wannacry | be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844

Resubmissions

18/04/2025, 14:38

250418-rz5adswshv 10

Analysis

max time kernel
130s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20250410-en
resource tags

arch:x64arch:x86image:win10v2004-20250410-enlocale:en-usos:windows10-2004-x64system
submitted
18/04/2025, 14:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WannaCry.exe
Size

224KB
MD5

5c7fb0927db37372da25f270708103a2
SHA1

120ed9279d85cbfa56e5b7779ffa7162074f7a29
SHA256

be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844
SHA512

a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f89224c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206
SSDEEP

3072:Y059femWRwTs/dbelj0X8/j84pcRXPlU3Upt3or4H84lK8PtpLzLsR/EfcZ:+5RwTs/dSXj84mRXPemxdBlPvLzLeZ

Score

10^/10

wannacry defense_evasion discovery execution impact persistence ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\!Please Read Me!.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions! �

Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Wannacry family
wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD9280.tmp	WannaCry.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD9297.tmp	WannaCry.exe

Executes dropped EXE 4 IoCs

pid	Process
4520	!WannaDecryptor!.exe
5344	!WannaDecryptor!.exe
5960	!WannaDecryptor!.exe
4452	!WannaDecryptor!.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\WannaCry.exe\" /r"	WannaCry.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp"	!WannaDecryptor!.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe

Kills process with taskkill 4 IoCs

defense_evasion

pid	Process
668	taskkill.exe
4168	taskkill.exe
5960	taskkill.exe
3948	taskkill.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1708	vlc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1708	vlc.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

description	pid	Process
Token: SeDebugPrivilege	3948	taskkill.exe
Token: SeDebugPrivilege	5960	taskkill.exe
Token: SeDebugPrivilege	668	taskkill.exe
Token: SeDebugPrivilege	4168	taskkill.exe
Token: SeIncreaseQuotaPrivilege	6056	WMIC.exe
Token: SeSecurityPrivilege	6056	WMIC.exe
Token: SeTakeOwnershipPrivilege	6056	WMIC.exe
Token: SeLoadDriverPrivilege	6056	WMIC.exe
Token: SeSystemProfilePrivilege	6056	WMIC.exe
Token: SeSystemtimePrivilege	6056	WMIC.exe
Token: SeProfSingleProcessPrivilege	6056	WMIC.exe
Token: SeIncBasePriorityPrivilege	6056	WMIC.exe
Token: SeCreatePagefilePrivilege	6056	WMIC.exe
Token: SeBackupPrivilege	6056	WMIC.exe
Token: SeRestorePrivilege	6056	WMIC.exe
Token: SeShutdownPrivilege	6056	WMIC.exe
Token: SeDebugPrivilege	6056	WMIC.exe
Token: SeSystemEnvironmentPrivilege	6056	WMIC.exe
Token: SeRemoteShutdownPrivilege	6056	WMIC.exe
Token: SeUndockPrivilege	6056	WMIC.exe
Token: SeManageVolumePrivilege	6056	WMIC.exe
Token: 33	6056	WMIC.exe
Token: 34	6056	WMIC.exe
Token: 35	6056	WMIC.exe
Token: 36	6056	WMIC.exe
Token: SeIncreaseQuotaPrivilege	6056	WMIC.exe
Token: SeSecurityPrivilege	6056	WMIC.exe
Token: SeTakeOwnershipPrivilege	6056	WMIC.exe
Token: SeLoadDriverPrivilege	6056	WMIC.exe
Token: SeSystemProfilePrivilege	6056	WMIC.exe
Token: SeSystemtimePrivilege	6056	WMIC.exe
Token: SeProfSingleProcessPrivilege	6056	WMIC.exe
Token: SeIncBasePriorityPrivilege	6056	WMIC.exe
Token: SeCreatePagefilePrivilege	6056	WMIC.exe
Token: SeBackupPrivilege	6056	WMIC.exe
Token: SeRestorePrivilege	6056	WMIC.exe
Token: SeShutdownPrivilege	6056	WMIC.exe
Token: SeDebugPrivilege	6056	WMIC.exe
Token: SeSystemEnvironmentPrivilege	6056	WMIC.exe
Token: SeRemoteShutdownPrivilege	6056	WMIC.exe
Token: SeUndockPrivilege	6056	WMIC.exe
Token: SeManageVolumePrivilege	6056	WMIC.exe
Token: 33	6056	WMIC.exe
Token: 34	6056	WMIC.exe
Token: 35	6056	WMIC.exe
Token: 36	6056	WMIC.exe
Token: SeBackupPrivilege	5912	vssvc.exe
Token: SeRestorePrivilege	5912	vssvc.exe
Token: SeAuditPrivilege	5912	vssvc.exe

Suspicious use of FindShellTrayWindow 20 IoCs

pid	Process
1708	vlc.exe
1708	vlc.exe
1708	vlc.exe
1708	vlc.exe
1708	vlc.exe
1708	vlc.exe
1708	vlc.exe
1708	vlc.exe
1708	vlc.exe
1708	vlc.exe
1708	vlc.exe
1708	vlc.exe
1708	vlc.exe
1708	vlc.exe
1708	vlc.exe
1708	vlc.exe
1708	vlc.exe
1708	vlc.exe
1708	vlc.exe
1708	vlc.exe

Suspicious use of SendNotifyMessage 19 IoCs

pid	Process
1708	vlc.exe
1708	vlc.exe
1708	vlc.exe
1708	vlc.exe
1708	vlc.exe
1708	vlc.exe
1708	vlc.exe
1708	vlc.exe
1708	vlc.exe
1708	vlc.exe
1708	vlc.exe
1708	vlc.exe
1708	vlc.exe
1708	vlc.exe
1708	vlc.exe
1708	vlc.exe
1708	vlc.exe
1708	vlc.exe
1708	vlc.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
4520	!WannaDecryptor!.exe
4520	!WannaDecryptor!.exe
5344	!WannaDecryptor!.exe
5344	!WannaDecryptor!.exe
5960	!WannaDecryptor!.exe
5960	!WannaDecryptor!.exe
4452	!WannaDecryptor!.exe
4452	!WannaDecryptor!.exe
1708	vlc.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1336 wrote to memory of 688	1336	WannaCry.exe	86
PID 1336 wrote to memory of 688	1336	WannaCry.exe	86
PID 1336 wrote to memory of 688	1336	WannaCry.exe	86
PID 6036 wrote to memory of 5404	6036	cmd.exe	88
PID 6036 wrote to memory of 5404	6036	cmd.exe	88
PID 6036 wrote to memory of 5404	6036	cmd.exe	88
PID 688 wrote to memory of 2708	688	cmd.exe	89
PID 688 wrote to memory of 2708	688	cmd.exe	89
PID 688 wrote to memory of 2708	688	cmd.exe	89
PID 1336 wrote to memory of 4520	1336	WannaCry.exe	94
PID 1336 wrote to memory of 4520	1336	WannaCry.exe	94
PID 1336 wrote to memory of 4520	1336	WannaCry.exe	94
PID 1336 wrote to memory of 668	1336	WannaCry.exe	95
PID 1336 wrote to memory of 668	1336	WannaCry.exe	95
PID 1336 wrote to memory of 668	1336	WannaCry.exe	95
PID 1336 wrote to memory of 3948	1336	WannaCry.exe	96
PID 1336 wrote to memory of 3948	1336	WannaCry.exe	96
PID 1336 wrote to memory of 3948	1336	WannaCry.exe	96
PID 1336 wrote to memory of 5960	1336	WannaCry.exe	97
PID 1336 wrote to memory of 5960	1336	WannaCry.exe	97
PID 1336 wrote to memory of 5960	1336	WannaCry.exe	97
PID 1336 wrote to memory of 4168	1336	WannaCry.exe	98
PID 1336 wrote to memory of 4168	1336	WannaCry.exe	98
PID 1336 wrote to memory of 4168	1336	WannaCry.exe	98
PID 1336 wrote to memory of 5344	1336	WannaCry.exe	110
PID 1336 wrote to memory of 5344	1336	WannaCry.exe	110
PID 1336 wrote to memory of 5344	1336	WannaCry.exe	110
PID 1336 wrote to memory of 2220	1336	WannaCry.exe	111
PID 1336 wrote to memory of 2220	1336	WannaCry.exe	111
PID 1336 wrote to memory of 2220	1336	WannaCry.exe	111
PID 2220 wrote to memory of 5960	2220	cmd.exe	113
PID 2220 wrote to memory of 5960	2220	cmd.exe	113
PID 2220 wrote to memory of 5960	2220	cmd.exe	113
PID 1336 wrote to memory of 4452	1336	WannaCry.exe	116
PID 1336 wrote to memory of 4452	1336	WannaCry.exe	116
PID 1336 wrote to memory of 4452	1336	WannaCry.exe	116
PID 5960 wrote to memory of 5992	5960	!WannaDecryptor!.exe	117
PID 5960 wrote to memory of 5992	5960	!WannaDecryptor!.exe	117
PID 5960 wrote to memory of 5992	5960	!WannaDecryptor!.exe	117
PID 5992 wrote to memory of 6056	5992	cmd.exe	119
PID 5992 wrote to memory of 6056	5992	cmd.exe	119
PID 5992 wrote to memory of 6056	5992	cmd.exe	119

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\WannaCry.exe
"C:\Users\Admin\AppData\Local\Temp\WannaCry.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1336
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 13171744987136.bat
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:688
- - C:\Windows\SysWOW64\cscript.exe
    cscript //nologo c.vbs
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2708
- C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
  !WannaDecryptor!.exe f
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4520
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im MSExchange*
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:668
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im Microsoft.Exchange.*
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3948
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im sqlserver.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5960
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im sqlwriter.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4168
- C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
  !WannaDecryptor!.exe c
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5344
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c start /b !WannaDecryptor!.exe v
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2220
- - C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
    !WannaDecryptor!.exe v
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:5960
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:5992
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:6056
- C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  2⤵
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\WannaCry.exe" /r
1⤵
- Suspicious use of WriteProcessMemory
PID:6036
- C:\Users\Admin\AppData\Local\Temp\WannaCry.exe
  C:\Users\Admin\AppData\Local\Temp\WannaCry.exe /r
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5404

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5912

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:216

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Pictures\!Please Read Me!.txt
1⤵
PID:6100

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\AssertExpand.wma"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1708

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\!Please Read Me!.txt

Filesize
797B

MD5
afa18cf4aa2660392111763fb93a8c3d

SHA1
c219a3654a5f41ce535a09f2a188a464c3f5baf5

SHA256
227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0

SHA512
4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe.lnk

Filesize
1KB

MD5
d325d5ba5797182d2f2c21280f91a15b

SHA1
ce35fb67189e01de0de0469b913af58ce04a313a

SHA256
e83bd38f7d090fe17a08cebd68e1d77147057d715179b3270c1b89190dd03865

SHA512
a4a4dae4af66a7d8cc5b924d71ebcd67e3ed9bdd835cfd08f3d43e9f24a7ab81af7fe62a485d750f9d9c189c75c1f669e1012528306cc589fada5aaa78ee1507

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.res

Filesize
136B

MD5
3c5e4042cea1231113309b4e633b0cef

SHA1
8c29bcebefedaea40eeb3ad985b3a46123f54577

SHA256
0f3872e4d2e1b826a65af1c191cfff67ec8c4d16a10140f31649a1273a8c1c00

SHA512
f4b9b3454ca5a38274739ca1cc59d0f8750a90b73ebd59ed00b16189a2413eda0aa2aa465aa075dc01ac4e5c02921e9f485006e16470257f2da73a07007432df

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.res

Filesize
136B

MD5
f40752b259cd06701053bab9a6d17a7d

SHA1
aebc23bb2e20f0f74335b4eb0a928746914bbc28

SHA256
fe05e71e59ee333ea4e96a57039acdf302fc7a31d4ecc6ffe2cbaab1c92cb2c0

SHA512
2898099b3fae4b6c471e956ea19e7e35ed7cd7e832c05979c4677faf2d998231d98eb4e2dfebc4495d6c8e8699d7814ad13a7fb847c48852237da9e049da4b53

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.res

Filesize
136B

MD5
d9ec1faf07ef35d5ca322cbbab3b5751

SHA1
3e9b02af58c3f07ee0b37e537eb960cab95040c3

SHA256
9133bb976ee8c4495bf9a9c03f66eaf01d55c777f00e19165cf46e408b858c78

SHA512
3cd7f2ec863a0afea5b72faf4a75539eab05c7d0ad86574e7dbc2f8f7a4b32356aa7fb2b022055ee1f82e23bb849a748cf28d0cf8b723877907b77cacebf5e46

Download Submit
C:\Users\Admin\AppData\Local\Temp\13171744987136.bat

Filesize
336B

MD5
3540e056349c6972905dc9706cd49418

SHA1
492c20442d34d45a6d6790c720349b11ec591cde

SHA256
73872a89440a2cba9d22bf4961c3d499ea2c72979c30c455f942374292fedadc

SHA512
c949d147100aef59e382c03abf7b162ae62a4d43456eebd730fbedcf5f95f5e1a24f6e349690d52d75331878a6ee8f6b88a7162ee9cf2a49e142196b12d0133c

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.vbs

Filesize
219B

MD5
5f6d40ca3c34b470113ed04d06a88ff4

SHA1
50629e7211ae43e32060686d6be17ebd492fd7aa

SHA256
0fb5039a2fe7e90cdf3f22140d7f2103f94689b15609efe0edcc8430dd772fc1

SHA512
4d4aa1abd2c9183202fd3f0a65b37f07ee0166ba6561f094c13c8ea59752c7bdd960e37c49583746d4464bc3b1dc0b63a1fe36a37ce7e5709cd76ed433befe35

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.wry

Filesize
628B

MD5
53e0f54851e81573460410e592809854

SHA1
ab7391bd5dcec4b7b56b89a60b920f40781e8370

SHA256
fcbdca949234e9d905de0e1060cd90660c103da31ab273bab7933a902f886b68

SHA512
3b31020de289fd0d6fdaf2e8bebdacaae1485baab97b7c916ff72f54327ffa6a8e85bd25b1124ac7eeec33c658b922b387898de49ee156c1228333377e07e8e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.wry

Filesize
628B

MD5
663e55df21852bc8870b86bc38e58262

SHA1
1c691bf030ecfce78a9476fbdef3afe61724e6a9

SHA256
bf22e8e18db1638673f47591a13d18ee58d8c6019314bab5a90be82ae3dc9538

SHA512
6a54be1fa549633a2fd888c559207437b8f6efda98bb18d491c8749f39e9754f1e680fa8e2d623777b5f665b2c04d19385c75ce4e61fb251db16018963a9a6f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\m.wry

Filesize
42KB

MD5
980b08bac152aff3f9b0136b616affa5

SHA1
2a9c9601ea038f790cc29379c79407356a3d25a3

SHA256
402046ada270528c9ac38bbfa0152836fe30fb8e12192354e53b8397421430d9

SHA512
100cda1f795781042b012498afd783fd6ff03b0068dbd07b2c2e163cd95e6c6e00755ce16b02b017693c9febc149ed02df9df9b607e2b9cca4b07e5bd420f496

Download Submit
C:\Users\Admin\AppData\Local\Temp\r.wry

Filesize
729B

MD5
880e6a619106b3def7e1255f67cb8099

SHA1
8b3a90b2103a92d9facbfb1f64cb0841d97b4de7

SHA256
c9e9dc06f500ae39bfeb4671233cc97bb6dab58d97bb94aba4a2e0e509418d35

SHA512
c35ca30e0131ae4ee3429610ce4914a36b681d2c406f67816f725aa336969c2996347268cb3d19c22abaa4e2740ae86f4210b872610a38b4fa09ee80fcf36243

Download Submit
C:\Users\Admin\AppData\Local\Temp\t.wry

Filesize
68KB

MD5
5557ee73699322602d9ae8294e64ce10

SHA1
1759643cf8bfd0fb8447fd31c5b616397c27be96

SHA256
a7dd727b4e0707026186fcab24ff922da50368e1a4825350bd9c4828c739a825

SHA512
77740de21603fe5dbb0d9971e18ec438a9df7aaa5cea6bd6ef5410e0ab38a06ce77fbaeb8fc68e0177323e6f21d0cee9410e21b7e77e8d60cc17f7d93fdb3d5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.wry

Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini

Filesize
79B

MD5
bbf5d453c944f307089268fa0750ba47

SHA1
7fffefe72c1e58d3efa69a0af9bbc4f6117f6543

SHA256
02a048392e9201678c7c3eee04467d775ef538f633af6efa8b054bb2208fc737

SHA512
71feb3c34c5602dd922a5ee47e76075db666923c185c50a24513709a54d3c757f84f05e68ce0e1bd29a05419cc7de1ff74615613860d6b692d42b480547355c6

Download Submit
C:\Users\Admin\Downloads\AssertExpand.wma

Filesize
418KB

MD5
99698b5743ffef3d5cd3a1320518ff55

SHA1
01a9759ac8e1b06fc95167ce2d20e55b2227a94f

SHA256
c42cc199bd9d0725b79f91b9cb4a77d518d1da29e0623542ada3894bd18a9b26

SHA512
2e1b4296ad5d9095be3006d2b61eb65e1baae4b8d5946343e9d5429690c6ec7b75e880251d06c5a8daf231dc778af6a3b164e01a3c6740679c913482f5301ac4

Download Submit
memory/1336-6-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download
memory/1708-1642-0x00007FFCA6F80000-0x00007FFCA6FB4000-memory.dmp

Filesize
208KB

Download
memory/1708-1641-0x00007FF790480000-0x00007FF790578000-memory.dmp

Filesize
992KB

Download
memory/1708-1643-0x00007FFC906B0000-0x00007FFC90966000-memory.dmp

Filesize
2.7MB

Download
memory/1708-1644-0x00007FFC8F3F0000-0x00007FFC904A0000-memory.dmp

Filesize
16.7MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads