemProfilePrivilege	956	WMIC.exe
Token: SeSystemtimePrivilege	956	WMIC.exe
Token: SeProfSingleProcessPrivilege	956	WMIC.exe
Token: SeIncBasePriorityPrivilege	956	WMIC.exe
Token: SeCreatePagefilePrivilege	956	WMIC.exe
Token: SeBackupPrivilege	956	WMIC.exe
Token: SeRestorePrivilege	956	WMIC.exe
Token: SeShutdownPrivilege	956	WMIC.exe
Token: SeDebugPrivilege	956	WMIC.exe
Token: SeSystemEnvironmentPrivilege	956	WMIC.exe
Token: SeRemoteShutdownPrivilege	956	WMIC.exe
Token: SeUndockPrivilege	956	WMIC.exe
Token: SeManageVolumePrivilege	956	WMIC.exe
Token: 33	956	WMIC.exe
Token: 34	956	WMIC.exe
Token: 35	956	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

!WannaDecryptor!.exe

pid process

1960 !WannaDecryptor!.exe

pid	process
1960	!WannaDecryptor!.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe

pid	process
2644	!WannaDecryptor!.exe
2644	!WannaDecryptor!.exe
2604	!WannaDecryptor!.exe
2604	!WannaDecryptor!.exe
2336	!WannaDecryptor!.exe
2336	!WannaDecryptor!.exe
1960	!WannaDecryptor!.exe
1960	!WannaDecryptor!.exe

