wannacry | e3e2b21dee0127cb9ea06ae7184665284d36413d38146c252bf6fd8812e600ae

Analysis

max time kernel
336s
max time network
352s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
26-06-2024 04:53

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

LDPlayer9_vn_1003_CjwKCAjw1emzBhB8EiwAHwZZxWtNl3IEA0x9sc31PjIzcdYfkNjH0wcWdDj2avCzD0lx7NJQYWFR7RoCn4kQAvD_BwE_ld.exe
Size

12.3MB
MD5

757987a8437039276dad42102cba8f23
SHA1

9a1ba7bdf9ecc849525bb099bbd9d277dd46da15
SHA256

e3e2b21dee0127cb9ea06ae7184665284d36413d38146c252bf6fd8812e600ae
SHA512

9ebab1a503184ce029c319413c4c0698ee3ae0a71d3363f191b3464f7ab7b35d561c36489478bb481c734974ff3f469f4e3d5e0c553c7af88341dc2950af19a6
SSDEEP

393216:nBHhaxbxp41TXj2w5311sHznZc+TEI4gw6:B8bxWT6w5AbZbTNC

Score

10^/10

wannacry bootkit defense_evasion discovery execution exploit impact persistence privilege_escalation ransomware worm

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\Ransomware.WannaCry\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Manipulates Digital Signatures 1 TTPs 64 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

Processes:

regsvr32.exeregsvr32.exeregsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$Function = "SoftpubCleanup"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubInitialize"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}\FuncName = "CryptSIPRemoveSignedDataMsg"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$Function = "SoftpubCleanup"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2009\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2006\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.12.2.3\FuncName = "WVTAsn1CatMemberInfo2Decode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function = "HTTPSFinalProv"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllRemoveSignedDataMsg\{DE351A42-8E59-11D0-8C47-00C04FC295EE}\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{189A3842-3041-11D1-85E1-00C04FC295EE}\$Function = "SoftpubAuthenticode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubCheckCert"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\2.16.840.1.113730.4.1\CallbackAllocFunction = "SoftpubLoadDefUsageCallData"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.26\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.16.4\FuncName = "DecodeRecipientID"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{DE351A42-8E59-11D0-8C47-00C04FC295EE}\FuncName = "CryptSIPCreateIndirectData"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{189A3842-3041-11D1-85E1-00C04FC295EE}\$Function = "SoftpubLoadMessage"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.4.3\FuncName = "WVTAsn1SealingSignatureAttributeDecode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$Function = "SoftpubLoadMessage"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$Function = "SoftpubCheckCert"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{189A3842-3041-11D1-85E1-00C04FC295EE}\$Function = "SoftpubAuthenticode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllFormatObject\1.3.6.1.5.5.7.3.4\FuncName = "FormatPKIXEmailProtection"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{189A3842-3041-11D1-85E1-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2011\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.4.1.311.10.3.3\CallbackFreeFunction = "SoftpubFreeDefUsageCallData"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$Function = "WintrustCertificateTrust"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$Function = "SoftpubLoadSignature"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE}\FuncName = "CryptSIPPutSignedDataMsg"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllCreateIndirectData\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE}\FuncName = "CryptSIPCreateIndirectData"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{7801EBD0-CF4B-11D0-851F-0060979387EA}\$DLL = "Cryptdlg.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2130\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{DE351A42-8E59-11D0-8C47-00C04FC295EE}\FuncName = "CryptSIPPutSignedDataMsg"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\CRYPTOGRAPHY\OID\ENCODINGTYPE 0\CRYPTSIPDLLGETCAPS\{C689AAB9-8E78-11D0-8C47-00C04FC295EE}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllPutSignedDataMsg\{9BA61D3F-E73A-11D0-8CD2-00C04FC295EE}\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.4.3\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.16.1.1\Dll = "cryptdlg.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function = "WintrustCertificateTrust"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$Function = "SoftpubLoadSignature"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$Function = "SoftpubLoadSignature"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{FC451C16-AC75-11D1-B4B8-00C04FB66EA0}\$Function = "SoftpubCheckCert"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.26\FuncName = "WVTAsn1SpcMinimalCriteriaInfoEncode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{00AAC56B-CD44-11D0-8CC2-00C04FC295EE}\$Function = "SoftpubLoadMessage"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\1.3.6.1.4.1.311.2.1.20\FuncName = "WVTAsn1SpcLinkDecode"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\1.3.6.1.5.5.7.3.1\CallbackFreeFunction = "SoftpubFreeDefUsageCallData"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\DiagnosticPolicy\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllDecodeObject\#2005\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Cleanup\{573E31F8-DDBA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.16.1.1\FuncName = "EncodeAttrSequence"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{64B9D180-8DA2-11CF-8736-00AA00A485EB}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{573E31F8-AABA-11D0-8CCB-00C04FC295EE}\$Function = "HTTPSFinalProv"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Message\{C6B2E8D0-E005-11CF-A134-00C04FD7BF43}\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Usages\2.16.840.1.113730.4.1\$DLL = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\1.3.6.1.4.1.311.2.1.28\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 1\CryptDllEncodeObject\#2221\Dll = "WINTRUST.DLL"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg\{C689AABA-8E78-11D0-8C47-00C04FC295EE}\FuncName = "CryptSIPGetSignedDataMsg"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\$Function = "DriverInitializePolicy"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{7801EBD0-CF4B-11D0-851F-0060979387EA}\$DLL = "Cryptdlg.dll"	regsvr32.exe

Possible privilege escalation attempt 7 IoCs
exploit

Processes:

icacls.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exe

pid process

2776 icacls.exe
4680 takeown.exe
2636 icacls.exe
3572 icacls.exe
4904 takeown.exe
1396 icacls.exe
2236 takeown.exe

pid	process
2776	icacls.exe
4680	takeown.exe
2636	icacls.exe
3572	icacls.exe
4904	takeown.exe
1396	icacls.exe
2236	takeown.exe

Drops startup file 2 IoCs

Processes:

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD4F9D.tmp	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD4FA4.tmp	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

Modifies file permissions 1 TTPs 7 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exe

pid process

3572 icacls.exe
4904 takeown.exe
1396 icacls.exe
2236 takeown.exe
2776 icacls.exe
4680 takeown.exe
2636 icacls.exe

pid	process
3572	icacls.exe
4904	takeown.exe
1396	icacls.exe
2236	takeown.exe
2776	icacls.exe
4680	takeown.exe
2636	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oiaderoeworuv893 = "\"C:\\Users\\Admin\\Downloads\\Ransomware.WannaCry\\tasksche.exe\""	reg.exe

Downloads MZ/PE file
File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

51 raw.githubusercontent.com
69 raw.githubusercontent.com
192 raw.githubusercontent.com
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

MEMZ.exe

description ioc process

File opened for modification \??\PhysicalDrive0 MEMZ.exe
Drops file in System32 directory 1 IoCs

Processes:

mmc.exe

description ioc process

File opened for modification C:\Windows\system32\diskmgmt.msc mmc.exe
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

flow	ioc
51	raw.githubusercontent.com
69	raw.githubusercontent.com
192	raw.githubusercontent.com

description	ioc	process
File opened for modification	\??\PhysicalDrive0	MEMZ.exe

description	ioc	process
File opened for modification	C:\Windows\system32\diskmgmt.msc	mmc.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe@[email protected]

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

Processes:

dnrepairer.exe

description	ioc	process
File created	C:\Program Files\ldplayer9box\VBoxC.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxVMM.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-file-l1-2-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\vccorlib140.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-file-l2-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-util-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\msvcp100.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\fastpipe2.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\driver-PreW10\Ld9BoxSup.sys	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxStubBld.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-profile-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\libssl-1_1.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxPlaygroundDevice.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-crt-time-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-console-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-processenvironment-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\Ld9BoxSup.inf	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\SDL.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\vbox-img.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-crt-heap-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-localization-l1-2-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\crashreport.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\vcruntime140.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-rtlsupport-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\msvcp120.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\msvcp140.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-crt-multibyte-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\ossltest.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\padlock.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-processthreads-l1-1-1.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\Qt5Core.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\Qt5Gui.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\USBUninstall.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxAutostartSvc.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\Ld9VirtualBox.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\tstSSLCertDownloads.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-crt-locale-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\padlock.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxGuestControlSvc.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-debug-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-core-memory-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-memory-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\capi.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\libcurl.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\api-ms-win-crt-environment-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\tstAnimate.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxDD.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxExtPackHelperApp.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxSDL.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\driver-PreW10\Ld9BoxSup.cat	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\driver-PreW10\Ld9BoxNetLwf.sys	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxSharedClipboard.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-file-l1-2-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\VBoxInstallHelper.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\bldRTLdrCheckImports.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\tstInt.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\tstVMREQ.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-synch-l1-2-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-core-string-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-crt-private-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\x86\api-ms-win-crt-runtime-l1-1-0.dll	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\comregister.cmd	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\NetFltUninstall.exe	dnrepairer.exe
File created	C:\Program Files\ldplayer9box\USBTest.exe	dnrepairer.exe

Drops file in Windows directory 2 IoCs

Processes:

dism.exedismhost.exe

description ioc process

File opened for modification C:\Windows\Logs\DISM\dism.log dism.exe
File opened for modification C:\Windows\Logs\DISM\dism.log dismhost.exe

description	ioc	process
File opened for modification	C:\Windows\Logs\DISM\dism.log	dism.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe

Executes dropped EXE 44 IoCs

Processes:

LDPlayer.exednrepairer.exedismhost.exeLd9BoxSVC.exedriverconfig.exednplayer.exeLd9BoxSVC.exevbox-img.exevbox-img.exevbox-img.exeLd9BoxHeadless.exeLd9BoxHeadless.exeLd9BoxHeadless.exeLd9BoxHeadless.exeLd9BoxHeadless.exetaskdl.exe@[email protected]@[email protected]taskhsvc.exetaskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exe

pid	process
4828	LDPlayer.exe
5040	dnrepairer.exe
3060	dismhost.exe
1060	Ld9BoxSVC.exe
4180	driverconfig.exe
2724	dnplayer.exe
3152	Ld9BoxSVC.exe
552	vbox-img.exe
4068	vbox-img.exe
5308	vbox-img.exe
5440	Ld9BoxHeadless.exe
5628	Ld9BoxHeadless.exe
5756	Ld9BoxHeadless.exe
5840	Ld9BoxHeadless.exe
5916	Ld9BoxHeadless.exe
3472	taskdl.exe
648	@[email protected]
5344	@[email protected]
5468	taskhsvc.exe
2280	taskdl.exe
1556	taskse.exe
1624	@[email protected]
1568	taskdl.exe
5860	taskse.exe
4616	@[email protected]
5720	taskse.exe
3456	@[email protected]
5676	taskdl.exe
3092	taskse.exe
720	@[email protected]
1396	taskdl.exe
1768	taskse.exe
2696	@[email protected]
5080	taskdl.exe
4912	taskse.exe
3648	@[email protected]
3804	taskdl.exe
6080	MEMZ.exe
4200	MEMZ.exe
5432	MEMZ.exe
3904	MEMZ.exe
3948	MEMZ.exe
2588	MEMZ.exe
1492	MEMZ.exe

Launches sc.exe 8 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

4936 sc.exe
4008 sc.exe
4780 sc.exe
4476 sc.exe
3952 sc.exe
4476 sc.exe
568 sc.exe
3760 sc.exe

pid	process
4936	sc.exe
4008	sc.exe
4780	sc.exe
4476	sc.exe
3952	sc.exe
4476	sc.exe
568	sc.exe
3760	sc.exe

Loads dropped DLL 64 IoCs

Processes:

dnrepairer.exedismhost.exeLd9BoxSVC.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exe

pid	process
5040	dnrepairer.exe
5040	dnrepairer.exe
5040	dnrepairer.exe
5040	dnrepairer.exe
3060	dismhost.exe
3060	dismhost.exe
3060	dismhost.exe
3060	dismhost.exe
3060	dismhost.exe
3060	dismhost.exe
3060	dismhost.exe
3060	dismhost.exe
3060	dismhost.exe
3060	dismhost.exe
3060	dismhost.exe
3060	dismhost.exe
3060	dismhost.exe
3060	dismhost.exe
3060	dismhost.exe
3060	dismhost.exe
3060	dismhost.exe
3060	dismhost.exe
3060	dismhost.exe
3060	dismhost.exe
3060	dismhost.exe
3060	dismhost.exe
3060	dismhost.exe
1060	Ld9BoxSVC.exe
1060	Ld9BoxSVC.exe
1060	Ld9BoxSVC.exe
1060	Ld9BoxSVC.exe
1060	Ld9BoxSVC.exe
1060	Ld9BoxSVC.exe
1060	Ld9BoxSVC.exe
1060	Ld9BoxSVC.exe
1060	Ld9BoxSVC.exe
1060	Ld9BoxSVC.exe
4804	regsvr32.exe
4804	regsvr32.exe
4804	regsvr32.exe
4804	regsvr32.exe
4804	regsvr32.exe
4804	regsvr32.exe
4804	regsvr32.exe
4804	regsvr32.exe
1036	regsvr32.exe
1036	regsvr32.exe
1036	regsvr32.exe
1036	regsvr32.exe
1036	regsvr32.exe
1036	regsvr32.exe
1036	regsvr32.exe
1036	regsvr32.exe
4688	regsvr32.exe
4688	regsvr32.exe
4688	regsvr32.exe
4688	regsvr32.exe
4688	regsvr32.exe
4688	regsvr32.exe
4688	regsvr32.exe
4688	regsvr32.exe
800	regsvr32.exe
800	regsvr32.exe
800	regsvr32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vds.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

dnplayer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	dnplayer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dnplayer.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exemsedge.exechrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

dnplayer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION	dnplayer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\ldnews.exe = "11001"	dnplayer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2394516847-3409208829-2230326962-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\dnplayer.exe = "11001"	dnplayer.exe

Modifies data under HKEY_USERS 3 IoCs

Processes:

chrome.exechrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133638513083733407"	chrome.exe

Modifies registry class 64 IoCs

Processes:

Ld9BoxSVC.exeregsvr32.exeregsvr32.exeLDPlayer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-3FF2-4F2E-8F09-07382EE25088}\TypeLib	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-4974-A19C-4DC6-CC98C2269626}\TypeLib\ = "{20191216-1750-46f0-936e-bd127d5bc264}"	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-E191-400B-840E-970F3DAD7296}\ = "IPCIAddress"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-08A2-41AF-A05F-D7C661ABAEBE}\TypeLib\ = "{20191216-1750-46f0-936e-bd127d5bc264}"	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-4430-499F-92C8-8BED814A567A}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-647D-45AC-8FE9-F49B3183BA37}\ = "IGuestSessionEvent"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-E8B8-4838-B10C-45BA193734C1}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-44E0-CA69-E9E0-D4907CECCBE5}\NumMethods\ = "35"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-3CF5-4C0A-BC90-9B8D4CC94D89}\TypeLib	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-4022-DC80-5535-6FB116815604}\TypeLib	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-CB63-47A1-84FB-02C4894B89A9}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-7BA7-45A8-B26D-C91AE3754E37}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-FD1C-411A-95C5-E9BB1414E632}\NumMethods\ = "23"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-2354-4267-883F-2F417D216519}\TypeLib\Version = "1.3"	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-7E67-4144-BF34-41C38E8B4CC7}\ = "IBIOSSettings"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-80F6-4266-8E20-16371F68FA25}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-CB63-47A1-84FB-02C4894B89A9}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-1640-41F9-BD74-3EF5FD653250}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-00A7-4104-0009-49BC00B2DA80}\TypeLib\ = "{20191216-1750-46f0-936e-bd127d5bc264}"	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-6588-40A3-9B0A-68C05BA52C4B}\ProxyStubClsid32	Ld9BoxSVC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-5FDC-4ABA-AFF5-6A39BBD7C38B}\ = "IHost"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-3FF2-4F2E-8F09-07382EE25088}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-7BA7-45A8-B26D-C91AE3754E37}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-929C-40E8-BF16-FEA557CD8E7E}\NumMethods\ = "115"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-F4F4-4DD0-9D30-C89B873247EC}\NumMethods\ = "18"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ldmnq.ldbk\DefaultIcon	LDPlayer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-CC7B-431B-98B2-951FDA8EAB89}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-58D9-43AE-8B03-C1FD7088EF15}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-7071-4894-93D6-DCBEC010FA91}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-799A-4489-86CD-FE8E45B2FF8E}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-81A9-4005-9D52-FC45A78BF3F5}\ = "IUSBDevice"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-35F3-4F4D-B5BB-ED0ECEFD8538}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-7966-481D-AB0B-D0ED73E28135}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-2F05-4D28-855F-488F96BAD2B2}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20191216-1807-4249-5BA5-EA42D66AF0BF}\InProcServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-787B-44AB-B343-A082A3F2DFB1}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-0721-4CDE-867C-1A82ABAF914C}\NumMethods\ = "15"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-CD54-400C-B858-797BCB82570E}\NumMethods\ = "25"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-44E0-CA69-E9E0-D4907CECCBE5}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-4737-457B-99FC-BC52C851A44F}\ = "IKeyboardLedsChangedEvent"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-4BA3-7903-2AA4-43988BA11554}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-2D12-4D7C-BA6D-CE51D0D5B265}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-0FF7-46B7-A138-3C6E5AC946B4}\TypeLib\Version = "1.3"	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-8F30-401B-A8CD-FE31DBE839C0}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-44A0-A470-BA20-27890B96DBA9}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-C8E9-466B-9660-45CB3E9979E4}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-3FF2-4F2E-8F09-07382EE25088}\TypeLib\ = "{20191216-1750-46f0-936e-bd127d5bc264}"	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-73A5-46CC-8227-93FE57D006A6}\NumMethods	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-F6D4-4AB6-9CBF-558EB8959A6A}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-7F29-4AAE-A627-5A282C83092C}\NumMethods\ = "19"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-1C58-440C-BB7B-3A1397284C7B}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ldbk	LDPlayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-7006-40D4-B339-472EE3801844}\NumMethods\ = "13"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-AC97-4C16-B3E2-81BD8A57CC27}\ProxyStubClsid32\ = "{20191216-1807-4249-5BA5-EA42D66AF0BF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-44A0-A470-BA20-27890B96DBA9}\TypeLib	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-6679-422A-B629-51B06B0C6D93}\TypeLib	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-34B8-42D3-ACFB-7E96DAF77C22}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-1F04-4191-AA2F-1FAC9646AE4C}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-DA7C-44C8-A7AC-9F173490446A}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-6588-40A3-9B0A-68C05BA52C4B}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{20191216-A1A9-4AC2-8E80-C049AF69DAC8}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-30E8-447E-99CB-E31BECAE6AE4}\TypeLib\ = "{20191216-1750-46f0-936e-bd127d5bc264}"	Ld9BoxSVC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-D545-44AA-8013-181B8C288554}\NumMethods	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20191216-CB8D-4382-90BA-B7DA78A74573}\ProxyStubClsid32	regsvr32.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

5268 reg.exe

pid	process
5268	reg.exe

NTFS ADS 2 IoCs

Processes:

chrome.exechrome.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Ransomware.WannaCry.zip:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\MEMZ.exe:Zone.Identifier	chrome.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exeLDPlayer9_vn_1003_CjwKCAjw1emzBhB8EiwAHwZZxWtNl3IEA0x9sc31PjIzcdYfkNjH0wcWdDj2avCzD0lx7NJQYWFR7RoCn4kQAvD_BwE_ld.exeLDPlayer.exednrepairer.exepowershell.exepowershell.exepowershell.exemsedge.exemsedge.exeidentity_helper.exemsedge.exetaskhsvc.exechrome.exeMEMZ.exe

pid	process
2684	chrome.exe
2684	chrome.exe
4284	LDPlayer9_vn_1003_CjwKCAjw1emzBhB8EiwAHwZZxWtNl3IEA0x9sc31PjIzcdYfkNjH0wcWdDj2avCzD0lx7NJQYWFR7RoCn4kQAvD_BwE_ld.exe
4284	LDPlayer9_vn_1003_CjwKCAjw1emzBhB8EiwAHwZZxWtNl3IEA0x9sc31PjIzcdYfkNjH0wcWdDj2avCzD0lx7NJQYWFR7RoCn4kQAvD_BwE_ld.exe
4828	LDPlayer.exe
4828	LDPlayer.exe
4828	LDPlayer.exe
4828	LDPlayer.exe
4828	LDPlayer.exe
4828	LDPlayer.exe
4828	LDPlayer.exe
4828	LDPlayer.exe
5040	dnrepairer.exe
5040	dnrepairer.exe
4680	powershell.exe
4680	powershell.exe
4680	powershell.exe
3528	powershell.exe
3528	powershell.exe
3528	powershell.exe
4656	powershell.exe
4656	powershell.exe
4656	powershell.exe
4828	LDPlayer.exe
4828	LDPlayer.exe
4284	LDPlayer9_vn_1003_CjwKCAjw1emzBhB8EiwAHwZZxWtNl3IEA0x9sc31PjIzcdYfkNjH0wcWdDj2avCzD0lx7NJQYWFR7RoCn4kQAvD_BwE_ld.exe
4284	LDPlayer9_vn_1003_CjwKCAjw1emzBhB8EiwAHwZZxWtNl3IEA0x9sc31PjIzcdYfkNjH0wcWdDj2avCzD0lx7NJQYWFR7RoCn4kQAvD_BwE_ld.exe
2868	msedge.exe
2868	msedge.exe
2364	msedge.exe
2364	msedge.exe
4432	identity_helper.exe
4432	identity_helper.exe
5856	msedge.exe
5856	msedge.exe
5468	taskhsvc.exe
5468	taskhsvc.exe
5468	taskhsvc.exe
5468	taskhsvc.exe
5468	taskhsvc.exe
5468	taskhsvc.exe
5780	chrome.exe
5780	chrome.exe
4200	MEMZ.exe
4200	MEMZ.exe
4200	MEMZ.exe
4200	MEMZ.exe
4200	MEMZ.exe
4200	MEMZ.exe
4200	MEMZ.exe
4200	MEMZ.exe
4200	MEMZ.exe
4200	MEMZ.exe
4200	MEMZ.exe
4200	MEMZ.exe
4200	MEMZ.exe
4200	MEMZ.exe
4200	MEMZ.exe
4200	MEMZ.exe
4200	MEMZ.exe
4200	MEMZ.exe
4200	MEMZ.exe
4200	MEMZ.exe
4200	MEMZ.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

dnplayer.exe

pid process

2724 dnplayer.exe
Suspicious behavior: LoadsDriver 6 IoCs

Processes:

pid process

652
652
652
652
652
652

pid	process
2724	dnplayer.exe

pid	process
652
652
652
652
652
652

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

Processes:

chrome.exemsedge.exechrome.exe

pid	process
2684	chrome.exe
2684	chrome.exe
2684	chrome.exe
2684	chrome.exe
2684	chrome.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exeLDPlayer.exe

description	pid	process
Token: SeShutdownPrivilege	2684	chrome.exe
Token: SeCreatePagefilePrivilege	2684	chrome.exe
Token: SeShutdownPrivilege	2684	chrome.exe
Token: SeCreatePagefilePrivilege	2684	chrome.exe
Token: SeShutdownPrivilege	2684	chrome.exe
Token: SeCreatePagefilePrivilege	2684	chrome.exe
Token: SeShutdownPrivilege	2684	chrome.exe
Token: SeCreatePagefilePrivilege	2684	chrome.exe
Token: SeShutdownPrivilege	2684	chrome.exe
Token: SeCreatePagefilePrivilege	2684	chrome.exe
Token: SeShutdownPrivilege	2684	chrome.exe
Token: SeCreatePagefilePrivilege	2684	chrome.exe
Token: SeShutdownPrivilege	2684	chrome.exe
Token: SeCreatePagefilePrivilege	2684	chrome.exe
Token: SeShutdownPrivilege	2684	chrome.exe
Token: SeCreatePagefilePrivilege	2684	chrome.exe
Token: SeShutdownPrivilege	2684	chrome.exe
Token: SeCreatePagefilePrivilege	2684	chrome.exe
Token: SeShutdownPrivilege	2684	chrome.exe
Token: SeCreatePagefilePrivilege	2684	chrome.exe
Token: SeShutdownPrivilege	2684	chrome.exe
Token: SeCreatePagefilePrivilege	2684	chrome.exe
Token: SeShutdownPrivilege	2684	chrome.exe
Token: SeCreatePagefilePrivilege	2684	chrome.exe
Token: SeShutdownPrivilege	2684	chrome.exe
Token: SeCreatePagefilePrivilege	2684	chrome.exe
Token: SeShutdownPrivilege	2684	chrome.exe
Token: SeCreatePagefilePrivilege	2684	chrome.exe
Token: SeShutdownPrivilege	2684	chrome.exe
Token: SeCreatePagefilePrivilege	2684	chrome.exe
Token: SeShutdownPrivilege	2684	chrome.exe
Token: SeCreatePagefilePrivilege	2684	chrome.exe
Token: SeShutdownPrivilege	2684	chrome.exe
Token: SeCreatePagefilePrivilege	2684	chrome.exe
Token: SeShutdownPrivilege	2684	chrome.exe
Token: SeCreatePagefilePrivilege	2684	chrome.exe
Token: SeShutdownPrivilege	2684	chrome.exe
Token: SeCreatePagefilePrivilege	2684	chrome.exe
Token: SeShutdownPrivilege	2684	chrome.exe
Token: SeCreatePagefilePrivilege	2684	chrome.exe
Token: SeShutdownPrivilege	2684	chrome.exe
Token: SeCreatePagefilePrivilege	2684	chrome.exe
Token: SeShutdownPrivilege	2684	chrome.exe
Token: SeCreatePagefilePrivilege	2684	chrome.exe
Token: SeShutdownPrivilege	2684	chrome.exe
Token: SeCreatePagefilePrivilege	2684	chrome.exe
Token: SeShutdownPrivilege	2684	chrome.exe
Token: SeCreatePagefilePrivilege	2684	chrome.exe
Token: SeShutdownPrivilege	2684	chrome.exe
Token: SeCreatePagefilePrivilege	2684	chrome.exe
Token: SeShutdownPrivilege	2684	chrome.exe
Token: SeCreatePagefilePrivilege	2684	chrome.exe
Token: SeTakeOwnershipPrivilege	4828	LDPlayer.exe
Token: SeDebugPrivilege	4828	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	4828	LDPlayer.exe
Token: SeDebugPrivilege	4828	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	4828	LDPlayer.exe
Token: SeDebugPrivilege	4828	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	4828	LDPlayer.exe
Token: SeDebugPrivilege	4828	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	4828	LDPlayer.exe
Token: SeDebugPrivilege	4828	LDPlayer.exe
Token: SeTakeOwnershipPrivilege	4828	LDPlayer.exe
Token: SeDebugPrivilege	4828	LDPlayer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exednplayer.exemsedge.exechrome.exe

pid	process
2684	chrome.exe
2684	chrome.exe
2684	chrome.exe
2684	chrome.exe
2684	chrome.exe
2684	chrome.exe
2684	chrome.exe
2684	chrome.exe
2684	chrome.exe
2684	chrome.exe
2684	chrome.exe
2684	chrome.exe
2684	chrome.exe
2684	chrome.exe
2684	chrome.exe
2684	chrome.exe
2684	chrome.exe
2684	chrome.exe
2684	chrome.exe
2684	chrome.exe
2684	chrome.exe
2684	chrome.exe
2684	chrome.exe
2684	chrome.exe
2684	chrome.exe
2684	chrome.exe
2684	chrome.exe
2684	chrome.exe
2684	chrome.exe
2684	chrome.exe
2684	chrome.exe
2684	chrome.exe
2684	chrome.exe
2724	dnplayer.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2684	chrome.exe
5780	chrome.exe
5780	chrome.exe
5780	chrome.exe

Suspicious use of SendNotifyMessage 25 IoCs

Processes:

chrome.exednplayer.exemsedge.exe

pid	process
2684	chrome.exe
2684	chrome.exe
2684	chrome.exe
2684	chrome.exe
2684	chrome.exe
2684	chrome.exe
2684	chrome.exe
2684	chrome.exe
2684	chrome.exe
2684	chrome.exe
2684	chrome.exe
2684	chrome.exe
2724	dnplayer.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe
2364	msedge.exe

Suspicious use of SetWindowsHookEx 23 IoCs

Processes:

@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]MiniSearchHost.exe@[email protected]mmc.exe@[email protected]@[email protected]MEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exe

pid	process
648	@[email protected]
648	@[email protected]
5344	@[email protected]
5344	@[email protected]
1624	@[email protected]
1624	@[email protected]
4616	@[email protected]
3456	@[email protected]
4660	MiniSearchHost.exe
720	@[email protected]
3472	mmc.exe
3472	mmc.exe
2696	@[email protected]
3648	@[email protected]
4200	MEMZ.exe
3948	MEMZ.exe
5432	MEMZ.exe
3904	MEMZ.exe
4200	MEMZ.exe
3948	MEMZ.exe
3904	MEMZ.exe
5432	MEMZ.exe
4200	MEMZ.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 2684 wrote to memory of 1980	2684	chrome.exe	chrome.exe
PID 2684 wrote to memory of 1980	2684	chrome.exe	chrome.exe
PID 2684 wrote to memory of 5064	2684	chrome.exe	chrome.exe
PID 2684 wrote to memory of 5064	2684	chrome.exe	chrome.exe
PID 2684 wrote to memory of 5064	2684	chrome.exe	chrome.exe
PID 2684 wrote to memory of 5064	2684	chrome.exe	chrome.exe
PID 2684 wrote to memory of 5064	2684	chrome.exe	chrome.exe
PID 2684 wrote to memory of 5064	2684	chrome.exe	chrome.exe
PID 2684 wrote to memory of 5064	2684	chrome.exe	chrome.exe
PID 2684 wrote to memory of 5064	2684	chrome.exe	chrome.exe
PID 2684 wrote to memory of 5064	2684	chrome.exe	chrome.exe
PID 2684 wrote to memory of 5064	2684	chrome.exe	chrome.exe
PID 2684 wrote to memory of 5064	2684	chrome.exe	chrome.exe
PID 2684 wrote to memory of 5064	2684	chrome.exe	chrome.exe
PID 2684 wrote to memory of 5064	2684	chrome.exe	chrome.exe
PID 2684 wrote to memory of 5064	2684	chrome.exe	chrome.exe
PID 2684 wrote to memory of 5064	2684	chrome.exe	chrome.exe
PID 2684 wrote to memory of 5064	2684	chrome.exe	chrome.exe
PID 2684 wrote to memory of 5064	2684	chrome.exe	chrome.exe
PID 2684 wrote to memory of 5064	2684	chrome.exe	chrome.exe
PID 2684 wrote to memory of 5064	2684	chrome.exe	chrome.exe
PID 2684 wrote to memory of 5064	2684	chrome.exe	chrome.exe
PID 2684 wrote to memory of 5064	2684	chrome.exe	chrome.exe
PID 2684 wrote to memory of 5064	2684	chrome.exe	chrome.exe
PID 2684 wrote to memory of 5064	2684	chrome.exe	chrome.exe
PID 2684 wrote to memory of 5064	2684	chrome.exe	chrome.exe
PID 2684 wrote to memory of 5064	2684	chrome.exe	chrome.exe
PID 2684 wrote to memory of 5064	2684	chrome.exe	chrome.exe
PID 2684 wrote to memory of 5064	2684	chrome.exe	chrome.exe
PID 2684 wrote to memory of 5064	2684	chrome.exe	chrome.exe
PID 2684 wrote to memory of 5064	2684	chrome.exe	chrome.exe
PID 2684 wrote to memory of 5064	2684	chrome.exe	chrome.exe
PID 2684 wrote to memory of 5064	2684	chrome.exe	chrome.exe
PID 2684 wrote to memory of 1616	2684	chrome.exe	chrome.exe
PID 2684 wrote to memory of 1616	2684	chrome.exe	chrome.exe
PID 2684 wrote to memory of 3480	2684	chrome.exe	chrome.exe
PID 2684 wrote to memory of 3480	2684	chrome.exe	chrome.exe
PID 2684 wrote to memory of 3480	2684	chrome.exe	chrome.exe
PID 2684 wrote to memory of 3480	2684	chrome.exe	chrome.exe
PID 2684 wrote to memory of 3480	2684	chrome.exe	chrome.exe
PID 2684 wrote to memory of 3480	2684	chrome.exe	chrome.exe
PID 2684 wrote to memory of 3480	2684	chrome.exe	chrome.exe
PID 2684 wrote to memory of 3480	2684	chrome.exe	chrome.exe
PID 2684 wrote to memory of 3480	2684	chrome.exe	chrome.exe
PID 2684 wrote to memory of 3480	2684	chrome.exe	chrome.exe
PID 2684 wrote to memory of 3480	2684	chrome.exe	chrome.exe
PID 2684 wrote to memory of 3480	2684	chrome.exe	chrome.exe
PID 2684 wrote to memory of 3480	2684	chrome.exe	chrome.exe
PID 2684 wrote to memory of 3480	2684	chrome.exe	chrome.exe
PID 2684 wrote to memory of 3480	2684	chrome.exe	chrome.exe
PID 2684 wrote to memory of 3480	2684	chrome.exe	chrome.exe
PID 2684 wrote to memory of 3480	2684	chrome.exe	chrome.exe
PID 2684 wrote to memory of 3480	2684	chrome.exe	chrome.exe
PID 2684 wrote to memory of 3480	2684	chrome.exe	chrome.exe
PID 2684 wrote to memory of 3480	2684	chrome.exe	chrome.exe
PID 2684 wrote to memory of 3480	2684	chrome.exe	chrome.exe
PID 2684 wrote to memory of 3480	2684	chrome.exe	chrome.exe
PID 2684 wrote to memory of 3480	2684	chrome.exe	chrome.exe
PID 2684 wrote to memory of 3480	2684	chrome.exe	chrome.exe
PID 2684 wrote to memory of 3480	2684	chrome.exe	chrome.exe
PID 2684 wrote to memory of 3480	2684	chrome.exe	chrome.exe
PID 2684 wrote to memory of 3480	2684	chrome.exe	chrome.exe
PID 2684 wrote to memory of 3480	2684	chrome.exe	chrome.exe
PID 2684 wrote to memory of 3480	2684	chrome.exe	chrome.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

5440 attrib.exe
5868 attrib.exe

pid	process
5440	attrib.exe
5868	attrib.exe

C:\Users\Admin\AppData\Local\Temp\LDPlayer9_vn_1003_CjwKCAjw1emzBhB8EiwAHwZZxWtNl3IEA0x9sc31PjIzcdYfkNjH0wcWdDj2avCzD0lx7NJQYWFR7RoCn4kQAvD_BwE_ld.exe
"C:\Users\Admin\AppData\Local\Temp\LDPlayer9_vn_1003_CjwKCAjw1emzBhB8EiwAHwZZxWtNl3IEA0x9sc31PjIzcdYfkNjH0wcWdDj2avCzD0lx7NJQYWFR7RoCn4kQAvD_BwE_ld.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4284

C:\LDPlayer\LDPlayer9\LDPlayer.exe
"C:\LDPlayer\LDPlayer9\\LDPlayer.exe" -silence -downloader -openid=1003 -language=vn -path="C:\LDPlayer\LDPlayer9\" -googleid=CjwKCAjw1emzBhB8EiwAHwZZxWtNl3IEA0x9sc31PjIzcdYfkNjH0wcWdDj2avCzD0lx7NJQYWFR7RoCn4kQAvD_BwE
2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4828

C:\LDPlayer\LDPlayer9\dnrepairer.exe
"C:\LDPlayer\LDPlayer9\dnrepairer.exe" listener=524666
3⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:5040

C:\Windows\SysWOW64\net.exe
"net" start cryptsvc
4⤵
PID:2832

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start cryptsvc
5⤵
PID:5112

C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" Softpub.dll /s
4⤵
- Manipulates Digital Signatures
PID:2408

C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" Wintrust.dll /s
4⤵
- Manipulates Digital Signatures
PID:1984

C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" Initpki.dll /s
4⤵
PID:1060

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\system32\regsvr32" Initpki.dll /s
4⤵
PID:1444

C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" dssenh.dll /s
4⤵
PID:3892

C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" rsaenh.dll /s
4⤵
PID:3792

C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" cryptdlg.dll /s
4⤵
- Manipulates Digital Signatures
PID:4024

C:\Windows\SysWOW64\takeown.exe
"takeown" /f "C:\LDPlayer\LDPlayer9\vms" /r /d y
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4904

C:\Windows\SysWOW64\icacls.exe
"icacls" "C:\LDPlayer\LDPlayer9\vms" /grant everyone:F /t
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1396

C:\Windows\SysWOW64\takeown.exe
"takeown" /f "C:\LDPlayer\LDPlayer9\\system.vmdk"
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2236

C:\Windows\SysWOW64\icacls.exe
"icacls" "C:\LDPlayer\LDPlayer9\\system.vmdk" /grant everyone:F /t
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2776

C:\Windows\SysWOW64\dism.exe
C:\Windows\system32\dism.exe /Online /English /Get-Features
4⤵
- Drops file in Windows directory
PID:4436

C:\Users\Admin\AppData\Local\Temp\16920458-8FA5-442C-9C8D-D76D91F76D3F\dismhost.exe
C:\Users\Admin\AppData\Local\Temp\16920458-8FA5-442C-9C8D-D76D91F76D3F\dismhost.exe {D5578CBD-A9FB-43D7-BED2-B01977BCAA50}
5⤵
- Drops file in Windows directory
- Executes dropped EXE
- Loads dropped DLL
PID:3060

C:\Windows\SysWOW64\sc.exe
sc query HvHost
4⤵
- Launches sc.exe
PID:4476

C:\Windows\SysWOW64\sc.exe
sc query vmms
4⤵
- Launches sc.exe
PID:568

C:\Windows\SysWOW64\sc.exe
sc query vmcompute
4⤵
- Launches sc.exe
PID:3760

C:\Program Files\ldplayer9box\Ld9BoxSVC.exe
"C:\Program Files\ldplayer9box\Ld9BoxSVC.exe" /RegServer
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1060

C:\Windows\SYSTEM32\regsvr32.exe
"regsvr32" "C:\Program Files\ldplayer9box\VBoxC.dll" /s
4⤵
- Loads dropped DLL
PID:4804

C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" "C:\Program Files\ldplayer9box\x86\VBoxClient-x86.dll" /s
4⤵
- Loads dropped DLL
PID:1036

C:\Windows\SYSTEM32\regsvr32.exe
"regsvr32" "C:\Program Files\ldplayer9box\VBoxProxyStub.dll" /s
4⤵
- Loads dropped DLL
- Modifies registry class
PID:4688

C:\Windows\SysWOW64\regsvr32.exe
"regsvr32" "C:\Program Files\ldplayer9box\x86\VBoxProxyStub-x86.dll" /s
4⤵
- Loads dropped DLL
- Modifies registry class
PID:800

C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc" create Ld9BoxSup binPath= "C:\Program Files\ldplayer9box\Ld9BoxSup.sys" type= kernel start= auto
4⤵
- Launches sc.exe
PID:4936

C:\Windows\SysWOW64\sc.exe
"C:\Windows\system32\sc" start Ld9BoxSup
4⤵
- Launches sc.exe
PID:4008

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" New-NetFirewallRule -DisplayName "Ld9BoxSup" -Direction Inbound -Program 'C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe' -RemoteAddress LocalSubnet -Action Allow
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:4680

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" New-NetFirewallRule -DisplayName "Ld9BoxNat" -Direction Inbound -Program 'C:\Program Files\ldplayer9box\VBoxNetNAT.exe' -RemoteAddress LocalSubnet -Action Allow
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:3528

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" New-NetFirewallRule -DisplayName "dnplayer" -Direction Inbound -Program 'C:\LDPlayer\LDPlayer9\dnplayer.exe' -RemoteAddress LocalSubnet -Action Allow
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:4656

C:\LDPlayer\LDPlayer9\driverconfig.exe
"C:\LDPlayer\LDPlayer9\driverconfig.exe"
3⤵
- Executes dropped EXE
PID:4180

C:\Windows\SysWOW64\takeown.exe
"takeown" /f C:\LDPlayer\ldmutiplayer\ /r /d y
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4680

C:\Windows\SysWOW64\icacls.exe
"icacls" C:\LDPlayer\ldmutiplayer\ /grant everyone:F /t
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/vn.ldplayer
2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2364

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff7ff33cb8,0x7fff7ff33cc8,0x7fff7ff33cd8
3⤵
PID:956

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2012,18082489614307061864,8724572083196805793,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2020 /prefetch:2
3⤵
PID:4816

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2012,18082489614307061864,8724572083196805793,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2012,18082489614307061864,8724572083196805793,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1972 /prefetch:8
3⤵
PID:5164

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,18082489614307061864,8724572083196805793,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
3⤵
PID:5484

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,18082489614307061864,8724572083196805793,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
3⤵
PID:5492

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2012,18082489614307061864,8724572083196805793,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4840 /prefetch:1
3⤵
PID:5824

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2012,18082489614307061864,8724572083196805793,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4664 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4432

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2012,18082489614307061864,8724572083196805793,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4628 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5856

C:\LDPlayer\LDPlayer9\dnplayer.exe
"C:\LDPlayer\LDPlayer9\\dnplayer.exe"
2⤵
- Executes dropped EXE
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2724

C:\Windows\SysWOW64\sc.exe
sc query HvHost
3⤵
- Launches sc.exe
PID:4780

C:\Windows\SysWOW64\sc.exe
sc query vmms
3⤵
- Launches sc.exe
PID:4476

C:\Windows\SysWOW64\sc.exe
sc query vmcompute
3⤵
- Launches sc.exe
PID:3952

C:\Program Files\ldplayer9box\vbox-img.exe
"C:\Program Files\ldplayer9box\vbox-img.exe" setuuid --filename "C:\LDPlayer\LDPlayer9\vms\..\system.vmdk" --uuid 20160302-bbbb-bbbb-0eee-bbbb00000000
3⤵
- Executes dropped EXE
PID:552

C:\Program Files\ldplayer9box\vbox-img.exe
"C:\Program Files\ldplayer9box\vbox-img.exe" setuuid --filename "C:\LDPlayer\LDPlayer9\vms\leidian0\data.vmdk" --uuid 20160302-cccc-cccc-0eee-000000000000
3⤵
- Executes dropped EXE
PID:4068

C:\Program Files\ldplayer9box\vbox-img.exe
"C:\Program Files\ldplayer9box\vbox-img.exe" setuuid --filename "C:\LDPlayer\LDPlayer9\vms\leidian0\sdcard.vmdk" --uuid 20160302-dddd-dddd-0eee-000000000000
3⤵
- Executes dropped EXE
PID:5308

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2684

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff82d3ab58,0x7fff82d3ab68,0x7fff82d3ab78
2⤵
PID:1980

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1500 --field-trial-handle=1800,i,5789875336623999582,9270191431281300053,131072 /prefetch:2
2⤵
PID:5064

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2040 --field-trial-handle=1800,i,5789875336623999582,9270191431281300053,131072 /prefetch:8
2⤵
PID:1616

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2176 --field-trial-handle=1800,i,5789875336623999582,9270191431281300053,131072 /prefetch:8
2⤵
PID:3480

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3032 --field-trial-handle=1800,i,5789875336623999582,9270191431281300053,131072 /prefetch:1
2⤵
PID:1536

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3060 --field-trial-handle=1800,i,5789875336623999582,9270191431281300053,131072 /prefetch:1
2⤵
PID:5100

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4268 --field-trial-handle=1800,i,5789875336623999582,9270191431281300053,131072 /prefetch:1
2⤵
PID:4952

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4116 --field-trial-handle=1800,i,5789875336623999582,9270191431281300053,131072 /prefetch:8
2⤵
PID:4268

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4160 --field-trial-handle=1800,i,5789875336623999582,9270191431281300053,131072 /prefetch:8
2⤵
PID:4692

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4624 --field-trial-handle=1800,i,5789875336623999582,9270191431281300053,131072 /prefetch:8
2⤵
PID:4732

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4700 --field-trial-handle=1800,i,5789875336623999582,9270191431281300053,131072 /prefetch:8
2⤵
PID:2776

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4576 --field-trial-handle=1800,i,5789875336623999582,9270191431281300053,131072 /prefetch:8
2⤵
PID:2408

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4124 --field-trial-handle=1800,i,5789875336623999582,9270191431281300053,131072 /prefetch:1
2⤵
PID:3520

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3320 --field-trial-handle=1800,i,5789875336623999582,9270191431281300053,131072 /prefetch:1
2⤵
PID:2828

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2484 --field-trial-handle=1800,i,5789875336623999582,9270191431281300053,131072 /prefetch:8
2⤵
PID:3672

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3028 --field-trial-handle=1800,i,5789875336623999582,9270191431281300053,131072 /prefetch:8
2⤵
- NTFS ADS
PID:4688

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3464

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2756

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004F0 0x00000000000004EC
1⤵
PID:1712

C:\Program Files\ldplayer9box\Ld9BoxSVC.exe
"C:\Program Files\ldplayer9box\Ld9BoxSVC.exe" -Embedding
1⤵
- Executes dropped EXE
- Modifies registry class
PID:3152

C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
2⤵
- Executes dropped EXE
PID:5440

C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
2⤵
- Executes dropped EXE
PID:5628

C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
2⤵
- Executes dropped EXE
PID:5756

C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
2⤵
- Executes dropped EXE
PID:5840

C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe
"C:\Program Files\ldplayer9box\Ld9BoxHeadless.exe" --comment leidian0 --startvm 20160302-aaaa-aaaa-0eee-000000000000 --vrde config
2⤵
- Executes dropped EXE
PID:5916

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5148

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5248

C:\Users\Admin\Downloads\Ransomware.WannaCry\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
"C:\Users\Admin\Downloads\Ransomware.WannaCry\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe"
1⤵
- Drops startup file
- Sets desktop wallpaper using registry
PID:5192

C:\Windows\SysWOW64\attrib.exe
attrib +h .
2⤵
- Views/modifies file attributes
PID:5440

C:\Windows\SysWOW64\icacls.exe
icacls . /grant Everyone:F /T /C /Q
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3572

C:\Users\Admin\Downloads\Ransomware.WannaCry\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:3472

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 213581719377793.bat
2⤵
PID:5960

C:\Windows\SysWOW64\cscript.exe
cscript.exe //nologo m.vbs
3⤵
PID:5748

C:\Windows\SysWOW64\attrib.exe
attrib +h +s F:\$RECYCLE
2⤵
- Views/modifies file attributes
PID:5868

C:\Users\Admin\Downloads\Ransomware.WannaCry\@[email protected]
@[email protected] co
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:648

C:\Users\Admin\Downloads\Ransomware.WannaCry\TaskData\Tor\taskhsvc.exe
TaskData\Tor\taskhsvc.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:5468

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /b @[email protected] vs
2⤵
PID:6128

C:\Users\Admin\Downloads\Ransomware.WannaCry\@[email protected]
@[email protected] vs
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5344

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
4⤵
PID:1920

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
5⤵
PID:5592

C:\Users\Admin\Downloads\Ransomware.WannaCry\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:2280

C:\Users\Admin\Downloads\Ransomware.WannaCry\taskse.exe
taskse.exe C:\Users\Admin\Downloads\Ransomware.WannaCry\@[email protected]
2⤵
- Executes dropped EXE
PID:1556

C:\Users\Admin\Downloads\Ransomware.WannaCry\@[email protected]
@[email protected]
2⤵
- Sets desktop wallpaper using registry
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1624

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "oiaderoeworuv893" /t REG_SZ /d "\"C:\Users\Admin\Downloads\Ransomware.WannaCry\tasksche.exe\"" /f
2⤵
PID:5128

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "oiaderoeworuv893" /t REG_SZ /d "\"C:\Users\Admin\Downloads\Ransomware.WannaCry\tasksche.exe\"" /f
3⤵
- Adds Run key to start application
- Modifies registry key
PID:5268

C:\Users\Admin\Downloads\Ransomware.WannaCry\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:1568

C:\Users\Admin\Downloads\Ransomware.WannaCry\taskse.exe
taskse.exe C:\Users\Admin\Downloads\Ransomware.WannaCry\@[email protected]
2⤵
- Executes dropped EXE
PID:5860

C:\Users\Admin\Downloads\Ransomware.WannaCry\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4616

C:\Users\Admin\Downloads\Ransomware.WannaCry\taskse.exe
taskse.exe C:\Users\Admin\Downloads\Ransomware.WannaCry\@[email protected]
2⤵
- Executes dropped EXE
PID:5720

C:\Users\Admin\Downloads\Ransomware.WannaCry\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3456

C:\Users\Admin\Downloads\Ransomware.WannaCry\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:5676

C:\Users\Admin\Downloads\Ransomware.WannaCry\taskse.exe
taskse.exe C:\Users\Admin\Downloads\Ransomware.WannaCry\@[email protected]
2⤵
- Executes dropped EXE
PID:3092

C:\Users\Admin\Downloads\Ransomware.WannaCry\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:720

C:\Users\Admin\Downloads\Ransomware.WannaCry\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:1396

C:\Users\Admin\Downloads\Ransomware.WannaCry\taskse.exe
taskse.exe C:\Users\Admin\Downloads\Ransomware.WannaCry\@[email protected]
2⤵
- Executes dropped EXE
PID:1768

C:\Users\Admin\Downloads\Ransomware.WannaCry\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2696

C:\Users\Admin\Downloads\Ransomware.WannaCry\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:5080

C:\Users\Admin\Downloads\Ransomware.WannaCry\taskse.exe
taskse.exe C:\Users\Admin\Downloads\Ransomware.WannaCry\@[email protected]
2⤵
- Executes dropped EXE
PID:4912

C:\Users\Admin\Downloads\Ransomware.WannaCry\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3648

C:\Users\Admin\Downloads\Ransomware.WannaCry\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:3804

C:\Users\Admin\Downloads\Ransomware.WannaCry\taskse.exe
taskse.exe C:\Users\Admin\Downloads\Ransomware.WannaCry\@[email protected]
2⤵
PID:976

C:\Users\Admin\Downloads\Ransomware.WannaCry\@[email protected]
@[email protected]
2⤵
PID:5808

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:6016

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4660

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:2000

C:\Windows\system32\mmc.exe
"C:\Windows\system32\mmc.exe" "C:\Windows\system32\diskmgmt.msc"
1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:3472

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:2388

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:3268

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
PID:5780

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xe0,0x104,0x108,0xb8,0x10c,0x7fff82d3ab58,0x7fff82d3ab68,0x7fff82d3ab78
2⤵
PID:1472

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1724 --field-trial-handle=1684,i,15440612967196259988,7576226313483073340,131072 /prefetch:2
2⤵
PID:5496

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2104 --field-trial-handle=1684,i,15440612967196259988,7576226313483073340,131072 /prefetch:8
2⤵
PID:3164

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2188 --field-trial-handle=1684,i,15440612967196259988,7576226313483073340,131072 /prefetch:8
2⤵
PID:3476

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2992 --field-trial-handle=1684,i,15440612967196259988,7576226313483073340,131072 /prefetch:1
2⤵
PID:3732

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3248 --field-trial-handle=1684,i,15440612967196259988,7576226313483073340,131072 /prefetch:1
2⤵
PID:2060

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4220 --field-trial-handle=1684,i,15440612967196259988,7576226313483073340,131072 /prefetch:1
2⤵
PID:3060

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4368 --field-trial-handle=1684,i,15440612967196259988,7576226313483073340,131072 /prefetch:8
2⤵
PID:1716

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4516 --field-trial-handle=1684,i,15440612967196259988,7576226313483073340,131072 /prefetch:8
2⤵
PID:4276

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4556 --field-trial-handle=1684,i,15440612967196259988,7576226313483073340,131072 /prefetch:8
2⤵
PID:5340

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4716 --field-trial-handle=1684,i,15440612967196259988,7576226313483073340,131072 /prefetch:8
2⤵
PID:5448

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4720 --field-trial-handle=1684,i,15440612967196259988,7576226313483073340,131072 /prefetch:8
2⤵
PID:5724

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --reenable-autoupdates --system-level
2⤵
PID:2088

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x250,0x254,0x258,0x22c,0x25c,0x7ff67bedae48,0x7ff67bedae58,0x7ff67bedae68
3⤵
PID:3748

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3996 --field-trial-handle=1684,i,15440612967196259988,7576226313483073340,131072 /prefetch:1
2⤵
PID:1440

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4140 --field-trial-handle=1684,i,15440612967196259988,7576226313483073340,131072 /prefetch:1
2⤵
PID:2776

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=4120 --field-trial-handle=1684,i,15440612967196259988,7576226313483073340,131072 /prefetch:1
2⤵
PID:5136

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4720 --field-trial-handle=1684,i,15440612967196259988,7576226313483073340,131072 /prefetch:8
2⤵
PID:4268

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5084 --field-trial-handle=1684,i,15440612967196259988,7576226313483073340,131072 /prefetch:8
2⤵
PID:4296

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4720 --field-trial-handle=1684,i,15440612967196259988,7576226313483073340,131072 /prefetch:8
2⤵
- NTFS ADS
PID:2604

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4580 --field-trial-handle=1684,i,15440612967196259988,7576226313483073340,131072 /prefetch:8
2⤵
PID:5168

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5196 --field-trial-handle=1684,i,15440612967196259988,7576226313483073340,131072 /prefetch:8
2⤵
PID:4644

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4920 --field-trial-handle=1684,i,15440612967196259988,7576226313483073340,131072 /prefetch:8
2⤵
PID:5628

C:\Users\Admin\Downloads\MEMZ.exe
"C:\Users\Admin\Downloads\MEMZ.exe"
2⤵
- Executes dropped EXE
PID:6080

C:\Users\Admin\Downloads\MEMZ.exe
"C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4200

C:\Users\Admin\Downloads\MEMZ.exe
"C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5432

C:\Users\Admin\Downloads\MEMZ.exe
"C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3904

C:\Users\Admin\Downloads\MEMZ.exe
"C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3948

C:\Users\Admin\Downloads\MEMZ.exe
"C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
3⤵
- Executes dropped EXE
PID:2588

C:\Users\Admin\Downloads\MEMZ.exe
"C:\Users\Admin\Downloads\MEMZ.exe" /main
3⤵
- Writes to the Master Boot Record (MBR)
- Executes dropped EXE
PID:1492

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\System32\notepad.exe" \note.txt
4⤵
PID:5068

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:5708

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Windows Management Instrumentation

T1047

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

Modify Registry

Pre-OS Boot

Bootkit

Hide Artifacts

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Inhibit System Recovery

T1490

Defacement

T1491

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LDPlayer\LDPlayer9\MSVCP120.dll
Filesize
444KB

MD5
50260b0f19aaa7e37c4082fecef8ff41

SHA1
ce672489b29baa7119881497ed5044b21ad8fe30

SHA256
891603d569fc6f1afed7c7d935b0a3c7363c35a0eb4a76c9e57ef083955bc2c9

SHA512
6f99d39bfe9d4126417ff65571c78c279d75fc9547ee767a594620c0c6f45f4bb42fd0c5173d9bc91a68a0636205a637d5d1c7847bd5f8ce57e120d210b0c57d

Download Submit
C:\LDPlayer\LDPlayer9\MSVCR120.dll
Filesize
947KB

MD5
50097ec217ce0ebb9b4caa09cd2cd73a

SHA1
8cd3018c4170072464fbcd7cba563df1fc2b884c

SHA256
2a2ff2c61977079205c503e0bcfb96bf7aa4d5c9a0d1b1b62d3a49a9aa988112

SHA512
ac2d02e9bfc2be4c3cb1c2fff41a2dafcb7ce1123998bbf3eb5b4dc6410c308f506451de9564f7f28eb684d8119fb6afe459ab87237df7956f4256892bbab058

Download Submit
C:\LDPlayer\LDPlayer9\crashreport.dll
Filesize
51KB

MD5
19dae6362eb73913f7947f719be52516

SHA1
e157307ae8e87c9a6f31bc62ecdf32d70f8648d9

SHA256
ae0eba69019294d03e11d68fea0ee72e77bfe156803f1b83bc8566a0a4d3584d

SHA512
f5eb5771eb03f7f2067e32573397814ff3ef54dc7fae0abadad6bfdcafef6a4a5bf6f3ab9874c0530cb70cb995f6716ca8fa1cba175ed5a1d298c700f6e59ad2

Download Submit
C:\LDPlayer\LDPlayer9\dnmultiplayer.exe
Filesize
1.2MB

MD5
330013a714c5dc0c561301adcccd8bc8

SHA1
030b1d6ac68e64dec5cbb82a75938c6ce5588466

SHA256
c22a57cd1b0bdba47652f5457c53a975b2e27daa3955f5ef4e3eaee9cf8d127a

SHA512
6afb7e55a09c9aac370dff52755b117ad16b4fc6973665fce266ea3a7934edfb65f821f4f27f01f4059adb0cf54cc3a97d5ff4038dc005f51ecee626fd5fadd1

Download Submit
C:\LDPlayer\LDPlayer9\dnplayer.exe
Filesize
3.6MB

MD5
2061141f3c490b5b441eff06e816a6c2

SHA1
d24166db06398c6e897ff662730d3d83391fdaaa

SHA256
2f1e555c3cb142b77bd72209637f9d5c068d960cad52100506ace6431d5e4bb0

SHA512
6b6e791d615a644af9e3d8b31a750c4679e18ef094fea8cd1434473af895b67f8c45a7658bfedfa30cc54377b02f7ee8715e11ee376ed7b95ded9d82ddbd3ccc

Download Submit
C:\LDPlayer\LDPlayer9\dnrepairer.exe
Filesize
41.9MB

MD5
4def56a3500d5a4dec3ff797a88c5751

SHA1
1a53c9c6f3d1e27ac8532e09f87990505c8090de

SHA256
c09b51bdc9039b976a55eb8dc7c517d65d8d5f6eadda92d2de27ceee7845b0e4

SHA512
a96322ca61f45875bfdb7b514ce1a95bbc1faba3fc0b7bc7c0af3f05d68c14e47fddff64e595f6bf053df7e1efad3e5f9e33f3bc2e09501c3c20de62864ae1d8

Download Submit
C:\LDPlayer\LDPlayer9\dnresource.rcc
Filesize
5.0MB

MD5
d4d2fd2ce9c5017b32fc054857227592

SHA1
7ee3b1127c892118cc98fb67b1d8a01748ca52d5

SHA256
c4b7144dd50f68ca531568cafb6bb37bf54c5b078fbac6847afa9c3b34b5f185

SHA512
d2f983dde93099f617dd63b37b8a1039166aaf852819df052a9d82a8407eb299dac22b4ffe8cab48331e695bf01b545eb728bec5d793aeb0045b70ea9ceab918

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\7za.exe
Filesize
652KB

MD5
ad9d7cbdb4b19fb65960d69126e3ff68

SHA1
dcdc0e609a4e9d5ff9d96918c30cb79c6602cb3d

SHA256
a6c324f2925b3b3dbd2ad989e8d09c33ecc150496321ae5a1722ab097708f326

SHA512
f0196bee7ad8005a36eea86e31429d2c78e96d57b53ff4a64b3e529a54670fa042322a3c3a21557c96b0b3134bf81f238a9e35124b2d0ce80c61ed548a9791e7

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\cximagecrt.dll
Filesize
1.5MB

MD5
66df6f7b7a98ff750aade522c22d239a

SHA1
f69464fe18ed03de597bb46482ae899f43c94617

SHA256
91e3035a01437b54adda33d424060c57320504e7e6a0c85db2654815ba29c71f

SHA512
48d4513e09edd7f270614258b2750d5e98f0dbce671ba41a524994e96ed3df657fce67545153ca32d2bf7efcb35371cae12c4264df9053e4eb5e6b28014ed20e

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\libcrypto-1_1.dll
Filesize
2.0MB

MD5
01c4246df55a5fff93d086bb56110d2b

SHA1
e2939375c4dd7b478913328b88eaa3c91913cfdc

SHA256
c9501469ad2a2745509ab2d0db8b846f2bfb4ec019b98589d311a4bd7ac89889

SHA512
39524d5b8fc7c9d0602bc6733776237522dcca5f51cc6ceebd5a5d2c4cbda904042cee2f611a9c9477cc7e08e8eadd8915bf41c7c78e097b5e50786143e98196

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\libcurl.dll
Filesize
442KB

MD5
2d40f6c6a4f88c8c2685ee25b53ec00d

SHA1
faf96bac1e7665aa07029d8f94e1ac84014a863b

SHA256
1d7037da4222de3d7ca0af6a54b2942d58589c264333ef814cb131d703b5c334

SHA512
4e6d0dc0dc3fb7e57c6d7843074ee7c89c777e9005893e089939eb765d9b6fb12f0e774dc1814f6a34e75d1775e19e62782465731fd5605182e7984d798ba779

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\libeay32.dll
Filesize
1.2MB

MD5
ba46e6e1c5861617b4d97de00149b905

SHA1
4affc8aab49c7dc3ceeca81391c4f737d7672b32

SHA256
2eac0a690be435dd72b7a269ee761340099bf444edb4f447fa0030023cbf8e1e

SHA512
bf892b86477d63287f42385c0a944eee6354c7ae557b039516bf8932c7140ca8811b7ae7ac111805773495cf6854586e8a0e75e14dbb24eba56e4683029767b6

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\libssh2.dll
Filesize
192KB

MD5
52c43baddd43be63fbfb398722f3b01d

SHA1
be1b1064fdda4dde4b72ef523b8e02c050ccd820

SHA256
8c91023203f3d360c0629ffd20c950061566fb6c780c83eaa52fb26abb6be86f

SHA512
04cc3d8e31bd7444068468dd32ffcc9092881ca4aaea7c92292e5f1b541f877bdec964774562cb7a531c3386220d88b005660a2b5a82957e28350a381bea1b28

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\libssl-1_1.dll
Filesize
511KB

MD5
e8fd6da54f056363b284608c3f6a832e

SHA1
32e88b82fd398568517ab03b33e9765b59c4946d

SHA256
b681fd3c3b3f2d59f6a14be31e761d5929e104be06aa77c883ada9675ca6e9fd

SHA512
4f997deebf308de29a044e4ff2e8540235a41ea319268aa202e41a2be738b8d50f990ecc68f4a737a374f6d5f39ce8855edf0e2bb30ce274f75388e3ddd8c10b

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\msvcp110.dll
Filesize
522KB

MD5
3e29914113ec4b968ba5eb1f6d194a0a

SHA1
557b67e372e85eb39989cb53cffd3ef1adabb9fe

SHA256
c8d5572ca8d7624871188f0acabc3ae60d4c5a4f6782d952b9038de3bc28b39a

SHA512
75078c9eaa5a7ae39408e5db1ce7dbce5a3180d1c644bcb5e481b0810b07cb7d001d68d1b4f462cd5355e98951716f041ef570fcc866d289a68ea19b3f500c43

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\msvcr110.dll
Filesize
854KB

MD5
4ba25d2cbe1587a841dcfb8c8c4a6ea6

SHA1
52693d4b5e0b55a929099b680348c3932f2c3c62

SHA256
b30160e759115e24425b9bcdf606ef6ebce4657487525ede7f1ac40b90ff7e49

SHA512
82e86ec67a5c6cddf2230872f66560f4b0c3e4c1bb672507bbb8446a8d6f62512cbd0475fe23b619db3a67bb870f4f742761cf1f87d50db7f14076f54006f6c6

Download Submit
C:\LDPlayer\LDPlayer9\ldmutiplayer\ssleay32.dll
Filesize
283KB

MD5
0054560df6c69d2067689433172088ef

SHA1
a30042b77ebd7c704be0e986349030bcdb82857d

SHA256
72553b45a5a7d2b4be026d59ceb3efb389c686636c6da926ffb0ca653494e750

SHA512
418190401b83de32a8ce752f399b00c091afad5e3b21357a53c134cce3b4199e660572ee71e18b5c2f364d3b2509b5365d7b569d6d9da5c79ae78c572c1d0ba0

Download Submit
C:\LDPlayer\LDPlayer9\vms\config\leidian0.config
Filesize
641B

MD5
95bfc18a8a765491b04692f6b4bdb1de

SHA1
97368f2bb78aa06e19ba87318405460cb602e17c

SHA256
e0cd70894cad83ea758fc70a3e4e6a587e62ad7c8fa7b30190bd6b81393e2e3b

SHA512
07ffa0f4b57671f794bef18a455b052cf99581aa90cbf8f1f1ed99c21f0c2524b6a64dc7a24b726ca386bfaa05bd2b04f24016c0d1c6736c6e039278dab6034b

Download Submit
C:\LDPlayer\LDPlayer9\vms\leidian0\sdcard.vmdk
Filesize
35.1MB

MD5
4d592fd525e977bf3d832cdb1482faa0

SHA1
131c31bcff32d11b6eda41c9f1e2e26cc5fbc0ef

SHA256
f90ace0994c8cae3a6a95e8c68ca460e68f1662a78a77a2b38eba13cc8e487b6

SHA512
afa31b31e1d137a559190528998085c52602d79a618d930e8c425001fdfbd2437f732beda3d53f2d0e1fc770187184c3fb407828ac39f00967bf4ae015c6ba77

Download Submit
C:\LDPlayer\ldmutiplayer\fonts\NotoSans-Regular.otf
Filesize
17.4MB

MD5
93b877811441a5ae311762a7cb6fb1e1

SHA1
339e033fd4fbb131c2d9b964354c68cd2cf18bd1

SHA256
b3899a2bb84ce5e0d61cc55c49df2d29ba90d301b71a84e8c648416ec96efc8b

SHA512
7f053cec61fbddae0184d858c3ef3e8bf298b4417d25b84ac1fc888c052eca252b24f7abfff7783442a1b80cc9fc2ce777dda323991cc4dc79039f4c17e21df4

Download Submit
C:\LDPlayer\ldmutiplayer\fonts\Roboto-Regular.otf
Filesize
103KB

MD5
4acd5f0e312730f1d8b8805f3699c184

SHA1
67c957e102bf2b2a86c5708257bc32f91c006739

SHA256
72336333d602f1c3506e642e0d0393926c0ec91225bf2e4d216fcebd82bb6cb5

SHA512
9982c1c53cee1b44fd0c3df6806b8cbf6b441d3ed97aeb466dba568adce1144373ce7833d8f44ac3fa58d01d8cdb7e8621b4bb125c4d02092c355444651a4837

Download Submit
C:\ProgramData\Microsoft\AppV\Setup\@[email protected]
Filesize
721B

MD5
09d6086c245487fe6bb3961df853eb13

SHA1
eebc847bf20bb0a998e5309363460d13472b5806

SHA256
4babd7b3e6b2ac073e6685b41bc723756cd44f6e7651e9f0222df4b160b0bdcc

SHA512
ce1a7159a083f3e7f8ef8943fdb4c75c869597076836bc588a8e14b365983f97a855b82fc3a546e5acf43d9231bfd4bcef765cfb05d16534ecb5992aae80b8db

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
80faf8da59c87e3470d7e5c39570965e

SHA1
5591d926f085ec3f70dd7d6642628eea139ee1ef

SHA256
ec406d96ded7030cc2a179d2a179d9497c5eadeb93ee7296dc182c210890617d

SHA512
4cfe38bf7eb4b0b6c5660e06482f8981e5b2205318167eb420296deb3b33724943a25e2818e869cc960c49b484895448ec3423c4b238dd217fd63a64be68f3bb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
3KB

MD5
37a4f07a59c73a8cc930206d6348bb13

SHA1
4ccaaf16214d1bb631cbafb1c00707f28b2aba27

SHA256
0e4cac08573ccadfcd31f7ddbb7d4bf72510046096b2959dda344af346ce034e

SHA512
7b23846e32a81b197b0f1840c70e0864307cfdb80de71a6975c9578a860acdecc0ad6df369fb611de0f840b629cf8fc0c0ff2d6c7a7c5fd34704131eef6901b2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
2KB

MD5
86894ac1f2f342e713f2bcf9d18534b5

SHA1
2faa913531a45f68cf54768f7e7b094a50396dbb

SHA256
15681a417d224cb39e2cfd5c3d02fc92ff66f54cba24cc16e4df599315fdafb4

SHA512
d896b5f2824dc114d43b4e5343a9aefeaffa3eb55d55f12bcc50cf54fcd133d533be03a36c30046bf33eab67cd8ab814b5788c55f22bf304ee21bc4b50379abf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe5c480d.TMP
Filesize
2KB

MD5
7e33bb2930218b1dfcbc1cd7f3adb3be

SHA1
9b821fa675861f50a73f2121f4e3858c56a7b74a

SHA256
1d9a6e39a39324505dd70cef9d06c255a67f0366064a542b8bdc5c5a62859228

SHA512
8ea6e8d554ec3d4c30f5d1d4463a24f61202fc6905ab92ac4c515f3dd19fa1472c0b0c87af6914da328ece8a279168caeb30b32e62569374eaf438f6815858f3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
c05de9317348b27f674bec859013b66f

SHA1
4acac2495703281ae742973733ffc3a0ba511dc5

SHA256
ad4e67c62a139f32dc7a16f7f133f52342aeb1d1085b5459f9515d0dbf3d0a30

SHA512
23646d12d149ae47d33e51d1b9724ba8c4e95c5392c0e96832a9ece26a4576864f178d2544ff55df5a0362e283939acab279dc9dd16454c6569035312b705548

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
3KB

MD5
243e78263855b485d8463e1e1e17ffe1

SHA1
d73977511c2319e58019f42e7bd8e29a5c663f6f

SHA256
f2b3a2816e67cb1d2d81a81e65ebb8e8ee624484ee9cc1ae083bc0b978fc07a1

SHA512
906d5923653cd4b6a27e96fdf4da85ff82a690c8c4a8fec9aefc6a70d068f3f8848f30098b1bf64cfa3347c83d0885f9323508a5316e9b88ddd95534d1ae8c43

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
4145d7c741b4e2e2d50306ec8a953ad5

SHA1
c49b225fa5e33c8961e4cd1d618ff8f46b2ff321

SHA256
3385750425309fc791c267bcc08340632db10b4494ab401b2e9a256cc75f6a45

SHA512
4c72ea7e2abc7ae1aa8c191e44318f7ededef1a686ca6e4148508b634972f4915187b5b1d5fa55a4139fb9c6a1d722f37f2b0b5cf1f16eee52273e29cb70335c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
22c651bccbac36842361130cd871ab41

SHA1
619d297acaf97f5e624551f90bf377f79111e22f

SHA256
948a8af9303edae0f947b7db8a5c9440e4aec52dd8e6b0d5ad53330932de5976

SHA512
225b864ec33ecd06cfe1be4ec8bc7250702a2a9ec72bd3df3fd09ce1b08d94b1e414e2757b62136f33fd1a54c2e0989d282e5d20691f0e0ddd8679c79242f30a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
bc1b4d63eb956cc99809da0c4a524be4

SHA1
1639b7522d00ba2de7e23ffa21712769cbcf7005

SHA256
d2f22be0b00b3dfc684897e941f8fa2b8f4876f52cf9f8688b099c24c4157fd5

SHA512
3631da56e5d3a80fe9ad93ed02fb649f18380364f58ad5b5d8348bf340fef5f296a4d4686155bcb6fb5a1cdf235156e389505f7ebcbdf81003e04ce367b06405

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
e3984b1a0fdff782d18c6a4bfbd7df0f

SHA1
23375c777ec8f7087747acb5981a9dedca16cd00

SHA256
4d3c91063dab4b0f08d6ac64dcddd70b00abe361dd9c89084ab25558dad8a7d2

SHA512
d4e45487ea532d21520a68d9b08c8420d508d64d92d720666971c04dd6e40d6d9f7693e5353db5fb227a7e9cdfb1f94f1c2964a870d09a040ec5a26df697568a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
356B

MD5
5d51af1289e6392c439574d526836a1b

SHA1
941207a3da9f02dfa6d75b278bc6bdbb9507e9db

SHA256
1392d9c93c475c27f00fc607686f91ccc795786f3b4c1e5419dce74ce3187c68

SHA512
4e0ada97cd77a3ea4f93e7d376ee30fbce45bb1d924edff15777294517bc9a1ad86435c5d3f5b6ceff9cf10c0096c5e2e5e072c6372d28eadf63f62fbed261bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
877b810a82d92873ab13982156e307fe

SHA1
c1fbf612516fe4775e0b0afb3a1e7a34e0b9e18b

SHA256
f70b123bab935a941950518235a2c1debfc5651edee781b0650ab9c4b29c8b1e

SHA512
c76cf96168145036d5cd9ae206dca5f8bdfaed3dff21ac81a3562edac148d4d856dac59803a16af04b671e9a7baae4a6a5a10a6c7745fafcc9c9301edc331443

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
2f6925a398741ce0ac994532ca645c25

SHA1
d9157818aafac920c0642fa7a3e689c1326a93eb

SHA256
eeeaa949a68b55d384d96c00a0b59ac9c5c29df0fc4c83bec59183f51b0a9aa9

SHA512
8feebd93ff90c054ae943119ee0bbc3618b5520ae97f5c4ccf1f754667908602286a4649000825ecb15ca1832a90410e6f3a1c942ef8f2bca9d10886e047a3f2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
356B

MD5
4405c5543d1f1dbc32d1f9ffb312272b

SHA1
6d30b2a3d15a6709c396932c9c9cfcafc147e30e

SHA256
0e26c605bbe8d539efe34cb2f271aeb2f39a9a3b40686e14c470c95be7a47a0f

SHA512
24c43a60c0c5ad24998c4f59bbb0af5ddc489f8d966fbb6b45e2a3f48e7b9d5b54fbfae8b38eac1831312fba401dbaa4caa0ebf0aedbf73a1eae9054fd8e81c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
8fd3b2ea08ff050d4e20110035de2a95

SHA1
6f9799afbbddc9546ab6c5351d6d7e5d29d311ab

SHA256
a02ed93efa4cfc1881d51f240be9a235d9e809c9260bd514f8b6ef81fc6a3da8

SHA512
b3430dcc4f1021996eb126085b3d19b6670480821b8f062e441cbc0bb11a6716819b44f84d1c50b339ad6d113cbfcb3e83d64d3188c6386a62c9d499c8e31681

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
52f1c8e530105cbf48040a3eb419c4e9

SHA1
cbcf86ef2980f1c0ea2470787c60c2dfdc9ff266

SHA256
e5f91c0771f3c913b428a80afd12087c8d0a21b90be68dbdef97c9282ac85a01

SHA512
5a1ec80b47ec0150b1bd3e365e8b6bd1f308b20663220b80d8f4e8a6ff7901092ea4a4b937bb05c5d71d20887b9f85a04638591102da54784f89a3e962a3f0f9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
c2199b0845cac185fc23bd839b8dc2bc

SHA1
4521501cae2e484b41d9c3c641b6c34b5580e9f1

SHA256
5b93a6d22741ee09d1f7f87cf414c8ac57464c4960e437dd03a714f821d365e3

SHA512
277b7f6897396e44ce118f91b2329eb838a1c799ae99e5353bd3fbd0713765705c9c449c54c9b438401c21d39a25e7ada0c57673aaac6f3b0a706eb432402dc2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
8KB

MD5
cb271268b782bce9486ad5c6e2d5e9ea

SHA1
9781d9ab06c66e5196bba06a1b817106258bcaab

SHA256
d1cdeeec11a079cbe0f358b90bc8bac6740c19354afbe06b1f5ba006b2b5255c

SHA512
9e0669b042f17b465540974074c8719ac1b08daafd8ceb418f577be4f6ceeb9909831f3816f7773c1deaa529fbe04a7efb99f248cedfee31681304eb1abbd6b1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
8KB

MD5
9c1b26a15e7d12b1858d8e4d1f00da22

SHA1
40dfbb62f0910908f7667881a9eda23539019736

SHA256
e5b19bf469fc05aa77a6182c5ecfeeba5fa772bc648402a8b8825f2dd914dc77

SHA512
dc41c4775fd926608d4e5bee0a92f0a4fd862cff2e11d5ee9ca7b164b11c5d62525c33d7a7c6932f444c1675fac34f0023d3ba780d8447bb73b12ae305294667

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
779d9b421efd97fd47adf81e48a55737

SHA1
b7fb28c33ead16648e7adef8c9c53e4b24b77e3d

SHA256
a4f0c63706a98981584a04963bb7b0a6d1ff9959eb5c8f285391ecfe8feca63a

SHA512
6ff147808c4ade029914b2eb4390a020a051447c0ad60a33265afff1811e601508d3564e7a844f765be724a65df96e4c567592294cd455f5572ecc2fbb998076

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
8KB

MD5
c126299b0dc6ade35b73901bccb52422

SHA1
4b9e6cd26fdd26f98b621f0dfb895ce66878bec6

SHA256
d51c1cabea96db33401e2af471daa6745f155f9e7aebe7e02f2cba5653139ce4

SHA512
c247613a5bf3f565973014ef5dac1976b9cf3826835d670cea09ca205d26183a18c6b788cb4ce972571bfab955a4aa5c13e20806e00ba0804eeacf6689be762f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
8KB

MD5
8ccbf0b27c192ef80463a608ce631fa5

SHA1
a5dcd54565eda7ba113fba05dd6e77b59ebede73

SHA256
8a54211b9806ec9c3cdb11ee1e652b5dee72d1d3b6077fb0bca63760142f4552

SHA512
53d20db69a5516f8bf61f34f7ea5217401dffbf630b407b473881fb6c39c53a93dae72cd6d5784cebe6f8d1dbac89e260117382f8e446e712d46230b174a2a97

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
8KB

MD5
481115d51d3c85ca035c07a4c73d90f0

SHA1
8d0197386ec46759abd3259126032670b9901f20

SHA256
05d5fede7ea8b2f90e71317c6499820ef49075da811f5de047b62e8b2f0b2528

SHA512
004e68c33b5196037f5fc6b5f75a1c02165483f89392772945b915a9746246cd5c22b077ac9a93d9a884d0d273a379caeba96335e2ecd7db01b4624f4b144caa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
0eeb706af867c08c4bda97507131c482

SHA1
438af8ee51fae2673abcae0a62bf9e68a114b272

SHA256
e1c5af0026f2619e92ad070b8af67454ddf5f7a1d8e084b691f7d99cc50f0768

SHA512
fd63092925a35190220f808b36b03fe06058c60fcc23249af982f29d080b87af6ff7ed9867285d4dddafdb0bad77a63069ffb13ba4b8db32b5e7865549e90025

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
56B

MD5
94275bde03760c160b707ba8806ef545

SHA1
aad8d87b0796de7baca00ab000b2b12a26427859

SHA256
c58cb79fa4a9ade48ed821dd9f98957b0adfda7c2d267e3d07951c2d371aa968

SHA512
2aabd49bc9f0ed3a5c690773f48a92dbbbd60264090a0db2fe0f166f8c20c767a74d1e1d7cc6a46c34cfbd1587ddb565e791d494cd0d2ca375ab8cc11cd8f930

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe5be897.TMP
Filesize
120B

MD5
3e8f09c3a5d98b0efb5fa72d462a8cf8

SHA1
5691b3d0e7b8f6871c0097403bb3cc9459883982

SHA256
a8036a76f16368ddb458260445b0f54bd16ff14744e6c00d6a865aa0b6ae43d7

SHA512
070b4a4addfaa013ca785521474825513c70c9d1ca69bbf7c1d880efb6b15719912a2ac95a25d059fcb041bbd591f7589a0a5bdcd5a40f50fe8dec88801f8db2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\f0bd0389-d374-4298-974b-40620dac4b25.tmp
Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
146KB

MD5
d4e1d73985e3eedb978d181e99d0360e

SHA1
f3561fb115a7cbcdc07a2506578109a8d142ea82

SHA256
834dabb7c5600a944f02272b379f33b7795801c34e1a888692e1ae88f03c0310

SHA512
207c8e5fd68e8f3bd046317bb30ddd8d03115381efa2323e24d0c77ea45fc3e6084dd82d1725220ff9893390b0438e71786ff687a03b016fb9161f79583cf96c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
281KB

MD5
ad30f3f5ca170d5c4d465b0f28774737

SHA1
c6c0bb097ed092d9cb5607bbcb3b9f6f0c3eb00a

SHA256
16e6eb00adddb9ed000322eb6cebcb9b582e6b948aaafcca9ea41940c997b80b

SHA512
29f010b4af4759a2395292ca0ed4eab709282ad86f0d06ebe7fbaa768d3e76f82bba2762aed6e687113df20e12cf6e38af7f67d10192821958fe309af2f62e67

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
281KB

MD5
b17f17b2b4b8d9b4204a7917112ffa06

SHA1
c00be27f900bdae5c4469892e7a7ac1b9877af2c

SHA256
0e0911a1f6953611aebb31f632eff253054f11af1e8dcb8e402d383c7a67a0e4

SHA512
94749dc073ff4fb64c2dc3ba3e0293e999de8a8b566d961fc92c136dc8ddbf36f5109c7e2b6b2e69e42ce3a501965c583a063307087525789aee69e022f4b939

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
88KB

MD5
f8701eba2f8ecdf71987964bbb3d9d1c

SHA1
889542f5604b0969bb8db3595e125463a026f341

SHA256
509a9f53be2bdae84844fd98bb32476da03a0b89bab694d8b04b42b0b5e384d3

SHA512
64aca46f5b4273b1bd442b16d095eda51d57816b17fbe9a3637cd8d207f18733196e2fbb21901da8620a22cc9b198b6662ea5375c2fa81815689df80a8b594a7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
90KB

MD5
53cabb37345d254d223599ea83dc9aee

SHA1
2b9f8d1b7689ca62c0969cedb4c33aa3cabbf24a

SHA256
bf6f3e03734f73e81a59b0852073c97d8717ead0a5ba412f620dedb3652cfeeb

SHA512
8d9cd1956cc44dda186b56227ba2362b607a8f64c9d36e903e0357b645fbaad0f9be1bf5c157a9cf3f698c74a754ebe0e7cdf36211656082e0fdd32a3d7fd81a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
100KB

MD5
bfddac58d0e271cc25041c6c54b21a71

SHA1
3bbe29b6b404a5bb71653fde614af77e8191dca2

SHA256
4f724568f59837dd9f3a12a8344e6b0b1d98f09d03c4de266aa8d7369ca14f67

SHA512
7a8127a39d8299b4f95247d53d53d1bac2f974ce844bad28e3322a84c0555393bc4c995b884fbc9ca60287545315ef2ec18aab05d743900269f79922feda5352

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe58a0df.TMP
Filesize
83KB

MD5
0ca530fcc8a88a47c331dd0cc5fb3aa8

SHA1
124c96d964fd478f93d8aac0469690cc4393ad69

SHA256
3263e4ce5cac31215b16942840f564ea45edcf5d22cfd97b5584d21b4259f29f

SHA512
913aa691149abe5a6248316e0cf9921be29de1729f1e7bbfc259db2105fc3be985508a57026f1578ece4667609d06ad35e2a824b820e8e7340a8a57346f0ff86

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1
Filesize
264KB

MD5
de56d29c4110a312895ce08d5fcf0324

SHA1
59070c1d414c666329e2371d333040c3cb89cd6f

SHA256
0d7e7434e4a820ca7e3447053f06c110df5e1c588d4302d492e1965733bfa614

SHA512
e0698c31a681f752fb3cd52a51fb54d10a19c64064d52df8579a877ff0969ad133b34244dde2638fa1116e2f138cd3e66870828c4b7e48750b05167e5d6bf062

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
bbfb66ff6f5e565ac00d12dbb0f4113d

SHA1
8ee31313329123750487278afb3192d106752f17

SHA256
165401ef4e6bbd51cb89d3f9e6dc13a50132669d5b0229c7db12f2ec3f605754

SHA512
8ea206daabc7895923f3df9798bfd96f459bf859c78f3e5640fad550678b5090539f2a1b590883cd9797efee999acccac16d499772f61f5390e91bcc44d60560

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
9a91b6dd57fc9c4880d34e9e7c6b760f

SHA1
77a09da6ef4343a8b232386e000cd2d6b9fc30a3

SHA256
0170297f0103d4e415653f86dedc31b0827580042f86862206fd3f6f135b543a

SHA512
9fc3b9be931b3edebc4a6809d62d805046bdceb4c27a7db21cfbbcb0e5e253ab529c54d64e465e60904a6ab3b83156e26b97f852c9526f46f037944f806a7f0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
744B

MD5
1e797f4eef77d748f23a98272a10924d

SHA1
756693ef840bb761831f1bdd98d47a9c7df26439

SHA256
500e8d4178c3d50db2cba772a2de2d3530b8ed42efb030bcfa82cc299ebe68a7

SHA512
a5eb42e177077c28144ca42902049252e0c3edc05e97e98dadc370f4cc922d04949d0dea86d4976bb6a17c52476b2c9ebd53b536052211949ec8c9818ab93625

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
684B

MD5
49370f4457ecb4d2873419c59e5be8da

SHA1
1b841bb035c1a304f4157655b785a94500e4afd7

SHA256
e2278e8d208e7e3c03ab7450c27cd642529f8d2e6b501a6687fc3c7862fe2151

SHA512
0a64afafb966658e7ccf732323e734d15e574c37456483e710781d7b28628decd01bb4b58721b8a5c8a229910a29e35821dacdfb7aa34c2b7c285985159f83da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
886c0c6cd52ce1ddd55747ecb79e2d14

SHA1
3fccadb37e3e4883438d288261a95f55873c7823

SHA256
9c784421e3bf2bc4b063c2f895e61a4187a68873a25d47dad1434ceaf6aff2f5

SHA512
733a333b5ece88a4f27a7363a04e14c4a03372f5879c59fbcdfd1d1febdea7f1a36a7017d2043b2bf38be4a650f95a66bb5375d46d799429bdbcbda03619f844

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
5786a8c3312d35b7e09d2a086a402d73

SHA1
66639c7966b10c0c173ae39a5a7886d64feb44c4

SHA256
023783f8c2184040f4b9060ff617772dcb1e5696e63211e5784437199f4a4787

SHA512
d707895153cb42779f936bf4492682bbfd26f2c30936f2e8729cafa4cd6346c4d40869b330cb4aa47e986aa892972a4abfafb3b6f58f1c8f11037f0e1190ef3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
216fa273cd6051861092bbcdc1430717

SHA1
5047e8c7d0a672a2406048c339f3561452b9257c

SHA256
21310552862717605ab6a576e92add5d4e6b948211dfdcd65e39b94029eadc5b

SHA512
41e65bbe351588200812138a463b43eddf1a65c68cf5089006bb3aaf3357539805515008476ba20c934615f6c26c60e63406a03b599d63017028156343e76d51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
371B

MD5
06bea2b07206c1fe5fe708b12d441d56

SHA1
ed6ad20da7926e397a91502258d33f6b922b6c09

SHA256
ab1efb2729e2eb1983d333b5abb2e01544407536bb83abbd9dcd7f10cf18817b

SHA512
df06d81577fe274e78449a4777b6b8c2ed983a4da8d3661cd6b990612f175109119315240a943f7a480d164295dd25a47d148fd7e41eb1049e62b68e986dbc01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe594f4f.TMP
Filesize
371B

MD5
fff3de24bf327f1eb09508d5cc86e3a3

SHA1
8f42147f8281cc75c27aa759ee24b7fd4523d28d

SHA256
2eb5fe7061461abfa8fa6744d5330b13dadf0fba84bb17ea0e4133102438acca

SHA512
194ee7a1d0493f3cdebb0aecef4a126fbf4a345165eafff9077680db36364e9b396ddc44e6935739b33f2dddf0d9f6fe7c60fee091e589fa799840f0b636cb30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
9408427cd427b28063a03bfc5f604ecc

SHA1
1d25f571675655bd42194783af0d981772e2bf2e

SHA256
ab6b79a1d17b791b48029dfe72cba638789ba2230b6091115aef3c3f80820501

SHA512
34ea8a64fc29c542792bf04e4163dfbf8783094010be985545e2e22d4a7f886eaf5956447535b0986aa7d0b3753f70e003a7e319b9483f6f9633168eed993f5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
101b17c352cbf3c732f6cdf592458c80

SHA1
89ef03df0789a030252ddeb2a1572c4f49770af7

SHA256
66e1231618122d6f8d4891ee2566b642e7f79b5cd8ff4220f9a6b466ba4718ad

SHA512
1ffe8e8c97d0ffd96bf46e6fefeaa4e0ca55d50e982a82d8c3f9941e7b6d1e1bac8b99c17e4e2baacc9fa62664a727e48ccd09b37955954f719a78f71db668a6

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
Filesize
10KB

MD5
1d89a492b7be156f3343cb595d937e33

SHA1
460e807b14f3172546c939d91194863d68949700

SHA256
c82d4e8b8208a3a22f0f6d700652d172c00b19ca508d71a35eadb0c953d23e96

SHA512
eefd2c107a14520a05032e93fdd153838b7417f37f55d71dcc4fdf7ac349c6db9bdbeb3199a9a1f03efe0864511a2df1c15169fe0af13cbfa3760babcd66c517

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SettingsCache.txt
Filesize
846KB

MD5
766f5efd9efca73b6dfd0fb3d648639f

SHA1
71928a29c3affb9715d92542ef4cf3472e7931fe

SHA256
9111e9a5093f97e15510bf3d3dc36fd4a736981215f79540454ce86893993fdc

SHA512
1d4bb423d9cc9037f6974a389ff304e5b9fbd4bfd013a09d4ceeff3fd2a87ad81fe84b2ee880023984978391daf11540f353d391f35a4236b241ccced13a3434

Download Submit
C:\Users\Admin\AppData\Local\Temp\16920458-8FA5-442C-9C8D-D76D91F76D3F\AssocProvider.dll
Filesize
136KB

MD5
702f9c8fb68fd19514c106e749ec357d

SHA1
7c141106e4ae8f3a0e5f75d8277ec830fc79eccc

SHA256
21ad24a767aeb22d27d356bc8381f103ab620de1a47e374b9f961e44b543a358

SHA512
2e7d403c89dacdda623ed1a107bac53aafde089fdd66088d578d6b55bcfe0a4fc7b54733642162bd62d0ca3f1696667a6f0cb4b572d81a6eefd6792d6003c0d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\16920458-8FA5-442C-9C8D-D76D91F76D3F\DismCorePS.dll
Filesize
200KB

MD5
7f751738de9ac0f2544b2722f3a19eb0

SHA1
7187c57cd1bd378ef73ba9ad686a758b892c89dc

SHA256
db995f4f55d8654fc1245da0df9d1d9d52b02d75131bc3bce501b141888232fc

SHA512
0891c2dedb420e10d8528996bc9202c9f5f96a855997f71b73023448867d7d03abee4a9a7e2e19ebe2811e7d09497bce1ea4e9097fcb810481af10860ff43dfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\16920458-8FA5-442C-9C8D-D76D91F76D3F\DismHost.exe
Filesize
168KB

MD5
17275206102d1cf6f17346fd73300030

SHA1
bbec93f6fb2ae56c705efd6e58d6b3cc68bf1166

SHA256
dead0ebd5b5bf5d4b0e68ba975e9a70f98820e85d056b0a6b3775fc4df4da0f6

SHA512
ce14a4f95328bb9ce437c5d79084e9d647cb89b66cde86a540b200b1667edc76aa27a36061b6e2ceccecb70b9a011b4bd54040e2a480b8546888ba5cc84a01b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\16920458-8FA5-442C-9C8D-D76D91F76D3F\EdgeProvider.dll
Filesize
200KB

MD5
c22cc16103ee51ba59b765c6b449bddb

SHA1
b0683f837e1e44c46c9a050e0a3753893ece24ad

SHA256
eb68c7d48f78b46933acba617cf3b5fcb5b8695c8a29295a9fa075f36910825b

SHA512
2c382aaddeca4efda63162584c4a2338ffcc1f4828362ce7e927e0b39c470f1f66a7933ae2210d63afb5a2ae25412266fde2ee6bdb896c3c030bdc08b67ec54e

Download Submit
C:\Users\Admin\AppData\Local\Temp\16920458-8FA5-442C-9C8D-D76D91F76D3F\Ffuprovider.dll
Filesize
680KB

MD5
a41b0e08419de4d9874893b813dccb5c

SHA1
2390e00f2c2bc9779e99a669193666688064ea77

SHA256
57ce7761531058f3c4289b1240bea6dc06355c9c4b4e88b9c9c0df8012edc5b3

SHA512
bd370e49da266148d50144c621f6415bdd5358e6274b1d471b8d4ee1888d93774331c3f75e6cb99782f1c8e772981cbc5a4baf5592c6400f340407dc670e547a

Download Submit
C:\Users\Admin\AppData\Local\Temp\16920458-8FA5-442C-9C8D-D76D91F76D3F\IBSProvider.dll
Filesize
84KB

MD5
f6b7301c18f651567a5f816c2eb7384d

SHA1
40cd6efc28aa7efe86b265af208b0e49bec09ae4

SHA256
8f4e3f600917d49ada481ff0ed125fef4a316b659bb1197dc3036fc8c21a5a61

SHA512
4087d819706c64a5d2eed546163c55caacc553b02dc4db0d067b8815d3a24fb06ea08de3de86aac058ff2907f200e4e89eef2357ca23328aaacbe29501ea3286

Download Submit
C:\Users\Admin\AppData\Local\Temp\16920458-8FA5-442C-9C8D-D76D91F76D3F\ImagingProvider.dll
Filesize
248KB

MD5
4c6d681704e3070df2a9d3f42d3a58a2

SHA1
a9f6286ac25f17b6b2acd1fce6459b0bc94c6c81

SHA256
f1bbab35b2602d04d096c8de060b2a5cf802499a937fd1ffe749ff7f54852137

SHA512
daa0c723312680256c24457162e0ef026b753ba267f3e2755f838e2864a163802c078d8668dd2c2064cb8887f4e382a73d6402a5533b6ac5c3cbf662ad83db86

Download Submit
C:\Users\Admin\AppData\Local\Temp\16920458-8FA5-442C-9C8D-D76D91F76D3F\IntlProvider.dll
Filesize
312KB

MD5
34035aed2021763bec1a7112d53732f1

SHA1
7132595f73755c3ae20a01b6863ac9518f7b75a4

SHA256
aac13ddb9ab5a165a38611f1b61229268a40d416f07740d4eefba1a8fcf7c731

SHA512
ea045aa46713133a5d0ad20514cc2a8c8fffb99b4e19c4d5262f86167cfce08a31d336222fd3c91e6efbfd90312bb2325337aa02a8489e047b616085fdf46c1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\16920458-8FA5-442C-9C8D-D76D91F76D3F\LogProvider.dll
Filesize
108KB

MD5
c63f6b6d4498f2ec95de15645c48e086

SHA1
29f71180feed44f023da9b119ba112f2e23e6a10

SHA256
56aca41c62c8d0d1b26db3a01ef6c2da4a6a51fc963eb28411f8f7f029f1bfde

SHA512
3a634340d8c66cbc1bef19f701d8bdb034449c28afecce4e8744d18181a20f85a17af3b66c8853cecb8be53f69ae73f85b70e45deac29debab084a25eb3c69dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\16920458-8FA5-442C-9C8D-D76D91F76D3F\OSProvider.dll
Filesize
180KB

MD5
e9833a54c1a1bfdab3e5189f3f740ff9

SHA1
ffb999c781161d9a694a841728995fda5b6da6d3

SHA256
ec137f9caebcea735a9386112cf68f78b92b6a5a38008ce6415485f565e5cf85

SHA512
0b18932b24c0257c80225c99be70c5125d2207f9b92681fd623870e7a62599a18fa46bcb5f2b4b01889be73aeb084e1b7e00a4968c699c7fdb3c083ef17a49f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\16920458-8FA5-442C-9C8D-D76D91F76D3F\OfflineSetupProvider.dll
Filesize
213KB

MD5
3437087e6819614a8d54c9bc59a23139

SHA1
ae84efe44b02bacdb9da876e18715100a18362be

SHA256
8b247665218f5151f0d19f59ea902a7c28f745d67a5d51b63b77242ffb4bdd74

SHA512
018e88f6c121dd4ecaceb44794e2fa7a44b52ddb22e7a5a30a332905e02065cbc1d1dcddc197676277b22f741195c1b7c4c185d328b096b6560b84e9749d6dde

Download Submit
C:\Users\Admin\AppData\Local\Temp\16920458-8FA5-442C-9C8D-D76D91F76D3F\ProvProvider.dll
Filesize
800KB

MD5
2ef388f7769205ca319630dd328dcef1

SHA1
6dc9ed84e72af4d3e7793c07cfb244626470f3b6

SHA256
4915b0c9cd8dc8a29dd649739974d244f9105dc58725f1da0d592af3b546e2bf

SHA512
b465917424dd98125d080c135c7e222a9485ed7ec89004f9a70e335b800e5b9419fbc932c8069bae9ff126494174cf48e2790030dd22aa2d75b7b9d8ccff752b

Download Submit
C:\Users\Admin\AppData\Local\Temp\16920458-8FA5-442C-9C8D-D76D91F76D3F\ServicingCommon.dll
Filesize
944KB

MD5
07231bdae9d15bfca7d97f571de3a521

SHA1
04aec0f1afcf7732bc4cd1f7aab36e460c325ba6

SHA256
be75afbbc30cad7235adf03dcc07fcee3c0c330c89b00e326ebbef2e57df5935

SHA512
2a46e0657e84481faf5c9d3de410884cb5c6e7b35039f5be04183cdac6c088cc42b12d0097e27836af14699e7815d794ca1cec80960833ab093b8dc6d44e2129

Download Submit
C:\Users\Admin\AppData\Local\Temp\16920458-8FA5-442C-9C8D-D76D91F76D3F\SysprepProvider.dll
Filesize
820KB

MD5
4dfa1eeec0822bfcfb95e4fa8ec6c143

SHA1
54251e697e289020a72e1fd412e34713f2e292cf

SHA256
901cea68c7a158a1d9c030d3939f8f72057d1cf2f902aec1bc1b22a0000c0494

SHA512
5f3f710bef75da8cddb6e40686d6a19f59fbc7d8a6842eaceb9a002ab284a91ecf48c352171e13f6a75366610988e67710439f1dde579311ebbb3cd9e4751aa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\16920458-8FA5-442C-9C8D-D76D91F76D3F\TransmogProvider.dll
Filesize
1.3MB

MD5
c1c56a9c6ea636dbca49cfcc45a188c3

SHA1
d852e49978a08e662804bf3d7ec93d8f6401a174

SHA256
b20b3eb2df22998fd7f9ff6898ba707d6b8833a8274719a5e09d5148d868faaf

SHA512
f6db05e4644d734f81c2461e4ad49c4e81880c9e4beee13dbbda923360ef6cf4821fccd9040671b86ab2cd8c85fc313c951c1a69e4df14d94268753ce7ae5b2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\16920458-8FA5-442C-9C8D-D76D91F76D3F\UnattendProvider.dll
Filesize
256KB

MD5
7c61284580a6bc4a4c9c92a39bd9ea08

SHA1
4579294e3f3b6c03b03b15c249b9cac66e730d2a

SHA256
3665872e68264bbf3827c2bf0cfa60124ea1d87912728f2fc3685dce32855cb8

SHA512
b30b89d0d5e065042811d6ff397d226877ff698aeb1153681692aedabe3730e2f3746ad9d70e3120e336552bab880644f9ead0c91a451197a8f0977a2126a0fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\16920458-8FA5-442C-9C8D-D76D91F76D3F\Vhdprovider.dll
Filesize
596KB

MD5
8a655555544b2915b5d8676cbf3d77ab

SHA1
5a7529f8a6d50d3f4e13b2e3a0585f08eb0511a2

SHA256
d3a2dd7d47bfbb3897b927d1b7230b5b12e5fd7315d687458de15fbb08fb7e27

SHA512
c6da649ae3c3688065b37bccfb5525ade25ba7bc3b163ad7d61f3b3d1c4957c8fd6c9f2bf23b0dbc4fffe32e980acb5a5d3895b8a012c5ed086e3e38caee2e93

Download Submit
C:\Users\Admin\AppData\Local\Temp\16920458-8FA5-442C-9C8D-D76D91F76D3F\WimProvider.dll
Filesize
672KB

MD5
bcf8735528bb89555fc687b1ed358844

SHA1
5ef5b24631d2f447c58b0973f61cb02118ae4adc

SHA256
78b742deddee8305ea06d77f296ad9fe0f4b4a27d71b34dcdff8ae199364790c

SHA512
8b2be4e9a4334a5fc7f7c58579c20974c9194b771f7a872fd8e411d79f45fc5b7657df4c57ad11acb915d5ea5d1f0583c8a981b2c05104e3303b3ee1469b93f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\16920458-8FA5-442C-9C8D-D76D91F76D3F\dismprov.dll
Filesize
292KB

MD5
2ac64cc617d144ae4f37677b5cdbb9b6

SHA1
13fe83d7489d302de9ccefbf02c7737e7f9442f9

SHA256
006464f42a487ab765e1e97cf2d15bfa7db76752946de52ff7e518bc5bbb9a44

SHA512
acdb2c9727f53889aa4f1ca519e1991a5d9f08ef161fb6680265804c99487386ca6207d0a22f6c3e02f34eaeb5ded076655ee3f6b4b4e1f5fab5555d73addfd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_h53kiylb.phx.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\XuanZhi9\ldopengl32x.dll
Filesize
73KB

MD5
b001f88504c8c9973e9a3b4dc03e6d1a

SHA1
a54b3046a70a4f2c792ad6a382b637b599f1dc48

SHA256
8ee4cbed114a588e934b5043f95c9c06f40468c2300fa0d1d938d16c1d46a8fd

SHA512
390e53be657fc35fb2e9f41b76b3b07c161a860d72445a4b1425ca973a6d8c0f32f6de6844719c6e9813e8d949ab65263642dea01c800a00285bd45595bed4d8

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new
Filesize
17.9MB

MD5
10fee8f62ccc54009e4507eab4c0b2c6

SHA1
93b34bddf0a6adb007c1d1b6b4e170a2e8d1d2af

SHA256
6dcbf629bb08bbd791cdf550cc3b9af0078bce4e50998e9458c44c719566ec0b

SHA512
11c33c0db2f7ad0d564cfdf049c8a70bb26cca1461423ad3636edbe307d509953623dcc72dc3fedde09ac6ba439a4180b59421b53217a165c54b2fe6666bf463

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry.zip.crdownload
Filesize
3.3MB

MD5
efe76bf09daba2c594d2bc173d9b5cf0

SHA1
ba5de52939cb809eae10fdbb7fac47095a9599a7

SHA256
707a9f323556179571bc832e34fa592066b1d5f2cac4a7426fe163597e3e618a

SHA512
4a1df71925cf2eb49c38f07c6a95bea17752b025f0114c6fd81bc0841c1d1f2965b5dda1469e454b9e8207c2e0dfd3df0959e57166620ccff86eeeb5cf855029

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\@[email protected]
Filesize
933B

MD5
f97d2e6f8d820dbd3b66f21137de4f09

SHA1
596799b75b5d60aa9cd45646f68e9c0bd06df252

SHA256
0e5ece918132a2b1a190906e74becb8e4ced36eec9f9d1c70f5da72ac4c6b92a

SHA512
efda21d83464a6a32fdeef93152ffd32a648130754fdd3635f7ff61cc1664f7fc050900f0f871b0ddd3a3846222bf62ab5df8eed42610a76be66fff5f7b4c4c0

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\@[email protected]
Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\TaskData\Tor\tor.exe
Filesize
3.0MB

MD5
fe7eb54691ad6e6af77f8a9a0b6de26d

SHA1
53912d33bec3375153b7e4e68b78d66dab62671a

SHA256
e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb

SHA512
8ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry\msg\m_finnish.wnry
Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Default\Desktop\@[email protected]
Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
C:\Windows\Logs\DISM\dism.log
Filesize
19KB

MD5
27e2512216f6515313485c4a3684da5a

SHA1
617076a2e2619d614dab0bc050b4707d5ac05454

SHA256
f1e17be2f125dc52dea5e9ccef4aa91b4087fc60ecf77410413109879b50e6bd

SHA512
90f9d59fe994931a11d3222f641e1bdfc525ebd46696e035cd12e656afef7ef796d33093faa8c006a61b421c955976f67159c0eebf31877aaaa9b4de1e820f6f

Download Submit
C:\Windows\Logs\DISM\dism.log
Filesize
23KB

MD5
1004e396a9f3d8f8c3c32cf2791f616a

SHA1
eef6b512f8d199edf475d3f0506b1f074fadd0c9

SHA256
9fd35325a803eb82357b7e11d64a82fa1292089e9e88f1a6dd044c6c72827a09

SHA512
2feec06cdfa1d95a2b631c2e0b6894b2bea95dd8adfa7062a8f552c37d39cd37f0573f6636be940d530ffe6d1b47edd3d17a6ccaa350cb50d8c25fc22781d358

Download Submit
\??\pipe\crashpad_2684_PDTGAJZMIHTQSSDE
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2724-1116-0x0000000000FE0000-0x0000000000FF6000-memory.dmp

Filesize
88KB

Download
memory/2724-1404-0x00000000707E0000-0x0000000070D86000-memory.dmp

Filesize
5.6MB

Download
memory/2724-1406-0x00000000706E0000-0x000000007075A000-memory.dmp

Filesize
488KB

Download
memory/2724-1407-0x0000000072B50000-0x0000000072BA9000-memory.dmp

Filesize
356KB

Download
memory/2724-1405-0x0000000070760000-0x00000000707DE000-memory.dmp

Filesize
504KB

Download
memory/2724-1408-0x0000000070D90000-0x000000007278B000-memory.dmp

Filesize
26.0MB

Download
memory/2724-1137-0x0000000035D10000-0x0000000035D20000-memory.dmp

Filesize
64KB

Download
memory/3528-977-0x000000006F360000-0x000000006F3AC000-memory.dmp

Filesize
304KB

Download
memory/3528-976-0x0000000005720000-0x0000000005A77000-memory.dmp

Filesize
3.3MB

Download
memory/4656-995-0x000000006F360000-0x000000006F3AC000-memory.dmp

Filesize
304KB

Download
memory/4680-960-0x0000000007BA0000-0x0000000007BBA000-memory.dmp

Filesize
104KB

Download
memory/4680-953-0x0000000007750000-0x00000000077F4000-memory.dmp

Filesize
656KB

Download
memory/4680-958-0x0000000007A80000-0x0000000007A91000-memory.dmp

Filesize
68KB

Download
memory/4680-954-0x0000000007EB0000-0x000000000852A000-memory.dmp

Filesize
6.5MB

Download
memory/4680-926-0x0000000002D00000-0x0000000002D36000-memory.dmp

Filesize
216KB

Download
memory/4680-927-0x0000000005960000-0x0000000005F8A000-memory.dmp

Filesize
6.2MB

Download
memory/4680-930-0x0000000006000000-0x0000000006066000-memory.dmp

Filesize
408KB

Download
memory/4680-959-0x0000000007AC0000-0x0000000007ACE000-memory.dmp

Filesize
56KB

Download
memory/4680-955-0x0000000007870000-0x000000000788A000-memory.dmp

Filesize
104KB

Download
memory/4680-941-0x0000000006550000-0x000000000659C000-memory.dmp

Filesize
304KB

Download
memory/4680-957-0x0000000007B00000-0x0000000007B96000-memory.dmp

Filesize
600KB

Download
memory/4680-940-0x0000000006520000-0x000000000653E000-memory.dmp

Filesize
120KB

Download
memory/4680-956-0x00000000078F0000-0x00000000078FA000-memory.dmp

Filesize
40KB

Download
memory/4680-952-0x0000000006AE0000-0x0000000006AFE000-memory.dmp

Filesize
120KB

Download
memory/4680-928-0x0000000005680000-0x00000000056A2000-memory.dmp

Filesize
136KB

Download
memory/4680-942-0x0000000006B00000-0x0000000006B34000-memory.dmp

Filesize
208KB

Download
memory/4680-943-0x000000006F360000-0x000000006F3AC000-memory.dmp

Filesize
304KB

Download
memory/4680-929-0x0000000005F90000-0x0000000005FF6000-memory.dmp

Filesize
408KB

Download
memory/4680-931-0x0000000006070000-0x00000000063C7000-memory.dmp

Filesize
3.3MB

Download
memory/5192-1390-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/5468-3242-0x0000000073650000-0x000000007386C000-memory.dmp

Filesize
2.1MB

Download
memory/5468-3413-0x0000000000AF0000-0x0000000000DEE000-memory.dmp

Filesize
3.0MB

Download
memory/5468-3400-0x0000000000AF0000-0x0000000000DEE000-memory.dmp

Filesize
3.0MB

Download
memory/5468-3375-0x00000000742B0000-0x0000000074332000-memory.dmp

Filesize
520KB

Download
memory/5468-3376-0x00000000743E0000-0x00000000743FC000-memory.dmp

Filesize
112KB

Download
memory/5468-3377-0x0000000074230000-0x00000000742A7000-memory.dmp

Filesize
476KB

Download
memory/5468-3378-0x00000000741A0000-0x0000000074222000-memory.dmp

Filesize
520KB

Download
memory/5468-3379-0x0000000074170000-0x0000000074192000-memory.dmp

Filesize
136KB

Download
memory/5468-3380-0x0000000073650000-0x000000007386C000-memory.dmp

Filesize
2.1MB

Download
memory/5468-3374-0x0000000000AF0000-0x0000000000DEE000-memory.dmp

Filesize
3.0MB

Download
memory/5468-3243-0x00000000741A0000-0x0000000074222000-memory.dmp

Filesize
520KB

Download
memory/5468-3245-0x0000000000AF0000-0x0000000000DEE000-memory.dmp

Filesize
3.0MB

Download
memory/5468-3244-0x0000000074170000-0x0000000074192000-memory.dmp

Filesize
136KB

Download
memory/5468-3241-0x00000000742B0000-0x0000000074332000-memory.dmp

Filesize
520KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads