wannacry | 990803c15c5f42bdf81e7e8a0344d8ad08d6628ef06841b10fa0dd2697e1194b

Analysis

max time kernel
375s
max time network
381s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10-05-2024 16:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DiscordSetup.exe
Size

46.3MB
MD5

f6a8dca61c984137f9df99826747caca
SHA1

dba1c4a8ad77fb6afd47f4b98a6e10b5e2bcc785
SHA256

990803c15c5f42bdf81e7e8a0344d8ad08d6628ef06841b10fa0dd2697e1194b
SHA512

b230e1c6d91c3749fa15a30595b7172303e5b2bc01febab52018e08872da28952b67788f8e911cc9141bb70d8fc2485d36fb81c24b04621a3ce5860caac0edc0
SSDEEP

786432:SMEnRtpu84z8+IElBn5ydGZpM+NaW041cAySCq8j21XntkNGQjkqWJWqfetxTwBp:3+LWbIED5yIZfNaWsW1oGskfoqGtxTvY

Score

10^/10

wannacry defense_evasion discovery execution impact persistence ransomware worm

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

Update.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation Update.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	Update.exe

Drops startup file 2 IoCs

Processes:

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD5A05.tmp	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD59DE.tmp	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

Executes dropped EXE 33 IoCs

Processes:

Update.exeSquirrel.exeDiscord.exeDiscord.exeUpdate.exeDiscord.exeDiscord.exeDiscord.exeUpdate.exeUpdate.exeUpdate.exeUpdate.exeUpdate.exeUpdate.exeUpdate.exeUpdate.exeUpdate.exeUpdate.exeUpdate.exeUpdate.exeUpdate.exeUpdate.exeUpdate.exeUpdate.exetaskdl.exe@[email protected]@[email protected]taskhsvc.exetaskdl.exetaskse.exe@[email protected]Update.exeUpdate.exe

pid	process
392	Update.exe
980	Squirrel.exe
3648	Discord.exe
1268	Discord.exe
1852	Update.exe
816	Discord.exe
3556	Discord.exe
3404	Discord.exe
2280	Update.exe
4916	Update.exe
2528	Update.exe
1352	Update.exe
548	Update.exe
3244	Update.exe
4084	Update.exe
4024	Update.exe
4688	Update.exe
2844	Update.exe
4140	Update.exe
4496	Update.exe
3576	Update.exe
1972	Update.exe
740	Update.exe
1268	Update.exe
3696	taskdl.exe
4568	@[email protected]
4648	@[email protected]
3920	taskhsvc.exe
3576	taskdl.exe
4832	taskse.exe
3636	@[email protected]
4048	Update.exe
372	Update.exe

Loads dropped DLL 36 IoCs

Processes:

Discord.exeDiscord.exeDiscord.exeDiscord.exeDiscord.exetaskhsvc.exe

pid	process
3648	Discord.exe
3648	Discord.exe
3648	Discord.exe
3648	Discord.exe
3648	Discord.exe
3648	Discord.exe
1268	Discord.exe
1268	Discord.exe
1268	Discord.exe
1268	Discord.exe
1268	Discord.exe
816	Discord.exe
816	Discord.exe
816	Discord.exe
816	Discord.exe
816	Discord.exe
816	Discord.exe
3556	Discord.exe
3556	Discord.exe
3556	Discord.exe
3556	Discord.exe
3556	Discord.exe
3404	Discord.exe
3404	Discord.exe
3404	Discord.exe
3404	Discord.exe
3404	Discord.exe
3920	taskhsvc.exe
3920	taskhsvc.exe
3920	taskhsvc.exe
3920	taskhsvc.exe
3920	taskhsvc.exe
3920	taskhsvc.exe
3920	taskhsvc.exe
3920	taskhsvc.exe
3920	taskhsvc.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

4484 icacls.exe

pid	process
4484	icacls.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Discord = "C:\\Users\\Admin\\AppData\\Local\\Discord\\app-0.0.291\\Discord.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\bbnbuexzwbcz676 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Temp1_Ransomware.WannaCry.zip\\tasksche.exe\""	reg.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

108 raw.githubusercontent.com
107 raw.githubusercontent.com

flow	ioc
108	raw.githubusercontent.com
107	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe@[email protected]

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133598307561078168"	chrome.exe

Modifies registry class 15 IoCs

Processes:

reg.exereg.exeOpenWith.exereg.exechrome.exeOpenWith.exereg.exeOpenWith.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Discord	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Discord\DefaultIcon	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Discord\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Discord\\app-0.0.291\\Discord.exe\" --url \"%1\""	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Discord\URL Protocol	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Discord\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Local\\Discord\\app-0.0.291\\Discord.exe\",-1"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Discord\shell\open	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Discord	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Discord\ = "URL:Discord Protocol"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Discord\shell\open\command	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Discord	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Discord\shell	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	OpenWith.exe

Modifies registry key 1 TTPs 6 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exe

pid process

4136 reg.exe
1516 reg.exe
5052 reg.exe
1920 reg.exe
4776 reg.exe
3744 reg.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

4652 NOTEPAD.EXE

pid	process
4136	reg.exe
1516	reg.exe
5052	reg.exe
1920	reg.exe
4776	reg.exe
3744	reg.exe

pid	process
4652	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

Discord.exeDiscord.exechrome.exechrome.exetaskhsvc.exe

pid	process
3648	Discord.exe
3648	Discord.exe
816	Discord.exe
816	Discord.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
824	chrome.exe
824	chrome.exe
3920	taskhsvc.exe
3920	taskhsvc.exe
3920	taskhsvc.exe
3920	taskhsvc.exe
3920	taskhsvc.exe
3920	taskhsvc.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

OpenWith.exeOpenWith.exe

pid process

2888 OpenWith.exe
4032 OpenWith.exe
Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

660
660
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

Processes:

chrome.exe

pid process

2392 chrome.exe
2392 chrome.exe
2392 chrome.exe
2392 chrome.exe
2392 chrome.exe

pid	process
660
660

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Update.exeAUDIODG.EXEUpdate.exeUpdate.exeUpdate.exeUpdate.exeUpdate.exeUpdate.exeUpdate.exeUpdate.exechrome.exeUpdate.exeUpdate.exe

description	pid	process
Token: SeDebugPrivilege	392	Update.exe
Token: 33	452	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	452	AUDIODG.EXE
Token: SeDebugPrivilege	2280	Update.exe
Token: SeDebugPrivilege	4916	Update.exe
Token: SeDebugPrivilege	2528	Update.exe
Token: SeDebugPrivilege	1352	Update.exe
Token: SeDebugPrivilege	548	Update.exe
Token: SeDebugPrivilege	3244	Update.exe
Token: SeDebugPrivilege	4084	Update.exe
Token: SeDebugPrivilege	4024	Update.exe
Token: SeShutdownPrivilege	2392	chrome.exe
Token: SeCreatePagefilePrivilege	2392	chrome.exe
Token: SeShutdownPrivilege	2392	chrome.exe
Token: SeCreatePagefilePrivilege	2392	chrome.exe
Token: SeShutdownPrivilege	2392	chrome.exe
Token: SeCreatePagefilePrivilege	2392	chrome.exe
Token: SeDebugPrivilege	4688	Update.exe
Token: SeShutdownPrivilege	2392	chrome.exe
Token: SeCreatePagefilePrivilege	2392	chrome.exe
Token: SeDebugPrivilege	2844	Update.exe
Token: SeShutdownPrivilege	2392	chrome.exe
Token: SeCreatePagefilePrivilege	2392	chrome.exe
Token: SeShutdownPrivilege	2392	chrome.exe
Token: SeCreatePagefilePrivilege	2392	chrome.exe
Token: SeShutdownPrivilege	2392	chrome.exe
Token: SeCreatePagefilePrivilege	2392	chrome.exe
Token: SeShutdownPrivilege	2392	chrome.exe
Token: SeCreatePagefilePrivilege	2392	chrome.exe
Token: SeShutdownPrivilege	2392	chrome.exe
Token: SeCreatePagefilePrivilege	2392	chrome.exe
Token: SeShutdownPrivilege	2392	chrome.exe
Token: SeCreatePagefilePrivilege	2392	chrome.exe
Token: SeShutdownPrivilege	2392	chrome.exe
Token: SeCreatePagefilePrivilege	2392	chrome.exe
Token: SeShutdownPrivilege	2392	chrome.exe
Token: SeCreatePagefilePrivilege	2392	chrome.exe
Token: SeShutdownPrivilege	2392	chrome.exe
Token: SeCreatePagefilePrivilege	2392	chrome.exe
Token: SeShutdownPrivilege	2392	chrome.exe
Token: SeCreatePagefilePrivilege	2392	chrome.exe
Token: SeShutdownPrivilege	2392	chrome.exe
Token: SeCreatePagefilePrivilege	2392	chrome.exe
Token: SeShutdownPrivilege	2392	chrome.exe
Token: SeCreatePagefilePrivilege	2392	chrome.exe
Token: SeShutdownPrivilege	2392	chrome.exe
Token: SeCreatePagefilePrivilege	2392	chrome.exe
Token: SeShutdownPrivilege	2392	chrome.exe
Token: SeCreatePagefilePrivilege	2392	chrome.exe
Token: SeShutdownPrivilege	2392	chrome.exe
Token: SeCreatePagefilePrivilege	2392	chrome.exe
Token: SeShutdownPrivilege	2392	chrome.exe
Token: SeCreatePagefilePrivilege	2392	chrome.exe
Token: SeShutdownPrivilege	2392	chrome.exe
Token: SeCreatePagefilePrivilege	2392	chrome.exe
Token: SeShutdownPrivilege	2392	chrome.exe
Token: SeCreatePagefilePrivilege	2392	chrome.exe
Token: SeShutdownPrivilege	2392	chrome.exe
Token: SeCreatePagefilePrivilege	2392	chrome.exe
Token: SeShutdownPrivilege	2392	chrome.exe
Token: SeCreatePagefilePrivilege	2392	chrome.exe
Token: SeShutdownPrivilege	2392	chrome.exe
Token: SeCreatePagefilePrivilege	2392	chrome.exe
Token: SeShutdownPrivilege	2392	chrome.exe

Suspicious use of FindShellTrayWindow 48 IoCs

Processes:

Update.exechrome.exeDiscord.exe

pid	process
392	Update.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
816	Discord.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe
2392	chrome.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

OpenWith.exeOpenWith.exe

pid	process
2888	OpenWith.exe
2888	OpenWith.exe
2888	OpenWith.exe
2888	OpenWith.exe
2888	OpenWith.exe
2888	OpenWith.exe
2888	OpenWith.exe
2888	OpenWith.exe
2888	OpenWith.exe
2888	OpenWith.exe
2888	OpenWith.exe
2888	OpenWith.exe
2888	OpenWith.exe
2888	OpenWith.exe
2888	OpenWith.exe
2888	OpenWith.exe
2888	OpenWith.exe
2888	OpenWith.exe
2888	OpenWith.exe
2888	OpenWith.exe
2888	OpenWith.exe
2888	OpenWith.exe
2888	OpenWith.exe
2888	OpenWith.exe
2888	OpenWith.exe
2888	OpenWith.exe
2888	OpenWith.exe
2888	OpenWith.exe
2888	OpenWith.exe
2888	OpenWith.exe
2888	OpenWith.exe
2888	OpenWith.exe
2888	OpenWith.exe
2888	OpenWith.exe
2888	OpenWith.exe
2888	OpenWith.exe
2888	OpenWith.exe
2888	OpenWith.exe
2888	OpenWith.exe
3620	OpenWith.exe
3620	OpenWith.exe
3620	OpenWith.exe
3620	OpenWith.exe
3620	OpenWith.exe
3620	OpenWith.exe
3620	OpenWith.exe
3620	OpenWith.exe
3620	OpenWith.exe
3620	OpenWith.exe
3620	OpenWith.exe
3620	OpenWith.exe
3620	OpenWith.exe
3620	OpenWith.exe
3620	OpenWith.exe
3620	OpenWith.exe
3620	OpenWith.exe
3620	OpenWith.exe
3620	OpenWith.exe
3620	OpenWith.exe
3620	OpenWith.exe
3620	OpenWith.exe
3620	OpenWith.exe
3620	OpenWith.exe
3620	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

DiscordSetup.exeUpdate.exeDiscord.exeDiscord.exechrome.exe

description	pid	process	target process
PID 1320 wrote to memory of 392	1320	DiscordSetup.exe	Update.exe
PID 1320 wrote to memory of 392	1320	DiscordSetup.exe	Update.exe
PID 1320 wrote to memory of 392	1320	DiscordSetup.exe	Update.exe
PID 392 wrote to memory of 980	392	Update.exe	Squirrel.exe
PID 392 wrote to memory of 980	392	Update.exe	Squirrel.exe
PID 392 wrote to memory of 980	392	Update.exe	Squirrel.exe
PID 392 wrote to memory of 3648	392	Update.exe	Discord.exe
PID 392 wrote to memory of 3648	392	Update.exe	Discord.exe
PID 392 wrote to memory of 3648	392	Update.exe	Discord.exe
PID 3648 wrote to memory of 1268	3648	Discord.exe	Discord.exe
PID 3648 wrote to memory of 1268	3648	Discord.exe	Discord.exe
PID 3648 wrote to memory of 1268	3648	Discord.exe	Discord.exe
PID 3648 wrote to memory of 1852	3648	Discord.exe	Update.exe
PID 3648 wrote to memory of 1852	3648	Discord.exe	Update.exe
PID 3648 wrote to memory of 1852	3648	Discord.exe	Update.exe
PID 3648 wrote to memory of 3744	3648	Discord.exe	reg.exe
PID 3648 wrote to memory of 3744	3648	Discord.exe	reg.exe
PID 3648 wrote to memory of 3744	3648	Discord.exe	reg.exe
PID 3648 wrote to memory of 4136	3648	Discord.exe	reg.exe
PID 3648 wrote to memory of 4136	3648	Discord.exe	reg.exe
PID 3648 wrote to memory of 4136	3648	Discord.exe	reg.exe
PID 3648 wrote to memory of 1516	3648	Discord.exe	reg.exe
PID 3648 wrote to memory of 1516	3648	Discord.exe	reg.exe
PID 3648 wrote to memory of 1516	3648	Discord.exe	reg.exe
PID 3648 wrote to memory of 5052	3648	Discord.exe	reg.exe
PID 3648 wrote to memory of 5052	3648	Discord.exe	reg.exe
PID 3648 wrote to memory of 5052	3648	Discord.exe	reg.exe
PID 3648 wrote to memory of 1920	3648	Discord.exe	reg.exe
PID 3648 wrote to memory of 1920	3648	Discord.exe	reg.exe
PID 3648 wrote to memory of 1920	3648	Discord.exe	reg.exe
PID 392 wrote to memory of 816	392	Update.exe	Discord.exe
PID 392 wrote to memory of 816	392	Update.exe	Discord.exe
PID 392 wrote to memory of 816	392	Update.exe	Discord.exe
PID 816 wrote to memory of 3556	816	Discord.exe	Discord.exe
PID 816 wrote to memory of 3556	816	Discord.exe	Discord.exe
PID 816 wrote to memory of 3556	816	Discord.exe	Discord.exe
PID 816 wrote to memory of 3404	816	Discord.exe	Discord.exe
PID 816 wrote to memory of 3404	816	Discord.exe	Discord.exe
PID 816 wrote to memory of 3404	816	Discord.exe	Discord.exe
PID 816 wrote to memory of 2280	816	Discord.exe	Update.exe
PID 816 wrote to memory of 2280	816	Discord.exe	Update.exe
PID 816 wrote to memory of 2280	816	Discord.exe	Update.exe
PID 816 wrote to memory of 4916	816	Discord.exe	Update.exe
PID 816 wrote to memory of 4916	816	Discord.exe	Update.exe
PID 816 wrote to memory of 4916	816	Discord.exe	Update.exe
PID 816 wrote to memory of 2528	816	Discord.exe	Update.exe
PID 816 wrote to memory of 2528	816	Discord.exe	Update.exe
PID 816 wrote to memory of 2528	816	Discord.exe	Update.exe
PID 816 wrote to memory of 1352	816	Discord.exe	Update.exe
PID 816 wrote to memory of 1352	816	Discord.exe	Update.exe
PID 816 wrote to memory of 1352	816	Discord.exe	Update.exe
PID 816 wrote to memory of 548	816	Discord.exe	Update.exe
PID 816 wrote to memory of 548	816	Discord.exe	Update.exe
PID 816 wrote to memory of 548	816	Discord.exe	Update.exe
PID 816 wrote to memory of 3244	816	Discord.exe	Update.exe
PID 816 wrote to memory of 3244	816	Discord.exe	Update.exe
PID 816 wrote to memory of 3244	816	Discord.exe	Update.exe
PID 816 wrote to memory of 4084	816	Discord.exe	Update.exe
PID 816 wrote to memory of 4084	816	Discord.exe	Update.exe
PID 816 wrote to memory of 4084	816	Discord.exe	Update.exe
PID 816 wrote to memory of 4024	816	Discord.exe	Update.exe
PID 816 wrote to memory of 4024	816	Discord.exe	Update.exe
PID 816 wrote to memory of 4024	816	Discord.exe	Update.exe
PID 2392 wrote to memory of 2852	2392	chrome.exe	chrome.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

936 attrib.exe
1216 attrib.exe

pid	process
936	attrib.exe
1216	attrib.exe

C:\Users\Admin\AppData\Local\Temp\DiscordSetup.exe
"C:\Users\Admin\AppData\Local\Temp\DiscordSetup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1320

C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
"C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe" --install .
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:392

C:\Users\Admin\AppData\Local\Discord\app-0.0.291\Squirrel.exe
"C:\Users\Admin\AppData\Local\Discord\app-0.0.291\Squirrel.exe" --updateSelf=C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
3⤵
- Executes dropped EXE
PID:980

C:\Users\Admin\AppData\Local\Discord\app-0.0.291\Discord.exe
"C:\Users\Admin\AppData\Local\Discord\app-0.0.291\Discord.exe" --squirrel-install 0.0.291
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3648

C:\Users\Admin\AppData\Local\Discord\app-0.0.291\Discord.exe
C:\Users\Admin\AppData\Local\Discord\app-0.0.291\Discord.exe --reporter-url=http://crash.discordapp.com:1127/post --application-name=Discord --v=1 --submit-backlog
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1268

C:\Users\Admin\AppData\Local\Discord\Update.exe
C:\Users\Admin\AppData\Local\Discord\Update.exe --createShortcut Discord.exe --setupIcon C:\Users\Admin\AppData\Local\Discord\app.ico
4⤵
- Executes dropped EXE
PID:1852

C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Discord /d C:\Users\Admin\AppData\Local\Discord\app-0.0.291\Discord.exe /f
4⤵
- Adds Run key to start application
- Modifies registry key
PID:3744

C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord /ve /d "URL:Discord Protocol" /f
4⤵
- Modifies registry class
- Modifies registry key
PID:4136

C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord /v "URL Protocol" /f
4⤵
- Modifies registry class
- Modifies registry key
PID:1516

C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord\DefaultIcon /ve /d "\"C:\Users\Admin\AppData\Local\Discord\app-0.0.291\Discord.exe\",-1" /f
4⤵
- Modifies registry class
- Modifies registry key
PID:5052

C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe add HKCU\Software\Classes\Discord\shell\open\command /ve /d "\"C:\Users\Admin\AppData\Local\Discord\app-0.0.291\Discord.exe\" --url \"%1\"" /f
4⤵
- Modifies registry class
- Modifies registry key
PID:1920

C:\Users\Admin\AppData\Local\Discord\app-0.0.291\Discord.exe
"C:\Users\Admin\AppData\Local\Discord\app-0.0.291\Discord.exe" --squirrel-firstrun
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:816

C:\Users\Admin\AppData\Local\Discord\app-0.0.291\Discord.exe
C:\Users\Admin\AppData\Local\Discord\app-0.0.291\Discord.exe --reporter-url=http://crash.discordapp.com:1127/post --application-name=Discord --v=1 --submit-backlog
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3556

C:\Users\Admin\AppData\Local\Discord\app-0.0.291\Discord.exe
"C:\Users\Admin\AppData\Local\Discord\app-0.0.291\Discord.exe" --type=renderer --no-sandbox --lang=en-US --app-user-model-id=com.squirrel.Discord.Discord --node-integration=true --hidden-page --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --content-image-texture-target=3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553,3553 --video-image-texture-target=3553 --disable-accelerated-video-decode --disable-webrtc-hw-encoding --disable-gpu-compositing --channel="816.0.1588358508\1799767936" /prefetch:1
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3404

C:\Users\Admin\AppData\Local\Discord\Update.exe
C:\Users\Admin\AppData\Local\Discord\Update.exe --check https://discordapp.com/api/updates/stable
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2280

C:\Users\Admin\AppData\Local\Discord\Update.exe
C:\Users\Admin\AppData\Local\Discord\Update.exe --update https://discordapp.com/api/updates/stable
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4916

C:\Users\Admin\AppData\Local\Discord\Update.exe
C:\Users\Admin\AppData\Local\Discord\Update.exe --check https://discordapp.com/api/updates/stable
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2528

C:\Users\Admin\AppData\Local\Discord\Update.exe
C:\Users\Admin\AppData\Local\Discord\Update.exe --update https://discordapp.com/api/updates/stable
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1352

C:\Users\Admin\AppData\Local\Discord\Update.exe
C:\Users\Admin\AppData\Local\Discord\Update.exe --check https://discordapp.com/api/updates/stable
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:548

C:\Users\Admin\AppData\Local\Discord\Update.exe
C:\Users\Admin\AppData\Local\Discord\Update.exe --update https://discordapp.com/api/updates/stable
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3244

C:\Users\Admin\AppData\Local\Discord\Update.exe
C:\Users\Admin\AppData\Local\Discord\Update.exe --check https://discordapp.com/api/updates/stable
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4084

C:\Users\Admin\AppData\Local\Discord\Update.exe
C:\Users\Admin\AppData\Local\Discord\Update.exe --update https://discordapp.com/api/updates/stable
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4024

C:\Users\Admin\AppData\Local\Discord\Update.exe
C:\Users\Admin\AppData\Local\Discord\Update.exe --check https://discordapp.com/api/updates/stable
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4688

C:\Users\Admin\AppData\Local\Discord\Update.exe
C:\Users\Admin\AppData\Local\Discord\Update.exe --update https://discordapp.com/api/updates/stable
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2844

C:\Users\Admin\AppData\Local\Discord\Update.exe
C:\Users\Admin\AppData\Local\Discord\Update.exe --check https://discordapp.com/api/updates/stable
4⤵
- Executes dropped EXE
PID:4140

C:\Users\Admin\AppData\Local\Discord\Update.exe
C:\Users\Admin\AppData\Local\Discord\Update.exe --update https://discordapp.com/api/updates/stable
4⤵
- Executes dropped EXE
PID:4496

C:\Users\Admin\AppData\Local\Discord\Update.exe
C:\Users\Admin\AppData\Local\Discord\Update.exe --check https://discordapp.com/api/updates/stable
4⤵
- Executes dropped EXE
PID:3576

C:\Users\Admin\AppData\Local\Discord\Update.exe
C:\Users\Admin\AppData\Local\Discord\Update.exe --update https://discordapp.com/api/updates/stable
4⤵
- Executes dropped EXE
PID:1972

C:\Users\Admin\AppData\Local\Discord\Update.exe
C:\Users\Admin\AppData\Local\Discord\Update.exe --check https://discordapp.com/api/updates/stable
4⤵
- Executes dropped EXE
PID:740

C:\Users\Admin\AppData\Local\Discord\Update.exe
C:\Users\Admin\AppData\Local\Discord\Update.exe --update https://discordapp.com/api/updates/stable
4⤵
- Executes dropped EXE
PID:1268

