wannacry | be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844

Analysis

max time kernel
147s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09-04-2024 18:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WannaCry.exe
Size

224KB
MD5

5c7fb0927db37372da25f270708103a2
SHA1

120ed9279d85cbfa56e5b7779ffa7162074f7a29
SHA256

be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844
SHA512

a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f89224c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206
SSDEEP

3072:Y059femWRwTs/dbelj0X8/j84pcRXPlU3Upt3or4H84lK8PtpLzLsR/EfcZ:+5RwTs/dSXj84mRXPemxdBlPvLzLeZ

Score

10^/10

wannacry persistence ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\!Please Read Me!.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions! �

Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Signatures

Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs

Processes:

taskmgr.exe

description pid process target process

PID 1220 created 1356 1220 taskmgr.exe !WannaDecryptor!.exe
PID 1220 created 1356 1220 taskmgr.exe !WannaDecryptor!.exe
Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

description	pid	process	target process
PID 1220 created 1356	1220	taskmgr.exe	!WannaDecryptor!.exe
PID 1220 created 1356	1220	taskmgr.exe	!WannaDecryptor!.exe

Drops startup file 2 IoCs

Processes:

WannaCry.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD4D45.tmp	WannaCry.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD4D5B.tmp	WannaCry.exe

Executes dropped EXE 6 IoCs

Processes:

!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe

pid	process
1052	!WannaDecryptor!.exe
3048	!WannaDecryptor!.exe
2988	!WannaDecryptor!.exe
1356	!WannaDecryptor!.exe
1784	!WannaDecryptor!.exe
2828	!WannaDecryptor!.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

WannaCry.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\WannaCry.exe\" /r"	WannaCry.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

!WannaDecryptor!.exe!WannaDecryptor!.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp"	!WannaDecryptor!.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp"	!WannaDecryptor!.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 4 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

3752 taskkill.exe
3324 taskkill.exe
3216 taskkill.exe
3080 taskkill.exe

pid	process
3752	taskkill.exe
3324	taskkill.exe
3216	taskkill.exe
3080	taskkill.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-275798769-4264537674-1142822080-1000\{C0592359-2C07-4F58-97F2-4BEB98F79FDA}	msedge.exe

Suspicious behavior: EnumeratesProcesses 38 IoCs

Processes:

taskmgr.exemsedge.exemsedge.exeidentity_helper.exemsedge.exe

pid	process
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1060	msedge.exe
1060	msedge.exe
2240	msedge.exe
2240	msedge.exe
3752	identity_helper.exe
3752	identity_helper.exe
3204	msedge.exe
3204	msedge.exe

Suspicious behavior: LoadsDriver 6 IoCs

Processes:

pid

4
4
4
4
4
660

pid
4
4
4
4
4
660

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

Processes:

msedge.exe

pid	process
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe

Suspicious use of AdjustPrivilegeToken 54 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exeWMIC.exevssvc.exetaskmgr.exe

description	pid	process
Token: SeDebugPrivilege	3324	taskkill.exe
Token: SeDebugPrivilege	3752	taskkill.exe
Token: SeDebugPrivilege	3216	taskkill.exe
Token: SeDebugPrivilege	3080	taskkill.exe
Token: SeIncreaseQuotaPrivilege	2356	WMIC.exe
Token: SeSecurityPrivilege	2356	WMIC.exe
Token: SeTakeOwnershipPrivilege	2356	WMIC.exe
Token: SeLoadDriverPrivilege	2356	WMIC.exe
Token: SeSystemProfilePrivilege	2356	WMIC.exe
Token: SeSystemtimePrivilege	2356	WMIC.exe
Token: SeProfSingleProcessPrivilege	2356	WMIC.exe
Token: SeIncBasePriorityPrivilege	2356	WMIC.exe
Token: SeCreatePagefilePrivilege	2356	WMIC.exe
Token: SeBackupPrivilege	2356	WMIC.exe
Token: SeRestorePrivilege	2356	WMIC.exe
Token: SeShutdownPrivilege	2356	WMIC.exe
Token: SeDebugPrivilege	2356	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2356	WMIC.exe
Token: SeRemoteShutdownPrivilege	2356	WMIC.exe
Token: SeUndockPrivilege	2356	WMIC.exe
Token: SeManageVolumePrivilege	2356	WMIC.exe
Token: 33	2356	WMIC.exe
Token: 34	2356	WMIC.exe
Token: 35	2356	WMIC.exe
Token: 36	2356	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2356	WMIC.exe
Token: SeSecurityPrivilege	2356	WMIC.exe
Token: SeTakeOwnershipPrivilege	2356	WMIC.exe
Token: SeLoadDriverPrivilege	2356	WMIC.exe
Token: SeSystemProfilePrivilege	2356	WMIC.exe
Token: SeSystemtimePrivilege	2356	WMIC.exe
Token: SeProfSingleProcessPrivilege	2356	WMIC.exe
Token: SeIncBasePriorityPrivilege	2356	WMIC.exe
Token: SeCreatePagefilePrivilege	2356	WMIC.exe
Token: SeBackupPrivilege	2356	WMIC.exe
Token: SeRestorePrivilege	2356	WMIC.exe
Token: SeShutdownPrivilege	2356	WMIC.exe
Token: SeDebugPrivilege	2356	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2356	WMIC.exe
Token: SeRemoteShutdownPrivilege	2356	WMIC.exe
Token: SeUndockPrivilege	2356	WMIC.exe
Token: SeManageVolumePrivilege	2356	WMIC.exe
Token: 33	2356	WMIC.exe
Token: 34	2356	WMIC.exe
Token: 35	2356	WMIC.exe
Token: 36	2356	WMIC.exe
Token: SeBackupPrivilege	2408	vssvc.exe
Token: SeRestorePrivilege	2408	vssvc.exe
Token: SeAuditPrivilege	2408	vssvc.exe
Token: SeDebugPrivilege	1220	taskmgr.exe
Token: SeSystemProfilePrivilege	1220	taskmgr.exe
Token: SeCreateGlobalPrivilege	1220	taskmgr.exe
Token: 33	1220	taskmgr.exe
Token: SeIncBasePriorityPrivilege	1220	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

!WannaDecryptor!.exetaskmgr.exe!WannaDecryptor!.exemsedge.exe

pid	process
1356	!WannaDecryptor!.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
2828	!WannaDecryptor!.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exemsedge.exe

pid	process
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
1220	taskmgr.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe
2240	msedge.exe

Suspicious use of SetWindowsHookEx 11 IoCs

Processes:

!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe

pid	process
1052	!WannaDecryptor!.exe
1052	!WannaDecryptor!.exe
3048	!WannaDecryptor!.exe
3048	!WannaDecryptor!.exe
2988	!WannaDecryptor!.exe
2988	!WannaDecryptor!.exe
1356	!WannaDecryptor!.exe
1356	!WannaDecryptor!.exe
1784	!WannaDecryptor!.exe
2828	!WannaDecryptor!.exe
2828	!WannaDecryptor!.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

WannaCry.execmd.execmd.exe!WannaDecryptor!.execmd.exemsedge.exe

description	pid	process	target process
PID 540 wrote to memory of 3808	540	WannaCry.exe	cmd.exe
PID 540 wrote to memory of 3808	540	WannaCry.exe	cmd.exe
PID 540 wrote to memory of 3808	540	WannaCry.exe	cmd.exe
PID 3808 wrote to memory of 4592	3808	cmd.exe	cscript.exe
PID 3808 wrote to memory of 4592	3808	cmd.exe	cscript.exe
PID 3808 wrote to memory of 4592	3808	cmd.exe	cscript.exe
PID 540 wrote to memory of 1052	540	WannaCry.exe	!WannaDecryptor!.exe
PID 540 wrote to memory of 1052	540	WannaCry.exe	!WannaDecryptor!.exe
PID 540 wrote to memory of 1052	540	WannaCry.exe	!WannaDecryptor!.exe
PID 540 wrote to memory of 3752	540	WannaCry.exe	taskkill.exe
PID 540 wrote to memory of 3752	540	WannaCry.exe	taskkill.exe
PID 540 wrote to memory of 3752	540	WannaCry.exe	taskkill.exe
PID 540 wrote to memory of 3080	540	WannaCry.exe	taskkill.exe
PID 540 wrote to memory of 3080	540	WannaCry.exe	taskkill.exe
PID 540 wrote to memory of 3080	540	WannaCry.exe	taskkill.exe
PID 540 wrote to memory of 3216	540	WannaCry.exe	taskkill.exe
PID 540 wrote to memory of 3216	540	WannaCry.exe	taskkill.exe
PID 540 wrote to memory of 3216	540	WannaCry.exe	taskkill.exe
PID 540 wrote to memory of 3324	540	WannaCry.exe	taskkill.exe
PID 540 wrote to memory of 3324	540	WannaCry.exe	taskkill.exe
PID 540 wrote to memory of 3324	540	WannaCry.exe	taskkill.exe
PID 540 wrote to memory of 3048	540	WannaCry.exe	!WannaDecryptor!.exe
PID 540 wrote to memory of 3048	540	WannaCry.exe	!WannaDecryptor!.exe
PID 540 wrote to memory of 3048	540	WannaCry.exe	!WannaDecryptor!.exe
PID 540 wrote to memory of 5040	540	WannaCry.exe	cmd.exe
PID 540 wrote to memory of 5040	540	WannaCry.exe	cmd.exe
PID 540 wrote to memory of 5040	540	WannaCry.exe	cmd.exe
PID 5040 wrote to memory of 2988	5040	cmd.exe	!WannaDecryptor!.exe
PID 5040 wrote to memory of 2988	5040	cmd.exe	!WannaDecryptor!.exe
PID 5040 wrote to memory of 2988	5040	cmd.exe	!WannaDecryptor!.exe
PID 540 wrote to memory of 1356	540	WannaCry.exe	!WannaDecryptor!.exe
PID 540 wrote to memory of 1356	540	WannaCry.exe	!WannaDecryptor!.exe
PID 540 wrote to memory of 1356	540	WannaCry.exe	!WannaDecryptor!.exe
PID 2988 wrote to memory of 1388	2988	!WannaDecryptor!.exe	cmd.exe
PID 2988 wrote to memory of 1388	2988	!WannaDecryptor!.exe	cmd.exe
PID 2988 wrote to memory of 1388	2988	!WannaDecryptor!.exe	cmd.exe
PID 1388 wrote to memory of 2356	1388	cmd.exe	WMIC.exe
PID 1388 wrote to memory of 2356	1388	cmd.exe	WMIC.exe
PID 1388 wrote to memory of 2356	1388	cmd.exe	WMIC.exe
PID 540 wrote to memory of 2828	540	WannaCry.exe	!WannaDecryptor!.exe
PID 540 wrote to memory of 2828	540	WannaCry.exe	!WannaDecryptor!.exe
PID 540 wrote to memory of 2828	540	WannaCry.exe	!WannaDecryptor!.exe
PID 2240 wrote to memory of 1360	2240	msedge.exe	msedge.exe
PID 2240 wrote to memory of 1360	2240	msedge.exe	msedge.exe
PID 2240 wrote to memory of 3384	2240	msedge.exe	msedge.exe
PID 2240 wrote to memory of 3384	2240	msedge.exe	msedge.exe
PID 2240 wrote to memory of 3384	2240	msedge.exe	msedge.exe
PID 2240 wrote to memory of 3384	2240	msedge.exe	msedge.exe
PID 2240 wrote to memory of 3384	2240	msedge.exe	msedge.exe
PID 2240 wrote to memory of 3384	2240	msedge.exe	msedge.exe
PID 2240 wrote to memory of 3384	2240	msedge.exe	msedge.exe
PID 2240 wrote to memory of 3384	2240	msedge.exe	msedge.exe
PID 2240 wrote to memory of 3384	2240	msedge.exe	msedge.exe
PID 2240 wrote to memory of 3384	2240	msedge.exe	msedge.exe
PID 2240 wrote to memory of 3384	2240	msedge.exe	msedge.exe
PID 2240 wrote to memory of 3384	2240	msedge.exe	msedge.exe
PID 2240 wrote to memory of 3384	2240	msedge.exe	msedge.exe
PID 2240 wrote to memory of 3384	2240	msedge.exe	msedge.exe
PID 2240 wrote to memory of 3384	2240	msedge.exe	msedge.exe
PID 2240 wrote to memory of 3384	2240	msedge.exe	msedge.exe
PID 2240 wrote to memory of 3384	2240	msedge.exe	msedge.exe
PID 2240 wrote to memory of 3384	2240	msedge.exe	msedge.exe
PID 2240 wrote to memory of 3384	2240	msedge.exe	msedge.exe
PID 2240 wrote to memory of 3384	2240	msedge.exe	msedge.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\WannaCry.exe
"C:\Users\Admin\AppData\Local\Temp\WannaCry.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 101131712688995.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:3808

C:\Windows\SysWOW64\cscript.exe
cscript //nologo c.vbs
3⤵
PID:4592

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
!WannaDecryptor!.exe f
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1052

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im MSExchange*
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3752

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Microsoft.Exchange.*
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3080

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im sqlserver.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3216

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im sqlwriter.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3324

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
!WannaDecryptor!.exe c
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3048

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /b !WannaDecryptor!.exe v
2⤵
- Suspicious use of WriteProcessMemory
PID:5040

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
!WannaDecryptor!.exe v
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2988

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
4⤵
- Suspicious use of WriteProcessMemory
PID:1388

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2356

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
!WannaDecryptor!.exe
2⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1356

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
!WannaDecryptor!.exe
2⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2828

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2408

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:680

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
"C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1784

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1220

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\3f2c173628594d388539526ae1f7f129 /t 3424 /p 1356
1⤵
PID:3460

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\ExpandConvertFrom.mhtml
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2240

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffd6ab146f8,0x7ffd6ab14708,0x7ffd6ab14718
2⤵
PID:1360

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,17802112997344235384,14862081328695371095,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2216 /prefetch:2
2⤵
PID:3384

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2172,17802112997344235384,14862081328695371095,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2460 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1060

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2172,17802112997344235384,14862081328695371095,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2748 /prefetch:8
2⤵
PID:3732

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,17802112997344235384,14862081328695371095,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3616 /prefetch:1
2⤵
PID:4920

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,17802112997344235384,14862081328695371095,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3624 /prefetch:1
2⤵
PID:1568

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,17802112997344235384,14862081328695371095,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5140 /prefetch:1
2⤵
PID:1576

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,17802112997344235384,14862081328695371095,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5496 /prefetch:8
2⤵
PID:1572

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,17802112997344235384,14862081328695371095,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5496 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3752

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,17802112997344235384,14862081328695371095,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:1
2⤵
PID:4132

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,17802112997344235384,14862081328695371095,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:1
2⤵
PID:3636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,17802112997344235384,14862081328695371095,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2572 /prefetch:1
2⤵
PID:4508

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,17802112997344235384,14862081328695371095,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6032 /prefetch:1
2⤵
PID:3264

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,17802112997344235384,14862081328695371095,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5992 /prefetch:1
2⤵
PID:1072

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,17802112997344235384,14862081328695371095,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6056 /prefetch:1
2⤵
PID:4048

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2172,17802112997344235384,14862081328695371095,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5760 /prefetch:8
2⤵
PID:4620

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2172,17802112997344235384,14862081328695371095,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5964 /prefetch:8
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3204

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,17802112997344235384,14862081328695371095,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
2⤵
PID:3524

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,17802112997344235384,14862081328695371095,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4880 /prefetch:1
2⤵
PID:5564

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,17802112997344235384,14862081328695371095,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5680 /prefetch:1
2⤵
PID:5860

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,17802112997344235384,14862081328695371095,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5684 /prefetch:1
2⤵
PID:5868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,17802112997344235384,14862081328695371095,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5724 /prefetch:1
2⤵
PID:6036

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,17802112997344235384,14862081328695371095,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6172 /prefetch:1
2⤵
PID:6044

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3636

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1eb86108cb8f5a956fdf48efbd5d06fe

SHA1
7b2b299f753798e4891df2d9cbf30f94b39ef924

SHA256
1b53367e0041d54af89e7dd59733231f5da1393c551ed2b943c89166c0baca40

SHA512
e2a661437688a4a01a6eb3b2bd7979ecf96b806f5a487d39354a7f0d44cb693a3b1c2cf6b1247b04e4106cc816105e982569572042bdddb3cd5bec23b4fce29d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f35bb0615bb9816f562b83304e456294

SHA1
1049e2bd3e1bbb4cea572467d7c4a96648659cb4

SHA256
05e80abd624454e5b860a08f40ddf33d672c3fed319aac180b7de5754bc07b71

SHA512
db9100f3e324e74a9c58c7d9f50c25eaa4c6c4553c93bab9b80c6f7bef777db04111ebcd679f94015203b240fe9f4f371cae0d4290ec891a4173c746ff4b11c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\24ebc262-8a5e-455f-a103-04521c1919ac.tmp

Filesize
6KB

MD5
5c8bcf0b685bb8f2bf24af4e46292822

SHA1
61a944e111f491ca199b39156d2b0b1dc546966d

SHA256
42353e5562582789c0df8ad56101c541f372fc161d95e5eb8e61234bbb109771

SHA512
8da0944306e90240fb81d7f3dbbb0bdf64ae4feab4f9a7fbdf9e6f933c4282a3a362e7a571ae6412adfdcb69e3bf021336d4806531846c42393babf7cc1c8c40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
55e8e602f21624fffc9efbf53c7392d8

SHA1
e2248fc9c859d1d2f8963e65e1b6cb4b0c95e87d

SHA256
4b0085edfd4f3ee75de8ae18546e00e7914d844713a94c46ce7ee5ab2bc61ea5

SHA512
3085f537bb5cb2498c7e6151435a6bb1177f5cf42b67bbf73e7541add94e11b8b932ba6029e1fcd63f34177c83edd550132ace9874d46a2c6d700aa52fa0757b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
0c500297956de426208b60af70109eb7

SHA1
9e03607e5e005ea6a68e1fb64a92638f604979f9

SHA256
5f38e514fc0dff4f1d5eda6492c2d5a24b3bedfafce9a2bd39a17eb63ecbf598

SHA512
9128440832302bee999faafbe99a233063675be964eb9e2823ab6adcdcd6f02796651ad248fd0b6a946876c2778c8804b333fb1bff6570d51e111c104775142a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
4b9589e6ba657fd646085f9bcdd4a7a4

SHA1
19f3ccf4bdc05dad28c778c0caefa1d386903bd4

SHA256
480338e23b310538d08b3e79c1b7c6a343f2b8f136ffaf937c5fefb310bbcae0

SHA512
027ccabf5929eedb20097f20f27ccd71895292bdca07a8f5a574ce3b8b2aacc26c75d835db22e5a8601f3353a453f65ec7e515f4188df2b9ad3e787a1337ffa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\!Please Read Me!.txt

Filesize
797B

MD5
afa18cf4aa2660392111763fb93a8c3d

SHA1
c219a3654a5f41ce535a09f2a188a464c3f5baf5

SHA256
227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0

SHA512
4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe.lnk

Filesize
1KB

MD5
ce2f9b9eb8ab321d1b1218359ccf0958

SHA1
b18d15bd89fda2d3b1e804bd311c9e0a0d0ca0d5

SHA256
5dfa27563ff1968e1d23871def68b07cccb7f1c46d7b5646a339d8a9cf2b0ea2

SHA512
1e5dac01b3ca75f0c493d54b7ff94ad608cec9c5a9d63ae1c05c6b4220937d509ff28fa2712e6d842f9d6aca5ec1a1eb8dc911964b86d0c93316acefee36b57f

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.res

Filesize
136B

MD5
7fbe176c4d95d086ddab128be6176171

SHA1
d74b1a7c6a62b47d10c929e8340b52e1affb404c

SHA256
bdf208bcda3b78cdcd517be713fbfd2eaeccb1cea7f94c06d0f4ed233bcb732b

SHA512
a5052017cadbab2756f1bbbab51d1a8259d10c668155d7988cdf18b3848b6047ad283689f64333965a9705c09e68151e6550890e4b3b2f2e15a673ee602ceb22

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.res

Filesize
136B

MD5
be3be4489a6a9e959cf000bde6904fb2

SHA1
f6460feb511e8436203bef1efe5a5bc7d0fb8bc8

SHA256
0935898403f83ea7fe597c0cdb9facdcd7b84dab33ae31156d2149b707d86fcd

SHA512
53e850a8fe7ace9abdaef17ce059ec6ae7d811321f5301f593be95cf6993354aa0f5ace3e301f70797e231dfb168f7dbd2e12939ec6630ce979bdda74944bc6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.res

Filesize
136B

MD5
4e221c309ff5fd74585e9d40b51199c6

SHA1
b307a27f2fb8e4c25fe701cffe40f0146b11d6c5

SHA256
e8ffef95c9f166742255c47c51135d76fa6c505f8b74c8c7610bcff65cf60687

SHA512
a257f36a40f00a2bbab1ac33a5fc97b561ea1664481b0e53116753db9761ffa9b1bd12af73295a79be3cf8fdb10322a3b62f6fbbbad2699e45074366486b4453

Download Submit
C:\Users\Admin\AppData\Local\Temp\101131712688995.bat

Filesize
336B

MD5
3540e056349c6972905dc9706cd49418

SHA1
492c20442d34d45a6d6790c720349b11ec591cde

SHA256
73872a89440a2cba9d22bf4961c3d499ea2c72979c30c455f942374292fedadc

SHA512
c949d147100aef59e382c03abf7b162ae62a4d43456eebd730fbedcf5f95f5e1a24f6e349690d52d75331878a6ee8f6b88a7162ee9cf2a49e142196b12d0133c

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.vbs

Filesize
219B

MD5
5f6d40ca3c34b470113ed04d06a88ff4

SHA1
50629e7211ae43e32060686d6be17ebd492fd7aa

SHA256
0fb5039a2fe7e90cdf3f22140d7f2103f94689b15609efe0edcc8430dd772fc1

SHA512
4d4aa1abd2c9183202fd3f0a65b37f07ee0166ba6561f094c13c8ea59752c7bdd960e37c49583746d4464bc3b1dc0b63a1fe36a37ce7e5709cd76ed433befe35

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.wry

Filesize
628B

MD5
1c2bf134df9662ec69d463c2de159ef4

SHA1
ebc22b0a262f65ebd4d45e7cd0dfd5c2af4557b4

SHA256
2b4e70bfcbb30d1df44ba823ed4c1f3a4f48b43a48f10e9cbb487cbebc447c74

SHA512
bbccca595305b16e8b732a0391dcb1572ed90a7b1d9fa095a458e3c753960ca95217cf6b3d23c02693092c8806f3a78f6e25d1dae9996877f0e00a7db94bba26

Download Submit
C:\Users\Admin\AppData\Local\Temp\m.wry

Filesize
42KB

MD5
980b08bac152aff3f9b0136b616affa5

SHA1
2a9c9601ea038f790cc29379c79407356a3d25a3

SHA256
402046ada270528c9ac38bbfa0152836fe30fb8e12192354e53b8397421430d9

SHA512
100cda1f795781042b012498afd783fd6ff03b0068dbd07b2c2e163cd95e6c6e00755ce16b02b017693c9febc149ed02df9df9b607e2b9cca4b07e5bd420f496

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.wry

Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
\??\pipe\LOCAL\crashpad_2240_MQYBYSYVBQFPEGES

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/540-6-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download
memory/1220-1405-0x000002CB7D950000-0x000002CB7D951000-memory.dmp

Filesize
4KB

Download
memory/1220-1414-0x000002CB7D950000-0x000002CB7D951000-memory.dmp

Filesize
4KB

Download
memory/1220-1415-0x000002CB7D950000-0x000002CB7D951000-memory.dmp

Filesize
4KB

Download
memory/1220-1410-0x000002CB7D950000-0x000002CB7D951000-memory.dmp

Filesize
4KB

Download
memory/1220-1412-0x000002CB7D950000-0x000002CB7D951000-memory.dmp

Filesize
4KB

Download
memory/1220-1413-0x000002CB7D950000-0x000002CB7D951000-memory.dmp

Filesize
4KB

Download
memory/1220-1411-0x000002CB7D950000-0x000002CB7D951000-memory.dmp

Filesize
4KB

Download
memory/1220-1409-0x000002CB7D950000-0x000002CB7D951000-memory.dmp

Filesize
4KB

Download
memory/1220-1404-0x000002CB7D950000-0x000002CB7D951000-memory.dmp

Filesize
4KB

Download
memory/1220-1403-0x000002CB7D950000-0x000002CB7D951000-memory.dmp

Filesize
4KB

Download