wannacry | be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844

Analysis

max time kernel
298s
max time network
286s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
04/08/2024, 17:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WannaCry.exe
Size

224KB
MD5

5c7fb0927db37372da25f270708103a2
SHA1

120ed9279d85cbfa56e5b7779ffa7162074f7a29
SHA256

be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844
SHA512

a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f89224c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206
SSDEEP

3072:Y059femWRwTs/dbelj0X8/j84pcRXPlU3Upt3or4H84lK8PtpLzLsR/EfcZ:+5RwTs/dSXj84mRXPemxdBlPvLzLeZ

Score

10^/10

wannacry defense_evasion discovery execution impact persistence ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\Documents\!Please Read Me!.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions! �

Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD1D3.tmp	WannaCry.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD1CF.tmp	WannaCry.exe

Executes dropped EXE 4 IoCs

pid	Process
2948	!WannaDecryptor!.exe
1896	!WannaDecryptor!.exe
1532	!WannaDecryptor!.exe
984	!WannaDecryptor!.exe

Loads dropped DLL 9 IoCs

pid	Process
2720	cscript.exe
1696	WannaCry.exe
1696	WannaCry.exe
1696	WannaCry.exe
1696	WannaCry.exe
1944	cmd.exe
1944	cmd.exe
1696	WannaCry.exe
1696	WannaCry.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\WannaCry.exe\" /r"	WannaCry.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp"	!WannaDecryptor!.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Pictures\\My Wallpaper.jpg"	!WannaDecryptor!.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
1440	vssadmin.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
1152	taskkill.exe
2420	taskkill.exe
2552	taskkill.exe
1016	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\Total = "340"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003125cc29be9a0e41b44a3d73dc8faf710000000002000000000010660000000100002000000069efb172c4f08daebcffba579be9bb04cff800fc43d9285782abfbdcbf7ec533000000000e8000000002000020000000e7c25d134c2310fbaf68be3419fb5cc5aa00d3cdd47be48291a2550a35b8103320000000c1e788bf4d1227f78031230ee9ba54fb796d0940ea980edd1bc2b9aabdc7a12240000000db89ee68377d114b7efab4272b20a9e44a48cc1b75050418409be424b74a1a4182f1f339ee0c9502cdef994c182c5b68084c71c32a40eeee2fa4bbd81b7f5213	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com\ = "340"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{AE8ACC61-5283-11EF-8B52-DA486F9A72E4} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\Total = "21"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "60"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com\ = "60"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com\ = "99"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e064d36690e6da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "4"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\SearchScopes\UpgradeTime = 4098597590e6da01	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
980	vlc.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
984	!WannaDecryptor!.exe
980	vlc.exe

Suspicious use of AdjustPrivilegeToken 47 IoCs

description	pid	Process
Token: SeDebugPrivilege	1016	taskkill.exe
Token: SeDebugPrivilege	2420	taskkill.exe
Token: SeDebugPrivilege	2552	taskkill.exe
Token: SeDebugPrivilege	1152	taskkill.exe
Token: SeBackupPrivilege	1216	vssvc.exe
Token: SeRestorePrivilege	1216	vssvc.exe
Token: SeAuditPrivilege	1216	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1984	WMIC.exe
Token: SeSecurityPrivilege	1984	WMIC.exe
Token: SeTakeOwnershipPrivilege	1984	WMIC.exe
Token: SeLoadDriverPrivilege	1984	WMIC.exe
Token: SeSystemProfilePrivilege	1984	WMIC.exe
Token: SeSystemtimePrivilege	1984	WMIC.exe
Token: SeProfSingleProcessPrivilege	1984	WMIC.exe
Token: SeIncBasePriorityPrivilege	1984	WMIC.exe
Token: SeCreatePagefilePrivilege	1984	WMIC.exe
Token: SeBackupPrivilege	1984	WMIC.exe
Token: SeRestorePrivilege	1984	WMIC.exe
Token: SeShutdownPrivilege	1984	WMIC.exe
Token: SeDebugPrivilege	1984	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1984	WMIC.exe
Token: SeRemoteShutdownPrivilege	1984	WMIC.exe
Token: SeUndockPrivilege	1984	WMIC.exe
Token: SeManageVolumePrivilege	1984	WMIC.exe
Token: 33	1984	WMIC.exe
Token: 34	1984	WMIC.exe
Token: 35	1984	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1984	WMIC.exe
Token: SeSecurityPrivilege	1984	WMIC.exe
Token: SeTakeOwnershipPrivilege	1984	WMIC.exe
Token: SeLoadDriverPrivilege	1984	WMIC.exe
Token: SeSystemProfilePrivilege	1984	WMIC.exe
Token: SeSystemtimePrivilege	1984	WMIC.exe
Token: SeProfSingleProcessPrivilege	1984	WMIC.exe
Token: SeIncBasePriorityPrivilege	1984	WMIC.exe
Token: SeCreatePagefilePrivilege	1984	WMIC.exe
Token: SeBackupPrivilege	1984	WMIC.exe
Token: SeRestorePrivilege	1984	WMIC.exe
Token: SeShutdownPrivilege	1984	WMIC.exe
Token: SeDebugPrivilege	1984	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1984	WMIC.exe
Token: SeRemoteShutdownPrivilege	1984	WMIC.exe
Token: SeUndockPrivilege	1984	WMIC.exe
Token: SeManageVolumePrivilege	1984	WMIC.exe
Token: 33	1984	WMIC.exe
Token: 34	1984	WMIC.exe
Token: 35	1984	WMIC.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
984	!WannaDecryptor!.exe
2776	iexplore.exe
1540	iexplore.exe
980	vlc.exe
980	vlc.exe
980	vlc.exe
980	vlc.exe
1896	iexplore.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
980	vlc.exe
980	vlc.exe
980	vlc.exe

