wannacry | c40595be750c34265939a20f4d05f49a1648bced8e7f8fe82726b04d49d9f83f

Analysis

max time kernel
51s
max time network
30s
platform
windows7_x64
resource
win7-20240903-de
resource tags

arch:x64arch:x86image:win7-20240903-delocale:de-deos:windows7-x64systemwindows
submitted
23/03/2025, 08:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Wannacry-main/Wannacry/Wannacry.exe
Size

3.4MB
MD5

84c82835a5d21bbcf75a61706d8ab549
SHA1

5ff465afaabcbf0150d1a3ab2c2e74f3a4426467
SHA256

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
SHA512

90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244
SSDEEP

98304:QqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2g3x:QqPe1Cxcxk3ZAEUadzR8yc4gB

Score

10^/10

wannacry defense_evasion discovery execution impact persistence ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\Documents\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Wannacry family
wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDCD56.tmp	Wannacry.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDCD6A.tmp	Wannacry.exe

Executes dropped EXE 7 IoCs

pid	Process
636	taskdl.exe
1496	@[email protected]
1708	@[email protected]
304	taskhsvc.exe
692	taskdl.exe
2624	taskse.exe
292	@[email protected]

Loads dropped DLL 21 IoCs

pid	Process
1468	Wannacry.exe
1468	Wannacry.exe
2684	cscript.exe
1468	Wannacry.exe
1468	Wannacry.exe
1560	cmd.exe
1560	cmd.exe
1496	@[email protected]
1496	@[email protected]
304	taskhsvc.exe
304	taskhsvc.exe
304	taskhsvc.exe
304	taskhsvc.exe
304	taskhsvc.exe
304	taskhsvc.exe
1468	Wannacry.exe
1468	Wannacry.exe
1468	Wannacry.exe
1468	Wannacry.exe
1468	Wannacry.exe
1468	Wannacry.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2452	icacls.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\kdnsrcndc333 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Wannacry-main\\Wannacry\\tasksche.exe\""	reg.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	Wannacry.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wannacry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
3052	vssadmin.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2684	reg.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
304	taskhsvc.exe
304	taskhsvc.exe
304	taskhsvc.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeBackupPrivilege	2364	vssvc.exe
Token: SeRestorePrivilege	2364	vssvc.exe
Token: SeAuditPrivilege	2364	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1544	WMIC.exe
Token: SeSecurityPrivilege	1544	WMIC.exe
Token: SeTakeOwnershipPrivilege	1544	WMIC.exe
Token: SeLoadDriverPrivilege	1544	WMIC.exe
Token: SeSystemProfilePrivilege	1544	WMIC.exe
Token: SeSystemtimePrivilege	1544	WMIC.exe
Token: SeProfSingleProcessPrivilege	1544	WMIC.exe
Token: SeIncBasePriorityPrivilege	1544	WMIC.exe
Token: SeCreatePagefilePrivilege	1544	WMIC.exe
Token: SeBackupPrivilege	1544	WMIC.exe
Token: SeRestorePrivilege	1544	WMIC.exe
Token: SeShutdownPrivilege	1544	WMIC.exe
Token: SeDebugPrivilege	1544	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1544	WMIC.exe
Token: SeRemoteShutdownPrivilege	1544	WMIC.exe
Token: SeUndockPrivilege	1544	WMIC.exe
Token: SeManageVolumePrivilege	1544	WMIC.exe
Token: 33	1544	WMIC.exe
Token: 34	1544	WMIC.exe
Token: 35	1544	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1544	WMIC.exe
Token: SeSecurityPrivilege	1544	WMIC.exe
Token: SeTakeOwnershipPrivilege	1544	WMIC.exe
Token: SeLoadDriverPrivilege	1544	WMIC.exe
Token: SeSystemProfilePrivilege	1544	WMIC.exe
Token: SeSystemtimePrivilege	1544	WMIC.exe
Token: SeProfSingleProcessPrivilege	1544	WMIC.exe
Token: SeIncBasePriorityPrivilege	1544	WMIC.exe
Token: SeCreatePagefilePrivilege	1544	WMIC.exe
Token: SeBackupPrivilege	1544	WMIC.exe
Token: SeRestorePrivilege	1544	WMIC.exe
Token: SeShutdownPrivilege	1544	WMIC.exe
Token: SeDebugPrivilege	1544	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1544	WMIC.exe
Token: SeRemoteShutdownPrivilege	1544	WMIC.exe
Token: SeUndockPrivilege	1544	WMIC.exe
Token: SeManageVolumePrivilege	1544	WMIC.exe
Token: 33	1544	WMIC.exe
Token: 34	1544	WMIC.exe
Token: 35	1544	WMIC.exe
Token: SeTcbPrivilege	2624	taskse.exe
Token: SeTcbPrivilege	2624	taskse.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1708	@[email protected]
1496	@[email protected]
1496	@[email protected]
1708	@[email protected]
292	@[email protected]
292	@[email protected]

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1468 wrote to memory of 2472	1468	Wannacry.exe	30
PID 1468 wrote to memory of 2472	1468	Wannacry.exe	30
PID 1468 wrote to memory of 2472	1468	Wannacry.exe	30
PID 1468 wrote to memory of 2472	1468	Wannacry.exe	30
PID 1468 wrote to memory of 2452	1468	Wannacry.exe	31
PID 1468 wrote to memory of 2452	1468	Wannacry.exe	31
PID 1468 wrote to memory of 2452	1468	Wannacry.exe	31
PID 1468 wrote to memory of 2452	1468	Wannacry.exe	31
PID 1468 wrote to memory of 636	1468	Wannacry.exe	34
PID 1468 wrote to memory of 636	1468	Wannacry.exe	34
PID 1468 wrote to memory of 636	1468	Wannacry.exe	34
PID 1468 wrote to memory of 636	1468	Wannacry.exe	34
PID 1468 wrote to memory of 2948	1468	Wannacry.exe	35
PID 1468 wrote to memory of 2948	1468	Wannacry.exe	35
PID 1468 wrote to memory of 2948	1468	Wannacry.exe	35
PID 1468 wrote to memory of 2948	1468	Wannacry.exe	35
PID 2948 wrote to memory of 2684	2948	cmd.exe	37
PID 2948 wrote to memory of 2684	2948	cmd.exe	37
PID 2948 wrote to memory of 2684	2948	cmd.exe	37
PID 2948 wrote to memory of 2684	2948	cmd.exe	37
PID 1468 wrote to memory of 3044	1468	Wannacry.exe	38
PID 1468 wrote to memory of 3044	1468	Wannacry.exe	38
PID 1468 wrote to memory of 3044	1468	Wannacry.exe	38
PID 1468 wrote to memory of 3044	1468	Wannacry.exe	38
PID 1468 wrote to memory of 1496	1468	Wannacry.exe	41
PID 1468 wrote to memory of 1496	1468	Wannacry.exe	41
PID 1468 wrote to memory of 1496	1468	Wannacry.exe	41
PID 1468 wrote to memory of 1496	1468	Wannacry.exe	41
PID 1468 wrote to memory of 1560	1468	Wannacry.exe	42
PID 1468 wrote to memory of 1560	1468	Wannacry.exe	42
PID 1468 wrote to memory of 1560	1468	Wannacry.exe	42
PID 1468 wrote to memory of 1560	1468	Wannacry.exe	42
PID 1560 wrote to memory of 1708	1560	cmd.exe	44
PID 1560 wrote to memory of 1708	1560	cmd.exe	44
PID 1560 wrote to memory of 1708	1560	cmd.exe	44
PID 1560 wrote to memory of 1708	1560	cmd.exe	44
PID 1496 wrote to memory of 304	1496	@[email protected]	45
PID 1496 wrote to memory of 304	1496	@[email protected]	45
PID 1496 wrote to memory of 304	1496	@[email protected]	45
PID 1496 wrote to memory of 304	1496	@[email protected]	45
PID 1708 wrote to memory of 1448	1708	@[email protected]	48
PID 1708 wrote to memory of 1448	1708	@[email protected]	48
PID 1708 wrote to memory of 1448	1708	@[email protected]	48
PID 1708 wrote to memory of 1448	1708	@[email protected]	48
PID 1448 wrote to memory of 3052	1448	cmd.exe	50
PID 1448 wrote to memory of 3052	1448	cmd.exe	50
PID 1448 wrote to memory of 3052	1448	cmd.exe	50
PID 1448 wrote to memory of 3052	1448	cmd.exe	50
PID 1448 wrote to memory of 1544	1448	cmd.exe	52
PID 1448 wrote to memory of 1544	1448	cmd.exe	52
PID 1448 wrote to memory of 1544	1448	cmd.exe	52
PID 1448 wrote to memory of 1544	1448	cmd.exe	52
PID 1468 wrote to memory of 692	1468	Wannacry.exe	54
PID 1468 wrote to memory of 692	1468	Wannacry.exe	54
PID 1468 wrote to memory of 692	1468	Wannacry.exe	54
PID 1468 wrote to memory of 692	1468	Wannacry.exe	54
PID 1468 wrote to memory of 2624	1468	Wannacry.exe	55
PID 1468 wrote to memory of 2624	1468	Wannacry.exe	55
PID 1468 wrote to memory of 2624	1468	Wannacry.exe	55
PID 1468 wrote to memory of 2624	1468	Wannacry.exe	55
PID 1468 wrote to memory of 292	1468	Wannacry.exe	56
PID 1468 wrote to memory of 292	1468	Wannacry.exe	56
PID 1468 wrote to memory of 292	1468	Wannacry.exe	56
PID 1468 wrote to memory of 292	1468	Wannacry.exe	56

