redline | 106445763c386e992ded6aa68f37f2dd77272d6ea3c6fff34eb70c5ef094aa34

max time kernel
469s
max time network
472s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
25-02-2023 14:57

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

106445763c386e992ded6aa68f37f2dd77272d6ea3c6fff34eb70c5ef094aa34.exe
Size

1.2MB
MD5

5b3b6822964b4151c6200ecd89722a86
SHA1

ce7a11dae532b2ade1c96619bbdc8a8325582049
SHA256

106445763c386e992ded6aa68f37f2dd77272d6ea3c6fff34eb70c5ef094aa34
SHA512

2f0d99af35c326cf46810c7421325deb55ae7ca36a8edc2716a3d32d9e6769e0d374581a98912e22fceeb6973e972463ed8b2fa4d4399043c443fa100dfd17b0
SSDEEP

24576:5yY4YriuQJ5X4SuIcmuBLahxwUzN1YyqoVKucvTNLF9:sY4FuIahGxRMoobNLF

Score

10^/10

redline wannacry ronur discovery evasion infostealer persistence ransomware trojan worm

Malware Config

Extracted

Family

redline

Botnet

ronur

193.233.20.20:4134

Attributes

auth_value
f88f86755a528d4b25f6f3628c460965

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@Please_Read_Me@.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

iwN36Rn.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	iwN36Rn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	iwN36Rn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	iwN36Rn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	iwN36Rn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	iwN36Rn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	iwN36Rn.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 26 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4332-249-0x0000000004BA0000-0x0000000004BDE000-memory.dmp	family_redline
behavioral2/memory/4332-250-0x0000000004BA0000-0x0000000004BDE000-memory.dmp	family_redline
behavioral2/memory/4332-252-0x0000000004BA0000-0x0000000004BDE000-memory.dmp	family_redline
behavioral2/memory/4332-254-0x0000000004BA0000-0x0000000004BDE000-memory.dmp	family_redline
behavioral2/memory/4332-256-0x0000000004BA0000-0x0000000004BDE000-memory.dmp	family_redline
behavioral2/memory/4332-258-0x0000000004BA0000-0x0000000004BDE000-memory.dmp	family_redline
behavioral2/memory/4332-260-0x0000000004BA0000-0x0000000004BDE000-memory.dmp	family_redline
behavioral2/memory/4332-262-0x0000000004BA0000-0x0000000004BDE000-memory.dmp	family_redline
behavioral2/memory/4332-264-0x0000000004BA0000-0x0000000004BDE000-memory.dmp	family_redline
behavioral2/memory/4332-266-0x0000000004BA0000-0x0000000004BDE000-memory.dmp	family_redline
behavioral2/memory/4332-268-0x0000000004BA0000-0x0000000004BDE000-memory.dmp	family_redline
behavioral2/memory/4332-270-0x0000000004BA0000-0x0000000004BDE000-memory.dmp	family_redline
behavioral2/memory/4332-272-0x0000000004BA0000-0x0000000004BDE000-memory.dmp	family_redline
behavioral2/memory/4332-274-0x0000000004BA0000-0x0000000004BDE000-memory.dmp	family_redline
behavioral2/memory/4332-276-0x0000000004BA0000-0x0000000004BDE000-memory.dmp	family_redline
behavioral2/memory/4332-278-0x0000000004BA0000-0x0000000004BDE000-memory.dmp	family_redline
behavioral2/memory/4332-280-0x0000000004BA0000-0x0000000004BDE000-memory.dmp	family_redline
behavioral2/memory/4332-282-0x0000000004BA0000-0x0000000004BDE000-memory.dmp	family_redline
behavioral2/memory/4332-284-0x0000000004BA0000-0x0000000004BDE000-memory.dmp	family_redline
behavioral2/memory/4332-286-0x0000000004BA0000-0x0000000004BDE000-memory.dmp	family_redline
behavioral2/memory/4332-288-0x0000000004BA0000-0x0000000004BDE000-memory.dmp	family_redline
behavioral2/memory/4332-290-0x0000000004BA0000-0x0000000004BDE000-memory.dmp	family_redline
behavioral2/memory/4332-292-0x0000000004BA0000-0x0000000004BDE000-memory.dmp	family_redline
behavioral2/memory/4332-294-0x0000000004BA0000-0x0000000004BDE000-memory.dmp	family_redline
behavioral2/memory/4332-296-0x0000000004BA0000-0x0000000004BDE000-memory.dmp	family_redline
behavioral2/memory/4332-298-0x0000000004BA0000-0x0000000004BDE000-memory.dmp	family_redline

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 3 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

Endermanch@WannaCrypt0r.exe

description	ioc	process
File created	C:\Users\Admin\Pictures\ExitRequest.png.WNCRYT	Endermanch@WannaCrypt0r.exe
File renamed	C:\Users\Admin\Pictures\ExitRequest.png.WNCRYT => C:\Users\Admin\Pictures\ExitRequest.png.WNCRY	Endermanch@WannaCrypt0r.exe
File opened for modification	C:\Users\Admin\Pictures\ExitRequest.png.WNCRY	Endermanch@WannaCrypt0r.exe

Drops startup file 2 IoCs

Processes:

Endermanch@WannaCrypt0r.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDAC5D.tmp	Endermanch@WannaCrypt0r.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDAC84.tmp	Endermanch@WannaCrypt0r.exe

Executes dropped EXE 33 IoCs

Processes:

sbO31En07.exesmS09II74.exeslc39Ad82.exesko86jV13.exeiwN36Rn.exekLG98Ei.exetaskdl.exe@WanaDecryptor@.exe@WanaDecryptor@.exetaskhsvc.exetaskdl.exetaskse.exe@WanaDecryptor@.exetaskdl.exetaskse.exe@WanaDecryptor@.exetaskse.exe@WanaDecryptor@.exetaskdl.exetaskse.exe@WanaDecryptor@.exetaskdl.exetaskse.exe@WanaDecryptor@.exetaskdl.exe@WanaDecryptor@.exetaskse.exe@WanaDecryptor@.exetaskdl.exe@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exe

pid	process
3576	sbO31En07.exe
5096	smS09II74.exe
1280	slc39Ad82.exe
224	sko86jV13.exe
5080	iwN36Rn.exe
4332	kLG98Ei.exe
1052	taskdl.exe
4908	@WanaDecryptor@.exe
4152	@WanaDecryptor@.exe
1536	taskhsvc.exe
1516	taskdl.exe
2064	taskse.exe
460	@WanaDecryptor@.exe
1256	taskdl.exe
2384	taskse.exe
2396	@WanaDecryptor@.exe
4568	taskse.exe
4148	@WanaDecryptor@.exe
4024	taskdl.exe
4184	taskse.exe
576	@WanaDecryptor@.exe
2212	taskdl.exe
1292	taskse.exe
1900	@WanaDecryptor@.exe
1840	taskdl.exe
2576	@WanaDecryptor@.exe
2244	taskse.exe
4184	@WanaDecryptor@.exe
1872	taskdl.exe
3260	@WanaDecryptor@.exe
3392	@WanaDecryptor@.exe
2200	@WanaDecryptor@.exe
1960	@WanaDecryptor@.exe

Loads dropped DLL 7 IoCs

Processes:

taskhsvc.exe

pid process

1536 taskhsvc.exe
1536 taskhsvc.exe
1536 taskhsvc.exe
1536 taskhsvc.exe
1536 taskhsvc.exe
1536 taskhsvc.exe
1536 taskhsvc.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

5108 icacls.exe
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

iwN36Rn.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" iwN36Rn.exe

pid	process
1536	taskhsvc.exe
1536	taskhsvc.exe
1536	taskhsvc.exe
1536	taskhsvc.exe
1536	taskhsvc.exe
1536	taskhsvc.exe
1536	taskhsvc.exe

pid	process
5108	icacls.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	iwN36Rn.exe

Adds Run key to start application 2 TTPs 13 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

smS09II74.exesko86jV13.exereg.exechrome.exeslc39Ad82.exe106445763c386e992ded6aa68f37f2dd77272d6ea3c6fff34eb70c5ef094aa34.exesbO31En07.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	smS09II74.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	smS09II74.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	sko86jV13.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Windows\CurrentVersion\Run	chrome.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	slc39Ad82.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	sko86jV13.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\urfnhjtdlojhzxx574 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Temp1_WannaCrypt0r.zip\\tasksche.exe\""	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	106445763c386e992ded6aa68f37f2dd77272d6ea3c6fff34eb70c5ef094aa34.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	106445763c386e992ded6aa68f37f2dd77272d6ea3c6fff34eb70c5ef094aa34.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	sbO31En07.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	sbO31En07.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	slc39Ad82.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Sets desktop wallpaper using registry 2 TTPs 4 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

Endermanch@WannaCrypt0r.exe@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@WanaDecryptor@.bmp"	Endermanch@WannaCrypt0r.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@WanaDecryptor@.bmp"	@WanaDecryptor@.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@WanaDecryptor@.bmp"	@WanaDecryptor@.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@WanaDecryptor@.bmp"	@WanaDecryptor@.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 17 IoCs

Processes:

LogonUI.exechrome.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "241"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133218142664849420"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 7 IoCs

Processes:

taskmgr.exechrome.exechrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	taskmgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	taskmgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	taskmgr.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2805025096-2326403612-4231045514-1000\{489B0DA5-C9B0-47E5-9B76-73E7199E9A6F}	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000_Classes\Local Settings	chrome.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

4584 reg.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

5116 NOTEPAD.EXE

pid	process
4584	reg.exe

pid	process
5116	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

iwN36Rn.exechrome.exechrome.exetaskhsvc.exetaskmgr.exe

pid	process
5080	iwN36Rn.exe
5080	iwN36Rn.exe
5080	iwN36Rn.exe
4484	chrome.exe
4484	chrome.exe
2452	chrome.exe
2452	chrome.exe
1536	taskhsvc.exe
1536	taskhsvc.exe
1536	taskhsvc.exe
1536	taskhsvc.exe
1536	taskhsvc.exe
1536	taskhsvc.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

Processes:

@WanaDecryptor@.exetaskmgr.exe@WanaDecryptor@.exe

pid process

460 @WanaDecryptor@.exe
4924 taskmgr.exe
3260 @WanaDecryptor@.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

Processes:

chrome.exe

pid process

4484 chrome.exe
4484 chrome.exe
4484 chrome.exe
4484 chrome.exe
4484 chrome.exe
4484 chrome.exe
4484 chrome.exe
4484 chrome.exe
4484 chrome.exe

pid	process
460	@WanaDecryptor@.exe
4924	taskmgr.exe
3260	@WanaDecryptor@.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exeiwN36Rn.exekLG98Ei.exe

description	pid	process
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeDebugPrivilege	5080	iwN36Rn.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeDebugPrivilege	4332	kLG98Ei.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exetaskmgr.exe

pid	process
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

chrome.exetaskmgr.exe

pid	process
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe
4924	taskmgr.exe

Suspicious use of SetWindowsHookEx 19 IoCs

Processes:

@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exeLogonUI.exe

pid	process
4908	@WanaDecryptor@.exe
4908	@WanaDecryptor@.exe
4152	@WanaDecryptor@.exe
4152	@WanaDecryptor@.exe
460	@WanaDecryptor@.exe
460	@WanaDecryptor@.exe
2396	@WanaDecryptor@.exe
4148	@WanaDecryptor@.exe
576	@WanaDecryptor@.exe
1900	@WanaDecryptor@.exe
1900	@WanaDecryptor@.exe
2576	@WanaDecryptor@.exe
4184	@WanaDecryptor@.exe
3260	@WanaDecryptor@.exe
3260	@WanaDecryptor@.exe
3392	@WanaDecryptor@.exe
2200	@WanaDecryptor@.exe
1960	@WanaDecryptor@.exe
1792	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

106445763c386e992ded6aa68f37f2dd77272d6ea3c6fff34eb70c5ef094aa34.exesbO31En07.exechrome.exesmS09II74.exeslc39Ad82.exesko86jV13.exe

description	pid	process	target process
PID 2156 wrote to memory of 3576	2156	106445763c386e992ded6aa68f37f2dd77272d6ea3c6fff34eb70c5ef094aa34.exe	sbO31En07.exe
PID 2156 wrote to memory of 3576	2156	106445763c386e992ded6aa68f37f2dd77272d6ea3c6fff34eb70c5ef094aa34.exe	sbO31En07.exe
PID 2156 wrote to memory of 3576	2156	106445763c386e992ded6aa68f37f2dd77272d6ea3c6fff34eb70c5ef094aa34.exe	sbO31En07.exe
PID 3576 wrote to memory of 5096	3576	sbO31En07.exe	smS09II74.exe
PID 3576 wrote to memory of 5096	3576	sbO31En07.exe	smS09II74.exe
PID 3576 wrote to memory of 5096	3576	sbO31En07.exe	smS09II74.exe
PID 4484 wrote to memory of 1152	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 1152	4484	chrome.exe	chrome.exe
PID 5096 wrote to memory of 1280	5096	smS09II74.exe	slc39Ad82.exe
PID 5096 wrote to memory of 1280	5096	smS09II74.exe	slc39Ad82.exe
PID 5096 wrote to memory of 1280	5096	smS09II74.exe	slc39Ad82.exe
PID 1280 wrote to memory of 224	1280	slc39Ad82.exe	sko86jV13.exe
PID 1280 wrote to memory of 224	1280	slc39Ad82.exe	sko86jV13.exe
PID 1280 wrote to memory of 224	1280	slc39Ad82.exe	sko86jV13.exe
PID 224 wrote to memory of 5080	224	sko86jV13.exe	iwN36Rn.exe
PID 224 wrote to memory of 5080	224	sko86jV13.exe	iwN36Rn.exe
PID 4484 wrote to memory of 1704	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 1704	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 1704	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 1704	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 1704	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 1704	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 1704	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 1704	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 1704	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 1704	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 1704	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 1704	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 1704	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 1704	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 1704	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 1704	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 1704	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 1704	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 1704	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 1704	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 1704	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 1704	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 1704	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 1704	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 1704	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 1704	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 1704	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 1704	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 1704	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 1704	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 1704	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 1704	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 1704	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 1704	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 1704	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 1704	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 1704	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 1704	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 3612	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 3612	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 3684	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 3684	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 3684	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 3684	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 3684	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 3684	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 3684	4484	chrome.exe	chrome.exe
PID 4484 wrote to memory of 3684	4484	chrome.exe	chrome.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

4716 attrib.exe

pid	process
4716	attrib.exe

C:\Users\Admin\AppData\Local\Temp\106445763c386e992ded6aa68f37f2dd77272d6ea3c6fff34eb70c5ef094aa34.exe
"C:\Users\Admin\AppData\Local\Temp\106445763c386e992ded6aa68f37f2dd77272d6ea3c6fff34eb70c5ef094aa34.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2156

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sbO31En07.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sbO31En07.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3576

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\smS09II74.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\smS09II74.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5096

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\slc39Ad82.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\slc39Ad82.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1280

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\sko86jV13.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\sko86jV13.exe
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:224

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\iwN36Rn.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\iwN36Rn.exe
6⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5080

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\kLG98Ei.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\kLG98Ei.exe
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4332

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4484

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xd8,0x10c,0x7ff81bdb9758,0x7ff81bdb9768,0x7ff81bdb9778
2⤵
PID:1152

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1772 --field-trial-handle=1800,i,17864270176648191334,13177686279931573240,131072 /prefetch:2
2⤵
PID:1704

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 --field-trial-handle=1800,i,17864270176648191334,13177686279931573240,131072 /prefetch:8
2⤵
PID:3612

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2208 --field-trial-handle=1800,i,17864270176648191334,13177686279931573240,131072 /prefetch:8
2⤵
PID:3684

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3172 --field-trial-handle=1800,i,17864270176648191334,13177686279931573240,131072 /prefetch:1
2⤵
PID:3304

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3208 --field-trial-handle=1800,i,17864270176648191334,13177686279931573240,131072 /prefetch:1
2⤵
PID:3192

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4492 --field-trial-handle=1800,i,17864270176648191334,13177686279931573240,131072 /prefetch:1
2⤵
PID:3708

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4668 --field-trial-handle=1800,i,17864270176648191334,13177686279931573240,131072 /prefetch:8
2⤵
PID:4932

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4800 --field-trial-handle=1800,i,17864270176648191334,13177686279931573240,131072 /prefetch:8
2⤵
PID:4852

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4696 --field-trial-handle=1800,i,17864270176648191334,13177686279931573240,131072 /prefetch:8
2⤵
PID:5108

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5092 --field-trial-handle=1800,i,17864270176648191334,13177686279931573240,131072 /prefetch:8
2⤵
PID:2900

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5056 --field-trial-handle=1800,i,17864270176648191334,13177686279931573240,131072 /prefetch:8
2⤵
PID:2124

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5104 --field-trial-handle=1800,i,17864270176648191334,13177686279931573240,131072 /prefetch:1
2⤵
PID:4852

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=1052 --field-trial-handle=1800,i,17864270176648191334,13177686279931573240,131072 /prefetch:1
2⤵
PID:1576

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5288 --field-trial-handle=1800,i,17864270176648191334,13177686279931573240,131072 /prefetch:8
2⤵
PID:3900

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5324 --field-trial-handle=1800,i,17864270176648191334,13177686279931573240,131072 /prefetch:8
2⤵
PID:2204

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3772 --field-trial-handle=1800,i,17864270176648191334,13177686279931573240,131072 /prefetch:8
2⤵
- Modifies registry class
PID:4876

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=4984 --field-trial-handle=1800,i,17864270176648191334,13177686279931573240,131072 /prefetch:1
2⤵
PID:4212

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=5432 --field-trial-handle=1800,i,17864270176648191334,13177686279931573240,131072 /prefetch:1
2⤵
PID:3988

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5636 --field-trial-handle=1800,i,17864270176648191334,13177686279931573240,131072 /prefetch:8
2⤵
PID:5036

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5668 --field-trial-handle=1800,i,17864270176648191334,13177686279931573240,131072 /prefetch:8
2⤵
PID:1628

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=6036 --field-trial-handle=1800,i,17864270176648191334,13177686279931573240,131072 /prefetch:1
2⤵
PID:688

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=5372 --field-trial-handle=1800,i,17864270176648191334,13177686279931573240,131072 /prefetch:1
2⤵
PID:948

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3912 --field-trial-handle=1800,i,17864270176648191334,13177686279931573240,131072 /prefetch:8
2⤵
PID:4372

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5332 --field-trial-handle=1800,i,17864270176648191334,13177686279931573240,131072 /prefetch:8
2⤵
PID:3752

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5420 --field-trial-handle=1800,i,17864270176648191334,13177686279931573240,131072 /prefetch:8
2⤵
PID:4780

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5524 --field-trial-handle=1800,i,17864270176648191334,13177686279931573240,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2452

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4212

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4ec 0x324
1⤵
PID:2260

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4408

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\Endermanch@WannaCrypt0r.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\Endermanch@WannaCrypt0r.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Sets desktop wallpaper using registry
PID:3988

C:\Windows\SysWOW64\attrib.exe
attrib +h .
2⤵
- Views/modifies file attributes
PID:4716

C:\Windows\SysWOW64\icacls.exe
icacls . /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:5108

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:1052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 293711677340797.bat
2⤵
PID:1976

C:\Windows\SysWOW64\cscript.exe
cscript.exe //nologo m.vbs
3⤵
PID:4780

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /b @WanaDecryptor@.exe vs
2⤵
PID:1904

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
@WanaDecryptor@.exe vs
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4152

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
4⤵
PID:3696

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
5⤵
PID:3896

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
@WanaDecryptor@.exe co
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4908

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\TaskData\Tor\taskhsvc.exe
TaskData\Tor\taskhsvc.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1536

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
PID:2064

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:1516

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "urfnhjtdlojhzxx574" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\tasksche.exe\"" /f
2⤵
PID:2472

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "urfnhjtdlojhzxx574" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\tasksche.exe\"" /f
3⤵
- Adds Run key to start application
- Modifies registry key
PID:4584

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:460

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:1256

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2396

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
PID:2384

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
PID:4568

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:4024

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4148

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:576

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
PID:4184

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:2212

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
PID:1292

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious use of SetWindowsHookEx
PID:1900

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:1840

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
PID:2244

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4184

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:1872

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3260

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3392

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2200

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1960

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1648

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4924

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2576

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@Please_Read_Me@.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:5116

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3969055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1792

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

File Deletion

T1107

File Permissions Modification

T1222

Hidden Files and Directories

T1158

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Inhibit System Recovery

T1490

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\@WanaDecryptor@.exe.lnk
Filesize
1KB

MD5
c8ea9ce31aa8da17edde6a7200fa7a46

SHA1
fb119655c3f5f62eea5bab485000a0f710ca44f8

SHA256
d4972964d8c0726d65c35a217f9645a0f7580cd3eb0c3fa1e55a0f9e712438d1

SHA512
33b745d609c50d1f970526c5dea06853b816c10c3ffe78f1218c671a8366f15a2dde82d3a9f03a5b8265d86aa122a658f3cec8a4055f1681f52e92b9c02b2799

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000017
Filesize
50KB

MD5
b885c7f53e3588fd2e91997ab700ab1f

SHA1
b3ce441b0a5560a70e74dc0377c4a08acda17dc2

SHA256
73f7f3db6c7622dabd91efd46daae12237882a1b31e0cff78d621511ab9e9c39

SHA512
bb284d4ee2831de9f87b192c8dc8504f066cf6ac3683adbb1c2bd648f462938dd710f6b6cdcce80c01e0c021c369cce61df188628b8766c98f347dc95ec544eb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
984B

MD5
231148b872930123d8a3580591a34323

SHA1
4e42a698b39dca753686177b5fec78ca4f6b02e5

SHA256
f8db21a780df27aaf207ab788bba14075fd09e2a3225d890c587b596c7810199

SHA512
64f72de9dce5a1468cc681dabbae7d2c6f44a03634d10003665ffb7b44ee5467ada44c7b0ce02693c348cf4b913195af1e1c342db62218893e043ffe24ab2498

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
2KB

MD5
235e553d6e77c8c2514dd74cceb808a4

SHA1
e2acc93ff7de23b96560eefd70e27b8bd8e796f3

SHA256
aba255061f08bbe43f91adad920b8081e70d2b3937fe0906cd134862efebedd4

SHA512
9cfa3fa9d2313c1e696dcb74f6126fbd6103975b061dd365d0ff9ab7e99da678e803039d842858f85a3d9323dec2b72db1e58d5fab2d30b441d0689b333bb2a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
2KB

MD5
e551d0fb3104c7ad14ce138914eaa1c9

SHA1
8c7fd437eeade693ef6ad972fe0064f45c35a942

SHA256
ba4330cfe463425a5756d721bbbc56c8f249335cbd19c71fdbe6c5de2f56d09e

SHA512
85f503572240c80eaf7e9a323ab432e2801286e45d40935fb2b0eb41acdcdd88b0f08da86f3ebe348975b9fede57e21b5bab9a66e8d1c719eaede4c36960ca34

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
2KB

MD5
3d14b57d68ce31134c6d9872f0f70dfa

SHA1
aa164e3fe4e6f586f4b20432e8f01a19ba58a4ea

SHA256
b9d764cd47512b960fc0203e2b88ddb4ecedee57eb0c471a04b6b57d6106b1e1

SHA512
1449083ebecc9b4cf6fc87b1638243ef26a71fb84f862919966980d1ee709b056e3dec37c5810bf88dcdd1c045bbd6f3ff7f9e1f20f4dd05ee12d5c524bd5c68

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1
Filesize
264KB

MD5
0be1a5c52b65e43103c953eda2b6f512

SHA1
1afd0e92b344661a393215af54c5cc5c8057fcdb

SHA256
8314f424ac3cf5f9262f6fe633e435d2599d8f063ae37c28efae2b682da39392

SHA512
1ec30475d7886d1ac2aafa58e60c8862701db3020fe8a9e0ed80fe0b3640b8aa5510a81896c8763c45aea4e389d0b8d194c1268da7cef5cb3cc94e1392579193

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
4KB

MD5
1e30c9d409a39703a3fda5d6c789db70

SHA1
6cae16408d650d4d389b4492a0fcc1cf1c7146ae

SHA256
4fee83c4567b07981d729d7e625130ac3e6310eb349a853ef5a9124d8e127d12

SHA512
60c1a9e53981392bc1c06129f7e620ba3d2fbd603f46256baef0a6d5f2b430156670bfa9ef6ccf1da9f4ae02fefb8277e2a7152e33c77f83e20576eae0ad717a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
6KB

MD5
4964af6084783d48700fa0b835f70e0b

SHA1
034c21840d46443cdd336802c4e896fadb9829c3

SHA256
7baca73d577c656fcc5934be75b49ad5b4fe1476446b66f2d59a43e70c3a8ec7

SHA512
e99ce63c89068d3c062027bfb97d40ae15aca45e78ffdfb92cf0679b0e7bcf9f2fdd5df8021c15ea405168c3f5c2aedc90e66f4ca3f2488cf0e53c832f304699

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
6KB

MD5
68d99c19e2fb1c5b4594ac7112e03c3b

SHA1
52930da3ed2c0b05ddcd47d30e894d39b7876f78

SHA256
5c71468f9a408254829dd9a9d57579bf4a2b7d368d9739eceaaa0738b519f1be

SHA512
292d69d69357151c4b396516f06fa66dff9a1eb1ad2999c62e422ab84bd6f07a55c40a4fbd068a80d7df1d36919cf45aa7c143fe55cbedb515d14ec0b78ad26d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
2KB

MD5
0c53a95d6fe07b0cc3d0f40eed82eec6

SHA1
29cfdc6208cfa63742fe32a43c3fedd3d9b14fc3

SHA256
06098161111dcafd5f1c69e7387baac6b3e5e80664b6f867b744349f48b171a8

SHA512
36987850427fa4d4cbaf3787f96ce19f3e6f1beb91ce5b922ff0d7963e9c9e0449a78e1dbb1eba7bd38ec9c31d3fbf9fa47e792cd57e146a4b8922bb624de37d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
371B

MD5
e41d838d5a6d36e88fe4b16b65ac9709

SHA1
76b890b961c8192511416de58e46c427ea5c4af7

SHA256
6da16418b419ccb3792d79d7aebaf9783cadfacbd04bee42dd6cc9d0750070d3

SHA512
e9bf4ee1aff464462a665f5718247edcd57a679dbbc5e6caa6781c735378d532ad8892778ca1480b44c5b014064cf8f6b07a1e9d7e9f379a3b731d5474835349

