wannacry | hxxp://krnl[.]place

Analysis

max time kernel
1799s
max time network
1791s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
20/05/2023, 10:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://krnl.place

Score

10^/10

wannacry discovery persistence ransomware worm

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 13 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File created	C:\Users\Admin\Pictures\SwitchAdd.tiff.WNCRYT	WannaCrypt0r.exe
File opened for modification	C:\Users\Admin\Pictures\SwitchAdd.tiff.WNCRY	WannaCrypt0r.exe
File created	C:\Users\Admin\Pictures\UnblockReceive.tif.WNCRYT	WannaCrypt0r.exe
File renamed	C:\Users\Admin\Pictures\UnblockReceive.tif.WNCRYT => C:\Users\Admin\Pictures\UnblockReceive.tif.WNCRY	WannaCrypt0r.exe
File opened for modification	C:\Users\Admin\Pictures\UnblockReceive.tif.WNCRY	WannaCrypt0r.exe
File renamed	C:\Users\Admin\Pictures\UseExport.raw.WNCRYT => C:\Users\Admin\Pictures\UseExport.raw.WNCRY	WannaCrypt0r.exe
File opened for modification	C:\Users\Admin\Pictures\UseExport.raw.WNCRY	WannaCrypt0r.exe
File renamed	C:\Users\Admin\Pictures\ResolveMeasure.raw.WNCRYT => C:\Users\Admin\Pictures\ResolveMeasure.raw.WNCRY	WannaCrypt0r.exe
File opened for modification	C:\Users\Admin\Pictures\SwitchAdd.tiff	WannaCrypt0r.exe
File opened for modification	C:\Users\Admin\Pictures\ResolveMeasure.raw.WNCRY	WannaCrypt0r.exe
File renamed	C:\Users\Admin\Pictures\SwitchAdd.tiff.WNCRYT => C:\Users\Admin\Pictures\SwitchAdd.tiff.WNCRY	WannaCrypt0r.exe
File created	C:\Users\Admin\Pictures\UseExport.raw.WNCRYT	WannaCrypt0r.exe
File created	C:\Users\Admin\Pictures\ResolveMeasure.raw.WNCRYT	WannaCrypt0r.exe

Drops startup file 10 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD87B2.tmp	WannaCrypt0r.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD96E3.tmp	WannaCrypt0r.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD8DC2.tmp	WannaCrypt0r.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD8DD9.tmp	WannaCrypt0r.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD8E34.tmp	WannaCrypt0r.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD87C9.tmp	WannaCrypt0r.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD96EA.tmp	WannaCrypt0r.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD45B5.tmp	WannaCrypt0r.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD45BC.tmp	WannaCrypt0r.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD8E2D.tmp	WannaCrypt0r.exe

Executes dropped EXE 64 IoCs

pid	Process
5896	taskdl.exe
5976	@[email protected]
4852	@[email protected]
5172	taskhsvc.exe
5268	taskdl.exe
5084	taskse.exe
5092	@[email protected]
6120	taskdl.exe
5624	@[email protected]
408	taskse.exe
5416	taskdl.exe
4264	taskse.exe
1304	@[email protected]
5800	taskdl.exe
1168	taskse.exe
4532	@[email protected]
5908	taskdl.exe
3472	taskse.exe
5792	@[email protected]
872	taskdl.exe
488	taskse.exe
1132	@[email protected]
5560	taskdl.exe
5452	taskse.exe
3052	@[email protected]
5316	taskdl.exe
5512	taskse.exe
5296	@[email protected]
2104	taskdl.exe
2548	taskse.exe
5776	@[email protected]
1804	taskdl.exe
2744	taskse.exe
5668	@[email protected]
4264	taskdl.exe
6060	taskse.exe
5060	@[email protected]
3632	taskdl.exe
980	taskse.exe
5572	@[email protected]
5880	taskdl.exe
5500	taskse.exe
5928	@[email protected]
4516	taskdl.exe
6024	taskse.exe
5044	@[email protected]
5100	taskdl.exe
5396	taskse.exe
5204	@[email protected]
5312	taskdl.exe
3476	taskse.exe
4916	@[email protected]
4620	taskdl.exe
4852	taskse.exe
4944	@[email protected]
2772	taskdl.exe
4448	taskse.exe
5952	@[email protected]
5596	taskdl.exe
2596	taskse.exe
1796	@[email protected]
2300	taskdl.exe
4400	taskse.exe
1784	@[email protected]

Loads dropped DLL 8 IoCs

pid	Process
5172	taskhsvc.exe
5172	taskhsvc.exe
5172	taskhsvc.exe
5172	taskhsvc.exe
5172	taskhsvc.exe
5172	taskhsvc.exe
5172	taskhsvc.exe
5172	taskhsvc.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
5960	icacls.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows\CurrentVersion\Run	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qpzmehtw499 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Temp1_WannaCrypt0r.zip\\tasksche.exe\""	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	WannaCrypt0r.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 5 IoCs

evasion

pid	Process
2448	taskkill.exe
2568	taskkill.exe
5256	taskkill.exe
2640	taskkill.exe
4456	taskkill.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133290599613780027"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2275444769-3691835758-4097679484-1000\{A4B11689-CA7F-4D96-BDB8-D38370A8ABB8}	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
5652	reg.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2920	chrome.exe
2920	chrome.exe
4492	chrome.exe
4492	chrome.exe
1640	chrome.exe
1640	chrome.exe
2612	msedge.exe
2612	msedge.exe
4456	msedge.exe
4456	msedge.exe
5172	taskhsvc.exe
5172	taskhsvc.exe
5172	taskhsvc.exe
5172	taskhsvc.exe
5172	taskhsvc.exe
5172	taskhsvc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 20 IoCs

pid	Process
2920	chrome.exe
2920	chrome.exe
2920	chrome.exe
2920	chrome.exe
2920	chrome.exe
2920	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2920	chrome.exe
Token: SeCreatePagefilePrivilege	2920	chrome.exe
Token: SeShutdownPrivilege	2920	chrome.exe
Token: SeCreatePagefilePrivilege	2920	chrome.exe
Token: SeShutdownPrivilege	2920	chrome.exe
Token: SeCreatePagefilePrivilege	2920	chrome.exe
Token: SeShutdownPrivilege	2920	chrome.exe
Token: SeCreatePagefilePrivilege	2920	chrome.exe
Token: SeShutdownPrivilege	2920	chrome.exe
Token: SeCreatePagefilePrivilege	2920	chrome.exe
Token: SeShutdownPrivilege	2920	chrome.exe
Token: SeCreatePagefilePrivilege	2920	chrome.exe
Token: SeShutdownPrivilege	2920	chrome.exe
Token: SeCreatePagefilePrivilege	2920	chrome.exe
Token: SeShutdownPrivilege	2920	chrome.exe
Token: SeCreatePagefilePrivilege	2920	chrome.exe
Token: SeShutdownPrivilege	2920	chrome.exe
Token: SeCreatePagefilePrivilege	2920	chrome.exe
Token: SeShutdownPrivilege	2920	chrome.exe
Token: SeCreatePagefilePrivilege	2920	chrome.exe
Token: SeShutdownPrivilege	2920	chrome.exe
Token: SeCreatePagefilePrivilege	2920	chrome.exe
Token: SeShutdownPrivilege	2920	chrome.exe
Token: SeCreatePagefilePrivilege	2920	chrome.exe
Token: SeShutdownPrivilege	2920	chrome.exe
Token: SeCreatePagefilePrivilege	2920	chrome.exe
Token: SeShutdownPrivilege	4492	chrome.exe
Token: SeCreatePagefilePrivilege	4492	chrome.exe
Token: SeShutdownPrivilege	4492	chrome.exe
Token: SeCreatePagefilePrivilege	4492	chrome.exe
Token: SeShutdownPrivilege	4492	chrome.exe
Token: SeCreatePagefilePrivilege	4492	chrome.exe
Token: SeShutdownPrivilege	4492	chrome.exe
Token: SeCreatePagefilePrivilege	4492	chrome.exe
Token: SeShutdownPrivilege	4492	chrome.exe
Token: SeCreatePagefilePrivilege	4492	chrome.exe
Token: SeShutdownPrivilege	4492	chrome.exe
Token: SeCreatePagefilePrivilege	4492	chrome.exe
Token: SeShutdownPrivilege	4492	chrome.exe
Token: SeCreatePagefilePrivilege	4492	chrome.exe
Token: SeShutdownPrivilege	4492	chrome.exe
Token: SeCreatePagefilePrivilege	4492	chrome.exe
Token: SeShutdownPrivilege	4492	chrome.exe
Token: SeCreatePagefilePrivilege	4492	chrome.exe
Token: SeShutdownPrivilege	4492	chrome.exe
Token: SeCreatePagefilePrivilege	4492	chrome.exe
Token: SeShutdownPrivilege	4492	chrome.exe
Token: SeCreatePagefilePrivilege	4492	chrome.exe
Token: SeShutdownPrivilege	4492	chrome.exe
Token: SeCreatePagefilePrivilege	4492	chrome.exe
Token: SeShutdownPrivilege	4492	chrome.exe
Token: SeCreatePagefilePrivilege	4492	chrome.exe
Token: SeShutdownPrivilege	4492	chrome.exe
Token: SeCreatePagefilePrivilege	4492	chrome.exe
Token: SeShutdownPrivilege	4492	chrome.exe
Token: SeCreatePagefilePrivilege	4492	chrome.exe
Token: SeShutdownPrivilege	4492	chrome.exe
Token: SeCreatePagefilePrivilege	4492	chrome.exe
Token: SeShutdownPrivilege	4492	chrome.exe
Token: SeCreatePagefilePrivilege	4492	chrome.exe
Token: SeShutdownPrivilege	4492	chrome.exe
Token: SeCreatePagefilePrivilege	4492	chrome.exe
Token: SeShutdownPrivilege	4492	chrome.exe
Token: SeCreatePagefilePrivilege	4492	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2920	chrome.exe
2920	chrome.exe
2920	chrome.exe
2920	chrome.exe
2920	chrome.exe
2920	chrome.exe
2920	chrome.exe
2920	chrome.exe
2920	chrome.exe
2920	chrome.exe
2920	chrome.exe
2920	chrome.exe
2920	chrome.exe
2920	chrome.exe
2920	chrome.exe
2920	chrome.exe
2920	chrome.exe
2920	chrome.exe
2920	chrome.exe
2920	chrome.exe
2920	chrome.exe
2920	chrome.exe
2920	chrome.exe
2920	chrome.exe
2920	chrome.exe
2920	chrome.exe
2920	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4704	msedge.exe
4492	chrome.exe
4492	chrome.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
2920	chrome.exe
2920	chrome.exe
2920	chrome.exe
2920	chrome.exe
2920	chrome.exe
2920	chrome.exe
2920	chrome.exe
2920	chrome.exe
2920	chrome.exe
2920	chrome.exe
2920	chrome.exe
2920	chrome.exe
2920	chrome.exe
2920	chrome.exe
2920	chrome.exe
2920	chrome.exe
2920	chrome.exe
2920	chrome.exe
2920	chrome.exe
2920	chrome.exe
2920	chrome.exe
2920	chrome.exe
2920	chrome.exe
2920	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe
4492	chrome.exe

Suspicious use of SetWindowsHookEx 52 IoCs

pid	Process
5976	@[email protected]
5976	@[email protected]
4852	@[email protected]
4852	@[email protected]
5092	@[email protected]
5092	@[email protected]
5624	@[email protected]
1304	@[email protected]
4532	@[email protected]
5792	@[email protected]
1132	@[email protected]
3052	@[email protected]
5296	@[email protected]
5776	@[email protected]
5668	@[email protected]
5060	@[email protected]
5572	@[email protected]
5928	@[email protected]
5044	@[email protected]
5204	@[email protected]
4916	@[email protected]
4944	@[email protected]
5952	@[email protected]
1796	@[email protected]
1784	@[email protected]
1804	@[email protected]
2120	@[email protected]
4332	@[email protected]
1988	@[email protected]
5936	@[email protected]
5928	@[email protected]
5704	@[email protected]
5984	@[email protected]
4916	@[email protected]
5264	@[email protected]
2184	@[email protected]
3788	@[email protected]
4824	@[email protected]
6004	@[email protected]
6120	@[email protected]
4244	@[email protected]
2152	@[email protected]
1256	@[email protected]
2648	@[email protected]
556	@[email protected]
5744	@[email protected]
6060	@[email protected]
3844	@[email protected]
2032	@[email protected]
5156	@[email protected]
5396	@[email protected]
5772	@[email protected]

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2920 wrote to memory of 3716	2920	chrome.exe	85
PID 2920 wrote to memory of 3716	2920	chrome.exe	85
PID 2920 wrote to memory of 1696	2920	chrome.exe	86
PID 2920 wrote to memory of 1696	2920	chrome.exe	86
PID 2920 wrote to memory of 1696	2920	chrome.exe	86
PID 2920 wrote to memory of 1696	2920	chrome.exe	86
PID 2920 wrote to memory of 1696	2920	chrome.exe	86
PID 2920 wrote to memory of 1696	2920	chrome.exe	86
PID 2920 wrote to memory of 1696	2920	chrome.exe	86
PID 2920 wrote to memory of 1696	2920	chrome.exe	86
PID 2920 wrote to memory of 1696	2920	chrome.exe	86
PID 2920 wrote to memory of 1696	2920	chrome.exe	86
PID 2920 wrote to memory of 1696	2920	chrome.exe	86
PID 2920 wrote to memory of 1696	2920	chrome.exe	86
PID 2920 wrote to memory of 1696	2920	chrome.exe	86
PID 2920 wrote to memory of 1696	2920	chrome.exe	86
PID 2920 wrote to memory of 1696	2920	chrome.exe	86
PID 2920 wrote to memory of 1696	2920	chrome.exe	86
PID 2920 wrote to memory of 1696	2920	chrome.exe	86
PID 2920 wrote to memory of 1696	2920	chrome.exe	86
PID 2920 wrote to memory of 1696	2920	chrome.exe	86
PID 2920 wrote to memory of 1696	2920	chrome.exe	86
PID 2920 wrote to memory of 1696	2920	chrome.exe	86
PID 2920 wrote to memory of 1696	2920	chrome.exe	86
PID 2920 wrote to memory of 1696	2920	chrome.exe	86
PID 2920 wrote to memory of 1696	2920	chrome.exe	86
PID 2920 wrote to memory of 1696	2920	chrome.exe	86
PID 2920 wrote to memory of 1696	2920	chrome.exe	86
PID 2920 wrote to memory of 1696	2920	chrome.exe	86
PID 2920 wrote to memory of 1696	2920	chrome.exe	86
PID 2920 wrote to memory of 1696	2920	chrome.exe	86
PID 2920 wrote to memory of 1696	2920	chrome.exe	86
PID 2920 wrote to memory of 1696	2920	chrome.exe	86
PID 2920 wrote to memory of 1696	2920	chrome.exe	86
PID 2920 wrote to memory of 1696	2920	chrome.exe	86
PID 2920 wrote to memory of 1696	2920	chrome.exe	86
PID 2920 wrote to memory of 1696	2920	chrome.exe	86
PID 2920 wrote to memory of 1696	2920	chrome.exe	86
PID 2920 wrote to memory of 1696	2920	chrome.exe	86
PID 2920 wrote to memory of 1696	2920	chrome.exe	86
PID 2920 wrote to memory of 2348	2920	chrome.exe	87
PID 2920 wrote to memory of 2348	2920	chrome.exe	87
PID 2920 wrote to memory of 3888	2920	chrome.exe	88
PID 2920 wrote to memory of 3888	2920	chrome.exe	88
PID 2920 wrote to memory of 3888	2920	chrome.exe	88
PID 2920 wrote to memory of 3888	2920	chrome.exe	88
PID 2920 wrote to memory of 3888	2920	chrome.exe	88
PID 2920 wrote to memory of 3888	2920	chrome.exe	88
PID 2920 wrote to memory of 3888	2920	chrome.exe	88
PID 2920 wrote to memory of 3888	2920	chrome.exe	88
PID 2920 wrote to memory of 3888	2920	chrome.exe	88
PID 2920 wrote to memory of 3888	2920	chrome.exe	88
PID 2920 wrote to memory of 3888	2920	chrome.exe	88
PID 2920 wrote to memory of 3888	2920	chrome.exe	88
PID 2920 wrote to memory of 3888	2920	chrome.exe	88
PID 2920 wrote to memory of 3888	2920	chrome.exe	88
PID 2920 wrote to memory of 3888	2920	chrome.exe	88
PID 2920 wrote to memory of 3888	2920	chrome.exe	88
PID 2920 wrote to memory of 3888	2920	chrome.exe	88
PID 2920 wrote to memory of 3888	2920	chrome.exe	88
PID 2920 wrote to memory of 3888	2920	chrome.exe	88
PID 2920 wrote to memory of 3888	2920	chrome.exe	88
PID 2920 wrote to memory of 3888	2920	chrome.exe	88
PID 2920 wrote to memory of 3888	2920	chrome.exe	88

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
5944	attrib.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" http://krnl.place
1⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffac9dc9758,0x7ffac9dc9768,0x7ffac9dc9778
  2⤵
  PID:3716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1776 --field-trial-handle=1860,i,6779620711286290620,2974816688595641892,131072 /prefetch:2
  2⤵
  PID:1696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 --field-trial-handle=1860,i,6779620711286290620,2974816688595641892,131072 /prefetch:8
  2⤵
  PID:2348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2156 --field-trial-handle=1860,i,6779620711286290620,2974816688595641892,131072 /prefetch:8
  2⤵
  PID:3888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3060 --field-trial-handle=1860,i,6779620711286290620,2974816688595641892,131072 /prefetch:1
  2⤵
  PID:3332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3064 --field-trial-handle=1860,i,6779620711286290620,2974816688595641892,131072 /prefetch:1
  2⤵
  PID:1080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4500 --field-trial-handle=1860,i,6779620711286290620,2974816688595641892,131072 /prefetch:1
  2⤵
  PID:2432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3224 --field-trial-handle=1860,i,6779620711286290620,2974816688595641892,131072 /prefetch:1
  2⤵
  PID:1472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4840 --field-trial-handle=1860,i,6779620711286290620,2974816688595641892,131072 /prefetch:1
  2⤵
  PID:4212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4916 --field-trial-handle=1860,i,6779620711286290620,2974816688595641892,131072 /prefetch:8
  2⤵
  PID:836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5168 --field-trial-handle=1860,i,6779620711286290620,2974816688595641892,131072 /prefetch:8
  2⤵
  PID:4168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5304 --field-trial-handle=1860,i,6779620711286290620,2974816688595641892,131072 /prefetch:8
  2⤵
  PID:4932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5460 --field-trial-handle=1860,i,6779620711286290620,2974816688595641892,131072 /prefetch:8
  2⤵
  PID:3584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5752 --field-trial-handle=1860,i,6779620711286290620,2974816688595641892,131072 /prefetch:1
  2⤵
  PID:1428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3936 --field-trial-handle=1860,i,6779620711286290620,2974816688595641892,131072 /prefetch:8
  2⤵
  PID:2344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3476 --field-trial-handle=1860,i,6779620711286290620,2974816688595641892,131072 /prefetch:8
  2⤵
  PID:4380

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4876

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4008

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffac9dc9758,0x7ffac9dc9768,0x7ffac9dc9778
  2⤵
  PID:684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=1932,i,3162611082765767260,16490298884063593042,131072 /prefetch:8
  2⤵
  PID:2840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3020 --field-trial-handle=1932,i,3162611082765767260,16490298884063593042,131072 /prefetch:1
  2⤵
  PID:3232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3012 --field-trial-handle=1932,i,3162611082765767260,16490298884063593042,131072 /prefetch:1
  2⤵
  PID:4976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2304 --field-trial-handle=1932,i,3162611082765767260,16490298884063593042,131072 /prefetch:8
  2⤵
  PID:4236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1776 --field-trial-handle=1932,i,3162611082765767260,16490298884063593042,131072 /prefetch:2
  2⤵
  PID:4152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3728 --field-trial-handle=1932,i,3162611082765767260,16490298884063593042,131072 /prefetch:8
  2⤵
  PID:2724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4672 --field-trial-handle=1932,i,3162611082765767260,16490298884063593042,131072 /prefetch:1
  2⤵
  PID:2400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4524 --field-trial-handle=1932,i,3162611082765767260,16490298884063593042,131072 /prefetch:8
  2⤵
  PID:5088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4920 --field-trial-handle=1932,i,3162611082765767260,16490298884063593042,131072 /prefetch:1
  2⤵
  PID:3196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4636 --field-trial-handle=1932,i,3162611082765767260,16490298884063593042,131072 /prefetch:8
  2⤵
  PID:2508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5116 --field-trial-handle=1932,i,3162611082765767260,16490298884063593042,131072 /prefetch:8
  2⤵
  PID:4780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5212 --field-trial-handle=1932,i,3162611082765767260,16490298884063593042,131072 /prefetch:8
  2⤵
  PID:4076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5368 --field-trial-handle=1932,i,3162611082765767260,16490298884063593042,131072 /prefetch:8
  2⤵
  PID:4584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5468 --field-trial-handle=1932,i,3162611082765767260,16490298884063593042,131072 /prefetch:8
  2⤵
  PID:2356
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  PID:4124
- - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x254,0x258,0x25c,0x230,0x260,0x7ff6b4b37688,0x7ff6b4b37698,0x7ff6b4b376a8
    3⤵
    PID:4988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5400 --field-trial-handle=1932,i,3162611082765767260,16490298884063593042,131072 /prefetch:8
  2⤵
  PID:4664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=5368 --field-trial-handle=1932,i,3162611082765767260,16490298884063593042,131072 /prefetch:1
  2⤵
  PID:2904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=3956 --field-trial-handle=1932,i,3162611082765767260,16490298884063593042,131072 /prefetch:1
  2⤵
  PID:1304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=3152 --field-trial-handle=1932,i,3162611082765767260,16490298884063593042,131072 /prefetch:1
  2⤵
  PID:4260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4656 --field-trial-handle=1932,i,3162611082765767260,16490298884063593042,131072 /prefetch:8
  2⤵
  PID:1232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=5864 --field-trial-handle=1932,i,3162611082765767260,16490298884063593042,131072 /prefetch:1
  2⤵
  PID:636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5912 --field-trial-handle=1932,i,3162611082765767260,16490298884063593042,131072 /prefetch:8
  2⤵
  PID:2836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6060 --field-trial-handle=1932,i,3162611082765767260,16490298884063593042,131072 /prefetch:8
  2⤵
  PID:5104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4572 --field-trial-handle=1932,i,3162611082765767260,16490298884063593042,131072 /prefetch:8
  2⤵
  PID:480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=5512 --field-trial-handle=1932,i,3162611082765767260,16490298884063593042,131072 /prefetch:1
  2⤵
  PID:3964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=3128 --field-trial-handle=1932,i,3162611082765767260,16490298884063593042,131072 /prefetch:1
  2⤵
  PID:2392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=27 --mojo-platform-channel-handle=3132 --field-trial-handle=1932,i,3162611082765767260,16490298884063593042,131072 /prefetch:1
  2⤵
  PID:4832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=28 --mojo-platform-channel-handle=5696 --field-trial-handle=1932,i,3162611082765767260,16490298884063593042,131072 /prefetch:1
  2⤵
  PID:1544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=29 --mojo-platform-channel-handle=3832 --field-trial-handle=1932,i,3162611082765767260,16490298884063593042,131072 /prefetch:1
  2⤵
  PID:3812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5864 --field-trial-handle=1932,i,3162611082765767260,16490298884063593042,131072 /prefetch:8
  2⤵
  PID:4112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5700 --field-trial-handle=1932,i,3162611082765767260,16490298884063593042,131072 /prefetch:8
  2⤵
  - Modifies registry class
  PID:4548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4752 --field-trial-handle=1932,i,3162611082765767260,16490298884063593042,131072 /prefetch:8
  2⤵
  PID:4148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=33 --mojo-platform-channel-handle=5896 --field-trial-handle=1932,i,3162611082765767260,16490298884063593042,131072 /prefetch:1
  2⤵
  PID:3796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6176 --field-trial-handle=1932,i,3162611082765767260,16490298884063593042,131072 /prefetch:8
  2⤵
  PID:2612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5808 --field-trial-handle=1932,i,3162611082765767260,16490298884063593042,131072 /prefetch:8
  2⤵
  PID:3092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3048 --field-trial-handle=1932,i,3162611082765767260,16490298884063593042,131072 /prefetch:8
  2⤵
  PID:5080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5984 --field-trial-handle=1932,i,3162611082765767260,16490298884063593042,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3920 --field-trial-handle=1932,i,3162611082765767260,16490298884063593042,131072 /prefetch:8
  2⤵
  PID:5216

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4920

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x470 0x474
1⤵
PID:4844

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault5b7cac8chabf5h464aha5e3h769339ca3306
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:4704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffac12c46f8,0x7ffac12c4708,0x7ffac12c4718
  2⤵
  PID:3816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,3684169393969678862,14682230555317984402,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
  2⤵
  PID:2400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,3684169393969678862,14682230555317984402,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2436 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,3684169393969678862,14682230555317984402,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2768 /prefetch:8
  2⤵
  PID:5200

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5188

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffac12c46f8,0x7ffac12c4708,0x7ffac12c4718
1⤵
PID:5600

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaultb71801adh58b8h4497haefeh73c8ef3c4ffb
1⤵
PID:5564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,16058093778860382717,5050347760196308301,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2168,16058093778860382717,5050347760196308301,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2900 /prefetch:8
  2⤵
  PID:5244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,16058093778860382717,5050347760196308301,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2
  2⤵
  PID:5756

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\WannaCrypt0r.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\WannaCrypt0r.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Sets desktop wallpaper using registry
PID:696
- C:\Windows\SysWOW64\attrib.exe
  attrib +h .
  2⤵
  - Views/modifies file attributes
  PID:5944
- C:\Windows\SysWOW64\icacls.exe
  icacls . /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:5960
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:5896
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 199411684586725.bat
  2⤵
  PID:6040
- - C:\Windows\SysWOW64\cscript.exe
    cscript.exe //nologo m.vbs
    3⤵
    PID:5656
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  @[email protected] co
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5976
- - C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\TaskData\Tor\taskhsvc.exe
    TaskData\Tor\taskhsvc.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:5172
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c start /b @[email protected] vs
  2⤵
  PID:5908
- - C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
    @[email protected] vs
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4852
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
      4⤵
      PID:4620
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        5⤵
        
        PID:4680
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:5268
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:5084
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "qpzmehtw499" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\tasksche.exe\"" /f
  2⤵
  PID:5108
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "qpzmehtw499" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\tasksche.exe\"" /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:5652
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  - Suspicious use of SetWindowsHookEx
  PID:5092
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:6120
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:408
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5624
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:5416
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:4264
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1304
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:5800
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:1168
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4532
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:5908
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:3472
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5792
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:872
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:488
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1132
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:5560
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:5452
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3052
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:5316
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:5512
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5296
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:2104
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:2548
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5776
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:1804
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:2744
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5668
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:4264
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:6060
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5060
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:3632
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:980
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5572
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:5880
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:5500
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5928
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:4516
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:6024
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5044
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:5100
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:5396
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5204
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:5312
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:3476
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4916
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:4620
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:4852
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4944
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:2772
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:4448
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5952
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:5596
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:2596
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1796
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:2300
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:4400
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1784
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
  taskdl.exe
  2⤵
  PID:5004
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  2⤵
  PID:3712
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  @[email protected]
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1804
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
  taskdl.exe
  2⤵
  PID:5664
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  2⤵
  PID:4216
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  @[email protected]
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2120
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
  taskdl.exe
  2⤵
  PID:4304
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  2⤵
  PID:4292
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  @[email protected]
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:4332
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
  taskdl.exe
  2⤵
  PID:2800
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  2⤵
  PID:3936
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  @[email protected]
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1988
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
  taskdl.exe
  2⤵
  PID:4244
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  2⤵
  PID:5624
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  @[email protected]
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:5936
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
  taskdl.exe
  2⤵
  PID:2740
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  2⤵
  PID:2612
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  @[email protected]
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:5928
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
  taskdl.exe
  2⤵
  PID:6024
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  2⤵
  PID:1760
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  @[email protected]
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:5704
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
  taskdl.exe
  2⤵
  PID:4456
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  @[email protected]
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:5984
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  2⤵
  PID:5396
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
  taskdl.exe
  2⤵
  PID:3488
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  2⤵
  PID:4584
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  @[email protected]
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:4916
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
  taskdl.exe
  2⤵
  PID:4224
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  2⤵
  PID:5524
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  @[email protected]
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:5264
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
  taskdl.exe
  2⤵
  PID:1296
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  2⤵
  PID:3092
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  @[email protected]
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2184
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
  taskdl.exe
  2⤵
  PID:3168
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  2⤵
  PID:1264
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  @[email protected]
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:3788
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
  taskdl.exe
  2⤵
  PID:5440
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  2⤵
  PID:2596
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  @[email protected]
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:4824
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
  taskdl.exe
  2⤵
  PID:5388
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  2⤵
  PID:4008
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  @[email protected]
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:6004
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
  taskdl.exe
  2⤵
  PID:4648
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  2⤵
  PID:2976
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  @[email protected]
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:6120
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
  taskdl.exe
  2⤵
  PID:3024
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  2⤵
  PID:4728
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  @[email protected]
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:4244
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
  taskdl.exe
  2⤵
  PID:4436
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  2⤵
  PID:1132
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  @[email protected]
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2152
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
  taskdl.exe
  2⤵
  PID:2612
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  2⤵
  PID:5972
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  @[email protected]
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1256
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
  taskdl.exe
  2⤵
  PID:2356
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  2⤵
  PID:2296
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  @[email protected]
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2648
- C:\Windows\SysWOW64\taskkill.exe
  taskkill.exe /f /im Microsoft.Exchange.*
  2⤵
  - Kills process with taskkill
  PID:2448
- C:\Windows\SysWOW64\taskkill.exe
  taskkill.exe /f /im MSExchange*
  2⤵
  - Kills process with taskkill
  PID:2568
- C:\Windows\SysWOW64\taskkill.exe
  taskkill.exe /f /im sqlserver.exe
  2⤵
  - Kills process with taskkill
  PID:5256
- C:\Windows\SysWOW64\taskkill.exe
  taskkill.exe /f /im mysqld.exe
  2⤵
  - Kills process with taskkill
  PID:2640
- C:\Windows\SysWOW64\taskkill.exe
  taskkill.exe /f /im sqlwriter.exe
  2⤵
  - Kills process with taskkill
  PID:4456
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
  taskdl.exe
  2⤵
  PID:5792
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  2⤵
  PID:5644
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  @[email protected]
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:556
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
  taskdl.exe
  2⤵
  PID:1720
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  2⤵
  PID:5388
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  @[email protected]
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:5744
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
  taskdl.exe
  2⤵
  PID:2480
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  @[email protected]
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:6060
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  2⤵
  PID:520
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
  taskdl.exe
  2⤵
  PID:2012
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  2⤵
  PID:5668
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  @[email protected]
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:3844
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
  taskdl.exe
  2⤵
  PID:840
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  @[email protected]
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2032
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  2⤵
  PID:4852
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
  taskdl.exe
  2⤵
  PID:5384
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  2⤵
  PID:5224
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  @[email protected]
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:5156
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
  taskdl.exe
  2⤵
  PID:452
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  2⤵
  PID:5740
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  @[email protected]
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:5396
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
  taskdl.exe
  2⤵
  PID:3224
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  2⤵
  PID:5512
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  @[email protected]
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:5772

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:8

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

File and Directory Permissions Modification

T1222

Hidden Files and Directories

T1158

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\@[email protected]

Filesize
1KB

MD5
73a647242290173a93ae80cc446b845c

SHA1
52bb95efd4c1460ef01e3131bf90c84b78968fbe

SHA256
e6ef3f9fe53a46208315e645d71809979d423384e99f123d4fb507138f3ace39

SHA512
8987f0bb6e889bc51a8280f4b38635ef8a203745719eecac529fc68aff5aae4afbdef1f9a4130a1ed30333770eac828969b18e81aba4f73c5ff09ac5c67bb101

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
52957d4bf2f5b79a0cf7b42e9eb1a954

SHA1
c6ca0bc3ebd37a4a7a99b3ec8b4cc29368c5fac5

SHA256
373963e79b7dd7a50576b9bf92f1a5c356e30bad53e25c44d245dfcc2f869d6b

SHA512
90f957c13fe611b314c501d6cff5fa6d747ce1bb67d32b73997292c6c846c516e509ca76351f827bfaefe80960d4ba8ee89ac7a2a9330f4741f6dce9b4170036

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
52957d4bf2f5b79a0cf7b42e9eb1a954

SHA1
c6ca0bc3ebd37a4a7a99b3ec8b4cc29368c5fac5

SHA256
373963e79b7dd7a50576b9bf92f1a5c356e30bad53e25c44d245dfcc2f869d6b

SHA512
90f957c13fe611b314c501d6cff5fa6d747ce1bb67d32b73997292c6c846c516e509ca76351f827bfaefe80960d4ba8ee89ac7a2a9330f4741f6dce9b4170036

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_0

Filesize
44KB

MD5
ad0f6b8960c91498c71ce6dd8e45ad7c

SHA1
7f064ec08c0f73431dd985a5097ea534eafd409d

SHA256
003c502163a27c222484ad8008ad9f6436355525639cab3e27fa3499262d8942

SHA512
35fda95b9f39d82cd3b1a637473c2e7d1786396801d957de7e8bc605393c4a0aa992d1fd453b78d0ba5067e33d18b8eb25019daa6bffba35f3227f983961010e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_1

Filesize
264KB

MD5
78cdbd9f021789acc3de3ab18ae7f096

SHA1
d3a26f7b8408d3268ffcdf1dffceeb1f42d03a43

SHA256
ad5c1bc3fd557e85d5c507f84cf075aa6f7a7554d0cb5c9422f14b16b6fcac6a

SHA512
b9d921e4310ee3b08864e586347ce0e9b9acf6bbc66ad1eafe2ae21df403227ac7b49b3a053ee93d6555d123db8c53b674222938f82488ffaf43949f7aa4ead5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_2

Filesize
1.0MB

MD5
e96f14bb4b224407fe52626bf6bbf051

SHA1
73c13a50f76a16ce6a5f23282d12f25315d61e71

SHA256
0538b07325bd853d298ace957637ed4f2b823ab22c444a8cd38e52b1bda1eb45

SHA512
0e46e22e294a9c94104cb7237a9b80b8be020af43ca5a29ebdf58de4c311f458570ed0fbb051e612d61a09c75e12ac12096d0deb19ae058a1f21926d625eed5e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\data_3

Filesize
4.0MB

MD5
0e98d3692b5fe2c699a1f25da07c52e2

SHA1
5cc86c46b10c25e19a977e0e8e8be327624ef314

SHA256
2dc8ec9476c9c95c411cb983cbdd0ff18a09bd8344bbf1f75587e3d446081d98

SHA512
477a3f555f49645595d8e9b17c15ff64c17a46ae6e31b9c42e7d626ad6ec457207cc5587bbc0037cd78e0ac379e1036773acbf30f3399cd45150c77639459e50

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000004

Filesize
65KB

MD5
e731b720ea9a573bb26b4b363104ca03

SHA1
a0830c8eca6c105abd5c5b4c3d95200859c30414

SHA256
353bddb52a2403e089aa9eaec8b74db94de3f05518f65ecb52e4058f66dc1757

SHA512
ed34dbab31bead77578861679ef660a80017ac659b5b7fbb61ac2026bdeb6409465f02c6f63140edc7a28432ddf8737a17e112063dd15e3912dd26a8a71854ad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

Filesize
37KB

MD5
a2bcac5f9df8bbce899c64726d2dd964

SHA1
f25e76845287a3634209dd791e25aab94a39d3a0

SHA256
a69bb6d34deb7dcfb178d58439ccdf98035e1ca37c12077f151171a901f4d77e

SHA512
20bec4b9b8a5767eb1a5b5eea177ad1026b6892fc9421d6ec2f6df28ff453732b22e04ca94608ba8585225811ddff689d3fe678d8f99605889742cee95d7e13e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000006

Filesize
49KB

MD5
641ac5a852435c36b8108111385a6bab

SHA1
49c85a1d6af7499e401a346a5ca8fbfdf0bfbd94

SHA256
fbdfe8059ee169b92b61c02d06cf084b54b91bef36180f866c56015d72194135

SHA512
59b7b37613ffec195d0249695a288f6a6820313dcb62cc250e3753128da002a7ee457649d97c01da77458fe57d57adbf4be061cf9afbafe4fe864bac09bc7a35

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000007

Filesize
37KB

MD5
519005befdbc6eedc73862996b59a9f7

SHA1
e9bad4dc75c55f583747dbc4abd80a95d5796528

SHA256
603abe3532b1cc1eb1c3da44f3679804dd463d07d4430d55c630aba986b17c44

SHA512
b210b12a78c6134d66b14f46f924ebc95328c10f92bfed22a361b2554eca21ee7892f7d9718ae7415074d753026682903beba2bd40b35a4eeb60bf186dcdf589

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000008

Filesize
64KB

MD5
94455949757768f6308ca2d3e20d61f7

SHA1
0b10a1ee72960317c4a586032cfcdb93f74b8565

SHA256
8a748c5e27bb66b7f4c7419f2f6c7ebea14946a8a9b94e2d357381c6516f3ca4

SHA512
30b2ba8657ca35f6c5303abfbe3dc1187c51d7c3cf8a5dd63559382070c60e93e22ff1975963da1fdad3b5586af006fb393b41a033553e92fae4dd43cac9f255

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000009

Filesize
93KB

MD5
03c458ca0e7e1f90dcd9d962e13acb46

SHA1
bb934bca119b6b07e558c645d039f9c1f5981539

SHA256
c80b7a6dcae01fad6366e9f720c5f5edb85d965806b37a6c6e7b8819c1f695fe

SHA512
fc6e42db82e63269f3fe1f0a3c2c1e75195c43bac988b19f9997cc6eb25f9c2151e66e4764bddd1806aa84512547b198a68260f7e8b5605aba6225c1804c2aec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000a

Filesize
21KB

MD5
7d75a9eb3b38b5dd04b8a7ce4f1b87cc

SHA1
68f598c84936c9720c5ffd6685294f5c94000dff

SHA256
6c24799e77b963b00401713a1dbd9cba3a00249b9363e2c194d01b13b8cdb3d7

SHA512
cf0488c34a1af36b1bb854dea2decfc8394f47831b1670cab3eed8291b61188484cc8ab0a726a524ecdd20b71d291bcccbc2ce999fd91662aca63d2d22ed0d9f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000017

Filesize
37KB

MD5
519005befdbc6eedc73862996b59a9f7

SHA1
e9bad4dc75c55f583747dbc4abd80a95d5796528

SHA256
603abe3532b1cc1eb1c3da44f3679804dd463d07d4430d55c630aba986b17c44

SHA512
b210b12a78c6134d66b14f46f924ebc95328c10f92bfed22a361b2554eca21ee7892f7d9718ae7415074d753026682903beba2bd40b35a4eeb60bf186dcdf589

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000023

Filesize
22KB

MD5
9f1c899a371951195b4dedabf8fc4588

SHA1
7abeeee04287a2633f5d2fa32d09c4c12e76051b

SHA256
ba60b39bc10f6abd7f7a3a2a9bae5c83a0a6f7787e60115d0e8b4e17578c35f7

SHA512
86e75284beaff4727fae0a46bd8c3a8b4a7c95eceaf45845d5c3c2806139d739c983205b9163e515f6158aa7c3c901554109c92a7acc2c0077b1d22c003dba54

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000024

Filesize
1.6MB

MD5
ca9f086314c24e5af33c2461a2499ed5

SHA1
bc3fcab93991e7d9005ad913dbc404296d0a6e5c

SHA256
f88e0d148c129bbd2df7b93944cf7ab30bb1aa29e42f0da186b0fcb4bde58c7a

SHA512
ec25286fd7227ba10e1bbfdd26c133503272b0701bd3d447191914fe7abdce22de9b16b4bfe30149457c0537cd6b3a56b7a722c885ce22e7b6767065a916e760

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00002e

Filesize
739KB

MD5
5f8dd8fd4ac304487f85ecd4f2ca10a0

SHA1
2b0f9b91b410578d52e549810e2cffb1af6a6481

SHA256
b7b001b3a004813a31376ec3b9434a27148bc1985303ec7bf532502abb26ec09

SHA512
6199e5ed0ba4d91bbf755a4212e0885fe099022c6490560f6ef0112d951b15f05202a2962133f1bebbe3f20380631b60ef87706a871c612b68fd14467bf621d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000034

Filesize
47KB

MD5
70388d1d15f80f0ddbe58dd2a9095949

SHA1
1f6a1d916905e2dd0347b22085cc1da0fb646a5e

SHA256
395c789048e6fbf5c98ba7562a8b8265885ddd0eec339de55173ab83d3aee618

SHA512
8bdbd091852af9cbca6f9e1c69727a067361c2718cf575f7c543e88bef92da71979ff073d8071386ecfc6be3d7d5ad53253da7f5a830fdeff5ecf6a2b6f43843

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000036

Filesize
32KB

MD5
c7a6a78339c9ff2eebb5c5ae5490c232

SHA1
889e8618172d9dbd21ad8e380b07c510500af108

SHA256
52d98810c25135040dd0d432aaa1d1c8fbcac19f641f0a2b8dbfc0ff48ff44b7

SHA512
fa84b5f10aeceea3252c8e26d5dbb1e7a9706dd6605f49b93912ef3858501fe8178729ebc9a17ea9e236ed1160edd35abf924d1bda29e5a1a9859f6854385019

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
87c543ae8880874bd3fa5921957369b5

SHA1
cf442bc4a78298a27b954f89b71c8e108261b250

SHA256
fd00e84aec8e1dea6b0e34ee1fb1324b93c7909f11d3e582a2c46259e1e12518

SHA512
79961188c59d6634bcef20d10f587e9c73da2a5602c79fccbeaf3e14ee2297a574464de3af551172435efd3d6b5743fe61356b67b636430304840d5ded941255

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
9097b59bbb9892529aadce5cefe02b7b

SHA1
09d554a148c953ae50e1fa4f521b20d8d6016014

SHA256
acb2200561664961cb88084d73a20588b89e52d6d78211861f619dfe8d19423b

SHA512
7180eb100bb919a14831a44607d8d31328deb3d9fb2dc99acae20cb4def48d885fb465a4f842718ed167926be3cedbc6bbea52a867c1edb903e9b12e8cd6f153

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
79678573296505011d5b8d1a6f8be647

SHA1
14b61b3253b95bca918c873296e268adcf807f28

SHA256
81ddd2265f47dcc27428b75697c95113917f0c19db2dcced93587ac7daeb6cd5

SHA512
e624748e0d1f2bdd0ef4ebf45feea83f6a3959344c837534261cd264c53fb9cf20791104e1f973f556c24a6c60bcbc300bb4456788ec22ed3c64dc6a595ab060

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
b97b4007d077b3e7286dbcb68a382593

SHA1
06657fe73950752a544c9f28dd61d0210b86125b

SHA256
8e726e750013b2441cea27c6133aec2d30413a41cf0dcae6600cb13f2f2ad34c

SHA512
8691c165f91b2a2607fe617bbf71eb985afe21e6598f3f92fdc5fa3c8996f942a1afe2f25940b5d009b3007aa64c79baf279b22f8d85719769c6debedcbe34b9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
b97b4007d077b3e7286dbcb68a382593

SHA1
06657fe73950752a544c9f28dd61d0210b86125b

SHA256
8e726e750013b2441cea27c6133aec2d30413a41cf0dcae6600cb13f2f2ad34c

SHA512
8691c165f91b2a2607fe617bbf71eb985afe21e6598f3f92fdc5fa3c8996f942a1afe2f25940b5d009b3007aa64c79baf279b22f8d85719769c6debedcbe34b9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\LOG

Filesize
314B

MD5
8ea187e9f796beb6d3f0ffa21c5fa31e

SHA1
a9bbae1c98a0033bf7ff8f04d8c2560b37a09751

SHA256
3a50c0d03ad15ee09136096100c0374af98d5d47f8e7acb0acf3461b2f6227d8

SHA512
fdb67064a8a93acde43dffd653d8d67395c9eb61ccc42e62cc557af18afceeb9539f67b07dd8c95f8713c6bad18d9ef5106ae75086af825f5909a6f1454be360

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\History

Filesize
148KB

MD5
fe3f4b59b554f21dba35701877f4a95e

SHA1
105cd4b886f84af3f2e35671be1fd94622e30fdb

SHA256
4193346da1dff8727248ab29437793b98d90e4b64e9181a138ced6b1b9bbabe1

SHA512
6b7e9353ddac13145d4f37e052cee31de80e862a97ebe9c19d0bfd5f5723e78ed103016a396bede979a576a4247b6b8a7122b30f64bdb33b43e9f588219886d7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\MANIFEST-000001

Filesize
23B

MD5
3fd11ff447c1ee23538dc4d9724427a3

SHA1
1335e6f71cc4e3cf7025233523b4760f8893e9c9

SHA256
720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed

SHA512
10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG

Filesize
329B

MD5
702642851a8b7808ac1c2b506610a121

SHA1
1c4ed9e2004930b7a2aedab30af474caf3917ae1

SHA256
bf2508d124acb541ad57f9bfebf19c944fba7ae53085855b7a5fa904822f72e0

SHA512
4ff4b8581d8ab0048048352fe4e125d91fccddb5886e131a06bfe4058e87c7d985c8a5ea554d615e5e8a22d55d4f08b7a5cef28cc92cfa021473466ba3752d39

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies

Filesize
20KB

MD5
e7af82918f78cc3e5f8895c48f7e70e8

SHA1
be124b41e42226dd8e9c5d937624c7fb27c8309f

SHA256
5b604c793e120d7ffffa92ffbd9e2de27748bb6c5cce50fb9780223b0ddf6dd5

SHA512
1488d79f64baf6aefb8849dc9265912f982a9b04f3baf285417cb00683f1ff9252985a5642dcd5d5d813d0e340f528d43055ff30a725ca6d5859b82ea7bd2726

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
7KB

MD5
f6819be00cc0d194fa6245265df934bd

SHA1
85bb201d066ac10f94c42547d6fd352b903fda45

SHA256
279f891b52dfe49362585a216e08960025d9bda2919b0065005eb09c51f45cc5

SHA512
50519149d73f90794ba924a73a81404c4f465062ea08bc7e9d89e030fa76c6b2792f4c86c4d5df987e3a8c4f9c9e6388710cd875227f5b71b4b2273ffc463b96

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
34d29f7082dcee4b8ec04a0eaf7d4800

SHA1
6d1674b7e872f5a5c0b53c157dfd2a8b3c44bbce

SHA256
e74c045ec73bacc0d6fdc32d7da783ce5352b709354eb68e7e5b886a3af3c149

SHA512
46967ef378cf0880be71169de272f9f6bc53cf3b45bc57679c6046a2fbdcc3e065867953f0eceb27d065804d6a32a343102bb3fbd9a45459893de946b797ea26

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
542230512caaaae33df322e72f652650

SHA1
f7b36382a99f0a79e3760bbf0382aa9be543c8df

SHA256
bc744bf3c246d455a89f5fa224c518b4eb9fdb166ab5cd6fdf1f979acf399d43

SHA512
a9e4837e9438ba2021b3f581539d26f0ce328a150a63aa23ed9986768e5e9f887f02f9056ab3310176229d88b32180cd182522c806a29040f7f338360191e0bc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
542230512caaaae33df322e72f652650

SHA1
f7b36382a99f0a79e3760bbf0382aa9be543c8df

SHA256
bc744bf3c246d455a89f5fa224c518b4eb9fdb166ab5cd6fdf1f979acf399d43

SHA512
a9e4837e9438ba2021b3f581539d26f0ce328a150a63aa23ed9986768e5e9f887f02f9056ab3310176229d88b32180cd182522c806a29040f7f338360191e0bc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
29a405b0dd0cd670e31bfa07ae672f4a

SHA1
9e52264820c5cdb968de40e944667ec0717fa945

SHA256
f0ae6b329f7210062762c29456681cd2498cbfc7ec101b3af5b5d5f20769cbb0

SHA512
706f3429f9a08732faebe2e35963bc63cc972ea3c4c7ce068986146401d2ce293a96d725d380fc5a8db29daa10836dcfc744b8a15fc685e3f7b8e4e91301b5c0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
7KB

MD5
9fbd4b8e3ac4e6babf23bc73ac74b006

SHA1
32ad07e0a61cae31778df7548672aad74255a04e

SHA256
e6700418f4344b90066367a94298e8965789499c7b61bfe879be6b36ff7635ba

SHA512
a5ce019ff94ab4a325a6b0298151d665a25ebb5ae13d5107c581472398f15981ad3480c9123978db0fe98b98e5e31dd50c39f6797dd91ec45eacd399c92cc2b3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Reporting and NEL

Filesize
36KB

MD5
65586edc4841606bed989684a0bc5184

SHA1
138b30fdcf4aadbb74b840a2798ef45bb9303b3e

SHA256
0e9e07d295861fbad9070454de50f2390fbad9e6b6bf1adbb965b0557c8b9104

SHA512
94fb26a6ede77f026e070746b7e23b09da0365dea19d2360abadb72e1dccf7f51d6bdfbf977455539dbc8318af4e43a08008c975d5d13e10720152e5c1496bfe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
539B

MD5
790f9f75c1ff986242088d2354ba5617

SHA1
c29deae83ee7939cb8a534c04d4be89c668721e9

SHA256
a43c5fa2eb297e5ea5576ee8cd9fdd7afc1c0e4f5631ff13060beb44d9423d8b

SHA512
d3f11b2a5a0be74eeede031e8d8f7468ae346a0ebaa9a3212d625ecbbcb7ba7f529be76be77f8f8543e317a3ea81a6b761c7b1de09e319ababc6810498350455

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
539B

MD5
790f9f75c1ff986242088d2354ba5617

SHA1
c29deae83ee7939cb8a534c04d4be89c668721e9

SHA256
a43c5fa2eb297e5ea5576ee8cd9fdd7afc1c0e4f5631ff13060beb44d9423d8b

SHA512
d3f11b2a5a0be74eeede031e8d8f7468ae346a0ebaa9a3212d625ecbbcb7ba7f529be76be77f8f8543e317a3ea81a6b761c7b1de09e319ababc6810498350455

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
869B

MD5
8b11644984a809b7a591e776f2e720f7

SHA1
944f2aa1e5e7f803c6a3a5050840e17f80a721f8

SHA256
ced3a547a007b5b3d740f5bf2c725b039f36cb67412ad794978619a1f578a0b1

SHA512
cbd855234042026a99d0add33c5342d470417bd706c84e799efba5d2d97b1c1729c9a435acc81307364be5cad57a6daaaa5145c44b31e2818413c4c6ffee217f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
7ab21a5d43f26cb4d1dfc3b5d43cca4f

SHA1
5a469984d918105dff68f50666018f49e8fb31e5

SHA256
d7592595ce56b11440355dd7e60c99122d42e506f7489f242fc02e26f502fec4

SHA512
d52deef07dc61c3ab8d2a27d707e341b68d1ce88ba08b365124eca8c0d8c6b8c18f28129ecb40ae59d2361492cf33a15eafa88405cad018bccbece61c6ff0f7d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
703B

MD5
452726bfbaa15a257725745de68b4a75

SHA1
4b45ae4338a6414254c2249bc1f555591f5772c0

SHA256
9fe82a38214fe9000e9aa595ea479ad625508e4b8324c60c1da3913e87d3d36e

SHA512
72d90340c1f2af9bcc659a68be8b6f2894bb869ec616db6126c4563059c81ea7b9e2a8a9024078d34b2233d2d7de11c143d762c3b719359175451eb25332c569

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
869B

MD5
f97f03dd5d4a630b7870ce57ed624d99

SHA1
f1b46759d306a0662b9d56a20f5bcd9c3d97da3f

SHA256
f27be60f578787c68c6fa46b3a3978e3d6781ad51b66ba84556a0166a71cea21

SHA512
2b2d8ada303e697b0cb253768dd0d8e80263f32513b6ed482c5dc7548d73aac8749c57bb73c9cecb745c88906165bd1cc9089f8da185dbf6b2e02f1731fe2762

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
484a0ed31a67ad77382f65370c8f625a

SHA1
c26b916c78d3d7d11d8d190428d665c418a98134

SHA256
cb07b2f17d896d2453a699e772e680f1a7a50de1b598c9ce9d4d5fad5b88b14b

SHA512
80328466959ce24a58d51a41588c71283ec8b48876d03e80d1a56f807e56bd6007b4c0603de15e71e6647df4f80b9594d8fbe71021efd77d03f797f1d4712bbd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
c068ea02326a4eeb89ddfba3922d0165

SHA1
a24686982603a3546da142ee6f7cbd823e967cb4

SHA256
68f258857b09a0d3a29e8b2ab7e27bde585e5a69d6dc33b0b82905db0735cbd6

SHA512
c3fceda10df67d3ddaf6ceb3f978f43576913cc9b8bd6be08507edbc2143e72c6f22c223319538550fc47d9baa5dc58c103b55f10ba7202229f41d74126b27a8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
6011b46dfc9f02102128b3482d400a4b

SHA1
585329aac71cfb89c0a1db3cd79114d6c517b84d

SHA256
676f936314c333bf4d4ebb67828b4c4e049674ab05464984ef955526244eca55

SHA512
94590f805a43971d4d69d9f6b612f51431a84a250c369152dfee4b5f5d8ee51f5eb19393e1f44cd85995ed651a2f7a14c898cb73c2cd2f05dd68e6dda10b849b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
ef6d8d33ca156bf6b01621f13fe34142

SHA1
40c4d37f43df8664c9029433428867ceb4a056bf

SHA256
c955e486fef0e6ba167ba18186e70e3f5a1f8063e7e20be4574f8764184445eb

SHA512
e295076272bb044e266bb9067fe7dd5d799c85401d1021861c5cd40a952e3ebabaa76b309d2f28db76fa5be8e9331b42b9077a9ddd4f7278171b9ce681258a0d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
7fb2854e6bf55b5efe18d793ef6e2244

SHA1
629c120c7009ce1033ae1020dc060d5b15aa7446

SHA256
fc7f662f7733ae9371f3d4507b4ba3da3594fe3b206f12275667b9915548823f

SHA512
8f85911032c44fb796f7936356b5e919df5bd5b680eed1cfada6365539a86c1df1221abdaf4f0b2367313308cab23f100c9a8a05cb9fa1858e9450e5935de028

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
2bab9f34fb0948e0e33ccbaf97582c5d

SHA1
a2ccaedb73d370432c09f879d7b3bbd2c180db76

SHA256
43036a6d82083cadaed746809ab58e9a10e875d1091b29ddacc43c8fd12f4948

SHA512
99a0503c9df9258cbc5e7029d9f8029ec27f5363a3d8225105e503a56a0b2ca1b740d1f5a2bcc3f1ab2c15d111e1785eb4dd87d4ed47fb94175e0f73c51274ce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
702547d07706df91b663796ba6079454

SHA1
1b4102eaaebbe07c1338ade23ecf330951cd0182

SHA256
a3da1c876609cfde10e000b21d391425b889e908dbe51dcbdd25ede90be3dfaf

SHA512
0ca0bda5c745da0e1ff53b412748be45a292e1d4893ed91a629a5311962d54b54309e791a1d880c0607e687eba2a0ee2e0b25087c097609823534da423cff9b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
18c6063aa3209d9e42bf86497ea7716a

SHA1
bafc19f4e1d36a11bb4697a09c08fa0c8e1c48d6

SHA256
9cd70579c7b71d1a3484420c80b136944e4267e6351fa464b97e6a009290dd46

SHA512
4fc8c6135e6669055c57a7482d1535de2baa88be2f364ca28795807d63e7d2742d399013499d68b6b8d9c8b4ab5dfc44275fbe5d935c706e1c6f5e1fbb36a392

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
deac237b820750ebaf57263303a3db85

SHA1
146605ef913597dd80a7bcbc55ab39a471c8fe32

SHA256
513c65e33d0ec6028f90417496b5acafdbe3aa9a57b20ea911ef1fce221aaf01

SHA512
f6af56d97e3bc9898c2d6c90e84cbcaa605e7d51dc401a89dffca366b90044fdcda075bf6783d19702d6c7867ab8d432b887f9ec952485cebb9d07992c4d96f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
5e189894d1dbaf9a0b66dc396b6d5581

SHA1
9c7bc272abc03fb1255486b915f411be2c4ddb2a

SHA256
4940d376475f2445fa44a016890fa57a7a6456a9f04f48b22ca3c55bf89745f0

SHA512
39c757003325399ee956ea1d6d11cc036a6c4ff10cbf79ec7b32ce2511985a8c7afb529e8ae9b0da085937bd4f70e8c500df76977564fdcc1ed14cda8b87334e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
49d304a5b294d684ea33cb681ac5b2d6

SHA1
91aa6ec7576ff2ea2c667fe541c7829d02b8aa59

SHA256
db490c47fe75f0c323af96cc665f1461930212cb771a8904fae991d9f8b0cda4

SHA512
cb6ff0f488bd230ca6badb4c1eb9df51d217345f5d2ac5e89be916e6d3e7facf737a294f42bc1c50941355409f82bdac54ddac6e1c69a0f5f06d1e203f2bbea8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
fd9fac833658cceb6ef5c064413c1d45

SHA1
772924d776f4cf8a0dceba8ed101bf5d732b84cc

SHA256
6c07fab2f881aa6d0340b210b9c6bce1b53fbfa0c27fbd636aa9aaf2ba9493c0

SHA512
6dea756ad6303972b6fe8c486ba3a08c0da3c9568ad6c157cabcbf8fb79526c8d276314181f6706419e567aed790eabcc51a5d6bd56258c827de89ebf507dc66

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
92c8b6a0f214c274840770d4a484acaf

SHA1
16a5fd665ade3a823a72c8e6197e3fd2b624d165

SHA256
1331473e7603feb0367cd0bec31f485fb549b0d42f671fe9288adcb206c1c84e

SHA512
020b1bef3d3dd4782b2d58acbc99691794bd48c866632d94e5b809b6654a1343571d0dd35bc895fd4d157bf0fd86959dd6c39b3d289998a23c6a2b08b99aa90b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
12bb2f5b1625ed3cfd985b77bdbbd792

SHA1
b85096694c3bbf37ccdad8d8acfec16ff8f91d46

SHA256
037fcfaee7db27618f615466859bd3968be1975def9816a47f599dfe652f0c67

SHA512
3119533f4d89248c4a9e7799717114adf3ca843d7cbb556322fa8a9c201e21af61bce30efa10662772d4bf1f3ef005b6c52adee571cca67543155b1aa34ab03d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
12bb2f5b1625ed3cfd985b77bdbbd792

SHA1
b85096694c3bbf37ccdad8d8acfec16ff8f91d46

SHA256
037fcfaee7db27618f615466859bd3968be1975def9816a47f599dfe652f0c67

SHA512
3119533f4d89248c4a9e7799717114adf3ca843d7cbb556322fa8a9c201e21af61bce30efa10662772d4bf1f3ef005b6c52adee571cca67543155b1aa34ab03d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
09dce6db9df8cd392be3df641b9c4bbf

SHA1
80ebad19596e7675bacbf6994a6298fd507ced6d

SHA256
c43bb52da2adb6a65aabe1a4999b84b2f5d61a0dd4344d2c08449e652bcf50b7

SHA512
0f7231d409f7821167bf844f513583d227f859b527ac7e74d4587c6012a9ede430f4902f62e53e161de0d285d4c863215bcf84e5ab422bbed4dc52678e43a0a2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b47364bbcf27a458189375245a04c6e7

SHA1
2f3f163e3e3cbcf0fafdd39b83eda952a2da3450

SHA256
ef840a1949f3d963b1d3cb540b83933f47c277c400138540ad6c70fa2045b321

SHA512
17ab19bb242ff6744255001050a4ec9bd76e648455d5e3e1b758304bb1be59c9e5a0687a78efa498dd8213aca219d259267e93e3ab7d8595022877973b6de758

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Search Logos\logo

Filesize
33KB

MD5
49410c86a3ab3be8c177b58dae32d329

SHA1
dd0ade71c19a99389e53b11c959fe780e1dc6397

SHA256
2e72dc518efcc229c07c6721cecfe9be5c9fa5a525c09035b66a39f44b273c20

SHA512
3e2031069754c6f73a3433778b1f2424fc05d983d0fa9a186ab25b2a60231f457798a62f983f2de2e49152c0899d2cb5ae5a6518b1a399848c8340fe96cb118c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Search Logos\metadata

Filesize
1KB

MD5
fd7e0e41bcacc72cdf4eb2ba985aec22

SHA1
b8e920a15c9c2614dec2723e10b8d2b4d4fb7f84

SHA256
175bb846baa4905f0e5b937cc4d46ddc1b32de05bef586e9e5f015f1fe4addae

SHA512
51acd105118dc8a0c8e620c96c7fa93f321db3f5c90ed319b39c18528028eee1373899cc099fec90fc50161f284207825bba672bcc290e7b4ae6ed50a76035d0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
88c4b2e204cc13106544adc932d25d2c

SHA1
1455382be61b7430c8c5732ed6e3b19adb0f367a

SHA256
f892e1700c9a3adbb9806c451e9927be111a30b3b39ac04bcb09e77d360cd9e0

SHA512
c3730d9ba7d95aa6a3b33c717fdde665c41fc8a41df4b2db71278a5e3d8497d5cce5523054d9fbfa5a4942af145342212133e0773bb624b2a844578eb82a4608

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
88c4b2e204cc13106544adc932d25d2c

SHA1
1455382be61b7430c8c5732ed6e3b19adb0f367a

SHA256
f892e1700c9a3adbb9806c451e9927be111a30b3b39ac04bcb09e77d360cd9e0

SHA512
c3730d9ba7d95aa6a3b33c717fdde665c41fc8a41df4b2db71278a5e3d8497d5cce5523054d9fbfa5a4942af145342212133e0773bb624b2a844578eb82a4608

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\c1911f23-ac7e-45a7-859e-53f3497c6f45\cddb2e2bea1a9f8f_0

Filesize
2KB

MD5
5fcf77296721d2168148cba2729dfdc3

SHA1
f5bf756a49a9ec28d8dee80c1c185519ce816271

SHA256
abca2e08fce7417b067ee12339aeeee9002120fb285992525ee47771bb82264c

SHA512
01a2a648388f3d5b6cedd1761c9d9bc2a18e83a5890fc5d2c07bdbc3bd422644a867cd87c7dcbc0d5379212cda206a0baa1a6626b7d4f202120f169a54cd14e6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\c1911f23-ac7e-45a7-859e-53f3497c6f45\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\c1911f23-ac7e-45a7-859e-53f3497c6f45\index-dir\the-real-index

Filesize
624B

MD5
5bf2d3d765d651ea4a0f066ce5981460

SHA1
ddf4d332c47e9b76b012f01037e5dd6cd7be39d8

SHA256
5d50c705ff7730c7794676a40d8d2a3c6436d265d720dbe1111a49de07e22346

SHA512
a1c0c0bec422f69106bb7df6477768519231e3086bb3302117d33ada2dcb5ceed8e10241392a4e227859ff083a3042265342cae751f36fef3af79f175aa082e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\c1911f23-ac7e-45a7-859e-53f3497c6f45\index-dir\the-real-index~RFe58aef8.TMP

Filesize
48B

MD5
8a3c6445c5a552a8e95f6fcdf67e0133

SHA1
dd1e65ccdc2f9f59a7355c2f0a0a3995c52b8fe2

SHA256
f5eb3f3f1e0f8228429dbe2a24588c76bf71f1645e79451569b03d0b89ddc226

SHA512
b356a86f2710a8e48cfc4e26a6ca5c8a2af30edd5a0cb4a81d535f39bb9221ca2f6c8afa0137b298021ccec11e2c74253cadb015993c140cdb16727ad0863530

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
56B

MD5
ae1bccd6831ebfe5ad03b482ee266e4f

SHA1
01f4179f48f1af383b275d7ee338dd160b6f558a

SHA256
1b11047e738f76c94c9d15ee981ec46b286a54def1a7852ca1ade7f908988649

SHA512
baf7ff6747f30e542c254f46a9678b9dbf42312933962c391b79eca6fcb615e4ba9283c00f554d6021e594f18c087899bc9b5362c41c0d6f862bba7fb9f83038

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
129B

MD5
2b1447630950bb6cbb9d0c8c4eeebe49

SHA1
dbec83d594c1ac84d30f9b24e3efdae45e3f8864

SHA256
f933cf2049dd2c21961e5472788eff203d0ce32bca7f951abeb5c9857471d40b

SHA512
b6c58ec08ae5c3a8fdf58527d6ca1736878c4c2ab9096235b9e1b045c2a1019cf2e7fac135b52195285db50afdfe115091c7260a5767282707296d350532e7b3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
125B

MD5
75828ab708671473024798637d4e24c2

SHA1
d8908eb3581aa23da17931bea73d7d2a7f0f9aa5

SHA256
eb3976bd2246ae680d7b02c4c787b2c86b81d57b1f18c2630d6ba0d06a8481f4

SHA512
c40ad20c890222f6b07df178bbf3465022dbee040ab34158a50a9f4667c027d0a6789215972be8670081872ac80fdae43e70605d939767bdcd35a010c9fd6be6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe5853d8.TMP

Filesize
120B

MD5
37e50a61bf8399e51a3a92988b4738c3

SHA1
ae5d24bdf476e583f76b9976661b52afddbc3838

SHA256
e166278248eff0b44d5ff7db09490b1f6096d9dc9e87ba9ac57198f3fe81ebc7

SHA512
077df054ebfa83bfa2434040f7f173b96b449f9bfd1045462cba3eee764a26198c5bf783edbd3baf70974a9ad0ab878851b4d944793bbfba136741f23648892b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\000001.dbtmp

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
86a990a69262420b1b74e5e57a867ee9

SHA1
cfa647345d896370a082921f55782cb1d737181a

SHA256
fee9dd17d69d9ff5c16937d9140bc47f24de63243342ea05b184ecc79b51248f

SHA512
6371039e903b460096a3f89d00ed901eb9e517c0858574fc17624b92765c7d84d8f110005d627cee77b0adda6532bd5dcf6a170530f269862af0e0b82217e5d5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe58a3ad.TMP

Filesize
48B

MD5
6986184a495b5e7dd2b0c596b064e683

SHA1
71fc80280466c3420e6f6720bd231a092c47decd

SHA256
b44a97eed3d54bb4ae42da491f8464e88d45f23c889e6e1fbe8b9af013479a3b

SHA512
1b0298ccb84e67051b9cdb27983f1bb31ee38a67a2b61c78b7e5ffe3491eed6a56c8d98d7b7868753367d817fba8cae470789117c1d70b25d9c77bbf7ed3e09c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\000003.log

Filesize
565B

MD5
8b12e7f97363ba15fdd20fb5b0937375

SHA1
42ae0fc7e5b928938dc976a59b6b80824773e286

SHA256
8b563aa294590725e9fd67c47f2e98b24008f608d61decae0d38bab0ded694b9

SHA512
754967ff664e947fa9cbfddeb2e3667819dc7505bdee512db419d13c90e67fc791b7134028689d8a4b7e1c79941c26a54bb44004b37db79edde3f1c83df53112

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\LOG

Filesize
317B

MD5
193020f5ad322297976c376a4aaa7e88

SHA1
0df01a7a31ece03ae516170a8f4f0621d6bf7ce7

SHA256
143c0918c18290a2f039ae4fe34ecdb2ce0fb06a6001e05cca8c8b29ae1d52af

SHA512
58a67c7493b7c4d88048989ee5a521124b6b91a3eba2a21fbb29acdc2ffbba9082e5e8b7dce09d192df8b8a00f8ec69c78583369726f892de034daed2730e248

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sessions\Tabs_13329059962085537

Filesize
945B

MD5
a9942039ec73137be6739286da2fdf9c

SHA1
d53438989f2c09c7d52ac81e1ecc09da7db0e46a

SHA256
a75b4c2faf21ded7f138edbdf16baab5dec40d3e2dfd3c2bbce4f60901ab0574

SHA512
c6330beb50c5c45feb3dbfd4985e82b2008e56ed1f57b4eaa664baf18c931015802c938d0d0aafda3d552370f885eb612523a792a8e1d59d1c4509ab6ac79354

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG

Filesize
345B

MD5
ca604e4af48b0b7ce7534f756e6ac120

SHA1
8eb7de13b9982e1f1fdb017788e8534f8ea1887d

SHA256
51d9bcabc76be8e2a8956a62adb9920016b222861e309a8fdd72acd16d1016d2

SHA512
71095a6dc0d0edcbbaeac65ee36d3b0659b367825e825f92083ca2d10f68eb05cb36d94fe2d7d297b881d94779f8a5620c15ec6f2c5e3a16e3ce028024fbd23a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000003.log

Filesize
4KB

MD5
ace76bd27d8617f5a9693e240db421f3

SHA1
26d4c1a1c0e435b932f093426251734689c6fc0b

SHA256
3348972d79e05c75189385e6d62f24273a516eb517526cd1e94774e6b54a9ebc

SHA512
f1298e562f37d5ddcab2bde874e1e38cb938031c5a77f1e02786a212d2756c652cf5b038dc9fb78a1f45544861a09c6631f164b6c5e5a9b264dc8d1e5e709c09

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG

Filesize
321B

MD5
a2a4357faf18a262a8be30641841b0a2

SHA1
9c8e5e65389cde43f494dbe3d6cb996eceb808c3

SHA256
d75e95d598bf4abf76366c4ff27eea1a2758be8ea979b1bb0789241eb96060d6

SHA512
19b2483b993b00c91b3f297c4048eec7293127bc3c2ca6874dadc6d0100cd601c83b675887b97b3fc157eff4251be22f0f575411465f714f3f40417e38e9b51d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Visited Links

Filesize
128KB

MD5
b7fd886635d8fdf725cbba5a2edfb1c2

SHA1
b40960f84518a31216e694100cbeaa0e423868ba

SHA256
7e7e6a3bd3e0314efa430a9c6ac640eaca8ea69acdbb89e1147bbd461fafe377

SHA512
af04193e6b217d8f3b559e6d2fc290f0deb6a00ab285d8b96b5bcde28be99d67e6e40d5746a98a5b985326efb6828254f6c4a868e257ff8f43181928915fa961

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\000003.log

Filesize
713B

MD5
2ac1bad382da2eb3b7fdf21f9bfb191f

SHA1
09937a196133980d7a58ecdec220cc198a4521d2

SHA256
089bf1d977904c5c695180746985f7ad05bc281fb00260d047c5f22d46a2775c

SHA512
d5a999cef857222f3659f11308522301b39a06640291c06bb507083355593ec66f197400da1bae21cecc5eecb68c9213737ddaceb67c89c91524af705326e1f1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\LOG

Filesize
317B

MD5
d807664ac6b3a6fb6d8bec925cee65e0

SHA1
5078924f529e6d821f41c190405b2e3cd00273f4

SHA256
c2a77d18182c1f7cf6c2c52cf76cb51c3c94b239f46b75733d31ee0a1b0b68ff

SHA512
a427704d98b90f1a24daeb96b835fee324d8090215601ef310f5be244c5b0976fc584996657d34bf17ae863f7dcf0387c928c9625cea85f0477ec5a0eb3209f1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\000003.log

Filesize
855B

MD5
a5d3d59c0816f8c964f6155187fd0c74

SHA1
f388e9a203520d1362930a3a58476d33e4714fac

SHA256
6b0ac1021ac96256b788a42802da0e2b416d43dfe4481334ecdc3fadd70310b9

SHA512
b788de4302201c8101540e581ad3a9c587903fb48e6168e5cf9963a850646dba93aa3f10c856abc4fa24acb6acf81f43d48ee84dd84d26ccdc5fb463872dbe9c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\LOG

Filesize
335B

MD5
f365bb2c5285e4bba187851544ab6d4f

SHA1
4a623b3436b7f65a876114703083759530dddea4

SHA256
e9c8172860551787043279f23a6baa4eb7e1cd2d3b7860385f572f360c78f97e

SHA512
5e30e91e7ad2878997d9258c334ab766916dd45079769ec9cbd6712e9055127c9623a071916825c29793cec4b7ec1abd03e6fc5bf105cd9729abaeb890c7e794

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Version

Filesize
14B

MD5
9eae63c7a967fc314dd311d9f46a45b7

SHA1
caba9c2c93acfe0b9ceb9ab19b992b0fc19c71cf

SHA256
4288925b0cf871c7458c22c46936efb0e903802feb991a0e1803be94ca6c251d

SHA512
bed924bff236bf5b6ce1df1db82e86c935e5830a20d9d24697efd82ca331e30604db8d04b0d692ec8541ec6deb2225bcc7d805b79f2db5726642198ecf6348b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
83KB

MD5
78f7705185aa3197d14bac4e03b37a0e

SHA1
69211dbf5264c8b222dccbbfab019eb9dca81359

SHA256
4f9fa3a7e18050104c4c52c8950071f87d8e1a3ef6ce1c8919143046285117f8

SHA512
43f5b72a4a973f79c3085063b4157a87a895953e96a3323d482ad369a4c374c745661cabe6b720f9d5807c6defecdf729ac3998d1812777cb8d61eb854c950b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
83KB

MD5
13c9b345b6d5c3d7dbc807f6c77d9cff

SHA1
266c703aee8df63daf286fb38d8896082b877b58

SHA256
3cfc579836d4dc3b3b74058b8f9fc69ae01a6657df8a639e529c2f984b0c906e

SHA512
98e76cc280cf93ed199c2faa64b06dc5fe00a58c1e3bcdc30428513977daa170fdaba4e0c69ab3dcff8021ae8d95dce0eafafd763afbb41d359c502ec5880202

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
151KB

MD5
d457aeae5be781775ca5841fda3056ab

SHA1
bdbb3b3d3114101494aca54225b202dd76f0d6e6

SHA256
007da58ae5044de1f971b29d502ec561fc431609cef182584cde5683648ca1e1

SHA512
2a3ab974a3f7659eb659a783aa886f2b99689cee67b1cff2f990ab572b2a126ce87478b492bf422850c8faecfc251302c7f0616148b538d4152277d530f13389

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
83KB

MD5
d20415d14b1cd8a86a0995d21ffd5b34

SHA1
8fb2e6a2e68e18a08baeb9b72570b0c70aeeeb24

SHA256
aee8f2647872c07af585e80e7094030263f8d5c707ce269cb7d9b802ac8dc0c6

SHA512
47665824faa4e71252ae057b0d52b03301409a0bd60960db27e1f4b58aa55dd83271377e0be8b4498211dfd7d122f1204b0c667eba0eeb4d3db7fbcdfd57e862

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
151KB

MD5
d457aeae5be781775ca5841fda3056ab

SHA1
bdbb3b3d3114101494aca54225b202dd76f0d6e6

SHA256
007da58ae5044de1f971b29d502ec561fc431609cef182584cde5683648ca1e1

SHA512
2a3ab974a3f7659eb659a783aa886f2b99689cee67b1cff2f990ab572b2a126ce87478b492bf422850c8faecfc251302c7f0616148b538d4152277d530f13389

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
111KB

MD5
27b0669a609623fac461ba87ab0c42e0

SHA1
03dbdb5559dab3a16af851c96f074bfc89613695

SHA256
cb9d5a318b3aaa074b09f308f6b3e6c47b8676332ac82380ea0184a8397975d7

SHA512
706d9fe93619155f943418f076ea8a96f391c4e16e3b314291521d263007b962062b4e27a2efc2e4a3eb51906a89412f8829cc9ccfe717caf8a738d2d825f025

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
99KB

MD5
68ba1156838cc8f38e053d0e3df14e94

SHA1
9f6f01f81a6b83c049adcbdfde6794870d946f22

SHA256
be6560d906ab15db5f4a4dd4a51ae05c10c35f9a3487ab1dc48eafe36563aa2d

SHA512
a3bde7ae97d21a9eda434f97524fa28293b080f99f7e30692a3bd2913648cc1326fdf3645d845cb9f0ee1e6871eefc9a4a1f4156649d04e1b98b148a103008d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
105KB

MD5
a77ef7b8207619da37d236f9628faa26

SHA1
673fec1d9b43511156902bbce4bcb8e60cddf0ab

SHA256
7f0ee709d10a066f015269c54cb69a87c8a49a9bb69e5a6e15bae2ae8419d067

SHA512
00d3da6420bf299b5a8cfa0b3a07936ed7b3ad8645f5d1dc5409fb1f7c5f817950d2fa3c5be580fe8c60105c63c6b1b28ac93e632bad36174314e0181ec410c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe58bd6f.TMP

Filesize
98KB

MD5
7126a727aa7cade883d26a8adce05830

SHA1
b30eafe6edc52d61b70a2e49ee27f9a2fd120d52

SHA256
347e4f545b2518f0050200473fc5a0237c974bcca6555a1430a59da6e1a97d0c

SHA512
20caa234b18819ec78d83eba0f9e7eb72d9f3715d697af2cc3044b157dee044ce9bfa839a4330b7109c8bd18f023c2b58592d0b02f5414053e0690a71bd96b1a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Variations

Filesize
86B

MD5
961e3604f228b0d10541ebf921500c86

SHA1
6e00570d9f78d9cfebe67d4da5efe546543949a7

SHA256
f7b24f2eb3d5eb0550527490395d2f61c3d2fe74bb9cb345197dad81b58b5fed

SHA512
535f930afd2ef50282715c7e48859cc2d7b354ff4e6c156b94d5a2815f589b33189ffedfcaf4456525283e993087f9f560d84cfcf497d189ab8101510a09c472

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
78c7656527762ed2977adf983a6f4766

SHA1
21a66d2eefcb059371f4972694057e4b1f827ce6

SHA256
e1000099751602ae1adcec6f1c74e1d65f472936817b45239dfed4b043984296

SHA512
0a8e58ae95163b3cdf8e81b5085887761e73cb7c836a1a6a972e837fb3df69b2ac70cfd6311d06d40656344ec35eb48e512f007561480f0345486ac2b329be0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
099b4ba2787e99b696fc61528100f83f

SHA1
06e1f8b7391e1d548e49a1022f6ce6e7aa61f292

SHA256
cdb1db488e260ed750edfe1c145850b57ee8ab819d75237a167e673116a33ee8

SHA512
4309375e10785564ceb03e0127ced414e366a5b833f16a60d796471d871b479e4c044db5268902d9dfd14715ca577cb26042bab8f7b0f31fe8abf33947feb9d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk

Filesize
2KB

MD5
cfd154adba97a2abf6dc729ccee5ecf7

SHA1
afe372eb37ef917aa410bb98e4b5d0c7d124414c

SHA256
499c032cfe38fb698ce03d4834ba230a12ccac01c507399d0b2df9cab8237701

SHA512
64bfb836d0768b5a3b25fbc0c555f9b2d8724f68f81f16f2e91309de7cabac20f6caa15968404693f4483439bc57f307d2382e7c2fb07a97b940893ed59b5c59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
4KB

MD5
6077de56fb1fda678e6b598101e9b9c0

SHA1
4a974c31c9a9060aa30b450a0d60175fccaf12e1

SHA256
82e744914e9a640ac8e58a495a055fa900d1109f66533c58a5b00dce2c0e73ef

SHA512
2399922fd2a9c5c2658cb2dba990527f1ac3218c48e82b42ebfd19363b6384c8f7250ed1f98c3e402593ff61dd51fcff41ed1c82375348bcd324b76fa69b27f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\af66822f-d510-416b-bc21-83f7774f0996.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\f97a6303-1c3b-449f-a421-2e712a0ab1d8.tmp

Filesize
3KB

MD5
4755a70fea1821042df5e1e3c7a49f03

SHA1
7f74bfadb3ed94253bcf67c5b4dcaf8b66505955

SHA256
43e055f05e8d858a1bc565ea229989782e38f8f9c57cf4bca287e1ea16c14125

SHA512
8585d456bd7ae07f8ca844a567d2aa82814c9a4e11c0f38dab60ded65f6cf99686cbfcc3c416d0a87e3bfe99f0a6614b9354eaaf2ee9dde0643b5d0d35b3cfaa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
3KB

MD5
944a62361c4137f5b68c29bda82e1546

SHA1
bb7fc694070586c50cd04cd0757e0b15306a5bec

SHA256
b74f99ef2d7fffd2347ed538cf68c9cbd977a84fb563c1b5202d9f71ac8c7db2

SHA512
e07e0492503579d283ccc85018f002ff9fedb89e22b31918c4bb4e5c3058996233dc8f7693aef4ab030dde992fddb9a0b919de4e53af461348406bda14493841

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
3KB

MD5
651907d65f406708429e5cca5b3bb22a

SHA1
d78a0b17a3c90ab48c501427375296177410835f

SHA256
743a06544fc62e74ef206567516ae066be843029462a31cc876b922116feb2ef

SHA512
96e4372978d834181a49c9f3516926e544977c7b992c10539d7607b9e24d3daa008cf3296ee9a622ec17829c18c4f2db7ed5e7a6cab91f68ede35d166ea4ac65

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]

Filesize
933B

MD5
7a2726bb6e6a79fb1d092b7f2b688af0

SHA1
b3effadce8b76aee8cd6ce2eccbb8701797468a2

SHA256
840ab19c411c918ea3e7526d0df4b9cb002de5ea15e854389285df0d1ea9a8e5

SHA512
4e107f661e6be183659fdd265e131a64cce2112d842226305f6b111d00109a970fda0b5abfb1daa9f64428e445e3b472332392435707c9aebbfe94c480c72e54

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]

Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\TaskData\Tor\tor.exe

Filesize
3.0MB

MD5
fe7eb54691ad6e6af77f8a9a0b6de26d

SHA1
53912d33bec3375153b7e4e68b78d66dab62671a

SHA256
e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb

SHA512
8ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_finnish.wnry

Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

Filesize
6.9MB

MD5
cf5ccf91459708fa118ee7ac613ad51f

SHA1
25b1dfff99dc03f5faca0a035a4a97e5e8774ef8

SHA256
127747d34c9a473552defd509f2bf86372f563a7e2aef6b60ea61b73b719783f

SHA512
e9844f8bc926a0de92ee4caecdae723c10963b3533c62a845de9d3a5156af225bf259ad989264f6db00f115ed5be0f50b48ca69a84e1ee69cd164fd183e64def

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r.zip.crdownload

Filesize
3.4MB

MD5
25b35814c2073a617647a851eff5ef2c

SHA1
a9cebe92e74f4fe0d75307d76032398398075dcc

SHA256
b1d6b2e9e56e2c5b9ccf073f8dda14139abef8264ae083c87549edfab86f3729

SHA512
1beb0c8a12e0ca11b5de77e5c7ff38d59132c8ec1c3371d63c09b0c6b02b7516dd4f1730814a4f76d5f831e738259f9eedb9d1d5643caffa68867e12f50b81e5

Download Submit
C:\Users\Default\Desktop\@[email protected]

Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
memory/696-1386-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/5172-2712-0x0000000000D30000-0x000000000102E000-memory.dmp

Filesize
3.0MB

Download
memory/5172-2739-0x0000000000D30000-0x000000000102E000-memory.dmp

Filesize
3.0MB

Download
memory/5172-2710-0x0000000074430000-0x00000000744B2000-memory.dmp

Filesize
520KB

Download
memory/5172-2724-0x0000000000D30000-0x000000000102E000-memory.dmp

Filesize
3.0MB

Download
memory/5172-2725-0x00000000744E0000-0x0000000074562000-memory.dmp

Filesize
520KB

Download
memory/5172-2727-0x0000000074430000-0x00000000744B2000-memory.dmp

Filesize
520KB

Download
memory/5172-2726-0x00000000744C0000-0x00000000744DC000-memory.dmp

Filesize
112KB

Download
memory/5172-2728-0x0000000074400000-0x0000000074422000-memory.dmp

Filesize
136KB

Download
memory/5172-2729-0x0000000074380000-0x00000000743F7000-memory.dmp

Filesize
476KB

Download
memory/5172-2730-0x0000000074110000-0x000000007432C000-memory.dmp

Filesize
2.1MB

Download
memory/5172-2732-0x0000000000D30000-0x000000000102E000-memory.dmp

Filesize
3.0MB

Download
memory/5172-2711-0x0000000074400000-0x0000000074422000-memory.dmp

Filesize
136KB

Download
memory/5172-2745-0x0000000074110000-0x000000007432C000-memory.dmp

Filesize
2.1MB

Download
memory/5172-2773-0x0000000000D30000-0x000000000102E000-memory.dmp

Filesize
3.0MB

Download
memory/5172-2779-0x0000000074110000-0x000000007432C000-memory.dmp

Filesize
2.1MB

Download
memory/5172-2709-0x0000000074110000-0x000000007432C000-memory.dmp

Filesize
2.1MB

Download
memory/5172-2802-0x0000000000D30000-0x000000000102E000-memory.dmp

Filesize
3.0MB

Download
memory/5172-2808-0x0000000074110000-0x000000007432C000-memory.dmp

Filesize
2.1MB

Download
memory/5172-2809-0x0000000000D30000-0x000000000102E000-memory.dmp

Filesize
3.0MB

Download
memory/5172-2815-0x0000000074110000-0x000000007432C000-memory.dmp

Filesize
2.1MB

Download
memory/5172-2818-0x0000000000D30000-0x000000000102E000-memory.dmp

Filesize
3.0MB

Download
memory/5172-2824-0x0000000074110000-0x000000007432C000-memory.dmp

Filesize
2.1MB

Download
memory/5172-2829-0x0000000000D30000-0x000000000102E000-memory.dmp

Filesize
3.0MB

Download
memory/5172-2708-0x00000000744E0000-0x0000000074562000-memory.dmp

Filesize
520KB

Download