Suspicious use of SetWindowsHookEx 27 IoCs

pid	Process
2948	!WannaDecryptor!.exe
2948	!WannaDecryptor!.exe
1896	!WannaDecryptor!.exe
1896	!WannaDecryptor!.exe
1532	!WannaDecryptor!.exe
1532	!WannaDecryptor!.exe
984	!WannaDecryptor!.exe
984	!WannaDecryptor!.exe
2776	iexplore.exe
2776	iexplore.exe
1044	IEXPLORE.EXE
1044	IEXPLORE.EXE
1044	IEXPLORE.EXE
1044	IEXPLORE.EXE
1540	iexplore.exe
1540	iexplore.exe
2648	IEXPLORE.EXE
2648	IEXPLORE.EXE
2648	IEXPLORE.EXE
2648	IEXPLORE.EXE
980	vlc.exe
1896	iexplore.exe
1896	iexplore.exe
1660	IEXPLORE.EXE
1660	IEXPLORE.EXE
1660	IEXPLORE.EXE
1660	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1696 wrote to memory of 2496	1696	WannaCry.exe	29
PID 1696 wrote to memory of 2496	1696	WannaCry.exe	29
PID 1696 wrote to memory of 2496	1696	WannaCry.exe	29
PID 1696 wrote to memory of 2496	1696	WannaCry.exe	29
PID 2496 wrote to memory of 2720	2496	cmd.exe	31
PID 2496 wrote to memory of 2720	2496	cmd.exe	31
PID 2496 wrote to memory of 2720	2496	cmd.exe	31
PID 2496 wrote to memory of 2720	2496	cmd.exe	31
PID 1696 wrote to memory of 2948	1696	WannaCry.exe	32
PID 1696 wrote to memory of 2948	1696	WannaCry.exe	32
PID 1696 wrote to memory of 2948	1696	WannaCry.exe	32
PID 1696 wrote to memory of 2948	1696	WannaCry.exe	32
PID 1696 wrote to memory of 1152	1696	WannaCry.exe	33
PID 1696 wrote to memory of 1152	1696	WannaCry.exe	33
PID 1696 wrote to memory of 1152	1696	WannaCry.exe	33
PID 1696 wrote to memory of 1152	1696	WannaCry.exe	33
PID 1696 wrote to memory of 2420	1696	WannaCry.exe	34
PID 1696 wrote to memory of 2420	1696	WannaCry.exe	34
PID 1696 wrote to memory of 2420	1696	WannaCry.exe	34
PID 1696 wrote to memory of 2420	1696	WannaCry.exe	34
PID 1696 wrote to memory of 2552	1696	WannaCry.exe	36
PID 1696 wrote to memory of 2552	1696	WannaCry.exe	36
PID 1696 wrote to memory of 2552	1696	WannaCry.exe	36
PID 1696 wrote to memory of 2552	1696	WannaCry.exe	36
PID 1696 wrote to memory of 1016	1696	WannaCry.exe	39
PID 1696 wrote to memory of 1016	1696	WannaCry.exe	39
PID 1696 wrote to memory of 1016	1696	WannaCry.exe	39
PID 1696 wrote to memory of 1016	1696	WannaCry.exe	39
PID 1696 wrote to memory of 1896	1696	WannaCry.exe	43
PID 1696 wrote to memory of 1896	1696	WannaCry.exe	43
PID 1696 wrote to memory of 1896	1696	WannaCry.exe	43
PID 1696 wrote to memory of 1896	1696	WannaCry.exe	43
PID 1696 wrote to memory of 1944	1696	WannaCry.exe	44
PID 1696 wrote to memory of 1944	1696	WannaCry.exe	44
PID 1696 wrote to memory of 1944	1696	WannaCry.exe	44
PID 1696 wrote to memory of 1944	1696	WannaCry.exe	44
PID 1944 wrote to memory of 1532	1944	cmd.exe	46
PID 1944 wrote to memory of 1532	1944	cmd.exe	46
PID 1944 wrote to memory of 1532	1944	cmd.exe	46
PID 1944 wrote to memory of 1532	1944	cmd.exe	46
PID 1696 wrote to memory of 984	1696	WannaCry.exe	47
PID 1696 wrote to memory of 984	1696	WannaCry.exe	47
PID 1696 wrote to memory of 984	1696	WannaCry.exe	47
PID 1696 wrote to memory of 984	1696	WannaCry.exe	47
PID 1532 wrote to memory of 3052	1532	!WannaDecryptor!.exe	48
PID 1532 wrote to memory of 3052	1532	!WannaDecryptor!.exe	48
PID 1532 wrote to memory of 3052	1532	!WannaDecryptor!.exe	48
PID 1532 wrote to memory of 3052	1532	!WannaDecryptor!.exe	48
PID 3052 wrote to memory of 1440	3052	cmd.exe	50
PID 3052 wrote to memory of 1440	3052	cmd.exe	50
PID 3052 wrote to memory of 1440	3052	cmd.exe	50
PID 3052 wrote to memory of 1440	3052	cmd.exe	50
PID 3052 wrote to memory of 1984	3052	cmd.exe	52
PID 3052 wrote to memory of 1984	3052	cmd.exe	52
PID 3052 wrote to memory of 1984	3052	cmd.exe	52
PID 3052 wrote to memory of 1984	3052	cmd.exe	52
PID 984 wrote to memory of 2776	984	!WannaDecryptor!.exe	54
PID 984 wrote to memory of 2776	984	!WannaDecryptor!.exe	54
PID 984 wrote to memory of 2776	984	!WannaDecryptor!.exe	54
PID 984 wrote to memory of 2776	984	!WannaDecryptor!.exe	54
PID 2776 wrote to memory of 1044	2776	iexplore.exe	55
PID 2776 wrote to memory of 1044	2776	iexplore.exe	55
PID 2776 wrote to memory of 1044	2776	iexplore.exe	55
PID 2776 wrote to memory of 1044	2776	iexplore.exe	55

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\WannaCry.exe
"C:\Users\Admin\AppData\Local\Temp\WannaCry.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1696
- C:\Windows\SysWOW64\cmd.exe
  cmd /c 226541722790928.bat
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2496
- - C:\Windows\SysWOW64\cscript.exe
    cscript //nologo c.vbs
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2720
- C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
  !WannaDecryptor!.exe f
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2948
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im MSExchange*
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1152
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im Microsoft.Exchange.*
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2420
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im sqlserver.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2552
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im sqlwriter.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1016
- C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
  !WannaDecryptor!.exe c
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1896
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c start /b !WannaDecryptor!.exe v
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1944
- - C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
    !WannaDecryptor!.exe v
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1532
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3052
    - - C:\Windows\SysWOW64\vssadmin.exe
        
        vssadmin delete shadows /all /quiet
        5⤵
        System Location Discovery: System Language Discovery
        Interacts with shadow copies
        
        PID:1440
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1984
- C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  2⤵
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:984
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" https://www.google.com/search?q=how+to+buy+bitcoin
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2776
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2776 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1044
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://www.btcfrog.com/qr/bitcoinPNG.php?address=15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:1540
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1540 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2648

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1216

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\NewStep.mp3.WCRY
1⤵
- Modifies registry class
PID:2260

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:980

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\UnblockRepair.jpeg.WCRY
1⤵
- Modifies registry class
PID:2396

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1896
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1896 CREDAT:275457 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
067a073d1cb598ad5e311703ca386c6b

SHA1
8ba871e5396dfa20f52835ca4c59deec8099ba34

SHA256
7459d8ce89643dc5412033ba42fa0c1e82c4386dfa3f62c1ecbcd9b9cf1bf039

SHA512
dfedb7aa826ee375620a6aa91ef65f9b3cc02e9bd99f81108b6ca5a10590557dc5f5e50f9b321ed780bc58de59eaf59613a905f8b8559a2769c6c6a54ec6a0bc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8556dc6130ea3277945b3c3c1b9869df

SHA1
01d62827c9c4022743d54eb17084e28ff33b4db3

SHA256
76e0a703ecdb43c6eae074eddb48af2b1814e6d2d26bbd55ebbe1c6e96635aeb

SHA512
285d037d291b9e70dd4f8201ab120c7094880c58f56160c0e7c5723a179939c5c7a1c954bebe5499017caf0db110bd433b064259c2343b824cd3751123bf857f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
74f01dede10cf65cc9c08f28e75aa745

SHA1
899a8b521d4e97d40ab0e5fc0cbcd45c0ae998ee

SHA256
7bb3127a1bfa8329a6c97309f35e601eb15f14eefe74d9e10af8638dabc61122

SHA512
6d767dc0c42c44372076aa39be5fb9e2b62a06df8a7a7b35cd1863fb8ea32ba76fc30ce74cf6def9a11e0d8020cf19da006b883a4899c3c85c6a39f2c06055ef

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
429574c8fea51f5ebac74d38c1145224

SHA1
3900775d1852f18095ce3fbcc748b381965e4e21

SHA256
2808e4e8c989dad2230048c85b524bbb22e15c2bbbe0a646d0f48b42c20370a2

SHA512
e860860eacfb802683ea70807eb928d35e3eb97c9d0e325536e0ba002a95470a1a6c20fc13837a9253de3bb23dc796379b3af67d37420209cb8e7fdaea9540a5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
73360fa54014d40484eb57a119492e6e

SHA1
5a56fd62b6bbc298ad65f001f4c46ffbdf8e68a8

SHA256
8be9228e12b5b0e1651dc9d674a13c439a468ea41ac1b8d954e29c0a80f02f1d

SHA512
6bb0d527c704f958b85ce54dbc80e93df4ae93c70a2a1461c5eda85a5af79cec49283d6d2c4c1766ccaf933d15f8cf6f0f4a7bb4f5f75b7a60719f13ab7bacb9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d1fa3235fc9eff71d2036837a8edd78c

SHA1
ae72d5d5591c00bf43fa74603245c5eb952566b9

SHA256
c8b2e7c5d9c9b50293239ea1eb3700cd99a8f2a9d514cdd317a5b35cf76e0736

SHA512
e0ed55a8348def2339eefd0cc2cd5157f077c3576e578d6414b5df4cb7fc88dbd8074ad80ceacb10da874f108f35627cfeacbc71b5740bf6614338dfefeb00e3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e34bb7d5d3a650b23dbf49b86c4a8faa

SHA1
9f1ace7c9d1e51c0520fa23c902fe4caf8131a15

SHA256
0fa56f8ebd6780bc48a695a6754e829ea6a11956653e494e1b5a379ad2e2467c

SHA512
019d1170b97f0f502d698e02a0e2e41ef93ca1e63c310539d8ad85e3171470c8901ed7c92bc142f996e6b87d9074a39ce65825f21823371d3ca9f1f799c7cb90

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6151003f8a4282ea7574d41e0d427361

SHA1
db6aa3fc70d0cb5e8d8b1a0e5a70f2f32a3ed40e

SHA256
104aad4ab9635b0ac1cb4cceda9c3f2c71f142f2a3e49888c2a9695a43661d89

SHA512
37f3c8aab19a782d78fa7961a2e45730577d503b62ff49d056b0eb26f1c960def4c23e578aec061ca3801dbd51a41537ed7d65e42d932dc41e6c47fe15b48b2b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8f281be894ea8dc42a9204edbce36612

SHA1
df75275006f55bc4b33596f46a29778d02608394

SHA256
50e67f8a545c9f398f02df97a085a813bc69a617d0431e0a6ae89950a8f81aae

SHA512
4e4f36d7937f425adf3023111d251b19bf5ccbb9497f5fa78ccdb18e57d30bf7cf53d73d2ed37b5d2623e8793daabd3c6327945cc82cab8709a07f1e9c03fae1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
74d1b578373458c83b833afc3bf89d8b

