Malware Analysis Report

2024-10-19 07:15

Sample ID 240916-nevnnsvbqq
Target 2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry
SHA256 b15052d17afc1a01e83cdc0624dd268838237f8cd66fa12c56706bdee8a61286
Tags
chaos defense_evasion discovery evasion execution impact macro persistence ransomware spyware stealer
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK
  Enterprise Matrix V15

Analysis: static1
  Detonation Overview
  Signatures

Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score
10/10

SHA256

b15052d17afc1a01e83cdc0624dd268838237f8cd66fa12c56706bdee8a61286

Threat Level: Known bad

The file 2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry was found to be: Known bad.

Malicious Activity Summary

chaos defense_evasion discovery evasion execution impact macro persistence ransomware spyware stealer

Chaos

Chaos family

Chaos Ransomware

Deletes shadow copies

Modifies boot configuration data using bcdedit

Deletes backup catalog

Disables Task Manager via registry modification

Suspicious Office macro

Reads user/profile data of web browsers

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Drops startup file

Adds Run key to start application

Drops desktop.ini file(s)

Sets desktop wallpaper using registry

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Uses Volume Shadow Copy service COM API

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Suspicious behavior: AddClipboardFormatListener

Opens file in notepad (likely ransom note)

Interacts with shadow copies

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Checks SCSI registry key(s)

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-16 11:19

Signatures

Chaos Ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Chaos family

chaos

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-16 11:19

Reported

2024-09-16 11:21

Platform

win7-20240903-en

Max time kernel

141s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe"

Signatures

Chaos

ransomware chaos

Chaos Ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Deletes shadow copies

ransomware defense_evasion impact execution

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Disables Task Manager via registry modification

evasion

Suspicious Office macro

macro
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\read_it.txt C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\UpdateTask = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe" C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\????? = "C:\\ProgramData\\Synaptics\\Synaptics.exe" C:\Users\Admin\AppData\Local\Temp\2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\UpdateTask = "C:\\Users\\Admin\\AppData\\Local\\Temp\\._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe" C:\Users\Admin\AppData\Local\Temp\._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Local\Temp\._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini C:\Users\Admin\AppData\Local\Temp\._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini C:\Users\Admin\AppData\Local\Temp\._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Local\Temp\._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-312935884-697965778-3955649944-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Ringtones\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe N/A
File opened for modification C:\Users\Public\Recorded TV\desktop.ini C:\Users\Admin\AppData\Local\Temp\._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Local\Temp\._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini C:\Users\Admin\AppData\Local\Temp\._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4DY23DRT\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Recorded TV\Sample Media\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Recorded TV\Sample Media\desktop.ini C:\Users\Admin\AppData\Local\Temp\._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini C:\Users\Admin\AppData\Local\Temp\._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Local\Temp\._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Local\Temp\._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Local\Temp\._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CUMHXU73\desktop.ini C:\Users\Admin\AppData\Local\Temp\._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Local\Temp\._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe N/A
File opened for modification C:\Users\Public\Pictures\Sample Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Local\Temp\._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0plh5ibj2.jpg" C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kkjxu3n8z.jpg" C:\Users\Admin\AppData\Local\Temp\._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\Synaptics\Synaptics.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2756 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe C:\Users\Admin\AppData\Local\Temp\._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe
PID 2756 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe C:\Users\Admin\AppData\Local\Temp\._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe
PID 2756 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe C:\Users\Admin\AppData\Local\Temp\._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe
PID 2756 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe C:\Users\Admin\AppData\Local\Temp\._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe
PID 2756 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 2756 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 2756 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 2756 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 2732 wrote to memory of 2624 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 2732 wrote to memory of 2624 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 2732 wrote to memory of 2624 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 2732 wrote to memory of 2624 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 2680 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe C:\Windows\System32\cmd.exe
PID 2680 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe C:\Windows\System32\cmd.exe
PID 2680 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe C:\Windows\System32\cmd.exe
PID 2800 wrote to memory of 2908 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2800 wrote to memory of 2908 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2800 wrote to memory of 2908 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2624 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2624 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2624 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 1968 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\cmd.exe
PID 1968 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\cmd.exe
PID 1968 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\cmd.exe
PID 1940 wrote to memory of 968 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1940 wrote to memory of 968 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1940 wrote to memory of 968 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 2800 wrote to memory of 1636 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2800 wrote to memory of 1636 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2800 wrote to memory of 1636 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2680 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe C:\Windows\System32\cmd.exe
PID 2680 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe C:\Windows\System32\cmd.exe
PID 2680 wrote to memory of 1512 N/A C:\Users\Admin\AppData\Local\Temp\._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe C:\Windows\System32\cmd.exe
PID 1512 wrote to memory of 2988 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1512 wrote to memory of 2988 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1512 wrote to memory of 2988 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1512 wrote to memory of 1564 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1512 wrote to memory of 1564 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1512 wrote to memory of 1564 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2680 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe C:\Windows\System32\cmd.exe
PID 2680 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe C:\Windows\System32\cmd.exe
PID 2680 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe C:\Windows\System32\cmd.exe
PID 2456 wrote to memory of 2644 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2456 wrote to memory of 2644 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2456 wrote to memory of 2644 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 1940 wrote to memory of 2508 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1940 wrote to memory of 2508 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1940 wrote to memory of 2508 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1968 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\cmd.exe
PID 1968 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\cmd.exe
PID 1968 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\cmd.exe
PID 2716 wrote to memory of 1236 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2716 wrote to memory of 1236 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2716 wrote to memory of 1236 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2716 wrote to memory of 2820 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2716 wrote to memory of 2820 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 2716 wrote to memory of 2820 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1968 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\cmd.exe
PID 1968 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\cmd.exe
PID 1968 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\cmd.exe
PID 2812 wrote to memory of 2020 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2812 wrote to memory of 2020 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 2812 wrote to memory of 2020 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 1968 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\system32\NOTEPAD.EXE