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
371B

MD5
f5c48b3d8bf2ac26d757c1830567241f

SHA1
f96a65265031c1499cc7f9ff91d75279758d3cba

SHA256
44efbb523de59eac823320789761a982875ca5753162c6a5f9ad78974520d297

SHA512
fdc148652041cd9573ed735c26511d3da0a862273099f8f0a12f713b689153a3a47aa76701a19062a5d15afa462d593419c0b0343f28774bbdc73c900b703379

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
371B

MD5
04221d5635abe08ab014a4ca906885e8

SHA1
b196f272df44051a20810b87692369e0b1698426

SHA256
dedb8d300fcf969eb65919cb4d66f6f55bae1c3aa015e1f855a99c371309c6e9

SHA512
a9407f5e56773f5289c8f1b1ffc97381ab269f4d98e4468702a57ca3af39e13e36e7f2910955764e26b1ab652a0bd7d9805edb50a1a05d9062b3e6fc62a14d09

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
874B

MD5
454b0cf4852051491aae0e7917c15649

SHA1
d60d717e65a98351ff8ab8134f50dbc1e5b21206

SHA256
a148b807cfb416cc4c42cf02960575f0e56839c78cfb5c48e12bd3fe746f210c

SHA512
db3257790910504f567970af1a9553eec8d30ceb2b381fe860b510842a24731f84bcc95f16657810454e49f9976a4e09d13d07766ae0139b7adf8d160a7d049b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
370df5db6e6eb956f4e0d2d404adf8aa

SHA1
0f57e246cf1358eb01fdbc72ae6c1ef12993ff8a

SHA256
685ba9db65ce9b2860de8cd71f16ddec4e32130df8f55b46368eb833e0a4933b

SHA512
6529a1e15fa990d8f5cc365cce1b0d5fde440129ffb889e6425b6e0d59a88e32b91429d3faea6cb7d524d9cdbcce69978f1cbf12023253686573a9b5f6b17fb1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
2KB

MD5
176e89fb1856f88b74540579b2c5f22b

SHA1
2e80223d4b567f6509c9a7db9e9aaff3ea712d6c

SHA256
ca503aa0bcbc213efcdc55a1269cfa6979380aed478b78c34aec9437c2fbc49f

SHA512
214c96ce0864433bca879b6b81401df8242822f99165810e96a02574d44d2e18f72f610774f87a71f4e0629e1de15585d01553e7dc44c4668cf0beb46dd673ce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
2KB

MD5
3a121c67021eb87ec94207bb3dfb0255

SHA1
f8c8ee39eb6cb0352659bab477342457e93eac8b

SHA256
f9467da3c3e29d821a58b9dcd0dc9381a0c456e84bbfa4c42a16034ff6ef24cf

SHA512
0f4f3e8b332ab5cd75447178e6e44a282d3a8dc2bdd91bb646630fb4d30cdb2c32a4e11667b75da1dfa7b1058009fcd43a0b05145e1c9ad3621b82073c42611f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
f0aeb564720aaca0bb70a3fe9e0dc027

SHA1
e0260cdc9f5c8236b648b16c0f69986c279a70d7

SHA256
cde5d1413fe3f919b4a9f6bc5aede0827416509221faaf35606fe4965cc88a79

SHA512
c8bd53435ded10c1df7532a6d7446a0609ddcfb61488e417e9f3ff773fba8e35d1b37ec9b1101658cea8316bd70c86c6abae840b0e3d396dc05aa9bba5027575

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
5f5643bbfdc0d92b891830fe055d951c

SHA1
aca4d004f2664d07218318f99624a4a26ced50ca

SHA256
269edc113ea343cedae4d53aaa846941bdbce61a47c65b0e6ba1fc4a901461b6

SHA512
3a3d4e270c6d288e5130e4d5b60bff6722b879f809dc044edd583f472b276c2360f3f47c1fc42c994abe7fdc4d3e12dd00aef1dc522fe81cd854a685c534d1c2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
510f30778e1028d9c6153211f286fd02

SHA1
3a849c10292d29a191e862f17cdd2d84034bf326

SHA256
d1d091b4fe19fc3b2d978658085349fdc4cd6a8c09f03c16991ed6dee419c6fe

SHA512
91626148b12f79fa4a47c8d74cca12105855beb80c6d7ce630dffc824fcfee519113cceb12f220a16a8bfb0322d31465eeb05cfc65a9fe4e602640062ca12a20

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
8ebfba217de706efd7a6e7d6ffc71833

SHA1
ae963fb3165d8141a3e3286514ad476e05dab656

SHA256
1c0042e1945cace8be17d9e1f2f200a5bd2314719565aff36b05b6b131c3b33e

SHA512
cbd36ee5fbd7924c4e669268774a7460976afbbf3c0fdb04bccdbd601efa7709e22457c84a3e268de0a2e2066a2e735dc87320c74ee18478d979e3335273d3dc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
8KB

MD5
effa3746554cd5d8d6addd89dce275e7

SHA1
f9bbe8e4103f0a3c96d79f831e6809ab9673f828

SHA256
4453ae186c8f1a57da294ea0a38c0eff3b5e833937289007ef12389cd7119c91

SHA512
991d7a3d28e61acd9b715a697dd6af9ea5539440a61cda5daba63e13bf11511a2eda4735c395c285dd3ad1060b9269446a648ea2929c22228a1b8e12a0c26fa6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
8KB

MD5
6567b20c3dda2db893645a31ab193b1d

SHA1
cf942574a0a5db589c8703f108bb3f291fba3cf2

SHA256
d82eb605463dc2b4c37b9cba1741265764b70bb7cd48b4e4fdca435be3eef960

SHA512
eb1edb483733e87b5731eb6e99759d40e4f810671b28c5bb9868f875afb3195983c54a77b832d7b519195b68e0eea32dae44c1b5b09686ea17cd0c253d23ceab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
8KB

MD5
ccaa22c3feef89a6bf14798d6d945ce5

SHA1
b9c65263cc02b4d87e1dee07e070236021333999

SHA256
c51f553548befeedfcac93f4946c9807750aa5de6b448f34eeed9a3b34607828

SHA512
29d347768dc6fb030fa678de746c7be80300f861edf0ba09bbb2480a451bb30bff181a3916ea2e8397e735758f1c207c4e57218d88cdfca6029c648c7d3e8c24

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
77a31abd66a8bd773a5a0641174e5a8d

SHA1
f688a63ee2dc9345c7b7b58a6663ccde33b31653

SHA256
d617897e1003630260a77a9efa0df0a0ac0cd16729c1f79b51248c9ec7e49919

SHA512
319ff79a74bd182d5de49306d85530f85caec9cdb3fe697fc1d3d2e802c24b63a4d7f341daafd0ac283e0c8bf53ff7de63dcf2e96893835811e4a63534010b22

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
f0ea988ed51873ae93469d96197f96a3

SHA1
b066000d2315638d98c3f0e16ae08d1127b9421a

SHA256
4e1019d8b3d40dab1e76c1345e3bb9ac1c8f99d30d6888bab5333083be709755

SHA512
6ebd1fbad5ba308316a172b51d01cd108da273447f1b60d499c4791abb9a14a1726315ecd51a0f5cf79942f64a3707c7e4c24abbb14b4ab4dd4722a55774b03f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
8KB

MD5
73f9a1a99f488dafbf49b1914c56879e

SHA1
ecc444ad6824eaa08add068f953f842440082129

SHA256
ba4e3bea3cbc9dd2b18adfdd64d861123bfbbbb19d2b0ad4c8962391a6b5cfe9

SHA512
16684d3990c17cd696940dd6d5e2cac928a7bc1229b148fda7c78fa4b19fe7fececab6732a3243048beea3b093cee1ef4372d5453ce26f79395189d6c346b51e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
15KB

MD5
9e59304a8ef6ec849dbdf49083cef891

SHA1
707a08d484b1fd508ba89fd185356b533e1a63c0

SHA256
c5f125da7e9d93169a61bb0ca180888d9d7240858f2e7cde6e7a6a18bb98a4f2

SHA512
1a80105b2fa23542d3ae24bb951d07feadea2b35eaa219af7aa49b423d54bc99a1568b6baefdbc5b9c6cae412b280aa4da7d9c105b01fc190eb7edeb0d888336

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\10f83316-c2b3-41f1-99ba-c64d6cc5e932\index-dir\the-real-index
Filesize
624B

MD5
3932a90cf777c5d81e326627c4317030

SHA1
deb3363d88530c40752429a5db68f1963beef3b1

SHA256
ff0c0f087defc7624d414d1727f72262a01e841c6420de60ba9458dcdb723dcc

SHA512
ab4313f3a43c796f48abfa4e57c2fec6a0a8730b6a672455ff50b9693756b8187eacd86cb729a2841098dde0e18900b24b84b6277d98edd0e7b2abb0ad342a65

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\10f83316-c2b3-41f1-99ba-c64d6cc5e932\index-dir\the-real-index~RFe5797fa.TMP
Filesize
48B

MD5
14675d4d4800391157e96bbbc6fd3319

SHA1
4152a0a3be3e9a5079fc56a43397642735b5d6ca

SHA256
7edd9464334745849e11238df68210cc63e5a8548a42a0bfdf33eee8d01e2229

SHA512
d7030ecc536ad80d957c0e29fbae11e4a31eed2e9045e05b0e91adaa3e91791247c94c83a75c4f0a2e82c601a8f55208fed117aae49a1669aca47624677a8575

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
56B

MD5
ae1bccd6831ebfe5ad03b482ee266e4f

SHA1
01f4179f48f1af383b275d7ee338dd160b6f558a

SHA256
1b11047e738f76c94c9d15ee981ec46b286a54def1a7852ca1ade7f908988649

SHA512
baf7ff6747f30e542c254f46a9678b9dbf42312933962c391b79eca6fcb615e4ba9283c00f554d6021e594f18c087899bc9b5362c41c0d6f862bba7fb9f83038

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
129B

MD5
797181568924183159eb7d5b9c3c5d47

SHA1
553f7c4e11b0d43bb2b729e1f6916772a2199050

SHA256
910808a6e2696ee81783f8f02c53addb6e2a2f738277490e6e401667f57e107f

SHA512
2fa58b7c657fdd165797fbfac7b9c36b09d124a8b1e58c53655387ac4176198f9cb779c541fcb410aa19c4d49793194822d96fe429cb0fc0ca50400bf7a3cc94

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
189B

MD5
a924a41213eacb532e951ba043eceaa6

SHA1
39db399243f33996c1b17c4c69123995e2ca97c0

SHA256
4895dae2723a8a08c7629d9d53b7938f688f2b1552ba4a7acbf5b6ed44155a12

SHA512
149d1944262540c0968bca8d02b4e34bb9d9cdf2f8d2bf8369ba17a4176a418d478cb4d92ba5279c20cd0d871fd3d6f3a6d001efb35d1d7f71e4d36bce550c96

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
125B

MD5
7b42256c53fb46d9e57d546f8466c311

SHA1
9baa32fae087f733aa6d0550cb5d8fcf55e0b1c0

SHA256
bc6bae3bfc3cebb4f965c2270824149fd80651d8c9c9ef28c1a455e39f979782

SHA512
c579a5328ccc1ccd3f46bf6dbd1a0b3f4518a621132e57e3cd5969e7d9060eb2d40db6c2d1d6ee8429739c0a1bd1f2cb10f290b87263d276afa723764dc7d332

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe57373c.TMP
Filesize
120B

MD5
554ddda9d2af554525825842f5f6dcb2

SHA1
0dcc26f3db19d3e1dff6c6f85b93c85a8fae2d3c

SHA256
685183769464f7e4e360ec9d37fc1ec2f09845f81f149e708dd579dc595817d2

SHA512
e2a736c0877a555f66da6d5a38930ceec78564f0daaca8a7fee1b06cb7603a34f2d519f3e67545a580c174c7a8c4196903bce62fed5c06eb0d1b35ab3cf3e9cd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize
96B

MD5
e4f5b0154a0255eea84a3e2377b6a48a

SHA1
e42e06ae4fb51819753a57de076d9585f3f2cede

SHA256
2e3e5982c318a27c9fdd10927a2115d92674bfbde76d4ef12a29ed3a561467ec

SHA512
2bc737f4a65b512b6b8d2a8a4f6e0738ac8f268d33fdb3e3ed6cabc7c68a68c588c7152ccde5a45cad3491ed10876e14e45c842d81f579851d709868893ac41c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe578b19.TMP
Filesize
48B

MD5
9d209194f3f0438db28c2f579a8e59e3

SHA1
03766a5c9db2ff08d50d7ad1adc9b30400618103

SHA256
3a2d8812fa32449b00092e4148d5bb7731f3b6b0f8a6334d17585150739e44ae

SHA512
a3ebcf29e60400a81c16bd5998caf41afd8783bb2db3ee6bab5e01384fcd06aa3d78b8d3f2a21ff4ba0fea1628817ab989daedbe754e04980b84df0ba8bc3ee0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp\scoped_dir4484_1117132789\Icons Monochrome\16.png
Filesize
216B

MD5
a4fd4f5953721f7f3a5b4bfd58922efe

SHA1
f3abed41d764efbd26bacf84c42bd8098a14c5cb

SHA256
c659d57841bb33d63f7b1334200548f207340d95e8e2ae25aac7a798a08071a3

SHA512
7fcc1ca4d6d97335e76faa65b7cfb381fb722210041bdcd3b31b0f94e15dc226eec4639547af86ae71f311f52a956dc83294c2d23f345e63b5e45e25956b2691

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp\scoped_dir4484_161264621\Shortcuts Menu Icons\Monochrome\0\512.png
Filesize
2KB

MD5
12a429f9782bcff446dc1089b68d44ee

SHA1
e41e5a1a4f2950a7f2da8be77ca26a66da7093b9

SHA256
e1d7407b07c40b5436d78db1077a16fbf75d49e32f3cbd01187b5eaaa10f1e37

SHA512
1da99c5278a589972a1d711d694890f4fd4ec4e56f83781ab9dee91ba99530a7f90d969588fa24dce24b094a28bdecbea80328cee862031a8b289f3e4f38ce7a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp\scoped_dir4484_161264621\Shortcuts Menu Icons\Monochrome\1\512.png
Filesize
10KB

MD5
7f57c509f12aaae2c269646db7fde6e8

SHA1
969d8c0e3d9140f843f36ccf2974b112ad7afc07

SHA256
1d5c9f67fe93f9fcc1a1b61ebc35bda8f98f1261e5005ae37af71f42aab1d90f

SHA512
3503a0f4939bed9e1fd5e086b17d6de1063220dffdab2d2373aa9582a2454a9d8f18c1be74442f4e597bdba796d2d69220bd9e6be632a15367225b804187ea18

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
140KB

MD5
d08d535d0bc421f65c7919ff5388165f

SHA1
c7f7c8c3e8431980ca21a6c5bed3432573323df8

SHA256
d73a7a36ac0a4dae0f4fe8cd5c1059ea2f073147d2f07242c3b691aa15d98afa

SHA512
88f718f3fd732f49ab4888f70ab8ec0f695fc3858d91e996434e92e0ee9c502c956625aaecc8edadcb2303d090e2a2999ca8aa12242970a6ac0ca4b7eccf9aa6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
140KB

MD5
7203cda219f0954d217663d244f78d7a

SHA1
814db839c7fda9221cd512d5459bcfbfa1ce8986

SHA256
f36d44f45ea134645a7072f88bb35a3f297a16fa9e63fdb3d7ecef5f04878a7f

SHA512
c1fc6ee87937eda7f23f57d7667d92a69c2070402de438f72b1f76a68f3e7c107e5464b8f0f994748c845f4d56fc1070422f362199ae4e4b7756901f30830b77

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
140KB

MD5
b1b76595ea3f82143e3616eeeb3d712e

SHA1
e0422370e81269fddf5cd759e2fcaf64ac901d9a

SHA256
3d16dbc31bb0c86789eb443258bb6aa7995e1541a437f4369ee850f3beac859b

SHA512
1f1db6ac055131423d7c7aa89674c5a29da03ce0df71c022b4bff37a233183011eca4c4f4c44faea228e16f40bae0ab05850db80c87b7d2fe4cdb9358bbd2e7b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
98KB

MD5
6e2da7b28eb6693911b21840a1b433de

SHA1
c85f8251229d79169ca3897b0f966b0778109de1

SHA256
b3b0508b10ca381937dabb7024fdfa6595484a7e86eb3d242027765d219d4b55

SHA512
68785ffcec3e7a6e61319b2a0d81edf40e73986296e125dcf0faea3be04099df23acfb82688f7f450e9bd7d1cbf9fa7b808fe8b8c4543d9a1b9e15731006a21f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
106KB

MD5
fa39235aa4dacf02bda73eb8fc85932b

SHA1
1a0ad1600ec7b1e4b4798998c7efb4d8aaca67f3

SHA256
11e5c0c9b11a7cdac9b5a1870d1a9259de99ef11a7c38628d5d9b3d38c1966b1

SHA512
c20e02a8309cd0573e60145ca1f01f63419ed5288400decdf02f4fa3381bbf824fcebc4886835f6bc679caeef834fe41f2dba51e64a0775df32f7e173495db6b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57612b.TMP
Filesize
96KB

MD5
225b74de746154d749e670fbea90eb8f

SHA1
49290ea4ef957d24771c043f72fc64e336be5474

SHA256
8d043c6fcbded8657298ba0fddb2c5e9c2cec0a9e0b8572a71d9a9e487881e4a

SHA512
6e0862db4a5bf5a734d14b01e2e80c002fbef413735d7638875d525b5f70fec2ad16d77b603d555dbbb413ec7ba8f7e6edbaace86b0eb9337979670055dc4022

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sbO31En07.exe
Filesize
1010KB

MD5
f8d3a0a73fbee1e94dcd0fedf9a31c4e

SHA1
71ef31102516e25e3b3aa347b5c697a85d237b16

SHA256
ad974386b5f8a42a0ff8d77d4f6e1919f2bfbe3f4008320acb1bc327e6f4947c

SHA512
81337186639f964ed048b288be37575ffaa989d9d6c6a91a27db8d6bfe5c4fb42f11d63ab32008e485f921bcb774304a6f96cb4e17778dcc38f1e4b072deca28

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\sbO31En07.exe
Filesize
1010KB

MD5
f8d3a0a73fbee1e94dcd0fedf9a31c4e

SHA1
71ef31102516e25e3b3aa347b5c697a85d237b16

SHA256
ad974386b5f8a42a0ff8d77d4f6e1919f2bfbe3f4008320acb1bc327e6f4947c

SHA512
81337186639f964ed048b288be37575ffaa989d9d6c6a91a27db8d6bfe5c4fb42f11d63ab32008e485f921bcb774304a6f96cb4e17778dcc38f1e4b072deca28

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\smS09II74.exe
Filesize
869KB

MD5
5739bc2cafd62977daa950a317be8d14

SHA1
f7f582e1863642c4d5a8341e2005c06c0f3d9e74

SHA256
b3cad94dc96473ea46e9af91de2a2126ee2345d47a2d1a926182db447de2ecc9

SHA512
f55320fdf0383e3c7f8a9841c3444b58f9551d879d89ad1ee44388e9621b4b5f0f7e504915012e3acf24b3aa45a3d0f1e692ddee89a38d3987f95fe97d5bae8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\smS09II74.exe
Filesize
869KB

MD5
5739bc2cafd62977daa950a317be8d14

SHA1
f7f582e1863642c4d5a8341e2005c06c0f3d9e74

SHA256
b3cad94dc96473ea46e9af91de2a2126ee2345d47a2d1a926182db447de2ecc9

SHA512
f55320fdf0383e3c7f8a9841c3444b58f9551d879d89ad1ee44388e9621b4b5f0f7e504915012e3acf24b3aa45a3d0f1e692ddee89a38d3987f95fe97d5bae8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\slc39Ad82.exe
Filesize
651KB

MD5
e12e7b53183d3b1c6cd53ef42aa815f8

SHA1
9dedb739590a02e37c82e54cc8eb3e0ce57248ee

SHA256
63ac9bdbd61a661f5bc96825ad4408df1312b18f455472b63c66f6e5efb05e63

SHA512
5e4a61453476d524cf3b96743e2f5163c01f3ae1d8f05653d9ed3ffd0614b43afa013554e6c0b0294763e80beca5081fc088ad6e595a2af67115a62f4cce410c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\slc39Ad82.exe
Filesize
651KB

MD5
e12e7b53183d3b1c6cd53ef42aa815f8

SHA1
9dedb739590a02e37c82e54cc8eb3e0ce57248ee

SHA256
63ac9bdbd61a661f5bc96825ad4408df1312b18f455472b63c66f6e5efb05e63

SHA512
5e4a61453476d524cf3b96743e2f5163c01f3ae1d8f05653d9ed3ffd0614b43afa013554e6c0b0294763e80beca5081fc088ad6e595a2af67115a62f4cce410c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\sko86jV13.exe
Filesize
383KB

MD5
7c29db2ac66b846cc00ca802838c116b

SHA1
23f9d79f7cf7d5fb41111bf4896645d3989b4f11

SHA256
e4519665ce98d8426aceadad26a6bbe92b455f59f6261a8240dcba5b40e6a51b

SHA512
a46c3d3a3e7ff2ae24cf67eed51367cd5b422cc793911d59de19d2ba0c763c29f569b9876ef41ad74ec3e9977ab280100c09755abdc6908e269bce4a1b761cb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\sko86jV13.exe
Filesize
383KB

MD5
7c29db2ac66b846cc00ca802838c116b

SHA1
23f9d79f7cf7d5fb41111bf4896645d3989b4f11

SHA256
e4519665ce98d8426aceadad26a6bbe92b455f59f6261a8240dcba5b40e6a51b

SHA512
a46c3d3a3e7ff2ae24cf67eed51367cd5b422cc793911d59de19d2ba0c763c29f569b9876ef41ad74ec3e9977ab280100c09755abdc6908e269bce4a1b761cb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\iwN36Rn.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\iwN36Rn.exe
Filesize
11KB

MD5
7e93bacbbc33e6652e147e7fe07572a0

SHA1
421a7167da01c8da4dc4d5234ca3dd84e319e762

SHA256
850cd190aaeebcf1505674d97f51756f325e650320eaf76785d954223a9bee38

SHA512
250169d7b6fcebff400be89edae8340f14130ced70c340ba9da9f225f62b52b35f6645bfb510962efb866f988688cb42392561d3e6b72194bc89d310ea43aa91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\kLG98Ei.exe
Filesize
275KB

MD5
ef9dd5707f37f0e2f802b3d7856e7bbc

SHA1
e9cbeca90f2edece7174b0fcffe65f311b5b3689

SHA256
de4cdd6ab46f28034be20c1a3231035ac3dc1aafbb443e0ccaaadd3ccdf0fadf

SHA512
24d042eb4715e4a9ed98609fe264bbd1aded094c2efa410e59a3bd800fc36561242c1433e8573de9581bea6e38b9f269dcd6b2eba20e4548e5cdd893c9334b44

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\kLG98Ei.exe
Filesize
275KB

MD5
ef9dd5707f37f0e2f802b3d7856e7bbc

SHA1
e9cbeca90f2edece7174b0fcffe65f311b5b3689

SHA256
de4cdd6ab46f28034be20c1a3231035ac3dc1aafbb443e0ccaaadd3ccdf0fadf

SHA512
24d042eb4715e4a9ed98609fe264bbd1aded094c2efa410e59a3bd800fc36561242c1433e8573de9581bea6e38b9f269dcd6b2eba20e4548e5cdd893c9334b44

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\kLG98Ei.exe
Filesize
275KB

MD5
ef9dd5707f37f0e2f802b3d7856e7bbc

SHA1
e9cbeca90f2edece7174b0fcffe65f311b5b3689

SHA256
de4cdd6ab46f28034be20c1a3231035ac3dc1aafbb443e0ccaaadd3ccdf0fadf

SHA512
24d042eb4715e4a9ed98609fe264bbd1aded094c2efa410e59a3bd800fc36561242c1433e8573de9581bea6e38b9f269dcd6b2eba20e4548e5cdd893c9334b44

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@Please_Read_Me@.txt
Filesize
933B

MD5
7a2726bb6e6a79fb1d092b7f2b688af0

SHA1
b3effadce8b76aee8cd6ce2eccbb8701797468a2

SHA256
840ab19c411c918ea3e7526d0df4b9cb002de5ea15e854389285df0d1ea9a8e5

SHA512
4e107f661e6be183659fdd265e131a64cce2112d842226305f6b111d00109a970fda0b5abfb1daa9f64428e445e3b472332392435707c9aebbfe94c480c72e54

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\TaskData\Tor\tor.exe
Filesize
3.0MB

MD5
fe7eb54691ad6e6af77f8a9a0b6de26d

SHA1
53912d33bec3375153b7e4e68b78d66dab62671a

SHA256
e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb

SHA512
8ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\b.wnry
Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\c.wnry
Filesize
780B

MD5
8124a611153cd3aceb85a7ac58eaa25d

SHA1
c1d5cd8774261d810dca9b6a8e478d01cd4995d6

SHA256
0ceb451c1dbefaa8231eeb462e8ce639863eb5b8ae4fa63a353eb6e86173119e

SHA512
b9c8dfb5d58c95628528cc729d2394367c5e205328645ca6ef78a3552d9ad9f824ae20611a43a6e01daaffeffdc9094f80d772620c731e4192eb0835b8ed0f17

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_bulgarian.wnry
Filesize
46KB

MD5
95673b0f968c0f55b32204361940d184

SHA1
81e427d15a1a826b93e91c3d2fa65221c8ca9cff

SHA256
40b37e7b80cf678d7dd302aaf41b88135ade6ddf44d89bdba19cf171564444bd

SHA512
7601f1883edbb4150a9dc17084012323b3bfa66f6d19d3d0355cf82b6a1c9dce475d758da18b6d17a8b321bf6fca20915224dbaedcb3f4d16abfaf7a5fc21b92

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_chinese (simplified).wnry
Filesize
53KB

MD5
0252d45ca21c8e43c9742285c48e91ad

SHA1
5c14551d2736eef3a1c1970cc492206e531703c1

SHA256
845d0e178aeebd6c7e2a2e9697b2bf6cf02028c50c288b3ba88fe2918ea2834a

SHA512
1bfcf6c0e7c977d777f12bd20ac347630999c4d99bd706b40de7ff8f2f52e02560d68093142cc93722095657807a1480ce3fb6a2e000c488550548c497998755

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_chinese (traditional).wnry
Filesize
77KB

MD5
2efc3690d67cd073a9406a25005f7cea

SHA1
52c07f98870eabace6ec370b7eb562751e8067e9

SHA256
5c7f6ad1ec4bc2c8e2c9c126633215daba7de731ac8b12be10ca157417c97f3a

SHA512
0766c58e64d9cda5328e00b86f8482316e944aa2c26523a3c37289e22c34be4b70937033bebdb217f675e40db9fecdce0a0d516f9065a170e28286c2d218487c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_croatian.wnry
Filesize
38KB

MD5
17194003fa70ce477326ce2f6deeb270

SHA1
e325988f68d327743926ea317abb9882f347fa73

SHA256
3f33734b2d34cce83936ce99c3494cd845f1d2c02d7f6da31d42dfc1ca15a171

SHA512
dcf4ccf0b352a8b271827b3b8e181f7d6502ca0f8c9dda3dc6e53441bb4ae6e77b49c9c947cc3ede0bf323f09140a0c068a907f3c23ea2a8495d1ad96820051c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_czech.wnry
Filesize
39KB

MD5
537efeecdfa94cc421e58fd82a58ba9e

SHA1
3609456e16bc16ba447979f3aa69221290ec17d0

SHA256
5afa4753afa048c6d6c39327ce674f27f5f6e5d3f2a060b7a8aed61725481150

SHA512
e007786ffa09ccd5a24e5c6504c8de444929a2faaafad3712367c05615b7e1b0fbf7fbfff7028ed3f832ce226957390d8bf54308870e9ed597948a838da1137b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_danish.wnry
Filesize
36KB

MD5
2c5a3b81d5c4715b7bea01033367fcb5

SHA1
b548b45da8463e17199daafd34c23591f94e82cd

SHA256
a75bb44284b9db8d702692f84909a7e23f21141866adf3db888042e9109a1cb6

SHA512
490c5a892fac801b853c348477b1140755d4c53ca05726ac19d3649af4285c93523393a3667e209c71c80ac06ffd809f62dd69ae65012dcb00445d032f1277b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_dutch.wnry
Filesize
36KB

MD5
7a8d499407c6a647c03c4471a67eaad7

SHA1
d573b6ac8e7e04a05cbbd6b7f6a9842f371d343b

SHA256
2c95bef914da6c50d7bdedec601e589fbb4fda24c4863a7260f4f72bd025799c

SHA512
608ef3ff0a517fe1e70ff41aeb277821565c5a9bee5103aa5e45c68d4763fce507c2a34d810f4cd242d163181f8341d9a69e93fe32aded6fbc7f544c55743f12

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_english.wnry
Filesize
36KB

MD5
fe68c2dc0d2419b38f44d83f2fcf232e

SHA1
6c6e49949957215aa2f3dfb72207d249adf36283

SHA256
26fd072fda6e12f8c2d3292086ef0390785efa2c556e2a88bd4673102af703e5

SHA512
941fa0a1f6a5756ed54260994db6158a7ebeb9e18b5c8ca2f6530c579bc4455918df0b38c609f501ca466b3cc067b40e4b861ad6513373b483b36338ae20a810

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_filipino.wnry
Filesize
36KB

MD5
08b9e69b57e4c9b966664f8e1c27ab09

SHA1
2da1025bbbfb3cd308070765fc0893a48e5a85fa

SHA256
d8489f8c16318e524b45de8b35d7e2c3cd8ed4821c136f12f5ef3c9fc3321324

SHA512
966b5ed68be6b5ccd46e0de1fa868cfe5432d9bf82e1e2f6eb99b2aef3c92f88d96f4f4eec5e16381b9c6db80a68071e7124ca1474d664bdd77e1817ec600cb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_finnish.wnry
Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_finnish.wnry
Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_french.wnry
Filesize
37KB

MD5
4e57113a6bf6b88fdd32782a4a381274

SHA1
0fccbc91f0f94453d91670c6794f71348711061d

SHA256
9bd38110e6523547aed50617ddc77d0920d408faeed2b7a21ab163fda22177bc

SHA512
4f1918a12269c654d44e9d394bc209ef0bc32242be8833a2fba437b879125177e149f56f2fb0c302330dec328139b34982c04b3fefb045612b6cc9f83ec85aa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_german.wnry
Filesize
36KB

MD5
3d59bbb5553fe03a89f817819540f469

SHA1
26781d4b06ff704800b463d0f1fca3afd923a9fe

SHA256
2adc900fafa9938d85ce53cb793271f37af40cf499bcc454f44975db533f0b61

SHA512
95719ae80589f71209bb3cb953276538040e7111b994d757b0a24283aefe27aadbbe9eef3f1f823ce4cabc1090946d4a2a558607ac6cac6faca5971529b34dac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_greek.wnry
Filesize
47KB

MD5
fb4e8718fea95bb7479727fde80cb424

SHA1
1088c7653cba385fe994e9ae34a6595898f20aeb

SHA256
e13cc9b13aa5074dc45d50379eceb17ee39a0c2531ab617d93800fe236758ca9

SHA512
24db377af1569e4e2b2ebccec42564cea95a30f1ff43bcaf25a692f99567e027bcef4aacef008ec5f64ea2eef0c04be88d2b30bcadabb3919b5f45a6633940cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_indonesian.wnry
Filesize
36KB

MD5
3788f91c694dfc48e12417ce93356b0f

SHA1
eb3b87f7f654b604daf3484da9e02ca6c4ea98b7

SHA256
23e5e738aad10fb8ef89aa0285269aff728070080158fd3e7792fe9ed47c51f4

SHA512
b7dd9e6dc7c2d023ff958caf132f0544c76fae3b2d8e49753257676cc541735807b4befdf483bcae94c2dcde3c878c783b4a89dca0fecbc78f5bbf7c356f35cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_italian.wnry
Filesize
36KB

MD5
30a200f78498990095b36f574b6e8690

SHA1
c4b1b3c087bd12b063e98bca464cd05f3f7b7882

SHA256
49f2c739e7d9745c0834dc817a71bf6676ccc24a4c28dcddf8844093aab3df07

SHA512
c0da2aae82c397f6943a0a7b838f60eeef8f57192c5f498f2ecf05db824cfeb6d6ca830bf3715da7ee400aa8362bd64dc835298f3f0085ae7a744e6e6c690511

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_japanese.wnry
Filesize
79KB

MD5
b77e1221f7ecd0b5d696cb66cda1609e

SHA1
51eb7a254a33d05edf188ded653005dc82de8a46

SHA256
7e491e7b48d6e34f916624c1cda9f024e86fcbec56acda35e27fa99d530d017e

SHA512
f435fd67954787e6b87460db026759410fbd25b2f6ea758118749c113a50192446861a114358443a129be817020b50f21d27b1ebd3d22c7be62082e8b45223fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_korean.wnry
Filesize
89KB

MD5
6735cb43fe44832b061eeb3f5956b099

SHA1
d636daf64d524f81367ea92fdafa3726c909bee1

SHA256
552aa0f82f37c9601114974228d4fc54f7434fe3ae7a276ef1ae98a0f608f1d0

SHA512
60272801909dbba21578b22c49f6b0ba8cd0070f116476ff35b3ac8347b987790e4cc0334724244c4b13415a246e77a577230029e4561ae6f04a598c3f536c7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_latvian.wnry
Filesize
40KB

MD5
c33afb4ecc04ee1bcc6975bea49abe40

SHA1
fbea4f170507cde02b839527ef50b7ec74b4821f

SHA256
a0356696877f2d94d645ae2df6ce6b370bd5c0d6db3d36def44e714525de0536

SHA512
0d435f0836f61a5ff55b78c02fa47b191e5807a79d8a6e991f3115743df2141b3db42ba8bdad9ad259e12f5800828e9e72d7c94a6a5259312a447d669b03ec44

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_norwegian.wnry
Filesize
36KB

MD5
ff70cc7c00951084175d12128ce02399

SHA1
75ad3b1ad4fb14813882d88e952208c648f1fd18

SHA256
cb5da96b3dfcf4394713623dbf3831b2a0b8be63987f563e1c32edeb74cb6c3a

SHA512
f01df3256d49325e5ec49fd265aa3f176020c8ffec60eb1d828c75a3fa18ff8634e1de824d77dfdd833768acff1f547303104620c70066a2708654a07ef22e19

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_polish.wnry
Filesize
38KB

MD5
e79d7f2833a9c2e2553c7fe04a1b63f4

SHA1
3d9f56d2381b8fe16042aa7c4feb1b33f2baebff

SHA256
519ad66009a6c127400c6c09e079903223bd82ecc18ad71b8e5cd79f5f9c053e

SHA512
e0159c753491cac7606a7250f332e87bc6b14876bc7a1cf5625fa56ab4f09c485f7b231dd52e4ff0f5f3c29862afb1124c0efd0741613eb97a83cbe2668af5de

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_portuguese.wnry
Filesize
37KB

MD5
fa948f7d8dfb21ceddd6794f2d56b44f

SHA1
ca915fbe020caa88dd776d89632d7866f660fc7a

SHA256
bd9f4b3aedf4f81f37ec0a028aabcb0e9a900e6b4de04e9271c8db81432e2a66

SHA512
0d211bfb0ae953081dca00cd07f8c908c174fd6c47a8001fadc614203f0e55d9fbb7fa9b87c735d57101341ab36af443918ee00737ed4c19ace0a2b85497f41a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_romanian.wnry
Filesize
50KB

MD5
313e0ececd24f4fa1504118a11bc7986

SHA1
e1b9ae804c7fb1d27f39db18dc0647bb04e75e9d

SHA256
70c0f32ed379ae899e5ac975e20bbbacd295cf7cd50c36174d2602420c770ac1

SHA512
c7500363c61baf8b77fce796d750f8f5e6886ff0a10f81c3240ea3ad4e5f101b597490dea8ab6bd9193457d35d8fd579fce1b88a1c8d85ebe96c66d909630730

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_russian.wnry
Filesize
46KB

MD5
452615db2336d60af7e2057481e4cab5

SHA1
442e31f6556b3d7de6eb85fbac3d2957b7f5eac6

SHA256
02932052fafe97e6acaaf9f391738a3a826f5434b1a013abbfa7a6c1ade1e078

SHA512
7613dc329abe7a3f32164c9a6b660f209a84b774ab9c008bf6503c76255b30ea9a743a6dc49a8de8df0bcb9aea5a33f7408ba27848d9562583ff51991910911f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_slovak.wnry
Filesize
40KB

MD5
c911aba4ab1da6c28cf86338ab2ab6cc

SHA1
fee0fd58b8efe76077620d8abc7500dbfef7c5b0

SHA256
e64178e339c8e10eac17a236a67b892d0447eb67b1dcd149763dad6fd9f72729

SHA512
3491ed285a091a123a1a6d61aafbb8d5621ccc9e045a237a2f9c2cf6049e7420eb96ef30fdcea856b50454436e2ec468770f8d585752d73fafd676c4ef5e800a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_spanish.wnry
Filesize
36KB

MD5
8d61648d34cba8ae9d1e2a219019add1

SHA1
2091e42fc17a0cc2f235650f7aad87abf8ba22c2

SHA256
72f20024b2f69b45a1391f0a6474e9f6349625ce329f5444aec7401fe31f8de1

SHA512
68489c33ba89edfe2e3aebaacf8ef848d2ea88dcbef9609c258662605e02d12cfa4ffdc1d266fc5878488e296d2848b2cb0bbd45f1e86ef959bab6162d284079

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new
Filesize
6.0MB

MD5
f50f20e069090a7d0ee1ee0757256b02

SHA1
db520eaca55a7833908f98852bf19f6518447e83

SHA256
8ee5ea75192fa1c5d4776fd25978d47e8659a61ae084c4b58fac15b954da2d89

SHA512
b1005bbc2c0793841a45fd8a02773f5d98d4a1a912c565e8e7ea0778a7a12085d227226cc545cef145b28828ea80a4684b0ce7e2817bc45b93fbafc3a02c5082

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r.zip.crdownload
Filesize
3.3MB

MD5
e58fdd8b0ce47bcb8ffd89f4499d186d

SHA1
b7e2334ac6e1ad75e3744661bb590a2d1da98b03

SHA256
283f40e9d550833bec101a24fd6fd6fbd9937ed32a51392e818ffff662a1d30a

SHA512
95b6567b373efa6aec6a9bfd7af70ded86f8c72d3e8ba75f756024817815b830f54d18143b0be6de335dd0ca0afe722f88a4684663be5a84946bd30343d43a8c

Download Submit
C:\Users\Public\Desktop\@WanaDecryptor@.bmp
Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
\??\pipe\crashpad_4484_RKVCEXIDHSAFLGWK
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1704-172-0x00007FF839690000-0x00007FF839691000-memory.dmp

Filesize
4KB

Download
memory/4332-276-0x0000000004BA0000-0x0000000004BDE000-memory.dmp

Filesize
248KB

Download
memory/4332-266-0x0000000004BA0000-0x0000000004BDE000-memory.dmp

Filesize
248KB

Download
memory/4332-298-0x0000000004BA0000-0x0000000004BDE000-memory.dmp

Filesize
248KB

Download
memory/4332-296-0x0000000004BA0000-0x0000000004BDE000-memory.dmp

Filesize
248KB

Download
memory/4332-1161-0x0000000005830000-0x000000000593A000-memory.dmp

Filesize
1.0MB

Download
memory/4332-1162-0x0000000005970000-0x0000000005982000-memory.dmp

Filesize
72KB

Download
memory/4332-1163-0x0000000004C00000-0x0000000004C10000-memory.dmp

Filesize
64KB

Download
memory/4332-294-0x0000000004BA0000-0x0000000004BDE000-memory.dmp

Filesize
248KB

Download
memory/4332-292-0x0000000004BA0000-0x0000000004BDE000-memory.dmp

Filesize
248KB

Download
memory/4332-290-0x0000000004BA0000-0x0000000004BDE000-memory.dmp

Filesize
248KB

Download
memory/4332-288-0x0000000004BA0000-0x0000000004BDE000-memory.dmp

Filesize
248KB

Download
memory/4332-286-0x0000000004BA0000-0x0000000004BDE000-memory.dmp

Filesize
248KB

Download
memory/4332-284-0x0000000004BA0000-0x0000000004BDE000-memory.dmp

Filesize
248KB

Download
memory/4332-282-0x0000000004BA0000-0x0000000004BDE000-memory.dmp

Filesize
248KB

Download
memory/4332-280-0x0000000004BA0000-0x0000000004BDE000-memory.dmp

Filesize
248KB

Download
memory/4332-278-0x0000000004BA0000-0x0000000004BDE000-memory.dmp

Filesize
248KB

Download
memory/4332-1186-0x0000000004C00000-0x0000000004C10000-memory.dmp

Filesize
64KB

Download
memory/4332-274-0x0000000004BA0000-0x0000000004BDE000-memory.dmp

Filesize
248KB

Download
memory/4332-272-0x0000000004BA0000-0x0000000004BDE000-memory.dmp

Filesize
248KB

Download
memory/4332-270-0x0000000004BA0000-0x0000000004BDE000-memory.dmp

Filesize
248KB

Download
memory/4332-268-0x0000000004BA0000-0x0000000004BDE000-memory.dmp

Filesize
248KB

Download
memory/4332-1160-0x00000000051C0000-0x00000000057D8000-memory.dmp

Filesize
6.1MB

Download
memory/4332-264-0x0000000004BA0000-0x0000000004BDE000-memory.dmp

Filesize
248KB

Download
memory/4332-262-0x0000000004BA0000-0x0000000004BDE000-memory.dmp

Filesize
248KB

Download
memory/4332-260-0x0000000004BA0000-0x0000000004BDE000-memory.dmp

Filesize
248KB

Download
memory/4332-258-0x0000000004BA0000-0x0000000004BDE000-memory.dmp

Filesize
248KB

Download
memory/4332-256-0x0000000004BA0000-0x0000000004BDE000-memory.dmp

Filesize
248KB

Download
memory/4332-254-0x0000000004BA0000-0x0000000004BDE000-memory.dmp

Filesize
248KB

Download
memory/4332-252-0x0000000004BA0000-0x0000000004BDE000-memory.dmp

Filesize
248KB

Download
memory/4332-250-0x0000000004BA0000-0x0000000004BDE000-memory.dmp

Filesize
248KB

Download
memory/4332-249-0x0000000004BA0000-0x0000000004BDE000-memory.dmp

Filesize
248KB

Download
memory/4332-248-0x0000000004C00000-0x0000000004C10000-memory.dmp

Filesize
64KB

Download
memory/4332-247-0x0000000004C00000-0x0000000004C10000-memory.dmp

Filesize
64KB

Download
memory/4332-1164-0x0000000005990000-0x00000000059CC000-memory.dmp

Filesize
240KB

Download
memory/4332-246-0x0000000004C00000-0x0000000004C10000-memory.dmp

Filesize
64KB

Download
memory/4332-239-0x0000000000590000-0x00000000005DB000-memory.dmp

Filesize
300KB

Download
memory/4332-240-0x0000000004C10000-0x00000000051B4000-memory.dmp

Filesize
5.6MB

Download
memory/4332-1181-0x0000000004C00000-0x0000000004C10000-memory.dmp

Filesize
64KB

Download
memory/4332-1179-0x0000000004C00000-0x0000000004C10000-memory.dmp

Filesize
64KB

Download
memory/4332-1180-0x0000000004C00000-0x0000000004C10000-memory.dmp

Filesize
64KB

Download
memory/4932-197-0x00007FF83A2E0000-0x00007FF83A2E1000-memory.dmp

Filesize
4KB

Download
memory/4932-198-0x00007FF839DE0000-0x00007FF839DE1000-memory.dmp

Filesize
4KB

Download
memory/5080-169-0x0000000000070000-0x000000000007A000-memory.dmp

Filesize
40KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads