wannacry | hxxps://github[.]com/Endermanch/MalwareDatabase/blob/master/ransomwares/WannaCrypt0r[.]zip

Resubmissions

24-06-2023 15:22

230624-sr5rmacf9z 6

24-06-2023 15:18

230624-sp28qacf9v 10

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
24-06-2023 15:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Endermanch/MalwareDatabase/blob/master/ransomwares/WannaCrypt0r.zip

Score

10^/10

wannacry discovery persistence ransomware worm

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@Please_Read_Me@.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94 Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 23 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

Endermanch@WannaCrypt0r.exe

description	ioc	process
File created	C:\Users\Admin\Pictures\FormatCompress.raw.WNCRYT	Endermanch@WannaCrypt0r.exe
File created	C:\Users\Admin\Pictures\ReadRestart.tiff.WNCRYT	Endermanch@WannaCrypt0r.exe
File renamed	C:\Users\Admin\Pictures\RestartEnter.raw.WNCRYT => C:\Users\Admin\Pictures\RestartEnter.raw.WNCRY	Endermanch@WannaCrypt0r.exe
File created	C:\Users\Admin\Pictures\UnregisterSuspend.raw.WNCRYT	Endermanch@WannaCrypt0r.exe
File renamed	C:\Users\Admin\Pictures\UnregisterSuspend.raw.WNCRYT => C:\Users\Admin\Pictures\UnregisterSuspend.raw.WNCRY	Endermanch@WannaCrypt0r.exe
File opened for modification	C:\Users\Admin\Pictures\MergeRepair.tiff	Endermanch@WannaCrypt0r.exe
File opened for modification	C:\Users\Admin\Pictures\FormatCompress.raw.WNCRY	Endermanch@WannaCrypt0r.exe
File created	C:\Users\Admin\Pictures\GetReceive.raw.WNCRYT	Endermanch@WannaCrypt0r.exe
File renamed	C:\Users\Admin\Pictures\ReadRestart.tiff.WNCRYT => C:\Users\Admin\Pictures\ReadRestart.tiff.WNCRY	Endermanch@WannaCrypt0r.exe
File opened for modification	C:\Users\Admin\Pictures\RestartEnter.raw.WNCRY	Endermanch@WannaCrypt0r.exe
File opened for modification	C:\Users\Admin\Pictures\ReadRestart.tiff	Endermanch@WannaCrypt0r.exe
File renamed	C:\Users\Admin\Pictures\MergeRepair.tiff.WNCRYT => C:\Users\Admin\Pictures\MergeRepair.tiff.WNCRY	Endermanch@WannaCrypt0r.exe
File opened for modification	C:\Users\Admin\Pictures\MergeRepair.tiff.WNCRY	Endermanch@WannaCrypt0r.exe
File created	C:\Users\Admin\Pictures\RestartEnter.raw.WNCRYT	Endermanch@WannaCrypt0r.exe
File created	C:\Users\Admin\Pictures\MergeRepair.tiff.WNCRYT	Endermanch@WannaCrypt0r.exe
File opened for modification	C:\Users\Admin\Pictures\ReadRestart.tiff.WNCRY	Endermanch@WannaCrypt0r.exe
File created	C:\Users\Admin\Pictures\SendMerge.tif.WNCRYT	Endermanch@WannaCrypt0r.exe
File renamed	C:\Users\Admin\Pictures\SendMerge.tif.WNCRYT => C:\Users\Admin\Pictures\SendMerge.tif.WNCRY	Endermanch@WannaCrypt0r.exe
File opened for modification	C:\Users\Admin\Pictures\SendMerge.tif.WNCRY	Endermanch@WannaCrypt0r.exe
File renamed	C:\Users\Admin\Pictures\FormatCompress.raw.WNCRYT => C:\Users\Admin\Pictures\FormatCompress.raw.WNCRY	Endermanch@WannaCrypt0r.exe
File renamed	C:\Users\Admin\Pictures\GetReceive.raw.WNCRYT => C:\Users\Admin\Pictures\GetReceive.raw.WNCRY	Endermanch@WannaCrypt0r.exe
File opened for modification	C:\Users\Admin\Pictures\GetReceive.raw.WNCRY	Endermanch@WannaCrypt0r.exe
File opened for modification	C:\Users\Admin\Pictures\UnregisterSuspend.raw.WNCRY	Endermanch@WannaCrypt0r.exe

Drops startup file 2 IoCs

Processes:

Endermanch@WannaCrypt0r.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD7255.tmp	Endermanch@WannaCrypt0r.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD726B.tmp	Endermanch@WannaCrypt0r.exe

Executes dropped EXE 10 IoCs

Processes:

taskdl.exe@WanaDecryptor@.exe@WanaDecryptor@.exetaskhsvc.exetaskse.exe@WanaDecryptor@.exetaskdl.exe@WanaDecryptor@.exetaskse.exetaskdl.exe

pid	process
3256	taskdl.exe
3348	@WanaDecryptor@.exe
2836	@WanaDecryptor@.exe
4812	taskhsvc.exe
5104	taskse.exe
2188	@WanaDecryptor@.exe
620	taskdl.exe
3620	@WanaDecryptor@.exe
3088	taskse.exe
1940	taskdl.exe

Loads dropped DLL 8 IoCs

Processes:

taskhsvc.exe

pid process

4812 taskhsvc.exe
4812 taskhsvc.exe
4812 taskhsvc.exe
4812 taskhsvc.exe
4812 taskhsvc.exe
4812 taskhsvc.exe
4812 taskhsvc.exe
4812 taskhsvc.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

4420 icacls.exe

pid	process
4812	taskhsvc.exe
4812	taskhsvc.exe
4812	taskhsvc.exe
4812	taskhsvc.exe
4812	taskhsvc.exe
4812	taskhsvc.exe
4812	taskhsvc.exe
4812	taskhsvc.exe

pid	process
4420	icacls.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uzksofnqjey370 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Temp1_WannaCrypt0r.zip\\tasksche.exe\""	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

Endermanch@WannaCrypt0r.exe@WanaDecryptor@.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@WanaDecryptor@.bmp"	Endermanch@WannaCrypt0r.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@WanaDecryptor@.bmp"	@WanaDecryptor@.exe

Drops file in Program Files directory 2 IoCs

Processes:

setup.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\f0bf071d-3745-414d-81db-36fa3e1a1034.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20230624152134.pma	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exemsedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133320935624943329"	chrome.exe

Modifies registry class 2 IoCs

Processes:

chrome.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4129409437-3162877118-52503038-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

4656 reg.exe

pid	process
4656	reg.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

chrome.exetaskhsvc.exechrome.exemsedge.exemsedge.exeidentity_helper.exe

pid	process
1976	chrome.exe
1976	chrome.exe
4812	taskhsvc.exe
4812	taskhsvc.exe
4812	taskhsvc.exe
4812	taskhsvc.exe
4812	taskhsvc.exe
4812	taskhsvc.exe
1164	chrome.exe
1164	chrome.exe
3540	msedge.exe
3540	msedge.exe
2820	msedge.exe
2820	msedge.exe
5280	identity_helper.exe
5280	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

Processes:

chrome.exemsedge.exe

pid	process
1976	chrome.exe
1976	chrome.exe
2820	msedge.exe
2820	msedge.exe
2820	msedge.exe
2820	msedge.exe
2820	msedge.exe
2820	msedge.exe
2820	msedge.exe
2820	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeCreatePagefilePrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeCreatePagefilePrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeCreatePagefilePrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeCreatePagefilePrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeCreatePagefilePrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeCreatePagefilePrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeCreatePagefilePrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeCreatePagefilePrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeCreatePagefilePrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeCreatePagefilePrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeCreatePagefilePrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeCreatePagefilePrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeCreatePagefilePrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeCreatePagefilePrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeCreatePagefilePrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeCreatePagefilePrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeCreatePagefilePrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeCreatePagefilePrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeCreatePagefilePrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeCreatePagefilePrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeCreatePagefilePrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeCreatePagefilePrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeCreatePagefilePrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeCreatePagefilePrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeCreatePagefilePrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeCreatePagefilePrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeCreatePagefilePrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeCreatePagefilePrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeCreatePagefilePrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeCreatePagefilePrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeCreatePagefilePrivilege	1976	chrome.exe
Token: SeShutdownPrivilege	1976	chrome.exe
Token: SeCreatePagefilePrivilege	1976	chrome.exe

Suspicious use of FindShellTrayWindow 37 IoCs

Processes:

chrome.exe@WanaDecryptor@.exemsedge.exe

pid	process
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
2188	@WanaDecryptor@.exe
2820	msedge.exe
2820	msedge.exe
2820	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe
1976	chrome.exe

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exe

pid	process
3348	@WanaDecryptor@.exe
2836	@WanaDecryptor@.exe
2836	@WanaDecryptor@.exe
3348	@WanaDecryptor@.exe
2188	@WanaDecryptor@.exe
2188	@WanaDecryptor@.exe
3620	@WanaDecryptor@.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 1976 wrote to memory of 1612	1976	chrome.exe	chrome.exe
PID 1976 wrote to memory of 1612	1976	chrome.exe	chrome.exe
PID 1976 wrote to memory of 2416	1976	chrome.exe	chrome.exe
PID 1976 wrote to memory of 2416	1976	chrome.exe	chrome.exe
PID 1976 wrote to memory of 2416	1976	chrome.exe	chrome.exe
PID 1976 wrote to memory of 2416	1976	chrome.exe	chrome.exe
PID 1976 wrote to memory of 2416	1976	chrome.exe	chrome.exe
PID 1976 wrote to memory of 2416	1976	chrome.exe	chrome.exe
PID 1976 wrote to memory of 2416	1976	chrome.exe	chrome.exe
PID 1976 wrote to memory of 2416	1976	chrome.exe	chrome.exe
PID 1976 wrote to memory of 2416	1976	chrome.exe	chrome.exe
PID 1976 wrote to memory of 2416	1976	chrome.exe	chrome.exe
PID 1976 wrote to memory of 2416	1976	chrome.exe	chrome.exe
PID 1976 wrote to memory of 2416	1976	chrome.exe	chrome.exe
PID 1976 wrote to memory of 2416	1976	chrome.exe	chrome.exe
PID 1976 wrote to memory of 2416	1976	chrome.exe	chrome.exe
PID 1976 wrote to memory of 2416	1976	chrome.exe	chrome.exe
PID 1976 wrote to memory of 2416	1976	chrome.exe	chrome.exe
PID 1976 wrote to memory of 2416	1976	chrome.exe	chrome.exe
PID 1976 wrote to memory of 2416	1976	chrome.exe	chrome.exe
PID 1976 wrote to memory of 2416	1976	chrome.exe	chrome.exe
PID 1976 wrote to memory of 2416	1976	chrome.exe	chrome.exe
PID 1976 wrote to memory of 2416	1976	chrome.exe	chrome.exe
PID 1976 wrote to memory of 2416	1976	chrome.exe	chrome.exe
PID 1976 wrote to memory of 2416	1976	chrome.exe	chrome.exe
PID 1976 wrote to memory of 2416	1976	chrome.exe	chrome.exe
PID 1976 wrote to memory of 2416	1976	chrome.exe	chrome.exe
PID 1976 wrote to memory of 2416	1976	chrome.exe	chrome.exe
PID 1976 wrote to memory of 2416	1976	chrome.exe	chrome.exe
PID 1976 wrote to memory of 2416	1976	chrome.exe	chrome.exe
PID 1976 wrote to memory of 2416	1976	chrome.exe	chrome.exe
PID 1976 wrote to memory of 2416	1976	chrome.exe	chrome.exe
PID 1976 wrote to memory of 2416	1976	chrome.exe	chrome.exe
PID 1976 wrote to memory of 2416	1976	chrome.exe	chrome.exe
PID 1976 wrote to memory of 2416	1976	chrome.exe	chrome.exe
PID 1976 wrote to memory of 2416	1976	chrome.exe	chrome.exe
PID 1976 wrote to memory of 2416	1976	chrome.exe	chrome.exe
PID 1976 wrote to memory of 2416	1976	chrome.exe	chrome.exe
PID 1976 wrote to memory of 2416	1976	chrome.exe	chrome.exe
PID 1976 wrote to memory of 2416	1976	chrome.exe	chrome.exe
PID 1976 wrote to memory of 4472	1976	chrome.exe	chrome.exe
PID 1976 wrote to memory of 4472	1976	chrome.exe	chrome.exe
PID 1976 wrote to memory of 1108	1976	chrome.exe	chrome.exe
PID 1976 wrote to memory of 1108	1976	chrome.exe	chrome.exe
PID 1976 wrote to memory of 1108	1976	chrome.exe	chrome.exe
PID 1976 wrote to memory of 1108	1976	chrome.exe	chrome.exe
PID 1976 wrote to memory of 1108	1976	chrome.exe	chrome.exe
PID 1976 wrote to memory of 1108	1976	chrome.exe	chrome.exe
PID 1976 wrote to memory of 1108	1976	chrome.exe	chrome.exe
PID 1976 wrote to memory of 1108	1976	chrome.exe	chrome.exe
PID 1976 wrote to memory of 1108	1976	chrome.exe	chrome.exe
PID 1976 wrote to memory of 1108	1976	chrome.exe	chrome.exe
PID 1976 wrote to memory of 1108	1976	chrome.exe	chrome.exe
PID 1976 wrote to memory of 1108	1976	chrome.exe	chrome.exe
PID 1976 wrote to memory of 1108	1976	chrome.exe	chrome.exe
PID 1976 wrote to memory of 1108	1976	chrome.exe	chrome.exe
PID 1976 wrote to memory of 1108	1976	chrome.exe	chrome.exe
PID 1976 wrote to memory of 1108	1976	chrome.exe	chrome.exe
PID 1976 wrote to memory of 1108	1976	chrome.exe	chrome.exe
PID 1976 wrote to memory of 1108	1976	chrome.exe	chrome.exe
PID 1976 wrote to memory of 1108	1976	chrome.exe	chrome.exe
PID 1976 wrote to memory of 1108	1976	chrome.exe	chrome.exe
PID 1976 wrote to memory of 1108	1976	chrome.exe	chrome.exe
PID 1976 wrote to memory of 1108	1976	chrome.exe	chrome.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

4944 attrib.exe
3244 attrib.exe

pid	process
4944	attrib.exe
3244	attrib.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://github.com/Endermanch/MalwareDatabase/blob/master/ransomwares/WannaCrypt0r.zip
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1976

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff816ca9758,0x7ff816ca9768,0x7ff816ca9778
2⤵
PID:1612

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1688 --field-trial-handle=1836,i,12609078690471859970,6460910129132603681,131072 /prefetch:2
2⤵
PID:2416