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

WannaCry.execmd.execmd.exe!WannaDecryptor!.execmd.exe

description	pid	process	target process
PID 1972 wrote to memory of 2204	1972	WannaCry.exe	cmd.exe
PID 1972 wrote to memory of 2204	1972	WannaCry.exe	cmd.exe
PID 1972 wrote to memory of 2204	1972	WannaCry.exe	cmd.exe
PID 1972 wrote to memory of 2204	1972	WannaCry.exe	cmd.exe
PID 2204 wrote to memory of 2876	2204	cmd.exe	cscript.exe
PID 2204 wrote to memory of 2876	2204	cmd.exe	cscript.exe
PID 2204 wrote to memory of 2876	2204	cmd.exe	cscript.exe
PID 2204 wrote to memory of 2876	2204	cmd.exe	cscript.exe
PID 1972 wrote to memory of 2644	1972	WannaCry.exe	!WannaDecryptor!.exe
PID 1972 wrote to memory of 2644	1972	WannaCry.exe	!WannaDecryptor!.exe
PID 1972 wrote to memory of 2644	1972	WannaCry.exe	!WannaDecryptor!.exe
PID 1972 wrote to memory of 2644	1972	WannaCry.exe	!WannaDecryptor!.exe
PID 1972 wrote to memory of 1444	1972	WannaCry.exe	taskkill.exe
PID 1972 wrote to memory of 1444	1972	WannaCry.exe	taskkill.exe
PID 1972 wrote to memory of 1444	1972	WannaCry.exe	taskkill.exe
PID 1972 wrote to memory of 1444	1972	WannaCry.exe	taskkill.exe
PID 1972 wrote to memory of 1060	1972	WannaCry.exe	taskkill.exe
PID 1972 wrote to memory of 1060	1972	WannaCry.exe	taskkill.exe
PID 1972 wrote to memory of 1060	1972	WannaCry.exe	taskkill.exe
PID 1972 wrote to memory of 1060	1972	WannaCry.exe	taskkill.exe
PID 1972 wrote to memory of 2456	1972	WannaCry.exe	taskkill.exe
PID 1972 wrote to memory of 2456	1972	WannaCry.exe	taskkill.exe
PID 1972 wrote to memory of 2456	1972	WannaCry.exe	taskkill.exe
PID 1972 wrote to memory of 2456	1972	WannaCry.exe	taskkill.exe
PID 1972 wrote to memory of 2140	1972	WannaCry.exe	taskkill.exe
PID 1972 wrote to memory of 2140	1972	WannaCry.exe	taskkill.exe
PID 1972 wrote to memory of 2140	1972	WannaCry.exe	taskkill.exe
PID 1972 wrote to memory of 2140	1972	WannaCry.exe	taskkill.exe
PID 1972 wrote to memory of 2604	1972	WannaCry.exe	!WannaDecryptor!.exe
PID 1972 wrote to memory of 2604	1972	WannaCry.exe	!WannaDecryptor!.exe
PID 1972 wrote to memory of 2604	1972	WannaCry.exe	!WannaDecryptor!.exe
PID 1972 wrote to memory of 2604	1972	WannaCry.exe	!WannaDecryptor!.exe
PID 1972 wrote to memory of 2864	1972	WannaCry.exe	cmd.exe
PID 1972 wrote to memory of 2864	1972	WannaCry.exe	cmd.exe
PID 1972 wrote to memory of 2864	1972	WannaCry.exe	cmd.exe
PID 1972 wrote to memory of 2864	1972	WannaCry.exe	cmd.exe
PID 2864 wrote to memory of 2336	2864	cmd.exe	!WannaDecryptor!.exe
PID 2864 wrote to memory of 2336	2864	cmd.exe	!WannaDecryptor!.exe
PID 2864 wrote to memory of 2336	2864	cmd.exe	!WannaDecryptor!.exe
PID 2864 wrote to memory of 2336	2864	cmd.exe	!WannaDecryptor!.exe
PID 1972 wrote to memory of 1960	1972	WannaCry.exe	!WannaDecryptor!.exe
PID 1972 wrote to memory of 1960	1972	WannaCry.exe	!WannaDecryptor!.exe
PID 1972 wrote to memory of 1960	1972	WannaCry.exe	!WannaDecryptor!.exe
PID 1972 wrote to memory of 1960	1972	WannaCry.exe	!WannaDecryptor!.exe
PID 2336 wrote to memory of 2360	2336	!WannaDecryptor!.exe	cmd.exe
PID 2336 wrote to memory of 2360	2336	!WannaDecryptor!.exe	cmd.exe
PID 2336 wrote to memory of 2360	2336	!WannaDecryptor!.exe	cmd.exe
PID 2336 wrote to memory of 2360	2336	!WannaDecryptor!.exe	cmd.exe
PID 2360 wrote to memory of 816	2360	cmd.exe	vssadmin.exe
PID 2360 wrote to memory of 816	2360	cmd.exe	vssadmin.exe
PID 2360 wrote to memory of 816	2360	cmd.exe	vssadmin.exe
PID 2360 wrote to memory of 816	2360	cmd.exe	vssadmin.exe
PID 2360 wrote to memory of 956	2360	cmd.exe	WMIC.exe
PID 2360 wrote to memory of 956	2360	cmd.exe	WMIC.exe
PID 2360 wrote to memory of 956	2360	cmd.exe	WMIC.exe
PID 2360 wrote to memory of 956	2360	cmd.exe	WMIC.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\WannaCry.exe
"C:\Users\Admin\AppData\Local\Temp\WannaCry.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1972

C:\Windows\SysWOW64\cmd.exe
cmd /c 58241722681813.bat
2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2204

C:\Windows\SysWOW64\cscript.exe
cscript //nologo c.vbs
3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2876

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
!WannaDecryptor!.exe f
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2644

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im MSExchange*
2⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1444

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Microsoft.Exchange.*
2⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1060

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im sqlserver.exe
2⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2456

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im sqlwriter.exe
2⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2140

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
!WannaDecryptor!.exe c
2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2604

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /b !WannaDecryptor!.exe v
2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2864

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
!WannaDecryptor!.exe v
3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2336

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2360

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
5⤵
- System Location Discovery: System Language Discovery
- Interacts with shadow copies
PID:816

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:956

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
!WannaDecryptor!.exe
2⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1960

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2816

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\!Please Read Me!.txt
1⤵
PID:1348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe

Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe.lnk

Filesize
925B

MD5
5a429855dd865cd6b18d39f21aa73640

SHA1
9a3876d2f052857ed4909468a253cc4771f9a13b

SHA256
b783c3b66485d6ee609cc45ccf4722662c1eb8a14270445f557b883ea703e9ec

SHA512
1b0daa13f2150829b57b7c3f436d0137b00623fd0530ed7150be868b14e1d0ec99f086d0eb7d550ce3025edc205ad6365bc07387d26d3272ba7b6903965d473b