SHA1
f957056c535db846b3a2e5fae42891a83d5dd169

SHA256
38902aec442c77e1ce583e0af2453c8e016f1171933222ae868e52a58498d4a8

SHA512
7e6cacff2ab3b7b42e630ac7f0bfc4dbc4f76de04947d41737c39807cced30c15a44a4e4ceacc50ac8882c27974719f5ac741c1960d34b9ea62259afba6348ae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
547eb3b915903635263a0adb73cc8bee

SHA1
cbe14e18982752427e1c121700d3b874679a1adc

SHA256
745d865ae179e4b0807b8476cd6b9a550896ed9d4417d33d13dcbef7f5351307

SHA512
637ea1df1da74f941322cf3dad0dc06d6d2950720a981ad44ad493b38359a0a3da51f688d187986a6747cb5d9550ea8adea3706fcd0bbe7600bf185202ffc95f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a459ccf79d738004ed62b5094df6bf0e

SHA1
70ad3d47474915449d27d8b03d87d3c5b1d68dec

SHA256
5b2a3e3b59c6fbc60c3b18f4b77f11cc91903afd51ac1f60b4dff696347523ab

SHA512
6b8a71b179549f65f33884a8ed438734e9db1e4b7402d827881396db6a43dfe90fdb0d24a4fcd73e5b2728fcb2fcdac93e95aece6d0f80330c5a3ba2463923e0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
939e671161e0fef5e0a073a74631416f

SHA1
df66c72bfa65f37c40abf3aa1c623ffa7f97bb94

SHA256
a7056a56a27335bf0d20704e68d83ff5720a0d70145da5c0c9285f8a27272da1

SHA512
1fe09fca84565a3719d267b47e680f9c489dbfc55953a5a3b87e02fab711af6ea97c0fce0a63e67ac29ab3625fcdb75d4f0729d5224bc82ba5d45981815b4e98

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
20d6d1ab52686f74979da47a114daaac

SHA1
d2a9180cf87ebdece86f1aa821020a2eb7ea007e

SHA256
0f9987207fff05965391607b00419bdd574a31ccc37fda2a042a9c339556bdad

SHA512
9fea281f3c8b29a8243c2ee495dd27f2903e66e25c851bbd7cf062dea5792397be1a4847aa14f288d7e3e84455afd7c7fcc64f1f2e7d6ca3f149eca7193b4845

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6652ea156b867c2961f26efe306b8975

SHA1
3ac57d619eeec9f2e29abdc4f3b1e603773a7618

SHA256
3f9e3c962bcb70600dd952d3ab343abbbba527b715413fb66c17dead45d7b91f

SHA512
0c89beb9d12acefb3efe66c86ef824b29104fa7cfa7996e219747b12eb02083dc53c755f5e7eed15b3589a6796b9f5d92e56f654e7f1155f2f275ea086aa68e9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
676bfd814037f6df33b377c3ab03f6d1

SHA1
eac62790002b6e5637e0c88485e3428ede6e39a9

SHA256
dd23bce1c8cbdd28f4a4a9edf45f908f85f5ea9c86448008c11f1e01c0de1a6e

SHA512
eb647b646def0bb13e469996cc7d33e255a6ef75303459e381bf4b5d7d32f47c1ef478e33c7301477efb4ef599fba9e0f0b13245ced18ee0e1ef8a319f289db6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
61f5ce4c60da62815a831e046b818a5c

SHA1
bddd3fb1bf9324ff423f7af1910ac18a1eabc10d

SHA256
2344819767cc41dc3b489cfadef92d80a890adc156a041aea5e412a64bbe4152

SHA512
bf739f31ade26cd374e0ae2923bc8c10f910744bcc7b370e9f2d5fbc61fbaa8bd5aac4aa44c7f1cae9a67e6659e7e20e5885ab5407b39928495a43a367f86405

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4f2f3373732eed6846edc170d4f97a9c

SHA1
05eeefc374a47010828169558265aa46996e3a34

SHA256
c1ddd5f742c733df9e4cfcfea596a448799cf99d2410cc1669f619d1d4cba203

SHA512
a0189a631aec71f14d363ae1c62fb48b5eb85561df719598e1063518c01c987530b9e99c1cc2652fbbf7d098ec8e883a6e19634c9009920073abe3b7fd3f7332

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7a651e5e33c796e13101cc62c13a872d

SHA1
b46344e76ee78ad81db316509da012c783ffb7db

SHA256
571b97c9b8d0d06bf12ae4894a450355acf220bf2705d68d4778fb08e60fa852

SHA512
08735e9931920f9ba0079b8c7a994a234176ce839e5a4683b2dd0ef6647211587625d09e6ef24566a30416a58a17f40be2cd4b606587ab9525bb8ffd01637210

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9783a11920c57f5094d406167cfbdd65

SHA1
7768c610407547583ea7dc00d52f272e841fc2d6

SHA256
02788b89ba3078da6821d293daa131f96189f920e5489605600cf5201d67053b

SHA512
e063dbad00e57cf36addf1c79f39344afebc557478601c07d66594ce48f2b7b74cfbd04ba73324f7f90388c9cd559d1c14936805ccfc572ea062566b7e053555

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
775096cdcf069dd4908b22671574a042

SHA1
0a728b08006812a15f9ee06eb26a96d53e534782

SHA256
6a4943301831282b723f03b92eb95cee86e3535d02f2237b1748c758639f7114

SHA512
12214ce0fef0ef3dff370e6b7fffa1f237a219aee7fc3569d83cd3df5f7741473a9714558462595ce9394b2a715aeae233aac178ed11ac40986071ed1ffa8af4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ad777d874cdbc549ce67fd5dd33920da

SHA1
fdccb627f280058d947fbd362a065da41d7cf563

SHA256
83e75ec9cef688c831173605a2ef0d1c26260a9f6b07da26991260381f686174

SHA512
c13b27514ae494ad944608481c4e89c07db8bd33a766e44bf725e6bcf916d805a5744bab2675fd5ec73edf6b69407d14656963337c2b8c87186d40d7c2ae2e4a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b859c3f07ff6d1f8fcca84bb78b3f7a1

SHA1
7f40c707b4e1b279d75422e848213c544cb6d4eb

SHA256
e76b37867f968f40640d222db57476e962bdea481052a95c24041e559d0be355

SHA512
315786b642b775f3e68ed46b8a1d7a597f03670dd83d3cf8912bb954d0b906c15300b96fb9a09193db6204398f90fe114d9486a08e48869272f98c498f850641

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c889c3337ed6bb44ccca04d91e816216

SHA1
04c06d492adccfa1dc7474bf908ddac21a131918

SHA256
79973c40d6cc5406461db9f6eab0966cc94669a1d4253f2c6963d641618a4fc5

SHA512
1afe2f6b1056a52eb6fc980c348ec4fed86d82c1252e4d22bc7c21378725b37fa4d44a51db245e39bad85243d98a108cb5056314aa9de8384a58ded6199520ba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b38603cb305a3c1caac6db97cf377b00

SHA1
8bb0a8938678803edd53e91bf51ce00ad689038e

SHA256
681113a2a8df905e2aaf7e6fb5bd86e0048c5f5aaa4a7e79988133d4bcf5421e

SHA512
d7d5d15fab63f3081bce3dc12f16d5573c9dd81f3ae890441be5359f70b7cbe75fe2ee10a3f4e376e0eaa439e1870b6b629e7c5fd8f25554de59e84754753e35

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5687770b092b11c5a3207376a782788c

SHA1
11a901bf4158618c5d975d92347a735cff503bb2

SHA256
1d08cb30398170c605b2f420ae9d38c0c9fadc337773ed6c25d0b0eeb47c77aa

SHA512
27b069e9869e685611c77d9b1e5c9ad2ffaffb4cde780bb3cf67cd9466df00c7ec27a88758ea62bbc912d9b8804356d20802abfe9c390ff7e12c9ed417e715da

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6401ea3327d86d533c7ecbe774d90125

SHA1
72ad42b6c421f27a873774f6a45d1346a5c5a547

SHA256
5ff68aecc90bf6da82b14cd1a818a9023ce8dd689af2cf01d4a8ef73d78d1377

SHA512
6414f41a70ab0d99fe45fc73d7fff11a82ec633fdf8e9da7e3b960cb4703885a2d57f8495d345e99d4ab58c5d0c1c4f065aba99a65c858c244e63af9149465d9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d02fc02b3bba87f040798bbb38282b5d

SHA1
da799e4c57700aecb84ca2f901ef79f63ac719a4

SHA256
689f5b38f508627032b6385246749b788c378f616ff4c8f8372134521dad8ff1

SHA512
7de9eb2b260acb1f93c5a8c5b73dbf7cbd1b0af997f25c7ea8f51ef7596512acfccdef5a3111581eabbdbeedf9fd761ea20bd618a8a638a1174452247ecf0e66

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
65198230f35be5b82feed60793207e2e

SHA1
697d3f58c849e962d8f7943ec49c8347cf67a92d

SHA256
7601c58d07bc0ac92fb2da1eb19bba04dcfee7a1b0fda1b374141a3dae7cb8d3

SHA512
cd2117e2a387c693cfb165e8d514872672b88e675ef0e26a215396cafe3f845a3b703d9c15241b267e26cec5fa4ad632385d9194c5d5f76a7fdda72a19db0595

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bc75544209a2833c0ca407a7ca35d98d

SHA1
02a2269791ea7976015b6e87dd3138c8e5d4826c

SHA256
fd2bc3b1ee51c6c18c29a896a543c1261959affa7cc126482f96f0cc5feb62c4

SHA512
fd6eb9d4248902fbb4c4a660f406a2f03c05821248a3be4be1cbf9583defd24fd63ab79dcf5bd3eb540de9ab62a84d982af79658f7ab0f540666b407fc2dfc31

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
857f72c3839fa157a779544d4e171ebe

SHA1
68cc567feb0f2eec3e2c88681e83c559fdf69309

SHA256
021912ec65e8bb43efcb3e942ae3d5736bb87ffac06464683d024f516b4e1809

SHA512
3687a412e57e940d063e1d7eee704e586ceac16a68c6b08517d774754a5d9b06b31a422d236de8cec47f6c7dd38609a96ec4e4c11db7669aa36fd33d5c99c35f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8fa0b4fd9caf69d34b6192d88c5817ef

SHA1
fe5336e65d266898817a93edd213599fdab59200

SHA256
4b230b963b48ba346f55b05cd4dd68c508aea92d52571dc05e8d1dd28d7d1241

SHA512
f55c7be4d1fae4f284ca7184646bf1b70abec23e9ae43b2ec6d1e99afc23d5e4bc1403691e3f181b0eb190b36f72b6c918ea04d78f51d37715fb4d5dc50706e5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5f3e037ff7f5bdd34d908e794711e534

SHA1
d7c382c5364d91883947d8e44281dad9860e2d43

SHA256
92385b0467d337e600c3ba2dc55f931f3006c3221384a8542241af2072bef820

SHA512
38c68baac5ecbe74fd5e41cdefca232de039faaa16dc6c5e6d48d82099aafe8482d4478fe53d4a6196fdc807108a45d542e7369154ff66a6530b5c4ab610dc7b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
361d24852a94d80da86822ae0e1225bc

SHA1
fec5e5cf7cda4ca9ac8e7cbaef51ce03a07a8892

SHA256
2a84193861a6a2f85cff8a38e5247662c0ed956bd3a821c2ce52367f2752e3ce

SHA512
2d6aa5c1ca7220ea1ec86fc69148c960aea4e8814c5ac4d7698415030b53e956ebda596c0357ddb8009218d74f058a08a5009f4b5f012ee7c89f4bbafcd9c956

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\0EDKRECI\www.google[1].xml

Filesize
536B

MD5
dd392223f89f04974d4a1f59ccc67e2d

SHA1
94573821a223b685ab1e4e6e6b578f186add8e01

SHA256
0abd396cfd60d9c83579ec7c54ccc61955006cf66e5f5e19538e989bac0253ad

SHA512
e3d50b3cbeadfa443530d39d778e60366a597ce8cb7c07bfbe9f048d1b9374d043a500b927a4ed5c814a192f71e14b50e18943fa2a93a444a784c8ef4035c3d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\0EDKRECI\www.google[1].xml

Filesize
234B

MD5
1602390278388b0ddab615a9f545290f

SHA1
b32dfa913b3fdc8613e5e16c95765bd5f5bf182d

SHA256
32c980b78290c4b276d8f3042bc91e29e80b1fbcc3fadc7d6139b7e6a9134a44

SHA512
0c1ae191973ef75fa4f17895fed9d0797e70d66268c6e7e54ef1eaa33c3a9c3b8b3b6c3db8839fb5023fb7fece8246c1e49ba6351b79d355311e08d47d3e0ab1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\0EDKRECI\www.google[1].xml

Filesize
95B

MD5
fd06cf5a3031f8083efed7088924cfc9

SHA1
463345a03af3da787187a60f86456a096aa9b48b

SHA256
76807d6bf828eb1cf1284c5a471b0ad10ebbc9a9f709a7a4632f68ea0a31c3ec

SHA512
bfec08cd36ccfc08ab7c7d40275b28a31b95003256f04cbd288f17d36f6d9e6dd656e0a0194e6e090c7dca4191078d91a0c3e0dd0c2281484238116b8ad5a6be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{90C4E171-5283-11EF-8B52-DA486F9A72E4}.dat

Filesize
5KB

MD5
259931adf4cd4b60c848a9ce7eafa4bb

SHA1
0cf5ca6e22f941e4aa49587c7568cb54545d56ee

SHA256
1c6c7bd6dbcda5ef051e44eff92d6f99b1a47ce67d3f6d5e7dd3e91c4584044e

SHA512
46b6b1944d02740dec854b2f7b5f9578920010507905e94319b64953a5a0d68142187f42839bc9efe2ffb0adc27445b2b9fe823d258dc5eaa80321c76f1bb7fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\RecoveryStore.{F10AAFC0-3AD1-11EF-AE8B-D2F1755C8AFD}.dat

Filesize
5KB

MD5
1975bfc6e1c4d4577dcd5dc72401b63a

SHA1
b15ca773ed7480838ee3132edb8144d69f14e9e7

SHA256
5e808e8301aeeedadc703e92539ea828f9248a60435039d9316f1c8a4dcd5b69

SHA512
66e75462f1485d84f2c787e222cdd7ebe4c9f856b0dcae08a9bcdb899f525c1af9a80cffdaf1b69e27a6891e64814db1dda8a0e3948baf659750fe1a45835fb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\RecoveryStore.{F10AAFC0-3AD1-11EF-AE8B-D2F1755C8AFD}.dat

Filesize
5KB

MD5
d849de8eb3307d076801856689f88739

SHA1
aba099312dc5ce0a47676c8e592f7c6b21c65029

SHA256
07a741a0b6aca9dd53473140d18156e4e535caf8fa615de3d5e36bc9f644c0ea

SHA512
c75ab486db01735a95b149e49e1399d919aef426993af930d5e0ffbedf958c15245abd8b30dd76508c1cee30e80ae512509362488373f98199980c24f1b498db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\{A74C7D40-5283-11EF-8B52-DA486F9A72E4}.dat

Filesize
24KB

MD5
a577aafaefc6c7350855e2d9322ee4c9

SHA1
4230bd58ecdddd5b2c6b56b551bf94aa682dce10

SHA256
b9c10d20dfbebd0065fe5a676f8479c2c98fdf1b0a4fbb723385a1af3e6b7563

SHA512
f7b1a6dd89f094a5113be84228775f1c78bee6789cccdbc6c704ea6b266c41313363f86e63a5e75e7c8b68876bea81569fac48b076141a54785c0ae0346b31ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\{B926CD40-5283-11EF-8B52-DA486F9A72E4}.dat

Filesize
8KB

MD5
9a9f157959cc04a3b1fd20c615efd722

SHA1
4065137a5ef97b6cc8876bba6f612f08238dd9ed

SHA256
0ab95517df2f1a4ce742c92487a62f734f62f89e57b8c3e7eb3442bc06d61ed8

SHA512
8b819399643633e518bfbb41f7420e50866b27e5791010cbc6ce943ebc8bd218944be67634f66c4ddd6514293d6716f56f64e97c93389818be38e35e11e3c360

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\{B926CD41-5283-11EF-8B52-DA486F9A72E4}.dat

Filesize
4KB

MD5
003875e66759b610afbc3e4380f7429a

SHA1
3db5e0a080e6e66496a4545961f6066e3ecdff3c

SHA256
d150d505533e7cc443f9d2e88384d16522bf62dc65ee9d5ab0152fb6b1a8998f

SHA512
f5f3ed86c84e0d531e188ee4434ca21799ebbb36100eb140e5d0cb86f7661bcc30f5a51d505b7d663d1a1c6af415ea66c183e6e727d705c77ae84b0bf9bb39ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\jmgc6we\imagestore.dat

Filesize
5KB

MD5
3e83e2766a2a499e53bcd13df4980d6e

SHA1
bcf5660530a50e04137b00fbec79d5161c46339b

SHA256
18338e3f8225e55b5965d9c91bbcf0fc55aa65092ac97ae3326a2c94837ab7bf

SHA512
ee2ebd1a58eb32112af4d348eca56b5af3eedc6a87df71e258e51165f1bba76b698b1203b8e19e89d9f2f019ea960044319c7f801427c59f177c1d757877792a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5J67VDZD\gzp8hCsKRvm4DBaRw-7k0slVyvw4q9YITZj12WXAmdo[1].js

Filesize
24KB

MD5
b2d00c29215554272c46edc89c1f1dee

SHA1
a972985ba448332803430c9a931f81625886bf3e

SHA256
833a7c842b0a46f9b80c1691c3eee4d2c955cafc38abd6084d98f5d965c099da

SHA512
063911a4f74aa93f67f219503775b61c9aad9423a70d6233cc7067df5d8564467218a886b980d67d382ec595524ac1920b7fc4b262ed5bc3e8a2eaabe8fbe16e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GE5J41S2\favicon[1].ico