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=1836,i,12609078690471859970,6460910129132603681,131072 /prefetch:8
2⤵
PID:4472

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2092 --field-trial-handle=1836,i,12609078690471859970,6460910129132603681,131072 /prefetch:8
2⤵
PID:1108

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3188 --field-trial-handle=1836,i,12609078690471859970,6460910129132603681,131072 /prefetch:1
2⤵
PID:1568

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3200 --field-trial-handle=1836,i,12609078690471859970,6460910129132603681,131072 /prefetch:1
2⤵
PID:4088

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5104 --field-trial-handle=1836,i,12609078690471859970,6460910129132603681,131072 /prefetch:8
2⤵
PID:900

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5280 --field-trial-handle=1836,i,12609078690471859970,6460910129132603681,131072 /prefetch:8
2⤵
PID:2484

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5228 --field-trial-handle=1836,i,12609078690471859970,6460910129132603681,131072 /prefetch:8
2⤵
PID:2492

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5396 --field-trial-handle=1836,i,12609078690471859970,6460910129132603681,131072 /prefetch:8
2⤵
PID:2028

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=952 --field-trial-handle=1836,i,12609078690471859970,6460910129132603681,131072 /prefetch:8
2⤵
PID:4572

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2768 --field-trial-handle=1836,i,12609078690471859970,6460910129132603681,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1164

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3732

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3260

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\Endermanch@WannaCrypt0r.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\Endermanch@WannaCrypt0r.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Sets desktop wallpaper using registry
PID:2164

C:\Windows\SysWOW64\attrib.exe
attrib +h .
2⤵
- Views/modifies file attributes
PID:4944

C:\Windows\SysWOW64\icacls.exe
icacls . /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:4420

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:3256

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 12751687620015.bat
2⤵
PID:5080

C:\Windows\SysWOW64\cscript.exe
cscript.exe //nologo m.vbs
3⤵
PID:4804

C:\Windows\SysWOW64\attrib.exe
attrib +h +s F:\$RECYCLE
2⤵
- Views/modifies file attributes
PID:3244

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
@WanaDecryptor@.exe co
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3348

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\TaskData\Tor\taskhsvc.exe
TaskData\Tor\taskhsvc.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4812

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /b @WanaDecryptor@.exe vs
2⤵
PID:4868

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
@WanaDecryptor@.exe vs
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2836

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
4⤵
PID:4408

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
5⤵
PID:1060

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2188

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/search?q=how+to+buy+bitcoin
3⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
PID:2820

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff8179f46f8,0x7ff8179f4708,0x7ff8179f4718
4⤵
PID:5104

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,2813603126810031976,972872737047568609,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
4⤵
PID:4176

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,2813603126810031976,972872737047568609,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2432 /prefetch:3
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:3540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,2813603126810031976,972872737047568609,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2852 /prefetch:8
4⤵
PID:4376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,2813603126810031976,972872737047568609,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3664 /prefetch:1
4⤵
PID:4508

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,2813603126810031976,972872737047568609,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3652 /prefetch:1
4⤵
PID:4984

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,2813603126810031976,972872737047568609,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5032 /prefetch:1
4⤵
PID:1564

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,2813603126810031976,972872737047568609,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2784 /prefetch:1
4⤵
PID:4768

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2120,2813603126810031976,972872737047568609,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3820 /prefetch:8
4⤵
PID:1736

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,2813603126810031976,972872737047568609,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5944 /prefetch:8
4⤵
PID:4144

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
4⤵
- Drops file in Program Files directory
PID:4720

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff70fbf5460,0x7ff70fbf5470,0x7ff70fbf5480
5⤵
PID:1036

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,2813603126810031976,972872737047568609,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5944 /prefetch:8
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:5280

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,2813603126810031976,972872737047568609,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:1
4⤵
PID:5532

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,2813603126810031976,972872737047568609,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1
4⤵
PID:5524

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,2813603126810031976,972872737047568609,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:1
4⤵
PID:5728

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,2813603126810031976,972872737047568609,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3864 /prefetch:1
4⤵
PID:5720

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "uzksofnqjey370" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\tasksche.exe\"" /f
2⤵
PID:1136

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "uzksofnqjey370" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\tasksche.exe\"" /f
3⤵
- Adds Run key to start application
- Modifies registry key
PID:4656

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
PID:5104

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:620

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
PID:3088

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
@WanaDecryptor@.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3620

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:1940

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:5052

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3000

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x520 0x51c
1⤵
PID:1956

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

File Deletion

T1107

File Permissions Modification

T1222

Modify Registry

T1112

Hidden Files and Directories

T1158

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Inhibit System Recovery

T1490

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\@WanaDecryptor@.exe.lnk
Filesize
1KB

MD5
2ba9d43230d2c2ab3d521e9346fdeaab

SHA1
34181d0dbc16177f15eda226782d7eef79057b80

SHA256
46eaf2567bfd49920f59d62d0cec5dea8131ad9abf3ee5136c32dc3157484f06

SHA512
cf868658a007015619b2e89fa18032150268e7ec915f1e39bf323e778f5d14c4702bf33b8db509b2078df328e60cd8feca2f477cd324e48d9ceb9930d5d6917c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
27df2e3aed05724495aa6a8b92413493

SHA1
388783af2eec1b36b526232bdc1982996fc9c5d9

SHA256
d2966d6fdc88d56e440302b2b20c4ab5ec60c79ae63ec051059dd5daebf4d793

SHA512
5c0ca673ae6a6dfaf2e6500bd8032edebe2370d72329e6d26769b886e5c9d9b96ce397aa7ae7e0b6d4e7bc044eacbf847e2ca7f6849dde540fe567a011777079

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
bf00e3ebaa71bddcb9adeb15f62683dd

SHA1
162e68edae03b71cf387296430da4a8987b982c6

SHA256
9ab1388947eb948cf9f3f3bf8e979758345a2635cf1e021871f56e0e0877f2c2

SHA512
bf2a7e545c083be3fc06157f921c46b68f619d9ef2d11dac1e9e0106fe8f22b84cb4cda23e403245e5b417709e8f9104d154d257df3deae7ffd4d30f3e3caa05

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
ff0a4c4f0b8081fa615d4d60265590e1

SHA1
3fdb7105b0bf99b98c1c6f2389c3c36a1e681101

SHA256
9d9159131cf85b48f9c2a48f6c17fc692b0de207899e53276c700e8d4db5bd5a

SHA512
6d45c15f5841646430428c42a3066eeb9a7af49b94ec7ba42a48f87530486eea8e7132a069103efbcbd9aab3381c177cc22cae1c7ac8975377b6ee342e01f760

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
b7ff0f95560732e16e26eb84b1973ca4

SHA1
8ceccf18d69ff20bd78d4bd961ecd805b5900ca0

SHA256
b4b551bbc2da1b36247b3bf38e42be24b2fedcfdacc112f01035f1ba63c285d2

SHA512
9e1acb5e2b9686a04dd514b36a92acbdd48d2d0bea6ad64d60a970a1eb6b9bd9597fa550e8542af83199ab036386f1b134344759f39437d77fab9d9ddca1aab8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
61d336eeeb4111b2819b77d93827d8a2

SHA1
20cdc410109c71c885d0bbf9578b192b8b796c34

SHA256
5b1793df6085f31635a9abefa89991b01730dd00298f6b9766334049ea5a2d50

SHA512
cb30f1f49d888e38ff505f15b2420875dbff96efa838689ea76b67a15322364f8601fc6b918bbeb6edae13eb8e864c581a448b40a83ebd7356f3b63848ae8407

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
b5dde2f2b0632c3be0e89992bdedd93c

SHA1
ba956f4fad17d3b6dc5f692ce8bb25505067ec42

SHA256
1782df5497f6bdc7c64be2f43c5ee5c9e206395a78579d2e711e9b4da793252d

SHA512
8e6d04b1f631de0d47bb40f80f560798a1ba04cbe43dfaf0f506f0b7ef0b3586e38a41cba1bd33f5ed315274f9825078846275eaef27914ab4c2e28d51f22d97

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
15KB

MD5
574be4666f6fb4ff104ab421705c1cf8

SHA1
7dec262b0fb6c8c4afe166174180ceb654ae4dd8

SHA256
baa774f189714e861ec718ac62a729bb57a53d60778ae813073c93c0da26ef59

SHA512
9c6931d1e2c1f3b3756ff9962c2bc078b1c7c36e972030cc9a5e92ccc03ec5981b5da9b26705f101a96f43506bd834912357dbc3f698161bed8e1dce1e053492

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
174KB

MD5
6381615f19c4286b12363ca9d26e3bb4

SHA1
973a4f996475378ec18ae3022ef4bc29b433bf7f

SHA256
9d564c326fbb2a728959ff357d4853981cd2efdef0b8d14c41af952c622dfd01

SHA512
a12a483995050dbba52c7b08d26a89e4e6912bf0c7454dc864236216fd0631abc1f3e767525bc871502f37833bc41330fe6f4289ec25e7060b9260e6d0f1f7e5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
106KB

MD5
7a08eb57a75f87f4e11bba2628d85483

SHA1
ba4ac151d699a316fe894b8d84fbdfdada311075

SHA256
054c24c5ae5426757385fbccbcd8e2248e1f6abfeaba328d4655e86b2277950d

SHA512
09f0779efb25528745c17c4d26ddd6eb9c544686e79ece7bd7646fe0e7f77ad930ba495673dec891cf94440b1658ed3bf96fabfadc22a361f55f84c7b6b24396

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe572357.TMP
Filesize
103KB

MD5
16a90a93615ad623519e7ce143e20ed7

SHA1
aad55698652c201caaad99294cf5ef5228b2b22e

SHA256
9e370f2f5a45cca8f2636afa7d32ef1f993da021a3565c2fce2626b38cbbeb0b

SHA512
6d649121504bd966afe4e406ea18eb03e0f7e0a256631a821b00ac31701c3328474bc320f474278d07612131de862749417c633f6e6fafec1fd065330f89033e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
c032c944f0c68db2f9bc2541ba822212

SHA1
a829f6cf1e7f3f796eeb68ef3525d7f3d177a38a

SHA256
1b4b0d7b255a79089375c9c200df8f48c8536ec99752f877e9090af9dd8e4127

SHA512
cc22cf70c068f1b5c518a8d3302cbb5a79a66929488cd34939f7743aaa999cba091f182701cdda5872b6b93cf89d396b809b0b7f6f2d5f6e7ad1b5102623cf7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
e0db402062b0af9ebbf6385372ca8d0b

SHA1
af778006b22dbafed0ffc708c2a08c75866173ef

SHA256
3496117f92c5f4f895aa007bdb10496eaf20edbc77be2abeef611fbc082c1827

SHA512
a38b4bcac17c451d7a34a90f3612436adf0d896e5c074de11af59fb1a8abe1bb4536b3efd3e00565fbfba296a59fa46415b7d0468ba6f00110ca605c9760eae0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\5c421824-3a07-4c38-a4e2-b8ec9fda6740.tmp
Filesize
24KB

MD5
d5f6e43b9bb30966d0bc507edaa766af

SHA1
f55430cdf8aac488b7e726277ff47551de8f6b3c

SHA256
26c3c700f69edb0a1ef22ad9cabc4c126967093a008638d4b9e91aea558f7053

SHA512
580548318c413a964558422b0cbd1b05cc46f9cba53b59e2818f768f8ee9f8e3838981d686b2e82f24b3b62145cb7f1240c7602adddfabef6356730413310713

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico
Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk
Filesize
2KB

MD5
797ab1fc260a2824f325a65199fe392b

SHA1
22b41fc43a59537107e97b373512174d5f8f61d0

SHA256
8b420ddc351351243ba73cf178745d9ab6bb58f0fd2df265de83a94c1afdd485

SHA512
d490e1f1153c1797f09bf27c8f3782cb0fb063796f701c97359d191c5480d3bfe1397b03f134ed8079a3d76530911e54840f913bb340128e0035b95d917d6060

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
0b41145b0b36996908cbe50e78653213

SHA1
8b6f99a43d3a141014b438c68f500f023705f964

SHA256
d25a91dfe4c857dbe0ed2f0e8abb4ce3a57a4d3c475aa751cd53209e0bbffd0f

SHA512
3f86f07ae8ee838f73f007d7991d54955627febc4f4a2fd3c85ebe1c9f7289d24d065176d74648eb807a64bcdb94904f027456ca90ca80d5d91c360128a034d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
bbb0fa4fa02cd627dfba3630d5394bfc

SHA1
498dc59b601a14e9f986d1bc89652af098bb7c44

SHA256
5a80451cf0463e9a627929c3cf10bda4f0efbb4be82ebffc34146cb086e52971

SHA512
aae6eb9487c3912b2c63c7d4cea9f04ac8b2cf7bc1de336901a3e865b3e7bb971dda64ef2edaf302a57cae2d8625db56610fd807853616d9eec0feb7db0b42c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
2f8e23dd1877d95a3433727f2a60f67c

SHA1
df5e1996632ddbe202b99c6903297a071a714bf4

SHA256
a5a6e82e693f9e814a238af1d73aaad7038e2eb3b10a24caedb57083599cf949

SHA512
56219483216dee9e51fc55c516c5c54cb2a2ff4e4e1a7636ad615d868a1ef9aed42712d5b2d7c3071af8002741c827e74c8a4b80d6a3cdec165513481816e54a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
24KB

MD5
08ec5969be8e3995de1976a77b350ccc

SHA1
938c9a5df356d118c9e435ced818d217d55f70ee

SHA256
3eba1c53e369cbeee335d13b78116c4a74b4d4ca79531e89f6250324ca253b0b

SHA512
34c17b46774153ee3e5d0598d5300f2b336afb1d5ebd472b8da831f6dde0efd2137bd0a95a034c98e11953bbc9b06f076a8e25239f516bd5a46b06be37a90f53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001
Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
9KB

MD5
b4d09e1aa65546f5bbd415a989be0f2b

SHA1
b687489392f89dd31bdff97bcce8524d793b7c50

SHA256
fa95f254c2426cd3ef012aa2336843b0b9b26468a8912eaea3fed5019256e65a

SHA512
6b9d3c06b80351614c89a0d4fa09f21ae52d9412d426a2031435599baf7b912decf1984eddb6e85bb18f5ddc262e9b69d8f4711678f1a7a8c32542cfc2bb26ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
718df8d679bbbb4d8914249e2d7e108c

SHA1
50c5f3913279ceb06bdcb9f7e29adda9a20c62c2

SHA256
4c5bbc448a1f7b29b1c0335d19edee1205504ccd51d202e615c2b95ca02d2824

SHA512
e9612cecfd0555b7f716c43b92d4a08fb5cb7057e39c49346ea180faef984c9b1dc67219ef05eebee8b4d3db3c044d188c31b75cdc5407ab5a5f14a96951ab31

Download Submit
C:\Users\Admin\AppData\Local\Temp\2618673320
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdobeSFX.log
Filesize
1KB

MD5
a2b4a025fbe45e3ff7890db121fb760c

SHA1
63d1c8205dba3686e0a57a5285c5c7d62bdb02ab

SHA256
06133893d848a694aa440c91f1a148792789853aadc510e95d5fa87aa8bc0438

SHA512
7eafef1bdecb7cf1ced26a51e1ed4974c7c4da58976d561da3a274fbf4032fa6beefdb54925eed03ac8f8b1f92d16290b3bc711c89871562f37081a668b43a6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\JavaDeployReg.log
Filesize
25KB

MD5
24a0bf1c9066f842051647fb31efc328

SHA1
1cf2dccba6f73f6aea0769a075210dbacde1cd0a

SHA256
32987205bd53a0092e762f9a13898a987a05c6f312fd714f77570bee287447dc

SHA512
a1ed9035bc5e2f915f3e429aa50fd868c7548ec3aba990baec733b32f8fb370f001360531fea86cebbc789cef283388f7b6f6658edf4e4e50886dc8fbdab8665

Download Submit
C:\Users\Admin\AppData\Local\Temp\Low
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft .NET Framework 4.7.2 Setup_20230621_063933552.html
Filesize
93KB

MD5
2df33b7a051652ebb510fb40663f9049

SHA1
06eb2b559ad0bc73416a58b36062410cdaf5a331

SHA256
be3bf81ffb3c965424dec196c7bb4f3b8d57a22e8788e8d81e38691afe835333

SHA512
9fdc6283a5a065858b8f515d054174050e56244ff3a4371161df120435f78d45f838e817c86a7cf7698d8efa57a97a1e11c1a3e0ee1524c8bff0cf6dc9023aca

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x64 Redistributable Setup_10.0.40219
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_10.0.40219
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\NMFRSYJN-20230621-0645.log
Filesize
56KB

MD5
3885774f37dcaca79f78861e3d9c391f

SHA1
2246a5447e9cb33b10880fd22a987912e0371f91

SHA256
9c31ece9f68b051e8ba8bce31a0c3ade25ae585e4b4d9b8364815e3d5ebe7f5c

SHA512
094e64ba1104e87efdcf9188e1be45832ce58a163bad9bce5ffc3aaafb4153aef64f7a465e3270527d2d8e49bc134b82e9eb7c95823d968cb4d172197d273aa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\NMFRSYJN-20230621-0645a.log
Filesize
185KB

MD5
b5f8a9d97e3b3de328b6458b083b586c

SHA1
a11a933a70cb1f35f05d686041b2b10bc5ec0ede

SHA256
fca2b80d40a4b6cb10f6d7ba98e71b0748177a570e9dcb05a376cf43b8d18353

SHA512
b8be7c15f709ba45d0221f71705d9090b2148c9dbd8c46870bdc5445e00babda070ba8dbd53d324c592671f0106fb3a4a63084d2f571166596740e1933918a25

Download Submit
C:\Users\Admin\AppData\Local\Temp\OneNote
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@Please_Read_Me@.txt
Filesize
933B

MD5
7e6b6da7c61fcb66f3f30166871def5b

SHA1
00f699cf9bbc0308f6e101283eca15a7c566d4f9

SHA256
4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e

SHA512
e5a56137f325904e0c7de1d0df38745f733652214f0cdb6ef173fa0743a334f95bed274df79469e270c9208e6bdc2e6251ef0cdd81af20fa1897929663e2c7d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@WanaDecryptor@.exe
Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\TaskData\Tor\tor.exe
Filesize
3.0MB

MD5
fe7eb54691ad6e6af77f8a9a0b6de26d

SHA1
53912d33bec3375153b7e4e68b78d66dab62671a

SHA256
e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb

SHA512
8ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\b.wnry
Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\c.wnry
Filesize
780B

MD5
93f33b83f1f263e2419006d6026e7bc1

SHA1
1a4b36c56430a56af2e0ecabd754bf00067ce488

SHA256
ef0ed0b717d1b956eb6c42ba1f4fd2283cf7c8416bed0afd1e8805ee0502f2b4

SHA512
45bdd1a9a3118ee4d3469ee65a7a8fdb0f9315ca417821db058028ffb0ed145209f975232a9e64aba1c02b9664c854232221eb041d09231c330ae510f638afac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_bulgarian.wnry
Filesize
46KB

MD5
95673b0f968c0f55b32204361940d184

SHA1
81e427d15a1a826b93e91c3d2fa65221c8ca9cff

SHA256
40b37e7b80cf678d7dd302aaf41b88135ade6ddf44d89bdba19cf171564444bd

SHA512
7601f1883edbb4150a9dc17084012323b3bfa66f6d19d3d0355cf82b6a1c9dce475d758da18b6d17a8b321bf6fca20915224dbaedcb3f4d16abfaf7a5fc21b92

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_chinese (simplified).wnry
Filesize
53KB

MD5
0252d45ca21c8e43c9742285c48e91ad

SHA1
5c14551d2736eef3a1c1970cc492206e531703c1

SHA256
845d0e178aeebd6c7e2a2e9697b2bf6cf02028c50c288b3ba88fe2918ea2834a

SHA512
1bfcf6c0e7c977d777f12bd20ac347630999c4d99bd706b40de7ff8f2f52e02560d68093142cc93722095657807a1480ce3fb6a2e000c488550548c497998755

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_chinese (traditional).wnry
Filesize
77KB

MD5
2efc3690d67cd073a9406a25005f7cea

SHA1
52c07f98870eabace6ec370b7eb562751e8067e9

SHA256
5c7f6ad1ec4bc2c8e2c9c126633215daba7de731ac8b12be10ca157417c97f3a

SHA512
0766c58e64d9cda5328e00b86f8482316e944aa2c26523a3c37289e22c34be4b70937033bebdb217f675e40db9fecdce0a0d516f9065a170e28286c2d218487c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_croatian.wnry
Filesize
38KB

MD5
17194003fa70ce477326ce2f6deeb270

SHA1
e325988f68d327743926ea317abb9882f347fa73

SHA256
3f33734b2d34cce83936ce99c3494cd845f1d2c02d7f6da31d42dfc1ca15a171

SHA512
dcf4ccf0b352a8b271827b3b8e181f7d6502ca0f8c9dda3dc6e53441bb4ae6e77b49c9c947cc3ede0bf323f09140a0c068a907f3c23ea2a8495d1ad96820051c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_czech.wnry
Filesize
39KB

MD5
537efeecdfa94cc421e58fd82a58ba9e

SHA1
3609456e16bc16ba447979f3aa69221290ec17d0

SHA256
5afa4753afa048c6d6c39327ce674f27f5f6e5d3f2a060b7a8aed61725481150

SHA512
e007786ffa09ccd5a24e5c6504c8de444929a2faaafad3712367c05615b7e1b0fbf7fbfff7028ed3f832ce226957390d8bf54308870e9ed597948a838da1137b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_danish.wnry
Filesize
36KB

MD5
2c5a3b81d5c4715b7bea01033367fcb5

SHA1
b548b45da8463e17199daafd34c23591f94e82cd

SHA256
a75bb44284b9db8d702692f84909a7e23f21141866adf3db888042e9109a1cb6

SHA512
490c5a892fac801b853c348477b1140755d4c53ca05726ac19d3649af4285c93523393a3667e209c71c80ac06ffd809f62dd69ae65012dcb00445d032f1277b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_dutch.wnry
Filesize
36KB

MD5
7a8d499407c6a647c03c4471a67eaad7

SHA1
d573b6ac8e7e04a05cbbd6b7f6a9842f371d343b

SHA256
2c95bef914da6c50d7bdedec601e589fbb4fda24c4863a7260f4f72bd025799c

SHA512
608ef3ff0a517fe1e70ff41aeb277821565c5a9bee5103aa5e45c68d4763fce507c2a34d810f4cd242d163181f8341d9a69e93fe32aded6fbc7f544c55743f12

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_english.wnry
Filesize
36KB

MD5
fe68c2dc0d2419b38f44d83f2fcf232e

SHA1
6c6e49949957215aa2f3dfb72207d249adf36283

SHA256
26fd072fda6e12f8c2d3292086ef0390785efa2c556e2a88bd4673102af703e5

SHA512
941fa0a1f6a5756ed54260994db6158a7ebeb9e18b5c8ca2f6530c579bc4455918df0b38c609f501ca466b3cc067b40e4b861ad6513373b483b36338ae20a810

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_filipino.wnry
Filesize
36KB

MD5
08b9e69b57e4c9b966664f8e1c27ab09

SHA1
2da1025bbbfb3cd308070765fc0893a48e5a85fa

SHA256
d8489f8c16318e524b45de8b35d7e2c3cd8ed4821c136f12f5ef3c9fc3321324

SHA512
966b5ed68be6b5ccd46e0de1fa868cfe5432d9bf82e1e2f6eb99b2aef3c92f88d96f4f4eec5e16381b9c6db80a68071e7124ca1474d664bdd77e1817ec600cb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_finnish.wnry
Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_finnish.wnry
Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_french.wnry
Filesize
37KB

MD5
4e57113a6bf6b88fdd32782a4a381274

SHA1
0fccbc91f0f94453d91670c6794f71348711061d

SHA256
9bd38110e6523547aed50617ddc77d0920d408faeed2b7a21ab163fda22177bc

SHA512
4f1918a12269c654d44e9d394bc209ef0bc32242be8833a2fba437b879125177e149f56f2fb0c302330dec328139b34982c04b3fefb045612b6cc9f83ec85aa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_german.wnry
Filesize
36KB

MD5
3d59bbb5553fe03a89f817819540f469

SHA1
26781d4b06ff704800b463d0f1fca3afd923a9fe

SHA256
2adc900fafa9938d85ce53cb793271f37af40cf499bcc454f44975db533f0b61

SHA512
95719ae80589f71209bb3cb953276538040e7111b994d757b0a24283aefe27aadbbe9eef3f1f823ce4cabc1090946d4a2a558607ac6cac6faca5971529b34dac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_greek.wnry
Filesize
47KB

MD5
fb4e8718fea95bb7479727fde80cb424

SHA1
1088c7653cba385fe994e9ae34a6595898f20aeb

SHA256
e13cc9b13aa5074dc45d50379eceb17ee39a0c2531ab617d93800fe236758ca9

SHA512
24db377af1569e4e2b2ebccec42564cea95a30f1ff43bcaf25a692f99567e027bcef4aacef008ec5f64ea2eef0c04be88d2b30bcadabb3919b5f45a6633940cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_indonesian.wnry
Filesize
36KB

MD5
3788f91c694dfc48e12417ce93356b0f

SHA1
eb3b87f7f654b604daf3484da9e02ca6c4ea98b7

SHA256
23e5e738aad10fb8ef89aa0285269aff728070080158fd3e7792fe9ed47c51f4

SHA512
b7dd9e6dc7c2d023ff958caf132f0544c76fae3b2d8e49753257676cc541735807b4befdf483bcae94c2dcde3c878c783b4a89dca0fecbc78f5bbf7c356f35cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_italian.wnry
Filesize
36KB

MD5
30a200f78498990095b36f574b6e8690

SHA1
c4b1b3c087bd12b063e98bca464cd05f3f7b7882

SHA256
49f2c739e7d9745c0834dc817a71bf6676ccc24a4c28dcddf8844093aab3df07

SHA512
c0da2aae82c397f6943a0a7b838f60eeef8f57192c5f498f2ecf05db824cfeb6d6ca830bf3715da7ee400aa8362bd64dc835298f3f0085ae7a744e6e6c690511

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_japanese.wnry
Filesize
79KB

MD5
b77e1221f7ecd0b5d696cb66cda1609e

SHA1
51eb7a254a33d05edf188ded653005dc82de8a46

SHA256
7e491e7b48d6e34f916624c1cda9f024e86fcbec56acda35e27fa99d530d017e

SHA512
f435fd67954787e6b87460db026759410fbd25b2f6ea758118749c113a50192446861a114358443a129be817020b50f21d27b1ebd3d22c7be62082e8b45223fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_korean.wnry
Filesize
89KB

MD5
6735cb43fe44832b061eeb3f5956b099

SHA1
d636daf64d524f81367ea92fdafa3726c909bee1

SHA256
552aa0f82f37c9601114974228d4fc54f7434fe3ae7a276ef1ae98a0f608f1d0

SHA512
60272801909dbba21578b22c49f6b0ba8cd0070f116476ff35b3ac8347b987790e4cc0334724244c4b13415a246e77a577230029e4561ae6f04a598c3f536c7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_latvian.wnry
Filesize
40KB

MD5
c33afb4ecc04ee1bcc6975bea49abe40

SHA1
fbea4f170507cde02b839527ef50b7ec74b4821f

SHA256
a0356696877f2d94d645ae2df6ce6b370bd5c0d6db3d36def44e714525de0536

SHA512
0d435f0836f61a5ff55b78c02fa47b191e5807a79d8a6e991f3115743df2141b3db42ba8bdad9ad259e12f5800828e9e72d7c94a6a5259312a447d669b03ec44

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_norwegian.wnry
Filesize
36KB

MD5
ff70cc7c00951084175d12128ce02399

SHA1
75ad3b1ad4fb14813882d88e952208c648f1fd18

SHA256
cb5da96b3dfcf4394713623dbf3831b2a0b8be63987f563e1c32edeb74cb6c3a

SHA512
f01df3256d49325e5ec49fd265aa3f176020c8ffec60eb1d828c75a3fa18ff8634e1de824d77dfdd833768acff1f547303104620c70066a2708654a07ef22e19

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_polish.wnry
Filesize
38KB

MD5
e79d7f2833a9c2e2553c7fe04a1b63f4

SHA1
3d9f56d2381b8fe16042aa7c4feb1b33f2baebff

SHA256
519ad66009a6c127400c6c09e079903223bd82ecc18ad71b8e5cd79f5f9c053e

SHA512
e0159c753491cac7606a7250f332e87bc6b14876bc7a1cf5625fa56ab4f09c485f7b231dd52e4ff0f5f3c29862afb1124c0efd0741613eb97a83cbe2668af5de

Download Submit
C:\Users\Admin\AppData\Local\Temp\acrocef_low
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\aria-debug-5056.log
Filesize
470B

MD5
12836edeec56a8f2fda8c8ca8bb325e0

SHA1
de54a11ae85d7e650bcb9b1797297bc34baececd

SHA256
1a0097a6b88e0811dbdbad8211fc89fa804f9d635c1ea5d056dd30488e506b5f

SHA512
b75f891873fd2cebae94d398a367b66d7880a0aba360629dc4d77c0f6b86704db7f3ed798723e7036267b86d289c06de77ed0532a18b172d66b554b7fb03337b

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
6KB

MD5
2c3e386567bdaef084fe40e325fbbc5c

SHA1
e71b4b47836ef8ba5cb1fa94b7dc205740750acc

SHA256
7f2927470cdb026262661c69f69a416e93f510c84b1bbb23781a6b82f0644648

SHA512
27f8953582bc1068cbcc25a246b1dad733ef1c8bbf50660611c053804370c026c9419da3546be4879ae5c4660fdc67848b68351cf7ee3bddcf4561708a17add9

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log.txt
Filesize
1KB

MD5
ae48214a6524a64dc343556860d54267

SHA1
32abbf9a4d9023fd1fb2b20b446d0c757a1a9f08

SHA256
06144717ce1f0bc576a969a4f6135bb9524aff5ae37173b8e91ffec6153f7a57

SHA512
0805e770154d7bec9a2dcc75cc70e98b5c3e08bad1ef389791d2e6b5ca14543ae092cdd741f0ce5de2818793fcc6f758d2a85cae94c7c9f78ba7b631cc8a2e2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI13DD.txt
Filesize
427KB

MD5
e3c12043b48d402acfc0b45b17e7536d

SHA1
383bacc9b504d90f627e6d4c5e937023ff605e39

SHA256
e5cd3a5366b7bc4dd278b84545b3e668ca8b1da3bda912a91cc3676a359e068f

SHA512
862c4246ce76b06f32e16596bf5fd32bf3eaac4500a20adf7467bbfb5bd396a05dabd4fdace3e86c01beb5df9dd7dfddce08c8df16df4907c8bce26b3c157df5

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI140B.txt
Filesize
415KB

MD5
9e9551d0b78b1e245ee9582b0aee316e

SHA1
4c1ae297d322e8513d2de457c22daefe68ff2ffe

SHA256
f07853241b006ffbef9d3e72cd913e40720abfa5ab8e1252a326b0cfe62f1433

SHA512
2d0800c179093b3d7feeef8941213bb358969cfcce458fd2831782939e3fe2c361c42968b9372712036999d7a13c45f67473a9b17bc096fa8eac81b1a80632a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI13DD.txt
Filesize
11KB

MD5
cf86c4fe056ec8d4368d29ff91269282

SHA1
dcfb938484b8fe640ca0ecb908b0b6b384063c40

SHA256
965c3aa31ac4e8d3619e198c4443868e61b27c35302cf72bae8d6b3c3a66193e

SHA512
490b55c34e9254471014bc72cf7772789e9bf3c665b77eb5de066bcba0689c067b9c4c315087fdff1874b579a08df678691fb82a4c08799b3040e48cee412c2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI140B.txt
Filesize
11KB

MD5
6424390a66837ef1b06d4d53bb7276d3

SHA1
c47bb210be9a51a18e4d45d1c64c4262bedd9ce0

SHA256
b9bf002059fec3aeadd14a2f4a835b4d6cb23acb5e8edcab589c3b59fc82397e

SHA512
2134b4855c4bf623023191c4c0477e4ee1c7eae513f6f0d21ea069da354e7ee120be1775922d9da97e7b5750078617f5dadaabbd60573096db07682b4a03bae1

Download Submit
C:\Users\Admin\AppData\Local\Temp\hsperfdata_Admin
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\jawshtml.html
Filesize
13B

MD5
b2a4bc176e9f29b0c439ef9a53a62a1a

SHA1
1ae520cbbf7e14af867232784194366b3d1c3f34

SHA256
7b4f72a40bd21934680f085afe8a30bf85acff1a8365af43102025c4ccf52b73

SHA512
e04b85d8d45d43479abbbe34f57265b64d1d325753ec3d2ecadb5f83fa5822b1d999b39571801ca39fa32e4a0a7caab073ccd003007e5b86dac7b1c892a5de3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log
Filesize
266KB

MD5
247a3b82640531fbc260124355aa1590

SHA1
632323bc0ef359c123ca1553eed34ccf51285ebf

SHA256
8c48cf3fb6d509f8cfaeb1df6a16045dbdc5253f4fbf2efd795f2a1ea11059eb

SHA512
38d826006b33502d8c25405b9c8098f6d899b9890e9195c001953f6c912d3034d1727a59d17772829d34cb36f9faecba88843824bebfcc84d1203720c9aba2a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\msedge_installer.log
Filesize
3KB

MD5
bc3c6ad42401570bd3cf114e467bd67d

SHA1
1d073649f1626d16dcd091d38f79e59a7cffaaf3

SHA256
29f3f19fb4e51fde249a186fc85f46b92ebd1371f165677f6ea80fb2fb55b99f

SHA512
549cfd0c2d6efba8b11893840984fece0c3f15ce669a321296c31cabb583c4d12b66def2a89e4cd0d079917cf191e4422cd52333dff9be220249e5b478d3a381

Download Submit
C:\Users\Admin\AppData\Local\Temp\sa.9NCBCSZSJRSB_0__.Public.InstallAgent.dat
Filesize
53KB

MD5
1194a72041d7e0ea20fb18520c85b682

SHA1
c92759b586f5728b3791b3355bb3fcf0d3c184ef

SHA256
056c9ac0af361f8861267b2641130f02f69fe35bc1326b1058719525cbac6876

SHA512
b8d8a0a04b15dee403eef91442929f1c0c6a08cccd1f05218ab93020989f64e592ada728a9145c78f7b7e4d103e0c651561a9f9496a978ce5033885427d8379f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEBE2.tmp
Filesize
25.9MB

MD5
bd2866356868563bd9d92d902cf9cc5a

SHA1
c677a0ad58ba694891ef33b54bb4f1fe4e7ce69b

SHA256
6676ba3d4bf3e5418865922b8ea8bddb31660f299dd3da8955f3f37961334ecb

SHA512
5eccf7be791fd76ee01aafc88300b2b1a0a0fb778f100cbc37504dfc2611d86bf3b4c5d663d2b87f17383ef09bd7710adbe4ece148ec12a8cfd2195542db6f27

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEE62.tmp
Filesize
25.9MB

MD5
bd2866356868563bd9d92d902cf9cc5a

SHA1
c677a0ad58ba694891ef33b54bb4f1fe4e7ce69b

SHA256
6676ba3d4bf3e5418865922b8ea8bddb31660f299dd3da8955f3f37961334ecb

SHA512
5eccf7be791fd76ee01aafc88300b2b1a0a0fb778f100cbc37504dfc2611d86bf3b4c5d663d2b87f17383ef09bd7710adbe4ece148ec12a8cfd2195542db6f27

Download Submit
C:\Users\Admin\AppData\Local\Temp\wct249A.tmp
Filesize
63KB

MD5
e516a60bc980095e8d156b1a99ab5eee

SHA1
238e243ffc12d4e012fd020c9822703109b987f6

SHA256
543796a1b343b4ebc0285d89cb8eb70667ac7b513da37495e38003704e9d88d7

SHA512
9b51e99ba20e9da56d1acc24a1cf9f9c9dbdeb742bec034e0ff2bc179a60f4aff249f40344f9ddd43229dcdefa1041940f65afb336d46c175ffeff725c638d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\wct65ED.tmp
Filesize
63KB

MD5
e516a60bc980095e8d156b1a99ab5eee

SHA1
238e243ffc12d4e012fd020c9822703109b987f6

SHA256
543796a1b343b4ebc0285d89cb8eb70667ac7b513da37495e38003704e9d88d7

SHA512
9b51e99ba20e9da56d1acc24a1cf9f9c9dbdeb742bec034e0ff2bc179a60f4aff249f40344f9ddd43229dcdefa1041940f65afb336d46c175ffeff725c638d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\wctC18A.tmp
Filesize
40.2MB

MD5
fb4aa59c92c9b3263eb07e07b91568b5

SHA1
6071a3e3c4338b90d892a8416b6a92fbfe25bb67

SHA256
e70e80dbbc9baba7ddcee70eda1bb8d0e6612dfb1d93827fe7b594a59f3b48b9

SHA512
60aabbe2fd24c04c33e7892eab64f24f8c335a0dd9822eb01adc5459e850769fc200078c5ccee96c1f2013173bc41f5a2023def3f5fe36e380963db034924ace

Download Submit
C:\Users\Admin\AppData\Local\Temp\wctC41.tmp
Filesize
63KB

MD5
e516a60bc980095e8d156b1a99ab5eee

SHA1
238e243ffc12d4e012fd020c9822703109b987f6

SHA256
543796a1b343b4ebc0285d89cb8eb70667ac7b513da37495e38003704e9d88d7

SHA512
9b51e99ba20e9da56d1acc24a1cf9f9c9dbdeb742bec034e0ff2bc179a60f4aff249f40344f9ddd43229dcdefa1041940f65afb336d46c175ffeff725c638d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\wctE913.tmp
Filesize
63KB

MD5
e516a60bc980095e8d156b1a99ab5eee

SHA1
238e243ffc12d4e012fd020c9822703109b987f6

SHA256
543796a1b343b4ebc0285d89cb8eb70667ac7b513da37495e38003704e9d88d7

SHA512
9b51e99ba20e9da56d1acc24a1cf9f9c9dbdeb742bec034e0ff2bc179a60f4aff249f40344f9ddd43229dcdefa1041940f65afb336d46c175ffeff725c638d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\wctFA6D.tmp
Filesize
63KB

MD5
e516a60bc980095e8d156b1a99ab5eee

SHA1
238e243ffc12d4e012fd020c9822703109b987f6

SHA256
543796a1b343b4ebc0285d89cb8eb70667ac7b513da37495e38003704e9d88d7

SHA512
9b51e99ba20e9da56d1acc24a1cf9f9c9dbdeb742bec034e0ff2bc179a60f4aff249f40344f9ddd43229dcdefa1041940f65afb336d46c175ffeff725c638d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log
Filesize
697B

MD5
7cf1f7e1275113618ad8702feb2fbdff

SHA1
b4b737411131cae19946803ff83e98cc5571cc72

SHA256
b5e6fab87fe8c71d2eb33d7cc55146a923e2f7a70e9b6dc6a0722d03a5a25631

SHA512
0d7fe86b5eed384cb73fdc6934463109cf44d548ca9171911d7f9c98d530c1aaf4a8a4b48ae9d2b5d521ef2f0197889865d6927a219b8c5dd4f66d508745773a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize
3KB

MD5
6fd899aa033babfc81af65db787998cc

SHA1
7be0dfa004142225518f00e14b126e00b71217f4

SHA256
7df6faa59c1ebb676ada7caa3c7c00775f33e1813a60f1ddcee9ecec37daf905

SHA512
618a124acb7b093ba260c51100ef5caebb965358c7ca9206eeef37d611ea8504268eebfe7250c227f09c07acdcfa751975c98e11a6a665bfc8e5735444a47ef1

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new
Filesize
11.7MB

MD5
e43e3aece03a7a9fbc10581005d54b29

SHA1
70758ed6a463ee92bf68db7869659b1fbd5b30fb

SHA256
b34f1574179aed35adbb86095148f3bdc41f0f54dc8791f537787d67d8b2d5cd

SHA512
1d551081a37314a5805aae84ff0f778e6a906a5253e87c1453727f0777c707ccce9ac30ccef885717282815492634c259780714825d98b32d5b10783268d26a5

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r.zip.crdownload
Filesize
3.3MB

MD5
e58fdd8b0ce47bcb8ffd89f4499d186d

SHA1
b7e2334ac6e1ad75e3744661bb590a2d1da98b03

SHA256
283f40e9d550833bec101a24fd6fd6fbd9937ed32a51392e818ffff662a1d30a

SHA512
95b6567b373efa6aec6a9bfd7af70ded86f8c72d3e8ba75f756024817815b830f54d18143b0be6de335dd0ca0afe722f88a4684663be5a84946bd30343d43a8c

Download Submit
C:\Users\Default\Desktop\@WanaDecryptor@.bmp
Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
\??\pipe\crashpad_1976_HTKLIAMJUKVNBKUT
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2164-378-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/4812-1794-0x00000000003A0000-0x000000000069E000-memory.dmp

Filesize
3.0MB

Download
memory/4812-1977-0x0000000073560000-0x000000007377C000-memory.dmp

Filesize
2.1MB

Download
memory/4812-1760-0x00000000003A0000-0x000000000069E000-memory.dmp

Filesize
3.0MB

Download
memory/4812-1759-0x0000000073810000-0x0000000073832000-memory.dmp

Filesize
136KB

Download
memory/4812-1758-0x0000000073780000-0x0000000073802000-memory.dmp

Filesize
520KB

Download
memory/4812-1757-0x0000000073560000-0x000000007377C000-memory.dmp

Filesize
2.1MB

Download
memory/4812-1756-0x0000000073840000-0x00000000738C2000-memory.dmp

Filesize
520KB

Download
memory/4812-1842-0x00000000003A0000-0x000000000069E000-memory.dmp

Filesize
3.0MB

Download
memory/4812-1809-0x0000000073560000-0x000000007377C000-memory.dmp

Filesize
2.1MB

Download
memory/4812-1805-0x00000000003A0000-0x000000000069E000-memory.dmp

Filesize
3.0MB

Download
memory/4812-1973-0x00000000003A0000-0x000000000069E000-memory.dmp

Filesize
3.0MB

Download
memory/4812-1846-0x0000000073560000-0x000000007377C000-memory.dmp

Filesize
2.1MB

Download
memory/4812-1798-0x0000000073560000-0x000000007377C000-memory.dmp

Filesize
2.1MB

Download
memory/4812-1786-0x00000000734E0000-0x0000000073557000-memory.dmp

Filesize
476KB

Download
memory/4812-1784-0x0000000073780000-0x0000000073802000-memory.dmp

Filesize
520KB

Download
memory/4812-1782-0x0000000073560000-0x000000007377C000-memory.dmp

Filesize
2.1MB

Download
memory/4812-1781-0x0000000073810000-0x0000000073832000-memory.dmp

Filesize
136KB

Download
memory/4812-1780-0x0000000073840000-0x00000000738C2000-memory.dmp

Filesize
520KB

Download
memory/4812-2162-0x00000000003A0000-0x000000000069E000-memory.dmp

Filesize
3.0MB

Download
memory/4812-2166-0x0000000073560000-0x000000007377C000-memory.dmp

Filesize
2.1MB

Download
memory/4812-1779-0x00000000738D0000-0x00000000738EC000-memory.dmp

Filesize
112KB

Download
memory/4812-1778-0x00000000003A0000-0x000000000069E000-memory.dmp

Filesize
3.0MB

Download