wannacry | be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14-12-2024 20:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WannaCry.exe
Size

224KB
MD5

5c7fb0927db37372da25f270708103a2
SHA1

120ed9279d85cbfa56e5b7779ffa7162074f7a29
SHA256

be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844
SHA512

a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f89224c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206
SSDEEP

3072:Y059femWRwTs/dbelj0X8/j84pcRXPlU3Upt3or4H84lK8PtpLzLsR/EfcZ:+5RwTs/dSXj84mRXPemxdBlPvLzLeZ

Score

10^/10

wannacry defense_evasion discovery execution impact persistence ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\!Please Read Me!.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions! �

Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Wannacry family
wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD9205.tmp	WannaCry.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD921C.tmp	WannaCry.exe

Executes dropped EXE 4 IoCs

pid	Process
1616	!WannaDecryptor!.exe
3756	!WannaDecryptor!.exe
4752	!WannaDecryptor!.exe
4868	!WannaDecryptor!.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\WannaCry.exe\" /r"	WannaCry.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp"	!WannaDecryptor!.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
1528	taskkill.exe
1560	taskkill.exe
4872	taskkill.exe
1784	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 33 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2142517858"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2142517858"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0e25682644edb01	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31149668"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{AB3FC9C2-BA57-11EF-9361-D2BD7E71DA05} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ab44cbc7ac5e824ba8748f8001f100a100000000020000000000106600000001000020000000005970981141eee18ce653b3d79cab1f06ab668b96e9a14f44cefc43c9226101000000000e8000000002000020000000153dad53b67bbf02f6757d5fd9417b2eaaa0c92c3c357f85c66f3c797ef2ad8520000000a2f82b93a93cb6a231559fdf0630255f2dc068033d8969f39dd526607a1cb72f400000004898c79712770b5957dcf4816e7a47298c3f88838322e2081edb84eb4bcc1403202cf5774743a2d22b4c885e6131c9411ee7c995761bb8c75d5673d943d0b6a1	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31149668"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ab44cbc7ac5e824ba8748f8001f100a10000000002000000000010660000000100002000000025a9ca2906fcc59804226a2d0e1e11d20f7d450556e8f74a77ffc144a1a82344000000000e80000000020000200000003595f55b234395b16c55ffb0204fcb05fdd7c7ee02b0d0993b8f00d17289aec1200000008de2c7e47b23bae4ed26b1281d506a0065db0e6d70925a256a50995851ce55ba400000002fc02c42f959116f52c97270e43290cca7f6efc263e260cb6dbc3d08a99c626e1a1d0f9a782d98e51e3f9b4fac76114a1266dd7bcfb322e0628abab69217ec0c	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00285282644edb01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133786807317998238"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4868	!WannaDecryptor!.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3976	chrome.exe
3976	chrome.exe
3976	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1560	taskkill.exe
Token: SeDebugPrivilege	1784	taskkill.exe
Token: SeDebugPrivilege	1528	taskkill.exe
Token: SeDebugPrivilege	4872	taskkill.exe
Token: SeDebugPrivilege	2932	taskmgr.exe
Token: SeSystemProfilePrivilege	2932	taskmgr.exe
Token: SeCreateGlobalPrivilege	2932	taskmgr.exe
Token: SeIncreaseQuotaPrivilege	956	WMIC.exe
Token: SeSecurityPrivilege	956	WMIC.exe
Token: SeTakeOwnershipPrivilege	956	WMIC.exe
Token: SeLoadDriverPrivilege	956	WMIC.exe
Token: SeSystemProfilePrivilege	956	WMIC.exe
Token: SeSystemtimePrivilege	956	WMIC.exe
Token: SeProfSingleProcessPrivilege	956	WMIC.exe
Token: SeIncBasePriorityPrivilege	956	WMIC.exe
Token: SeCreatePagefilePrivilege	956	WMIC.exe
Token: SeBackupPrivilege	956	WMIC.exe
Token: SeRestorePrivilege	956	WMIC.exe
Token: SeShutdownPrivilege	956	WMIC.exe
Token: SeDebugPrivilege	956	WMIC.exe
Token: SeSystemEnvironmentPrivilege	956	WMIC.exe
Token: SeRemoteShutdownPrivilege	956	WMIC.exe
Token: SeUndockPrivilege	956	WMIC.exe
Token: SeManageVolumePrivilege	956	WMIC.exe
Token: 33	956	WMIC.exe
Token: 34	956	WMIC.exe
Token: 35	956	WMIC.exe
Token: 36	956	WMIC.exe
Token: SeIncreaseQuotaPrivilege	956	WMIC.exe
Token: SeSecurityPrivilege	956	WMIC.exe
Token: SeTakeOwnershipPrivilege	956	WMIC.exe
Token: SeLoadDriverPrivilege	956	WMIC.exe
Token: SeSystemProfilePrivilege	956	WMIC.exe
Token: SeSystemtimePrivilege	956	WMIC.exe
Token: SeProfSingleProcessPrivilege	956	WMIC.exe
Token: SeIncBasePriorityPrivilege	956	WMIC.exe
Token: SeCreatePagefilePrivilege	956	WMIC.exe
Token: SeBackupPrivilege	956	WMIC.exe
Token: SeRestorePrivilege	956	WMIC.exe
Token: SeShutdownPrivilege	956	WMIC.exe
Token: SeDebugPrivilege	956	WMIC.exe
Token: SeSystemEnvironmentPrivilege	956	WMIC.exe
Token: SeRemoteShutdownPrivilege	956	WMIC.exe
Token: SeUndockPrivilege	956	WMIC.exe
Token: SeManageVolumePrivilege	956	WMIC.exe
Token: 33	956	WMIC.exe
Token: 34	956	WMIC.exe
Token: 35	956	WMIC.exe
Token: 36	956	WMIC.exe
Token: SeBackupPrivilege	5112	vssvc.exe
Token: SeRestorePrivilege	5112	vssvc.exe
Token: SeAuditPrivilege	5112	vssvc.exe
Token: 33	2932	taskmgr.exe
Token: SeIncBasePriorityPrivilege	2932	taskmgr.exe
Token: SeShutdownPrivilege	3976	chrome.exe
Token: SeCreatePagefilePrivilege	3976	chrome.exe
Token: SeShutdownPrivilege	3976	chrome.exe
Token: SeCreatePagefilePrivilege	3976	chrome.exe
Token: SeShutdownPrivilege	3976	chrome.exe
Token: SeCreatePagefilePrivilege	3976	chrome.exe
Token: SeShutdownPrivilege	3976	chrome.exe
Token: SeCreatePagefilePrivilege	3976	chrome.exe
Token: SeShutdownPrivilege	3976	chrome.exe
Token: SeCreatePagefilePrivilege	3976	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe
2932	taskmgr.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
1616	!WannaDecryptor!.exe
1616	!WannaDecryptor!.exe
3756	!WannaDecryptor!.exe
3756	!WannaDecryptor!.exe
4752	!WannaDecryptor!.exe
4752	!WannaDecryptor!.exe
4868	!WannaDecryptor!.exe
4868	!WannaDecryptor!.exe
4588	OpenWith.exe
4316	iexplore.exe
4316	iexplore.exe
3952	IEXPLORE.EXE
3952	IEXPLORE.EXE
3952	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3380 wrote to memory of 2272	3380	WannaCry.exe	83
PID 3380 wrote to memory of 2272	3380	WannaCry.exe	83
PID 3380 wrote to memory of 2272	3380	WannaCry.exe	83
PID 2272 wrote to memory of 5116	2272	cmd.exe	85
PID 2272 wrote to memory of 5116	2272	cmd.exe	85
PID 2272 wrote to memory of 5116	2272	cmd.exe	85
PID 3380 wrote to memory of 1616	3380	WannaCry.exe	86
PID 3380 wrote to memory of 1616	3380	WannaCry.exe	86
PID 3380 wrote to memory of 1616	3380	WannaCry.exe	86
PID 3380 wrote to memory of 1528	3380	WannaCry.exe	88
PID 3380 wrote to memory of 1528	3380	WannaCry.exe	88
PID 3380 wrote to memory of 1528	3380	WannaCry.exe	88
PID 3380 wrote to memory of 1784	3380	WannaCry.exe	89
PID 3380 wrote to memory of 1784	3380	WannaCry.exe	89
PID 3380 wrote to memory of 1784	3380	WannaCry.exe	89
PID 3380 wrote to memory of 4872	3380	WannaCry.exe	90
PID 3380 wrote to memory of 4872	3380	WannaCry.exe	90
PID 3380 wrote to memory of 4872	3380	WannaCry.exe	90
PID 3380 wrote to memory of 1560	3380	WannaCry.exe	91
PID 3380 wrote to memory of 1560	3380	WannaCry.exe	91
PID 3380 wrote to memory of 1560	3380	WannaCry.exe	91
PID 3380 wrote to memory of 3756	3380	WannaCry.exe	101
PID 3380 wrote to memory of 3756	3380	WannaCry.exe	101
PID 3380 wrote to memory of 3756	3380	WannaCry.exe	101
PID 3380 wrote to memory of 3236	3380	WannaCry.exe	102
PID 3380 wrote to memory of 3236	3380	WannaCry.exe	102
PID 3380 wrote to memory of 3236	3380	WannaCry.exe	102
PID 3236 wrote to memory of 4752	3236	cmd.exe	104
PID 3236 wrote to memory of 4752	3236	cmd.exe	104
PID 3236 wrote to memory of 4752	3236	cmd.exe	104
PID 3380 wrote to memory of 4868	3380	WannaCry.exe	108
PID 3380 wrote to memory of 4868	3380	WannaCry.exe	108
PID 3380 wrote to memory of 4868	3380	WannaCry.exe	108
PID 4752 wrote to memory of 400	4752	!WannaDecryptor!.exe	110
PID 4752 wrote to memory of 400	4752	!WannaDecryptor!.exe	110
PID 4752 wrote to memory of 400	4752	!WannaDecryptor!.exe	110
PID 400 wrote to memory of 956	400	cmd.exe	112
PID 400 wrote to memory of 956	400	cmd.exe	112
PID 400 wrote to memory of 956	400	cmd.exe	112
PID 4316 wrote to memory of 3952	4316	iexplore.exe	120
PID 4316 wrote to memory of 3952	4316	iexplore.exe	120
PID 4316 wrote to memory of 3952	4316	iexplore.exe	120
PID 3976 wrote to memory of 2972	3976	chrome.exe	122
PID 3976 wrote to memory of 2972	3976	chrome.exe	122
PID 3976 wrote to memory of 2796	3976	chrome.exe	123
PID 3976 wrote to memory of 2796	3976	chrome.exe	123
PID 3976 wrote to memory of 2796	3976	chrome.exe	123
PID 3976 wrote to memory of 2796	3976	chrome.exe	123
PID 3976 wrote to memory of 2796	3976	chrome.exe	123
PID 3976 wrote to memory of 2796	3976	chrome.exe	123
PID 3976 wrote to memory of 2796	3976	chrome.exe	123
PID 3976 wrote to memory of 2796	3976	chrome.exe	123
PID 3976 wrote to memory of 2796	3976	chrome.exe	123
PID 3976 wrote to memory of 2796	3976	chrome.exe	123
PID 3976 wrote to memory of 2796	3976	chrome.exe	123
PID 3976 wrote to memory of 2796	3976	chrome.exe	123
PID 3976 wrote to memory of 2796	3976	chrome.exe	123
PID 3976 wrote to memory of 2796	3976	chrome.exe	123
PID 3976 wrote to memory of 2796	3976	chrome.exe	123
PID 3976 wrote to memory of 2796	3976	chrome.exe	123
PID 3976 wrote to memory of 2796	3976	chrome.exe	123
PID 3976 wrote to memory of 2796	3976	chrome.exe	123
PID 3976 wrote to memory of 2796	3976	chrome.exe	123
PID 3976 wrote to memory of 2796	3976	chrome.exe	123

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\WannaCry.exe
"C:\Users\Admin\AppData\Local\Temp\WannaCry.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3380
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 23881734207003.bat
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2272
- - C:\Windows\SysWOW64\cscript.exe
    cscript //nologo c.vbs
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5116
- C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
  !WannaDecryptor!.exe f
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1616
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im MSExchange*
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1528
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im Microsoft.Exchange.*
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1784
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im sqlserver.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4872
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im sqlwriter.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1560
- C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
  !WannaDecryptor!.exe c
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3756
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c start /b !WannaDecryptor!.exe v
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3236
- - C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
    !WannaDecryptor!.exe v
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4752
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:400
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:956
- C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  2⤵
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:4868

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2932

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5112

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4588

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -nohome
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4316
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4316 CREDAT:17410 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3952

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xc0,0x124,0x7ff80cdacc40,0x7ff80cdacc4c,0x7ff80cdacc58
  2⤵
  PID:2972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1868,i,14966056053767693224,17893668643377563450,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1864 /prefetch:2
  2⤵
  PID:2796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2204,i,14966056053767693224,17893668643377563450,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2216 /prefetch:3
  2⤵
  PID:1100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2280,i,14966056053767693224,17893668643377563450,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2296 /prefetch:8
  2⤵
  PID:4452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3128,i,14966056053767693224,17893668643377563450,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3148 /prefetch:1
  2⤵
  PID:1252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3176,i,14966056053767693224,17893668643377563450,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  PID:4916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4564,i,14966056053767693224,17893668643377563450,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4580 /prefetch:1
  2⤵
  PID:4812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4524,i,14966056053767693224,17893668643377563450,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4796 /prefetch:8
  2⤵
  PID:2668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4900,i,14966056053767693224,17893668643377563450,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4896 /prefetch:8
  2⤵
  PID:1784

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2816

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
da88b6be0e6a946aba9c94757bb5d4ea

SHA1
7edf490902dbfd14114c1ad998af64f004a01665

SHA256
aae7a386c26c294c7308f9f44cb5a243d1ac4580933280da67eaecc4c36c95e0

SHA512
a25695293523038a6ba52dc6cac93fd993259f887dc6aa51c3b3c3cc9021d0038263bc3994f3b44ad05fb217a0431b6fcf334a81012282fc25e40040d4563805

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
f19029b2f58afa176bdf85adc12204d9

SHA1
6868396df68a7c50e926cd20fa8ae5dd5f4f321b

SHA256
f43b87ac1c1cf91b97f73feaae0f5c4d1b76f8a811fb25b0828e1bb02350085b

SHA512
0731e7e846a3fa8224bb573cdbcbe94a0bd75bc4f8e0ba025e65dd55f2b9c75db87ff1a1f1bb3c0a2356b8444f7dd380ac354db2163383043de1248de8b7f08a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b61cf9c7d8d48fe34dc3082088590b8c

SHA1
ce0eed71ad7ab599c2ebb1b13e91a11430f9fa6b

SHA256
107c1c11b7665c4fe3e3bc1923cf9fd5e30ee4a39e82cb3c3baf504661685615

SHA512
aab9c7319d36944979be280912ee49bff7bbf0214d899f15f2a3300bf30ff0e27725c7a11baf984f39312474a7d5fa9953ce9bb2f84b52472bddb9c0e9d91444

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c7159fe5cb94b83edc1f4155f9cffd7c

SHA1
3d7ffa028ec2051956a4d4fc9c0d2f71da508a41

SHA256
00d76ca0e02398ed2b547e4646807df7bbbe5137990b7ce9ba2ff6f78ec3a78e

SHA512
f30e3e710a3c48a55290ca4614211aba73e148af6a499fcfb7a4553e251c514209619101efd4f7cc38c53713b76bcc1f28058f2f0a2de5dedd5c4c12519196f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
2e58fb64eacfc34f2a57b2ff1b1bb398

SHA1
181c3876326fbee955d8908f347f7221b2e36f0f

SHA256
bae629cfb1a2349538fce3827cbd7e08ccaa7a9462f59d38db97248049dc0e65

SHA512
71b49139d57eed925e701bcbbd7bf440dbdd2bbf7ab17d46079803bca947b1c41c7b76259bc8a23ceab17521ed60a9ce8c19c46c6b4fe11427fe0cdab536aa24

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
5a1076ae3ce16a29b78eb8029703a520

SHA1
f168fe7dcb3b8d9002a4b6a55643d27e8b00f8f0

SHA256
4e61e5564480034b2f806a732de2dfb221b5dc65e94b107c3953fbe85094e6b7

SHA512
ff2195e615107af3b94204f21b49767bcf2ac49e63bce8e263e33353ee1a3d0cfe3a0ac581a19296c55970e372b07d2e92452e73eeada2413a04318a928993f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db.WCRY

Filesize
24KB

MD5
db478b80fe39e1c0a45a894937515bcb

SHA1
e7061e3c3d78496b557923470f51e8b01ab525c6

SHA256
e90fbf24b04f0a6091f7a123dcef733e3eef1f77675c153a4bbf1605674fb404

SHA512
f738aa1ca32057a01e370f4106756c1d4479772eb1a11fdeaa14b663264a59c149570e971a68924d93d57f40bf00a2a7a20a8411d65540cdaac18391278ed08b

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133727664064470971.txt.WCRY

Filesize
66KB

MD5
71e5f13477441f0c29ff2118daf6a7e1

SHA1
8caca0cf64ba30fb565af3498093a0804c995ff4

SHA256
eb68b1bc98668534bddf77ee5d8ca2b535622ac56b43fb2da7f752fc9a40c1b8

SHA512
926cd27e2c26497baaabb8bfc8bfce9391218b236190854b41c8803ad3017e9485c646b8b79eda7ecdf5c3a3d6b9453fa1af66147e14876f7d0a66a1f26dd817

Download Submit
C:\Users\Admin\AppData\Local\Temp\!Please Read Me!.txt

Filesize
797B

MD5
afa18cf4aa2660392111763fb93a8c3d

SHA1
c219a3654a5f41ce535a09f2a188a464c3f5baf5

SHA256
227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0

SHA512
4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe.lnk

Filesize
1KB

MD5
ef570cdf55db1f775dba9a9d264b736f

SHA1
30f5acde6358c632e18d03348e827a8d37854baa

SHA256
be3aff4f447508230d40251a86e949b924afc2284f4bbf4cc15021612538a395

SHA512
2cf7a648fa8f9c2aef03906b92319dd0a9f826a6458dad8b7a7b9162922b77d43233874094c91c660cd6b94113193c7c195190a244d8491b9a493c24eb032dec

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.eky

Filesize
1KB

MD5
e00e0f0eabd10ce8a8d2f3f89bfcd174

SHA1
00fb53460544d6ab1338e5d89d51fd8d9504876c

SHA256
ede80efc9f806368c2acc3ed5b8000952799805879574c97c0178c4e7466e51b

SHA512
0c16491d0200be63201e1f6bc1556a436476e917c9c272305afb8fc252f8d39a25ac2df77679b87fb79b0a26e0d02dc9abe93686dd841f64ba48cc6b061ebc51

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.res

Filesize
136B

MD5
dc63e73056141d10db7740cd8b6e72b3

SHA1
225ec237e1a21f3edd84e8a4a328671a259c2e9d

SHA256
ece35271ace3531573da043ef9989a46cb11c661349ba4a81331bbf48eae344a

SHA512
2c8e6d9da28e10607a70060b4df797dcf35e301ddcb364671733cf7f820acfb4cc68717a6806e10460a2b08124148e6603d89e258e550c1264f5383d52ae0276

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.res

Filesize
136B

MD5
792363a2c6a2ffe894049663e773b8e7

SHA1
a506c247b0f8203451ce70628c3c1995c9425fba

SHA256
2d542b2c36736dacc724549a17de2743dca95ec7e4c6bdffa93b53715b375529

SHA512
760f2e06fad9e7524dc21719d372907eefae8ee46831e0320ea2f7c5f34e86871bf87ff23cbcade3d578fbc38c4411973eba329d5861b832bb5e45bc0531dc5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.res

Filesize
136B

MD5
74863a2f0d8a0d1da9d3a336feb3d821

SHA1
b1c6dbb5ef9aaf714fa6ba88313ce2e4c506f569

SHA256
4a115d0c8cc71a727a6a583e99cd928866696752e9d6f7be4104457a8d693814

SHA512
e373621987a723eba2a8aa545f11871bd99ba5a9caa80dfee772ed76222fe65173ba58f95f71b31ebb0bb91c42fff9586f2857daad86b7d42c1ef2338fb7fbf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.res

Filesize
136B

MD5
1330e99d94fec0f84d22a84674752e6a

SHA1
18d4aa503a5ac3c2668bc1ab858113dcd6af33ee

SHA256
33d468cf620b759818b36995047c5f40f2816bbfa14ee244a9210b8876565cdb

SHA512
cb065b2ee0b67190b0953a65ebb7c3d3fc23b709965d2ae86b407189704d3eaaeb581b23779036914ca870a77759b4f78563472ed7aedc9180ba495954e66cb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.res

Filesize
136B

MD5
9cd2e4edd19de3fe9e3fc9ca98b17f9a

SHA1
8c74319cdf70a773ebcfe109e7bf964e27999533

SHA256
190e539549978e7b4a36b1182c5b79971b39dd9ad25e2bc84df135d397ceb6c1

SHA512
d0e34ff7d8e861d9522700dad873603db28091149ce0530a8276da6a065e8c111da1c0084a61c8c4db7b0c8070907e28c2ddc587c19fa698504d871c76f99311

Download Submit
C:\Users\Admin\AppData\Local\Temp\23881734207003.bat

Filesize
336B

MD5
3540e056349c6972905dc9706cd49418

SHA1
492c20442d34d45a6d6790c720349b11ec591cde

SHA256
73872a89440a2cba9d22bf4961c3d499ea2c72979c30c455f942374292fedadc

SHA512
c949d147100aef59e382c03abf7b162ae62a4d43456eebd730fbedcf5f95f5e1a24f6e349690d52d75331878a6ee8f6b88a7162ee9cf2a49e142196b12d0133c

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.vbs

Filesize
219B

MD5
5f6d40ca3c34b470113ed04d06a88ff4

SHA1
50629e7211ae43e32060686d6be17ebd492fd7aa

SHA256
0fb5039a2fe7e90cdf3f22140d7f2103f94689b15609efe0edcc8430dd772fc1

SHA512
4d4aa1abd2c9183202fd3f0a65b37f07ee0166ba6561f094c13c8ea59752c7bdd960e37c49583746d4464bc3b1dc0b63a1fe36a37ce7e5709cd76ed433befe35

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.wry

Filesize
628B

MD5
2c3b1ac6eb3c385748bdec138db2cee8

SHA1
826464f5683e637955035d82b5c3c84917fd9cdf

SHA256
875f41ee27565a2e9614d3ee151a27b59bb461248ee335af0d326e0334a9063a

SHA512
f878e105834e7be055ccf24e7d95ee08298333482db975f58c2d74bc6960728aaeff9dbad5ac24a4842de840119402691b9037e04e180fac894f327bbfde0d26

Download Submit
C:\Users\Admin\AppData\Local\Temp\f.wry

Filesize
365B

MD5
95d3ee0f70a2a259da1180634945fe7d

SHA1
17f1bd4373ab6ab6d681aade0236fb06aeb97f5d

SHA256
3a0882843f11d8bdbd127abc9a635aa2813099bd2704d9cf74f3dd51de473e98

SHA512
0de99ddaaaa2b7062361e9dd6113d6dcd58b703305bd66b58b169567b103769f336685fef198b41e57c34ca0ecc049388a52989b1d1f33f3360cafd85cdeb406

Download Submit
C:\Users\Admin\AppData\Local\Temp\m.wry

Filesize
42KB

MD5
980b08bac152aff3f9b0136b616affa5

SHA1
2a9c9601ea038f790cc29379c79407356a3d25a3

SHA256
402046ada270528c9ac38bbfa0152836fe30fb8e12192354e53b8397421430d9

SHA512
100cda1f795781042b012498afd783fd6ff03b0068dbd07b2c2e163cd95e6c6e00755ce16b02b017693c9febc149ed02df9df9b607e2b9cca4b07e5bd420f496

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.wry

Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Background Tasks Profiles\oj34dzup.MozillaBackgroundTask-308046B0AF4A39CB-defaultagent\prefs.js.WCRY

Filesize
776B

MD5
a895523142edce8015e96c1f9d29163e

SHA1
7539694138eb69e892328cf1966e8f2ba985491e

SHA256
0b18c6bccb4f4c0764238da3837f21cc09d1ccff587e7427a9472a8548982bc0

SHA512
7920698b05b3f6fb9775b4a14696ff14ad1332aae22425d3c4e208b8f4a4abb00e26204b08903fab11095b27345fd3c8b6753826f44fa26c80f6f19a0ed37e38

Download Submit
memory/2932-1373-0x000001DF2B970000-0x000001DF2B971000-memory.dmp

Filesize
4KB

Download
memory/2932-1374-0x000001DF2B970000-0x000001DF2B971000-memory.dmp

Filesize
4KB

Download
memory/2932-1375-0x000001DF2B970000-0x000001DF2B971000-memory.dmp

Filesize
4KB

Download
memory/2932-1377-0x000001DF2B970000-0x000001DF2B971000-memory.dmp

Filesize
4KB

Download
memory/2932-1376-0x000001DF2B970000-0x000001DF2B971000-memory.dmp

Filesize
4KB

Download
memory/2932-1378-0x000001DF2B970000-0x000001DF2B971000-memory.dmp

Filesize
4KB

Download
memory/2932-1372-0x000001DF2B970000-0x000001DF2B971000-memory.dmp

Filesize
4KB

Download
memory/2932-1367-0x000001DF2B970000-0x000001DF2B971000-memory.dmp

Filesize
4KB

Download
memory/2932-1368-0x000001DF2B970000-0x000001DF2B971000-memory.dmp

Filesize
4KB

Download
memory/2932-1366-0x000001DF2B970000-0x000001DF2B971000-memory.dmp

Filesize
4KB

Download
memory/3380-6-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download