Analysis Overview
SHA256
e3e2b21dee0127cb9ea06ae7184665284d36413d38146c252bf6fd8812e600ae
Threat Level: Known bad
The file LDPlayer9_vn_1003_CjwKCAjw1emzBhB8EiwAHwZZxWtNl3IEA0x9sc31PjIzcdYfkNjH0wcWdDj2avCzD0lx7NJQYWFR7RoCn4kQAvD_BwE_ld.exe was found to be: Known bad.
Malicious Activity Summary
Wannacry
Deletes shadow copies
Creates new service(s)
Manipulates Digital Signatures
Possible privilege escalation attempt
Modifies file permissions
Drops startup file
Downloads MZ/PE file
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
Legitimate hosting services abused for malware hosting/C2
Writes to the Master Boot Record (MBR)
Adds Run key to start application
Event Triggered Execution: Component Object Model Hijacking
Sets desktop wallpaper using registry
Drops file in System32 directory
Drops file in Windows directory
Executes dropped EXE
Checks installed software on the system
Drops file in Program Files directory
Launches sc.exe
Loads dropped DLL
Enumerates physical storage devices
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Suspicious behavior: GetForegroundWindowSpam
Modifies data under HKEY_USERS
Suspicious behavior: LoadsDriver
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious behavior: EnumeratesProcesses
Runs net.exe
Checks SCSI registry key(s)
Suspicious use of AdjustPrivilegeToken
Uses Volume Shadow Copy service COM API
Views/modifies file attributes
Modifies registry class
Enumerates system info in registry
Modifies registry key
Suspicious use of SetWindowsHookEx
Suspicious use of SendNotifyMessage
NTFS ADS
Checks processor information in registry
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-26 04:53
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-26 04:53
Reported
2024-06-26 05:00
Platform
win11-20240611-en
Max time kernel
336s
Max time network
352s
Command Line
Signatures
Wannacry
Deletes shadow copies
Creates new service(s)
Manipulates Digital Signatures
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$Function = "SoftpubCleanup" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubInitialize" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}\FuncName = "CryptSIPRemoveSignedDataMsg" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$Function = "SoftpubCleanup" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2009\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2006\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.12.2.3\FuncName = "WVTAsn1CatMemberInfo2Decode" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function = "HTTPSFinalProv" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{DE351A42-8E59-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{189A3842-3041-11D1-85E1-00C04FC295EE}\$Function = "SoftpubAuthenticode" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubCheckCert" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\2.16.840.1.113730.4.1\CallbackAllocFunction = "SoftpubLoadDefUsageCallData" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.26\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.16.4\FuncName = "DecodeRecipientID" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{DE351A42-8E59-11D0-8C47-00C04FC295EE}\FuncName = "CryptSIPCreateIndirectData" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{189A3842-3041-11D1-85E1-00C04FC295EE}\$Function = "SoftpubLoadMessage" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.4.3\FuncName = "WVTAsn1SealingSignatureAttributeDecode" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$Function = "SoftpubLoadMessage" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubCheckCert" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{189A3842-3041-11D1-85E1-00C04FC295EE}\$Function = "SoftpubAuthenticode" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllFormatObject\1.3.6.1.5.5.7.3.4\FuncName = "FormatPKIXEmailProtection" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{189A3842-3041-11D1-85E1-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2011\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.4.1.311.10.3.3\CallbackFreeFunction = "SoftpubFreeDefUsageCallData" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$Function = "WintrustCertificateTrust" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$Function = "SoftpubLoadSignature" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE}\FuncName = "CryptSIPPutSignedDataMsg" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE}\FuncName = "CryptSIPCreateIndirectData" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{7801EBD0-CF4B-11D0-851F-0060979387EA}\$DLL = "Cryptdlg.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2130\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{DE351A42-8E59-11D0-8C47-00C04FC295EE}\FuncName = "CryptSIPPutSignedDataMsg" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\CRYPTOGRAPHY\OID\ENCODINGTYPE 0\CRYPTSIPDLLGETCAPS\{C689AAB9-8E78-11D0-8C47-00C04FC295EE} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE}\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.4.3\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.16.1.1\Dll = "cryptdlg.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function = "WintrustCertificateTrust" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$Function = "SoftpubLoadSignature" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$Function = "SoftpubLoadSignature" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$Function = "SoftpubCheckCert" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.26\FuncName = "WVTAsn1SpcMinimalCriteriaInfoEncode" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function = "SoftpubLoadMessage" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.20\FuncName = "WVTAsn1SpcLinkDecode" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.1\CallbackFreeFunction = "SoftpubFreeDefUsageCallData" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\DiagnosticPolicy\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2005\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.16.1.1\FuncName = "EncodeAttrSequence" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function = "HTTPSFinalProv" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\2.16.840.1.113730.4.1\$DLL = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.28\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2221\Dll = "WINTRUST.DLL" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{C689AABA-8E78-11D0-8C47-00C04FC295EE}\FuncName = "CryptSIPGetSignedDataMsg" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$Function = "DriverInitializePolicy" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{7801EBD0-CF4B-11D0-851F-0060979387EA}\$DLL = "Cryptdlg.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD4F9D.tmp | C:\Users\Admin\Downloads\Ransomware.WannaCry\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD4FA4.tmp | C:\Users\Admin\Downloads\Ransomware.WannaCry\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\takeown.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oiaderoeworuv893 = "\"C:\\Users\\Admin\\Downloads\\Ransomware.WannaCry\\tasksche.exe\"" | C:\Windows\SysWOW64\reg.exe | N/A |
Downloads MZ/PE file
File and Directory Permissions Modification: Windows File and Directory Permissions Modification
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\Downloads\MEMZ.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\diskmgmt.msc | C:\Windows\system32\mmc.exe | N/A |
Event Triggered Execution: Component Object Model Hijacking
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]" | C:\Users\Admin\Downloads\Ransomware.WannaCry\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]" | C:\Users\Admin\Downloads\Ransomware.WannaCry\@[email protected] | N/A |
Checks installed software on the system
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\ldplayer9box\VBoxC.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\VBoxVMM.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\api-ms-win-core-file-l1-2-0.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\vccorlib140.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\api-ms-win-core-file-l2-1-0.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\api-ms-win-core-util-l1-1-0.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\msvcp100.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\fastpipe2.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\driver-PreW10\Ld9BoxSup.sys | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\VBoxStubBld.exe | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\api-ms-win-core-profile-l1-1-0.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\libssl-1_1.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\VBoxPlaygroundDevice.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\api-ms-win-crt-time-l1-1-0.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\api-ms-win-core-console-l1-1-0.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\api-ms-win-core-processenvironment-l1-1-0.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\Ld9BoxSup.inf | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\SDL.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\vbox-img.exe | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\api-ms-win-crt-heap-l1-1-0.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\api-ms-win-core-localization-l1-2-0.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\crashreport.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\vcruntime140.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\api-ms-win-core-rtlsupport-l1-1-0.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\msvcp120.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\msvcp140.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\api-ms-win-crt-multibyte-l1-1-0.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\ossltest.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\padlock.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\api-ms-win-core-processthreads-l1-1-1.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\Qt5Core.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\Qt5Gui.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\USBUninstall.exe | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\VBoxAutostartSvc.exe | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\Ld9VirtualBox.exe | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\tstSSLCertDownloads.exe | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\api-ms-win-crt-locale-l1-1-0.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\padlock.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\VBoxGuestControlSvc.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\api-ms-win-core-debug-l1-1-0.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\api-ms-win-core-memory-l1-1-0.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\api-ms-win-core-memory-l1-1-0.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\capi.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\libcurl.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\api-ms-win-crt-environment-l1-1-0.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\tstAnimate.exe | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\VBoxDD.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\VBoxExtPackHelperApp.exe | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\VBoxSDL.exe | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\driver-PreW10\Ld9BoxSup.cat | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\driver-PreW10\Ld9BoxNetLwf.sys | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\VBoxSharedClipboard.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\api-ms-win-core-file-l1-2-0.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\VBoxInstallHelper.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\bldRTLdrCheckImports.exe | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\tstInt.exe | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\tstVMREQ.exe | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\api-ms-win-core-synch-l1-2-0.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\api-ms-win-core-string-l1-1-0.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\api-ms-win-crt-private-l1-1-0.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\x86\api-ms-win-crt-runtime-l1-1-0.dll | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\comregister.cmd | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\NetFltUninstall.exe | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
| File created | C:\Program Files\ldplayer9box\USBTest.exe | C:\LDPlayer\LDPlayer9\dnrepairer.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Logs\DISM\dism.log | C:\Windows\SysWOW64\dism.exe | N/A |
| File opened for modification | C:\Windows\Logs\DISM\dism.log | C:\Users\Admin\AppData\Local\Temp\16920458-8FA5-442C-9C8D-D76D91F76D3F\dismhost.exe | N/A |
Executes dropped EXE
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Loads dropped DLL
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | C:\Windows\System32\vds.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\System32\vds.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | C:\Windows\System32\vds.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName | C:\Windows\System32\vds.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\LDPlayer\LDPlayer9\dnplayer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\LDPlayer\LDPlayer9\dnplayer.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION | C:\LDPlayer\LDPlayer9\dnplayer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\ldnews.exe = "11001" | C:\LDPlayer\LDPlayer9\dnplayer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\dnplayer.exe = "11001" | C:\LDPlayer\LDPlayer9\dnplayer.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133638513083733407" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-3FF2-4F2E-8F09-07382EE25088}\TypeLib | C:\Program Files\ldplayer9box\Ld9BoxSVC.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-4974-A19C-4DC6-CC98C2269626}\TypeLib\ = "{20191216-1750-46f0-936e-bd127d5bc264}" | C:\Program Files\ldplayer9box\Ld9BoxSVC.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-E191-400B-840E-970F3DAD7296}\ = "IPCIAddress" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-08A2-41AF-A05F-D7C661ABAEBE}\TypeLib\ = "{20191216-1750-46f0-936e-bd127d5bc264}" | C:\Program Files\ldplayer9box\Ld9BoxSVC.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-4430-499F-92C8-8BED814A567A}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-647D-45AC-8FE9-F49B3183BA37}\ = "IGuestSessionEvent" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-E8B8-4838-B10C-45BA193734C1}\ProxyStubClsid32 | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-44E0-CA69-E9E0-D4907CECCBE5}\NumMethods\ = "35" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-3CF5-4C0A-BC90-9B8D4CC94D89}\TypeLib | C:\Program Files\ldplayer9box\Ld9BoxSVC.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-4022-DC80-5535-6FB116815604}\TypeLib | C:\Program Files\ldplayer9box\Ld9BoxSVC.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-CB63-47A1-84FB-02C4894B89A9}\ProxyStubClsid32 | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-7BA7-45A8-B26D-C91AE3754E37}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-FD1C-411A-95C5-E9BB1414E632}\NumMethods\ = "23" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-2354-4267-883F-2F417D216519}\TypeLib\Version = "1.3" | C:\Program Files\ldplayer9box\Ld9BoxSVC.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-7E67-4144-BF34-41C38E8B4CC7}\ = "IBIOSSettings" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-80F6-4266-8E20-16371F68FA25}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-CB63-47A1-84FB-02C4894B89A9} | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-1640-41F9-BD74-3EF5FD653250}\ProxyStubClsid32 | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-00A7-4104-0009-49BC00B2DA80}\TypeLib\ = "{20191216-1750-46f0-936e-bd127d5bc264}" | C:\Program Files\ldplayer9box\Ld9BoxSVC.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-6588-40A3-9B0A-68C05BA52C4B}\ProxyStubClsid32 | C:\Program Files\ldplayer9box\Ld9BoxSVC.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-5FDC-4ABA-AFF5-6A39BBD7C38B}\ = "IHost" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-3FF2-4F2E-8F09-07382EE25088}\NumMethods | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-7BA7-45A8-B26D-C91AE3754E37}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-929C-40E8-BF16-FEA557CD8E7E}\NumMethods\ = "115" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-F4F4-4DD0-9D30-C89B873247EC}\NumMethods\ = "18" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ldmnq.ldbk\DefaultIcon | C:\LDPlayer\LDPlayer9\LDPlayer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-CC7B-431B-98B2-951FDA8EAB89}\ProxyStubClsid32 | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-58D9-43AE-8B03-C1FD7088EF15}\NumMethods | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-7071-4894-93D6-DCBEC010FA91}\NumMethods | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-799A-4489-86CD-FE8E45B2FF8E}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-81A9-4005-9D52-FC45A78BF3F5}\ = "IUSBDevice" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-35F3-4F4D-B5BB-ED0ECEFD8538}\NumMethods | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-7966-481D-AB0B-D0ED73E28135} | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-2F05-4D28-855F-488F96BAD2B2} | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-1807-4249-5BA5-EA42D66AF0BF}\InProcServer32\ThreadingModel = "Both" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-787B-44AB-B343-A082A3F2DFB1}\NumMethods | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-0721-4CDE-867C-1A82ABAF914C}\NumMethods\ = "15" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-CD54-400C-B858-797BCB82570E}\NumMethods\ = "25" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-44E0-CA69-E9E0-D4907CECCBE5}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-4737-457B-99FC-BC52C851A44F}\ = "IKeyboardLedsChangedEvent" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-4BA3-7903-2AA4-43988BA11554}\ProxyStubClsid32 | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-2D12-4D7C-BA6D-CE51D0D5B265}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-0FF7-46B7-A138-3C6E5AC946B4}\TypeLib\Version = "1.3" | C:\Program Files\ldplayer9box\Ld9BoxSVC.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-8F30-401B-A8CD-FE31DBE839C0} | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-44A0-A470-BA20-27890B96DBA9}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-C8E9-466B-9660-45CB3E9979E4} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-3FF2-4F2E-8F09-07382EE25088}\TypeLib\ = "{20191216-1750-46f0-936e-bd127d5bc264}" | C:\Program Files\ldplayer9box\Ld9BoxSVC.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-73A5-46CC-8227-93FE57D006A6}\NumMethods | C:\Program Files\ldplayer9box\Ld9BoxSVC.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-F6D4-4AB6-9CBF-558EB8959A6A} | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-7F29-4AAE-A627-5A282C83092C}\NumMethods\ = "19" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-1C58-440C-BB7B-3A1397284C7B}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.ldbk | C:\LDPlayer\LDPlayer9\LDPlayer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-7006-40D4-B339-472EE3801844}\NumMethods\ = "13" | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-AC97-4C16-B3E2-81BD8A57CC27}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-44A0-A470-BA20-27890B96DBA9}\TypeLib | C:\Program Files\ldplayer9box\Ld9BoxSVC.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-6679-422A-B629-51B06B0C6D93}\TypeLib | C:\Program Files\ldplayer9box\Ld9BoxSVC.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-34B8-42D3-ACFB-7E96DAF77C22} | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-1F04-4191-AA2F-1FAC9646AE4C} | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-DA7C-44C8-A7AC-9F173490446A}\ProxyStubClsid32 | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-6588-40A3-9B0A-68C05BA52C4B}\ProxyStubClsid32 | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-A1A9-4AC2-8E80-C049AF69DAC8}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-30E8-447E-99CB-E31BECAE6AE4}\TypeLib\ = "{20191216-1750-46f0-936e-bd127d5bc264}" | C:\Program Files\ldplayer9box\Ld9BoxSVC.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-D545-44AA-8013-181B8C288554}\NumMethods | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-CB8D-4382-90BA-B7DA78A74573}\ProxyStubClsid32 | C:\Windows\SYSTEM32\regsvr32.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Downloads\Ransomware.WannaCry.zip:Zone.Identifier | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| File opened for modification | C:\Users\Admin\Downloads\MEMZ.exe:Zone.Identifier | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\LDPlayer\LDPlayer9\dnplayer.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\LDPlayer9_vn_1003_CjwKCAjw1emzBhB8EiwAHwZZxWtNl3IEA0x9sc31PjIzcdYfkNjH0wcWdDj2avCzD0lx7NJQYWFR7RoCn4kQAvD_BwE_ld.exe
"C:\Users\Admin\AppData\Local\Temp\LDPlayer9_vn_1003_CjwKCAjw1emzBhB8EiwAHwZZxWtNl3IEA0x9sc31PjIzcdYfkNjH0wcWdDj2avCzD0lx7NJQYWFR7RoCn4kQAvD_BwE_ld.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff82d3ab58,0x7fff82d3ab68,0x7fff82d3ab78
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1500 --field-trial-handle=1800,i,5789875336623999582,9270191431281300053,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2040 --field-trial-handle=1800,i,5789875336623999582,9270191431281300053,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2176 --field-trial-handle=1800,i,5789875336623999582,9270191431281300053,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3032 --field-trial-handle=1800,i,5789875336623999582,9270191431281300053,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3060 --field-trial-handle=1800,i,5789875336623999582,9270191431281300053,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4268 --field-trial-handle=1800,i,5789875336623999582,9270191431281300053,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4116 --field-trial-handle=1800,i,5789875336623999582,9270191431281300053,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4160 --field-trial-handle=1800,i,5789875336623999582,9270191431281300053,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4624 --field-trial-handle=1800,i,5789875336623999582,9270191431281300053,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4700 --field-trial-handle=1800,i,5789875336623999582,9270191431281300053,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4576 --field-trial-handle=1800,i,5789875336623999582,9270191431281300053,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4124 --field-trial-handle=1800,i,5789875336623999582,9270191431281300053,131072 /prefetch:1
C:\LDPlayer\LDPlayer9\LDPlayer.exe
"C:\LDPlayer\LDPlayer9\\LDPlayer.exe" -silence -downloader -openid=1003 -language=vn -path="C:\LDPlayer\LDPlayer9\" -googleid=CjwKCAjw1emzBhB8EiwAHwZZxWtNl3IEA0x9sc31PjIzcdYfkNjH0wcWdDj2avCzD0lx7NJQYWFR7RoCn4kQAvD_BwE
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3320 --field-trial-handle=1800,i,5789875336623999582,9270191431281300053,131072 /prefetch:1
C:\LDPlayer\LDPlayer9\dnrepairer.exe
"C:\LDPlayer\LDPlayer9\dnrepairer.exe" listener=524666
C:\Windows\SysWOW64\net.exe
"net" start cryptsvc
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start cryptsvc
C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" Softpub.dll /s
C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" Wintrust.dll /s
C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" Initpki.dll /s
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32" Initpki.dll /s
C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" dssenh.dll /s
C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" rsaenh.dll /s
C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" cryptdlg.dll /s
C:\Windows\SysWOW64\takeown.exe
"takeown" /f "C:\LDPlayer\LDPlayer9\vms" /r /d y
C:\Windows\SysWOW64\icacls.exe
"icacls" "C:\LDPlayer\LDPlayer9\vms" /grant everyone:F /t
C:\Windows\SysWOW64\takeown.exe
"takeown" /f "C:\LDPlayer\LDPlayer9\\system.vmdk"
C:\Windows\SysWOW64\icacls.exe
"icacls" "C:\LDPlayer\LDPlayer9\\system.vmdk" /grant everyone:F /t
C:\Windows\SysWOW64\dism.exe
C:\Windows\system32\dism.exe /Online /English /Get-Features
C:\Users\Admin\AppData\Local\Temp\16920458-8FA5-442C-9C8D-D76D91F76D3F\dismhost.exe
C:\Users\Admin\AppData\Local\Temp\16920458-8FA5-442C-9C8D-D76D91F76D3F\dismhost.exe {D5578CBD-A9FB-43D7-BED2-B01977BCAA50}
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2484 --field-trial-handle=1800,i,5789875336623999582,9270191431281300053,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3028 --field-trial-handle=1800,i,5789875336623999582,9270191431281300053,131072 /prefetch:8
C:\Windows\SysWOW64\sc.exe
sc query HvHost
C:\Windows\SysWOW64\sc.exe
sc query vmms
C:\Windows\SysWOW64\sc.exe
sc query vmcompute
C:\Program Files\ldplayer9box\Ld9BoxSVC.exe
"C:\Program Files\ldplayer9box\Ld9BoxSVC.exe" /RegServer
C:\Windows\SYSTEM32\regsvr32.exe
"regsvr32" "C:\Program Files\ldplayer9box\VBoxC.dll" /s
C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" "C:\Program Files\ldplayer9box\x86\VBoxClient-x86.dll" /s
C:\Windows\SYSTEM32\regsvr32.exe
"regsvr32" "C:\Program Files\ldplayer9box\VBoxProxyStub.dll" /s
C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" "C:\Program Files\ldplayer9box\x86\VBoxProxyStub-x86.dll" /s
C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc" create Ld9BoxSup binPath= "C:\Program Files\ldplayer9box\Ld9BoxSup.sys" type= kernel start= auto
C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc" start Ld9BoxSup
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" New-NetFirewallRule -DisplayName "Ld9BoxSup" -Direction Inbound -Program 'C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe' -RemoteAddress LocalSubnet -Action Allow
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" New-NetFirewallRule -DisplayName "Ld9BoxNat" -Direction Inbound -Program 'C:\Program Files\ldplayer9box\VBoxNetNAT.exe' -RemoteAddress LocalSubnet -Action Allow
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" New-NetFirewallRule -DisplayName "dnplayer" -Direction Inbound -Program 'C:\LDPlayer\LDPlayer9\dnplayer.exe' -RemoteAddress LocalSubnet -Action Allow
C:\LDPlayer\LDPlayer9\driverconfig.exe
"C:\LDPlayer\LDPlayer9\driverconfig.exe"
C:\Windows\SysWOW64\takeown.exe
"takeown" /f C:\LDPlayer\ldmutiplayer\ /r /d y
C:\Windows\SysWOW64\icacls.exe
"icacls" C:\LDPlayer\ldmutiplayer\ /grant everyone:F /t
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/vn.ldplayer
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff7ff33cb8,0x7fff7ff33cc8,0x7fff7ff33cd8
C:\LDPlayer\LDPlayer9\dnplayer.exe
"C:\LDPlayer\LDPlayer9\\dnplayer.exe"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004F0 0x00000000000004EC
C:\Program Files\ldplayer9box\Ld9BoxSVC.exe
"C:\Program Files\ldplayer9box\Ld9BoxSVC.exe" -Embedding
C:\Windows\SysWOW64\sc.exe
sc query HvHost
C:\Windows\SysWOW64\sc.exe
sc query vmms
C:\Windows\SysWOW64\sc.exe
sc query vmcompute
C:\Program Files\ldplayer9box\vbox-img.exe
"C:\Program Files\ldplayer9box\vbox-img.exe" setuuid --filename "C:\LDPlayer\LDPlayer9\vms\..\system.vmdk" --uuid 20160302-bbbb-bbbb-0eee-bbbb00000000
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2012,18082489614307061864,8724572083196805793,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2020 /prefetch:2
C:\Program Files\ldplayer9box\vbox-img.exe
"C:\Program Files\ldplayer9box\vbox-img.exe" setuuid --filename "C:\LDPlayer\LDPlayer9\vms\leidian0\data.vmdk" --uuid 20160302-cccc-cccc-0eee-000000000000
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2012,18082489614307061864,8724572083196805793,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2012,18082489614307061864,8724572083196805793,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1972 /prefetch:8
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files\ldplayer9box\vbox-img.exe
"C:\Program Files\ldplayer9box\vbox-img.exe" setuuid --filename "C:\LDPlayer\LDPlayer9\vms\leidian0\sdcard.vmdk" --uuid 20160302-dddd-dddd-0eee-000000000000
C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,18082489614307061864,8724572083196805793,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,18082489614307061864,8724572083196805793,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,18082489614307061864,8724572083196805793,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4840 /prefetch:1
C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2012,18082489614307061864,8724572083196805793,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4664 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2012,18082489614307061864,8724572083196805793,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4628 /prefetch:8
C:\Users\Admin\Downloads\Ransomware.WannaCry\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
"C:\Users\Admin\Downloads\Ransomware.WannaCry\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe"
C:\Windows\SysWOW64\attrib.exe
attrib +h .