C:\Users\Admin\AppData\Local\Discord\Update.exe
C:\Users\Admin\AppData\Local\Discord\Update.exe --check https://discordapp.com/api/updates/stable
4⤵
- Executes dropped EXE
PID:4048

C:\Users\Admin\AppData\Local\Discord\Update.exe
C:\Users\Admin\AppData\Local\Discord\Update.exe --update https://discordapp.com/api/updates/stable
4⤵
- Executes dropped EXE
PID:372

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x464 0x3a4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:452

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2392

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffd4f0aab58,0x7ffd4f0aab68,0x7ffd4f0aab78
2⤵
PID:2852

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1868 --field-trial-handle=1856,i,2638293953362121338,5978362690728009122,131072 /prefetch:2
2⤵
PID:4432

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2096 --field-trial-handle=1856,i,2638293953362121338,5978362690728009122,131072 /prefetch:8
2⤵
PID:4016

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2280 --field-trial-handle=1856,i,2638293953362121338,5978362690728009122,131072 /prefetch:8
2⤵
PID:4692

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2972 --field-trial-handle=1856,i,2638293953362121338,5978362690728009122,131072 /prefetch:1
2⤵
PID:4048

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2984 --field-trial-handle=1856,i,2638293953362121338,5978362690728009122,131072 /prefetch:1
2⤵
PID:2052

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4372 --field-trial-handle=1856,i,2638293953362121338,5978362690728009122,131072 /prefetch:1
2⤵
PID:4656

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4552 --field-trial-handle=1856,i,2638293953362121338,5978362690728009122,131072 /prefetch:8
2⤵
PID:2328

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4716 --field-trial-handle=1856,i,2638293953362121338,5978362690728009122,131072 /prefetch:8
2⤵
PID:4660

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4548 --field-trial-handle=1856,i,2638293953362121338,5978362690728009122,131072 /prefetch:8
2⤵
PID:3836

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4656 --field-trial-handle=1856,i,2638293953362121338,5978362690728009122,131072 /prefetch:8
2⤵
PID:1340

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4944 --field-trial-handle=1856,i,2638293953362121338,5978362690728009122,131072 /prefetch:8
2⤵
PID:4976

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4720 --field-trial-handle=1856,i,2638293953362121338,5978362690728009122,131072 /prefetch:1
2⤵
PID:2700

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3400 --field-trial-handle=1856,i,2638293953362121338,5978362690728009122,131072 /prefetch:8
2⤵
PID:3428

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4236 --field-trial-handle=1856,i,2638293953362121338,5978362690728009122,131072 /prefetch:8
2⤵
PID:1500

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4568 --field-trial-handle=1856,i,2638293953362121338,5978362690728009122,131072 /prefetch:8
2⤵
PID:1276

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=3468 --field-trial-handle=1856,i,2638293953362121338,5978362690728009122,131072 /prefetch:1
2⤵
PID:4524

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3144 --field-trial-handle=1856,i,2638293953362121338,5978362690728009122,131072 /prefetch:8
2⤵
PID:2740

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1720 --field-trial-handle=1856,i,2638293953362121338,5978362690728009122,131072 /prefetch:8
2⤵
PID:1276

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5128 --field-trial-handle=1856,i,2638293953362121338,5978362690728009122,131072 /prefetch:8
2⤵
PID:2104

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5136 --field-trial-handle=1856,i,2638293953362121338,5978362690728009122,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:824

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3400

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1852

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2888

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.Locky.zip\Locky
2⤵
- Opens file in notepad (likely ransom note)
PID:4652

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3620

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.RedBoot.zip\1001a8c7f33185217e6e1bdbb8dba9780d475da944684fb4bf1fc04809525887"
2⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
PID:3656

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
3⤵
PID:4872

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=6CE53D7D2458B66CFF3DBE2124E71035 --mojo-platform-channel-handle=1764 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:2400

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=70AB40BDA7E8795A44E4563BAF87AFAB --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=70AB40BDA7E8795A44E4563BAF87AFAB --renderer-client-id=2 --mojo-platform-channel-handle=1772 --allow-no-sandbox-job /prefetch:1
4⤵
PID:4536

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=EFCEB253BBD6F3F50A8A04281583B254 --mojo-platform-channel-handle=2340 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:1940

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3840

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe"
1⤵
- Drops startup file
- Sets desktop wallpaper using registry
PID:1968

C:\Windows\SysWOW64\attrib.exe
attrib +h .
2⤵
- Views/modifies file attributes
PID:936

C:\Windows\SysWOW64\icacls.exe
icacls . /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:4484

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:3696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 168181715357358.bat
2⤵
PID:3000

C:\Windows\SysWOW64\cscript.exe
cscript.exe //nologo m.vbs
3⤵
PID:4648

C:\Windows\SysWOW64\attrib.exe
attrib +h +s F:\$RECYCLE
2⤵
- Views/modifies file attributes
PID:1216

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected] co
2⤵
- Executes dropped EXE
PID:4568

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\TaskData\Tor\taskhsvc.exe
TaskData\Tor\taskhsvc.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3920

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /b @[email protected] vs
2⤵
PID:4964

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected] vs
3⤵
- Executes dropped EXE
PID:4648

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
4⤵
PID:4496

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
5⤵
PID:2648

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:3576

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
2⤵
- Executes dropped EXE
PID:4832

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
PID:3636

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "bbnbuexzwbcz676" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\tasksche.exe\"" /f
2⤵
PID:3940

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "bbnbuexzwbcz676" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\tasksche.exe\"" /f
3⤵
- Adds Run key to start application
- Modifies registry key
PID:4776

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:5068

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:4032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Discord\SquirrelSetup.log
Filesize
54KB

MD5
ded1c30b013f2fba871db0f6d55bdd39

SHA1
dd9da057e23e70aad121740d0255f22df06b4ec4

SHA256
dbe6562320fa82ac0d319b1f6a03304d437f796b3002570111d4ab42d4fcb0e4

SHA512
9c3dfc699fc91ac5d6c517754798772383865a305a8e460896a1f23006867c975a23112d31a3c0bf41612c1ad6d25aa072c8a35b2093ddaea7941f5ea6c86a06

Download Submit
C:\Users\Admin\AppData\Local\Discord\app-0.0.291\MSVCR120.dll
Filesize
940KB

MD5
765b004d0d78f2c3b84d468f6cc310f9

SHA1
a9c588e2f2929d12bb2c831296815793f3e15131

SHA256
86568f26f33a43fb950e67351e2c2e92d6e3fc5c5b30be4db29788d2102a12e3

SHA512
48ccd6eed08b639f703386ef5c23486ee78b99a52629dc11c693a51f82077ea74fb684d348597daaa8e1335d8fa938d76586ecc5b5e629712b18fdfc2438b74d

Download Submit
C:\Users\Admin\AppData\Local\Discord\app-0.0.291\Squirrel.exe
Filesize
1.5MB

MD5
f2dfb0f61cc772923a37645898274c5c

SHA1
1051a5c2c6388b8d2835ebd9cb86a7736835446d

SHA256
9b6cd0dd9ea9413aeaea6261d45386a6817e144e002c3cdfd5ca5bbd47e8b919

SHA512
8c06c7ef00effdb71530124d416df787415feeb286e2d06dc064f5023d772add407972466ec87ec28cbabe7d439187ba66efaa3b911be4da8f5340fe7c638b47

Download Submit
C:\Users\Admin\AppData\Local\Discord\app-0.0.291\app.ico
Filesize
361KB

MD5
7568b6c37938a6d4fa1cb12c360e24ea

SHA1
2a16b212e677ec9ee2ca568dfccdafdecf7c69b0

SHA256
e6f5ea9bd0a7943d967a30bc8585593b69a11117496d684ab26b9a909383ddfb

SHA512
6e52f586b7c1363344fc3f19f1f9343c886634751d1fa0470a7023f010ab81be9c102c140dd143888761e8b2d16e38a5aee8f9915d27b5fab85ca88cfc065e87

Download Submit
C:\Users\Admin\AppData\Local\Discord\app-0.0.291\content_resources_200_percent.pak
Filesize
15B

MD5
7c321056f805aabd5a503821fa1994cd

SHA1
9c690875c9189c66c93ebd4c0971739653bccd19

SHA256
261e6aad3ad0a5f608b5694919ee39026c4c3eb4256540068f7c1aa46be9315a

SHA512
8a5f4b3726e4513251475ac470f86f0daa0d5ae42bb750019ce96ed871cb04a7391cea2cef79e67c585e3a982041575e60d0f79b3a5bb9ad09be53362787f090

Download Submit
C:\Users\Admin\AppData\Local\Discord\app-0.0.291\content_shell.pak
Filesize
9.1MB

MD5
dc5414d9ff517169faba23a5d8f50888

SHA1
33cd50296fa708534bda3eae4d62de020a50fa43

SHA256
ec7b6dbb3c64e2684f378b16388ff50acf463410b1876092073d7e03b35250c0

SHA512
75d785e21fd00fc040e6fceece1b692d84f8ab89ce069999720ebe8e6167774299da59d811d91531e0233c7e8f5d6887cd749ce14ee4351cb4bc3befcf361024

Download Submit
C:\Users\Admin\AppData\Local\Discord\app-0.0.291\ffmpeg.dll
Filesize
1.7MB

MD5
64fbc221a5b0f3e2d04a439cbf1b2839

SHA1
0c4ddae4fbb854169ecfcbd28b747293ea5fcd07

SHA256
1edd6fc2d4f87a24dee17104553e1c2ea2280a06066cc0026aa86fe8ecd3187a

SHA512
4205c6846eeb58541bc410825e788c0650bc54809067a4729183d4ef34fcb54478fcedf25b99a69f46b330ed62cdeb6d8ed8edf6adb8f7f8cdd82d48749aad57

Download Submit
C:\Users\Admin\AppData\Local\Discord\app-0.0.291\icudtl.dat
Filesize
9.7MB

MD5
d03ad9a1189d190119209072d048e428

SHA1
aa954098e3ae4c00f67bace45b39a7b4a8242c6a

SHA256
2857fbe46d007307b1e204c6eb1b7e4988973b958ec8edb07445988f332c1ab5

SHA512
4f73a2c0ceef525e5947dc6eeb7608db40e535eeadb37d83842bdd638eb4d9114f3654d8094c0b72c66ae4bb0214b0947cd4fe2b56426f778c07f3cac5faea21

Download Submit
C:\Users\Admin\AppData\Local\Discord\app-0.0.291\libdiscord.dll
Filesize
2.7MB

MD5
7f2c301a1edbe35cf2ff558818fa98d9

SHA1
1e6ded77ec4c345d5e09f2a22a08b9b255cfe058

SHA256
c3e585d5da30afab2ef431ec14e931af6ff1ac2b885977e9873a46efd14d2db7

SHA512
2f95a4c5619304c47a1d808797b96c1c2447563960be804a49f88db25e2ccd34608f6c51b8c75b47946d158a275ad1d935aa5e1fd09d7ff105d7da9aacf0bbac

Download Submit
C:\Users\Admin\AppData\Local\Discord\app-0.0.291\locales\en-US.pak
Filesize
3KB

MD5
b283164059f28057ebb422f1479302fe

SHA1
a896cb901ff74825b236d56274df8c739b0373ee

SHA256
238e9d6dd238521be01c4187a97226dc20ebafe0560011aa7e4bdd72b84a41f9

SHA512
a3a4d8167383fcbd1bbe5ca4c2bb6a46a59cc3f1f70a0235ba589c4495b72bd2d01f3c9b7ef149be7bc5d4e8e8adffbd3edef0156c3a86459b96f4c32c57fd9f

Download Submit
C:\Users\Admin\AppData\Local\Discord\app-0.0.291\msvcp120.dll
Filesize
436KB

MD5
772232b5f8da4f3856c69bf83b3ae8d4

SHA1
46b3ec59eaec869a4f44952a1426628c243b544c

SHA256
0b52bea068520215e1a11c2751bb63f49025ea1a8a3080ee045f3565e3f3ef53

SHA512
105c49b8cf32859ceae4177327915be2c4789efa5363b446fd88fd8a24a1f27f1a8246f3edadd9c64410a51eb5a267eb71fe08f74d2098546297ef5e1097ede6

Download Submit
C:\Users\Admin\AppData\Local\Discord\app-0.0.291\natives_blob.bin
Filesize
402KB

MD5
8f4d6515f4d321313a39a659c3c5ff01

SHA1
f4c95f1abd24c715a3dd4b3e4c9cff5decda7250

SHA256
7d9c0c4d88618bdd16bb0681fdec1dd736e2ed1141ae527a27b22fb93f27848f

SHA512
3c00eb9a8ca8d076140df0071cfa702e1c032edbc20481bb7f7b7a88c1a82c959b8ac901182c2f9d235f55b4528c8e12b1e765119f1e784645c61f66c1c2b007

Download Submit
C:\Users\Admin\AppData\Local\Discord\app-0.0.291\node.dll
Filesize
10.0MB

MD5
6e41cad26b142efdf1f0644874af48ac

SHA1
3a673448b8e58f7784439f733cc3f317e85fe545

SHA256
eb98a24d60748c8fd92ab9586da4a7b9ba329f941ed6996bf43f81b774991373

SHA512
b67787382ba7350a70b9143a8c5b2f5d3f40991e81c87edb02b8f2c936f6e723c9baad8bb58523a107ab6213edb1181335be49e5432590b6e61c75160163d9ca

Download Submit
C:\Users\Admin\AppData\Local\Discord\app-0.0.291\resources\app.asar
Filesize
12.1MB

MD5
1c5a27290af19a33dd11a72e8127dbf9

SHA1
876b7a777c607207635444a225167550af9df35a

SHA256
cb0cb9beed745c85160470100f6c04ce1c849605d1ba6464ff3c8c94d83b12f1

SHA512
b4836c7b9795969c6689a862c237bcec4d9a2243aa68ef926cc436c3f86d6e1b12541ca63368ac4fcb9083a0f28eefd6a18869df6204df66f5c34b19a2a2b557

Download Submit
C:\Users\Admin\AppData\Local\Discord\app-0.0.291\resources\electron.asar
Filesize
161KB

MD5
08bece427f9b4b5590f1278445a2887c

SHA1
a4032b07f69f384fad55effcd3997c86195a8c48

SHA256
eb624b6749c661edb835247152c143b9da5a8dd6b8b668915d7756a863b96ca4

SHA512
0b0e65012b5aa1f47c89f2d2ac639717e95460579bff8923adbaa0e6f2a9f0be82c6f9b13e2c9d0ba36afb819956cca6b887925890d9797f5248a3c6f6ff9db0

Download Submit
C:\Users\Admin\AppData\Local\Discord\app-0.0.291\resources\node_modules\discord_toaster\discord_toaster.node
Filesize
239KB

MD5
4fb01836032735873004e1f7ea1a088a

SHA1
6622a1f87bdee811d70bbd703235dd7c06af66d4

SHA256
02e69fa98b745566040259afa50d2bab78681305275891ac5084357fb761a6f5

SHA512
91e0f30e9c03cd5e5302a76092a976f92a35489acd296a169598565a2c95283a50cfe527d78e70f713a9d15818b003cb29fc55f234f0fca73f83213c66bd8f58

Download Submit
C:\Users\Admin\AppData\Local\Discord\app-0.0.291\resources\node_modules\discord_toaster\index.js
Filesize
636B

MD5
91f1b5cf0692cb31a0d9a6a17689188e

SHA1
9f04c821cf82a9191b5888045ab5c5e521e11c74

SHA256
fba0c30dd0441f990f19cc3e9b1f3463aef47b2f9b5c0a1e76d7a3a2fb6d7047

SHA512
5153753b93691a4fc1a5cf32e4d9ed78269c0bf4eff5a4b910e2beadd60116d7bee1ce2ad9a036e511d13433a9236537e107ab39315f8b4d19339ba8018156d1

Download Submit
C:\Users\Admin\AppData\Local\Discord\app-0.0.291\snapshot_blob.bin
Filesize
474KB

MD5
eb663314b69a1b6360f1feec17032749

SHA1
a70d9ca90e061150cc909743a30076d17064a72b

SHA256
55a1ff1967fb75c2113221f180638861159db8dbfd04129d376311f953d43654

SHA512
d15231c460a30b185141213e7ee338e738edd3d0e93a25e3c1e046de01cb23769bd42b8df7e6f50daf55b2743cdd13c1a6528c5c152f7fe7565b5db934171fd6

Download Submit
C:\Users\Admin\AppData\Local\Discord\app-0.0.291\ui_resources_200_percent.pak
Filesize
77KB

MD5
36d066788d56a024a41c61e61efe53f0

SHA1
e3272cfb326771b66c316dc9f1c5dbb24aa756c1

SHA256
cec4c4fb02a5d631fddf0d46667fc26d320cac19b75c5bccc4917344b3225422

SHA512
10fd56fda15372d57d99ea48ffdaaaf8feca4654dd71dddc186d3d4ee908ce25ec0771b1609c8534d755eaaf43a9506f76a881728427d828ca7704bf65b4b43d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
2KB

MD5
bd7fa0aecc8a08698c94d6283dd75616

SHA1
0fbf403de024e90d0b6b6a1fb0bf840fd1e336c6

SHA256
77ee7e352058e80ad462248aec2d92f29ea9b826bb647cad4e7b0d2c3bf3c210

SHA512
34946b7dc92c10369c8ed4e7518f23748c7f4c32037ae0c482803df7280d30bcf65d0e5c6bccd415ee93f3ee0a9470fe25f0a7e513e6baa591b3e5365e5c6218

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
50a6a516ed29a6d1c527399b48589281

SHA1
51ab2296ea9063931082710b8aef12ab9a6285ef

SHA256
f390b1c4c5191687f68168ca5a7727a846d230930a57c7ad51b81ce16948f050

SHA512
7fc564d39c55d975c52c0e975dcfce7d3f7b68abe274fb11f1c1e3cb3cd3e61c9cbeca28259512a1c31903988d1101a3e2d60ca5d2904c5306c180bbae921b50

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
3KB

MD5
6ed2ea2c107c35bed3abd8eba19f1bc8

SHA1
fb38ebed0ef4aff8dd6861e8815de92bbc365caf

SHA256
8b6e6c74a971782158f3b344786929e848210d537a8f11dfaf7f99189a83a5d0

SHA512
f56e93a1d65e03ba855af4c60670dfe9735ae2a0e97de6a9d62d611e7e56f290a8ecbb888423ffd9af8e29b45e7dcbb3d7d5d1e538cfc5a50ebc03df1cec6e33

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
3KB

MD5
5a80203976f00b3d402cece433306617

SHA1
61c20a62e014e1e3accde1afe51e23596ac4bd7d

SHA256
74d573d4a7af797579fdf68a3232a95dc9df03073ea9fcee392eafc2e3e75b20

SHA512
2eee174e7aeeaba4dd9e236ed72f0052b35b5c0c4d28769bfee5a3e672805938357c93449824f52a7df69921ec8fb90176c32ae2aa034fd4844cbfe8b62cbb22

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
5cdd6cc8f39804c4e132a764b8fbf199

SHA1
ee8448d2bc10c3789eaa528d46e51398a6bce2b5

SHA256
45d5770f965a0b5dbd45913a6e4ce02791de630c8bf805afad89f169b5b2d5b3

SHA512
d5acd847af2b3548c6190d0696280d70dc4c60f4453414487832420a2845a3e93af95fa3832befb9e0caafacaffaef8abec7479f2f02df2095146afbdac28e63

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
ba92505a6fbf4cc97cbb98dd14be4277

SHA1
9fec0ba7f0ef64f71cd4d86c3581ca83ba4db74f

SHA256
e91a25c5e7b1b3b4a2f7bf93c327863f282a822640fed86db24d7a8e5f1d573f

SHA512
d2dae25f196ab77a58e158bc9efcf577f03f892f0f1ce9197a907c210b3b95833104aa81f8ddfa04beb75c781fb3b3bfa59fe0d5c0f6352b260e2767fa49c9df

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
ae727917a5306aebe1bedf18a4fd1044

SHA1
9a3b5ff44b268a2150b9a3e40bb6b12b229717f1

SHA256
9d4f69701fc0071e378a95bee33a8b54c112425d135edbaf69faf2bfe212ded5

SHA512
7566a5a661a5ad88242364bb429909450f7ee9daafe907183a728a644aca5e69788b7336435899ea53f979fd5ca17d6c3586a83d8b8e9dc5e06060c70f7de9a2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
356B

MD5
7dd254913bfe38f8576b6b271163cb45

SHA1
c0bcf20e537bffa76112d6979c3dfadbd523ba39

SHA256
6d39446d203c81bf3eb9e9a12c4486bd9c15d0750cf7fbb52f6432dce2b09612

SHA512
f168e181922bbfa0554cc7f6c5b68c28429cf74bdbe24ff5230b2ea66a630c603513e485428eed9b013eadd2c058d11a26f85828ff8208a4c043902619fc43c2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
69c5f372bcd042a6f4c660ed5f2f189d

SHA1
fc6dfc9c18b9aeb8f1371e07c07bb206c54346e0

SHA256
635dda29ec79523e68430c128fbb02f9842e6247b2453d81b06f14e0ecfdf5ca

SHA512
3054ff2a0a68cd2e99faf7304bd197c28be1e0cb2526ab4fef638e3c229a98f45787f5cb3b60bd28197dc64e410819fff4776839100ebf829b8dc74d4da83a23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
356B

MD5
d1a441cf28e269d84936492fb37d9128

SHA1
83ad8f53d01364b293452631899703e181f0b7e8

SHA256
735e132394fb163fec382c208f3121533da8a90e851413493d63cfa2c7c69af5

SHA512
6fc55b5a4fb76144f9af743c2ea550f21a2e99a3d5ce71ad716eac24c8cbf43667b621b712e6940d216788b6ce95d6d2cd4c2ceef9fadb6092f28b1ec97b82c1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
91972a2f5e3867c5779d04d7c0cb79c2

SHA1
0e2645a05912c558b14076c0900c6ffa461b0416

SHA256
ad1700ee1e4ae9f7197add14a5e90d09ec26ff148edaa0e11586cd0d7e7c0968

SHA512
c6f40236c0132198bceea649248b0dc355989c53bf525e328503d43365924e48ce15da94574cb18f5adbeb0cbccbf844060b7f774ce6942f553992e5efa81716

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
32206ad73eafae583801f1e056b9f981

SHA1
4fbfeaf3f79698f07af7bb97ad4bed63c8e3ee7d

SHA256
edeac87a1208bd32d5699d0f89e5a4d8a1c2e3316a8415b371c4b89f9774232b

SHA512
8587888c98974cc7bca97b814780682624b0eec2debd6e1d2ac82fce43ff363d76af18eefefe2941e6874711d0e3cd5a14efdc4e4aff23ddb6d34b9b43a2f0fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
7290fc23f7f7b897181e0e699e7f7eae

SHA1
05568a0c7cefd8bebdd2c8003767ef71fb2d61d4

SHA256
c832863bfc877d64272cc8732adb139025836b73ee51c9feee1339603a0e3b18

SHA512
bc59dc40f30f46217218c387c7ca6690049e5757eeb69e38776db4d1aa782824abf7d1127dd7db92a6ce78f48ad15580458f56d353a3f3f9e84fa2ee8cae5702

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
6659c69b881b0252d5ea13803267b6eb

SHA1
e73acc2e56aa4c962c8eacfc930b91345de30391

SHA256
f0ccef6124a973349c85bc32d1be39e82d7826dd2b23e0833630a81a17b8f4d8

SHA512
540a9f93d2ac3369b88bbfd83f549aa5f7b9c9d6e86120047dec8dd24b0e9849d891b0e6fcfef6d3871a87102df341889f83c1cf73df88c81cdc83f12fe3daa9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
b80ed88368f7267a9478d0e6e28c5e46

SHA1
d6fa757fb32af05a7251a5be5135be44b5b3c0b0

SHA256
d8f95173b8d6f11c23b026d6272e583d10592e87ec4b3f411aba7a735f737a77

SHA512
e63599cc6df3ec02c34d47c0ae8fd328a4edef153bfe1cf7ac7172a5882b48a439ad76eb754dc5d5152cbf832f0b0b75f08a57dc520f91c6caa00d4fb10bcb80

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
0780a19d0128201080bb574111945f5c

SHA1
61934fa56683cfde233625a95c1fe42b1ad7050f

SHA256
3dba40b23e91dcc50b971c14d09e553ee35b5d0c93d9f20da1457ce905074498

SHA512
7d801a82bffe02c02f9e9249eab003827fddfea3dd6b4097e326e4987637654e52b7093fc73a95bc86c4e979f05f498c907f92d7c237aea1b26f9acda324c25f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\e5dd2a1c-3a4d-44fd-84ec-b5b21d9e02c8.tmp
Filesize
6KB

MD5
145a429f7eeb70cf1102d168320c5a39

SHA1
7ab805e0107507bcb722a8e185ea660d649e1dd3

SHA256
f87f1cd9e9f0221e3dd8b8979324a211961694e290de5d830ff47d572d76f199

SHA512
1794412c124244dcae5208a89a4836569a5fa90ec725b46719365740193d29091488cf4c29f503865b7bd82c83f1ca611b99e27fff29d8f8f0f077d98bdcf548

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
257KB

MD5
633cd91e1a27aa40743eeef2851ad4eb

SHA1
865e2daced7f5ed952101713407bcd6ea244fdfc

SHA256
6faa6775e23cecb9b111b5e579ad2f0452960545bd77985ec14dcb6d03eb6db3

SHA512
375f2dd952a2b4a78e88d429bbc736487de60c0b2d24ad86dd0175d66f1f4511d63fde886ce8470d503ec09036d967281d4b861c67f27bd30e8e9e6ce74c601d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
258KB

MD5
ecbc775cae5603d354a3a223d09b62e2

SHA1
2312b545a13cebd201fe2532f1867dcb75924444

SHA256
fafb69b071ade91366cd11146cba404aac639b58bf34f0789a3bc482cae069b4

SHA512
a9c3172a31f02af199619a4b305228148a6f8af5db59838feee28b58d4dd70e5e9a55255c9da23e509098810d922fa5cad8ed04ca32866932950e872ff93670c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
258KB

MD5
4000846311df9240647d52080fa12e99

SHA1
1ce519ee10f915a24a92b918b241654a60a5d645

SHA256
8ff4da2a10442e3d3801ea4b5d5be384d3bf5c2fd49a08021ae0654823477b7c

SHA512
5b63f095d30c5a90eb8a5e91f0684ff5baaf2881c221b61525b5e4b97022a1016af03eaa10b16530162e354ce4c344f3d5441b68a40ee8a1dca9d581c9efd2be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
278KB

MD5
ce45c89ae39f7469689599242a994537

SHA1
625b386b52afe426ccfe3070c3a289f1b9682745

SHA256
3f7461f1f5975905fa2c05136f51a2dc1d33b462bb3479098adaa810627509df

SHA512
d4ade26411af402b65e38f77fbd871e2635c9446d66d8a30c4226bdc0f2156b833d7779378e8ee3bb1bc6fcb254efb57f6eae9d157e716d2a70ef503f0673dc1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
100KB

MD5
aefc05410c5d445d2bd9758b22c612c8

SHA1
23eefde6048fab57f3f80130cf63cea202b66e21

SHA256
c4d119d732063910089a0fd157b19daa2a5c90909a425520dd3e1a6803024168

SHA512
3effe15c8d9c78ce0cb3e0d89f2b8e8e9b49fa73b594dc34c19ec8d0de05d2cc0e332c6b649dcf9f8e58a09004d61f763bcd94dead939d4ea94df9614e0f81c8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
91KB

MD5
22fe3a8b714cee44dc5795441977d18c

SHA1
bab0b0df50971bdbb498689e1026cbb5a281e8cd

SHA256
351b5ddae9c1b7dee29858920ab694f833ca7d25589e241a034fd5840e03b1ac

SHA512
897cf87e33d559c2f752bc1302de193f5381f4fea3dc201f3716d0df9994b70010728119a4374230464ee919215699a704d9e0afee2a13d5c574b906d22cdf71

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe59c308.TMP
Filesize
88KB

MD5
d2296e6fe083fb5bf2bc69a0f6dffba6

SHA1
36a3aa98417cf15a84f29d32819accc9dbaa04b3

SHA256
34fe257a74fa532fa8aecae4f677db0c9cc0238b1a73c9835c056271139b45f4

SHA512
be61bc9aa1f91e1d0de8c2c8e65f47137e9e942d44c1613d87aa52c0e47682a2583f4568f60ad7bc4ba395935fbec3b316a77c136aeb4a3e00ff55bfb16cdf1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Update.exe.log
Filesize
1KB

MD5
6eb96c16eb677b6a8c1df381a0497a1a

SHA1
d4596baadc2d4bee89d57e1718ab30c0b7d563ec

SHA256
e96331392d474ca0fbc51036c7d55aa3a37aae6b074d50ebd106a277b0cb4097

SHA512
3d472d56ceb73a3df3f65eff6af088b3a81ab553153cbda925091500a6543cf83e84872f2bc81f218deddecd8f3c9868d784c2fe08ece95f915138becaecfb0b

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\Discord-0.0.291-full.nupkg
Filesize
45.3MB

MD5
a1a5a5e10e720817eaa0be013dcf8a56

SHA1
003141aa1d64ba93ce0734d405f07b0c65d5d6e8

SHA256
52fda1665b1cec0ee93a7eba354cce2fb58d31e5c4b4f92e2b2dfca9b1b0bbbc

SHA512
c03b989922b72ab548e100861336f1654f360f7de4908ba5989e05408a5cdff26ce637e08fdbbe6dec3f46062aab24397b2bf532473cacf5a4108bd25dffd2bd

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\RELEASES
Filesize
79B

MD5
a3870895c0cc2179f76d0e0b753cfcc5

SHA1
24f8b81c565e8d52c48e8f5ac88b92859dad63d6

SHA256
1b56a6f78c0b980725b9b18f0e1de71c722303de099c952f10906077301167d6

SHA512
eab1657b9c2142ac87f707d503010d267626a520b4e44b761d062c8ed5488e9c93b24e366d4007c5dd38dc297c6f31ec3bd24689674f2185317743ec9eb5b2a5

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
Filesize
1.5MB

MD5
3d543a652f0c3d796eeafff6d8ee1b27

SHA1
ad05909e33da1d5117c227278c5b0417981c1492

SHA256
e7efaf018f997faa25c740b06a1cff268dcaf57ac9eee33fee8229fe0bf50c1c

SHA512
13d6a2c8d28b77bfa5d166a37660627e97419da55c2542f8eadfed6c9aa199c33f015e57a330da3d34552d217558ced26d8bffe49bf4e61b2418dc477ad909cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\.squirrel-lock-85C390EB33B0482E084B6817215048ABA63CDC69
Filesize
4B

MD5
a7e0f8ac46398a7876d1e40dd52c2aab

SHA1
b66922b4e6f09e23c072e4aff49c67c3121dd5af

SHA256
05174bbf0d407087e45b12baae17117426852ff3a9e58d12a0ebb9a10b409743

SHA512
e6b93215582f7f4f5e9292273a9466b5d0cc3a4ea7d77ae42854203755441dd5edbefb11fe8890cae7783e41e2edbf61ec7b03d7e5e9870a7821d4016b095f79

Download Submit
C:\Users\Admin\AppData\Local\Temp\Discord Crashes\operation_log.txt
Filesize
1KB

MD5
9f6376545211237e2a852831d3bd8fdf

SHA1
9d71045267009c44cd150021a2c4faeb42fb3a81

SHA256
0f7bceae18c279b43c335062fb9edd117ca01adbad4df6705c5c1e700c085399

SHA512
2bf2d1444a1de005dfd87b1a4f3cd90b0d24bab6c81e73311e1189828744cac3c9ae97fcd687a56015aa7dfce250fd053dab15a0f57bbc451f0354ca45188ab7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
Filesize
933B

MD5
7a2726bb6e6a79fb1d092b7f2b688af0

SHA1
b3effadce8b76aee8cd6ce2eccbb8701797468a2

SHA256
840ab19c411c918ea3e7526d0df4b9cb002de5ea15e854389285df0d1ea9a8e5

SHA512
4e107f661e6be183659fdd265e131a64cce2112d842226305f6b111d00109a970fda0b5abfb1daa9f64428e445e3b472332392435707c9aebbfe94c480c72e54

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\TaskData\Tor\tor.exe
Filesize
3.0MB

MD5
fe7eb54691ad6e6af77f8a9a0b6de26d

SHA1
53912d33bec3375153b7e4e68b78d66dab62671a

SHA256
e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb

SHA512
8ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_finnish.wnry
Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Hammer & Chisel, Inc\Discord.lnk
Filesize
2KB

MD5
32a40961d79f9b67bc0dfe61e88419f8

SHA1
6b5f09f1070620fd8c22f15e817e40116c63c023

SHA256
f13c9efe04f65a5219c2aea70e4fde6ce57d2db0a81dfdf719c816f49405442a

SHA512
f810456ab5098914c9f2db025f133f714933197ef3ed318dcd4b2ac33c08d416580e46e6a70b14aa8260d3f780861aa5b5515cd321e296df13d9969aac9437df

Download Submit
C:\Users\Admin\AppData\Roaming\discord\@[email protected]
Filesize
1KB

MD5
601093e6f6f52af466985034636b61a6

SHA1
4ee31be4db548da5230a42e1d2b5e9cc45788607

SHA256
72f0d45ece0b5a0e006457019db99b8692b3013788da1fb55007de226ead9d38

SHA512
eefc8e85c6fdd8720361999320ce9bdef10d11906dbc1fff6296c8ca9340378ef5d604cfd0eaeb4b7fbfe2b4248bcfdaed6ea09ad110f828d7fd8375310b57c8

Download Submit
C:\Users\Admin\AppData\Roaming\discord\tray-unread.png
Filesize
1KB

MD5
b4f3da4e8976d181ebbb6b197bb55150

SHA1
55a6bed3be7893f89e34f988fbb5741dbcc4f4c4

SHA256
ffa5fff7eb0b91338d4ada7156bc342e2a2e1cfc1265dfb2cf965522ca43e264

SHA512
9966d199dbb57e2321a904e098b73e2a7b58f3450f9a7dc00fdbb5ac05d80dbdbf7bec7d559cb13c5dff942cc94905e2922c828abbd236cc03249e52a58b1efe

Download Submit
C:\Users\Admin\AppData\Roaming\discord\tray.png
Filesize
1KB

MD5
8336c5c34613d39e1ed154172039d1d8

SHA1
8e9c242f4987b192dcd078b463347a202ac84136

SHA256
1c2bbd7c7dd2f91a11471e405cf2ea886157bfcda660d00a93739018fd413fd5

SHA512
7a6017f73c9eaf91508b82cb766ed2cd08dbe7928dcb13c95a4e87e6350f766d02e2c1b79469f8207c364b67ff5e92a95b0cfe1d1df79ffb95ec833b25279045

Download Submit
C:\Users\Admin\Desktop\Discord.lnk
Filesize
2KB

MD5
5f821ed421b7a852ab50f2cff6b0b736

SHA1
054a71f63c8a9c5078d7f2648d0f56fcd07aee8d

SHA256
8d2a40a1e210f3aedc449eeb71cc3a2ce97028deb2f24ecec326b2bc266d7120

SHA512
6217cb3c1e9fa9ea6a35d48821b6366e604ff9a0a579b6656c58736f6bc6bfc174781adcc0eb0db2d0a40ae23cd04a27eb32be01d3059a42ad6a9d64f2fe5ece

Download Submit
C:\Users\Admin\Downloads\Ransomware-Samples-main.zip.crdownload
Filesize
15.1MB

MD5
e88a0140466c45348c7b482bb3e103df

SHA1
c59741da45f77ed2350c72055c7b3d96afd4bfc1

SHA256
bab1853454ca6fdd3acd471254101db1b805b601e309a49ec7b4b1fbcfc47ad7

SHA512
2dc9682f4fb6ea520acc505bdbe7671ab7251bf9abd25a5275f0c543a6157d7fa5325b9dce6245e035641ab831d646f0e14f6649f9464f5e97431ab1bf7da431

Download Submit
C:\Users\Default\Desktop\@[email protected]
Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
memory/392-321-0x000000000AC80000-0x000000000AD12000-memory.dmp

Filesize
584KB

Download
memory/392-328-0x0000000073970000-0x0000000074120000-memory.dmp

Filesize
7.7MB

Download
memory/392-9-0x000000007397E000-0x000000007397F000-memory.dmp

Filesize
4KB

Download
memory/392-11-0x0000000073970000-0x0000000074120000-memory.dmp

Filesize
7.7MB

Download
memory/392-268-0x0000000005AB0000-0x0000000005ABE000-memory.dmp

Filesize
56KB

Download
memory/392-10-0x0000000000820000-0x000000000099A000-memory.dmp

Filesize
1.5MB

Download
memory/392-263-0x0000000007F10000-0x0000000007F18000-memory.dmp

Filesize
32KB

Download
memory/392-267-0x0000000008720000-0x0000000008758000-memory.dmp

Filesize
224KB

Download
memory/816-326-0x0000000032500000-0x0000000032501000-memory.dmp

Filesize
4KB

Download
memory/980-248-0x0000000000750000-0x00000000008CA000-memory.dmp

Filesize
1.5MB

Download
memory/1852-294-0x0000000002B60000-0x0000000002B80000-memory.dmp

Filesize
128KB

Download
memory/1968-903-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/2280-351-0x0000000005F50000-0x000000000647C000-memory.dmp

Filesize
5.2MB

Download
memory/3404-350-0x0000000011900000-0x0000000011901000-memory.dmp

Filesize
4KB

Download
memory/3648-269-0x000000001EE00000-0x000000001EE01000-memory.dmp

Filesize
4KB

Download
memory/3920-2349-0x0000000072DA0000-0x0000000072E22000-memory.dmp

Filesize
520KB

Download
memory/3920-2383-0x0000000072E30000-0x0000000072EB2000-memory.dmp

Filesize
520KB

Download
memory/3920-2348-0x0000000072B30000-0x0000000072D4C000-memory.dmp

Filesize
2.1MB

Download
memory/3920-2351-0x0000000000330000-0x000000000062E000-memory.dmp

Filesize
3.0MB

Download
memory/3920-2347-0x0000000072E30000-0x0000000072EB2000-memory.dmp

Filesize
520KB

Download
memory/3920-2385-0x0000000072AB0000-0x0000000072B27000-memory.dmp

Filesize
476KB

Download
memory/3920-2384-0x0000000072B30000-0x0000000072D4C000-memory.dmp

Filesize
2.1MB

Download
memory/3920-2350-0x0000000072D70000-0x0000000072D92000-memory.dmp

Filesize
136KB

Download
memory/3920-2382-0x0000000072D50000-0x0000000072D6C000-memory.dmp

Filesize
112KB

Download
memory/3920-2379-0x0000000000330000-0x000000000062E000-memory.dmp

Filesize
3.0MB

Download
memory/3920-2381-0x0000000072D70000-0x0000000072D92000-memory.dmp

Filesize
136KB

Download
memory/3920-2380-0x0000000072DA0000-0x0000000072E22000-memory.dmp

Filesize
520KB

Download
memory/3920-2389-0x0000000000330000-0x000000000062E000-memory.dmp

Filesize
3.0MB

Download
memory/3920-2405-0x0000000000330000-0x000000000062E000-memory.dmp

Filesize
3.0MB

Download