wannacry | be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
20-06-2024 14:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WannaCry.exe
Size

224KB
MD5

5c7fb0927db37372da25f270708103a2
SHA1

120ed9279d85cbfa56e5b7779ffa7162074f7a29
SHA256

be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844
SHA512

a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f89224c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206
SSDEEP

3072:Y059femWRwTs/dbelj0X8/j84pcRXPlU3Upt3or4H84lK8PtpLzLsR/EfcZ:+5RwTs/dSXj84mRXPemxdBlPvLzLeZ

Score

10^/10

wannacry defense_evasion execution impact persistence ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\!Please Read Me!.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions! �

Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Signatures

Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs

Processes:

taskmgr.exe

description pid process target process

PID 4204 created 788 4204 taskmgr.exe !WannaDecryptor!.exe
PID 4204 created 788 4204 taskmgr.exe !WannaDecryptor!.exe
Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

description	pid	process	target process
PID 4204 created 788	4204	taskmgr.exe	!WannaDecryptor!.exe
PID 4204 created 788	4204	taskmgr.exe	!WannaDecryptor!.exe

Drops startup file 2 IoCs

Processes:

WannaCry.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD784B.tmp	WannaCry.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD7834.tmp	WannaCry.exe

Executes dropped EXE 6 IoCs

Processes:

!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe

pid	process
4388	!WannaDecryptor!.exe
1288	!WannaDecryptor!.exe
1292	!WannaDecryptor!.exe
788	!WannaDecryptor!.exe
3932	!WannaDecryptor!.exe
4072	!WannaDecryptor!.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

WannaCry.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\WannaCry.exe\" /r"	WannaCry.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

!WannaDecryptor!.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp"	!WannaDecryptor!.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Kills process with taskkill 4 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

1556 taskkill.exe
2300 taskkill.exe
4624 taskkill.exe
4220 taskkill.exe
Modifies registry class 1 IoCs

Processes:

taskmgr.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings taskmgr.exe
Runs regedit.exe 1 IoCs

Processes:

regedit.exe

pid process

4576 regedit.exe

pid	process
1556	taskkill.exe
2300	taskkill.exe
4624	taskkill.exe
4220	taskkill.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings	taskmgr.exe

pid	process
4576	regedit.exe

Suspicious behavior: EnumeratesProcesses 38 IoCs

Processes:

taskmgr.exe

pid	process
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

regedit.exe

pid process

4576 regedit.exe

pid	process
4576	regedit.exe

Suspicious use of AdjustPrivilegeToken 54 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exeWMIC.exevssvc.exetaskmgr.exe

description	pid	process
Token: SeDebugPrivilege	4220	taskkill.exe
Token: SeDebugPrivilege	1556	taskkill.exe
Token: SeDebugPrivilege	2300	taskkill.exe
Token: SeDebugPrivilege	4624	taskkill.exe
Token: SeIncreaseQuotaPrivilege	548	WMIC.exe
Token: SeSecurityPrivilege	548	WMIC.exe
Token: SeTakeOwnershipPrivilege	548	WMIC.exe
Token: SeLoadDriverPrivilege	548	WMIC.exe
Token: SeSystemProfilePrivilege	548	WMIC.exe
Token: SeSystemtimePrivilege	548	WMIC.exe
Token: SeProfSingleProcessPrivilege	548	WMIC.exe
Token: SeIncBasePriorityPrivilege	548	WMIC.exe
Token: SeCreatePagefilePrivilege	548	WMIC.exe
Token: SeBackupPrivilege	548	WMIC.exe
Token: SeRestorePrivilege	548	WMIC.exe
Token: SeShutdownPrivilege	548	WMIC.exe
Token: SeDebugPrivilege	548	WMIC.exe
Token: SeSystemEnvironmentPrivilege	548	WMIC.exe
Token: SeRemoteShutdownPrivilege	548	WMIC.exe
Token: SeUndockPrivilege	548	WMIC.exe
Token: SeManageVolumePrivilege	548	WMIC.exe
Token: 33	548	WMIC.exe
Token: 34	548	WMIC.exe
Token: 35	548	WMIC.exe
Token: 36	548	WMIC.exe
Token: SeIncreaseQuotaPrivilege	548	WMIC.exe
Token: SeSecurityPrivilege	548	WMIC.exe
Token: SeTakeOwnershipPrivilege	548	WMIC.exe
Token: SeLoadDriverPrivilege	548	WMIC.exe
Token: SeSystemProfilePrivilege	548	WMIC.exe
Token: SeSystemtimePrivilege	548	WMIC.exe
Token: SeProfSingleProcessPrivilege	548	WMIC.exe
Token: SeIncBasePriorityPrivilege	548	WMIC.exe
Token: SeCreatePagefilePrivilege	548	WMIC.exe
Token: SeBackupPrivilege	548	WMIC.exe
Token: SeRestorePrivilege	548	WMIC.exe
Token: SeShutdownPrivilege	548	WMIC.exe
Token: SeDebugPrivilege	548	WMIC.exe
Token: SeSystemEnvironmentPrivilege	548	WMIC.exe
Token: SeRemoteShutdownPrivilege	548	WMIC.exe
Token: SeUndockPrivilege	548	WMIC.exe
Token: SeManageVolumePrivilege	548	WMIC.exe
Token: 33	548	WMIC.exe
Token: 34	548	WMIC.exe
Token: 35	548	WMIC.exe
Token: 36	548	WMIC.exe
Token: SeBackupPrivilege	3312	vssvc.exe
Token: SeRestorePrivilege	3312	vssvc.exe
Token: SeAuditPrivilege	3312	vssvc.exe
Token: SeDebugPrivilege	4204	taskmgr.exe
Token: SeSystemProfilePrivilege	4204	taskmgr.exe
Token: SeCreateGlobalPrivilege	4204	taskmgr.exe
Token: 33	4204	taskmgr.exe
Token: SeIncBasePriorityPrivilege	4204	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

taskmgr.exeregedit.exe

pid	process
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4576	regedit.exe

Suspicious use of SendNotifyMessage 63 IoCs

Processes:

taskmgr.exe

pid	process
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe
4204	taskmgr.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe

pid	process
4388	!WannaDecryptor!.exe
4388	!WannaDecryptor!.exe
1288	!WannaDecryptor!.exe
1288	!WannaDecryptor!.exe
1292	!WannaDecryptor!.exe
1292	!WannaDecryptor!.exe
788	!WannaDecryptor!.exe
788	!WannaDecryptor!.exe
3932	!WannaDecryptor!.exe
3932	!WannaDecryptor!.exe
4072	!WannaDecryptor!.exe
4072	!WannaDecryptor!.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

WannaCry.execmd.execmd.exe!WannaDecryptor!.execmd.exe

description	pid	process	target process
PID 4868 wrote to memory of 4072	4868	WannaCry.exe	cmd.exe
PID 4868 wrote to memory of 4072	4868	WannaCry.exe	cmd.exe
PID 4868 wrote to memory of 4072	4868	WannaCry.exe	cmd.exe
PID 4072 wrote to memory of 3836	4072	cmd.exe	cscript.exe
PID 4072 wrote to memory of 3836	4072	cmd.exe	cscript.exe
PID 4072 wrote to memory of 3836	4072	cmd.exe	cscript.exe
PID 4868 wrote to memory of 4388	4868	WannaCry.exe	!WannaDecryptor!.exe
PID 4868 wrote to memory of 4388	4868	WannaCry.exe	!WannaDecryptor!.exe
PID 4868 wrote to memory of 4388	4868	WannaCry.exe	!WannaDecryptor!.exe
PID 4868 wrote to memory of 1556	4868	WannaCry.exe	taskkill.exe
PID 4868 wrote to memory of 1556	4868	WannaCry.exe	taskkill.exe
PID 4868 wrote to memory of 1556	4868	WannaCry.exe	taskkill.exe
PID 4868 wrote to memory of 2300	4868	WannaCry.exe	taskkill.exe
PID 4868 wrote to memory of 2300	4868	WannaCry.exe	taskkill.exe
PID 4868 wrote to memory of 2300	4868	WannaCry.exe	taskkill.exe
PID 4868 wrote to memory of 4220	4868	WannaCry.exe	taskkill.exe
PID 4868 wrote to memory of 4220	4868	WannaCry.exe	taskkill.exe
PID 4868 wrote to memory of 4220	4868	WannaCry.exe	taskkill.exe
PID 4868 wrote to memory of 4624	4868	WannaCry.exe	taskkill.exe
PID 4868 wrote to memory of 4624	4868	WannaCry.exe	taskkill.exe
PID 4868 wrote to memory of 4624	4868	WannaCry.exe	taskkill.exe
PID 4868 wrote to memory of 1288	4868	WannaCry.exe	!WannaDecryptor!.exe
PID 4868 wrote to memory of 1288	4868	WannaCry.exe	!WannaDecryptor!.exe
PID 4868 wrote to memory of 1288	4868	WannaCry.exe	!WannaDecryptor!.exe
PID 4868 wrote to memory of 4796	4868	WannaCry.exe	cmd.exe
PID 4868 wrote to memory of 4796	4868	WannaCry.exe	cmd.exe
PID 4868 wrote to memory of 4796	4868	WannaCry.exe	cmd.exe
PID 4796 wrote to memory of 1292	4796	cmd.exe	!WannaDecryptor!.exe
PID 4796 wrote to memory of 1292	4796	cmd.exe	!WannaDecryptor!.exe
PID 4796 wrote to memory of 1292	4796	cmd.exe	!WannaDecryptor!.exe
PID 4868 wrote to memory of 788	4868	WannaCry.exe	!WannaDecryptor!.exe
PID 4868 wrote to memory of 788	4868	WannaCry.exe	!WannaDecryptor!.exe
PID 4868 wrote to memory of 788	4868	WannaCry.exe	!WannaDecryptor!.exe
PID 1292 wrote to memory of 1732	1292	!WannaDecryptor!.exe	cmd.exe
PID 1292 wrote to memory of 1732	1292	!WannaDecryptor!.exe	cmd.exe
PID 1292 wrote to memory of 1732	1292	!WannaDecryptor!.exe	cmd.exe
PID 1732 wrote to memory of 548	1732	cmd.exe	WMIC.exe
PID 1732 wrote to memory of 548	1732	cmd.exe	WMIC.exe
PID 1732 wrote to memory of 548	1732	cmd.exe	WMIC.exe
PID 4868 wrote to memory of 3932	4868	WannaCry.exe	!WannaDecryptor!.exe
PID 4868 wrote to memory of 3932	4868	WannaCry.exe	!WannaDecryptor!.exe
PID 4868 wrote to memory of 3932	4868	WannaCry.exe	!WannaDecryptor!.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\WannaCry.exe
"C:\Users\Admin\AppData\Local\Temp\WannaCry.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 133681718895356.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:4072

C:\Windows\SysWOW64\cscript.exe
cscript //nologo c.vbs
3⤵
PID:3836

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
!WannaDecryptor!.exe f
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4388

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im MSExchange*
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1556

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Microsoft.Exchange.*
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2300

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im sqlserver.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4220

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im sqlwriter.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4624

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
!WannaDecryptor!.exe c
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1288

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /b !WannaDecryptor!.exe v
2⤵
- Suspicious use of WriteProcessMemory
PID:4796

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
!WannaDecryptor!.exe v
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1292

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
4⤵
- Suspicious use of WriteProcessMemory
PID:1732

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:548

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
!WannaDecryptor!.exe
2⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious use of SetWindowsHookEx
PID:788

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
!WannaDecryptor!.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3932

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3312

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4204

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2972

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\9a38ba52023b4e55842c079d166d12f3 /t 2392 /p 788
1⤵
PID:4384

C:\Windows\regedit.exe
"C:\Windows\regedit.exe"
1⤵
- Runs regedit.exe
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:4576

C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
"C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\!Please Read Me!.txt

Filesize
797B

MD5
afa18cf4aa2660392111763fb93a8c3d

SHA1
c219a3654a5f41ce535a09f2a188a464c3f5baf5

SHA256
227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0

SHA512
4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe.lnk

Filesize
1KB

MD5
84b3f62db923b1849f95a655f3b828f6

SHA1
34228f88524430479dd8f9db60f723d983ac21af

SHA256
ac56586ae3a436a1124b19dfa9efd8e0e5f3f196521e2c5fb8bdf10aa9cd5806

SHA512
c7b0fc2e134f00fcb0e24780026e6e6950bd3657119e320e67485a5f92e4b40e395d2318ec5b6f4e83a1f4a5a461bcad94348428b2de95fe1f475536d226228d

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.pky

Filesize
276B

MD5
7c564ab211dd7df39a601c9bd240e2ce

SHA1
aea596ef45bc4602c817a342fc6be5524950959f

SHA256
afe5efad5de23f27e5df09580a2580203a692506228f841a595bb0bbcfb671b3

SHA512
37b02f8a96e135b6603d8a529b4bdc6b5ba05fb5f541c7f1b25b9413663c4326476342d63f64aa6d7a84ede57316a4681d959f0c5e825934b4b472e85e6f07fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.res

Filesize
136B

MD5
fa64b7d3198d373f61ecfc6f0ac4af85

SHA1
a26b1875f8b22adabebbe6feb631faf6dce6594f

SHA256
d3e8e9297210e355ac62d3614e778912734bb25e6c6b4f97212d931c18b4103e

SHA512
ce0bffbbdc7a52c0a5b1e8271f724e9cf1d8ace06396a5716a92c8c4f1668628d8a8d1e7cbe5b55e268c245bdd071bcb425af5a0d1efcb9b027f6e1e87270c62

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.res

Filesize
136B

MD5
48165dc8c1bdd12e94936ca168b8376c

SHA1
d421ebfa3960b0ac8883ddd920b49677fb87c5f0

SHA256
1de4b327624d3afca3a9d0ecedeaed52d1d0c71d1003d67ac12de82574279810

SHA512
26f4a0dcc4d5443d7fff4e78e0278870f2272630db6390607b3e293fa305fa2d3e1c41d7d10b47988f13fd86a6378adc8d0d2f8e5caff9f3738546bbd43b1772

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.res

Filesize
136B

MD5
ab78db9f308555a034a747ffb1264ad3

SHA1
a8500ac8ebf69e401e7042f730974427d71a14a1

SHA256
3733513968eab0e68e4c8434f5dacc15f88cf75c211e6d4f51dfa86d7afa8380

SHA512
944f2ad094007729051b07ef1fb32331b2171414b29cbf0cf9098fbfd220a573c584be4c7d86d8386bab4435b0b08269f4b277c75a5d6f2d5994a19b2647e04d

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.res

Filesize
136B

MD5
919da450dc9fcd3fc56b4ea044037827

SHA1
6a0ac117d841dabf0c617ca24f614f3bc929ecb6

SHA256
f890e5e8db0721bbd725599d5e1e67d60c344b5fa82c4212ac211e78f8bfa6b9

SHA512
283c4b6a0dfb9b5bfabfb3a00e7435366dd83c3c345485a04ad06c903e3932b4eead3b3743d9d68b87174cc184c217bc3b9d615ef3efb14bbaf2efc5b4802951

Download Submit
C:\Users\Admin\AppData\Local\Temp\133681718895356.bat

Filesize
336B

MD5
3540e056349c6972905dc9706cd49418

SHA1
492c20442d34d45a6d6790c720349b11ec591cde

SHA256
73872a89440a2cba9d22bf4961c3d499ea2c72979c30c455f942374292fedadc

SHA512
c949d147100aef59e382c03abf7b162ae62a4d43456eebd730fbedcf5f95f5e1a24f6e349690d52d75331878a6ee8f6b88a7162ee9cf2a49e142196b12d0133c

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdobeSFX.log

Filesize
1KB

MD5
144411485699bc2c1d7b831502eabc73

SHA1
7fecfb00a22aa1ebec60e779af7491386ebf6ed4

SHA256
b3821cdc1d9fae47565729b3cdb3667885bf2437a671f7de17634390bdacf0ca

SHA512
5e371502616840dd19d1d52cea3413beb092b9f6e99d2dade0f8eb3bf15ca1a9abd2b4a1bf731bf1741bc3dd899f3d6bb306e20798b56ceed8c0746bf437447a

Download Submit
C:\Users\Admin\AppData\Local\Temp\BroadcastMsg_1715164888.txt.WCRY

Filesize
280B

MD5
c7ce809ec3aad94a10143bffff8e9ce1

SHA1
f235117e4569bb6acb74368fa0a6d943fae29bef

SHA256
49d56f69f8ceb956c2ee20c69d855e37e4249507520e432460160cbe4446d037

SHA512
14215dfb68b58ecaea4cda711ead2c91353ba91b00be8a8c6461d7987bd619833b02f749ed6408999e8fbd36c4fcadba0b7c55a5d63ca695869fcbdf4a2ebe0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\JavaDeployReg.log

Filesize
31KB

MD5
55a9de2b57670d25111d9d0a19ba3b1a

SHA1
b14ffab7ca81c6bd506d98418e34622c2667bdc1

SHA256
7efac198276f33572fec33b8e486f0b03abb8df56592711d9016a9c83988572c

SHA512
1e68c096b16ec6f3f7421afec888782c9166266900679c0808a96924ea8ff385b3c495d5e72ead74336ad1a8a1bfb4ee90e2d8160815778015f108b524de086a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft .NET Framework 4.7.2 Setup_20240508_103632603.html

Filesize
93KB

MD5
891755b330018b59f891fea38f15dac6

SHA1
b9e1adcfc071e87ccd6ea9e7c32739d627206aa6

SHA256
6234bde22ed9671d03933d074a597733bc65fe3866d3fd0e06d1644a92a1c0a8

SHA512
1911c0dd61400e67236cc0e6ddd900a15c236d7f184865d3ff87b366486acd7eb55fff7f57bbb5af54e56499b82f8894c24c292485ad23a99c554d3b2b0b3e49

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.27_(x64)_20240508103709.log

Filesize
15KB

MD5
484cb96a11bd2cdcdfded476307dc6df

SHA1
7d07b419aae194dca8af363e1bf81b1efc318d0c

SHA256
dff15d5918fb95818dbf668c6d96485d16969853c03719f7b3e7464975ae0a62

SHA512
c4ca85c61fba1e04997d8ea2d8749b09352077e9e2521cba4cdbd3cc6579ba8b8a4cd8be877d335cc656d97b8e1fe5092567ea1e015eb9d48d7b2bc68d160f69

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.27_(x64)_20240508103709_000_dotnet_runtime_6.0.27_win_x64.msi.log

Filesize
551KB

MD5
ed127d581850a161b1ecea544136c0a9

SHA1
6d9b371df6d41f2ba1e70569b4c5dda91be96b61

SHA256
02c603ae6cf627db2dc909b941606008d643e072f88da54b0dc5727060770222

SHA512
82be02ed7464c4774f44507114d767a173afbe272be313d89b3f920e81ede46544846d13aa498c5f670956ce2ff3eaa293aa9df64abc44adad1495e49b67874a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.27_(x64)_20240508103709_001_dotnet_hostfxr_6.0.27_win_x64.msi.log

Filesize
95KB

MD5
1297361755b1f7cd6f689af03f9eb834

SHA1
c3680ea1db539568aaf4f1f5537bab73d58f7a0a

SHA256
2d8aef479fd2233227cc788303144d4916914c82ba866003885b4c85f939d27a

SHA512
6b6bc398ab181f2f14e37cde9964c40b774a4298e6695a1628d8df87b996740f807600fb65f520a03315568ae32b22af0dcfb761e50bf1379fc3b1ba4524917a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.27_(x64)_20240508103709_002_dotnet_host_6.0.27_win_x64.msi.log

Filesize
105KB

MD5
946c9de84e0cc02fbb4d510a9a0fb914

SHA1
c0ef1e645a8e6ffc8ace3d40316db89b65bc2dbb

SHA256
35c87723d7757a38dd6bcd50f6f9460c645fde9467c0fbf097acd21890240be3

SHA512
2a0e7d2f5f7bce673387af684ee5263cb21b936e61248be0883cf632dc8fb9a5a59a784546be925c13c9008b3ab533617d60ba91e8b8ba70668538a63e05bf4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.27_(x64)_20240508103709_003_windowsdesktop_runtime_6.0.27_win_x64.msi.log

Filesize
847KB

MD5
aad665c79d50d2c1a0a07bd0e96e2cb3

SHA1
8e8958f91104bc09df97f9e40e85f13bde95d463

SHA256
055eea2c53bcf0b01e7f14ee8e6f1fb2683a9db26231ca02eaf59f7fba96d97b

SHA512
3c96ec52c3d1265e01303b822435e0f531adbef4313abb132045578af05eede6325fec8c148021e7d0179ec07fcf49b6a7e5de132f266adcbb8aae4c13769588

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_7.0.16_(x64)_20240508103748.log

Filesize
15KB

MD5
8f979cfb69a0716536e5127070841278

SHA1
574bc57df138a39b4f8657c73e242d062e348ebf

SHA256
55f767db1620c6232dca6e5649287b2b0a9f8f565d06d51a6e5133134f64a7b9

SHA512
60d098b04c436d91204b3ce27bfae67a2a22389d3aa4f7d70f9b48d1c785c51080dceff937825ee5cf48280378cde8a7fbe7cf311a70ee1993bd2d64b11dc10e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_7.0.16_(x64)_20240508103748_000_dotnet_runtime_7.0.16_win_x64.msi.log

Filesize
470KB

MD5
e589c21a5ce436f7e149f2adf49a9525

SHA1
3917ca32cb74de7606760539201b3f4900295fbf

SHA256
0e549adb0ec39387869fbbbca563bd4c75a30a303bb1801570a8c33668f3840b

SHA512
eacaf77ca20a31ef0ee3a9021cb28bd29df59cfb1650294538c57b4534387d3c2f2a2ad8b233fa73ddf37b73e02a9ccbd64bc697a2c2ebc95384bcebcd8dd3cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_7.0.16_(x64)_20240508103748_001_dotnet_hostfxr_7.0.16_win_x64.msi.log

Filesize
95KB

MD5
21f591f68a72f98437d9b3a20ddb151a

SHA1
8dfb33eb7ffe4067d5f2fffe00ef1caaf80a4b32

SHA256
a9129cccc8e43ebad2ccf52b8b8de56190f0f4b7a1bcac7d440352edc1944966

SHA512
7033da241855e3ebfdf17015739b14761fe7c8c39bb8cd06d84a697a8160a3308183848561e93968330957b6b21d93ba1398a0ea3e868909caf3c224ef6c9dca

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_7.0.16_(x64)_20240508103748_002_dotnet_host_7.0.16_win_x64.msi.log

Filesize
109KB

MD5
c08f7a51dcd3524e4adc9c716fd8be65

SHA1
4e3e7235be13a0c967d95a41d45dd12fdaf0b4ee

SHA256
f20396cc1475a7e6e86edf7ebe966c6558368621f15a81ced9343492a4829ae8

SHA512
3d6d7bd5ba460ec422ff1e4983075f4afbd9f71a6642a430e1adafe81740a46c194d99daee74af468b208d7cb41b1c728e2162f9e19cd6a8bb7ed3d4d2860989

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_7.0.16_(x64)_20240508103748_003_windowsdesktop_runtime_7.0.16_win_x64.msi.log

Filesize
852KB

MD5
a37ea55a6805d0d3404947143a5cf2b8

SHA1
32ec0e538432577156b1e21bbc40566933007f1a

SHA256
0b634fd731eefc29f6e6120d99c48d6eaf79e7cfe849694cf1466d595a3931ef

SHA512
ecfbe28881c1edae18a7f3c767df5addede5eeba2d4d95d141f3ad314f404e0da43f1aa57ccf6667b4d6b4258ae9299da022553b0904978b38f1ed71a06d6649

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_8.0.2_(x64)_20240508103811.log

Filesize
15KB

MD5
c40a2f36518069a980a871bf39f5850b

SHA1
9753b02102b35248029844812dc0945c68778051

SHA256
bfafc3404472b8397e066603b12f4171f7d6404678e6955b4a10b60d6147c890

SHA512
fda8eb4c16a230edd5437e1f4094eeba09e62f8edd0885f8ce686b1bb118e4cbb11e3f3c45f81a35f0dd024416f90c70ce48654c7ba9fc83d8fd804557ac740b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_8.0.2_(x64)_20240508103811_000_dotnet_runtime_8.0.2_win_x64.msi.log

Filesize
469KB

MD5
59e88f12a2686aa356a689814d2fc79b

SHA1
169725dc3a0c4c65d384404565ccade201a3101f

SHA256
e6b00723f7613521ddb8de67aa178c3b29c2303f502cf16a0be351f116486017

SHA512
73618aa406c3ecf89fbdcb41c5b2c6879804f82cd1a55f008c71a0750b61b379befd4b07598028e64adf7fb938e7d0288b2c06fc52630ffbbbf42a9fa8460e3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_8.0.2_(x64)_20240508103811_001_dotnet_hostfxr_8.0.2_win_x64.msi.log

Filesize
95KB

MD5
f6205fe1b9c4e50c20a40ddba77b11fb

SHA1
64b8a1603a76e3ee105e973c6487cede40b4a31f

SHA256
d231bf5c76687088844e8b89af72fc4cae38a780b95537f873a00f766d49fcde

SHA512
25026e66dc8d674c3f9d4a41f48345e3a8e462d22dcf159cc5392be3a6971a64975d97bd86a90ff005325018d6ad29fd1fdaefddf8d5605302a3c6e11e6df643

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_8.0.2_(x64)_20240508103811_002_dotnet_host_8.0.2_win_x64.msi.log

Filesize
109KB

MD5
8aacd4fbfe6c1503d2b08874bbd4991a

SHA1
31380d11c457951ee59874b25ab57665eba9ad4b

SHA256
e718eb381c6c6851f9b78d12c1e05f094996c91d6f9e743740f5a8b303e744da

SHA512
3189b724918d307918feb2c7a5705269f70edd88621e05eec8696860c332a724dbd39364ed97f081af1f0e47cfbcb9059a0ff6e79f2341e8e8aade5c0b3111ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_8.0.2_(x64)_20240508103811_003_windowsdesktop_runtime_8.0.2_win_x64.msi.log

Filesize
846KB

MD5
bd9424404e31df0af757188791c87059

SHA1
2916d4b1ae93caef492ac36a49676dc23b9c45e1

SHA256
e4eadfaf9186533630050153f4929ebb96a3d826d2c3ad18b6e512c7019a508c

SHA512
d24401c341c70608c5b7127e351963fecd6bfb531bdbdf4e7d85fe58b78979e26417d91eb219aaac1c34948130c6eddd70d468b55b72772fb83d1e44ee34dc01

Download Submit
C:\Users\Admin\AppData\Local\Temp\SNFVGQLU-20240508-1042.log

Filesize
57KB

MD5
1515cdaf5b6c46dd56f5d6d60d9c04dc

SHA1
25ac8b17ecd54eeefda60499f01d91c091648fb0

SHA256
8a8977148462da19391a3de534459f967a4f4bcfab36496441f8323879f23f01

SHA512
a1b6ab9421f88ffd86fea8e1c11541658fed8c1832103274d78c2d72e2f96c3c05a1d5630a0691b44eae0e1f064ba7b431019abc6119943ce274a6c7f1f6015c

Download Submit
C:\Users\Admin\AppData\Local\Temp\SNFVGQLU-20240508-1042a.log

Filesize
180KB

MD5
5c73621e996bf18ace340b6ef64d3e50

SHA1
4c0198699908952e725b3a487dd639d33acfae0e

SHA256
28fc2c1c8c18beb9bfc44377b4fb6835b78d8fce5ebab25ebc2231500dd533d6

SHA512
bdfcbb252423c6b739da5d91573fdefca99388cbdda688ac1de31536d3900bf99e71ff5e31817c4d375bd75a59d2460c399b1121382e8326aae7726a6f85fb08

Download Submit
C:\Users\Admin\AppData\Local\Temp\aria-debug-3608.log

Filesize
470B

MD5
6a0e2af4e2ab6952fc6880e9fc407f43

SHA1
62fab53c8ca1ea7c3eaee6ce9657b64bcfde9773

SHA256
282ce9247e81f0f7e32195c22ff330c61aa52f060637f1870d465ca9d0e28bd3

SHA512
6be88cd26f492dbcb80ee405446f9c043df295ea92d56832516b48c234a3187d283efaccc9bf65ff23ed8bf536dde5a9dd3f42069bf8e7711601fdceecddb250

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.vbs

Filesize
219B

MD5
5f6d40ca3c34b470113ed04d06a88ff4

SHA1
50629e7211ae43e32060686d6be17ebd492fd7aa

SHA256
0fb5039a2fe7e90cdf3f22140d7f2103f94689b15609efe0edcc8430dd772fc1

SHA512
4d4aa1abd2c9183202fd3f0a65b37f07ee0166ba6561f094c13c8ea59752c7bdd960e37c49583746d4464bc3b1dc0b63a1fe36a37ce7e5709cd76ed433befe35

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.wry

Filesize
628B

MD5
ce5be3b96ced79fac52ba56d062d0ccb

SHA1
38c34f064b23e8bdd130c63f9d9c5eb2d00b10fd

SHA256
0c92d8e8cb38205315c57d63a5eee5edd8f999ca2637529fe7f691ac6fead9c6

SHA512
319bc279977e35786a8ab241374432531b85a24282fde294f8c852af9833352a8cc029b26e39e5cbcdc26f185515afc13e48bcc72df43426de63eb08955d9f85

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
6KB

MD5
fae9eb9e0f690b18a68a01c1f402096c

SHA1
e4874dce7f44b3cda31c460079166c0aa34a3ba5

SHA256
ad5bd5590c5aa59ff95c99f5c2a4e40ee98fb215ba7f6f5aac2a9f1177de29b4

SHA512
96fdfa64b21e18e2f25153ecffa0b4f721a66a6bd79688e02fbdcc9298b78979df03587bf5066a301866a0bb6c54e1b98e92abfa385ff07c8da5fd0acf0d8e14

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log.txt.WCRY

Filesize
1KB

MD5
9110c8fdde607db0c186f4dd556d9b8a

SHA1
89620e7e8ba0508e243ae8ebe959a23c2e096626

SHA256
0467ab96edec2181909c7233631c5298cf7e1c129e90c4f32be9dc307ddb5193

SHA512
365328ff10afd22fd0494382456657a5cf4d847ffe5625f0af2d5bd778cdbb9bdee22ebf73e2d96ceff547b412a0d6823860f6c2e4837e2ef7fa880ee1d6f514

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI1058.txt.WCRY

Filesize
426KB

MD5
fb5e37689ee27f7361ffd0e857b74d6c

SHA1
9a3fe943be7e32d387c349615435b2e262b5c732

SHA256
f66ae11035aeb4ae99639c48781f0b7a380ee7cbf9b990b5ca1e0ba739b391ae

SHA512
73139ed8c024078dac7091b52f9e9a7537b376743a9a25b85ec35c23ee3f674df03ac33585ddd1fb74f00a1fe4d9d7e8638011cd436f0ce7d2a31d781b12d348

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI107C.txt.WCRY

Filesize
413KB

MD5
a7cbc8001664338ae57ae14b78446521

SHA1
9cdcaf2453da27b5e866c0213466b5a67d3cba9b

SHA256
fe978232a798d2233c02554fd9d7eb0126f173bce280ecc9d668d8d84e2ba32d

SHA512
4e1534329d242f0129d2a2358df5886adcd6b747213e3849f051b97259fbeb8cbe67ba5b4d915d26f37ee953ca0ad3e51614996eb0b0f11931488d265f98cccf

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI1058.txt.WCRY

Filesize
11KB

MD5
9941593a3ad41f1c52bbecb80dc278a5

SHA1
6e2f33f99ae3f0011558a0a8af9dec49d8f69c37

SHA256
d1a452a91bfe5f49236f8da580d7ec33e701fd0c9576d3b5da7c423a17c7b2ae

SHA512
816d84921b648ddcb365abc383d9799f4c3808b29b3237a276969bda82579f568783b2726c56cc6c58c47d78bd66d52c25767f2266abee2734cf28628ad449d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI107C.txt.WCRY

Filesize
11KB

MD5
2f9b885b1daf07dc13e88299407ebcb4

SHA1
b3aa0063157aba9c715547eac8e9dbf97842fd09

SHA256
05ca39e0314f9f6c15625206929bb53ada64801056b131dec80a1c037916e762

SHA512
e84432334852f0e9d19e9342d015b61f48bfbb3342e2ccc13b6581441a5d055e909b07e545e5c0b1af28112a542a8fd41de1a0d228beb39f40fff16b2fd77285

Download Submit
C:\Users\Admin\AppData\Local\Temp\f.wry

Filesize
619B

MD5
d2303cd4b6a2fa8d325947e67aec4c0b

SHA1
45c026ad2cfeee99903d50d02b58324c1dabb9f4

SHA256
94b8855cad3a1d7efc4166a80c56dfaca04b4e2025e7caf4b5557db4e2f2f85c

SHA512
422400a95f858b5860b4e4c1f06e487e2167bdd28581f6dc6e1442687bec19795ec83bfe06d7a6e50d48fe9f11c94600830b8d8600403d1dcd5a2cefd834f596

Download Submit
C:\Users\Admin\AppData\Local\Temp\jawshtml.html

Filesize
13B

MD5
b2a4bc176e9f29b0c439ef9a53a62a1a

SHA1
1ae520cbbf7e14af867232784194366b3d1c3f34

SHA256
7b4f72a40bd21934680f085afe8a30bf85acff1a8365af43102025c4ccf52b73

SHA512
e04b85d8d45d43479abbbe34f57265b64d1d325753ec3d2ecadb5f83fa5822b1d999b39571801ca39fa32e4a0a7caab073ccd003007e5b86dac7b1c892a5de3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
295KB

MD5
db39cd592fa524ed725b7a5b4169d5ef

SHA1
8edadccb311cd29b2946eaa70443665ffb4018fb

SHA256
27e907cf9d6f78acd72182bce07109ab0380c1af6be0c6dadfa3f2cd54ad2d82

SHA512
3d5ccc3560616c80a6dda6f54a9bb0c92bc1178e8e7688461f0f58c1c8727f38ad56576a8304db65ff8d245e8745b5eaacffe67db7c51fa6bc2ba4248cb352ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\m.wry

Filesize
42KB

MD5
980b08bac152aff3f9b0136b616affa5

SHA1
2a9c9601ea038f790cc29379c79407356a3d25a3

SHA256
402046ada270528c9ac38bbfa0152836fe30fb8e12192354e53b8397421430d9

SHA512
100cda1f795781042b012498afd783fd6ff03b0068dbd07b2c2e163cd95e6c6e00755ce16b02b017693c9febc149ed02df9df9b607e2b9cca4b07e5bd420f496

Download Submit
C:\Users\Admin\AppData\Local\Temp\msedge_installer.log

Filesize
3KB

MD5
a83e9e1514847916601ad44b98515d47

SHA1
4abe9c2bd35ab2957661ddb16be34f2ab276765b

SHA256
a84e3a06573ceac21ab5f520d1d31d904b982a8d39a3b6299772feaae5c14966

SHA512
660da952cd4b66636c64cb4196455b0cb2f6b1af4019fefab64455370d8973f415c12ff4290826b978421a6866c3ae1b6a496fc157e071d14f5e318f32aee9f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\r.wry

Filesize
729B

MD5
880e6a619106b3def7e1255f67cb8099

SHA1
8b3a90b2103a92d9facbfb1f64cb0841d97b4de7

SHA256
c9e9dc06f500ae39bfeb4671233cc97bb6dab58d97bb94aba4a2e0e509418d35

SHA512
c35ca30e0131ae4ee3429610ce4914a36b681d2c406f67816f725aa336969c2996347268cb3d19c22abaa4e2740ae86f4210b872610a38b4fa09ee80fcf36243

Download Submit
C:\Users\Admin\AppData\Local\Temp\t.wry

Filesize
68KB

MD5
5557ee73699322602d9ae8294e64ce10

SHA1
1759643cf8bfd0fb8447fd31c5b616397c27be96

SHA256
a7dd727b4e0707026186fcab24ff922da50368e1a4825350bd9c4828c739a825

SHA512
77740de21603fe5dbb0d9971e18ec438a9df7aaa5cea6bd6ef5410e0ab38a06ce77fbaeb8fc68e0177323e6f21d0cee9410e21b7e77e8d60cc17f7d93fdb3d5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA795.tmp

Filesize
25.9MB

MD5
bd2866356868563bd9d92d902cf9cc5a

SHA1
c677a0ad58ba694891ef33b54bb4f1fe4e7ce69b

SHA256
6676ba3d4bf3e5418865922b8ea8bddb31660f299dd3da8955f3f37961334ecb

SHA512
5eccf7be791fd76ee01aafc88300b2b1a0a0fb778f100cbc37504dfc2611d86bf3b4c5d663d2b87f17383ef09bd7710adbe4ece148ec12a8cfd2195542db6f27

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.wry

Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\wct7407.tmp

Filesize
40.2MB

MD5
fb4aa59c92c9b3263eb07e07b91568b5

SHA1
6071a3e3c4338b90d892a8416b6a92fbfe25bb67

SHA256
e70e80dbbc9baba7ddcee70eda1bb8d0e6612dfb1d93827fe7b594a59f3b48b9

SHA512
60aabbe2fd24c04c33e7892eab64f24f8c335a0dd9822eb01adc5459e850769fc200078c5ccee96c1f2013173bc41f5a2023def3f5fe36e380963db034924ace

Download Submit
C:\Users\Admin\AppData\Local\Temp\wctA330.tmp

Filesize
63KB

MD5
e516a60bc980095e8d156b1a99ab5eee

SHA1
238e243ffc12d4e012fd020c9822703109b987f6

SHA256
543796a1b343b4ebc0285d89cb8eb70667ac7b513da37495e38003704e9d88d7

SHA512
9b51e99ba20e9da56d1acc24a1cf9f9c9dbdeb742bec034e0ff2bc179a60f4aff249f40344f9ddd43229dcdefa1041940f65afb336d46c175ffeff725c638d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\{FA0D50BF-C071-40AC-889D-C5DC53A76F26} - OProcSessId.dat

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/4204-1425-0x00000234B7C90000-0x00000234B7C91000-memory.dmp

Filesize
4KB

Download
memory/4204-1427-0x00000234B7C90000-0x00000234B7C91000-memory.dmp

Filesize
4KB

Download
memory/4204-1426-0x00000234B7C90000-0x00000234B7C91000-memory.dmp

Filesize
4KB

Download
memory/4204-1437-0x00000234B7C90000-0x00000234B7C91000-memory.dmp

Filesize
4KB

Download
memory/4204-1436-0x00000234B7C90000-0x00000234B7C91000-memory.dmp

Filesize
4KB

Download
memory/4204-1435-0x00000234B7C90000-0x00000234B7C91000-memory.dmp

Filesize
4KB

Download
memory/4204-1434-0x00000234B7C90000-0x00000234B7C91000-memory.dmp

Filesize
4KB

Download
memory/4204-1433-0x00000234B7C90000-0x00000234B7C91000-memory.dmp

Filesize
4KB

Download
memory/4204-1432-0x00000234B7C90000-0x00000234B7C91000-memory.dmp

Filesize
4KB

Download
memory/4204-1431-0x00000234B7C90000-0x00000234B7C91000-memory.dmp

Filesize
4KB

Download
memory/4868-6-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download