C:\Windows\SysWOW64\icacls.exe
icacls . /grant Everyone:F /T /C /Q
C:\Users\Admin\Downloads\Ransomware.WannaCry\taskdl.exe
taskdl.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 213581719377793.bat
C:\Windows\SysWOW64\cscript.exe
cscript.exe //nologo m.vbs
C:\Windows\SysWOW64\attrib.exe
attrib +h +s F:\$RECYCLE
C:\Users\Admin\Downloads\Ransomware.WannaCry\@[email protected]
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /b @[email protected] vs
C:\Users\Admin\Downloads\Ransomware.WannaCry\@[email protected]
C:\Users\Admin\Downloads\Ransomware.WannaCry\TaskData\Tor\taskhsvc.exe
TaskData\Tor\taskhsvc.exe
C:\Users\Admin\Downloads\Ransomware.WannaCry\taskdl.exe
taskdl.exe
C:\Users\Admin\Downloads\Ransomware.WannaCry\taskse.exe
taskse.exe C:\Users\Admin\Downloads\Ransomware.WannaCry\@[email protected]
C:\Users\Admin\Downloads\Ransomware.WannaCry\@[email protected]
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "oiaderoeworuv893" /t REG_SZ /d "\"C:\Users\Admin\Downloads\Ransomware.WannaCry\tasksche.exe\"" /f
C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "oiaderoeworuv893" /t REG_SZ /d "\"C:\Users\Admin\Downloads\Ransomware.WannaCry\tasksche.exe\"" /f
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Users\Admin\Downloads\Ransomware.WannaCry\taskdl.exe
taskdl.exe
C:\Users\Admin\Downloads\Ransomware.WannaCry\taskse.exe
taskse.exe C:\Users\Admin\Downloads\Ransomware.WannaCry\@[email protected]
C:\Users\Admin\Downloads\Ransomware.WannaCry\@[email protected]
C:\Users\Admin\Downloads\Ransomware.WannaCry\taskse.exe
taskse.exe C:\Users\Admin\Downloads\Ransomware.WannaCry\@[email protected]
C:\Users\Admin\Downloads\Ransomware.WannaCry\@[email protected]
C:\Users\Admin\Downloads\Ransomware.WannaCry\taskdl.exe
taskdl.exe
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
C:\Users\Admin\Downloads\Ransomware.WannaCry\taskse.exe
taskse.exe C:\Users\Admin\Downloads\Ransomware.WannaCry\@[email protected]
C:\Users\Admin\Downloads\Ransomware.WannaCry\@[email protected]
C:\Users\Admin\Downloads\Ransomware.WannaCry\taskdl.exe
taskdl.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
C:\Windows\system32\mmc.exe
"C:\Windows\system32\mmc.exe" "C:\Windows\system32\diskmgmt.msc"
C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
C:\Users\Admin\Downloads\Ransomware.WannaCry\taskse.exe
taskse.exe C:\Users\Admin\Downloads\Ransomware.WannaCry\@[email protected]
C:\Users\Admin\Downloads\Ransomware.WannaCry\@[email protected]
C:\Users\Admin\Downloads\Ransomware.WannaCry\taskdl.exe
taskdl.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xe0,0x104,0x108,0xb8,0x10c,0x7fff82d3ab58,0x7fff82d3ab68,0x7fff82d3ab78
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1724 --field-trial-handle=1684,i,15440612967196259988,7576226313483073340,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2104 --field-trial-handle=1684,i,15440612967196259988,7576226313483073340,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2188 --field-trial-handle=1684,i,15440612967196259988,7576226313483073340,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2992 --field-trial-handle=1684,i,15440612967196259988,7576226313483073340,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3248 --field-trial-handle=1684,i,15440612967196259988,7576226313483073340,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4220 --field-trial-handle=1684,i,15440612967196259988,7576226313483073340,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4368 --field-trial-handle=1684,i,15440612967196259988,7576226313483073340,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4516 --field-trial-handle=1684,i,15440612967196259988,7576226313483073340,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4556 --field-trial-handle=1684,i,15440612967196259988,7576226313483073340,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4716 --field-trial-handle=1684,i,15440612967196259988,7576226313483073340,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4720 --field-trial-handle=1684,i,15440612967196259988,7576226313483073340,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --reenable-autoupdates --system-level
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x250,0x254,0x258,0x22c,0x25c,0x7ff67bedae48,0x7ff67bedae58,0x7ff67bedae68
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3996 --field-trial-handle=1684,i,15440612967196259988,7576226313483073340,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4140 --field-trial-handle=1684,i,15440612967196259988,7576226313483073340,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=4120 --field-trial-handle=1684,i,15440612967196259988,7576226313483073340,131072 /prefetch:1
C:\Users\Admin\Downloads\Ransomware.WannaCry\taskse.exe
taskse.exe C:\Users\Admin\Downloads\Ransomware.WannaCry\@[email protected]
C:\Users\Admin\Downloads\Ransomware.WannaCry\@[email protected]
C:\Users\Admin\Downloads\Ransomware.WannaCry\taskdl.exe
taskdl.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4720 --field-trial-handle=1684,i,15440612967196259988,7576226313483073340,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5084 --field-trial-handle=1684,i,15440612967196259988,7576226313483073340,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4720 --field-trial-handle=1684,i,15440612967196259988,7576226313483073340,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4580 --field-trial-handle=1684,i,15440612967196259988,7576226313483073340,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5196 --field-trial-handle=1684,i,15440612967196259988,7576226313483073340,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4920 --field-trial-handle=1684,i,15440612967196259988,7576226313483073340,131072 /prefetch:8
C:\Users\Admin\Downloads\MEMZ.exe
"C:\Users\Admin\Downloads\MEMZ.exe"
C:\Users\Admin\Downloads\MEMZ.exe
"C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
C:\Users\Admin\Downloads\MEMZ.exe
"C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
C:\Users\Admin\Downloads\MEMZ.exe
"C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
C:\Users\Admin\Downloads\MEMZ.exe
"C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
C:\Users\Admin\Downloads\MEMZ.exe
"C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
C:\Users\Admin\Downloads\MEMZ.exe
"C:\Users\Admin\Downloads\MEMZ.exe" /main
C:\Windows\SysWOW64\notepad.exe
"C:\Windows\System32\notepad.exe" \note.txt
C:\Users\Admin\Downloads\Ransomware.WannaCry\taskse.exe
taskse.exe C:\Users\Admin\Downloads\Ransomware.WannaCry\@[email protected]
C:\Users\Admin\Downloads\Ransomware.WannaCry\@[email protected]
Network
| Country | Destination | Domain | Proto |
| GB | 2.18.66.72:443 | tcp | |
| NL | 23.62.61.97:443 | r.bing.com | tcp |
| NL | 23.62.61.97:443 | r.bing.com | tcp |
| NL | 23.62.61.97:443 | r.bing.com | tcp |
| NL | 23.62.61.97:443 | r.bing.com | tcp |
| NL | 23.62.61.97:443 | r.bing.com | tcp |
| NL | 23.62.61.97:443 | r.bing.com | tcp |
| FR | 3.162.38.96:443 | cdn.ldplayer.net | tcp |
| US | 8.8.8.8:53 | 154.200.245.18.in-addr.arpa | udp |
| SG | 8.219.4.49:443 | middledata.ldplayer.net | tcp |
| GB | 142.250.187.196:443 | www.google.com | tcp |
| GB | 142.250.187.196:443 | www.google.com | udp |
| GB | 142.250.180.14:443 | apis.google.com | udp |
| GB | 142.250.180.14:443 | apis.google.com | tcp |
| GB | 216.58.213.14:443 | clients2.google.com | udp |
| N/A | 224.0.0.251:5353 | udp | |
| GB | 216.58.213.14:443 | clients2.google.com | tcp |
| GB | 142.250.200.46:443 | play.google.com | udp |
| GB | 142.250.200.46:443 | play.google.com | tcp |
| US | 8.8.8.8:53 | 46.200.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.169.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | consent.google.com | udp |
| GB | 142.250.187.196:443 | www.google.com | udp |
| GB | 216.58.213.14:443 | consent.google.com | tcp |
| SG | 8.219.4.49:443 | middledata.ldplayer.net | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | avatars.githubusercontent.com | udp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| GB | 172.217.16.238:80 | www.youtube.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 140.82.112.22:443 | collector.github.com | tcp |
| US | 140.82.112.22:443 | collector.github.com | tcp |
| GB | 20.26.156.210:443 | api.github.com | tcp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| NL | 52.111.243.30:443 | tcp | |
| SG | 8.219.48.146:443 | middledata.ldplayer.net | tcp |
| SG | 8.219.48.146:443 | middledata.ldplayer.net | tcp |
| SG | 8.219.48.146:443 | middledata.ldplayer.net | tcp |
| US | 8.8.8.8:53 | en.ldplayer.net | udp |
| FR | 3.162.38.96:443 | cdn.ldplayer.net | tcp |
| FR | 3.162.38.96:443 | cdn.ldplayer.net | tcp |
| GB | 79.133.176.219:443 | en.ldplayer.net | tcp |
| SG | 8.219.48.146:443 | middledata.ldplayer.net | tcp |
| FR | 52.222.149.101:443 | ad.ldplayer.net | tcp |
| FR | 3.162.38.96:443 | cdn.ldplayer.net | tcp |
| FR | 3.162.38.96:443 | cdn.ldplayer.net | tcp |
| FR | 3.162.38.96:443 | cdn.ldplayer.net | tcp |
| GB | 163.70.147.35:443 | www.facebook.com | tcp |
| GB | 163.70.147.35:443 | www.facebook.com | tcp |
| GB | 79.133.176.235:443 | advertise.ldplayer.net | tcp |
| GB | 216.58.213.3:443 | beacons.gcp.gvt2.com | tcp |
| GB | 163.70.147.23:443 | scontent.xx.fbcdn.net | tcp |
| US | 8.8.8.8:53 | scontent-lhr6-1.xx.fbcdn.net | udp |
| US | 8.8.8.8:53 | scontent-lhr8-2.xx.fbcdn.net | udp |
| US | 8.8.8.8:53 | scontent-lhr6-2.xx.fbcdn.net | udp |
| GB | 163.70.147.23:443 | scontent-lhr6-1.xx.fbcdn.net | tcp |
| GB | 163.70.147.23:443 | scontent-lhr6-1.xx.fbcdn.net | tcp |
| GB | 163.70.147.23:443 | scontent-lhr6-1.xx.fbcdn.net | tcp |
| GB | 163.70.147.23:443 | scontent-lhr6-1.xx.fbcdn.net | tcp |
| GB | 163.70.147.23:443 | scontent-lhr6-1.xx.fbcdn.net | tcp |
| GB | 163.70.147.23:443 | scontent-lhr6-1.xx.fbcdn.net | tcp |
| GB | 157.240.221.16:443 | scontent-lhr8-1.xx.fbcdn.net | tcp |
| GB | 157.240.221.16:443 | scontent-lhr8-1.xx.fbcdn.net | tcp |
| GB | 157.240.221.16:443 | scontent-lhr8-1.xx.fbcdn.net | tcp |
| GB | 157.240.221.16:443 | scontent-lhr8-1.xx.fbcdn.net | tcp |
| GB | 157.240.221.16:443 | scontent-lhr8-1.xx.fbcdn.net | tcp |
| GB | 163.70.147.23:443 | scontent-lhr6-1.xx.fbcdn.net | tcp |
| GB | 163.70.147.23:443 | scontent-lhr6-1.xx.fbcdn.net | tcp |
| GB | 163.70.147.23:443 | scontent-lhr6-1.xx.fbcdn.net | tcp |
| GB | 157.240.214.11:443 | scontent-lhr8-2.xx.fbcdn.net | tcp |
| GB | 163.70.151.21:443 | scontent-lhr6-2.xx.fbcdn.net | tcp |
| SG | 8.219.48.146:443 | middledata.ldplayer.net | tcp |
| GB | 163.70.151.21:443 | scontent-lhr6-2.xx.fbcdn.net | tcp |
| GB | 163.70.147.23:443 | scontent-lhr6-1.xx.fbcdn.net | tcp |
| US | 163.181.154.180:443 | res.ldplayer.net | tcp |
| US | 163.181.154.180:443 | res.ldplayer.net | tcp |
| US | 163.181.154.180:443 | res.ldplayer.net | tcp |
| US | 163.181.154.180:443 | res.ldplayer.net | tcp |
| US | 163.181.154.180:443 | res.ldplayer.net | tcp |
| US | 163.181.154.180:443 | res.ldplayer.net | tcp |
| FR | 52.222.149.101:443 | ad.ldplayer.net | tcp |
| GB | 79.133.176.235:443 | advertise.ldplayer.net | tcp |
| FR | 52.222.201.96:80 | apivn.ldmnq.com | tcp |
| FR | 52.222.201.96:443 | apivn.ldmnq.com | tcp |
| FR | 52.222.193.204:80 | ocsp.r2m03.amazontrust.com | tcp |
| US | 163.181.154.180:443 | res.ldplayer.net | tcp |
| US | 163.181.154.180:443 | res.ldplayer.net | tcp |
| FR | 3.162.38.96:443 | cdn.ldplayer.net | tcp |
| FR | 13.249.9.34:443 | encdn.ldmnq.com | tcp |
| FR | 13.249.9.34:443 | encdn.ldmnq.com | tcp |
| US | 163.181.154.180:443 | res.ldplayer.net | tcp |
| US | 163.181.154.180:443 | res.ldplayer.net | tcp |
| FR | 3.162.38.96:443 | cdn.ldplayer.net | tcp |
| FR | 52.222.201.96:443 | apivn.ldmnq.com | tcp |
| FR | 52.222.149.101:443 | ad.ldplayer.net | tcp |
| GB | 20.26.156.210:443 | api.github.com | tcp |
| N/A | 127.0.0.1:9050 | tcp | |
| N/A | 127.0.0.1:53112 | tcp | |
| CA | 204.11.50.131:9001 | tcp | |
| SE | 171.25.193.9:80 | tcp | |
| DE | 167.86.127.130:443 | tcp | |
| N/A | 127.0.0.1:9050 | tcp | |
| N/A | 127.0.0.1:9050 | tcp | |
| GB | 2.18.66.72:443 | tcp | |
| N/A | 127.0.0.1:9050 | tcp | |
| GB | 142.250.187.196:443 | www.google.com | udp |
| GB | 142.250.187.196:443 | www.google.com | tcp |
| GB | 142.250.200.46:443 | www.youtube.com | udp |
| GB | 142.250.200.46:443 | www.youtube.com | tcp |
| GB | 216.58.213.14:443 | consent.google.com | udp |
| GB | 142.250.187.227:443 | id.google.com | tcp |
| GB | 172.217.169.54:443 | i.ytimg.com | tcp |
| GB | 216.58.212.238:443 | www.youtube.com | tcp |
| GB | 172.217.169.54:443 | i.ytimg.com | udp |
| GB | 216.58.201.98:443 | googleads.g.doubleclick.net | tcp |
| GB | 216.58.213.6:443 | static.doubleclick.net | tcp |
| GB | 142.250.187.202:443 | jnn-pa.googleapis.com | tcp |
| GB | 216.58.201.98:443 | googleads.g.doubleclick.net | udp |
| GB | 142.250.187.202:443 | jnn-pa.googleapis.com | udp |
| GB | 142.250.200.46:443 | www.youtube.com | udp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 185.199.109.154:443 | github.githubassets.com | tcp |
| US | 185.199.111.133:443 | raw.githubusercontent.com | tcp |
| US | 140.82.114.22:443 | collector.github.com | tcp |
| GB | 20.26.156.210:443 | api.github.com | tcp |
| N/A | 127.0.0.1:9050 | tcp | |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| GB | 20.26.156.210:443 | api.github.com | tcp |
Files
\??\pipe\crashpad_2684_PDTGAJZMIHTQSSDE
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
| MD5 | d751713988987e9331980363e24189ce |
| SHA1 | 97d170e1550eee4afc0af065b78cda302a97674c |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
| SHA512 | b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 779d9b421efd97fd47adf81e48a55737 |
| SHA1 | b7fb28c33ead16648e7adef8c9c53e4b24b77e3d |
| SHA256 | a4f0c63706a98981584a04963bb7b0a6d1ff9959eb5c8f285391ecfe8feca63a |
| SHA512 | 6ff147808c4ade029914b2eb4390a020a051447c0ad60a33265afff1811e601508d3564e7a844f765be724a65df96e4c567592294cd455f5572ecc2fbb998076 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | b17f17b2b4b8d9b4204a7917112ffa06 |
| SHA1 | c00be27f900bdae5c4469892e7a7ac1b9877af2c |
| SHA256 | 0e0911a1f6953611aebb31f632eff253054f11af1e8dcb8e402d383c7a67a0e4 |
| SHA512 | 94749dc073ff4fb64c2dc3ba3e0293e999de8a8b566d961fc92c136dc8ddbf36f5109c7e2b6b2e69e42ce3a501965c583a063307087525789aee69e022f4b939 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 4405c5543d1f1dbc32d1f9ffb312272b |
| SHA1 | 6d30b2a3d15a6709c396932c9c9cfcafc147e30e |
| SHA256 | 0e26c605bbe8d539efe34cb2f271aeb2f39a9a3b40686e14c470c95be7a47a0f |
| SHA512 | 24c43a60c0c5ad24998c4f59bbb0af5ddc489f8d966fbb6b45e2a3f48e7b9d5b54fbfae8b38eac1831312fba401dbaa4caa0ebf0aedbf73a1eae9054fd8e81c3 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
| MD5 | 0eeb706af867c08c4bda97507131c482 |
| SHA1 | 438af8ee51fae2673abcae0a62bf9e68a114b272 |
| SHA256 | e1c5af0026f2619e92ad070b8af67454ddf5f7a1d8e084b691f7d99cc50f0768 |
| SHA512 | fd63092925a35190220f808b36b03fe06058c60fcc23249af982f29d080b87af6ff7ed9867285d4dddafdb0bad77a63069ffb13ba4b8db32b5e7865549e90025 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 52f1c8e530105cbf48040a3eb419c4e9 |
| SHA1 | cbcf86ef2980f1c0ea2470787c60c2dfdc9ff266 |
| SHA256 | e5f91c0771f3c913b428a80afd12087c8d0a21b90be68dbdef97c9282ac85a01 |
| SHA512 | 5a1ec80b47ec0150b1bd3e365e8b6bd1f308b20663220b80d8f4e8a6ff7901092ea4a4b937bb05c5d71d20887b9f85a04638591102da54784f89a3e962a3f0f9 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 5d51af1289e6392c439574d526836a1b |
| SHA1 | 941207a3da9f02dfa6d75b278bc6bdbb9507e9db |
| SHA256 | 1392d9c93c475c27f00fc607686f91ccc795786f3b4c1e5419dce74ce3187c68 |
| SHA512 | 4e0ada97cd77a3ea4f93e7d376ee30fbce45bb1d924edff15777294517bc9a1ad86435c5d3f5b6ceff9cf10c0096c5e2e5e072c6372d28eadf63f62fbed261bf |
C:\LDPlayer\LDPlayer9\MSVCR120.dll
| MD5 | 50097ec217ce0ebb9b4caa09cd2cd73a |
| SHA1 | 8cd3018c4170072464fbcd7cba563df1fc2b884c |
| SHA256 | 2a2ff2c61977079205c503e0bcfb96bf7aa4d5c9a0d1b1b62d3a49a9aa988112 |
| SHA512 | ac2d02e9bfc2be4c3cb1c2fff41a2dafcb7ce1123998bbf3eb5b4dc6410c308f506451de9564f7f28eb684d8119fb6afe459ab87237df7956f4256892bbab058 |
C:\LDPlayer\LDPlayer9\MSVCP120.dll
| MD5 | 50260b0f19aaa7e37c4082fecef8ff41 |
| SHA1 | ce672489b29baa7119881497ed5044b21ad8fe30 |
| SHA256 | 891603d569fc6f1afed7c7d935b0a3c7363c35a0eb4a76c9e57ef083955bc2c9 |
| SHA512 | 6f99d39bfe9d4126417ff65571c78c279d75fc9547ee767a594620c0c6f45f4bb42fd0c5173d9bc91a68a0636205a637d5d1c7847bd5f8ce57e120d210b0c57d |
C:\LDPlayer\LDPlayer9\dnresource.rcc
| MD5 | d4d2fd2ce9c5017b32fc054857227592 |
| SHA1 | 7ee3b1127c892118cc98fb67b1d8a01748ca52d5 |
| SHA256 | c4b7144dd50f68ca531568cafb6bb37bf54c5b078fbac6847afa9c3b34b5f185 |
| SHA512 | d2f983dde93099f617dd63b37b8a1039166aaf852819df052a9d82a8407eb299dac22b4ffe8cab48331e695bf01b545eb728bec5d793aeb0045b70ea9ceab918 |
C:\LDPlayer\LDPlayer9\crashreport.dll
| MD5 | 19dae6362eb73913f7947f719be52516 |
| SHA1 | e157307ae8e87c9a6f31bc62ecdf32d70f8648d9 |
| SHA256 | ae0eba69019294d03e11d68fea0ee72e77bfe156803f1b83bc8566a0a4d3584d |
| SHA512 | f5eb5771eb03f7f2067e32573397814ff3ef54dc7fae0abadad6bfdcafef6a4a5bf6f3ab9874c0530cb70cb995f6716ca8fa1cba175ed5a1d298c700f6e59ad2 |
C:\LDPlayer\LDPlayer9\dnrepairer.exe
| MD5 | 4def56a3500d5a4dec3ff797a88c5751 |
| SHA1 | 1a53c9c6f3d1e27ac8532e09f87990505c8090de |
| SHA256 | c09b51bdc9039b976a55eb8dc7c517d65d8d5f6eadda92d2de27ceee7845b0e4 |
| SHA512 | a96322ca61f45875bfdb7b514ce1a95bbc1faba3fc0b7bc7c0af3f05d68c14e47fddff64e595f6bf053df7e1efad3e5f9e33f3bc2e09501c3c20de62864ae1d8 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 4145d7c741b4e2e2d50306ec8a953ad5 |
| SHA1 | c49b225fa5e33c8961e4cd1d618ff8f46b2ff321 |
| SHA256 | 3385750425309fc791c267bcc08340632db10b4494ab401b2e9a256cc75f6a45 |
| SHA512 | 4c72ea7e2abc7ae1aa8c191e44318f7ededef1a686ca6e4148508b634972f4915187b5b1d5fa55a4139fb9c6a1d722f37f2b0b5cf1f16eee52273e29cb70335c |
C:\LDPlayer\LDPlayer9\vms\config\leidian0.config
| MD5 | 95bfc18a8a765491b04692f6b4bdb1de |
| SHA1 | 97368f2bb78aa06e19ba87318405460cb602e17c |
| SHA256 | e0cd70894cad83ea758fc70a3e4e6a587e62ad7c8fa7b30190bd6b81393e2e3b |
| SHA512 | 07ffa0f4b57671f794bef18a455b052cf99581aa90cbf8f1f1ed99c21f0c2524b6a64dc7a24b726ca386bfaa05bd2b04f24016c0d1c6736c6e039278dab6034b |
C:\Users\Admin\AppData\Local\Temp\16920458-8FA5-442C-9C8D-D76D91F76D3F\DismHost.exe
| MD5 | 17275206102d1cf6f17346fd73300030 |
| SHA1 | bbec93f6fb2ae56c705efd6e58d6b3cc68bf1166 |
| SHA256 | dead0ebd5b5bf5d4b0e68ba975e9a70f98820e85d056b0a6b3775fc4df4da0f6 |
| SHA512 | ce14a4f95328bb9ce437c5d79084e9d647cb89b66cde86a540b200b1667edc76aa27a36061b6e2ceccecb70b9a011b4bd54040e2a480b8546888ba5cc84a01b3 |
C:\Users\Admin\AppData\Local\Temp\16920458-8FA5-442C-9C8D-D76D91F76D3F\DismCorePS.dll
| MD5 | 7f751738de9ac0f2544b2722f3a19eb0 |
| SHA1 | 7187c57cd1bd378ef73ba9ad686a758b892c89dc |
| SHA256 | db995f4f55d8654fc1245da0df9d1d9d52b02d75131bc3bce501b141888232fc |
| SHA512 | 0891c2dedb420e10d8528996bc9202c9f5f96a855997f71b73023448867d7d03abee4a9a7e2e19ebe2811e7d09497bce1ea4e9097fcb810481af10860ff43dfb |
C:\Users\Admin\AppData\Local\Temp\16920458-8FA5-442C-9C8D-D76D91F76D3F\dismprov.dll
| MD5 | 2ac64cc617d144ae4f37677b5cdbb9b6 |
| SHA1 | 13fe83d7489d302de9ccefbf02c7737e7f9442f9 |
| SHA256 | 006464f42a487ab765e1e97cf2d15bfa7db76752946de52ff7e518bc5bbb9a44 |
| SHA512 | acdb2c9727f53889aa4f1ca519e1991a5d9f08ef161fb6680265804c99487386ca6207d0a22f6c3e02f34eaeb5ded076655ee3f6b4b4e1f5fab5555d73addfd7 |
C:\Users\Admin\AppData\Local\Temp\16920458-8FA5-442C-9C8D-D76D91F76D3F\OSProvider.dll
| MD5 | e9833a54c1a1bfdab3e5189f3f740ff9 |
| SHA1 | ffb999c781161d9a694a841728995fda5b6da6d3 |
| SHA256 | ec137f9caebcea735a9386112cf68f78b92b6a5a38008ce6415485f565e5cf85 |
| SHA512 | 0b18932b24c0257c80225c99be70c5125d2207f9b92681fd623870e7a62599a18fa46bcb5f2b4b01889be73aeb084e1b7e00a4968c699c7fdb3c083ef17a49f9 |
C:\Users\Admin\AppData\Local\Temp\16920458-8FA5-442C-9C8D-D76D91F76D3F\ImagingProvider.dll
| MD5 | 4c6d681704e3070df2a9d3f42d3a58a2 |
| SHA1 | a9f6286ac25f17b6b2acd1fce6459b0bc94c6c81 |
| SHA256 | f1bbab35b2602d04d096c8de060b2a5cf802499a937fd1ffe749ff7f54852137 |
| SHA512 | daa0c723312680256c24457162e0ef026b753ba267f3e2755f838e2864a163802c078d8668dd2c2064cb8887f4e382a73d6402a5533b6ac5c3cbf662ad83db86 |
C:\Users\Admin\AppData\Local\Temp\16920458-8FA5-442C-9C8D-D76D91F76D3F\TransmogProvider.dll
| MD5 | c1c56a9c6ea636dbca49cfcc45a188c3 |
| SHA1 | d852e49978a08e662804bf3d7ec93d8f6401a174 |
| SHA256 | b20b3eb2df22998fd7f9ff6898ba707d6b8833a8274719a5e09d5148d868faaf |
| SHA512 | f6db05e4644d734f81c2461e4ad49c4e81880c9e4beee13dbbda923360ef6cf4821fccd9040671b86ab2cd8c85fc313c951c1a69e4df14d94268753ce7ae5b2e |
C:\Users\Admin\AppData\Local\Temp\16920458-8FA5-442C-9C8D-D76D91F76D3F\ServicingCommon.dll
| MD5 | 07231bdae9d15bfca7d97f571de3a521 |
| SHA1 | 04aec0f1afcf7732bc4cd1f7aab36e460c325ba6 |
| SHA256 | be75afbbc30cad7235adf03dcc07fcee3c0c330c89b00e326ebbef2e57df5935 |
| SHA512 | 2a46e0657e84481faf5c9d3de410884cb5c6e7b35039f5be04183cdac6c088cc42b12d0097e27836af14699e7815d794ca1cec80960833ab093b8dc6d44e2129 |
C:\Windows\Logs\DISM\dism.log
| MD5 | 27e2512216f6515313485c4a3684da5a |
| SHA1 | 617076a2e2619d614dab0bc050b4707d5ac05454 |
| SHA256 | f1e17be2f125dc52dea5e9ccef4aa91b4087fc60ecf77410413109879b50e6bd |
| SHA512 | 90f9d59fe994931a11d3222f641e1bdfc525ebd46696e035cd12e656afef7ef796d33093faa8c006a61b421c955976f67159c0eebf31877aaaa9b4de1e820f6f |
C:\Users\Admin\AppData\Local\Temp\16920458-8FA5-442C-9C8D-D76D91F76D3F\LogProvider.dll
| MD5 | c63f6b6d4498f2ec95de15645c48e086 |
| SHA1 | 29f71180feed44f023da9b119ba112f2e23e6a10 |
| SHA256 | 56aca41c62c8d0d1b26db3a01ef6c2da4a6a51fc963eb28411f8f7f029f1bfde |
| SHA512 | 3a634340d8c66cbc1bef19f701d8bdb034449c28afecce4e8744d18181a20f85a17af3b66c8853cecb8be53f69ae73f85b70e45deac29debab084a25eb3c69dc |
C:\Users\Admin\AppData\Local\Temp\16920458-8FA5-442C-9C8D-D76D91F76D3F\IBSProvider.dll
| MD5 | f6b7301c18f651567a5f816c2eb7384d |
| SHA1 | 40cd6efc28aa7efe86b265af208b0e49bec09ae4 |
| SHA256 | 8f4e3f600917d49ada481ff0ed125fef4a316b659bb1197dc3036fc8c21a5a61 |
| SHA512 | 4087d819706c64a5d2eed546163c55caacc553b02dc4db0d067b8815d3a24fb06ea08de3de86aac058ff2907f200e4e89eef2357ca23328aaacbe29501ea3286 |
C:\Users\Admin\AppData\Local\Temp\16920458-8FA5-442C-9C8D-D76D91F76D3F\AssocProvider.dll
| MD5 | 702f9c8fb68fd19514c106e749ec357d |
| SHA1 | 7c141106e4ae8f3a0e5f75d8277ec830fc79eccc |
| SHA256 | 21ad24a767aeb22d27d356bc8381f103ab620de1a47e374b9f961e44b543a358 |
| SHA512 | 2e7d403c89dacdda623ed1a107bac53aafde089fdd66088d578d6b55bcfe0a4fc7b54733642162bd62d0ca3f1696667a6f0cb4b572d81a6eefd6792d6003c0d9 |
C:\Users\Admin\AppData\Local\Temp\16920458-8FA5-442C-9C8D-D76D91F76D3F\IntlProvider.dll
| MD5 | 34035aed2021763bec1a7112d53732f1 |
| SHA1 | 7132595f73755c3ae20a01b6863ac9518f7b75a4 |
| SHA256 | aac13ddb9ab5a165a38611f1b61229268a40d416f07740d4eefba1a8fcf7c731 |
| SHA512 | ea045aa46713133a5d0ad20514cc2a8c8fffb99b4e19c4d5262f86167cfce08a31d336222fd3c91e6efbfd90312bb2325337aa02a8489e047b616085fdf46c1d |
C:\Users\Admin\AppData\Local\Temp\16920458-8FA5-442C-9C8D-D76D91F76D3F\SysprepProvider.dll
| MD5 | 4dfa1eeec0822bfcfb95e4fa8ec6c143 |
| SHA1 | 54251e697e289020a72e1fd412e34713f2e292cf |
| SHA256 | 901cea68c7a158a1d9c030d3939f8f72057d1cf2f902aec1bc1b22a0000c0494 |
| SHA512 | 5f3f710bef75da8cddb6e40686d6a19f59fbc7d8a6842eaceb9a002ab284a91ecf48c352171e13f6a75366610988e67710439f1dde579311ebbb3cd9e4751aa4 |
C:\Users\Admin\AppData\Local\Temp\16920458-8FA5-442C-9C8D-D76D91F76D3F\UnattendProvider.dll
| MD5 | 7c61284580a6bc4a4c9c92a39bd9ea08 |
| SHA1 | 4579294e3f3b6c03b03b15c249b9cac66e730d2a |
| SHA256 | 3665872e68264bbf3827c2bf0cfa60124ea1d87912728f2fc3685dce32855cb8 |
| SHA512 | b30b89d0d5e065042811d6ff397d226877ff698aeb1153681692aedabe3730e2f3746ad9d70e3120e336552bab880644f9ead0c91a451197a8f0977a2126a0fe |
C:\Users\Admin\AppData\Local\Temp\16920458-8FA5-442C-9C8D-D76D91F76D3F\OfflineSetupProvider.dll
| MD5 | 3437087e6819614a8d54c9bc59a23139 |
| SHA1 | ae84efe44b02bacdb9da876e18715100a18362be |
| SHA256 | 8b247665218f5151f0d19f59ea902a7c28f745d67a5d51b63b77242ffb4bdd74 |
| SHA512 | 018e88f6c121dd4ecaceb44794e2fa7a44b52ddb22e7a5a30a332905e02065cbc1d1dcddc197676277b22f741195c1b7c4c185d328b096b6560b84e9749d6dde |
C:\Users\Admin\AppData\Local\Temp\16920458-8FA5-442C-9C8D-D76D91F76D3F\WimProvider.dll
| MD5 | bcf8735528bb89555fc687b1ed358844 |
| SHA1 | 5ef5b24631d2f447c58b0973f61cb02118ae4adc |
| SHA256 | 78b742deddee8305ea06d77f296ad9fe0f4b4a27d71b34dcdff8ae199364790c |
| SHA512 | 8b2be4e9a4334a5fc7f7c58579c20974c9194b771f7a872fd8e411d79f45fc5b7657df4c57ad11acb915d5ea5d1f0583c8a981b2c05104e3303b3ee1469b93f5 |
C:\Users\Admin\AppData\Local\Temp\16920458-8FA5-442C-9C8D-D76D91F76D3F\EdgeProvider.dll
| MD5 | c22cc16103ee51ba59b765c6b449bddb |
| SHA1 | b0683f837e1e44c46c9a050e0a3753893ece24ad |
| SHA256 | eb68c7d48f78b46933acba617cf3b5fcb5b8695c8a29295a9fa075f36910825b |
| SHA512 | 2c382aaddeca4efda63162584c4a2338ffcc1f4828362ce7e927e0b39c470f1f66a7933ae2210d63afb5a2ae25412266fde2ee6bdb896c3c030bdc08b67ec54e |
C:\Users\Admin\AppData\Local\Temp\16920458-8FA5-442C-9C8D-D76D91F76D3F\ProvProvider.dll
| MD5 | 2ef388f7769205ca319630dd328dcef1 |
| SHA1 | 6dc9ed84e72af4d3e7793c07cfb244626470f3b6 |
| SHA256 | 4915b0c9cd8dc8a29dd649739974d244f9105dc58725f1da0d592af3b546e2bf |
| SHA512 | b465917424dd98125d080c135c7e222a9485ed7ec89004f9a70e335b800e5b9419fbc932c8069bae9ff126494174cf48e2790030dd22aa2d75b7b9d8ccff752b |
C:\Users\Admin\AppData\Local\Temp\16920458-8FA5-442C-9C8D-D76D91F76D3F\Ffuprovider.dll
| MD5 | a41b0e08419de4d9874893b813dccb5c |
| SHA1 | 2390e00f2c2bc9779e99a669193666688064ea77 |
| SHA256 | 57ce7761531058f3c4289b1240bea6dc06355c9c4b4e88b9c9c0df8012edc5b3 |
| SHA512 | bd370e49da266148d50144c621f6415bdd5358e6274b1d471b8d4ee1888d93774331c3f75e6cb99782f1c8e772981cbc5a4baf5592c6400f340407dc670e547a |
C:\Users\Admin\AppData\Local\Temp\16920458-8FA5-442C-9C8D-D76D91F76D3F\Vhdprovider.dll
| MD5 | 8a655555544b2915b5d8676cbf3d77ab |
| SHA1 | 5a7529f8a6d50d3f4e13b2e3a0585f08eb0511a2 |
| SHA256 | d3a2dd7d47bfbb3897b927d1b7230b5b12e5fd7315d687458de15fbb08fb7e27 |
| SHA512 | c6da649ae3c3688065b37bccfb5525ade25ba7bc3b163ad7d61f3b3d1c4957c8fd6c9f2bf23b0dbc4fffe32e980acb5a5d3895b8a012c5ed086e3e38caee2e93 |
C:\Users\Admin\Downloads\Ransomware.WannaCry.zip.crdownload
| MD5 | efe76bf09daba2c594d2bc173d9b5cf0 |
| SHA1 | ba5de52939cb809eae10fdbb7fac47095a9599a7 |
| SHA256 | 707a9f323556179571bc832e34fa592066b1d5f2cac4a7426fe163597e3e618a |
| SHA512 | 4a1df71925cf2eb49c38f07c6a95bea17752b025f0114c6fd81bc0841c1d1f2965b5dda1469e454b9e8207c2e0dfd3df0959e57166620ccff86eeeb5cf855029 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | c2199b0845cac185fc23bd839b8dc2bc |
| SHA1 | 4521501cae2e484b41d9c3c641b6c34b5580e9f1 |
| SHA256 | 5b93a6d22741ee09d1f7f87cf414c8ac57464c4960e437dd03a714f821d365e3 |
| SHA512 | 277b7f6897396e44ce118f91b2329eb838a1c799ae99e5353bd3fbd0713765705c9c449c54c9b438401c21d39a25e7ada0c57673aaac6f3b0a706eb432402dc2 |
C:\Windows\Logs\DISM\dism.log
| MD5 | 1004e396a9f3d8f8c3c32cf2791f616a |
| SHA1 | eef6b512f8d199edf475d3f0506b1f074fadd0c9 |
| SHA256 | 9fd35325a803eb82357b7e11d64a82fa1292089e9e88f1a6dd044c6c72827a09 |
| SHA512 | 2feec06cdfa1d95a2b631c2e0b6894b2bea95dd8adfa7062a8f552c37d39cd37f0573f6636be940d530ffe6d1b47edd3d17a6ccaa350cb50d8c25fc22781d358 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
| MD5 | f8701eba2f8ecdf71987964bbb3d9d1c |
| SHA1 | 889542f5604b0969bb8db3595e125463a026f341 |
| SHA256 | 509a9f53be2bdae84844fd98bb32476da03a0b89bab694d8b04b42b0b5e384d3 |
| SHA512 | 64aca46f5b4273b1bd442b16d095eda51d57816b17fbe9a3637cd8d207f18733196e2fbb21901da8620a22cc9b198b6662ea5375c2fa81815689df80a8b594a7 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe58a0df.TMP
| MD5 | 0ca530fcc8a88a47c331dd0cc5fb3aa8 |
| SHA1 | 124c96d964fd478f93d8aac0469690cc4393ad69 |
| SHA256 | 3263e4ce5cac31215b16942840f564ea45edcf5d22cfd97b5584d21b4259f29f |
| SHA512 | 913aa691149abe5a6248316e0cf9921be29de1729f1e7bbfc259db2105fc3be985508a57026f1578ece4667609d06ad35e2a824b820e8e7340a8a57346f0ff86 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 22c651bccbac36842361130cd871ab41 |
| SHA1 | 619d297acaf97f5e624551f90bf377f79111e22f |
| SHA256 | 948a8af9303edae0f947b7db8a5c9440e4aec52dd8e6b0d5ad53330932de5976 |
| SHA512 | 225b864ec33ecd06cfe1be4ec8bc7250702a2a9ec72bd3df3fd09ce1b08d94b1e414e2757b62136f33fd1a54c2e0989d282e5d20691f0e0ddd8679c79242f30a |
memory/4680-926-0x0000000002D00000-0x0000000002D36000-memory.dmp
memory/4680-927-0x0000000005960000-0x0000000005F8A000-memory.dmp
memory/4680-930-0x0000000006000000-0x0000000006066000-memory.dmp
memory/4680-928-0x0000000005680000-0x00000000056A2000-memory.dmp
memory/4680-929-0x0000000005F90000-0x0000000005FF6000-memory.dmp
memory/4680-931-0x0000000006070000-0x00000000063C7000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_h53kiylb.phx.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4680-941-0x0000000006550000-0x000000000659C000-memory.dmp
memory/4680-940-0x0000000006520000-0x000000000653E000-memory.dmp
memory/4680-943-0x000000006F360000-0x000000006F3AC000-memory.dmp
memory/4680-942-0x0000000006B00000-0x0000000006B34000-memory.dmp
memory/4680-952-0x0000000006AE0000-0x0000000006AFE000-memory.dmp
memory/4680-953-0x0000000007750000-0x00000000077F4000-memory.dmp
memory/4680-954-0x0000000007EB0000-0x000000000852A000-memory.dmp
memory/4680-955-0x0000000007870000-0x000000000788A000-memory.dmp
memory/4680-956-0x00000000078F0000-0x00000000078FA000-memory.dmp
memory/4680-957-0x0000000007B00000-0x0000000007B96000-memory.dmp
memory/4680-958-0x0000000007A80000-0x0000000007A91000-memory.dmp
memory/4680-959-0x0000000007AC0000-0x0000000007ACE000-memory.dmp
memory/4680-960-0x0000000007BA0000-0x0000000007BBA000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 86894ac1f2f342e713f2bcf9d18534b5 |
| SHA1 | 2faa913531a45f68cf54768f7e7b094a50396dbb |
| SHA256 | 15681a417d224cb39e2cfd5c3d02fc92ff66f54cba24cc16e4df599315fdafb4 |
| SHA512 | d896b5f2824dc114d43b4e5343a9aefeaffa3eb55d55f12bcc50cf54fcd133d533be03a36c30046bf33eab67cd8ab814b5788c55f22bf304ee21bc4b50379abf |
memory/3528-976-0x0000000005720000-0x0000000005A77000-memory.dmp
memory/3528-977-0x000000006F360000-0x000000006F3AC000-memory.dmp
memory/4656-995-0x000000006F360000-0x000000006F3AC000-memory.dmp
C:\LDPlayer\ldmutiplayer\fonts\NotoSans-Regular.otf
| MD5 | 93b877811441a5ae311762a7cb6fb1e1 |
| SHA1 | 339e033fd4fbb131c2d9b964354c68cd2cf18bd1 |
| SHA256 | b3899a2bb84ce5e0d61cc55c49df2d29ba90d301b71a84e8c648416ec96efc8b |
| SHA512 | 7f053cec61fbddae0184d858c3ef3e8bf298b4417d25b84ac1fc888c052eca252b24f7abfff7783442a1b80cc9fc2ce777dda323991cc4dc79039f4c17e21df4 |
C:\LDPlayer\ldmutiplayer\fonts\Roboto-Regular.otf
| MD5 | 4acd5f0e312730f1d8b8805f3699c184 |
| SHA1 | 67c957e102bf2b2a86c5708257bc32f91c006739 |
| SHA256 | 72336333d602f1c3506e642e0d0393926c0ec91225bf2e4d216fcebd82bb6cb5 |
| SHA512 | 9982c1c53cee1b44fd0c3df6806b8cbf6b441d3ed97aeb466dba568adce1144373ce7833d8f44ac3fa58d01d8cdb7e8621b4bb125c4d02092c355444651a4837 |
C:\LDPlayer\LDPlayer9\ldmutiplayer\ssleay32.dll
| MD5 | 0054560df6c69d2067689433172088ef |
| SHA1 | a30042b77ebd7c704be0e986349030bcdb82857d |
| SHA256 | 72553b45a5a7d2b4be026d59ceb3efb389c686636c6da926ffb0ca653494e750 |
| SHA512 | 418190401b83de32a8ce752f399b00c091afad5e3b21357a53c134cce3b4199e660572ee71e18b5c2f364d3b2509b5365d7b569d6d9da5c79ae78c572c1d0ba0 |
C:\LDPlayer\LDPlayer9\ldmutiplayer\msvcr110.dll
| MD5 | 4ba25d2cbe1587a841dcfb8c8c4a6ea6 |
| SHA1 | 52693d4b5e0b55a929099b680348c3932f2c3c62 |
| SHA256 | b30160e759115e24425b9bcdf606ef6ebce4657487525ede7f1ac40b90ff7e49 |
| SHA512 | 82e86ec67a5c6cddf2230872f66560f4b0c3e4c1bb672507bbb8446a8d6f62512cbd0475fe23b619db3a67bb870f4f742761cf1f87d50db7f14076f54006f6c6 |
C:\LDPlayer\LDPlayer9\ldmutiplayer\msvcp110.dll
| MD5 | 3e29914113ec4b968ba5eb1f6d194a0a |
| SHA1 | 557b67e372e85eb39989cb53cffd3ef1adabb9fe |
| SHA256 | c8d5572ca8d7624871188f0acabc3ae60d4c5a4f6782d952b9038de3bc28b39a |
| SHA512 | 75078c9eaa5a7ae39408e5db1ce7dbce5a3180d1c644bcb5e481b0810b07cb7d001d68d1b4f462cd5355e98951716f041ef570fcc866d289a68ea19b3f500c43 |
C:\LDPlayer\LDPlayer9\ldmutiplayer\libssl-1_1.dll
| MD5 | e8fd6da54f056363b284608c3f6a832e |
| SHA1 | 32e88b82fd398568517ab03b33e9765b59c4946d |
| SHA256 | b681fd3c3b3f2d59f6a14be31e761d5929e104be06aa77c883ada9675ca6e9fd |
| SHA512 | 4f997deebf308de29a044e4ff2e8540235a41ea319268aa202e41a2be738b8d50f990ecc68f4a737a374f6d5f39ce8855edf0e2bb30ce274f75388e3ddd8c10b |
C:\LDPlayer\LDPlayer9\ldmutiplayer\libssh2.dll
| MD5 | 52c43baddd43be63fbfb398722f3b01d |
| SHA1 | be1b1064fdda4dde4b72ef523b8e02c050ccd820 |
| SHA256 | 8c91023203f3d360c0629ffd20c950061566fb6c780c83eaa52fb26abb6be86f |
| SHA512 | 04cc3d8e31bd7444068468dd32ffcc9092881ca4aaea7c92292e5f1b541f877bdec964774562cb7a531c3386220d88b005660a2b5a82957e28350a381bea1b28 |
C:\LDPlayer\LDPlayer9\ldmutiplayer\libeay32.dll
| MD5 | ba46e6e1c5861617b4d97de00149b905 |
| SHA1 | 4affc8aab49c7dc3ceeca81391c4f737d7672b32 |
| SHA256 | 2eac0a690be435dd72b7a269ee761340099bf444edb4f447fa0030023cbf8e1e |
| SHA512 | bf892b86477d63287f42385c0a944eee6354c7ae557b039516bf8932c7140ca8811b7ae7ac111805773495cf6854586e8a0e75e14dbb24eba56e4683029767b6 |
C:\LDPlayer\LDPlayer9\ldmutiplayer\libcurl.dll
| MD5 | 2d40f6c6a4f88c8c2685ee25b53ec00d |
| SHA1 | faf96bac1e7665aa07029d8f94e1ac84014a863b |
| SHA256 | 1d7037da4222de3d7ca0af6a54b2942d58589c264333ef814cb131d703b5c334 |
| SHA512 | 4e6d0dc0dc3fb7e57c6d7843074ee7c89c777e9005893e089939eb765d9b6fb12f0e774dc1814f6a34e75d1775e19e62782465731fd5605182e7984d798ba779 |
C:\LDPlayer\LDPlayer9\ldmutiplayer\libcrypto-1_1.dll
| MD5 | 01c4246df55a5fff93d086bb56110d2b |
| SHA1 | e2939375c4dd7b478913328b88eaa3c91913cfdc |
| SHA256 | c9501469ad2a2745509ab2d0db8b846f2bfb4ec019b98589d311a4bd7ac89889 |
| SHA512 | 39524d5b8fc7c9d0602bc6733776237522dcca5f51cc6ceebd5a5d2c4cbda904042cee2f611a9c9477cc7e08e8eadd8915bf41c7c78e097b5e50786143e98196 |
C:\LDPlayer\LDPlayer9\ldmutiplayer\cximagecrt.dll
| MD5 | 66df6f7b7a98ff750aade522c22d239a |
| SHA1 | f69464fe18ed03de597bb46482ae899f43c94617 |
| SHA256 | 91e3035a01437b54adda33d424060c57320504e7e6a0c85db2654815ba29c71f |
| SHA512 | 48d4513e09edd7f270614258b2750d5e98f0dbce671ba41a524994e96ed3df657fce67545153ca32d2bf7efcb35371cae12c4264df9053e4eb5e6b28014ed20e |
C:\LDPlayer\LDPlayer9\ldmutiplayer\7za.exe
| MD5 | ad9d7cbdb4b19fb65960d69126e3ff68 |
| SHA1 | dcdc0e609a4e9d5ff9d96918c30cb79c6602cb3d |
| SHA256 | a6c324f2925b3b3dbd2ad989e8d09c33ecc150496321ae5a1722ab097708f326 |
| SHA512 | f0196bee7ad8005a36eea86e31429d2c78e96d57b53ff4a64b3e529a54670fa042322a3c3a21557c96b0b3134bf81f238a9e35124b2d0ce80c61ed548a9791e7 |
C:\LDPlayer\LDPlayer9\dnmultiplayer.exe
| MD5 | 330013a714c5dc0c561301adcccd8bc8 |
| SHA1 | 030b1d6ac68e64dec5cbb82a75938c6ce5588466 |
| SHA256 | c22a57cd1b0bdba47652f5457c53a975b2e27daa3955f5ef4e3eaee9cf8d127a |
| SHA512 | 6afb7e55a09c9aac370dff52755b117ad16b4fc6973665fce266ea3a7934edfb65f821f4f27f01f4059adb0cf54cc3a97d5ff4038dc005f51ecee626fd5fadd1 |
C:\LDPlayer\LDPlayer9\dnplayer.exe
| MD5 | 2061141f3c490b5b441eff06e816a6c2 |
| SHA1 | d24166db06398c6e897ff662730d3d83391fdaaa |
| SHA256 | 2f1e555c3cb142b77bd72209637f9d5c068d960cad52100506ace6431d5e4bb0 |
| SHA512 | 6b6e791d615a644af9e3d8b31a750c4679e18ef094fea8cd1434473af895b67f8c45a7658bfedfa30cc54377b02f7ee8715e11ee376ed7b95ded9d82ddbd3ccc |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | c05de9317348b27f674bec859013b66f |
| SHA1 | 4acac2495703281ae742973733ffc3a0ba511dc5 |
| SHA256 | ad4e67c62a139f32dc7a16f7f133f52342aeb1d1085b5459f9515d0dbf3d0a30 |
| SHA512 | 23646d12d149ae47d33e51d1b9724ba8c4e95c5392c0e96832a9ece26a4576864f178d2544ff55df5a0362e283939acab279dc9dd16454c6569035312b705548 |
memory/2724-1116-0x0000000000FE0000-0x0000000000FF6000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | bbfb66ff6f5e565ac00d12dbb0f4113d |
| SHA1 | 8ee31313329123750487278afb3192d106752f17 |
| SHA256 | 165401ef4e6bbd51cb89d3f9e6dc13a50132669d5b0229c7db12f2ec3f605754 |
| SHA512 | 8ea206daabc7895923f3df9798bfd96f459bf859c78f3e5640fad550678b5090539f2a1b590883cd9797efee999acccac16d499772f61f5390e91bcc44d60560 |
C:\Users\Admin\AppData\Roaming\XuanZhi9\ldopengl32x.dll
| MD5 | b001f88504c8c9973e9a3b4dc03e6d1a |
| SHA1 | a54b3046a70a4f2c792ad6a382b637b599f1dc48 |
| SHA256 | 8ee4cbed114a588e934b5043f95c9c06f40468c2300fa0d1d938d16c1d46a8fd |
| SHA512 | 390e53be657fc35fb2e9f41b76b3b07c161a860d72445a4b1425ca973a6d8c0f32f6de6844719c6e9813e8d949ab65263642dea01c800a00285bd45595bed4d8 |
memory/2724-1137-0x0000000035D10000-0x0000000035D20000-memory.dmp
C:\LDPlayer\LDPlayer9\vms\leidian0\sdcard.vmdk
| MD5 | 4d592fd525e977bf3d832cdb1482faa0 |
| SHA1 | 131c31bcff32d11b6eda41c9f1e2e26cc5fbc0ef |
| SHA256 | f90ace0994c8cae3a6a95e8c68ca460e68f1662a78a77a2b38eba13cc8e487b6 |
| SHA512 | afa31b31e1d137a559190528998085c52602d79a618d930e8c425001fdfbd2437f732beda3d53f2d0e1fc770187184c3fb407828ac39f00967bf4ae015c6ba77 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 9a91b6dd57fc9c4880d34e9e7c6b760f |
| SHA1 | 77a09da6ef4343a8b232386e000cd2d6b9fc30a3 |
| SHA256 | 0170297f0103d4e415653f86dedc31b0827580042f86862206fd3f6f135b543a |
| SHA512 | 9fc3b9be931b3edebc4a6809d62d805046bdceb4c27a7db21cfbbcb0e5e253ab529c54d64e465e60904a6ab3b83156e26b97f852c9526f46f037944f806a7f0f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 886c0c6cd52ce1ddd55747ecb79e2d14 |
| SHA1 | 3fccadb37e3e4883438d288261a95f55873c7823 |
| SHA256 | 9c784421e3bf2bc4b063c2f895e61a4187a68873a25d47dad1434ceaf6aff2f5 |
| SHA512 | 733a333b5ece88a4f27a7363a04e14c4a03372f5879c59fbcdfd1d1febdea7f1a36a7017d2043b2bf38be4a650f95a66bb5375d46d799429bdbcbda03619f844 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 206702161f94c5cd39fadd03f4014d98 |
| SHA1 | bd8bfc144fb5326d21bd1531523d9fb50e1b600a |
| SHA256 | 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167 |
| SHA512 | 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 9408427cd427b28063a03bfc5f604ecc |
| SHA1 | 1d25f571675655bd42194783af0d981772e2bf2e |
| SHA256 | ab6b79a1d17b791b48029dfe72cba638789ba2230b6091115aef3c3f80820501 |
| SHA512 | 34ea8a64fc29c542792bf04e4163dfbf8783094010be985545e2e22d4a7f886eaf5956447535b0986aa7d0b3753f70e003a7e319b9483f6f9633168eed993f5b |
C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_finnish.wnry
| MD5 | 35c2f97eea8819b1caebd23fee732d8f |
| SHA1 | e354d1cc43d6a39d9732adea5d3b0f57284255d2 |
| SHA256 | 1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e |
| SHA512 | 908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf |
memory/5192-1390-0x0000000010000000-0x0000000010010000-memory.dmp
memory/2724-1405-0x0000000070760000-0x00000000707DE000-memory.dmp
memory/2724-1407-0x0000000072B50000-0x0000000072BA9000-memory.dmp
memory/2724-1406-0x00000000706E0000-0x000000007075A000-memory.dmp
memory/2724-1404-0x00000000707E0000-0x0000000070D86000-memory.dmp
memory/2724-1408-0x0000000070D90000-0x000000007278B000-memory.dmp
C:\Users\Admin\Downloads\Ransomware.WannaCry\@[email protected]
| MD5 | 7bf2b57f2a205768755c07f238fb32cc |
| SHA1 | 45356a9dd616ed7161a3b9192e2f318d0ab5ad10 |
| SHA256 | b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25 |
| SHA512 | 91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 5786a8c3312d35b7e09d2a086a402d73 |
| SHA1 | 66639c7966b10c0c173ae39a5a7886d64feb44c4 |
| SHA256 | 023783f8c2184040f4b9060ff617772dcb1e5696e63211e5784437199f4a4787 |
| SHA512 | d707895153cb42779f936bf4492682bbfd26f2c30936f2e8729cafa4cd6346c4d40869b330cb4aa47e986aa892972a4abfafb3b6f58f1c8f11037f0e1190ef3b |
C:\Users\Admin\Downloads\Ransomware.WannaCry\@[email protected]
| MD5 | f97d2e6f8d820dbd3b66f21137de4f09 |
| SHA1 | 596799b75b5d60aa9cd45646f68e9c0bd06df252 |
| SHA256 | 0e5ece918132a2b1a190906e74becb8e4ced36eec9f9d1c70f5da72ac4c6b92a |
| SHA512 | efda21d83464a6a32fdeef93152ffd32a648130754fdd3635f7ff61cc1664f7fc050900f0f871b0ddd3a3846222bf62ab5df8eed42610a76be66fff5f7b4c4c0 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 8fd3b2ea08ff050d4e20110035de2a95 |
| SHA1 | 6f9799afbbddc9546ab6c5351d6d7e5d29d311ab |
| SHA256 | a02ed93efa4cfc1881d51f240be9a235d9e809c9260bd514f8b6ef81fc6a3da8 |
| SHA512 | b3430dcc4f1021996eb126085b3d19b6670480821b8f062e441cbc0bb11a6716819b44f84d1c50b339ad6d113cbfcb3e83d64d3188c6386a62c9d499c8e31681 |
C:\ProgramData\Microsoft\AppV\Setup\@[email protected]
| MD5 | 09d6086c245487fe6bb3961df853eb13 |
| SHA1 | eebc847bf20bb0a998e5309363460d13472b5806 |
| SHA256 | 4babd7b3e6b2ac073e6685b41bc723756cd44f6e7651e9f0222df4b160b0bdcc |
| SHA512 | ce1a7159a083f3e7f8ef8943fdb4c75c869597076836bc588a8e14b365983f97a855b82fc3a546e5acf43d9231bfd4bcef765cfb05d16534ecb5992aae80b8db |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 101b17c352cbf3c732f6cdf592458c80 |
| SHA1 | 89ef03df0789a030252ddeb2a1572c4f49770af7 |
| SHA256 | 66e1231618122d6f8d4891ee2566b642e7f79b5cd8ff4220f9a6b466ba4718ad |
| SHA512 | 1ffe8e8c97d0ffd96bf46e6fefeaa4e0ca55d50e982a82d8c3f9941e7b6d1e1bac8b99c17e4e2baacc9fa62664a727e48ccd09b37955954f719a78f71db668a6 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 1e797f4eef77d748f23a98272a10924d |
| SHA1 | 756693ef840bb761831f1bdd98d47a9c7df26439 |
| SHA256 | 500e8d4178c3d50db2cba772a2de2d3530b8ed42efb030bcfa82cc299ebe68a7 |
| SHA512 | a5eb42e177077c28144ca42902049252e0c3edc05e97e98dadc370f4cc922d04949d0dea86d4976bb6a17c52476b2c9ebd53b536052211949ec8c9818ab93625 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 216fa273cd6051861092bbcdc1430717 |
| SHA1 | 5047e8c7d0a672a2406048c339f3561452b9257c |
| SHA256 | 21310552862717605ab6a576e92add5d4e6b948211dfdcd65e39b94029eadc5b |
| SHA512 | 41e65bbe351588200812138a463b43eddf1a65c68cf5089006bb3aaf3357539805515008476ba20c934615f6c26c60e63406a03b599d63017028156343e76d51 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 49370f4457ecb4d2873419c59e5be8da |
| SHA1 | 1b841bb035c1a304f4157655b785a94500e4afd7 |
| SHA256 | e2278e8d208e7e3c03ab7450c27cd642529f8d2e6b501a6687fc3c7862fe2151 |
| SHA512 | 0a64afafb966658e7ccf732323e734d15e574c37456483e710781d7b28628decd01bb4b58721b8a5c8a229910a29e35821dacdfb7aa34c2b7c285985159f83da |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 06bea2b07206c1fe5fe708b12d441d56 |
| SHA1 | ed6ad20da7926e397a91502258d33f6b922b6c09 |
| SHA256 | ab1efb2729e2eb1983d333b5abb2e01544407536bb83abbd9dcd7f10cf18817b |
| SHA512 | df06d81577fe274e78449a4777b6b8c2ed983a4da8d3661cd6b990612f175109119315240a943f7a480d164295dd25a47d148fd7e41eb1049e62b68e986dbc01 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe594f4f.TMP
| MD5 | fff3de24bf327f1eb09508d5cc86e3a3 |
| SHA1 | 8f42147f8281cc75c27aa759ee24b7fd4523d28d |
| SHA256 | 2eb5fe7061461abfa8fa6744d5330b13dadf0fba84bb17ea0e4133102438acca |
| SHA512 | 194ee7a1d0493f3cdebb0aecef4a126fbf4a345165eafff9077680db36364e9b396ddc44e6935739b33f2dddf0d9f6fe7c60fee091e589fa799840f0b636cb30 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | cb271268b782bce9486ad5c6e2d5e9ea |
| SHA1 | 9781d9ab06c66e5196bba06a1b817106258bcaab |
| SHA256 | d1cdeeec11a079cbe0f358b90bc8bac6740c19354afbe06b1f5ba006b2b5255c |
| SHA512 | 9e0669b042f17b465540974074c8719ac1b08daafd8ceb418f577be4f6ceeb9909831f3816f7773c1deaa529fbe04a7efb99f248cedfee31681304eb1abbd6b1 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | e3984b1a0fdff782d18c6a4bfbd7df0f |
| SHA1 | 23375c777ec8f7087747acb5981a9dedca16cd00 |
| SHA256 | 4d3c91063dab4b0f08d6ac64dcddd70b00abe361dd9c89084ab25558dad8a7d2 |
| SHA512 | d4e45487ea532d21520a68d9b08c8420d508d64d92d720666971c04dd6e40d6d9f7693e5353db5fb227a7e9cdfb1f94f1c2964a870d09a040ec5a26df697568a |
C:\Users\Default\Desktop\@[email protected]
| MD5 | c17170262312f3be7027bc2ca825bf0c |
| SHA1 | f19eceda82973239a1fdc5826bce7691e5dcb4fb |
| SHA256 | d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa |
| SHA512 | c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c |
C:\Users\Admin\Downloads\Ransomware.WannaCry\TaskData\Tor\tor.exe
| MD5 | fe7eb54691ad6e6af77f8a9a0b6de26d |
| SHA1 | 53912d33bec3375153b7e4e68b78d66dab62671a |
| SHA256 | e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb |
| SHA512 | 8ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f |
memory/5468-3241-0x00000000742B0000-0x0000000074332000-memory.dmp
memory/5468-3244-0x0000000074170000-0x0000000074192000-memory.dmp
memory/5468-3245-0x0000000000AF0000-0x0000000000DEE000-memory.dmp
memory/5468-3242-0x0000000073650000-0x000000007386C000-memory.dmp
memory/5468-3243-0x00000000741A0000-0x0000000074222000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | ad30f3f5ca170d5c4d465b0f28774737 |
| SHA1 | c6c0bb097ed092d9cb5607bbcb3b9f6f0c3eb00a |
| SHA256 | 16e6eb00adddb9ed000322eb6cebcb9b582e6b948aaafcca9ea41940c997b80b |
| SHA512 | 29f010b4af4759a2395292ca0ed4eab709282ad86f0d06ebe7fbaa768d3e76f82bba2762aed6e687113df20e12cf6e38af7f67d10192821958fe309af2f62e67 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 481115d51d3c85ca035c07a4c73d90f0 |
| SHA1 | 8d0197386ec46759abd3259126032670b9901f20 |
| SHA256 | 05d5fede7ea8b2f90e71317c6499820ef49075da811f5de047b62e8b2f0b2528 |
| SHA512 | 004e68c33b5196037f5fc6b5f75a1c02165483f89392772945b915a9746246cd5c22b077ac9a93d9a884d0d273a379caeba96335e2ecd7db01b4624f4b144caa |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | 243e78263855b485d8463e1e1e17ffe1 |
| SHA1 | d73977511c2319e58019f42e7bd8e29a5c663f6f |
| SHA256 | f2b3a2816e67cb1d2d81a81e65ebb8e8ee624484ee9cc1ae083bc0b978fc07a1 |
| SHA512 | 906d5923653cd4b6a27e96fdf4da85ff82a690c8c4a8fec9aefc6a70d068f3f8848f30098b1bf64cfa3347c83d0885f9323508a5316e9b88ddd95534d1ae8c43 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1
| MD5 | de56d29c4110a312895ce08d5fcf0324 |
| SHA1 | 59070c1d414c666329e2371d333040c3cb89cd6f |
| SHA256 | 0d7e7434e4a820ca7e3447053f06c110df5e1c588d4302d492e1965733bfa614 |
| SHA512 | e0698c31a681f752fb3cd52a51fb54d10a19c64064d52df8579a877ff0969ad133b34244dde2638fa1116e2f138cd3e66870828c4b7e48750b05167e5d6bf062 |
memory/5468-3374-0x0000000000AF0000-0x0000000000DEE000-memory.dmp
memory/5468-3380-0x0000000073650000-0x000000007386C000-memory.dmp
memory/5468-3379-0x0000000074170000-0x0000000074192000-memory.dmp
memory/5468-3378-0x00000000741A0000-0x0000000074222000-memory.dmp
memory/5468-3377-0x0000000074230000-0x00000000742A7000-memory.dmp
memory/5468-3376-0x00000000743E0000-0x00000000743FC000-memory.dmp
memory/5468-3375-0x00000000742B0000-0x0000000074332000-memory.dmp
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new
| MD5 | 10fee8f62ccc54009e4507eab4c0b2c6 |
| SHA1 | 93b34bddf0a6adb007c1d1b6b4e170a2e8d1d2af |
| SHA256 | 6dcbf629bb08bbd791cdf550cc3b9af0078bce4e50998e9458c44c719566ec0b |
| SHA512 | 11c33c0db2f7ad0d564cfdf049c8a70bb26cca1461423ad3636edbe307d509953623dcc72dc3fedde09ac6ba439a4180b59421b53217a165c54b2fe6666bf463 |
memory/5468-3400-0x0000000000AF0000-0x0000000000DEE000-memory.dmp
memory/5468-3413-0x0000000000AF0000-0x0000000000DEE000-memory.dmp
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
| MD5 | 1d89a492b7be156f3343cb595d937e33 |
| SHA1 | 460e807b14f3172546c939d91194863d68949700 |
| SHA256 | c82d4e8b8208a3a22f0f6d700652d172c00b19ca508d71a35eadb0c953d23e96 |
| SHA512 | eefd2c107a14520a05032e93fdd153838b7417f37f55d71dcc4fdf7ac349c6db9bdbeb3199a9a1f03efe0864511a2df1c15169fe0af13cbfa3760babcd66c517 |
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SettingsCache.txt
| MD5 | 766f5efd9efca73b6dfd0fb3d648639f |
| SHA1 | 71928a29c3affb9715d92542ef4cf3472e7931fe |
| SHA256 | 9111e9a5093f97e15510bf3d3dc36fd4a736981215f79540454ce86893993fdc |
| SHA512 | 1d4bb423d9cc9037f6974a389ff304e5b9fbd4bfd013a09d4ceeff3fd2a87ad81fe84b2ee880023984978391daf11540f353d391f35a4236b241ccced13a3434 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
| MD5 | 80faf8da59c87e3470d7e5c39570965e |
| SHA1 | 5591d926f085ec3f70dd7d6642628eea139ee1ef |
| SHA256 | ec406d96ded7030cc2a179d2a179d9497c5eadeb93ee7296dc182c210890617d |
| SHA512 | 4cfe38bf7eb4b0b6c5660e06482f8981e5b2205318167eb420296deb3b33724943a25e2818e869cc960c49b484895448ec3423c4b238dd217fd63a64be68f3bb |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\f0bd0389-d374-4298-974b-40620dac4b25.tmp
| MD5 | 5058f1af8388633f609cadb75a75dc9d |
| SHA1 | 3a52ce780950d4d969792a2559cd519d7ee8c727 |
| SHA256 | cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8 |
| SHA512 | 0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | d4e1d73985e3eedb978d181e99d0360e |
| SHA1 | f3561fb115a7cbcdc07a2506578109a8d142ea82 |
| SHA256 | 834dabb7c5600a944f02272b379f33b7795801c34e1a888692e1ae88f03c0310 |
| SHA512 | 207c8e5fd68e8f3bd046317bb30ddd8d03115381efa2323e24d0c77ea45fc3e6084dd82d1725220ff9893390b0438e71786ff687a03b016fb9161f79583cf96c |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | c126299b0dc6ade35b73901bccb52422 |
| SHA1 | 4b9e6cd26fdd26f98b621f0dfb895ce66878bec6 |
| SHA256 | d51c1cabea96db33401e2af471daa6745f155f9e7aebe7e02f2cba5653139ce4 |
| SHA512 | c247613a5bf3f565973014ef5dac1976b9cf3826835d670cea09ca205d26183a18c6b788cb4ce972571bfab955a4aa5c13e20806e00ba0804eeacf6689be762f |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | bc1b4d63eb956cc99809da0c4a524be4 |
| SHA1 | 1639b7522d00ba2de7e23ffa21712769cbcf7005 |
| SHA256 | d2f22be0b00b3dfc684897e941f8fa2b8f4876f52cf9f8688b099c24c4157fd5 |
| SHA512 | 3631da56e5d3a80fe9ad93ed02fb649f18380364f58ad5b5d8348bf340fef5f296a4d4686155bcb6fb5a1cdf235156e389505f7ebcbdf81003e04ce367b06405 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
| MD5 | 94275bde03760c160b707ba8806ef545 |
| SHA1 | aad8d87b0796de7baca00ab000b2b12a26427859 |
| SHA256 | c58cb79fa4a9ade48ed821dd9f98957b0adfda7c2d267e3d07951c2d371aa968 |
| SHA512 | 2aabd49bc9f0ed3a5c690773f48a92dbbbd60264090a0db2fe0f166f8c20c767a74d1e1d7cc6a46c34cfbd1587ddb565e791d494cd0d2ca375ab8cc11cd8f930 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe5be897.TMP
| MD5 | 3e8f09c3a5d98b0efb5fa72d462a8cf8 |
| SHA1 | 5691b3d0e7b8f6871c0097403bb3cc9459883982 |
| SHA256 | a8036a76f16368ddb458260445b0f54bd16ff14744e6c00d6a865aa0b6ae43d7 |
| SHA512 | 070b4a4addfaa013ca785521474825513c70c9d1ca69bbf7c1d880efb6b15719912a2ac95a25d059fcb041bbd591f7589a0a5bdcd5a40f50fe8dec88801f8db2 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
| MD5 | 53cabb37345d254d223599ea83dc9aee |
| SHA1 | 2b9f8d1b7689ca62c0969cedb4c33aa3cabbf24a |
| SHA256 | bf6f3e03734f73e81a59b0852073c97d8717ead0a5ba412f620dedb3652cfeeb |
| SHA512 | 8d9cd1956cc44dda186b56227ba2362b607a8f64c9d36e903e0357b645fbaad0f9be1bf5c157a9cf3f698c74a754ebe0e7cdf36211656082e0fdd32a3d7fd81a |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 9c1b26a15e7d12b1858d8e4d1f00da22 |
| SHA1 | 40dfbb62f0910908f7667881a9eda23539019736 |
| SHA256 | e5b19bf469fc05aa77a6182c5ecfeeba5fa772bc648402a8b8825f2dd914dc77 |
| SHA512 | dc41c4775fd926608d4e5bee0a92f0a4fd862cff2e11d5ee9ca7b164b11c5d62525c33d7a7c6932f444c1675fac34f0023d3ba780d8447bb73b12ae305294667 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 877b810a82d92873ab13982156e307fe |
| SHA1 | c1fbf612516fe4775e0b0afb3a1e7a34e0b9e18b |
| SHA256 | f70b123bab935a941950518235a2c1debfc5651edee781b0650ab9c4b29c8b1e |
| SHA512 | c76cf96168145036d5cd9ae206dca5f8bdfaed3dff21ac81a3562edac148d4d856dac59803a16af04b671e9a7baae4a6a5a10a6c7745fafcc9c9301edc331443 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 2f6925a398741ce0ac994532ca645c25 |
| SHA1 | d9157818aafac920c0642fa7a3e689c1326a93eb |
| SHA256 | eeeaa949a68b55d384d96c00a0b59ac9c5c29df0fc4c83bec59183f51b0a9aa9 |
| SHA512 | 8feebd93ff90c054ae943119ee0bbc3618b5520ae97f5c4ccf1f754667908602286a4649000825ecb15ca1832a90410e6f3a1c942ef8f2bca9d10886e047a3f2 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe5c480d.TMP
| MD5 | 7e33bb2930218b1dfcbc1cd7f3adb3be |
| SHA1 | 9b821fa675861f50a73f2121f4e3858c56a7b74a |
| SHA256 | 1d9a6e39a39324505dd70cef9d06c255a67f0366064a542b8bdc5c5a62859228 |
| SHA512 | 8ea6e8d554ec3d4c30f5d1d4463a24f61202fc6905ab92ac4c515f3dd19fa1472c0b0c87af6914da328ece8a279168caeb30b32e62569374eaf438f6815858f3 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 37a4f07a59c73a8cc930206d6348bb13 |
| SHA1 | 4ccaaf16214d1bb631cbafb1c00707f28b2aba27 |
| SHA256 | 0e4cac08573ccadfcd31f7ddbb7d4bf72510046096b2959dda344af346ce034e |
| SHA512 | 7b23846e32a81b197b0f1840c70e0864307cfdb80de71a6975c9578a860acdecc0ad6df369fb611de0f840b629cf8fc0c0ff2d6c7a7c5fd34704131eef6901b2 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 8ccbf0b27c192ef80463a608ce631fa5 |
| SHA1 | a5dcd54565eda7ba113fba05dd6e77b59ebede73 |
| SHA256 | 8a54211b9806ec9c3cdb11ee1e652b5dee72d1d3b6077fb0bca63760142f4552 |
| SHA512 | 53d20db69a5516f8bf61f34f7ea5217401dffbf630b407b473881fb6c39c53a93dae72cd6d5784cebe6f8d1dbac89e260117382f8e446e712d46230b174a2a97 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
| MD5 | bfddac58d0e271cc25041c6c54b21a71 |
| SHA1 | 3bbe29b6b404a5bb71653fde614af77e8191dca2 |
| SHA256 | 4f724568f59837dd9f3a12a8344e6b0b1d98f09d03c4de266aa8d7369ca14f67 |
| SHA512 | 7a8127a39d8299b4f95247d53d53d1bac2f974ce844bad28e3322a84c0555393bc4c995b884fbc9ca60287545315ef2ec18aab05d743900269f79922feda5352 |