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 2 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
3044	attrib.exe
2472	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Wannacry-main\Wannacry\Wannacry.exe
"C:\Users\Admin\AppData\Local\Temp\Wannacry-main\Wannacry\Wannacry.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1468
- C:\Windows\SysWOW64\attrib.exe
  attrib +h .
  2⤵
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:2472
- C:\Windows\SysWOW64\icacls.exe
  icacls . /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  - System Location Discovery: System Language Discovery
  PID:2452
- C:\Users\Admin\AppData\Local\Temp\Wannacry-main\Wannacry\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:636
- C:\Windows\SysWOW64\cmd.exe
  cmd /c 137951742719335.bat
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2948
- - C:\Windows\SysWOW64\cscript.exe
    cscript.exe //nologo m.vbs
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2684
- C:\Windows\SysWOW64\attrib.exe
  attrib +h +s F:\$RECYCLE
  2⤵
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:3044
- C:\Users\Admin\AppData\Local\Temp\Wannacry-main\Wannacry\@[email protected]
  @[email protected] co
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1496
- - C:\Users\Admin\AppData\Local\Temp\Wannacry-main\Wannacry\TaskData\Tor\taskhsvc.exe
    TaskData\Tor\taskhsvc.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:304
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c start /b @[email protected] vs
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1560
- - C:\Users\Admin\AppData\Local\Temp\Wannacry-main\Wannacry\@[email protected]
    @[email protected] vs
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1708
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1448
    - - C:\Windows\SysWOW64\vssadmin.exe
        
        vssadmin delete shadows /all /quiet
        5⤵
        System Location Discovery: System Language Discovery
        Interacts with shadow copies
        
        PID:3052
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1544
- C:\Users\Admin\AppData\Local\Temp\Wannacry-main\Wannacry\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:692
- C:\Users\Admin\AppData\Local\Temp\Wannacry-main\Wannacry\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Wannacry-main\Wannacry\@[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2624
- C:\Users\Admin\AppData\Local\Temp\Wannacry-main\Wannacry\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:292
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "kdnsrcndc333" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\Wannacry-main\Wannacry\tasksche.exe\"" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2008
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "kdnsrcndc333" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\Wannacry-main\Wannacry\tasksche.exe\"" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:2684

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\fhihpiojkbmbpdjeoajapmgkhlnakfjf\Icons\96.png.WNCRY

Filesize
2KB

MD5
9b661dffe568ad82a93555936232a7df

SHA1
ba962a7b76c66724eeaecf8d4fc6e73637aead7c

SHA256
599d6d4a8ff34bd8b91f1a17d2e81008a20be35686561318bc9c155858cdc49d

SHA512
73cddc7494ef12d0aebe68e64de34308484c8be2f9a5c6c63c95386cafd2225aecebf22724a45da00ea4a2bc8d247e88572808cd3025486bf1879b461f8690f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wannacry-main\Wannacry\00000000.res

Filesize
136B

MD5
6a8b3e09ba5f44698e0e7c8669610387

SHA1
71166e25f703876a054a308d3eedb7802748968c

SHA256
da28b9e69876513d865a58e092b7e6c9e0f121631c20a5bb9993133c59d5060b

SHA512
298922b91d9297b9ffabda1f82a5c7679fea9cd64b863f1e64d2acbf5284d2d583258321380db24674ff706d3d320e581430a502392f3881b33dd59e0edde8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wannacry-main\Wannacry\00000000.res

Filesize
136B

MD5
486d450e80a0346ffa0c5f3a785943d5

SHA1
5ec0850580471d184c576f3f5ca23745239451a1

SHA256
7e801e333463e6bb825dd05a9aa902d8bd154c124932b8c819950b1b5b9afd97

SHA512
66b20d2594a21adc69b8d5c4e69f74e21f130505641927635e37c460b0bc2faf31ca0a481071a5601509f48d783739258d67acd81de5f1daeaf7b01f0af55b2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wannacry-main\Wannacry\137951742719335.bat

Filesize
386B

MD5
df36ee10f852d22a2da87ac3b8cf044e

SHA1
8c103f48d643e7a5e5b2d2ed50f6e2ea08c3d69c

SHA256
8225856487c57545f1594ef7711a4497f89220adc6474d942874e1d4323da1df

SHA512
8662f60a086ece2a7034420588b01748d0e5075261d2374a50e6ff52b8cc36ea24d319fe2de09b12ba29effe3656b675ae8350b670f0cd30b49b368cb688e80d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wannacry-main\Wannacry\@[email protected]

Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wannacry-main\Wannacry\@[email protected]

Filesize
1KB

MD5
b2cca282fdc14df4d64964a11fe0f559

SHA1
dbb95b91982b14e3de2ff4d8c0a32c7f539a7efa

SHA256
c2b06e57f8500be9cbbbdc6027e3256a6e95fff39756db1249a4e620a9bed901

SHA512
6ca6cf15712bfd6c07779a6706b2853661834280480404812ea686f31199987a98026610570cf6f440c8b3427d655f9951b8bec6a6df80ce382ede72a9c62153

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wannacry-main\Wannacry\TaskData\Tor\LIBEAY32.dll

Filesize
3.0MB

MD5
6ed47014c3bb259874d673fb3eaedc85

SHA1
c9b29ba7e8a97729c46143cc59332d7a7e9c1ad8

SHA256
58be53d5012b3f45c1ca6f4897bece4773efbe1ccbf0be460061c183ee14ca19

SHA512
3bc462d21bc762f6eec3d23bb57e2baf532807ab8b46fab1fe38a841e5fde81ed446e5305a78ad0d513d85419e6ec8c4b54985da1d6b198acb793230aeecd93e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wannacry-main\Wannacry\TaskData\Tor\SSLEAY32.dll

Filesize
694KB

MD5
a12c2040f6fddd34e7acb42f18dd6bdc

SHA1
d7db49f1a9870a4f52e1f31812938fdea89e9444

SHA256
bd70ba598316980833f78b05f7eeaef3e0f811a7c64196bf80901d155cb647c1

SHA512
fbe0970bcdfaa23af624daad9917a030d8f0b10d38d3e9c7808a9fbc02912ee9daed293dbdea87aa90dc74470bc9b89cb6f2fe002393ecda7b565307ffb7ec00

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wannacry-main\Wannacry\TaskData\Tor\libevent-2-0-5.dll

Filesize
702KB

MD5
90f50a285efa5dd9c7fddce786bdef25

SHA1
54213da21542e11d656bb65db724105afe8be688

SHA256
77a250e81fdaf9a075b1244a9434c30bf449012c9b647b265fa81a7b0db2513f

SHA512
746422be51031cfa44dd9a6f3569306c34bbe8abf9d2bd1df139d9c938d0cba095c0e05222fd08c8b6deaebef5d3f87569b08fb3261a2d123d983517fb9f43ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wannacry-main\Wannacry\TaskData\Tor\libgcc_s_sjlj-1.dll

Filesize
510KB

MD5
73d4823075762ee2837950726baa2af9

SHA1
ebce3532ed94ad1df43696632ab8cf8da8b9e221

SHA256
9aeccf88253d4557a90793e22414868053caaab325842c0d7acb0365e88cd53b

SHA512
8f4a65bd35ed69f331769aaf7505f76dd3c64f3fa05cf01d83431ec93a7b1331f3c818ac7008e65b6f1278d7e365ed5940c8c6b8502e77595e112f1faca558b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wannacry-main\Wannacry\TaskData\Tor\libssp-0.dll

Filesize
90KB

MD5
78581e243e2b41b17452da8d0b5b2a48

SHA1
eaefb59c31cf07e60a98af48c5348759586a61bb

SHA256
f28caebe9bc6aa5a72635acb4f0e24500494e306d8e8b2279e7930981281683f

SHA512
332098113ce3f75cb20dc6e09f0d7ba03f13f5e26512d9f3bee3042c51fbb01a5e4426c5e9a5308f7f805b084efc94c28fc9426ce73ab8dfee16ab39b3efe02a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wannacry-main\Wannacry\b.wnry

Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wannacry-main\Wannacry\c.wnry

Filesize
780B

MD5
a1cb2f2fff21eabed7809f11a11e7b37

SHA1
91ba7a4deed88cc4a15eec61dc23bd427fcfb888

SHA256
b72a2ba33741bd633b80d26c9ffe9cd935395d40cb540c8d7b20baf660b82c74

SHA512
99927497903617cf1edda8d7b1d6543873edb2cb9d204a3c4bd5087976c7ebc9296e14c42ffeb91ea82f1ddcc3eb180db1afe708d30f3dd29b82f2a855c3a670

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wannacry-main\Wannacry\c.wnry

Filesize
780B

MD5
383a85eab6ecda319bfddd82416fc6c2

SHA1
2a9324e1d02c3e41582bf5370043d8afeb02ba6f

SHA256
079ce1041cbffe18ff62a2b4a33711eda40f680d0b1d3b551db47e39a6390b21

SHA512
c661e0b3c175d31b365362e52d7b152267a15d59517a4bcc493329be20b23d0e4eb62d1ba80bb96447eeaf91a6901f4b34bf173b4ab6f90d4111ea97c87c1252

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wannacry-main\Wannacry\f.wnry

Filesize
251B

MD5
a8db5d0dee1d56066c59033f1abefb3b

SHA1
80e3a2457d91fb22aefe8d988c45178306e06e33

SHA256
b2758787f138711600f56d8f066b7b1a1003b14699ff7a1653cb0231cec926b4

SHA512
56f304427b3ca42e658c55cf945236a09ef68f4274234e63369877f225549c1282bacde5c1bf06c4e3248d7c063add9885ed812bd640f3f80641620de44dd86a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wannacry-main\Wannacry\m.vbs

Filesize
265B

MD5
9eb09ae76b63238c7d07b1b26109fe2e

SHA1
e2248830f222bb2e0f7c19ddf428840aaccd5f5a

SHA256
6693448b5ccce9a8fb1901520f8bb4c4c63d172b96b588ef68fbc95b0e6e0105

SHA512
0067c041f627ac756955150da9e90e2cd536deb2b963e92021b35113e98b1ad4fc238d3da9c0660573e9e803b29fafa762dfd18c1f257d96d18bce8f5e81e944

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wannacry-main\Wannacry\msg\m_German.wnry

Filesize
36KB

MD5
3d59bbb5553fe03a89f817819540f469

SHA1
26781d4b06ff704800b463d0f1fca3afd923a9fe

SHA256
2adc900fafa9938d85ce53cb793271f37af40cf499bcc454f44975db533f0b61

SHA512
95719ae80589f71209bb3cb953276538040e7111b994d757b0a24283aefe27aadbbe9eef3f1f823ce4cabc1090946d4a2a558607ac6cac6faca5971529b34dac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wannacry-main\Wannacry\msg\m_finnish.wnry

Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wannacry-main\Wannacry\s.wnry

Filesize
2.9MB

MD5
ad4c9de7c8c40813f200ba1c2fa33083

SHA1
d1af27518d455d432b62d73c6a1497d032f6120e

SHA256
e18fdd912dfe5b45776e68d578c3af3547886cf1353d7086c8bee037436dff4b

SHA512
115733d08e5f1a514808a20b070db7ff453fd149865f49c04365a8c6502fa1e5c3a31da3e21f688ab040f583cf1224a544aea9708ffab21405dde1c57f98e617

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wannacry-main\Wannacry\taskse.exe

Filesize
20KB

MD5
8495400f199ac77853c53b5a3f278f3e

SHA1
be5d6279874da315e3080b06083757aad9b32c23

SHA256
2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d

SHA512
0669c524a295a049fa4629b26f89788b2a74e1840bcdc50e093a0bd40830dd1279c9597937301c0072db6ece70adee4ace67c3c8a4fb2db6deafd8f1e887abe4

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

Filesize
5.7MB

MD5
1e3afccd1adbc537c0a4fbcb90957dbc

SHA1
944740f32ccd8ed80ceb62bb0c3bccad527c7c10

SHA256
653dc6dcb3c6437a3e9258674c78fb92bf8c2c666917f648b8c63baf5fbb6c8c

SHA512
63558066698e1588f64076234ff455a6dad230a5aaf3666024847eca7c370973b8c382684a7e3dc81186e066dfbbed2c64d832790844c451d8d5ff164957558a

Download Submit
C:\Users\Admin\Documents\@[email protected]

Filesize
933B

MD5
f97d2e6f8d820dbd3b66f21137de4f09

SHA1
596799b75b5d60aa9cd45646f68e9c0bd06df252

SHA256
0e5ece918132a2b1a190906e74becb8e4ced36eec9f9d1c70f5da72ac4c6b92a

SHA512
efda21d83464a6a32fdeef93152ffd32a648130754fdd3635f7ff61cc1664f7fc050900f0f871b0ddd3a3846222bf62ab5df8eed42610a76be66fff5f7b4c4c0

Download Submit
C:\Users\Admin\Downloads\ResumeDisable.png.WNCRY

Filesize
663KB

MD5
89045080b9376c16675b67f343f35340

SHA1
30d8fb8c00e89991f349358c73ec179b36f87338

SHA256
6a6747e1a3b69777b51e96484fc4c5c601271559e918591d085e67bb35a30bfe

SHA512
086242339dfc7e9788359f79d22fee3d9558fc6005d08b42c0b6c07686d48d2efa6ac3fe4bed4e071e02d1c54b618507fcf6aa344532073540bc0a22052a9f04

Download Submit
C:\Users\Admin\Downloads\ShowInitialize.cmd.WNCRY

Filesize
413KB

MD5
a3cc0272f9b629fd3100357a84938426

SHA1
a70d3834c6781233aebc9be39476c7852fceff57

SHA256
d770262f24b79caccd05417641567a882a8ddbf11db6b0594c67c77c49f33b84

SHA512
b95ad37c10977f0feddbce3e7fd79edbce442a54e5de36b15cf0030c9e230f764c29629d43102d63bfda033362cd483c5c2aaf84156f4156479e245a71fcb843

Download Submit
\Users\Admin\AppData\Local\Temp\Wannacry-main\Wannacry\TaskData\Tor\taskhsvc.exe

Filesize
3.0MB

MD5
fe7eb54691ad6e6af77f8a9a0b6de26d

SHA1
53912d33bec3375153b7e4e68b78d66dab62671a

SHA256
e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb

SHA512
8ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f

Download Submit
\Users\Admin\AppData\Local\Temp\Wannacry-main\Wannacry\TaskData\Tor\zlib1.dll

Filesize
105KB

MD5
fb072e9f69afdb57179f59b512f828a4

SHA1
fe71b70173e46ee4e3796db9139f77dc32d2f846

SHA256
66d653397cbb2dbb397eb8421218e2c126b359a3b0decc0f31e297df099e1383

SHA512
9d157fece0dc18afe30097d9c4178ae147cc9d465a6f1d35778e1bff1efca4734dd096e95d35faea32da8d8b4560382338ba9c6c40f29047f1cc0954b27c64f8

Download Submit
\Users\Admin\AppData\Local\Temp\Wannacry-main\Wannacry\taskdl.exe

Filesize
20KB

MD5
4fef5e34143e646dbf9907c4374276f5

SHA1
47a9ad4125b6bd7c55e4e7da251e23f089407b8f

SHA256
4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79

SHA512
4550dd1787deb353ebd28363dd2cdccca861f6a5d9358120fa6aa23baa478b2a9eb43cef5e3f6426f708a0753491710ac05483fac4a046c26bec4234122434d5

Download Submit
memory/304-972-0x00000000743D0000-0x00000000743F2000-memory.dmp

Filesize
136KB

Download
memory/304-1023-0x0000000000840000-0x0000000000B3E000-memory.dmp

Filesize
3.0MB

Download
memory/304-968-0x0000000074BA0000-0x0000000074BBC000-memory.dmp

Filesize
112KB

Download
memory/304-966-0x0000000000840000-0x0000000000B3E000-memory.dmp

Filesize
3.0MB

Download
memory/304-970-0x0000000074490000-0x00000000746AC000-memory.dmp

Filesize
2.1MB

Download
memory/304-985-0x0000000000840000-0x0000000000B3E000-memory.dmp

Filesize
3.0MB

Download
memory/304-954-0x00000000743D0000-0x00000000743F2000-memory.dmp

Filesize
136KB

Download
memory/304-955-0x0000000000840000-0x0000000000B3E000-memory.dmp

Filesize
3.0MB

Download
memory/304-971-0x0000000074400000-0x0000000074482000-memory.dmp

Filesize
520KB

Download
memory/304-969-0x00000000746B0000-0x0000000074727000-memory.dmp

Filesize
476KB

Download
memory/304-967-0x0000000074730000-0x00000000747B2000-memory.dmp

Filesize
520KB

Download
memory/304-951-0x0000000074730000-0x00000000747B2000-memory.dmp

Filesize
520KB

Download
memory/304-1045-0x0000000074490000-0x00000000746AC000-memory.dmp

Filesize
2.1MB

Download
memory/304-952-0x0000000074490000-0x00000000746AC000-memory.dmp

Filesize
2.1MB

Download
memory/304-953-0x0000000074400000-0x0000000074482000-memory.dmp

Filesize
520KB

Download
memory/304-1041-0x0000000000840000-0x0000000000B3E000-memory.dmp

Filesize
3.0MB

Download
memory/1468-39-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download