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.eky

Filesize
1KB

MD5
476a50762821e36662bcf1809357b667

SHA1
fdc9f59e6fa285ca8d83af5ad777fee5fff56b20

SHA256
37887e4dd7cbcca2f6a434feb31a92f27b3416dede6a1b0a860d56050753029e

SHA512
ce1ec27d015842fbb6b7706db86358dde698eca33a4d9334778323862f115d4be756b1dea901e0d0b63097ed44a96bf35de0b16b7e86cce1f8a0d16b73c8f5a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.res

Filesize
136B

MD5
5cf034b6600adcf6c20bb9677d9be5aa

SHA1
935c2692fa690643234cc560cf47fff69be4167f

SHA256
95b86d9f06ef61c3278e8dc151771f26f2310bc8d2fc15db98e627d7bb70f938

SHA512
88b7bdf2fd053209a1f930e871c9ec0053c4d4369b5be74fc6c16683f7920473232cc6cbb7bd833715f083b45f0411fb11cf7bfd4a3d1416a4ae7b6ec718b069

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.res

Filesize
136B

MD5
d5ddf2981a8551fb376e33ea17b2a168

SHA1
740a4cb0f4a423e140a04272cd89a6f5bc7f5717

SHA256
041b1a24679507bb63086fd2f257940f807b0ddff651dc30ef53b3f4825988cf

SHA512
6f66c3c97052228dc67eecc7a1e6874401af1a76f132fbcb4e14793aa270c462de0dc554d2eb115807fa8189a5594271676da4e605ffc683283c7c3edbbefb8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.res

Filesize
136B

MD5
f2185bdfeb0cbd01c43d220a3aff227f

SHA1
6e3aef6cda33b89cd7f6e5709fd52a7639307ec7

SHA256
cb2e2a6d70cc95b865b84564c3bde89aa685428ce2ee64cf216d2d2a9ff47160

SHA512
398540a6fae8f4e7e95733851d6fe8ec02c4b2e9126068cb5f471cfa9dbd6a677890b611344f91071d54f9f829df7aae572e406287c7a9434e4ad9903832052c

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.res

Filesize
136B

MD5
4b6e93102d3a7d8b8fd452e73542f7e8

SHA1
328dbfbe57d783f8fc05da56f55ff4b553e492b7

SHA256
4f1038471e10544f7112fb297fd1554f1867f40d895959891778f102112f8e0f

SHA512
d4d637f4afe9b1311126a221361982198b82fa7642fc6a4cd03d40c93d85343d119beba8a9f6700844e368872ccc7de4aebdb056213166c2125c93eb62438d91

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.res

Filesize
136B

MD5
0eb4db3a622aa704f672784cbbf8fec9

SHA1
e3902433c58209937ed82b246fedca2b75f3b5d6

SHA256
10f8c8704f325b0f93ffadbe10187a77d3e5a0b40997d1434cb6ffcd2b1fe365

SHA512
a1d289fc8307a9e05603d579754f81d327d2e56f1c3aa526c06b93cd79b055327a4dcc396a37df37fea1c2d308d03f6c396a1fbbf2840f2742c394a0f006b8c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\58241722681813.bat

Filesize
336B

MD5
3540e056349c6972905dc9706cd49418

SHA1
492c20442d34d45a6d6790c720349b11ec591cde

SHA256
73872a89440a2cba9d22bf4961c3d499ea2c72979c30c455f942374292fedadc

SHA512
c949d147100aef59e382c03abf7b162ae62a4d43456eebd730fbedcf5f95f5e1a24f6e349690d52d75331878a6ee8f6b88a7162ee9cf2a49e142196b12d0133c

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.vbs

Filesize
219B

MD5
5f6d40ca3c34b470113ed04d06a88ff4

SHA1
50629e7211ae43e32060686d6be17ebd492fd7aa

SHA256
0fb5039a2fe7e90cdf3f22140d7f2103f94689b15609efe0edcc8430dd772fc1

SHA512
4d4aa1abd2c9183202fd3f0a65b37f07ee0166ba6561f094c13c8ea59752c7bdd960e37c49583746d4464bc3b1dc0b63a1fe36a37ce7e5709cd76ed433befe35

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.wry

Filesize
628B

MD5
c1d5721412ecdfc35cc3a4fe3e412e8c

SHA1
9f33535685fa1b57f562f5ac6cb5c1f6479760d4

SHA256
3e278c5ec7a40f8b04b1b1e93f3dd8a0862e091fcd51bc4f5d0693ae9702e58d

SHA512
942cbc6ba205927a1300ba54889b6ff4f12beae26f8348bd00ce9121719e1031b6efed23d2e6049e6694d93314bbe28c7be817f50aea9fd1c079bf27a733f234

Download Submit
C:\Users\Admin\AppData\Local\Temp\f.wry

Filesize
221B

MD5
84f14f789997b1542460be86868d9992

SHA1
bcadd7f1a08b70954744841e7e3fd6583d3ddae4

SHA256
bbae4dd1312a71b2d463702d9684f31f3b2ad50a0d8cbf2dc8258c3a7317afb7

SHA512
6fec8738bd71647134621e469cf36419bfab9b54d1b2f3332f6189e63d8bb6b7e16c7dc7f83f7adcdcda989c68fb8913a8a3d5dff928591cb8e9690d8687209f

Download Submit
C:\Users\Admin\AppData\Local\Temp\m.wry

Filesize
42KB

MD5
980b08bac152aff3f9b0136b616affa5

SHA1
2a9c9601ea038f790cc29379c79407356a3d25a3

SHA256
402046ada270528c9ac38bbfa0152836fe30fb8e12192354e53b8397421430d9

SHA512
100cda1f795781042b012498afd783fd6ff03b0068dbd07b2c2e163cd95e6c6e00755ce16b02b017693c9febc149ed02df9df9b607e2b9cca4b07e5bd420f496

Download Submit
C:\Users\Admin\Documents\!Please Read Me!.txt

Filesize
797B

MD5
afa18cf4aa2660392111763fb93a8c3d

SHA1
c219a3654a5f41ce535a09f2a188a464c3f5baf5

SHA256
227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0

SHA512
4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b

Download Submit
C:\Users\Admin\Music\RedoDisable.csv.WCRY

Filesize
157KB

MD5
1de6a5bbb4f71b414b10ef6393f3040b

SHA1
82678b410c34335d92da6e60e8af319eb5cdfc5b

SHA256
f95d6552b2fd4f6aeb64c599f7a4250f1fe2c3a34cf12afbd967bf5d64a7ec84

SHA512
d57e24152514571083de51db0e2c160099283c1a8d4a5d2514c95ac6b2a5b36ed45ee9ae3216bc7ea58e52d890e9cdb8af7482459db4da06e69bf93c498f4501

Download Submit
C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile11.bmp.WCRY

Filesize
48KB

MD5
e6679d0e4a61088abc1def99a210796b

SHA1
1e1816782e5f8e5138aabfac459e48d460a9c55c

SHA256
985cba61a78039920a06ea92b9e1b7163b8bcb373d2fb2a9e7eaf5a65d654990

SHA512
bfae475bda0ab75982fea6b787ab44662adc79c73d4ebca0f5e95ecd16a38e823162fc7633f1b7ce8011060b3c36a9aee3cdbc092dc03a15500a3505e996f33a

Download Submit
C:\Users\All Users\Microsoft\User Account Pictures\Default Pictures\usertile36.bmp.WCRY

Filesize
48KB

MD5
efe3c48f715634326e41049c7da4d771

SHA1
e239b1ac2ce5fc746e67b53a5e6e1d01a9bc381b

SHA256
19aaf6465dde3f29d23901474553666f804085005f62bd0e44fc77ae426e11e7

SHA512
b73462e3408108731910e2f81b16b6f3b45fc34e2d00861bf5c52a6740e5dfa76cf60d2abcd5ff251399e6802369beedd692448ae5c99e10e4514934736730e1

Download Submit
memory/1972-6-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download