Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29-05-2024 15:25

General

  • Target

    Convert_mp4_to_mkv.exe

  • Size

    290KB

  • MD5

    62878b796562c411dd59d57dc2076967

  • SHA1

    8f49669864e863ba3a081fe3bd10d88bfc01a10f

  • SHA256

    f3c1bfeb62067c797eb43f47daec11e72c0cbc85d5c26ca001caba5f2732d20a

  • SHA512

    49dd25c2c071376ccdf18ca2bc9d6c03a12226d1bd5e7cc04184d87b9e68c75cd4b4b3bd4d135ede3c821a65609ee26d97adecad9b89ccc5dfdc185d6c5b3795

  • SSDEEP

    3072:H4dzVTaer344JzthRZijQ1Jf12bj8E7bwcZflRVGLDyHzZLB3VDELbkWSecuwjZf:HmRHz4mnREj21g3J/bwGLjejjH6erO

Malware Config

Signatures

  • Chaos

    Ransomware family first seen in June 2021.

  • Chaos Ransomware 2 IoCs
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Renames multiple (205) files with added filename extension

    Consistent with ransomware encrypting files across the system and tagging them with a new extension.

  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Disables Task Manager via registry modification
  • Modifies Installed Components in the registry 2 TTPs 4 IoCs
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Drops startup file 3 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials.

  • UPX packed file 2 IoCs

    Detects executables packed with UPX or a modified build of the open-source UPX packer.

  • Drops desktop.ini file(s) 34 IoCs
  • Enumerates connected drives 3 TTPs 8 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Kills process with taskkill 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 10 IoCs
  • Modifies registry class 64 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 47 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 9 IoCs
  • Suspicious use of WriteProcessMemory 51 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Convert_mp4_to_mkv.exe
    "C:\Users\Admin\AppData\Local\Temp\Convert_mp4_to_mkv.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:552
    • C:\Windows\system32\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\3902.tmp\3903.tmp\3904.bat C:\Users\Admin\AppData\Local\Temp\Convert_mp4_to_mkv.exe"
      2⤵
      • Checks computer location settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:3000
      • C:\Users\Admin\AppData\Local\Temp\3902.tmp\MBR.exe
        MBR.exe
        3⤵
        • Executes dropped EXE
        • Writes to the Master Boot Record (MBR)
        PID:2764
      • C:\Windows\system32\reg.exe
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoLogOff" /t REG_DWORD /d 1 /f
        3⤵
        PID:1316
      • C:\Windows\system32\reg.exe
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoControlPanel" /t REG_DWORD /d 1 /f
        3⤵
        PID:3968
      • C:\Windows\system32\reg.exe
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 1 /f
        3⤵
        PID:3580
      • C:\Windows\system32\reg.exe
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f
        3⤵
        PID:3620
      • C:\Windows\system32\reg.exe
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "shutdownwithoutlogon" /t REG_DWORD /d 0 /f
        3⤵
        PID:3380
      • C:\Windows\system32\taskkill.exe
        taskkill /f /im explorer.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:748
      • C:\Windows\explorer.exe
        explorer.exe
        3⤵
        • Modifies Installed Components in the registry
        • Enumerates connected drives
        • Checks SCSI registry key(s)
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1576
      • C:\Users\Admin\AppData\Local\Temp\3902.tmp\Windows_Mania_WannaCry_Removal.exe
        Windows_Mania_WannaCry_Removal.exe
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2296
        • C:\Users\Admin\AppData\Roaming\Windows Defender.exe
          "C:\Users\Admin\AppData\Roaming\Windows Defender.exe"
          4⤵
          • Checks computer location settings
          • Drops startup file
          • Executes dropped EXE
          • Drops desktop.ini file(s)
          • Sets desktop wallpaper using registry
          • Modifies registry class
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:4040
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1424
            • C:\Windows\system32\vssadmin.exe
              vssadmin delete shadows /all /quiet
              6⤵
              • Interacts with shadow copies
              PID:3776
            • C:\Windows\System32\Wbem\WMIC.exe
              wmic shadowcopy delete
              6⤵
              PID:2468
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:5028
            • C:\Windows\system32\bcdedit.exe
              bcdedit /set {default} bootstatuspolicy ignoreallfailures
              6⤵
              • Modifies boot configuration data using bcdedit
              PID:2116
            • C:\Windows\system32\bcdedit.exe
              bcdedit /set {default} recoveryenabled no
              6⤵
              • Modifies boot configuration data using bcdedit
              PID:3648
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2820
            • C:\Windows\system32\wbadmin.exe
              wbadmin delete catalog -quiet
              6⤵
              • Deletes backup catalog
              PID:4616
          • C:\Windows\system32\NOTEPAD.EXE
            "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\README.txt
            5⤵
            • Opens file in notepad (likely ransom note)
            PID:2576
      • C:\Windows\system32\PING.EXE
        ping 127.0.0.1 -n 70
        3⤵
        • Runs ping.exe
        PID:5312
      • C:\Windows\system32\taskkill.exe
        taskkill /f /im notepad.exe
        3⤵
        • Kills process with taskkill
        PID:1868
      • C:\Windows\system32\taskkill.exe
        taskkill /f /im explorer.exe
        3⤵
        • Kills process with taskkill
        PID:2612
      • C:\Users\Admin\AppData\Local\Temp\3902.tmp\SystemBlocker_Interface.exe
        SystemBlocker_Interface.exe
        3⤵
        • Executes dropped EXE
        PID:2472
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\3902.tmp\voice.vbs"
        3⤵
        PID:5240
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:1888
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:608
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:2520
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:3576
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SendNotifyMessage
    PID:4392
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:5028
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4616
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Modifies Installed Components in the registry
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:2812
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:3972
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:2780
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4496
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    PID:4208
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    PID:5676
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
    PID:5088
  • C:\Windows\System32\vds.exe
    C:\Windows\System32\vds.exe
    1⤵
    • Checks SCSI registry key(s)
    PID:5116
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x530 0x528
    1⤵
    PID:3804

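The command lines in the process tree above can be triaged mechanically, and the chain they form (cmd.exe /C wrappers launched from a dropped executable that is itself a grandchild of the submitted sample) is what makes the behaviour attributable to Convert_mp4_to_mkv.exe. The following Python is an added example written for this page, not code from the sandbox report or from the Chaos sample: it unwraps cmd.exe /C chains, matches each command against a small rule set for the recovery-inhibition commands seen here (vssadmin, wmic shadowcopy, bcdedit, wbadmin; ATT&CK T1490, Inhibit System Recovery) and for the Explorer/System policy lockdowns, and walks each hit back to the root process of the tree. The sample tree is transcribed from the report plus one constructed benign control line (vssadmin list shadows); the rule names, category labels and verdict thresholds are this example's own choices.

```python
import re

# Rule set: (category, rule name, pattern). Each pattern is applied to one
# command at a time, after cmd.exe "/C a & b" chains have been split.
# Category and rule names are labels chosen for this example, not sandbox output.
RULES = [
    ("inhibit_recovery", "vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    ("inhibit_recovery", "wmic_shadowcopy_delete",
     re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("inhibit_recovery", "bcdedit_ignoreallfailures",
     re.compile(r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures\b", re.I)),
    ("inhibit_recovery", "bcdedit_recoveryenabled_no",
     re.compile(r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b", re.I)),
    ("inhibit_recovery", "wbadmin_delete_catalog",
     re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+catalog\b", re.I)),
    ("registry_lockdown", "reg_disable_taskmgr",
     re.compile(r"\breg(?:\.exe)?\s+add\s+.*Policies\\System.*\bDisableTaskMgr\b.*\s/d\s+1\b", re.I)),
    ("registry_lockdown", "reg_shutdownwithoutlogon_off",
     re.compile(r"\breg(?:\.exe)?\s+add\s+.*Policies\\System.*\bshutdownwithoutlogon\b.*\s/d\s+0\b", re.I)),
    ("registry_lockdown", "reg_explorer_policy",
     re.compile(r"\breg(?:\.exe)?\s+add\s+.*Policies\\Explorer.*\b(?:NoRun|NoControlPanel|NoLogOff)\b.*\s/d\s+1\b", re.I)),
    ("kill_shell", "taskkill_explorer",
     re.compile(r"\btaskkill(?:\.exe)?\b.*/im\s+explorer\.exe\b", re.I)),
]

# Optionally quoted, optionally full-path cmd.exe launched with /C or /c.
CMD_WRAPPER = re.compile(r'^\s*"?(?:[A-Za-z]:\\[^"]*\\)?cmd(?:\.exe)?"?\s+/[cC]\s+(.*)$')
CHAIN_SPLIT = re.compile(r"\s*(?:&&|&)\s*")


def split_commands(cmdline):
    """Unwrap `cmd.exe /C ...` and split the "&" chain into individual commands."""
    m = CMD_WRAPPER.match(cmdline)
    body = (m.group(1) if m else cmdline).strip()
    if len(body) >= 2 and body[0] == '"' and body[-1] == '"':
        body = body[1:-1]          # cmd /c "whole chain in quotes"
    return [c for c in CHAIN_SPLIT.split(body) if c]


def classify(cmdline):
    """Return [(category, rule)] for every rule hit in any command of the chain."""
    hits = []
    for cmd in split_commands(cmdline):
        for category, name, pattern in RULES:
            if pattern.search(cmd):
                hits.append((category, name))
    return hits


def root_of(pid, parent):
    """Follow parent links up to the process that has no recorded parent."""
    while parent.get(pid) is not None:
        pid = parent[pid]
    return pid


def scan(tree):
    """tree: [(pid, parent_pid or None, cmdline)] -> list of finding dicts."""
    parent = {pid: ppid for pid, ppid, _ in tree}
    findings = []
    for pid, _, cmdline in tree:
        for category, name in classify(cmdline):
            findings.append({"pid": pid, "root": root_of(pid, parent),
                             "category": category, "rule": name})
    return findings


def verdict(findings):
    """Two or more distinct recovery-inhibition commands is the ransomware tell."""
    recovery = {f["rule"] for f in findings if f["category"] == "inhibit_recovery"}
    other = [f for f in findings if f["category"] != "inhibit_recovery"]
    if len(recovery) >= 2:
        return "inhibit-recovery (ransomware-like)"
    if recovery or other:
        return "suspicious"
    return "clean"


# (pid, parent pid, command line) transcribed from the process tree above;
# the last entry is a constructed benign control and is not from the report.
SAMPLE_TREE = [
    (552, None, r'"C:\Users\Admin\AppData\Local\Temp\Convert_mp4_to_mkv.exe"'),
    (3000, 552, r'"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\3902.tmp\3903.tmp\3904.bat C:\Users\Admin\AppData\Local\Temp\Convert_mp4_to_mkv.exe"'),
    (3620, 3000, r'reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d 1 /f'),
    (3580, 3000, r'reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRun" /t REG_DWORD /d 1 /f'),
    (3380, 3000, r'reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "shutdownwithoutlogon" /t REG_DWORD /d 0 /f'),
    (748, 3000, r'taskkill /f /im explorer.exe'),
    (2296, 3000, r'Windows_Mania_WannaCry_Removal.exe'),
    (4040, 2296, r'"C:\Users\Admin\AppData\Roaming\Windows Defender.exe"'),
    (1424, 4040, r'"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete'),
    (5028, 4040, r'"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no'),
    (2820, 4040, r'"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet'),
    (5312, 3000, r'ping 127.0.0.1 -n 70'),
    (9999, None, r'vssadmin list shadows'),   # constructed benign control
]

if __name__ == "__main__":
    found = scan(SAMPLE_TREE)
    for f in found:
        print(f"pid {f['pid']:>5} (root {f['root']}) {f['category']:<17} {f['rule']}")
    print("verdict:", verdict(found))
```

Splitting the chain before matching matters: the sandbox attributes "Interacts with shadow copies" to the child vssadmin.exe, but an EDR that only sees the parent cmd.exe line would miss both commands without it. The root attribution is what lets a responder say the recovery inhibition belongs to the submitted sample even though the direct parent is the dropped "Windows Defender.exe".
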
Network

MITRE ATT&CK Enterprise v15

Downloads

                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53

                          Filesize

                          471B

                          MD5

                          2ce7fea23c098215902ac261c83172b0

                          SHA1

                          aca7bda26f80d3a4154b4f1cdebaf6d30c3eb037

                          SHA256

                          b0932339947184c6434ffe2d84ca045e94768e365ed727695756a8ae8ff781aa

                          SHA512

                          291811ed456b9a41b937fc1f54ab9f05995497b276e4f723b662456c2e18d928830e75950d95b123ceacb8acbf34611d7cf50ca234b65237862e8640df042bdb

                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53

                          Filesize

                          412B

                          MD5

                          ecff6a7041d9f095677d2dc0400e8626

                          SHA1

                          ee3dcf2eb8cdefc6a8c7d0bd4c6ed9021191282e

                          SHA256

                          330eed9943eac7eae5311030c1c709ba703b89a4563e4e99c690f2ac6917df13

                          SHA512

                          780331749f7b121f010e65a44944f903cc0b0937f5eb10e929777f5b624827ed69d7adfe5d250306639a8c21b2685c32969415b2bff958aa4ab4b1d102276672

                        • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\M1A8XLO2\microsoft.windows[1].xml

                          Filesize

                          97B

                          MD5

                          d41119748cb5d1d2b33c6ac63d425110

                          SHA1

                          6dbcfa37860a490beae2c8d95bc2a2290b323495

                          SHA256

                          6448a8580ce1994365ec765d296896e96261e4039537300dc67c8d7f523d8b0b

                          SHA512

                          9f4242889858cb996e7f72c3baaa9af2dbccc09a3531ca9ed24ebe82e2c54e210278092ebc1ef8cd6c73cc51a6c6744f0cc799808a75add2a22e7e648084d478

                        • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbres

                          Filesize

                          2KB

                          MD5

                          1314cdb1140aa53fa52a47f8ce4b1b6c

                          SHA1

                          ac184724c6b4be0ee0d646770a69472a5f13e70b

                          SHA256

                          e35b9883d556cce5767e5a35bb5a01cc89bcf5adefbeb1de30964022b8efe0af

                          SHA512

                          99ac1011c195cec95782e2477f3f772ecf4256cd6175a6940c6fea7ea8f00cd707811f7279994a5b9785a31988811232d0f8b8fa87ecccb13cf8743102b6a0ae

                        • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133614699848481186.txt

                          Filesize

                          75KB

                          MD5

                          34fa8b82a87070b84103551c3e9339a1

                          SHA1

                          18560da9bcdbb5189dd1fe60b8d382edc36bda44

                          SHA256

                          6c4a6d167f02ff9dcb0490b79e9ea13b940799a9d66fdf9d702d6d8738481cc8

                          SHA512

                          d91a6f6018282714412b20d689c88cd1816a1c9c87b4f649f737df0726f732c8e1f7be4e54ac1950f9ca18d9ce51d1aa8f70540471b69ad36353c24c350adfc9

                        • C:\Users\Admin\AppData\Local\Temp\3902.tmp\3903.tmp\3904.bat

                          Filesize

                          845B

                          MD5

                          0785859d5f83bf5807e578547200037e

                          SHA1

                          1138b2cce9781ff7f21581106e5618a4322e04a4

                          SHA256

                          6f9bd0980bc9df446a12d92013a9fbe33ff79cf35b27809418c5c16344b2fdad

                          SHA512

                          82c53ff7682b615844fe164a6c07f16b60a743e2b140ef3fd3f3094a22ea7a9974933cb6b8077d68348b1705ac87280709792f6fd5faa7bed9da632452525729

                        • C:\Users\Admin\AppData\Local\Temp\3902.tmp\MBR.exe

                          Filesize

                          9KB

                          MD5

                          3e3286fdcbe16763fe0624d83c075e0e

                          SHA1

                          e9cab7c4be74edefde1a86b95b155d8507b1bb76

                          SHA256

                          c3fac331c62e1838ccb2cdf958c7b3d437415d1650c919235adf437bd756f40f

                          SHA512

                          a396bb94eac41ed9d97d06208d28dc64757e7d3ec4e95a0434b922de6742fa65e136a3e316a8566c6465558aa4286face63bc40def41aebd7b8c920ad2948357

                        • C:\Users\Admin\AppData\Local\Temp\3902.tmp\MBR.exe.config

                          Filesize

                          161B

                          MD5

                          c16b0746faa39818049fe38709a82c62

                          SHA1

                          3fa322fe6ed724b1bc4fd52795428a36b7b8c131

                          SHA256

                          d61bde901e7189cc97d45a1d4c4aa39d4c4de2b68419773ec774338506d659ad

                          SHA512

                          cbcba899a067f8dc32cfcbd1779a6982d25955de91e1e02cee8eaf684a01b0dee3642c2a954903720ff6086de5a082147209868c03665c89f814c6219be2df7c

                        • C:\Users\Admin\AppData\Local\Temp\3902.tmp\SystemBlocker_Interface.exe

                          Filesize

                          15KB

                          MD5

                          076a44a9243d96ee076d2aba78fc3131

                          SHA1

                          1026e1ba3615d6a5a51e02918da2724409835631

                          SHA256

                          77231a229da0b98fb709c6c8c40dd916d7f29abb3279e1b6834c8319e059c88f

                          SHA512

                          4f9251b70bf024e13b2a1420a96736cef970b67685a47d3da4d0cb308b15651ee578076824afc79a6437d44e43597aceaa39799e805b119eb7470783124ed5c7

                        • C:\Users\Admin\AppData\Local\Temp\3902.tmp\SystemBlocker_Interface.exe.config

                          Filesize

                          187B

                          MD5

                          15c8c4ba1aa574c0c00fd45bb9cce1ab

                          SHA1

                          0dad65a3d4e9080fa29c42aa485c6102d2fa8bc8

                          SHA256

                          f82338e8e9c746b5d95cd2ccc7bf94dd5de2b9b8982fffddf2118e475de50e15

                          SHA512

                          52baac63399340427b94bfdeb7a42186d5359ce439c3d775497f347089edfbf72a6637b23bb008ab55b8d4dd3b79a7b2eb7c7ef922ea23d0716d5c3536b359d4

                        • C:\Users\Admin\AppData\Local\Temp\3902.tmp\Windows_Mania_WannaCry_Removal.exe

                          Filesize

                          381KB

                          MD5

                          690fe7edb2e1814ab9ac0f72d71cfef1

                          SHA1

                          2ce66689bc79ad64033b611e607e7679be6a1231

                          SHA256

                          a01d3c8333bbf5e19b1b8ec5729599d7e876c2683042213e538566f282f088e7

                          SHA512

                          796501da715155e29df0168e42b2ce7dba41b8e5631417004bcdb9c2c6e0cffd18b0aa050047cd3d60ddb77c4a3e39baacfd8dc09568eb5e01052b0c1ed465b2

                        • C:\Users\Admin\AppData\Local\Temp\3902.tmp\voice.vbs

                          Filesize

                          406B

                          MD5

                          3d8f5bc566c6517b691e8e04da9c085e

                          SHA1

                          db45e77dc279c9b97d4d23ccaa04578d84804436

                          SHA256

                          1064953cbfa62eea51c3e05f1679de7106f01b37347a420f54a91d8f9605e50f

                          SHA512

                          273600126b69370a380baee43be60db384a13d050110e7d2766187b3ad55722083301b9bcee61ac4180ebd0b44470045f7eb9ed61173b7891132478010949f20

                        • C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\File Explorer.lnk.sysblock

                          Filesize

                          756B

                          MD5

                          1e97dba0240624dfec17da125b0485a4

                          SHA1

                          a8c6e1c0a4a53801c56aaf6dce1f659d9d5c0dc4

                          SHA256

                          f6ff7b51fd7e948796a88c34a13330cf9f2f415063a0e6859cf3a0c17a725eb3

                          SHA512

                          04125de402752d9c981ee4ea977641c803c904121c6ee4db61e5378dbf11c1b3103cdd1338ffdb1a1fe284b53dac3e2bd5bdb389ab1d7c77b3b91068b5c8baef

                        • C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Firefox.lnk.sysblock

                          Filesize

                          1KB

                          MD5

                          8bc2910125e45c0f9b123e7441b686e5

                          SHA1

                          1ed591b5ad5814531bc7a2b460b3ebf01c8fff81

                          SHA256

                          43f32df5539c89e553cf6a841675e35207a8214694a417178ca36d2850bf94ca

                          SHA512

                          45c2f479359ab80c59a2d5aa18604394e1ecefd1e292c7fe52d455d29e5cd79e00a7f4e239347cd37d239d4aa30d771fdb63a397992a2b5fd20f4531859539bd

                        • C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk.sysblock

                          Filesize

                          3KB

                          MD5

                          a5b704cbdaa5a5bd44e037e2b6bb52a1

                          SHA1

                          53ea6824955504b70e2e340ea0eff65dd20e1907

                          SHA256

                          3655bd62d50bb88e76be2bfe56346694df95d104dbed0124ab7fa3c117fc9749

                          SHA512

                          524a76833b941de26055d39a7e59bad19d344a699d58da79ef903cff09edf4d1e84ec9ee3793c13501934a01008454871927fa8576d58b9766a038526cad577c

                        • C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Microsoft Edge.lnk.sysblock

                          Filesize

                          3KB

                          MD5

                          07d09b195d67d75636802dc3b82f1650

                          SHA1

                          c1b0be63aaab11e5df3aeccef951168863cd7787

                          SHA256

                          502b57896281688c783c30e2eaaeb84a6a826f405a6d65f918a0972fdd7297ff

                          SHA512

                          50d53b6df175b0ee1848c80b4c150f9268f17dcd3f3b82073c0f5bfda7401da1727e73970fe1d34c6c97a0acb5945ff738fe6d6654a2f0e670a784de01e3ac27

                        • C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_3C53147A29A041BDA49EF70B5C9F0A26.dat

                          Filesize

                          940B

                          MD5

                          bf332832163132fe65cabd659f7309de

                          SHA1

                          3a2ef4d88e244b3df412ab46db949d6d8239b11e

                          SHA256

                          b40fe4b9d89c0f8d9d965c77c0c896c004869ac9feecfce58cc1ac0af54b6c8c

                          SHA512

                          a08d0186b0d37dbf4b7b98e6763170fa452048f987a5594fa5e630f887e79b654cf55146456d090e510f929434a10a2b3010b434993e92034305302e8da6ca6b

                        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\UnlockAssert.raw.lnk

                          Filesize

                          578B

                          MD5

                          5f9b934ea9489bf7ae25d66868cb01ba

                          SHA1

                          1e8641cb9869b26b92240b49ef3f3888be579558

                          SHA256

                          7ec3763dee918ca95ea870b3d2db18053b32f19c75dd4712c64cf60fb36af905

                          SHA512

                          986391a166e6af48b4d04c4c5df6158ceab2ed11f03a3a594d1784bd57346050bd34ed13e2c7306df2bbd49025b6fb7d27d90b4d3ce0d4a871bb77e87717b0e6

                        • C:\Users\Admin\Documents\README.txt

                          Filesize

                          538B

                          MD5

                          96afef89fb98d6369d2aa9f93332acc3

                          SHA1

                          2365caa97ced4c3d452c7df5249c6e3090e47d7b

                          SHA256

                          1eaf097f068fb23de560e69655abaec0a5c42a233dd2f59b3ec337c011a03b30

                          SHA512

                          1bafb3094fbb2c6bb1f541e6ed7a975833335aeba17b9c875c7499050b39dc1ed2bb9e565ad44537774d7a1211b92ab7689b9385943474301859534f1429a2fd

                        • memory/552-0-0x0000000140000000-0x0000000140083000-memory.dmp

                          Filesize

                          524KB

                        • memory/552-151-0x0000000140000000-0x0000000140083000-memory.dmp

                          Filesize

                          524KB

                        • memory/608-39-0x0000000002AE0000-0x0000000002AE1000-memory.dmp

                          Filesize

                          4KB

                        • memory/2296-31-0x0000000000A50000-0x0000000000AB4000-memory.dmp

                          Filesize

                          400KB

                        • memory/2472-988-0x00000000050E0000-0x0000000005684000-memory.dmp

                          Filesize

                          5.6MB

                        • memory/2472-989-0x0000000004BD0000-0x0000000004C62000-memory.dmp

                          Filesize

                          584KB

                        • memory/2472-993-0x0000000004C80000-0x0000000004C8A000-memory.dmp

                          Filesize

                          40KB

                        • memory/2472-987-0x0000000000350000-0x000000000035A000-memory.dmp

                          Filesize

                          40KB

                        • memory/2764-25-0x000002611C160000-0x000002611C168000-memory.dmp

                          Filesize

                          32KB

                        • memory/2764-26-0x00007FFAD2F93000-0x00007FFAD2F95000-memory.dmp

                          Filesize

                          8KB

                        • memory/2780-363-0x0000028AA0900000-0x0000028AA0920000-memory.dmp

                          Filesize

                          128KB

                        • memory/2780-329-0x0000028A9F400000-0x0000028A9F500000-memory.dmp

                          Filesize

                          1024KB

                        • memory/2780-334-0x0000028AA0120000-0x0000028AA0140000-memory.dmp

                          Filesize

                          128KB

                        • memory/2780-338-0x0000028A9FDE0000-0x0000028A9FE00000-memory.dmp

                          Filesize

                          128KB

                        • memory/2812-328-0x0000000002230000-0x0000000002231000-memory.dmp

                          Filesize

                          4KB

                        • memory/3576-43-0x000002058AD00000-0x000002058AE00000-memory.dmp

                          Filesize

                          1024KB

                        • memory/3576-57-0x000002058BD20000-0x000002058BD40000-memory.dmp

                          Filesize

                          128KB

                        • memory/3576-69-0x000002058C120000-0x000002058C140000-memory.dmp

                          Filesize

                          128KB

                        • memory/3576-46-0x000002058BD60000-0x000002058BD80000-memory.dmp

                          Filesize

                          128KB

                        • memory/3576-41-0x000002058AD00000-0x000002058AE00000-memory.dmp

                          Filesize

                          1024KB

                        • memory/3576-42-0x000002058AD00000-0x000002058AE00000-memory.dmp

                          Filesize

                          1024KB

                        • memory/4392-185-0x0000000003ED0000-0x0000000003ED1000-memory.dmp

                          Filesize

                          4KB

                        • memory/4616-187-0x000001DFEDF00000-0x000001DFEE000000-memory.dmp

                          Filesize

                          1024KB

                        • memory/4616-219-0x000001DFEF360000-0x000001DFEF380000-memory.dmp

                          Filesize

                          128KB

                        • memory/4616-206-0x000001DFEEF50000-0x000001DFEEF70000-memory.dmp

                          Filesize

                          128KB

                        • memory/4616-192-0x000001DFEEF90000-0x000001DFEEFB0000-memory.dmp

                          Filesize

                          128KB

                        • memory/4616-189-0x000001DFEDF00000-0x000001DFEE000000-memory.dmp

                          Filesize

                          1024KB

                        • memory/4616-188-0x000001DFEDF00000-0x000001DFEE000000-memory.dmp

                          Filesize

                          1024KB
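
A host-side sweep for the file indicators listed above, as an added example for this page and not tooling from the report: it compares SHA-256 digests of files on disk against the dropped components, counts files that carry the added .sysblock extension on top of their original one (the "renames multiple files with added filename extension" signature, visible in the .lnk.sysblock entries), and locates README.txt notes. The digest dictionary is copied from the Downloads list; the directory layout is constructed so the code runs offline, and because no real sample is present the demo dropper's digest is computed at run time and merged into the known set.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# SHA-256 values transcribed from the Downloads list above.
KNOWN_SHA256 = {
    "c3fac331c62e1838ccb2cdf958c7b3d437415d1650c919235adf437bd756f40f": "MBR.exe",
    "77231a229da0b98fb709c6c8c40dd916d7f29abb3279e1b6834c8319e059c88f": "SystemBlocker_Interface.exe",
    "a01d3c8333bbf5e19b1b8ec5729599d7e876c2683042213e538566f282f088e7": "Windows_Mania_WannaCry_Removal.exe",
}
ENCRYPTED_EXT = ".sysblock"   # extension appended to renamed files in this run
RANSOM_NOTE = "README.txt"    # note name dropped into Documents and Roaming


def sha256_of(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root, known=KNOWN_SHA256):
    """Walk `root` and return hash hits, renamed files, note locations and the
    histogram of original extensions underneath the added one.

    A file counts as renamed-with-added-extension only when the name still
    carries an original extension, e.g. 'Firefox.lnk.sysblock'.
    """
    result = {"hash_hits": [], "encrypted": [], "notes": [], "orig_ext": {}}
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = Path(dirpath) / name
            if name.lower().endswith(ENCRYPTED_EXT):
                inner = Path(name[:-len(ENCRYPTED_EXT)])
                if inner.suffix:
                    result["encrypted"].append(str(p))
                    ext = inner.suffix.lower()
                    result["orig_ext"][ext] = result["orig_ext"].get(ext, 0) + 1
                continue            # encrypted content will never match a known digest
            if name == RANSOM_NOTE:
                result["notes"].append(str(p))
            digest = sha256_of(p)
            if digest in known:
                result["hash_hits"].append((str(p), known[digest]))
    return result


def build_demo_tree(base):
    """Constructed sample layout for offline runs; nothing here is real malware."""
    base = Path(base)
    docs = base / "Documents"
    docs.mkdir(parents=True, exist_ok=True)
    (docs / "report.docx.sysblock").write_bytes(b"\x00" * 64)
    (docs / "Firefox.lnk.sysblock").write_bytes(b"\x00" * 32)
    (docs / RANSOM_NOTE).write_text("constructed stand-in for the ransom note\n")
    (docs / "notes.txt").write_text("benign\n")
    dropper = base / "Temp" / "dropped.exe"
    dropper.parent.mkdir(parents=True, exist_ok=True)
    dropper.write_bytes(b"MZ constructed placeholder, not a real PE\n")
    return dropper


def run_demo():
    """Build the constructed tree in a temp dir, sweep it, return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        dropper = build_demo_tree(tmp)
        known = dict(KNOWN_SHA256)
        known[sha256_of(dropper)] = "demo dropper (constructed)"
        return sweep(tmp, known)


if __name__ == "__main__":
    r = run_demo()
    print(f"{len(r['encrypted'])} renamed files, original extensions {r['orig_ext']}")
    print(f"{len(r['notes'])} ransom note(s), {len(r['hash_hits'])} known-hash hit(s)")
```

On a real host the sweep is run against user profile roots rather than a temp directory, and the hash set should also carry the MD5/SHA-1 values from the list if the EDR or SIEM only records those.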