Malware Analysis Report

2024-12-07 02:58

Sample ID 241111-crg3katmdn
Target WannaCry.exe
SHA256 be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844
Tags
wannacry defense_evasion discovery execution impact persistence ransomware spyware stealer worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844

Threat Level: Known bad

The file WannaCry.exe was found to be: Known bad.

Malicious Activity Summary

wannacry defense_evasion discovery execution impact persistence ransomware spyware stealer worm

Wannacry

Wannacry family

Deletes shadow copies

Drops startup file

Reads user/profile data of web browsers

Executes dropped EXE

Adds Run key to start application

Sets desktop wallpaper using registry

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Kills process with taskkill

Suspicious use of SetWindowsHookEx

Uses Volume Shadow Copy service COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-11 02:18

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-11 02:18

Reported

2024-11-11 02:21

Platform

win10v2004-20241007-en

Max time kernel

146s

Max time network

137s

Command Line

"C:\Users\Admin\AppData\Local\Temp\WannaCry.exe"

Signatures

Wannacry

ransomware worm wannacry

Wannacry family

wannacry

Deletes shadow copies

ransomware defense_evasion impact execution

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDB41B.tmp C:\Users\Admin\AppData\Local\Temp\WannaCry.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDB422.tmp C:\Users\Admin\AppData\Local\Temp\WannaCry.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\WannaCry.exe\" /r" C:\Users\Admin\AppData\Local\Temp\WannaCry.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp" C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\WannaCry.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3276 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Windows\SysWOW64\cmd.exe
PID 3276 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Windows\SysWOW64\cmd.exe
PID 3276 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Windows\SysWOW64\cmd.exe
PID 2552 wrote to memory of 1976 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2552 wrote to memory of 1976 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2552 wrote to memory of 1976 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 3276 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 3276 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 3276 wrote to memory of 4492 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 3276 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Windows\SysWOW64\taskkill.exe
PID 3276 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Windows\SysWOW64\taskkill.exe
PID 3276 wrote to memory of 2720 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Windows\SysWOW64\taskkill.exe
PID 3276 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Windows\SysWOW64\taskkill.exe
PID 3276 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Windows\SysWOW64\taskkill.exe
PID 3276 wrote to memory of 4568 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Windows\SysWOW64\taskkill.exe
PID 3276 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Windows\SysWOW64\taskkill.exe
PID 3276 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Windows\SysWOW64\taskkill.exe
PID 3276 wrote to memory of 2208 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Windows\SysWOW64\taskkill.exe
PID 3276 wrote to memory of 3332 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Windows\SysWOW64\taskkill.exe
PID 3276 wrote to memory of 3332 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Windows\SysWOW64\taskkill.exe
PID 3276 wrote to memory of 3332 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Windows\SysWOW64\taskkill.exe
PID 3276 wrote to memory of 3644 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 3276 wrote to memory of 3644 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 3276 wrote to memory of 3644 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 3276 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Windows\SysWOW64\cmd.exe
PID 3276 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Windows\SysWOW64\cmd.exe
PID 3276 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Windows\SysWOW64\cmd.exe
PID 1632 wrote to memory of 3036 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 1632 wrote to memory of 3036 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 1632 wrote to memory of 3036 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 3276 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 3276 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 3276 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 3036 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe C:\Windows\SysWOW64\cmd.exe
PID 3036 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe C:\Windows\SysWOW64\cmd.exe
PID 3036 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe C:\Windows\SysWOW64\cmd.exe
PID 2336 wrote to memory of 1988 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 2336 wrote to memory of 1988 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 2336 wrote to memory of 1988 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\WannaCry.exe

"C:\Users\Admin\AppData\Local\Temp\WannaCry.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 296361731291513.bat

C:\Windows\SysWOW64\cscript.exe

cscript //nologo c.vbs

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe

!WannaDecryptor!.exe f

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im MSExchange*

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im Microsoft.Exchange.*

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im sqlserver.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im sqlwriter.exe

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe

!WannaDecryptor!.exe c

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c start /b !WannaDecryptor!.exe v

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe

!WannaDecryptor!.exe v

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe

!WannaDecryptor!.exe

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe
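The process list above, read together with the parent/child pairs in the WriteProcessMemory table (behavioral2 shows the same chain under different PIDs), is what an EDR or Sysmon pipeline sees as process-creation and registry events. The script below is an added example, not sandbox or vendor code: it runs four detection rules over events constructed from this report's behavioral1 data, plus two constructed benign controls (a `vssadmin list shadows` and a OneDrive Run value) to show what must not fire. The ATT&CK technique IDs are standard references; the rule names, regular expressions, ancestor depth and the list of user-writable directories are this example's own choices. One caveat a practitioner would add: `vssadmin delete shadows` and `wmic shadowcopy delete` also appear in legitimate backup maintenance, so the T1490 rule is a triage signal to be weighed with the rest of the chain (the taskkill burst, the Run value in Temp, the script host under a Temp-resident parent), not a standalone verdict.

```python
"""Run four detection rules over process-creation and registry events for the
behaviours this report attributes to the sample: recovery inhibition (T1490),
service kill via taskkill (T1489), VBScript launched beneath a temp-resident
binary (T1059.005) and a Run value pointing into a user-writable path (T1547.001).
Added example: events are constructed from the report's behavioral1 process list,
WriteProcessMemory parent/child pairs and registry indicators (PPID 0 = unknown);
the rule content is this example's own, not a vendor rule set."""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class RegEvent:
    pid: int
    key: str
    value: str


TMP = r"C:\Users\Admin\AppData\Local\Temp"
W64 = r"C:\Windows\SysWOW64"
PROC_EVENTS = [
    ProcEvent(3276, 0, TMP + r"\WannaCry.exe", '"' + TMP + r'\WannaCry.exe"'),
    ProcEvent(2552, 3276, W64 + r"\cmd.exe", r"C:\Windows\system32\cmd.exe /c 296361731291513.bat"),
    ProcEvent(1976, 2552, W64 + r"\cscript.exe", "cscript //nologo c.vbs"),
    ProcEvent(2720, 3276, W64 + r"\taskkill.exe", "taskkill /f /im MSExchange*"),
    ProcEvent(4568, 3276, W64 + r"\taskkill.exe", "taskkill /f /im Microsoft.Exchange.*"),
    ProcEvent(2208, 3276, W64 + r"\taskkill.exe", "taskkill /f /im sqlserver.exe"),
    ProcEvent(3332, 3276, W64 + r"\taskkill.exe", "taskkill /f /im sqlwriter.exe"),
    ProcEvent(1632, 3276, W64 + r"\cmd.exe", "cmd.exe /c start /b !WannaDecryptor!.exe v"),
    ProcEvent(3036, 1632, TMP + r"\!WannaDecryptor!.exe", "!WannaDecryptor!.exe v"),
    ProcEvent(2336, 3036, W64 + r"\cmd.exe",
              "cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete"
              " & bcdedit /set {default} bootstatuspolicy ignoreallfailures"
              " & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet"),
    ProcEvent(1988, 2336, W64 + r"\Wbem\WMIC.exe", "wmic shadowcopy delete"),
    # constructed benign control: listing shadow copies must not fire T1490
    ProcEvent(5000, 4000, r"C:\Windows\System32\cmd.exe", "cmd.exe /c vssadmin list shadows"),
]
REG_EVENTS = [
    RegEvent(3276, r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run"
                   r"\Microsoft Update Task Scheduler", '"' + TMP + r'\WannaCry.exe" /r'),
    # constructed benign control: a Run value under Program Files must not fire T1547.001
    RegEvent(7000, r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
             r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'),
]

RECOVERY_INHIBIT = {
    "vssadmin delete shadows": r"vssadmin(\.exe)?\s+delete\s+shadows",
    "wmic shadowcopy delete": r"wmic(\.exe)?\s+shadowcopy\s+delete",
    "bcdedit recoveryenabled no": r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no",
    "bcdedit ignoreallfailures": r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures",
    "wbadmin delete catalog": r"wbadmin(\.exe)?\s+delete\s+catalog",
}
KILL_MAIL_OR_DB = re.compile(r"taskkill(\.exe)?\s+/f\s+/im\s+(msexchange|microsoft\.exchange|sql)", re.I)
USER_WRITABLE = re.compile(r"\\(appdata\\local\\temp|appdata\\roaming|users\\public|windows\\temp)\\", re.I)
RUN_KEY = re.compile(r"\\currentversion\\run\\", re.I)
SCRIPT_HOSTS = ("cscript.exe", "wscript.exe")


def ancestor_in_user_writable(ev, by_pid, max_depth=4):
    """True if an ancestor (up to max_depth) runs from a user-writable directory."""
    cur, seen = ev, set()
    for _ in range(max_depth):
        cur = by_pid.get(cur.ppid)
        if cur is None or cur.pid in seen:
            return False
        seen.add(cur.pid)
        if USER_WRITABLE.search(cur.image):
            return True
    return False


def triage(proc_events, reg_events):
    """Return (technique, pid, evidence) tuples, one per rule that fires per event."""
    by_pid = {e.pid: e for e in proc_events}
    hits = []
    for e in proc_events:
        matched = [n for n, p in RECOVERY_INHIBIT.items() if re.search(p, e.cmdline, re.I)]
        if matched:
            hits.append(("T1490", e.pid, "; ".join(matched)))
        if KILL_MAIL_OR_DB.search(e.cmdline):
            hits.append(("T1489", e.pid, e.cmdline))
        if e.image.lower().endswith(SCRIPT_HOSTS) and ancestor_in_user_writable(e, by_pid):
            hits.append(("T1059.005" if ".vbs" in e.cmdline.lower() else "T1059", e.pid, e.cmdline))
    for r in reg_events:
        if RUN_KEY.search(r.key) and USER_WRITABLE.search(r.value):
            hits.append(("T1547.001", r.pid, r.key.rsplit("\\", 1)[-1] + " = " + r.value))
    return hits


def count_by_technique(hits):
    return dict(Counter(t for t, _, _ in hits))
```

Calling `triage(PROC_EVENTS, REG_EVENTS)` on the constructed chain yields two T1490 hits (the combined cmd line, with all five patterns, and the WMIC child), four T1489 hits, one T1059.005 hit for cscript under the Temp-resident parent and one T1547.001 hit for the WOW6432Node Run value; neither control event fires.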

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
N/A 127.0.0.1:9050 N/A tcp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
N/A 127.0.0.1:9150 N/A tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
N/A 127.0.0.1:9050 N/A tcp
N/A 127.0.0.1:9150 N/A tcp
N/A 127.0.0.1:9050 N/A tcp
N/A 127.0.0.1:9150 N/A tcp
N/A 127.0.0.1:9050 N/A tcp
N/A 127.0.0.1:9150 N/A tcp
N/A 127.0.0.1:9050 N/A tcp
N/A 127.0.0.1:9150 N/A tcp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
N/A 127.0.0.1:9050 N/A tcp
N/A 127.0.0.1:9150 N/A tcp
N/A 127.0.0.1:9050 N/A tcp
N/A 127.0.0.1:9150 N/A tcp
US 8.8.8.8:53 73.209.201.84.in-addr.arpa udp
N/A 127.0.0.1:9050 N/A tcp
N/A 127.0.0.1:9150 N/A tcp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
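Two kinds of traffic are mixed in the Network table above. The tcp rows are connection attempts to 127.0.0.1 on ports 9050 and 9150, the default SOCKS ports of a Tor daemon and of Tor Browser respectively; the sample alternates between the two repeatedly, which is consistent with retrying a local proxy. The udp rows are PTR queries to 8.8.8.8 whose in-addr.arpa names encode, octet-reversed, the addresses being resolved. In a sandbox, reverse lookups of public addresses are frequently background OS traffic rather than sample activity, so they should be attributed before being treated as indicators. The script below is an added example, not part of the report: it parses the rows in the flattened form printed in this report (three fields where the Domain column is empty or N/A, four otherwise), classifies each one, and converts every PTR name back to the IPv4 address it asked about. The class labels are this example's own vocabulary.

```python
"""Parse the flattened Network table of a behavioral run, classify each row and
recover the IPv4 address behind every in-addr.arpa PTR query.
Added example; NETWORK_ROWS is the behavioral1 table copied from the report and
the labels returned by classify() are this example's own vocabulary."""
import ipaddress
from collections import Counter

TOR_SOCKS_PORTS = {9050, 9150}  # default SOCKS ports of a Tor daemon and of Tor Browser

NETWORK_ROWS = """\
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
N/A 127.0.0.1:9050 tcp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
N/A 127.0.0.1:9150 tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
N/A 127.0.0.1:9050 tcp
N/A 127.0.0.1:9150 tcp
N/A 127.0.0.1:9050 tcp
N/A 127.0.0.1:9150 tcp
N/A 127.0.0.1:9050 tcp
N/A 127.0.0.1:9150 tcp
N/A 127.0.0.1:9050 tcp
N/A 127.0.0.1:9150 tcp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
N/A 127.0.0.1:9050 tcp
N/A 127.0.0.1:9150 tcp
N/A 127.0.0.1:9050 tcp
N/A 127.0.0.1:9150 tcp
US 8.8.8.8:53 73.209.201.84.in-addr.arpa udp
N/A 127.0.0.1:9050 tcp
N/A 127.0.0.1:9150 tcp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
"""


def ptr_to_ip(name):
    """'58.55.71.13.in-addr.arpa' -> '13.71.55.58'; None if not a well-formed IPv4 PTR name."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None


def parse_row(line):
    """Rows carry 4 fields, or 3 when the Domain column is empty (raw TCP connects); N/A also means empty."""
    parts = line.split()
    if len(parts) == 4:
        country, dest, domain, proto = parts
    elif len(parts) == 3:
        country, dest, proto = parts
        domain = None
    else:
        raise ValueError(f"unexpected row: {line!r}")
    host, port = dest.rsplit(":", 1)
    return {"country": country, "host": host, "port": int(port),
            "domain": None if domain == "N/A" else domain, "proto": proto.lower()}


def classify(row):
    """Local Tor SOCKS attempt (T1090.003 candidate), PTR query, other DNS query, or other."""
    if row["host"] == "127.0.0.1" and row["port"] in TOR_SOCKS_PORTS:
        return "tor-socks-local"
    if row["proto"] == "udp" and row["port"] == 53 and row["domain"]:
        return "ptr-lookup" if ptr_to_ip(row["domain"]) else "dns-lookup"
    return "other"


def summarize(text):
    """Counts per class, Tor attempts per port, and the sorted set of addresses queried via PTR."""
    rows = [parse_row(line) for line in text.splitlines() if line.strip()]
    kinds = [classify(r) for r in rows]
    tor_ports = Counter(r["port"] for r, k in zip(rows, kinds) if k == "tor-socks-local")
    targets = {ptr_to_ip(r["domain"]) for r, k in zip(rows, kinds) if k == "ptr-lookup"}
    return {"rows": len(rows), "kinds": dict(Counter(kinds)), "tor_ports": dict(tor_ports),
            "ptr_targets": sorted(targets, key=ipaddress.IPv4Address)}


if __name__ == "__main__":
    print(summarize(NETWORK_ROWS))
```

On the behavioral1 table this gives 25 rows: 16 local Tor SOCKS attempts (8 per port) and 9 PTR queries for 9 distinct addresses. The behavioral2 table parses the same way and additionally contains one forward lookup (`fd.api.iris.microsoft.com`), which classify() reports as `dns-lookup`; the PTR targets themselves are left for the analyst to attribute.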

Files

memory/3276-7-0x0000000010000000-0x0000000010012000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\u.wry

MD5 cf1416074cd7791ab80a18f9e7e219d9
SHA1 276d2ec82c518d887a8a3608e51c56fa28716ded
SHA256 78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df
SHA512 0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

C:\Users\Admin\AppData\Local\Temp\296361731291513.bat

MD5 3540e056349c6972905dc9706cd49418
SHA1 492c20442d34d45a6d6790c720349b11ec591cde
SHA256 73872a89440a2cba9d22bf4961c3d499ea2c72979c30c455f942374292fedadc
SHA512 c949d147100aef59e382c03abf7b162ae62a4d43456eebd730fbedcf5f95f5e1a24f6e349690d52d75331878a6ee8f6b88a7162ee9cf2a49e142196b12d0133c

C:\Users\Admin\AppData\Local\Temp\c.vbs

MD5 5f6d40ca3c34b470113ed04d06a88ff4
SHA1 50629e7211ae43e32060686d6be17ebd492fd7aa
SHA256 0fb5039a2fe7e90cdf3f22140d7f2103f94689b15609efe0edcc8430dd772fc1
SHA512 4d4aa1abd2c9183202fd3f0a65b37f07ee0166ba6561f094c13c8ea59752c7bdd960e37c49583746d4464bc3b1dc0b63a1fe36a37ce7e5709cd76ed433befe35

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe.lnk

MD5 36d8ecde5bbdef1cbf46437af67154aa
SHA1 2c59131459020d78d46f39dec7d2c3831c40c778
SHA256 0d038d43417ec247c314112eb0beac8a1d42e403f417dd3e64c1b8eefdd9b777
SHA512 1aba1246ad0748dc7bbaa0ef967a99fabeb20c71278446f440262312accf29691a2d1987fd71db1460738065cc2008a63011862aa9d0d403e4cc8806abbc1056

C:\Users\Admin\AppData\Local\Temp\00000000.res

MD5 a5841f659e66038cc562c02943750b9b
SHA1 9a2c31f5e8895662b5f6903f49a6870a14404051
SHA256 db7e5dc532e40607a9b625340d12aeeff3bd46e3520eb35ab96295b5de46f5d5
SHA512 3c54a37f5fcb38eebb15b347edde7af4f68c3feba7a2fdf449e5ea2119432f332b195d47380abbae13cda595b1c337ac001dc16e8049392c9fe2c24779429651

C:\Users\Admin\AppData\Local\Temp\c.wry

MD5 5030a1ba48977e4188bcb016a95fceae
SHA1 9393e77808495ca6ff9db47159857384fe40e808
SHA256 05ef87863d6dc286742af3a6b0e910c9e8b3dd914920e50317c08d12246f2217
SHA512 f8bcbfc5c74dce5b38ef96605a4fdcbebfdc035481dbfec64e58bd5c1caa55f739a705d119c380c83176ea09affb1f44d71108b38039cfbf39718b59a78ad9bc

C:\Users\Admin\AppData\Local\Temp\!Please Read Me!.txt

MD5 afa18cf4aa2660392111763fb93a8c3d
SHA1 c219a3654a5f41ce535a09f2a188a464c3f5baf5
SHA256 227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0
SHA512 4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b

C:\Users\Admin\AppData\Local\Temp\00000000.res

MD5 0c243e0d26aae630d0dadaff456b556c
SHA1 691ed2ce5075d99bd3ce132bf3c8029018aed808
SHA256 9707e4af48c4ce780d4466163d94bf52850d54268444d1ffa0000646b98cb442
SHA512 c0c1067ea1735e701b41c3b79e4427876e96634aded8ad250ccf2d5c27b126b94239e2f8552e4acce6d92cdc9b020df873b0e28c153772ff619114449a9a07f2

C:\Users\Admin\AppData\Local\Temp\m.wry

MD5 980b08bac152aff3f9b0136b616affa5
SHA1 2a9c9601ea038f790cc29379c79407356a3d25a3
SHA256 402046ada270528c9ac38bbfa0152836fe30fb8e12192354e53b8397421430d9
SHA512 100cda1f795781042b012498afd783fd6ff03b0068dbd07b2c2e163cd95e6c6e00755ce16b02b017693c9febc149ed02df9df9b607e2b9cca4b07e5bd420f496

C:\Users\Admin\AppData\Local\Temp\00000000.res

MD5 29d45e1648c69cc5b6b80a8c59ddc07d
SHA1 3323909c4cd15e8c8b238c5cd9f91223adc474d7
SHA256 87f02b455fa58589b331f92ee2ace6d4254a7decfcef225cd9e8110de87e9a55
SHA512 fd875a59a1ee1c9afa0d6bae578e673027ed300bba7782f4b5e84071210b513536bc34737be0b5e5312bce7fb6e5023b4faa0ff640a4bd91c4f2140c85362474
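Read per run, the file listings hide two facts that matter for indicator handling: `u.wry` here and `!WannaDecryptor!.exe` in the behavioral2 listing later in the report carry identical hashes, as do the two batch files whose names differ only in their timestamp-like prefix, while the three `00000000.res` entries share a name but not a hash. Hash indicators should therefore be kept file-name agnostic, and a name such as `00000000.res` should not be treated as a stable indicator on its own. The script below is an added example, not report tooling: it parses entries in the format printed above, groups them by SHA256 across both runs, reports aliases and unstable names, and includes a helper for checking local files against the resulting hash set. Only the path and SHA256 line of each entry is embedded; the behavioral2 listing is cut off in the report after its `.lnk` path, so that entry is left out.

```python
"""Parse the Files entries of both behavioral runs, group dropped files by SHA256
and separate hash-stable indicators from name-only ones. Added example;
FILES_EXCERPT keeps only the path and SHA256 line of each entry (the report also
prints MD5, SHA1 and SHA512 lines, which the parser accepts) and omits the
behavioral2 .lnk entry, which is cut off in the report."""
import hashlib
from collections import defaultdict

HASH_LABELS = ("MD5", "SHA1", "SHA256", "SHA512")
T = r"C:\Users\Admin\AppData\Local\Temp"
FILES_EXCERPT = {
    "behavioral1": rf"""
{T}\u.wry
SHA256 78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df
{T}\296361731291513.bat
SHA256 73872a89440a2cba9d22bf4961c3d499ea2c72979c30c455f942374292fedadc
{T}\c.vbs
SHA256 0fb5039a2fe7e90cdf3f22140d7f2103f94689b15609efe0edcc8430dd772fc1
{T}\!WannaDecryptor!.exe.lnk
SHA256 0d038d43417ec247c314112eb0beac8a1d42e403f417dd3e64c1b8eefdd9b777
{T}\00000000.res
SHA256 db7e5dc532e40607a9b625340d12aeeff3bd46e3520eb35ab96295b5de46f5d5
{T}\c.wry
SHA256 05ef87863d6dc286742af3a6b0e910c9e8b3dd914920e50317c08d12246f2217
{T}\!Please Read Me!.txt
SHA256 227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0
{T}\00000000.res
SHA256 9707e4af48c4ce780d4466163d94bf52850d54268444d1ffa0000646b98cb442
{T}\m.wry
SHA256 402046ada270528c9ac38bbfa0152836fe30fb8e12192354e53b8397421430d9
{T}\00000000.res
SHA256 87f02b455fa58589b331f92ee2ace6d4254a7decfcef225cd9e8110de87e9a55
""",
    "behavioral2": rf"""
{T}\292871731291513.bat
SHA256 73872a89440a2cba9d22bf4961c3d499ea2c72979c30c455f942374292fedadc
{T}\c.vbs
SHA256 0fb5039a2fe7e90cdf3f22140d7f2103f94689b15609efe0edcc8430dd772fc1
{T}\!WannaDecryptor!.exe
SHA256 78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df
""",
}


def parse_files(text, run):
    """A non-blank line that does not start with a hash label begins a new entry."""
    entries, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        label, _, value = line.partition(" ")
        if label in HASH_LABELS and cur is not None:
            cur[label] = value.lower()
        else:
            cur = {"run": run, "path": line, "name": line.rsplit("\\", 1)[-1]}
            entries.append(cur)
    return entries


def all_entries():
    return [e for run, text in FILES_EXCERPT.items() for e in parse_files(text, run)]


def by_sha256(entries):
    """sha256 -> [(run, file name), ...]; the hash is the name-agnostic indicator."""
    groups = defaultdict(list)
    for e in entries:
        if "SHA256" in e:
            groups[e["SHA256"]].append((e["run"], e["name"]))
    return dict(groups)


def aliases(entries):
    """Hashes seen under more than one file name."""
    out = {}
    for digest, seen in by_sha256(entries).items():
        names = sorted({n for _, n in seen})
        if len(names) > 1:
            out[digest] = names
    return out


def unstable_names(entries):
    """File names seen with more than one hash: the name alone is a weak indicator."""
    digests = defaultdict(set)
    for e in entries:
        if "SHA256" in e:
            digests[e["name"]].add(e["SHA256"])
    return {n: len(d) for n, d in digests.items() if len(d) > 1}


def match_local(paths, entries):
    """{local path: [(run, name), ...]} for local files whose SHA256 appears in the report."""
    known, hits = by_sha256(entries), {}
    for p in paths:
        h = hashlib.sha256()
        with open(p, "rb") as f:
            for block in iter(lambda: f.read(1 << 20), b""):
                h.update(block)
        if h.hexdigest() in known:
            hits[p] = known[h.hexdigest()]
    return hits
```

`all_entries()` yields 13 entries but only 10 distinct SHA256 values; `aliases()` returns the two hashes shared across names (decryptor binary and batch file) and `unstable_names()` flags `00000000.res` as seen with three different hashes. `match_local()` hashes files on disk in 1 MiB chunks and looks them up by digest, so a renamed copy of the dropper is still matched.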

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-11 02:18

Reported

2024-11-11 02:21

Platform

win10ltsc2021-20241023-en

Max time kernel

145s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\WannaCry.exe"

Signatures

Wannacry

ransomware worm wannacry

Wannacry family

wannacry

Deletes shadow copies

ransomware defense_evasion impact execution

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD8BB8.tmp C:\Users\Admin\AppData\Local\Temp\WannaCry.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD8BDE.tmp C:\Users\Admin\AppData\Local\Temp\WannaCry.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\WannaCry.exe\" /r" C:\Users\Admin\AppData\Local\Temp\WannaCry.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp" C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cscript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\taskkill.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\WannaCry.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3896 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Windows\SysWOW64\cmd.exe
PID 3896 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Windows\SysWOW64\cmd.exe
PID 3896 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Windows\SysWOW64\cmd.exe
PID 2312 wrote to memory of 220 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2312 wrote to memory of 220 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2312 wrote to memory of 220 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 3896 wrote to memory of 4188 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 3896 wrote to memory of 4188 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 3896 wrote to memory of 4188 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 3896 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Windows\SysWOW64\taskkill.exe
PID 3896 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Windows\SysWOW64\taskkill.exe
PID 3896 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Windows\SysWOW64\taskkill.exe
PID 3896 wrote to memory of 4620 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Windows\SysWOW64\taskkill.exe
PID 3896 wrote to memory of 4620 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Windows\SysWOW64\taskkill.exe
PID 3896 wrote to memory of 4620 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Windows\SysWOW64\taskkill.exe
PID 3896 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Windows\SysWOW64\taskkill.exe
PID 3896 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Windows\SysWOW64\taskkill.exe
PID 3896 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Windows\SysWOW64\taskkill.exe
PID 3896 wrote to memory of 3300 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Windows\SysWOW64\taskkill.exe
PID 3896 wrote to memory of 3300 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Windows\SysWOW64\taskkill.exe
PID 3896 wrote to memory of 3300 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Windows\SysWOW64\taskkill.exe
PID 3896 wrote to memory of 3724 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 3896 wrote to memory of 3724 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 3896 wrote to memory of 3724 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 3896 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Windows\SysWOW64\cmd.exe
PID 3896 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Windows\SysWOW64\cmd.exe
PID 3896 wrote to memory of 3088 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Windows\SysWOW64\cmd.exe
PID 3088 wrote to memory of 3860 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 3088 wrote to memory of 3860 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 3088 wrote to memory of 3860 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 3896 wrote to memory of 3660 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 3896 wrote to memory of 3660 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 3896 wrote to memory of 3660 N/A C:\Users\Admin\AppData\Local\Temp\WannaCry.exe C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
PID 3860 wrote to memory of 4348 N/A C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe C:\Windows\SysWOW64\cmd.exe
PID 3860 wrote to memory of 4348 N/A C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe C:\Windows\SysWOW64\cmd.exe
PID 3860 wrote to memory of 4348 N/A C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe C:\Windows\SysWOW64\cmd.exe
PID 4348 wrote to memory of 3848 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 4348 wrote to memory of 3848 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 4348 wrote to memory of 3848 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\WannaCry.exe

"C:\Users\Admin\AppData\Local\Temp\WannaCry.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 292871731291513.bat

C:\Windows\SysWOW64\cscript.exe

cscript //nologo c.vbs

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe

!WannaDecryptor!.exe f

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im MSExchange*

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im Microsoft.Exchange.*

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im sqlserver.exe

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im sqlwriter.exe

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe

!WannaDecryptor!.exe c

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c start /b !WannaDecryptor!.exe v

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe

!WannaDecryptor!.exe v

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe

!WannaDecryptor!.exe

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
N/A 127.0.0.1:9050 tcp
N/A 127.0.0.1:9150 tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
N/A 127.0.0.1:9050 tcp
N/A 127.0.0.1:9150 tcp
N/A 127.0.0.1:9050 tcp
N/A 127.0.0.1:9150 tcp
N/A 127.0.0.1:9050 tcp
N/A 127.0.0.1:9150 tcp
N/A 127.0.0.1:9050 tcp
N/A 127.0.0.1:9150 tcp
US 8.8.8.8:53 fd.api.iris.microsoft.com udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
N/A 127.0.0.1:9050 tcp
N/A 127.0.0.1:9150 tcp
N/A 127.0.0.1:9050 tcp
N/A 127.0.0.1:9150 tcp
N/A 127.0.0.1:9050 tcp
N/A 127.0.0.1:9150 tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

memory/3896-6-0x0000000010000000-0x0000000010012000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\292871731291513.bat

MD5 3540e056349c6972905dc9706cd49418
SHA1 492c20442d34d45a6d6790c720349b11ec591cde
SHA256 73872a89440a2cba9d22bf4961c3d499ea2c72979c30c455f942374292fedadc
SHA512 c949d147100aef59e382c03abf7b162ae62a4d43456eebd730fbedcf5f95f5e1a24f6e349690d52d75331878a6ee8f6b88a7162ee9cf2a49e142196b12d0133c

C:\Users\Admin\AppData\Local\Temp\c.vbs

MD5 5f6d40ca3c34b470113ed04d06a88ff4
SHA1 50629e7211ae43e32060686d6be17ebd492fd7aa
SHA256 0fb5039a2fe7e90cdf3f22140d7f2103f94689b15609efe0edcc8430dd772fc1
SHA512 4d4aa1abd2c9183202fd3f0a65b37f07ee0166ba6561f094c13c8ea59752c7bdd960e37c49583746d4464bc3b1dc0b63a1fe36a37ce7e5709cd76ed433befe35

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe

MD5 cf1416074cd7791ab80a18f9e7e219d9
SHA1 276d2ec82c518d887a8a3608e51c56fa28716ded
SHA256 78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df
SHA512 0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe.lnk

MD5 d13c3cbb74cb3ee4a9ea9525b2f668d6
SHA1 08c45c7bda089b665e11d8219ba38cee622fbe84
SHA256 56c6b524083a3f453b4bdf7d2f6f986ed97b7da5132145465293b5455e6a1543
SHA512 7b0c3ed114bf67568ab1ef30a9f354a055a2f9089fcf497f6d18ac00914942fca2c4a74e4454ca0507c714f959cacd5d1d5598f6b6e1539a088823bc2c244637

C:\Users\Admin\AppData\Local\Temp\00000000.res

MD5 765553afeecf908386759d3aa1f6c027
SHA1 210dec2e62acf157566b4ea31e431d8574b44fe7
SHA256 be0a08cd76b90c8f10a0604cf8c647ed45eff423a3f1b5aefdfd1a52404184bb
SHA512 65741defe8ce8addbbee43a508e3bc2c81c9f47951c88d2436a349a4b3be96ffa6342b86b955615bd056f5081d708dc796cadac6ecea6aaf031803507e66f3a5

C:\Users\Admin\AppData\Local\Temp\c.wry

MD5 5030a1ba48977e4188bcb016a95fceae
SHA1 9393e77808495ca6ff9db47159857384fe40e808
SHA256 05ef87863d6dc286742af3a6b0e910c9e8b3dd914920e50317c08d12246f2217
SHA512 f8bcbfc5c74dce5b38ef96605a4fdcbebfdc035481dbfec64e58bd5c1caa55f739a705d119c380c83176ea09affb1f44d71108b38039cfbf39718b59a78ad9bc

C:\Users\Admin\AppData\Local\Temp\!Please Read Me!.txt

MD5 afa18cf4aa2660392111763fb93a8c3d
SHA1 c219a3654a5f41ce535a09f2a188a464c3f5baf5
SHA256 227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0
SHA512 4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b

C:\Users\Admin\AppData\Local\Temp\00000000.res

MD5 fc8c66f6482ece28b265b4ca9b0ef048
SHA1 74450b61fec35efaf8d662295112c2806f578485
SHA256 74c6477c7d52923f7d6f39396d5e295d570c1332f46fc55149827b32a164efd2
SHA512 ba882d046e848652ff52de7eedbc1c8c25fda3791f0c5ff19a2663ab4696ac81140a3f418c3bdb5c295c52353274397ee4961372acf7ff76c620de27113a948a

C:\Users\Admin\AppData\Local\Temp\m.wry

MD5 980b08bac152aff3f9b0136b616affa5
SHA1 2a9c9601ea038f790cc29379c79407356a3d25a3
SHA256 402046ada270528c9ac38bbfa0152836fe30fb8e12192354e53b8397421430d9
SHA512 100cda1f795781042b012498afd783fd6ff03b0068dbd07b2c2e163cd95e6c6e00755ce16b02b017693c9febc149ed02df9df9b607e2b9cca4b07e5bd420f496

C:\Users\Admin\AppData\Local\Temp\00000000.res

MD5 9dcd25b5c23de1309851ccb6a502f7cd
SHA1 14ee694b45f2393fc87689e3ca04f82227140350
SHA256 85b0eae1d3fb48d4b744186b71ff0595b82c045f636b9132a71cefd49ab199f6
SHA512 c4637048da891e3f286acdc1b8a3cf33a3305349926113da6a63cf8beb8349a64b10834abe23e9c10a8a4019bab794f1e608c5690174d1e3893d1893c2dc665b