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe

"C:\Users\Admin\AppData\Local\Temp\2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe"

C:\Users\Admin\AppData\Local\Temp\._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe"

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt

Network

Country Destination Domain Proto
US 8.8.8.8:53 xred.mooo.com udp
US 8.8.8.8:53 freedns.afraid.org udp
US 69.42.215.252:80 freedns.afraid.org tcp
US 8.8.8.8:53 docs.google.com udp
GB 142.250.187.238:443 docs.google.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.179.227:80 c.pki.goog tcp
US 8.8.8.8:53 o.pki.goog udp
GB 142.250.179.227:80 o.pki.goog tcp
US 8.8.8.8:53 drive.usercontent.google.com udp
GB 142.250.179.225:443 drive.usercontent.google.com tcp

Files

memory/2756-0-0x00000000003B0000-0x00000000003B1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe

MD5 e7d91103647b76f121b854fe806f80e2
SHA1 e6adca5f83dfb2cca099cf18d6960d422b82bb9e
SHA256 04ed744d9643830fc5f0499203a6fde506b5f2c89868695bfe179a8edb3b28c0
SHA512 69dc672bfe3a89ebe71b8041159afab0231701ea59438feb1f000ddddf52627c1f7c6f36bd8c2f77f037dd2659e6ef8f27db283476dae228522051659f2f67b0

C:\ProgramData\Synaptics\Synaptics.exe

MD5 8728ba233fcb020a6a2eaabb90df630c
SHA1 c6dc576f2e0423e8a0f36bba51fa7c65e1e281e7
SHA256 b15052d17afc1a01e83cdc0624dd268838237f8cd66fa12c56706bdee8a61286
SHA512 24e494c64647794fc9aa91da6975117d27984b4bb21859dbf0c60faba5b7f0ec26c26ebbe1ad57f185e1d7ecd4b797d530639d287456ac9bc2930a111fd4613a

memory/2756-25-0x0000000000400000-0x0000000000545000-memory.dmp

memory/2680-28-0x0000000000BD0000-0x0000000000C5C000-memory.dmp

memory/2624-36-0x0000000000B70000-0x0000000000BFC000-memory.dmp

memory/2388-37-0x000000005FFF0000-0x0000000060000000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\VuK48T7f.xlsm

MD5 e566fc53051035e1e6fd0ed1823de0f9
SHA1 00bc96c48b98676ecd67e81a6f1d7754e4156044
SHA256 8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15
SHA512 a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

C:\Users\Admin\AppData\Local\Temp\VuK48T7f.xlsm

MD5 a8280db3a4e3639c37acbdf1401214c2
SHA1 f35738d2914b1b3c30238d32782f9461ff0c223f
SHA256 00daff2a509963b8901029f73229e9e3cc6edfc0c70f2c3b178b175ace861728
SHA512 e984c9f560759cca21fc0616f03efcd5688105686dedbdc8eba79740fdceb46fb8beb791b3bcce24f36387aaa7424933c4d9612e119586d0fcfbb40136b296af

memory/1968-79-0x0000000000B60000-0x0000000000BEC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\VuK48T7f.xlsm

MD5 409cd2af4eabe981a17beec9595fcee2
SHA1 f4f27852322c788aba8a14d856c7256e0dd3ab37
SHA256 21f802148e5065379d37caa3603e0e5cc5e8852110c78a2bd8857a952efa61a6
SHA512 c1da61f896fcfb99e930fb15a7cb00fc3bfc75d07e62d22d1c300a9c92e555a0ce9e1e399b6ef5c455b00165837e3bb10bf0b7e02ab7dc3ccaf46a8388b0bf6b

C:\Users\Admin\AppData\Local\Temp\VuK48T7f.xlsm

MD5 d9bdefeb3d6882ae88133589c8190e49
SHA1 86ea2b2964bfe4902573d0b2e6d0f7d30978bd6d
SHA256 e47d401b28d64865676c51d875fae12290edeae694667291efdd663d00652e2c
SHA512 deec9be7ec8338e25da444b2bf3e5c9ad85d68e7c9281af7a1b61a28c057a0ebbfe7788dd53a8f7504680c839b78cc59d956b12e2780994eb2db27e68f1d97e0

C:\Users\Admin\AppData\Local\Temp\VuK48T7f.xlsm

MD5 c308feaffdbda1f86e01dc6bf3275ae1
SHA1 b2831a1b3e3c9e0bc1deb806b3ea79a1f4fd7b05
SHA256 f2ebd490150d0435fcec2df65db36437d4fe79f55248e41e84e2c63d739f4a4f
SHA512 6aacaf22f5e8b7076ddc4b8d49ade264d4d284d22399c298ce9840f7f874422f3c4085898082fd25fa1a7c2a276196abcb41ea4e0f059ea47bde7735eee19066

C:\Users\Admin\Desktop\~$ConvertFromExpand.xlsx

MD5 ff09371174f7c701e75f357a187c06e8
SHA1 57f9a638fd652922d7eb23236c80055a91724503
SHA256 e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8
SHA512 e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

C:\Users\Admin\AppData\Local\Temp\VuK48T7f.xlsm

MD5 a7e9b45377d45b264b48ed341bead67d
SHA1 c18577bf2ef8d17c112730552972ee1bfbfa40b5
SHA256 b62834cc22c6a8a4bfd6494a8713c0c3a1ff4ea5f1827b9b27c043cd1a462fc4
SHA512 a5b00649727d34ec932076742a62931fe50b2f4939ed63f28abd126f9fec1aa5bf0b0ce5dd4d83437f32f59ac1d0b76d8c5ab4340550d754088beafdd9d2247a

C:\Users\Admin\AppData\Local\Temp\VuK48T7f.xlsm

MD5 a9532f5d0d062e72684fb9514b9e05c7
SHA1 70966e0b4a4776e42713081c902f9e234a518333
SHA256 d68756198adabae1ae7997538f533e4dfd77b76581bb0e7f890cfd5aaa8b59e8
SHA512 c6aebeb990f31f865acda024384941485fadcd4b7cc6fbffcf6ede90c41e7e6aab868d6ba7310b3be525b7f12a5d01168e88ce14d69e4e467eb74bf04f2a598c

memory/2388-143-0x000000005FFF0000-0x0000000060000000-memory.dmp

C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\read_it.txt

MD5 76e381f78e94c35d358a4fc048d3aa37
SHA1 361d4153f76f32d36c1edd3da27e59f41f7e2d0f
SHA256 db317b799b14715d1b26661dd60570faa3b5c377656d490cd2697f78271c413f
SHA512 ef1d2bd09d8e34eb6260d11a3ac821cdd1b6aa1dba0c8616cbed1d233979d39ceb00c369ccabb6630324ef0027a83b6b61729b2ed66d55bf249387782a1fe4e3

C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Command Prompt.lnk

MD5 d1457b72c3fb323a2671125aef3eab5d
SHA1 5bab61eb53176449e25c2c82f172b82cb13ffb9d
SHA256 8a8de823d5ed3e12746a62ef169bcf372be0ca44f0a1236abc35df05d96928e1
SHA512 ca63c07ad35d8c9fb0c92d6146759b122d4ec5d3f67ebe2f30ddb69f9e6c9fd3bf31a5e408b08f1d4d9cd68120cced9e57f010bef3cde97653fed5470da7d1a0

C:\Users\Admin\AppData\Roaming\ConvertSplit.mpg.zcso

MD5 0ee0646c1c77d8131cc8f4ee65c7673b
SHA1 dd5783bcf1e9002bc00ad5b83a95ed6e4ebb4ad5
SHA256 66840dda154e8a113c31dd0ad32f7f3a366a80e8136979d8f5a101d3d29d6f72
SHA512 1818cc2acd207880a07afc360fd0da87e51ccf17e7c604c4eb16be5788322724c298e1fcc66eb293926993141ef0863c09eda383188cf5df49b910aacac17ec5

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1bogwdvw.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite.d8ah

MD5 1fdfbf46e7f37b90383e0b92a302a34f
SHA1 fdaf14775437f4aada02c3a09af796e810deb667
SHA256 ad45cb8cfdc8f5d4dc946c381988b37fbd30b3ebe587c8faf7de866d172cc812
SHA512 4283fbcf4b55f3f2dc6a12c37da44cf5d5338a74c886e8a7c8337d091921591691993d9e4855b0c49c4d1fb2bd6d8a72331205cace04d3a634ef2ec14a1f48d1

memory/2732-1379-0x0000000000400000-0x0000000000545000-memory.dmp

memory/2732-1380-0x0000000000400000-0x0000000000545000-memory.dmp

memory/2732-1415-0x0000000000400000-0x0000000000545000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-16 11:19

Reported

2024-09-16 11:21

Platform

win10v2004-20240802-en

Max time kernel

141s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe"

Signatures

Chaos

ransomware chaos

Chaos Ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Deletes shadow copies

ransomware defense_evasion impact execution

Modifies boot configuration data using bcdedit

ransomware evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Deletes backup catalog

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\wbadmin.exe N/A

Disables Task Manager via registry modification

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation C:\ProgramData\Synaptics\Synaptics.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\read_it.txt C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\????? = "C:\\ProgramData\\Synaptics\\Synaptics.exe" C:\Users\Admin\AppData\Local\Temp\2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UpdateTask = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe" C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-656926755-4116854191-210765258-1000\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Application Shortcuts\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\AccountPictures\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Libraries\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Music\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Documents\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn1\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Videos\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Desktop\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Downloads\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\Pictures\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn2\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Public\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Default\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pcx4l1o6e.jpg" C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\Synaptics\Synaptics.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 C:\Windows\System32\vds.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName C:\Windows\System32\vds.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 C:\Windows\System32\vds.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\vssadmin.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\ProgramData\Synaptics\Synaptics.exe N/A
Key created \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbengine.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbengine.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2740 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe C:\Users\Admin\AppData\Local\Temp\._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe
PID 2740 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe C:\Users\Admin\AppData\Local\Temp\._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe
PID 2740 wrote to memory of 4696 N/A C:\Users\Admin\AppData\Local\Temp\2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 2740 wrote to memory of 4696 N/A C:\Users\Admin\AppData\Local\Temp\2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 2740 wrote to memory of 4696 N/A C:\Users\Admin\AppData\Local\Temp\2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 4696 wrote to memory of 4020 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 4696 wrote to memory of 4020 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 4020 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 4020 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2636 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 2636 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 1652 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\cmd.exe
PID 1652 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\cmd.exe
PID 1612 wrote to memory of 2036 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1612 wrote to memory of 2036 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\vssadmin.exe
PID 1612 wrote to memory of 4352 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1612 wrote to memory of 4352 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1652 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\cmd.exe
PID 1652 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\cmd.exe
PID 4796 wrote to memory of 1624 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4796 wrote to memory of 1624 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4796 wrote to memory of 4848 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 4796 wrote to memory of 4848 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\bcdedit.exe
PID 1652 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\cmd.exe
PID 1652 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\System32\cmd.exe
PID 4036 wrote to memory of 4704 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 4036 wrote to memory of 4704 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\wbadmin.exe
PID 1652 wrote to memory of 3508 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\system32\NOTEPAD.EXE
PID 1652 wrote to memory of 3508 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Windows\system32\NOTEPAD.EXE

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe

"C:\Users\Admin\AppData\Local\Temp\2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe"

C:\Users\Admin\AppData\Local\Temp\._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe"

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe"

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete

C:\Windows\system32\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} bootstatuspolicy ignoreallfailures

C:\Windows\system32\bcdedit.exe

bcdedit /set {default} recoveryenabled no

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet

C:\Windows\system32\wbadmin.exe

wbadmin delete catalog -quiet

C:\Windows\system32\wbengine.exe

"C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe

C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe

C:\Windows\System32\vds.exe

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 46.28.109.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 xred.mooo.com udp
US 8.8.8.8:53 freedns.afraid.org udp
US 69.42.215.252:80 freedns.afraid.org tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 252.215.42.69.in-addr.arpa udp
US 8.8.8.8:53 26.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 docs.google.com udp
GB 142.250.187.238:443 docs.google.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.179.227:80 c.pki.goog tcp
US 8.8.8.8:53 o.pki.goog udp
GB 142.250.179.227:80 o.pki.goog tcp
US 8.8.8.8:53 drive.usercontent.google.com udp
GB 142.250.179.225:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 238.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 227.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 225.179.250.142.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\._cache_2024-09-16_8728ba233fcb020a6a2eaabb90df630c_darkgate_wannacry.exe

MD5 e7d91103647b76f121b854fe806f80e2
SHA1 e6adca5f83dfb2cca099cf18d6960d422b82bb9e
SHA256 04ed744d9643830fc5f0499203a6fde506b5f2c89868695bfe179a8edb3b28c0
SHA512 69dc672bfe3a89ebe71b8041159afab0231701ea59438feb1f000ddddf52627c1f7c6f36bd8c2f77f037dd2659e6ef8f27db283476dae228522051659f2f67b0

C:\ProgramData\Synaptics\Synaptics.exe

MD5 8728ba233fcb020a6a2eaabb90df630c
SHA1 c6dc576f2e0423e8a0f36bba51fa7c65e1e281e7
SHA256 b15052d17afc1a01e83cdc0624dd268838237f8cd66fa12c56706bdee8a61286
SHA512 24e494c64647794fc9aa91da6975117d27984b4bb21859dbf0c60faba5b7f0ec26c26ebbe1ad57f185e1d7ecd4b797d530639d287456ac9bc2930a111fd4613a

C:\Users\Admin\AppData\Local\Temp\8UP7DNcI.xlsm

MD5 e566fc53051035e1e6fd0ed1823de0f9
SHA1 00bc96c48b98676ecd67e81a6f1d7754e4156044
SHA256 8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15
SHA512 a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

C:\Users\Admin\AppData\Local\Temp\2AD75E00

MD5 8566f7724f4d848fd3fc6c6b688d369d
SHA1 5037dc0ff48d6a90e9996da0d73e668281208bd3
SHA256 1afbf8ce4a65b546e80f9db40bfeae4ce0432f65f7ca8ba9966e2d005c5323b8
SHA512 52b85ddf4d8c344007d59e00e18adc6cbb28e3f070a85c5993b30404f2600fbdb57ceffacfef69a71a23491a5efbde44e250f0ede9275df774187de571ae4629

C:\Users\Admin\AppData\Local\read_it.txt

MD5 76e381f78e94c35d358a4fc048d3aa37
SHA1 361d4153f76f32d36c1edd3da27e59f41f7e2d0f
SHA256 db317b799b14715d1b26661dd60570faa3b5c377656d490cd2697f78271c413f
SHA512 ef1d2bd09d8e34eb6260d11a3ac821cdd1b6aa1dba0c8616cbed1d233979d39ceb00c369ccabb6630324ef0027a83b6b61729b2ed66d55bf249387782a1fe4e3

C:\Users\Admin\Desktop\CompressEdit.cmd

MD5 d1457b72c3fb323a2671125aef3eab5d
SHA1 5bab61eb53176449e25c2c82f172b82cb13ffb9d
SHA256 8a8de823d5ed3e12746a62ef169bcf372be0ca44f0a1236abc35df05d96928e1
SHA512 ca63c07ad35d8c9fb0c92d6146759b122d4ec5d3f67ebe2f30ddb69f9e6c9fd3bf31a5e408b08f1d4d9cd68120cced9e57f010bef3cde97653fed5470da7d1a0

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost.exe.log

MD5 baf55b95da4a601229647f25dad12878
SHA1 abc16954ebfd213733c4493fc1910164d825cac8
SHA256 ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA512 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

C:\Users\Admin\AppData\Local\Temp\~$8UP7DNcI.xlsm

MD5 ff09371174f7c701e75f357a187c06e8
SHA1 57f9a638fd652922d7eb23236c80055a91724503
SHA256 e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8
SHA512 e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite.ha2r

MD5 f5c319fe433d56b004bd6a86ebadd8cb
SHA1 65340049894b968c737f0d0dfc654520a8ee8a53
SHA256 e5335c78c82d635749698e372a910e7c95d0b4e27c321c54a6dc9f2b1e4157bb
SHA512 bab369338c699b9dbbffdc1e66343aedb415f4c5a2d2bc653646175ca80b1dd4a417811706c18237e99f96e816c7cefc04157fd2ec8aff18636855469bf54b87
