Resubmissions
02-10-2024 11:53
241002-n2j6fsycqb 313-09-2024 04:59
240913-fmwxpswcpb 311-09-2024 15:54
240911-tcmg6sygmm 311-09-2024 15:53
240911-tbsmsszbnh 1025-08-2024 22:53
240825-2t6als1gll 1024-08-2024 21:25
240824-z93hjsscrp 924-08-2024 21:20
240824-z65thazfpa 1021-08-2024 23:05
240821-23av3azamj 1021-08-2024 16:22
240821-tvn4qayekh 321-08-2024 16:20
240821-ttkd5sydng 10Analysis
-
max time kernel
657s -
max time network
657s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
12-08-2024 19:58
General
-
Target
dl2.exe
-
Size
849KB
-
MD5
c2055b7fbaa041d9f68b9d5df9b45edd
-
SHA1
e4bd443bd4ce9029290dcd4bb47cb1a01f3b1b06
-
SHA256
342f04c4720590c40d24078d46d9b19d8175565f0af460598171d58f5ffc48f3
-
SHA512
18905b75938b8af9468b1aa3ffbae796a139c2762e623aa6ffb9ec2b293dd04aa1f90d1ed5a7dbda7853795a3688e368121a134c7f63e527a8e5e7679301a1dc
-
SSDEEP
12288:A3RY3yNqMRTF4q2rxHn2ot/81xpNQyjUXlmoe7ufjHAtjXD7r2:A3RY3R24q+xn/8Xp2yOl5fzQ/2
Malware Config
Extracted
C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\!Please Read Me!.txt
wannacry
15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1
Signatures
-
BazarBackdoor 64 IoCs
Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Tries to connect to .bazar domain 64 IoCs
Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.
-
Drops startup file 2 IoCs
-
Executes dropped EXE 8 IoCs
-
Unexpected DNS network traffic destination 64 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 18 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Kills process with taskkill 4 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs
-
Suspicious use of AdjustPrivilegeToken 49 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of SetWindowsHookEx 14 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\dl2.exe"C:\Users\Admin\AppData\Local\Temp\dl2.exe"1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\dl2.exeC:\Users\Admin\AppData\Local\Temp\dl2.exe {2477C1F6-13F6-4930-839F-6C3FB31159A4}1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default1⤵
- BazarBackdoor
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffe49ff46f8,0x7ffe49ff4708,0x7ffe49ff47182⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,8000091377025545190,16919769351407852325,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,8000091377025545190,16919769351407852325,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,8000091377025545190,16919769351407852325,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2800 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8000091377025545190,16919769351407852325,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8000091377025545190,16919769351407852325,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8000091377025545190,16919769351407852325,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4140 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8000091377025545190,16919769351407852325,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4148 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,8000091377025545190,16919769351407852325,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4316 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,8000091377025545190,16919769351407852325,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4316 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8000091377025545190,16919769351407852325,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5284 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8000091377025545190,16919769351407852325,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5264 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8000091377025545190,16919769351407852325,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5056 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8000091377025545190,16919769351407852325,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5412 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8000091377025545190,16919769351407852325,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5664 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8000091377025545190,16919769351407852325,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3592 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8000091377025545190,16919769351407852325,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8000091377025545190,16919769351407852325,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8000091377025545190,16919769351407852325,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5936 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2152,8000091377025545190,16919769351407852325,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5600 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,8000091377025545190,16919769351407852325,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4416 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2152,8000091377025545190,16919769351407852325,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5920 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\WannaCry.exe"C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\WannaCry.exe"1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 323011723493157.bat2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cscript.execscript //nologo c.vbs3⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\!WannaDecryptor!.exe!WannaDecryptor!.exe f2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im MSExchange*2⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Microsoft.Exchange.*2⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sqlserver.exe2⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im sqlwriter.exe2⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\!WannaDecryptor!.exe!WannaDecryptor!.exe c2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.execmd.exe /c start /b !WannaDecryptor!.exe v2⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\!WannaDecryptor!.exe!WannaDecryptor!.exe v3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.execmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet4⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic shadowcopy delete5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\!WannaDecryptor!.exe!WannaDecryptor!.exe2⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\!WannaDecryptor!.exe"C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\!WannaDecryptor!.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\!WannaDecryptor!.exe"C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\!WannaDecryptor!.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\!WannaDecryptor!.exe"C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\!WannaDecryptor!.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\!WannaDecryptor!.exe"C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\!WannaDecryptor!.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD52783c40400a8912a79cfd383da731086
SHA1001a131fe399c30973089e18358818090ca81789
SHA256331fa67da5f67bbb42794c3aeab8f7819f35347460ffb352ccc914e0373a22c5
SHA512b7c7d3aa966ad39a86aae02479649d74dcbf29d9cb3a7ff8b9b2354ea60704da55f5c0df803fd0a7191170a8e72fdd5eacfa1a739d7a74e390a7b74bdced1685
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5ff63763eedb406987ced076e36ec9acf
SHA116365aa97cd1a115412f8ae436d5d4e9be5f7b5d
SHA2568f460e8b7a67f0c65b7248961a7c71146c9e7a19772b193972b486dbf05b8e4c
SHA512ce90336169c8b2de249d4faea2519bf7c3df48ae9d77cdf471dd5dbd8e8542d47d9348080a098074aa63c255890850ee3b80ddb8eef8384919fdca3bb9371d9f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\6ac179a4-b785-40d2-9cae-252598559e26.tmpFilesize
6KB
MD5fa90542f5208ab8a47412ac27102d9e8
SHA13a90e6b412c38fe10bb9b32055bf8f2cc80a68c8
SHA256932113bad30cc32be3679b052bd2253d9a327627b46b9296e1744952e6b2b7dd
SHA512e5b2bcb933bd35c3ae7ccc0c42258e75780a3bce09e9ab994ae9c5b2d4c872ad719a7718f3624bc2ed3df3b84b174108a915ef9a2578f8f1154da4f651904a8f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
3KB
MD56d9c4dc1ece8d6930308d8178415cbb5
SHA191559dd5f50c9992a60bf67871694489143855f0
SHA25600fd5699b1b3d98610fdc51bb0ca4812b17c2bb2460fa338cee1fa20c51254a9
SHA5120af19dfcd4ba5b6334fc6135691b3fd95fb7a10893b5a533bb2e4989f0553e8e464b35ab69e7875a8e1afa5acf32680b1f12029731796057d0730fcc1afbedf4
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
111B
MD5807419ca9a4734feaf8d8563a003b048
SHA1a723c7d60a65886ffa068711f1e900ccc85922a6
SHA256aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631
SHA512f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
794B
MD5bb72222c8540002b691b1bfefe095a84
SHA12b8eb9bb39b9275132bd04b425304df7193b981b
SHA256d62356684712e7fa6f64b2030c0e27732f9586b650f409e99311b6ed39df45a3
SHA512658dc98c6a1417eaa059f80baaa24b4062cfed99d3236e627a8d0139797b25eb303391194221856443b79c03a2e8bb2c3e42629a078b9c33cace915d7119f645
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5e45c04fc6fc1c30d6bef6336474ee7a3
SHA193719832f0e7de2dc66730f32dd84976df2d653b
SHA256bc4d774c75d238d8b05afb4c5c8074feb831f0a65d054570f7e115667f3d7186
SHA5124742877592ff548280bd578268cd8e464ad1df24ecfa1e907ef1e16c1cb3b60ace10bf4b2a07f00ac736e3f55dca92888e22cbcb2ef0e0c0b0eac966cdb0b18b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
7KB
MD5399ee577b60498f1972898da8c8251f9
SHA1bca17ff28ed6436ad6eb9b75933f3bb0ced32218
SHA2564e6230811a0d78faa1e9d9e8017a5368aa8c52a0a674c4ed38411c64e9f05245
SHA51293d22b26e78201e4e6e3c78eef582aeb50959ab5d233139bd4ce8538adfa2ea5c5bd926c1192967933daca8a3b34e4942e5b761df18780a938936e8172c67a02
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD58ccfe6f18cac17a3710862fa21d79b2a
SHA1121c6308e1b1a6152f5f411757c2e5449567994c
SHA2562441d229a9c42c1a4f66c26c032635bfef30784093df82bf971ea20b81b1f97d
SHA512b483bf03ffab968b90ab7d71a8ee1f16a7c422d7490181a9d8d06e90b841e518c6ea93ce0096f17d7ee237ad1cf73294cf4f1f5cb579958b288b98c590c001e0
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
7KB
MD5eeedda7eed2afd17ac126e05fb17d2d0
SHA1cec7ee154f86eaaa8f30c68df58d9a057ef42c83
SHA25672d01ca6bb6b6401f15aca4c8fcf970844f1e7edc025fd97103d5946e51c51cd
SHA512fe75fc60b853b1e99c73c493b708fb8bd2798e762adb09177223499f5afa5ad6e3cacc5948b7bcc247f30785357c2bf208337db861e1f17b85ecb5efe54e6a2f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD59322174613e5efe81d770eadb17af22a
SHA1c35620e13508d4fbce84e7e0153513b3aae4a977
SHA2565ee4827cc3c672b4973ca6cb3be43c5d7a15d563928da799f86965033715dd51
SHA5125f80748500d03262dd19bafb633c781b009b742332f8a5915826ab1d8bc54c8693badf93e8c7c34988901d05c0f805b69a1c30d05e8a41445c11f109536daef8
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD5324a805b28d6c37e3efd30cb7045d776
SHA14604ab7d4016ca2b19e09c86f5ba9332e885ace8
SHA2562b08eb3c4e1cdb2436acfb7a034cd806c47dc700c14023c1430532180eeec901
SHA51296bd60610773819c4b1008d5f3e8401e4815a0825a4d8cfc30368d1ab33bfc1aaa4237e2a64c6c8b1e8ea12906b36466a097d1f188669fafb2a9f9ff6e83f72e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe587441.TMPFilesize
1KB
MD57d852919723d4914670a8783a591b0bc
SHA18e0de853d11dc49f2a7524f6ff8d9d97c5caf8ed
SHA256c2780823429c4203e4a48bbb1b15e5f8bf8f8ce31eaf1439410e3e0dc7e16278
SHA51209c753981529d26a69089f142928f0e33165c0e89adeafde2d045372e78312e921dda158710e51ea949236a873bbbc1a28ccce7e989019da3b3c2f5b70b9545f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\d5f5384d-e557-4eae-af6e-d256ade0e255.tmpFilesize
1KB
MD512ec8213f772bdfb243a7018f83d2013
SHA1b85b7ae5ad7c14b2cd32cd0a622ff99d02666ff8
SHA2565d590f667b3d2bc525bad3a0aca91efb8df51599ef70d2ba92dbd347b1e202e3
SHA512aa4ece4f983f7f272546a27ba709bdf9b87402e77280e2b7b3e59448b5622d10c0de56295396b25f9d34cb84cfcd88b6324809d91ae169343a9fb03a6840637c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD54c467486b2d042d134e2d4cfecfdf6ab
SHA1afab6394b64a48ca85376a7f0b56d5f521a12896
SHA256dff9bf1d7f0835621d72b6cfdf16d0f00c8a8470bd610edc3ffae8bdb8e3bed1
SHA512fd605795035287fb2597b2c1f0d929f18c69f493482492ba144074b59b279d565138d059f31b46e0af732bca7044869d5bf5465fa67c1820234d423d315a4d4e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD5a854e01da0a71d906f4b09cde4768a10
SHA130e8aa815890dbb270d4f4e8b3dc76afa89f9f8c
SHA25602bf9b0fcb51384b3a5db828111c0b5a39fde22ef33a755c3e8b83207fa1960a
SHA5123ef8acdc167c24e0fc8e30f5bb616c3804c8415385caa7bdcdbb15b360f3e93c3beabed3d519f73bafeb3a7c011ef8dea5d68b962045a1fb8275813376bbf6c3
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
12KB
MD55b7c32797c67ce74194ae56e7d4443db
SHA1f29f268415b91736cb4de37dbaacd870bd6a9bc1
SHA2568ce799921a75e4bcc371526ec95a28e926142ce005317f902ce8fee31113083e
SHA5122b2b8482ab605594f7cf387aefd1b85444e8bb20f43791eb31f380bb0de3e2ba041f464d6041b57e9e492c7d58b7737e3908c67b3caceec1ac421c0707bdcea4
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\LogoImages\OneDriveMedTile.contrast-black_scale-125.png.WCRYFilesize
1KB
MD56b12c2fed52ea049787faf098497ecdd
SHA1276bfe667503bd790cb982e47f7e87320531c5ca
SHA2565b1e5b9e628b4abd051ec4110cbcf1b58b33e44457751b96a64a033b1ec447f5
SHA512e0f1f906c390a5312410ad6082b69b1d183aa34b39fc85e6831efc262ca388c4a9fe1923d8ef38f949f6e2fcc44178d0b0c2798997129daa827fc84be94d0c2a
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133670754214864666.txt.WCRYFilesize
77KB
MD55c1a293a1ed5fcea204b8f17723f046f
SHA11197700310a5054f1fcd3657bce2c5c76394bb4c
SHA256b27ef4b14ef67843ba7dc6876c46727ba728327a44fb07d7ec02e123179ec974
SHA51238e83a6bd97d1d003a255a8db61aa465c2a818ad7697539c4cd76333e19e1f8110b096000d49a2f65eaaa89066bea5355c54928aba6a463182d77fa6c9aa7959
-
C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\!Please Read Me!.txtFilesize
797B
MD5afa18cf4aa2660392111763fb93a8c3d
SHA1c219a3654a5f41ce535a09f2a188a464c3f5baf5
SHA256227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0
SHA5124161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b
-
C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\!WannaDecryptor!.exe.lnkFilesize
1KB
MD571af205973448734190d9f810bfa9c2f
SHA1084f26c55c884c4207695d6f7d264252ffa4bebe
SHA2565f25926746b2b1d18c2708898ec54e57dac70820bb82738f340f1ec87356b60c
SHA5128ce8ed174dfb24383b701fb347f7c9b1f74c2f16339669876967a3eb25ea5225118110f3549631163fb3986b872b0f6ff182adbf18834cc3587b3d574670a0dc
-
C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\00000000.resFilesize
136B
MD522bd09ee87c3ccd15d24376c547a8eca
SHA143e873d9002b9ed827bf3300af4f1df6331aae84
SHA2562126a048aa863de9823d67368e7c97afe8247709e9a87b74e40f91139640f4e7
SHA5124454002663908821e5a04e0f3fadb5e8e4ae4d9bf1eb52b489a0092b003340ae60b3a34dc3ef44c0ff4bb314a51a1b9da7c46dc9999a20e1fdc6a63281e843d0
-
C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\00000000.resFilesize
136B
MD5eb93c24acbc61086f0a35ab668b7c141
SHA1ae35c7e99c481c51fccdcaf3c35bc9388029e135
SHA256868d3d9b15b80962e0ce264573ace556326d78684858b47bce37bac3ce29652a
SHA5124086e804de670b2d15f9184228eb2c7542a7dff8ba421c40a345e024d411a06bb971b7a1dd97f2308933db73eaebfc3026e97ef028698fd22f4c54bb7fe1bb40
-
C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\00000000.resFilesize
136B
MD58edf933125f5b7bcac7d8f16d523765d
SHA1bed3e1ae6619666d4fc6366ff2c93570f091d2ae
SHA256cbf64bddd44cdfe6cdccb6d140dca435c9d13222f6c9f902a497869f535d97f2
SHA51278d96bb57bca06c27ac2afc764c3fe337bd52b0367a8ed854ee1a61f29b39a3c87823900977fb558e33a6cd1038819660d55f3c4113f609bf5028f46fe6fdbef
-
C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\00000000.resFilesize
136B
MD5faf5cc110ad19842b6b533305cfacc2a
SHA1beb6b2c346494f22f4049bb1065b4caafa7774bd
SHA2561bdd3558ee36dabfc658eae73fecd5bb455c6fe2364f8d99f8b02d4d11d3c722
SHA51283b1f416770c5757414efeec82e15a64ac8ab76b1c253e30e4dca472648e77d632ef640e9ea0f3cec24eddc73ebe7fa1dc739b8217460cc8dc81d276d26fe8b0
-
C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\323011723493157.batFilesize
474B
MD58c747809f440565ae31ff56fc6ee3726
SHA1ef010d0ba47bd09652b4910e72ddac78e3c76cf4
SHA25638de07ecb4fd6c81a4b4d0d5e9a30feac3bba198eccdee8271fef4ae005dc9d1
SHA512cc3637528185ddc8a3e6b79aeb3945ca67282d9588a552606547bbef88a77e8195e50a29aa676041fb2263651fde4986f74011acbc3eb49923d7f250b01759ca
-
C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\c.vbsFilesize
357B
MD5d20fdcc99bb6d4f26f0d22266e855c4a
SHA15a3ce3d72c0ce3d857188fc9e26a11076eeec91c
SHA256e1060f60ad87c2bf95f68cda720055265855c878dc9d572872677a2ad1159605
SHA5124f11b2316abbc28d80e77aef1494fae55abcf3bc116429702d32bf423b9b5c9162be63d78361810204a1fbb363c6ab65c000e51c550e36634c0feaf21cf6debd
-
C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\c.wryFilesize
628B
MD549c87eb80545ac21505698d3f65e62fd
SHA1e80b987ee979f9e0da531f2ee76a338a92f2d996
SHA256491ddb619f35f06bd0dd3a7e2427a3e9794ba55f7714f251f231658b13e6e532
SHA512137324cc36b6185bc459d53bf079c1aaccb948952f30273209adf0b2940284beff1ac279f2b6ff8a776d10985e02d39a5e68912bdb99acef6fea6a242e8e388b
-
C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\f.wryFilesize
352B
MD5fac7ea6f0deac68266bae0df419201ef
SHA11ea7fe981f3f508ecaaf0e5a433c4ad9691e2ee1
SHA2567ede0646b47227fd56becf552152530141341033c79a6a504d0e1c6b345a0850
SHA5126b04094dd2b56648ff99c962bbaecaa14f060e3c9f3fbef44b761336766328a3649623632bb5662522a6bce611614da01641ca2310a48eedb11001f53095f91a
-
C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\m.wryFilesize
42KB
MD5980b08bac152aff3f9b0136b616affa5
SHA12a9c9601ea038f790cc29379c79407356a3d25a3
SHA256402046ada270528c9ac38bbfa0152836fe30fb8e12192354e53b8397421430d9
SHA512100cda1f795781042b012498afd783fd6ff03b0068dbd07b2c2e163cd95e6c6e00755ce16b02b017693c9febc149ed02df9df9b607e2b9cca4b07e5bd420f496
-
C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\u.wryFilesize
236KB
MD5cf1416074cd7791ab80a18f9e7e219d9
SHA1276d2ec82c518d887a8a3608e51c56fa28716ded
SHA25678e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df
SHA5120bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5
-
C:\Users\Admin\AppData\Roaming\SendRemove.pot.WCRYFilesize
360KB
MD5c217804c5c197ea25665c94f8cddb58a
SHA1b53228b557f47d88a8bf2dba34458fc606e50b90
SHA256b42a6b9e4f3fc6f88468376e0e9ba6e211cf29a77828cedd14afe6c7d75713d4
SHA5129fe5472122859ae50846f67a73fb0b7d4fa11207b6457f8aadfee9e21fa462e4c96f5ccc49992038efb4dff1d964619b4d7bad720ea56ba810c0d33feed45031
-
C:\Users\Admin\Downloads\ExpandGroup.sql.WCRYFilesize
479KB
MD51e8faeee88674b4734fd331e904db95f
SHA1ffad085cb184ef59a0382b32c90c6e8cd861ea0f
SHA256429cdcfd11e5dbdb8d5cb0aad7dcd4f0fed3f288aa3508021f2ad7b55218b2d1
SHA51254e107cfddb6257583172cc0de45b4ba9205eafb38d743860c5ffa60155f0238c5e2ac465f73e4bd7fe0ce310a1688a1bf2c03651b1b1e9752baffb23a76af0e
-
\??\pipe\LOCAL\crashpad_4980_FNGVUEQAGJMPYUGOMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/1872-17-0x00000000005C0000-0x00000000006C0000-memory.dmpFilesize
1024KB
-
memory/1872-11-0x00000000020E0000-0x0000000002110000-memory.dmpFilesize
192KB
-
memory/2812-483-0x0000000010000000-0x0000000010012000-memory.dmpFilesize
72KB
-
memory/3076-8-0x0000000000660000-0x0000000000760000-memory.dmpFilesize
1024KB
-
memory/3076-2-0x0000000002100000-0x0000000002130000-memory.dmpFilesize
192KB
-
memory/3076-18-0x0000000000660000-0x0000000000760000-memory.dmpFilesize
1024KB
