wannacry | c0424d0ae06ca1e6e0249b40d33ac40d74075856d543ec0924884664fba52b79

Resubmissions

26-03-2024 16:24

240326-twshjahb5y 10

26-03-2024 16:14

240326-tpnwrsdh78 8

Analysis

max time kernel
383s
max time network
394s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
26-03-2024 16:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Windows10Upgrade9252.exe
Size

3.2MB
MD5

c0b25def4312fbddbcc4f01c6c0f5ba6
SHA1

8d16a183d61233e7d6b6af7b3cafc6645ac2acb1
SHA256

c0424d0ae06ca1e6e0249b40d33ac40d74075856d543ec0924884664fba52b79
SHA512

8c67619747bb108dae5661688ec8fa4c62bc6ac38ee6ff14a4691aab04d7ddd870fee4262cb30624a6bd85ac1f7595af05311496b0336f979e7e5f797791bc0e
SSDEEP

98304:GgjXlctych4cCzJ8k2omX8sUf0ht5f/LyXtcH/:JjKtych9CzJqXM32jyX

Score

10^/10

wannacry discovery persistence ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Downloads MZ/PE file

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	Windows10Upgrade9252.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	Windows10Upgrade9252.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	Windows10Upgrade9252.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD1501.tmp	WannaCry.EXE
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD1518.tmp	WannaCry.EXE

Executes dropped EXE 14 IoCs

pid	Process
5040	Windows10UpgraderApp.exe
1016	Windows10Upgrade9252.exe
6232	Windows10UpgraderApp.exe
6712	Windows10Upgrade9252.exe
5732	Windows10UpgraderApp.exe
5592	WannaCry.EXE
6092	taskdl.exe
5652	WannaCry.EXE
2096	@[email protected]
6220	@[email protected]
4504	taskhsvc.exe
4288	taskdl.exe
3108	taskse.exe
2884	@[email protected]

Loads dropped DLL 10 IoCs

pid	Process
5040	Windows10UpgraderApp.exe
6232	Windows10UpgraderApp.exe
5732	Windows10UpgraderApp.exe
4504	taskhsvc.exe
4504	taskhsvc.exe
4504	taskhsvc.exe
4504	taskhsvc.exe
4504	taskhsvc.exe
4504	taskhsvc.exe
4504	taskhsvc.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
6852	icacls.exe
6972	icacls.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\eexnwotxq447 = "\"C:\\Users\\Admin\\Downloads\\tasksche.exe\""	reg.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 15 IoCs

Web Service

T1102

flow	ioc
127	pastebin.com
424	camo.githubusercontent.com
126	pastebin.com
455	raw.githubusercontent.com
457	raw.githubusercontent.com
459	raw.githubusercontent.com
123	pastebin.com
128	pastebin.com
422	camo.githubusercontent.com
434	camo.githubusercontent.com
473	pastebin.com
423	camo.githubusercontent.com
456	raw.githubusercontent.com
458	raw.githubusercontent.com
461	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	WannaCry.EXE

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\WindowsInstallationAssistant\appraiserxp.dll	Windows10Upgrade9252.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\block.png	Windows10Upgrade9252.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\marketing.png	Windows10Upgrade9252.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\GetCurrentDeploy.dll	Windows10Upgrade9252.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\default.htm	Windows10Upgrade9252.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\Microsoft.WinJS\css\oobe-desktop.css	Windows10Upgrade9252.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\Microsoft.WinJS\css\oobe-desktopRS2.css	Windows10Upgrade9252.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\Microsoft.WinJS\css\ui-dark.css	Windows10Upgrade9252.exe
File opened for modification	C:\Program Files (x86)\WindowsInstallationAssistant\Configuration.ini	Windows10Upgrade9252.exe
File opened for modification	C:\Program Files (x86)\WindowsInstallationAssistant\appraiserxp.dll	Windows10Upgrade9252.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\WinDlp.dll	Windows10Upgrade9252.exe
File opened for modification	C:\Program Files (x86)\WindowsInstallationAssistant\Configuration.ini	Windows10Upgrade9252.exe
File opened for modification	C:\Program Files (x86)\WindowsInstallationAssistant\appraiserxp.dll	Windows10Upgrade9252.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\eula.css	Windows10Upgrade9252.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\loading.gif	Windows10Upgrade9252.exe
File opened for modification	C:\Program Files (x86)\WindowsInstallationAssistant\Configuration.ini	Windows10UpgraderApp.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\GetCurrentDeploy.dll	Windows10Upgrade9252.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\loading.gif	Windows10Upgrade9252.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\pass.png	Windows10Upgrade9252.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\downloader.dll	Windows10Upgrade9252.exe
File opened for modification	C:\Program Files (x86)\WindowsInstallationAssistant\Configuration.ini	Windows10UpgraderApp.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\Microsoft.WinJS\css\oobe-desktopRS2.css	Windows10Upgrade9252.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\Microsoft.WinJS\js\base.js	Windows10Upgrade9252.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\default.css	Windows10Upgrade9252.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\eula.css	Windows10Upgrade9252.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\downloader.dll	Windows10Upgrade9252.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\GetCurrentRollback.EXE	Windows10Upgrade9252.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\default.htm	Windows10Upgrade9252.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\bullet.png	Windows10Upgrade9252.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\Microsoft.WinJS\js\base.js	Windows10Upgrade9252.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\Windows10UpgraderApp.exe	Windows10Upgrade9252.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\bullet.png	Windows10Upgrade9252.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\default.css	Windows10Upgrade9252.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\ESDHelper.dll	Windows10Upgrade9252.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\block.png	Windows10Upgrade9252.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\appraiserxp.dll	Windows10Upgrade9252.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\default.htm	Windows10Upgrade9252.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\logo.png	Windows10Upgrade9252.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\default_sunvalley.htm	Windows10Upgrade9252.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\marketing.png	Windows10Upgrade9252.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\WinDlp.dll	Windows10Upgrade9252.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\Microsoft.WinJS\js\ui.js	Windows10Upgrade9252.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\Microsoft.WinJS\css\oobe-desktopRS2.css	Windows10Upgrade9252.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\appraiserxp.dll	Windows10Upgrade9252.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\bullet.png	Windows10Upgrade9252.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\WinDlp.dll	Windows10Upgrade9252.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\Windows10UpgraderApp.exe	Windows10Upgrade9252.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\downloader.dll	Windows10Upgrade9252.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\ESDHelper.dll	Windows10Upgrade9252.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\Microsoft.WinJS\css\ui-dark.css	Windows10Upgrade9252.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\Microsoft.WinJS\js\ui.js	Windows10Upgrade9252.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\Windows10UpgraderApp.exe	Windows10Upgrade9252.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\block.png	Windows10Upgrade9252.exe
File opened for modification	C:\Program Files (x86)\WindowsInstallationAssistant\Configuration.ini	Windows10Upgrade9252.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\GetCurrentRollback.EXE	Windows10Upgrade9252.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\eula.css	Windows10Upgrade9252.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\default.css	Windows10Upgrade9252.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\Microsoft.WinJS\css\oobe-desktop.css	Windows10Upgrade9252.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\marketing.png	Windows10Upgrade9252.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\default_sunvalley.htm	Windows10Upgrade9252.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\Microsoft.WinJS\js\base.js	Windows10Upgrade9252.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\pass.png	Windows10Upgrade9252.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\GetCurrentOOBE.dll	Windows10Upgrade9252.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\pass.png	Windows10Upgrade9252.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
4240	5040	WerFault.exe	90
6548	6232	WerFault.exe	122
5304	5732	WerFault.exe	135

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
5412	taskkill.exe
7140	taskkill.exe
1760	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 12 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	Windows10UpgraderApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	Windows10UpgraderApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Software\Microsoft\Internet Explorer\IESettingSync	Windows10UpgraderApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	Windows10UpgraderApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	Windows10UpgraderApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Software\Microsoft\Internet Explorer\IESettingSync	Windows10UpgraderApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	Windows10UpgraderApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	Windows10UpgraderApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Software\Microsoft\Internet Explorer\IESettingSync	Windows10UpgraderApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	Windows10UpgraderApp.exe
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	Windows10UpgraderApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	Windows10UpgraderApp.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000_Classes\Local Settings	firefox.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2632	reg.exe

NTFS ADS 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\WannaCry.EXE:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Windows10Upgrade9252.exe:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4504	taskhsvc.exe
4504	taskhsvc.exe
4504	taskhsvc.exe
4504	taskhsvc.exe
4504	taskhsvc.exe
4504	taskhsvc.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeBackupPrivilege	5044	Windows10Upgrade9252.exe
Token: SeRestorePrivilege	5044	Windows10Upgrade9252.exe
Token: SeDebugPrivilege	4444	firefox.exe
Token: SeDebugPrivilege	4444	firefox.exe
Token: SeBackupPrivilege	1016	Windows10Upgrade9252.exe
Token: SeRestorePrivilege	1016	Windows10Upgrade9252.exe
Token: SeBackupPrivilege	1016	Windows10Upgrade9252.exe
Token: SeRestorePrivilege	1016	Windows10Upgrade9252.exe
Token: SeDebugPrivilege	6232	Windows10UpgraderApp.exe
Token: SeDebugPrivilege	6232	Windows10UpgraderApp.exe
Token: SeDebugPrivilege	6232	Windows10UpgraderApp.exe
Token: SeDebugPrivilege	6232	Windows10UpgraderApp.exe
Token: SeBackupPrivilege	6712	Windows10Upgrade9252.exe
Token: SeRestorePrivilege	6712	Windows10Upgrade9252.exe
Token: SeBackupPrivilege	6712	Windows10Upgrade9252.exe
Token: SeRestorePrivilege	6712	Windows10Upgrade9252.exe
Token: SeDebugPrivilege	4444	firefox.exe
Token: SeDebugPrivilege	4444	firefox.exe
Token: SeDebugPrivilege	4444	firefox.exe
Token: SeDebugPrivilege	6152	cscript.exe
Token: SeDebugPrivilege	6152	cscript.exe
Token: SeDebugPrivilege	6152	cscript.exe
Token: SeDebugPrivilege	4444	firefox.exe
Token: SeIncreaseQuotaPrivilege	6424	WMIC.exe
Token: SeSecurityPrivilege	6424	WMIC.exe
Token: SeTakeOwnershipPrivilege	6424	WMIC.exe
Token: SeLoadDriverPrivilege	6424	WMIC.exe
Token: SeSystemProfilePrivilege	6424	WMIC.exe
Token: SeSystemtimePrivilege	6424	WMIC.exe
Token: SeProfSingleProcessPrivilege	6424	WMIC.exe
Token: SeIncBasePriorityPrivilege	6424	WMIC.exe
Token: SeCreatePagefilePrivilege	6424	WMIC.exe
Token: SeBackupPrivilege	6424	WMIC.exe
Token: SeRestorePrivilege	6424	WMIC.exe
Token: SeShutdownPrivilege	6424	WMIC.exe
Token: SeDebugPrivilege	6424	WMIC.exe
Token: SeSystemEnvironmentPrivilege	6424	WMIC.exe
Token: SeRemoteShutdownPrivilege	6424	WMIC.exe
Token: SeUndockPrivilege	6424	WMIC.exe
Token: SeManageVolumePrivilege	6424	WMIC.exe
Token: SeImpersonatePrivilege	6424	WMIC.exe
Token: 33	6424	WMIC.exe
Token: 34	6424	WMIC.exe
Token: 35	6424	WMIC.exe
Token: 36	6424	WMIC.exe
Token: SeIncreaseQuotaPrivilege	6424	WMIC.exe
Token: SeSecurityPrivilege	6424	WMIC.exe
Token: SeTakeOwnershipPrivilege	6424	WMIC.exe
Token: SeLoadDriverPrivilege	6424	WMIC.exe
Token: SeSystemProfilePrivilege	6424	WMIC.exe
Token: SeSystemtimePrivilege	6424	WMIC.exe
Token: SeProfSingleProcessPrivilege	6424	WMIC.exe
Token: SeIncBasePriorityPrivilege	6424	WMIC.exe
Token: SeCreatePagefilePrivilege	6424	WMIC.exe
Token: SeBackupPrivilege	6424	WMIC.exe
Token: SeRestorePrivilege	6424	WMIC.exe
Token: SeShutdownPrivilege	6424	WMIC.exe
Token: SeDebugPrivilege	6424	WMIC.exe
Token: SeSystemEnvironmentPrivilege	6424	WMIC.exe
Token: SeRemoteShutdownPrivilege	6424	WMIC.exe
Token: SeUndockPrivilege	6424	WMIC.exe
Token: SeManageVolumePrivilege	6424	WMIC.exe
Token: SeImpersonatePrivilege	6424	WMIC.exe
Token: 33	6424	WMIC.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4444	firefox.exe
4444	firefox.exe
4444	firefox.exe
4444	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4444	firefox.exe
4444	firefox.exe
4444	firefox.exe

Suspicious use of SetWindowsHookEx 34 IoCs

pid	Process
5040	Windows10UpgraderApp.exe
5040	Windows10UpgraderApp.exe
5040	Windows10UpgraderApp.exe
5040	Windows10UpgraderApp.exe
5040	Windows10UpgraderApp.exe
4444	firefox.exe
4444	firefox.exe
4444	firefox.exe
4444	firefox.exe
1016	Windows10Upgrade9252.exe
6232	Windows10UpgraderApp.exe
6232	Windows10UpgraderApp.exe
6232	Windows10UpgraderApp.exe
6232	Windows10UpgraderApp.exe
6232	Windows10UpgraderApp.exe
6232	Windows10UpgraderApp.exe
6232	Windows10UpgraderApp.exe
6712	Windows10Upgrade9252.exe
5732	Windows10UpgraderApp.exe
5732	Windows10UpgraderApp.exe
5732	Windows10UpgraderApp.exe
5732	Windows10UpgraderApp.exe
5732	Windows10UpgraderApp.exe
5732	Windows10UpgraderApp.exe
5732	Windows10UpgraderApp.exe
4444	firefox.exe
4444	firefox.exe
4444	firefox.exe
2096	@[email protected]
2096	@[email protected]
6220	@[email protected]
6220	@[email protected]
2884	@[email protected]
2884	@[email protected]

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5044 wrote to memory of 5040	5044	Windows10Upgrade9252.exe	90
PID 5044 wrote to memory of 5040	5044	Windows10Upgrade9252.exe	90
PID 5044 wrote to memory of 5040	5044	Windows10Upgrade9252.exe	90
PID 1500 wrote to memory of 4444	1500	firefox.exe	103
PID 1500 wrote to memory of 4444	1500	firefox.exe	103
PID 1500 wrote to memory of 4444	1500	firefox.exe	103
PID 1500 wrote to memory of 4444	1500	firefox.exe	103
PID 1500 wrote to memory of 4444	1500	firefox.exe	103
PID 1500 wrote to memory of 4444	1500	firefox.exe	103
PID 1500 wrote to memory of 4444	1500	firefox.exe	103
PID 1500 wrote to memory of 4444	1500	firefox.exe	103
PID 1500 wrote to memory of 4444	1500	firefox.exe	103
PID 1500 wrote to memory of 4444	1500	firefox.exe	103
PID 1500 wrote to memory of 4444	1500	firefox.exe	103
PID 4444 wrote to memory of 848	4444	firefox.exe	105
PID 4444 wrote to memory of 848	4444	firefox.exe	105
PID 4444 wrote to memory of 2292	4444	firefox.exe	107
PID 4444 wrote to memory of 2292	4444	firefox.exe	107
PID 4444 wrote to memory of 2292	4444	firefox.exe	107
PID 4444 wrote to memory of 2292	4444	firefox.exe	107
PID 4444 wrote to memory of 2292	4444	firefox.exe	107
PID 4444 wrote to memory of 2292	4444	firefox.exe	107
PID 4444 wrote to memory of 2292	4444	firefox.exe	107
PID 4444 wrote to memory of 2292	4444	firefox.exe	107
PID 4444 wrote to memory of 2292	4444	firefox.exe	107
PID 4444 wrote to memory of 2292	4444	firefox.exe	107
PID 4444 wrote to memory of 2292	4444	firefox.exe	107
PID 4444 wrote to memory of 2292	4444	firefox.exe	107
PID 4444 wrote to memory of 2292	4444	firefox.exe	107
PID 4444 wrote to memory of 2292	4444	firefox.exe	107
PID 4444 wrote to memory of 2292	4444	firefox.exe	107
PID 4444 wrote to memory of 2292	4444	firefox.exe	107
PID 4444 wrote to memory of 2292	4444	firefox.exe	107
PID 4444 wrote to memory of 2292	4444	firefox.exe	107
PID 4444 wrote to memory of 2292	4444	firefox.exe	107
PID 4444 wrote to memory of 2292	4444	firefox.exe	107
PID 4444 wrote to memory of 2292	4444	firefox.exe	107
PID 4444 wrote to memory of 2292	4444	firefox.exe	107
PID 4444 wrote to memory of 2292	4444	firefox.exe	107
PID 4444 wrote to memory of 2292	4444	firefox.exe	107
PID 4444 wrote to memory of 2292	4444	firefox.exe	107
PID 4444 wrote to memory of 2292	4444	firefox.exe	107
PID 4444 wrote to memory of 2292	4444	firefox.exe	107
PID 4444 wrote to memory of 2292	4444	firefox.exe	107
PID 4444 wrote to memory of 2292	4444	firefox.exe	107
PID 4444 wrote to memory of 2292	4444	firefox.exe	107
PID 4444 wrote to memory of 2292	4444	firefox.exe	107
PID 4444 wrote to memory of 2292	4444	firefox.exe	107
PID 4444 wrote to memory of 2292	4444	firefox.exe	107
PID 4444 wrote to memory of 2292	4444	firefox.exe	107
PID 4444 wrote to memory of 2292	4444	firefox.exe	107
PID 4444 wrote to memory of 2292	4444	firefox.exe	107
PID 4444 wrote to memory of 2292	4444	firefox.exe	107
PID 4444 wrote to memory of 2292	4444	firefox.exe	107
PID 4444 wrote to memory of 2292	4444	firefox.exe	107
PID 4444 wrote to memory of 2292	4444	firefox.exe	107
PID 4444 wrote to memory of 2292	4444	firefox.exe	107
PID 4444 wrote to memory of 2292	4444	firefox.exe	107
PID 4444 wrote to memory of 2292	4444	firefox.exe	107
PID 4444 wrote to memory of 2292	4444	firefox.exe	107
PID 4444 wrote to memory of 2292	4444	firefox.exe	107
PID 4444 wrote to memory of 2292	4444	firefox.exe	107
PID 4444 wrote to memory of 2292	4444	firefox.exe	107
PID 4444 wrote to memory of 2292	4444	firefox.exe	107

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
6652	attrib.exe
6108	attrib.exe
5876	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Windows10Upgrade9252.exe
"C:\Users\Admin\AppData\Local\Temp\Windows10Upgrade9252.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5044
- C:\Program Files (x86)\WindowsInstallationAssistant\Windows10UpgraderApp.exe
  "C:\Program Files (x86)\WindowsInstallationAssistant\Windows10UpgraderApp.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:5040
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5040 -s 1920
    3⤵
    - Program crash
    PID:4240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5040 -ip 5040
1⤵
PID:3800

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1500
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4444
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4444.0.1133154674\1040154297" -parentBuildID 20221007134813 -prefsHandle 1912 -prefMapHandle 1904 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {817761c0-cca8-4d83-864f-29d89471d2ad} 4444 "\\.\pipe\gecko-crash-server-pipe.4444" 1992 28b88404e58 gpu
    3⤵
    PID:848
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4444.1.179644539\1721960012" -parentBuildID 20221007134813 -prefsHandle 2376 -prefMapHandle 2372 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {901c5ce3-5697-464e-a351-5c55f1594d83} 4444 "\\.\pipe\gecko-crash-server-pipe.4444" 2396 28bfa872558 socket
    3⤵
    PID:2292
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4444.2.723059931\1118095674" -childID 1 -isForBrowser -prefsHandle 3680 -prefMapHandle 3676 -prefsLen 20823 -prefMapSize 233444 -jsInitHandle 1440 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {045f1ebf-e8fc-4223-98e2-51840ed28419} 4444 "\\.\pipe\gecko-crash-server-pipe.4444" 3212 28b8affaf58 tab
    3⤵
    PID:4108
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4444.3.1923181218\2015164613" -childID 2 -isForBrowser -prefsHandle 3856 -prefMapHandle 3860 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1440 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b6d9aa09-3618-4381-8ab1-e3f78f36962e} 4444 "\\.\pipe\gecko-crash-server-pipe.4444" 3848 28bfa862858 tab
    3⤵
    PID:1772
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4444.4.1245629915\152869652" -childID 3 -isForBrowser -prefsHandle 4444 -prefMapHandle 4452 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1440 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b9bc38a6-1ca8-4606-a74f-314f757d0726} 4444 "\\.\pipe\gecko-crash-server-pipe.4444" 3244 28bff92d758 tab
    3⤵
    PID:2756
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4444.5.53681774\913080083" -childID 4 -isForBrowser -prefsHandle 5188 -prefMapHandle 5172 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1440 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {caca4e43-a05b-49f0-acc8-34813cad1942} 4444 "\\.\pipe\gecko-crash-server-pipe.4444" 5196 28b8c82bb58 tab
    3⤵
    PID:5328
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4444.6.1874181086\517906128" -childID 5 -isForBrowser -prefsHandle 5332 -prefMapHandle 5336 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1440 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {25cca580-8687-4fb3-a98b-35697e6a9c65} 4444 "\\.\pipe\gecko-crash-server-pipe.4444" 4864 28b8d6f1f58 tab
    3⤵
    PID:5336
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4444.7.133918794\1091840930" -childID 6 -isForBrowser -prefsHandle 5320 -prefMapHandle 5324 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1440 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b67bcfca-c69f-4ac2-b40c-040a2bfff41d} 4444 "\\.\pipe\gecko-crash-server-pipe.4444" 5196 28b8d6efe58 tab
    3⤵
    PID:5344
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4444.8.1664570242\63859491" -childID 7 -isForBrowser -prefsHandle 5888 -prefMapHandle 3200 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1440 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {819d5e43-188b-4007-b1c9-41f330f2b519} 4444 "\\.\pipe\gecko-crash-server-pipe.4444" 2952 28b8d890b58 tab
    3⤵
    PID:5784
- - C:\Users\Admin\Downloads\Windows10Upgrade9252.exe
    "C:\Users\Admin\Downloads\Windows10Upgrade9252.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1016
  - - C:\Program Files (x86)\WindowsInstallationAssistant\Windows10UpgraderApp.exe
      "C:\Program Files (x86)\WindowsInstallationAssistant\Windows10UpgraderApp.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Modifies Internet Explorer settings
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:6232
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6232 -s 1952
        5⤵
        Program crash
        
        PID:6548
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4444.9.136825546\1585567157" -childID 8 -isForBrowser -prefsHandle 6856 -prefMapHandle 5132 -prefsLen 27456 -prefMapSize 233444 -jsInitHandle 1440 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7eb1f3cd-fa7e-4c25-85f3-e163d353bcd9} 4444 "\\.\pipe\gecko-crash-server-pipe.4444" 6852 28b88a39f58 tab
    3⤵
    PID:1064
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4444.10.768621710\1495196951" -childID 9 -isForBrowser -prefsHandle 4364 -prefMapHandle 5712 -prefsLen 27465 -prefMapSize 233444 -jsInitHandle 1440 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fc960d63-8e4f-46d8-a7ec-43aa43099c3f} 4444 "\\.\pipe\gecko-crash-server-pipe.4444" 5348 28b8f641958 tab
    3⤵
    PID:6632
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4444.11.480794245\1169899230" -childID 10 -isForBrowser -prefsHandle 6672 -prefMapHandle 6588 -prefsLen 27465 -prefMapSize 233444 -jsInitHandle 1440 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fd4a5661-6f9d-4a0f-be7d-d0f7ac392a2c} 4444 "\\.\pipe\gecko-crash-server-pipe.4444" 9744 28b90d55c58 tab
    3⤵
    PID:6400
- - C:\Users\Admin\Downloads\WannaCry.EXE
    "C:\Users\Admin\Downloads\WannaCry.EXE"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Sets desktop wallpaper using registry
    PID:5592
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +h .
      4⤵
      Views/modifies file attributes
      PID:6652
  - - C:\Windows\SysWOW64\icacls.exe
      icacls . /grant Everyone:F /T /C /Q
      4⤵
      Modifies file permissions
      PID:6852
  - - C:\Users\Admin\Downloads\taskdl.exe
      taskdl.exe
      4⤵
      Executes dropped EXE
      PID:6092
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c 243591711470541.bat
      4⤵
      PID:7068
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript.exe //nologo m.vbs
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6152
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +h +s F:\$RECYCLE
      4⤵
      Views/modifies file attributes
      PID:6108
  - - C:\Users\Admin\Downloads\@[email protected]
      @[email protected] co
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2096
    - - C:\Users\Admin\Downloads\TaskData\Tor\taskhsvc.exe
        
        TaskData\Tor\taskhsvc.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:4504
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c start /b @[email protected] vs
      4⤵
      PID:6624
    - - C:\Users\Admin\Downloads\@[email protected]
        
        @[email protected] vs
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:6220
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
        6⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6424
  - - C:\Users\Admin\Downloads\taskdl.exe
      taskdl.exe
      4⤵
      Executes dropped EXE
      PID:4288
  - - C:\Users\Admin\Downloads\taskse.exe
      taskse.exe C:\Users\Admin\Downloads\@[email protected]
      4⤵
      Executes dropped EXE
      PID:3108
  - - C:\Users\Admin\Downloads\@[email protected]
      @[email protected]
      4⤵
      Executes dropped EXE
      Sets desktop wallpaper using registry
      Suspicious use of SetWindowsHookEx
      PID:2884
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "eexnwotxq447" /t REG_SZ /d "\"C:\Users\Admin\Downloads\tasksche.exe\"" /f
      4⤵
      PID:4436
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "eexnwotxq447" /t REG_SZ /d "\"C:\Users\Admin\Downloads\tasksche.exe\"" /f
        5⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:2632
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4444.12.1820309792\1052745141" -childID 11 -isForBrowser -prefsHandle 9108 -prefMapHandle 9224 -prefsLen 27474 -prefMapSize 233444 -jsInitHandle 1440 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aeae7ac1-2cc4-496d-8342-6e693da04e80} 4444 "\\.\pipe\gecko-crash-server-pipe.4444" 9952 28b89be2f58 tab
    3⤵
    PID:6268
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4444.13.460411771\2022190470" -childID 12 -isForBrowser -prefsHandle 4512 -prefMapHandle 4508 -prefsLen 27474 -prefMapSize 233444 -jsInitHandle 1440 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d93ba69d-2acc-4805-bda3-61bc9c10ed9c} 4444 "\\.\pipe\gecko-crash-server-pipe.4444" 4740 28b89be3558 tab
    3⤵
    PID:2512
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4444.14.1519163799\1782981324" -childID 13 -isForBrowser -prefsHandle 4540 -prefMapHandle 5192 -prefsLen 27474 -prefMapSize 233444 -jsInitHandle 1440 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {85fc68c0-6f4d-4471-b6a4-f595f8b651a6} 4444 "\\.\pipe\gecko-crash-server-pipe.4444" 4676 28b89b70b58 tab
    3⤵
    PID:1116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 6232 -ip 6232
1⤵
PID:6512

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5272

C:\Users\Admin\Downloads\Windows10Upgrade9252.exe
"C:\Users\Admin\Downloads\Windows10Upgrade9252.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:6712
- C:\Program Files (x86)\WindowsInstallationAssistant\Windows10UpgraderApp.exe
  "C:\Program Files (x86)\WindowsInstallationAssistant\Windows10UpgraderApp.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:5732
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5732 -s 1932
    3⤵
    - Program crash
    PID:5304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5732 -ip 5732
1⤵
PID:6120

C:\Users\Admin\Downloads\WannaCry.EXE
"C:\Users\Admin\Downloads\WannaCry.EXE"
1⤵
- Executes dropped EXE
PID:5652
- C:\Windows\SysWOW64\attrib.exe
  attrib +h .
  2⤵
  - Views/modifies file attributes
  PID:5876
- C:\Windows\SysWOW64\icacls.exe
  icacls . /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:6972

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1364

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:1520
- C:\Windows\system32\taskkill.exe
  taskkill /f /im WannaCry.exe
  2⤵
  - Kills process with taskkill
  PID:7140
- C:\Windows\system32\taskkill.exe
  taskkill /f /im @[email protected]
  2⤵
  - Kills process with taskkill
  PID:1760
- C:\Windows\system32\taskkill.exe
  taskkill /f /im WannaCry.exe
  2⤵
  - Kills process with taskkill
  PID:5412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WindowsInstallationAssistant\Configuration.ini

Filesize
27B

MD5
ca22263c7a6f965df18f5c601f5db7ce

SHA1
e4b1a401ed497523a583ae8613646b03778a33a6

SHA256
299fa3043627954c524b6171c26fcc3513790310aa2561e6f012eff15254381c

SHA512
3cd39b438f7cb34b38f32240b1ba6a5010f49e12123db770460cf74217bc6946e2032355376c203b68863ee85596d21aa7b2d77c94da48a54def111d147311f8

Download Submit
C:\Program Files (x86)\WindowsInstallationAssistant\Downloader.dll

Filesize
197KB

MD5
5b62ad6ae42f32806062ad1bcb3e2de5

SHA1
8d4a543eac9643931fcb620cd588e2cc1067920a

SHA256
96f7b268820511abeeb6bbfad0918cf9161366bc2f558ef7f011331e7de1d6f3

SHA512
af5bdbc5019b56eb9a32b6d264388e309e36013d43dbe09c61224ba6fabf1ff905371bc5b6ddaa0d5bfedae99cc5a7051f13fbf26cc756793799e568094eabcf

Download Submit
C:\Program Files (x86)\WindowsInstallationAssistant\Windows10UpgraderApp.exe

Filesize
3.5MB

MD5
ab38a78503d8ad3ce7d69f937d71a99c

SHA1
00b6a6f09dd45e356ef9e2cacd554c728313fa99

SHA256
f635cd1996967c2297e3f20c4838d2f45d1535cfea38971909683e26158fb782

SHA512
fe8e4c6973cb26b863ef97d95a7ae8b1b2dbce14bf3b317d085b38347be27db1adc46f5503c110df43e032911e5b070f3e9139857573fffdafff684f27ef1b8f

Download Submit
C:\Program Files (x86)\WindowsInstallationAssistant\Windows10UpgraderApp.exe

Filesize
1.8MB

MD5
22735f32273b96c53299dd96d3651189

SHA1
8b6e35e6d18a35e60c68824e4a4e97edae041414

SHA256
f306aacfb53c22e5c27c03eb2b53accde9f43dda3d55928cc47e92e2947efdd5

SHA512
37e4c9a6b8ddc25dda2f962a6ca5261dd21853fb06ea9fd933280c1332874c421166150d9e53a10b2a22894641971d7c762561ed93f947d2e2512cdb10307318

Download Submit
C:\Program Files (x86)\WindowsInstallationAssistant\Windows10UpgraderApp.exe

Filesize
1.9MB

MD5
a6663a421fb4b3e86247ed6d7d0fccd3

SHA1
58d03c9fe7c85014ce8d5d9bb3a4e644ef6ca97e

SHA256
fc66d354488872e6c3271401c7f9fae753908f67730dc2e242518549787bd839

SHA512
fbf8c3543796d54214c54f0814e28c4f8754f5282b83be1a1c230b068ee5a53a48602e0102abd3093de0a0779cd0726394d3c43540e805b038ab613e9921bb9e

Download Submit
C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA.css

Filesize
82B

MD5
b81d1e97c529ac3d7f5a699afce27080

SHA1
0a981264db289afd71695b4d6849672187e8120f

SHA256
35c6e30c7954f7e4b806c883576218621e2620166c8940701b33157bdd0ba225

SHA512
e5a8c95d0e9f7464f7bd908cf2f76c89100e69d9bc2e9354c0519bf7da15c5665b3ed97cd676d960d48c024993de0e9eb6683352d902eb86b8af68692334e607

Download Submit
C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\default.css

Filesize
5KB

MD5
7f5fcac447cc2150ac90020f8dc8c98b

SHA1
5710398d65fba59bd91d603fc340bf2a101df40a

SHA256
453d8ca4f52fb8fd40d5b4596596911b9fb0794bb89fbf9b60dc27af3eaa2850

SHA512
b9fb315fdcf93d028423f49438b1eff40216b377d8c3bc866a20914c17e00bef58a18228bebb8b33c8a64fcaaa34bee84064bb24a525b4c9ac2f26e384edb1ff

Download Submit
C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\default.htm

Filesize
60KB

MD5
b2a06af2867a2bb3d4b198a22f7936b3

SHA1
98a28e15abdd2d6989d667cc578bf6ab954c29f5

SHA256
40f468006ab37ef4fcc54c5ff25005644f15d696f1269f67b450c9e3ce5e8d23

SHA512
eefc295a7cd517c93bbeadee51ab778f371be8b21a92b0c06339da2e624abd19c34907e0a8965e6bfe81863752c56cc509fcf015a3ee986d208a5fc7cac8bfc5

Download Submit
C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\default.htm

Filesize
57KB

MD5
9d8b2fbc314f6513278dd48240571ed9

SHA1
ce6b3b73b07c04f78915ecb006986cf2b62e32c9

SHA256
945b78bf7c335f79352218b11717eada9c1dfd1507caa4a1de172182665f24ee

SHA512
cf203916f30138490a048c5d256c76b07932e5e337f0090286bdfbc40f75edaf9806dd5b2c3489bd60c19fb208614767ed5d3099fb1c8f395ee495e2b6dc444f

Download Submit
C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\loading.gif

Filesize
16KB

MD5
1a276cb116bdece96adf8e32c4af4fee

SHA1
6bc30738fcd0c04370436f4d3340d460d25b788f

SHA256
9d9a156c6ca2929f0f22c310260723e28428cb38995c0f940f2617b25e15b618

SHA512
5b515b5975fda333a6d9ca0e7de81dbc70311f4ecd8be22770d31c5f159807f653c87acf9df4a72b2d0664f0ef3141088de7f5aa12efc6307715c1c31ba55bb6

Download Submit
C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\logo.png

Filesize
2KB

MD5
afeed45df4d74d93c260a86e71e09102

SHA1
2cc520e3d23f6b371c288645649a482a5db7ccd9

SHA256
f5fb1e3a7bca4e2778903e8299c63ab34894e810a174b0143b79183c0fa5072f

SHA512
778a6c494eab333c5bb00905adf556c019160c5ab858415c1dd918933f494faf3650e60845d557171c6e1370bcff687672d5af0f647302867b449a2cff9b925d

Download Submit
C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\marketing.png

Filesize
420B

MD5
0968430a52f9f877d83ef2b46b107631

SHA1
c1436477b4ee1ee0b0c81c9036eb228e4038b376

SHA256
b210f3b072c60c2feb959e56c529e24cec77c1fcf933dcadad1f491f974f5e96

SHA512
7a8a15524aecdb48753cc201c215df19bc79950373adc6dd4a8f641e3add53eba31d1309bf671e3b9e696616a3badce65839b211591a2eeebb9306390d81cfcf

Download Submit
C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\@[email protected]

Filesize
585B

MD5
99acb945265723edead374b02a55d663

SHA1
aa83782f50e227cff50469d4042203cf6e47e625

SHA256
9ae435f007268b74286f14009d2335ed4ef0b8d7cc4b6c3bcd89eaa54c9f0273

SHA512
90c4e7c5ccd81b096fd585b73f4f6b3fbffe8d095cbff18edcd478fba2b3f133ca1c9013563282639cd65c463896048c131c095cf87009e5ee7ab810824adef3

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\gaix9yhh.default-release\cache2\doomed\19060

Filesize
9KB

MD5
3e7991f954dc360f7e4a05cec4ed4247

SHA1
f174a326aa954a3c66530874c76bc21cdfbff86c

SHA256
cb2cffe14262b90908e3367f0b0dece9f6db28ef6cafbed89078f4610c3111b7

SHA512
95d447a5e3a273486b85621f7adab0db3d17526ef090076829b68d78978a71c5ba274d15a67a10adbe23f3c7a3a0ac576accf562fcfa7e80c8120a8582a93aa8

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\gaix9yhh.default-release\jumpListCache\FozodaIYjM6XkkoR9qkY3w==.ico

Filesize
965B

MD5
c9da4495de6ef7289e392f902404b4c8

SHA1
aa002e5d746c3ba0366cd90337a038fc01c987c9

SHA256
13ec8c9e113de6737a59d45ea5a99f345d6cba07f9a820bb2297121b8094790f

SHA512
bb72f0cc815e7b4c44959808b153aad28dbced8d97e50f83ef90229d19ea1c4b3fffff650bf49efe562451fcae0325cdbdffc1a5c4ec5d2c7c70ae9d1a0d8a16

Download Submit
C:\Users\Admin\AppData\Local\Temp\WXU2834.tmp\ESDHelper.dll

Filesize
59KB

MD5
c61dcf4db82482a4498fcca646a6c640

SHA1
981bf318813c54e94efe04cc20dc6ac070adcfe9

SHA256
c98289454cdcb2266e82204af73a799b09458a899cdd8366e24fbb613273c0ff

SHA512
6b26c8e4c1c15f224a5d196524f35583f1e2f878fa2532a199be068d89c06bdbafd2ca3e740b1ed104844d760e62b25d8a6d589c511ed6fe2713b925949ab2af

Download Submit
C:\Users\Admin\AppData\Local\Temp\WXU2834.tmp\GetCurrentDeploy.dll

Filesize
128KB

MD5
a4d884d459e4fbfcf51f1a0a8d5e9e9d

SHA1
6a6c9ef52606f1c17b03ff95baee9a38687d34a9

SHA256
0f52fcef954d8d1e892df6025eb686f1ad843e10428ecb14c9e515c40ab29aca

SHA512
262d68c3ec194022d69411c95f0c53e34a84888ae194b8fa2d8e556f154949298c3268b132a4711533e5e19f52a36b5537c24832e23e9243b1d952530531858c

Download Submit
C:\Users\Admin\AppData\Local\Temp\WXU2834.tmp\GetCurrentOOBE.dll

Filesize
64KB

MD5
844330ea4b4e839d39aeb335a6c0962a

SHA1
976090f4c2532e8b0098b92306d824918248da56

SHA256
3d5e643aab1e35c0c7311f3106e803c02bdd7f0f40434112b4777308b55f4a60

SHA512
dd8036040b2b3e844db107257c7a689059a5080e7c186b7ca98db7278913a4a505883b94decf2edec6887514bc85ddd268f4c3c374b164d2432731c6404f9983

Download Submit
C:\Users\Admin\AppData\Local\Temp\WXU2834.tmp\resources\ux\Microsoft.WinJS\js\base.js

Filesize
1.2MB

MD5
221c534deb612992681b0a2fb55bc5ed

SHA1
1ac3eb5a4ea6a0d876f8077e87357fccba472323

SHA256
7b67ab12bd5dcc229ea7f197fcb7723b1c41a517e198fad31020d8fea42e9715

SHA512
c9bd493fad305eb4c881eb6c9aa1daf672ec3531ca4871c44f3383b48389db24232b6dfe35ab6e82a5c8bc1a38f68b57fd30e2fab35bd6237d751285fd74444e

Download Submit
C:\Users\Admin\AppData\Local\Temp\WXU6AB0.tmp\appraiserxp.dll

Filesize
363KB

MD5
cbb270591c9a1bfb1b10559ab672f705

SHA1
fed0d59d60709b5b05b9d31030ea7a5422767a7e

SHA256
770a9a15e1eb8e2729f23a3d262b55bef16e4bb7822a2d16eeac3db35a116d7f

SHA512
67c4154d47981f22965966aa823dc0e05872b2f6d8fc7d80b4130f1cdb8bf9f326a20980e29c085e2940fc1f7b033b85d2eb192f5bda2da136364a842ea20f6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WXU6AB0.tmp\resources\ux\Microsoft.WinJS\css\oobe-desktopRS2.css

Filesize
40KB

MD5
415d4bb726c52bd91be8f3afd81e50cc

SHA1
9732e1e6aeb13a6f180b21bb5bd8a4acf7d96dbd

SHA256
c6dd0940a263382fb735f1cdc8550234f9c081625bfe2e5363cb8bb65cc06440

SHA512
c7a8b805027906d8b67d50773a7e362f2e87d3af61b23fab33aec929e21f42610a35f857ede9a17772c5f2b42c1382f8daf7240b76f3996aa65988a87c367847

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
20KB

MD5
29bff2f30964d9f68ec33c71679e9d2d

SHA1
c16d906a546f86a621c7b01dfbd762874d86c757

SHA256
9014a22dac51fc8fc505f348df6361a9e6a9a52bb1ad82c7de99a8765c3bb79c

SHA512
fa0553a83f93fe74d59a464f8a8220522c43accd71d5064fd4d0ab05a3f08e6021f1a85209df10bc94d1d8c0646730795d7034d366789c8da1add4f2942657f7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
19KB

MD5
938db3c290b1235def358a870ea6273c

SHA1
a90e09fb404f975d6b7cf2c8f408cc71337afb68

SHA256
03124b54d2df7c7eee36639123f188e0769739e99a17e8290055b05e16089074

SHA512
b5efafa8acac71aeaf75da31096bcfa2eef011496aa49237e639726d53ff672f7c3ec3361b7fe876a4894ee2840b3f404268048714cc9f2c4a097a2602970a7f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
13KB

MD5
5f86905a8119919c2920b28353885d5d

SHA1
03828e0829dd6474188b016b8525f1605c0cb09b

SHA256
80af7ac2cf3114c948c4d6dbdc5b64c345f0321ea259f10a3d4f937487ba170a

SHA512
cafa238b10a3cb27274157bbe7ae4a77e2b1ae5a88077224c0e0041e795cc1bb69d9ae6eb5b3cb81c0b83d7c554ee3240cc99b9bd77cbe7982a9c5f189b11df0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gaix9yhh.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
96434752b5d8321ec3a007c18b307481

SHA1
65f4785df03a9b0ebbb8c01f746d53bd1df89de7

SHA256
3cc0b2f6a43af25fbc22eb5ae1be5b146a9b8ee7353051df90fe38805d0c14c6

SHA512
44f652096067d042d31bf7baa62eb3c12a73ee3a7daf02ada6c8ea26a1fc9e694abbecbc1f3fc0c22456f7a367a5100c7c3cb1032a31b8e604b9b5851ac95289

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gaix9yhh.default-release\datareporting\glean\pending_pings\08304748-18e3-45f4-86be-2408a5a132ea

Filesize
12KB

MD5
9bb70b8aa1b51de54faed15800274881

SHA1
e6b5d18806f942a4c4aa973fcad7fbd290e2d6a7

SHA256
d9ddc6448b8476552e6281392ee85a3ede6a7568bf9ef86ce565229dac178ac8

SHA512
97bb4c7439446e8a32070feff85f4e56b2f6f04497f21d675da6764d7407174e651c2e0403360d9f4528a57d2366e7ff6bc2c30b14ac3020a901ffbe7df74b28

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gaix9yhh.default-release\datareporting\glean\pending_pings\e50a3cc5-f985-444d-89ad-4873f4cdd2a8

Filesize
746B

MD5
86e6cb4eb6a2917a9da4c9b34377c6a9

SHA1
9cd748c546ddcdcd659d99cf9473b87c1a40fd66

SHA256
d1544f5b4fb0d257dc156658898d8bde9f0483964eb0d7228d6f545589b2fe26

SHA512
eb4ffd50027344d94ec6b55c1dd80937a05273bc124c40d28328ec1d6cc0d0d9808ed8e11c7394ed8ef5d29d83bf4bf781f09229c86228a77cf8ebc5df2cd856

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gaix9yhh.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gaix9yhh.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gaix9yhh.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gaix9yhh.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gaix9yhh.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gaix9yhh.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gaix9yhh.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gaix9yhh.default-release\prefs-1.js

Filesize
6KB

MD5
7ca70e9922f8a5d08bfbdde8b10ec850

SHA1
7928454dc632fea2da2546df257fdcb0651ac651

SHA256
7a5275688e89a7b448d09e9c26f67ce141bd1c21c13b7af363bd6f21e826e782

SHA512
9ccb40c506975a5143f5dfa5b1fda0a713feb6de7c6f784e0e1869c848fd2c08ed46748745a6435ad10e1b5e7eae5d6a098534671171c89a9c960d5c4a852e47

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gaix9yhh.default-release\prefs-1.js

Filesize
7KB

MD5
cb72ccdde09e5626b95870ca115d27c0

SHA1
4d8191be988b1d3063e83f87f75b2c4c47f29f14

SHA256
f041386cbe79530529015ef348e697906bfb4993f79128f9336a7738aa3cc671

SHA512
13fa82b7eae13137176772108adcc4a72fd8cb218aed9900dc682487a429ce36c7d38e7576ff9bc69a07eb382cd090c218263dbf6df63c3acdbe927d5dccec2b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gaix9yhh.default-release\prefs-1.js

Filesize
6KB

MD5
b015e2d1d6ac67dd7ca17c9552d6b471

SHA1
fd40d3902ef188cb405f383a1d1b53cf359d4c34

SHA256
a70417f77bced33ca1959a310e631260fb6aeaf71002a0a6c628b2629dde415d

SHA512
2f7ebc606d2e4a6e77e24c79946a7bec095534d9b3cfa281bd309af7fb4f73674af57f99d677e43b6911ec41f3b9736210c1d3134405141e00562681d24bcb93

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gaix9yhh.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
04da2895364515d015391d737e0b6830

SHA1
0926651a657322e4faafa94e5b4077d75567a108

SHA256
f74e8ddf87d2c0dfd9b8ed718a50aae8ca71ad4875213cda76232d67f6184307

SHA512
b8cb928361b1d7e2a38009bdf796e3b5f0b7ae2c5700bb0507da2da5e41305cd98c99f56969f280cd015a0beaeffb1bd6d035c46d28ccd389a53ea0f950dc784

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gaix9yhh.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
4a083f9e29c200ae989049dbcf41ea97

SHA1
206392aa2e1b37e34081bc975b12d884fff8d8e6

SHA256
d891f458e8987fa45aa4a433c9850d7588235bdc736e94e3dfa5cea21c237c8b

SHA512
ef35ca37a8b95237cc2aaedbf49ed5106e9ab32a3a2b3924cae3ba3b1487d51005fd643ba1e20618e321ea7e7b6a5fb3982a30bc42f5529907395b05dc3dfff4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gaix9yhh.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
5KB

MD5
1d696526120a1bf5108341c077805c52

SHA1
3633550640a154221f6956bb304a2e17c47123b7

SHA256
6e54fe7c177c51d31dcd10ac72d6d5841106bff374aaa13cc936db4151914858

SHA512
8ef54026f27e698a28f3d9b48024ebc36929ac16e7354722a51d189d9cc5e519135a93cbcca0be99bfe15e1049b71132fcb2a7dab40c6a4badbb4e061efce3b4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gaix9yhh.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
6KB

MD5
bac587754a00bdc4f9a797c5a1e98ac2

SHA1
881d02113cb32ea30fac494138507dd0ad9c158f

SHA256
3937d7195a3302d805f320465ecb921d32792912f591afb5068c9829da7373a1

SHA512
0c263529ccf4d498750095ba766f0fe9883646e0bdc483c3d0710edd3587e0d1a9eba7832532257204f5d54c1e6b7c6a0cda2f911c1146327b8d13db0ae3215e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gaix9yhh.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
8KB

MD5
b3a137c8e26779ee918e8d3d29239fb2

SHA1
690e49355660489003bf296d01471b1e3f1b61d4

SHA256
271518cb29b31d6ec97cab320a7ca84086c76ad7a132321793a12c8f4942ccb6

SHA512
79bae8af867688e7c9c0de61ca754b9cd7aedd709ed785cc470cf37b90293bc8d9126c5ca066a9a85910ba87d898cf5ec4d9c51c3c3561c7c9dbe4c92ceae34a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gaix9yhh.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
2KB

MD5
76c53f6529b7e089d741392b4479ff4a

SHA1
17f280bb55bd432bee6b33967d522224b1688b8c

SHA256
d029bff9df71d47c9603df88a48dfb73d7f726b58f3ac0024b9f527e1584cec9

SHA512
3046fdc55ec957c45f4b5389b648512b3b124335432e0d7f5033cd8714635630c9ec99889ae10f6ee4462f92190033f22b27b8e5f463ca1ee7025c18fa072a9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gaix9yhh.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
5KB

MD5
581e2adbb910a2e1f0b325e95caa0048

SHA1
b49662e00b0a1e05d891f8902ad059f670b62a94

SHA256
5dd55f8ad558bb4dd485e921e33c113ad04cf5c47001f214bb1edf0a74590ecd

SHA512
098db42c01236abba8a6a72ef65caa542ea4d21c326fe0f6069cbf66a2f9370d8001e43605710e8170177c9141c559e65400415361b57741958fcef96f83a4b7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gaix9yhh.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
6KB

MD5
93ce8dbf88d516e21fb2a5dca964d691

SHA1
28e78e00a498655c52a4d5ae2c6c4963cae1ad33

SHA256
1d22daaf658e9e23f523cc676fdf6adc46f0a2686a44299222e6afd091631e51

SHA512
3cb98626443b37b025b5aaa7898f0f1b365cd52ee19d379934b7fd6128acb6db3f74104f832eb7135e81765281237b4d520e60bf3149e1dca2fbca38ef0ff203

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gaix9yhh.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
7KB

MD5
b64338af0085fdff0568727f45e4762b

SHA1
047e45fdac81eb7ea98ec5301472cc53dfefb2f6

SHA256
88938b79499b65578fbcbee058dd9f36c0f7e918073328eec34bb13e91be0856

SHA512
f14db3bf438e89901803b75f4829f857636f9f1ce26ddeaddfcaa578fce0cceb293a003fdb5ca6b7739b4551c1c6d5cb3c0d373cb1bc693870b26682bdc6b61b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gaix9yhh.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
8KB

MD5
42c3453102f91a5196b4109bda05c941

SHA1
171cdb89e2ce18735995c55769a15f7ef14f226c

SHA256
62a5c1adb4fb752d6ad7d4f5cb17f4282f34483152a7930cd7e5e6404da2dbe7

SHA512
446691922dfb67d5cdebac76f421d0a4db6ddf84c02b325c8110ac8692fbdbc363cd5d48a35b3b4c99a1b8a245f719d775bb6ec4448bd3b71237b12bba104589

Download Submit
C:\Users\Admin\Downloads\@[email protected]

Filesize
933B

MD5
f97d2e6f8d820dbd3b66f21137de4f09

SHA1
596799b75b5d60aa9cd45646f68e9c0bd06df252

SHA256
0e5ece918132a2b1a190906e74becb8e4ced36eec9f9d1c70f5da72ac4c6b92a

SHA512
efda21d83464a6a32fdeef93152ffd32a648130754fdd3635f7ff61cc1664f7fc050900f0f871b0ddd3a3846222bf62ab5df8eed42610a76be66fff5f7b4c4c0

Download Submit
C:\Users\Admin\Downloads\@[email protected]

Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\Users\Admin\Downloads\TaskData\Tor\tor.exe

Filesize
1.8MB

MD5
91ffb48289d9f69865e0bd6af94ca3a1

SHA1
0e9d101829efc910410e6df39d980708f9ca1494

SHA256
b7b965d9a80338d467df4fc9a37dbb58344b27f9529c500722ae1375c53094c7

SHA512
26f49a82bba38aba4b3c9c910dd137f03de24fe41c3a18d6002c398d6e93d02eb2794100a3ce5ae357fe7b811dc63bb562d7e8c04be6a08113e39796903515bf

Download Submit
C:\Users\Admin\Downloads\WannaCry.yIBIoB9u.EXE.part

Filesize
76KB

MD5
1f69275c9544eed0cd90f96c06e17e8e

SHA1
946df9b84bd7bf5b7b7b90df28f37dc7cd8ede23

SHA256
e58e15ad72080af24d7ed3eaaf0bb303b799b56d25cd95ac468269108f1f2c3a

SHA512
d1c74f7facd413e55fd0373dd732c18d85b7f9b894029da1de43308ae5fcd326309194a2a1bb8e7d34989fc6a0c8a5e265ea0f07cda2398ca9ecf645361284b9

Download Submit
C:\Users\Admin\Downloads\Windows10Upgrade9252.52fKVjMs.exe.part

Filesize
128KB

MD5
0b3135d9ac1660a906bae694d8fcc5a9

SHA1
128ffd3699162f5ce483866338e16cec1fcf2a2c

SHA256
1e95d30d6983696ead639187f1bc59ef254ed6b03a7fc87821e0c52bdaad9c8e

SHA512
40bf58c418266643888a1125164caec3b217c2e46a5b5e9df84d3cfb96ad1d9efe5ca1b9f4c2aa3b442a991bc7a2743014a48b7e6e5d4d2960ab5a77ae91b5b5

Download Submit
C:\Users\Admin\Downloads\Windows10Upgrade9252.exe

Filesize
1.1MB

MD5
d4249b12dc365ecaa5b3e93c731d922f

SHA1
b1b13ce05bd59194e70803e940905875cecef8b6

SHA256
04b672d243a34c18923fe982cd3bc4a119a458f216de68f74d706467851979a8

SHA512
0bc57e0f7774f79d9d345a171519ca96e989caa6cca27eb60d697de15fe844bff9e70a102c3a9deece46ef8fd2a581283cf9e9bfd615481c87afec6f49e16a8e

Download Submit
C:\Users\Admin\Downloads\Windows10Upgrade9252.exe

Filesize
1024KB

MD5
c4d744b19b47f7e2a93f857d1d5c0907

SHA1
a909d47dbf7eeced48040a90357ee1c5d23c8a3a

SHA256
77f4c399b84d9eec484015fecc75c89ad0c3e561241c22dfc0f90c552d4bf3a4

SHA512
cf17f2a2e731143d0505138989798c4d6485164a654036869aec3dd1fc78ef20dd763a46c2db6524f7bedf208b73f7ae9a28afb2d447f9d16b596b42c672f6da

Download Submit
C:\Users\Admin\Downloads\Windows10Upgrade9252.exe

Filesize
3.2MB

MD5
c0b25def4312fbddbcc4f01c6c0f5ba6

SHA1
8d16a183d61233e7d6b6af7b3cafc6645ac2acb1

SHA256
c0424d0ae06ca1e6e0249b40d33ac40d74075856d543ec0924884664fba52b79

SHA512
8c67619747bb108dae5661688ec8fa4c62bc6ac38ee6ff14a4691aab04d7ddd870fee4262cb30624a6bd85ac1f7595af05311496b0336f979e7e5f797791bc0e

Download Submit
C:\Users\Admin\Downloads\msg\m_filipino.wnry

Filesize
36KB

MD5
08b9e69b57e4c9b966664f8e1c27ab09

SHA1
2da1025bbbfb3cd308070765fc0893a48e5a85fa

SHA256
d8489f8c16318e524b45de8b35d7e2c3cd8ed4821c136f12f5ef3c9fc3321324

SHA512
966b5ed68be6b5ccd46e0de1fa868cfe5432d9bf82e1e2f6eb99b2aef3c92f88d96f4f4eec5e16381b9c6db80a68071e7124ca1474d664bdd77e1817ec600cb4

Download Submit
C:\Users\Admin\Downloads\msg\m_finnish.wnry

Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
\??\Volume{ef76cfc2-0000-0000-0000-d01200000000}\Program Files (x86)\WindowsInstallationAssistant\Configuration.ini

Filesize
40B

MD5
51ddd33b146cc550591608dfd8bd5852

SHA1
5f3c2e218369bbe6ea3302348cb6f79df1b1b744

SHA256
1dbee252f9d0765ad4203577e0c7d67678f4406f94f60fa2b6b5a2a642ecc649

SHA512
4d25994b063dc6662d90f7c75199f66c695968f258afb80007a7d4700019211f6045e3834b7c34de93659b965bb4ce6b229c1db57b9dd5d4ec7c9555e653af51

Download Submit
\??\Volume{ef76cfc2-0000-0000-0000-d01200000000}\Program Files (x86)\WindowsInstallationAssistant\GetCurrentDeploy.dll

Filesize
404KB

MD5
410fac98056ab0be74e4539a4c0eaaff

SHA1
10a66618bd67f26b3b6e418df4aeb93f0e599c2b

SHA256
09ec6dc5cb94160b2c4d9f1f4224a7dc1951f227dd311acb1bc4335f23db9b24

SHA512
84999daecb8fce1c4c76ac2527278ca7896c5e90ec37754bb0f10f3cb391adc338cde923c51a3ffa90d49ebbf0516f7632889970efb20ee6ea797185edf74222

Download Submit
\??\Volume{ef76cfc2-0000-0000-0000-d01200000000}\Program Files (x86)\WindowsInstallationAssistant\GetCurrentOOBE.dll

Filesize
126KB

MD5
c062b03a177cf1d25b91d0a911784533

SHA1
dd96534252e07bb6db047bf990a3caed70e05cc3

SHA256
396df40adac039f8a6847b7c8efff7dfead7a77b93e12b0b141a4cfa808c0035

SHA512
27850b93c3f33e1c6672cea4e0a1d572375f0dd8c9f2d3521f1060123eacdc9da456447afcc23ca751222941e09d611fdd80d236b7620b15b12c16f133d6e41c

Download Submit
\??\Volume{ef76cfc2-0000-0000-0000-d01200000000}\Program Files (x86)\WindowsInstallationAssistant\GetCurrentRollback.EXE

Filesize
64KB

MD5
d705a34a869ac46e3f07c9be3ea1693a

SHA1
b21847a23ed6d0b7c04c0519ef0e11b5e422c3b1

SHA256
0436deda2dbbd46d74e4a83b5897ba26a3ec35a9ab77d4b46e7477d9cdd213b8

SHA512
cfe243ab1385ee1086c50f434a934654b5bbc6fb4e9b562bf1738c2f7b50a49f22e748d2b71d9f69bad505272de70e4be09d8cf13475121defec1e6aeb923479

Download Submit
\??\Volume{ef76cfc2-0000-0000-0000-d01200000000}\Program Files (x86)\WindowsInstallationAssistant\WinDlp.dll

Filesize
1.0MB

MD5
87bc3d50a51cae672f2e3ed50691e5b5

SHA1
8da385a349012cb8e2e56b320d04fe4a1e56e14d

SHA256
896994df8e63229dc8c860f40cfd92c6fcea6e684ec0d51f111c812eee7349ba

SHA512
504d89b40935dc266af46438fb391f9e3d9a925fdce6c5daebc34e5c7fc33ced01ebd32f8da083c41f01a2766dafb9102b02b2800b1cb1ab3057413a6d9ca8ec

Download Submit
\??\Volume{ef76cfc2-0000-0000-0000-d01200000000}\Program Files (x86)\WindowsInstallationAssistant\resources\ux\Microsoft.WinJS\css\oobe-desktop.css

Filesize
39KB

MD5
5ad8ceea06e280b9b42e1b8df4b8b407

SHA1
693ea7ac3f9fed186e0165e7667d2c41376c5d61

SHA256
03a724309e738786023766fde298d17b6ccfcc3d2dbbf5c41725cf93eb891feb

SHA512
1694fa3b9102771eef8a42b367d076c691b002de81eb4334ac6bd7befde747b168e7ed8f94f1c8f8877280f51c44adb69947fc1d899943d25b679a1be71dec84

Download Submit
\??\Volume{ef76cfc2-0000-0000-0000-d01200000000}\Program Files (x86)\WindowsInstallationAssistant\resources\ux\Microsoft.WinJS\css\ui-dark.css

Filesize
262KB

MD5
c9674190d140117be506a070c4ef5be2

SHA1
51db8cf46f6ecac6cab85a52402fd66c035e837f

SHA256
1e8e74e5a29f269157c043718b43c10c6f8beb806a6d2b3f3f2dd542731fd196

SHA512
9d41b784a377dc9a1bb61e337ade6acf7f841a672609626697925ace30f8fc574e58ee54388a76b446a84d4ba6de46d72e0b7cad64ada5bf5664c28df09ca585

Download Submit
\??\Volume{ef76cfc2-0000-0000-0000-d01200000000}\Program Files (x86)\WindowsInstallationAssistant\resources\ux\Microsoft.WinJS\js\ui.js

Filesize
2.9MB

MD5
b02d15ec9159d708837121c9685fa551

SHA1
577edd3d56f6a92d5248b35cd76a442b2c1caf37

SHA256
d23519634fa23488b7151ff1c31cc81e9531033f669d10c119f375198d02e22b

SHA512
60305cd9baa19a7e526f4ee9eac425f17563ab4dda0c861cc163b64495e72b547258ff7e804dd7c9820bd3543b2158109b1f72775096a2ba36ce02ad908f8a0a

Download Submit
\??\Volume{ef76cfc2-0000-0000-0000-d01200000000}\Program Files (x86)\WindowsInstallationAssistant\resources\ux\block.png

Filesize
919B

MD5
a132f4d4f23f1bc40cfdb88223b1c74a

SHA1
11fc3eea08765c7dfa697cd9cacd18f7a9900181

SHA256
35825ad138cec97d3cff27cd8d139377e6ba4d0a55b473b59fb4f5f4b9508be6

SHA512
c5284f403c6617947545b0282d935d7e3b2ccb30c67d85920907b7cbd00c01e4c560824c3e7d77a51e97a646aff806879f76e418973a66e2fe1086b8288326b3

Download Submit
\??\Volume{ef76cfc2-0000-0000-0000-d01200000000}\Program Files (x86)\WindowsInstallationAssistant\resources\ux\bullet.png

Filesize
174B

MD5
062f3f1fff1deb4e8abe7a16c8aa6398

SHA1
c943234ce3e553a05be711da23cbafbe459c5988

SHA256
f67ac334038896e37ca126ac4dbd1fff51cd0ffe8c99ed1cb709d64864b72392

SHA512
c6bf7e63476f4ba36aa09a133bff02c6d68503361d9487d598b28a0bda631a496810bb9b0ba8c89efbfe16bb53693a6a81c93da1d00fc923b655a070d5dbdd2d

Download Submit
\??\Volume{ef76cfc2-0000-0000-0000-d01200000000}\Program Files (x86)\WindowsInstallationAssistant\resources\ux\default_sunvalley.htm

Filesize
54KB

MD5
66b63e270cc9186f7186b316606f541f

SHA1
35468eeefc8d878f843bbf0bb0b4b1d43b843cdf

SHA256
00f8f3e4534146858326d6d2524f3360dfc9e5d149e207d61cabac17ad7a5f9f

SHA512
b9d1b4b201cabf087a44d958584ecb1c110807b9bd9865f1e76bf9d989d7d000ee84f07558bcae5e05d11f7121fe2c402fcf916b00ff5d8eac7eaf05e21a29f2

Download Submit
\??\Volume{ef76cfc2-0000-0000-0000-d01200000000}\Program Files (x86)\WindowsInstallationAssistant\resources\ux\pass.png

Filesize
1KB

MD5
5a7499645619886bfe949250e1807415

SHA1
152295cf08fcf1e21e26f05969cbb02bd22a8af6

SHA256
db27bad6e59128d58031706c83210ae780a9261e01af6fde6323bd30f7a97b12

SHA512
201fc4fa1aa035cf09872d6f335d94c97433b79af343d532d0dd5c6ab6ba60b5a3a3b60f466e2c7107c19e04ffcdfa8a016842b4f29ea3ee6dd3d60304d8d8dc

Download Submit
memory/4504-2973-0x0000000073760000-0x00000000737E2000-memory.dmp

Filesize
520KB

Download
memory/4504-2974-0x0000000073540000-0x000000007375C000-memory.dmp

Filesize
2.1MB

Download
memory/4504-2931-0x0000000073540000-0x000000007375C000-memory.dmp

Filesize
2.1MB

Download
memory/4504-2930-0x00000000738C0000-0x0000000073942000-memory.dmp

Filesize
520KB

Download
memory/4504-2936-0x00000000737F0000-0x0000000073812000-memory.dmp

Filesize
136KB

Download
memory/4504-2934-0x0000000073760000-0x00000000737E2000-memory.dmp

Filesize
520KB

Download
memory/4504-2935-0x0000000000EC0000-0x00000000011BE000-memory.dmp

Filesize
3.0MB

Download
memory/4504-2967-0x0000000000EC0000-0x00000000011BE000-memory.dmp

Filesize
3.0MB

Download
memory/4504-2969-0x0000000073840000-0x00000000738B7000-memory.dmp

Filesize
476KB

Download
memory/4504-2929-0x00000000738C0000-0x0000000073942000-memory.dmp

Filesize
520KB

Download
memory/4504-2972-0x0000000073540000-0x000000007375C000-memory.dmp

Filesize
2.1MB

Download
memory/4504-2970-0x0000000073820000-0x000000007383C000-memory.dmp

Filesize
112KB

Download
memory/4504-2968-0x00000000738C0000-0x0000000073942000-memory.dmp

Filesize
520KB

Download
memory/4504-2933-0x00000000737F0000-0x0000000073812000-memory.dmp

Filesize
136KB

Download
memory/4504-2975-0x0000000000EC0000-0x00000000011BE000-memory.dmp

Filesize
3.0MB

Download
memory/4504-2983-0x0000000000EC0000-0x00000000011BE000-memory.dmp

Filesize
3.0MB

Download
memory/4504-3001-0x0000000000EC0000-0x00000000011BE000-memory.dmp

Filesize
3.0MB

Download
memory/4504-3006-0x0000000073540000-0x000000007375C000-memory.dmp

Filesize
2.1MB

Download
memory/4504-3008-0x0000000000EC0000-0x00000000011BE000-memory.dmp

Filesize
3.0MB

Download
memory/4504-3017-0x0000000000EC0000-0x00000000011BE000-memory.dmp

Filesize
3.0MB

Download
memory/4504-2932-0x0000000073760000-0x00000000737E2000-memory.dmp

Filesize
520KB

Download
memory/4504-3060-0x0000000000EC0000-0x00000000011BE000-memory.dmp

Filesize
3.0MB

Download
memory/4504-3065-0x0000000073540000-0x000000007375C000-memory.dmp

Filesize
2.1MB

Download
memory/4504-3068-0x0000000000EC0000-0x00000000011BE000-memory.dmp

Filesize
3.0MB

Download
memory/5592-1432-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download