Filesize
5KB

MD5
f3418a443e7d841097c714d69ec4bcb8

SHA1
49263695f6b0cdd72f45cf1b775e660fdc36c606

SHA256
6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

SHA512
82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GLOK2QLQ\styles__ltr[1].css

Filesize
55KB

MD5
4adccf70587477c74e2fcd636e4ec895

SHA1
af63034901c98e2d93faa7737f9c8f52e302d88b

SHA256
0e04cd9eec042868e190cbdabf2f8f0c7172dcc54ab87eb616eca14258307b4d

SHA512
d3f071c0a0aa7f2d3b8e584c67d4a1adf1a9a99595cffc204bf43b99f5b19c4b98cec8b31e65a46c01509fc7af8787bd7839299a683d028e388fdc4ded678cb3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\J8I3CVQY\recaptcha__en[1].js

Filesize
531KB

MD5
1d96c92a257d170cba9e96057042088e

SHA1
70c323e5d1fc37d0839b3643c0b3825b1fc554f1

SHA256
e96a5e1e04ee3d7ffd8118f853ec2c0bcbf73b571cfa1c710238557baf5dd896

SHA512
a0fe722f29a7794398b315d9b6bec9e19fc478d54f53a2c14dd0d02e6071d6024d55e62bc7cf8543f2267fb96c352917ef4a2fdc5286f7997c8a5dc97519ee99

Download Submit
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe

Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe.lnk

Filesize
921B

MD5
6def6d2f856665155ddbf6b2a680421f

SHA1
25d29bc1aa4d9dafb04f6433ab7ece80a11c1152

SHA256
5bf9c2c6c89f3c7f3ae4fe8cd67d3b7fb1a9b7c31018f07f4e35faab0e6f0386

SHA512
c0d0452713df742851acf07c429801a341043aff02a6f47ce25b0956122be0c9043fa5da6bf0383d5bd0afaf84433398383226fea7c247e7f1e060a9a12053db

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.eky

Filesize
1KB

MD5
8ae0f84d70051982c2e2c03f828169b4

SHA1
0e6d58e6c99fa5421eebc93a12ac7b142298c7b5

SHA256
60c913173bf24b08f6ca09ebd99dfc7862da25204046c9c3728c55c2273dea98

SHA512
46c79bbffd1ff367258407a9e356d685fc913f56b10fa3e44b61c12b5777046c1ac3eba0640c3f34d902232e039141187ef27a10be406c744ed488c873d587ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.res

Filesize
136B

MD5
05b67b222f3b80723a8c7ea2c85d858c

SHA1
b35c32103babccf67577163824cf9b31d70d6ee0

SHA256
cb9d5212e0327ff5a9db211fa315f18b12330491bd980ce47ec0914add497aa0

SHA512
45c15514292ca8f56f6c00ed1f95700ee3eefdfdba7488c5f83996fd3f1599fbbccf7cf3a8acdb727acb8f1ddb6f354574a3f2c1a9bdaefcee97facb61fd5804

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.res

Filesize
136B

MD5
3fced3d3c0ffb1f759bf9b8eeb7ad22d

SHA1
5ee3614e391d5737afb1df3da3600c8c58b7357b

SHA256
7468b2308d4b456321e81d2533ae2cd2fce73e1d6c1faa4523a350402bd26f87

SHA512
9ad125ff024773000be5b9ceb0941b601fcd6d1616f7af54814f72b473e5dd7a619b1eb8a2a58239ca9477321fc6a49fff9ec6003a7a7ceb3ce1c797fb39cd12

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.res

Filesize
136B

MD5
740d4b1ac5bbf073940952c77cbf8adf

SHA1
c127e1329b5dfd2a2668581802424a0e7276deaa

SHA256
1e61316013313e5f8fec3351a11aa5a41f956177d7c041703436bbc80d667d15

SHA512
4c5ca73c669afc7b5909d7e566b56eb4cba2f89e8c39275da8e5ee74d361dfb945dff838ec44aa47f147f31583c57d3de73a3f1dcbffa4dd80502681c9c15b21

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.res

Filesize
136B

MD5
432650735a7d23c752c4facd63c72cde

SHA1
390f15a223f7d40cef00e97f2aff17c8de04f63e

SHA256
a7c096a4fa166764679cacc2d5233ed0da76d77a78b124ee3ba747fd458ff6c2

SHA512
3c7bfacebefc85335f1ef6ef2c719360f117de1efd32e8b1a3619e180f298335354d325657d7d6d1245a606fbca50e4171a3d82ff8f27daad9f2e471156508c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.res

Filesize
136B

MD5
e408a8088f672e4406dd38f70680bd2e

SHA1
dea5bbd11432f89bd2bbacff1f17f3b32109bdfe

SHA256
83e64cf2894f7f104f17c3a0c5b17f07fc4c3dd4920bfcccc92baeafb2bed2e5

SHA512
b2373eb5ddaec822576991fd12cd2641f0f828bf89ae3f58ead285e4b735a20d6ac8a5c23cc4f698d9419f58711eb18ef4d5950e3ae977aaad446dd428c5fc6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\226541722790928.bat

Filesize
336B

MD5
3540e056349c6972905dc9706cd49418

SHA1
492c20442d34d45a6d6790c720349b11ec591cde

SHA256
73872a89440a2cba9d22bf4961c3d499ea2c72979c30c455f942374292fedadc

SHA512
c949d147100aef59e382c03abf7b162ae62a4d43456eebd730fbedcf5f95f5e1a24f6e349690d52d75331878a6ee8f6b88a7162ee9cf2a49e142196b12d0133c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF412.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF413.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.vbs

Filesize
219B

MD5
5f6d40ca3c34b470113ed04d06a88ff4

SHA1
50629e7211ae43e32060686d6be17ebd492fd7aa

SHA256
0fb5039a2fe7e90cdf3f22140d7f2103f94689b15609efe0edcc8430dd772fc1

SHA512
4d4aa1abd2c9183202fd3f0a65b37f07ee0166ba6561f094c13c8ea59752c7bdd960e37c49583746d4464bc3b1dc0b63a1fe36a37ce7e5709cd76ed433befe35

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.wry

Filesize
628B

MD5
9266cf9098e5c4a6c35c849ea3554e03

SHA1
f6811c9da012580a81d129a1a6dc0ea117f8b3e5

SHA256
9d4001a275785637e9c9af2a909b661cc63e6b724e6e3577e4e40d3e212462af

SHA512
c4be03102be9ab1ea3b38f06899260c6e57b1452fdf2c76df9e2e2c9b00680f5a03089a3bc206878cafe7f63cc753202fb9f66dbaa1bd4543f23455c1d7f57d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\f.wry

Filesize
233B

MD5
bd4bee13af6c078370741f95adce7a5b

SHA1
3d5cad6dcce21a45ebf8c4aa89a88f946c58cb95

SHA256
4810f66b92f41459ae7327b0d70fe0ababfe7e4bd7b53069c102363159eacdc4

SHA512
2f213337f317b2bc5d72c2c10ca9ce3d800a2af7911ac7e40690234245d012996ec73ad862fae7bee2fe3149a1ad1b715d8e5ea462565c35103ed73020db6e71

Download Submit
C:\Users\Admin\AppData\Local\Temp\m.wry

Filesize
42KB

MD5
980b08bac152aff3f9b0136b616affa5

SHA1
2a9c9601ea038f790cc29379c79407356a3d25a3

SHA256
402046ada270528c9ac38bbfa0152836fe30fb8e12192354e53b8397421430d9

SHA512
100cda1f795781042b012498afd783fd6ff03b0068dbd07b2c2e163cd95e6c6e00755ce16b02b017693c9febc149ed02df9df9b607e2b9cca4b07e5bd420f496

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DF9EEEF1E57704FCD2.TMP

Filesize
16KB

MD5
1085794910a34a3a2e180c5544ca8dbe

SHA1
0138c6b46bd6064a8292eb48bf70695b038fb6f9

SHA256
22c3d78056ae91a5c20d34612176d165ba03bf22134e4f5331cd0f291dc2e691

SHA512
f8674739de82ca6e61cbda60d781976c617c9c00f790f3678c78d54c24295356d9824b279f23921a66cd303edf6f7c24dce251c64d5102f9d81638642af9f0f3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\28c8b86deab549a1.customDestinations-ms

Filesize
4KB

MD5
2199c4de508d71528f2cf01cd0ea29de

SHA1
659d223d870b981d62da32352534c203fe4da1c0

SHA256
3660f7825af8fc6c68f51a6e9d789c94e169ae4f6c1cf1fa999ac1d6cdf6acd8

SHA512
d1b4360c4b5743029fc2ef2a1f73653ea34132b30924d8096d27496d0d3c2860c43cc4d595d9cb3bf097f99e26b2088e26f98fc6a12e5ea9bc4b22a9ca85298c

Download Submit
C:\Users\Admin\Documents\!Please Read Me!.txt

Filesize
797B

MD5
afa18cf4aa2660392111763fb93a8c3d

SHA1
c219a3654a5f41ce535a09f2a188a464c3f5baf5

SHA256
227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0

SHA512
4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b

Download Submit
C:\Users\Admin\Documents\MeasureTest.dotx.WCRY

Filesize
1.5MB

MD5
1c4ee7f9a27b51e88e26c0abe9a5736a

SHA1
c7e1f3bae05e072abd14a5fe4c58578fd822e928

SHA256
844ecb0c0deaf8dfd70a8a5b537716eacd300729500760073a46b5a1c57abfe6

SHA512
925985e43faba13f2e9c391dd50a44aa2d4cfc8b8e9ff7a3bcaa5c85703cfe5c724ef6310979066015e9a6e383c841faced9780bdc140e5be67a901a2694a5af

Download Submit
C:\Users\All Users\Microsoft\Windows\Caches\{F812F072-112F-4F66-A297-5814E6E491BD}.2.ver0x0000000000000001.db.WCRY

Filesize
1KB

MD5
b07fac5b5c2b494209832677d4165ec6

SHA1
60173041c507bfdadf658d4e0d1f3651b8af3be4

SHA256
22f749bdc2c9c1c6e9fe837710a6b0b7546cded99c016b226e82c574c5fd3b76

SHA512
ed0e785e7e22c14fc651192fe477d49e9bbdefd92a6ae43e891761098dd9f3b3fdfe0172d1a5c8b9f56758afdd4e784341aa281d74562762b20bc91517a01e98

Download Submit
C:\Users\All Users\Microsoft\Windows\Ringtones\Ringtone 07.wma.WCRY

Filesize
92KB

MD5
9fb74bf04487f062d0aa9810f4e7aa98

SHA1
384c282ca1ed8b3294467fdac03883c53844a6f6

SHA256
21af1a87b8ea9a487e9b428bc85c746518b62916172ff307344536252ab630c2

SHA512
f14afd4e96cc3884a53906ad141f445d8b2a32bac6e12801b5e99b6f60fb52ce70f5a65e1f236322dab5fe9ae7efefad4ae0fea6e1bf9b93821668fcc2a91bfb

Download Submit
memory/980-3053-0x000000013F160000-0x000000013F258000-memory.dmp

Filesize
992KB

Download
memory/980-3055-0x000007FEF6B20000-0x000007FEF6DD6000-memory.dmp

Filesize
2.7MB

Download
memory/980-3056-0x000007FEF5050000-0x000007FEF6100000-memory.dmp

Filesize
16.7MB

Download
memory/980-3054-0x000007FEFB030000-0x000007FEFB064000-memory.dmp

Filesize
208KB

Download
memory/1696-6-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads