wannacry | hxxp://discord[.]com

Analysis

max time kernel
1799s
max time network
1752s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
16-04-2024 14:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://discord.com

Score

10^/10

wannacry discovery persistence ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94 Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Drops startup file 2 IoCs

Processes:

[email protected]

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD8F67.tmp	[email protected]
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD8F7E.tmp	[email protected]

Executes dropped EXE 64 IoCs

Processes:

taskdl.exe@[email protected]@[email protected]taskhsvc.exetaskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]@[email protected]taskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exe@[email protected]taskse.exe

pid	process
3388	taskdl.exe
3512	@[email protected]
3216	@[email protected]
2580	taskhsvc.exe
1844	taskdl.exe
3504	taskse.exe
3020	@[email protected]
4916	taskdl.exe
4172	taskse.exe
4992	@[email protected]
908	@[email protected]
344	taskse.exe
192	@[email protected]
3320	taskdl.exe
2884	taskse.exe
4860	@[email protected]
3184	taskdl.exe
4636	taskse.exe
4384	@[email protected]
8	taskdl.exe
2400	taskse.exe
2248	@[email protected]
748	taskdl.exe
4936	taskse.exe
2152	@[email protected]
1004	taskdl.exe
4920	taskse.exe
4420	@[email protected]
1448	taskdl.exe
4472	taskse.exe
1512	@[email protected]
4972	taskdl.exe
1008	taskse.exe
4624	@[email protected]
4224	taskdl.exe
2900	taskse.exe
4780	@[email protected]
4696	taskdl.exe
1684	taskse.exe
424	@[email protected]
4052	taskdl.exe
1936	taskse.exe
1660	@[email protected]
4272	taskdl.exe
660	taskse.exe
3488	@[email protected]
2248	taskdl.exe
4268	taskse.exe
3972	@[email protected]
4848	taskdl.exe
4112	taskse.exe
1020	@[email protected]
852	taskdl.exe
652	taskse.exe
4168	@[email protected]
4896	taskdl.exe
604	taskse.exe
688	@[email protected]
1416	taskdl.exe
2516	taskse.exe
2092	@[email protected]
2984	taskdl.exe
4484	@[email protected]
3608	taskse.exe

Loads dropped DLL 8 IoCs

Processes:

taskhsvc.exe

pid process

2580 taskhsvc.exe
2580 taskhsvc.exe
2580 taskhsvc.exe
2580 taskhsvc.exe
2580 taskhsvc.exe
2580 taskhsvc.exe
2580 taskhsvc.exe
2580 taskhsvc.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

1444 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2580	taskhsvc.exe
2580	taskhsvc.exe
2580	taskhsvc.exe
2580	taskhsvc.exe
2580	taskhsvc.exe
2580	taskhsvc.exe
2580	taskhsvc.exe
2580	taskhsvc.exe

pid	process
1444	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qyrzxkvzsxw219 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Temp1_WannaCrypt0r.zip\\tasksche.exe\""	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service
T1102

Processes:

flow ioc

2 discord.com
7 discord.com
252 camo.githubusercontent.com
253 raw.githubusercontent.com
254 raw.githubusercontent.com

flow	ioc
2	discord.com
7	discord.com
252	camo.githubusercontent.com
253	raw.githubusercontent.com
254	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

[email protected]@[email protected]

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

344 vssadmin.exe

pid	process
344	vssadmin.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133577496825579825"	chrome.exe

Modifies registry class 1 IoCs

Processes:

chrome.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings chrome.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

4340 reg.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

vlc.exe

pid process

3768 vlc.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings	chrome.exe

pid	process
4340	reg.exe

pid	process
3768	vlc.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

chrome.exechrome.exetaskhsvc.exe

pid	process
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
4348	chrome.exe
4348	chrome.exe
2580	taskhsvc.exe
2580	taskhsvc.exe
2580	taskhsvc.exe
2580	taskhsvc.exe
2580	taskhsvc.exe
2580	taskhsvc.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

@[email protected]vlc.exe

pid process

3020 @[email protected]
3768 vlc.exe

pid	process
3020	@[email protected]
3768	vlc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

Processes:

chrome.exe

pid	process
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeCreatePagefilePrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeCreatePagefilePrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeCreatePagefilePrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeCreatePagefilePrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeCreatePagefilePrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeCreatePagefilePrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeCreatePagefilePrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeCreatePagefilePrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeCreatePagefilePrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeCreatePagefilePrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeCreatePagefilePrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeCreatePagefilePrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeCreatePagefilePrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeCreatePagefilePrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeCreatePagefilePrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeCreatePagefilePrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeCreatePagefilePrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeCreatePagefilePrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeCreatePagefilePrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeCreatePagefilePrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeCreatePagefilePrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeCreatePagefilePrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeCreatePagefilePrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeCreatePagefilePrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeCreatePagefilePrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeCreatePagefilePrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeCreatePagefilePrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeCreatePagefilePrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeCreatePagefilePrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeCreatePagefilePrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeCreatePagefilePrivilege	2584	chrome.exe
Token: SeShutdownPrivilege	2584	chrome.exe
Token: SeCreatePagefilePrivilege	2584	chrome.exe

Suspicious use of FindShellTrayWindow 38 IoCs

Processes:

chrome.exe7zG.exevlc.exe

pid	process
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
1640	7zG.exe
3768	vlc.exe
3768	vlc.exe
3768	vlc.exe
3768	vlc.exe

Suspicious use of SendNotifyMessage 27 IoCs

Processes:

chrome.exevlc.exe

pid	process
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
2584	chrome.exe
3768	vlc.exe
3768	vlc.exe
3768	vlc.exe

Suspicious use of SetWindowsHookEx 50 IoCs

Processes:

pid	process
3512	@[email protected]
3512	@[email protected]
3216	@[email protected]
3216	@[email protected]
3020	@[email protected]
3020	@[email protected]
4992	@[email protected]
908	@[email protected]
192	@[email protected]
3768	vlc.exe
4860	@[email protected]
4384	@[email protected]
2248	@[email protected]
2152	@[email protected]
4420	@[email protected]
1512	@[email protected]
4624	@[email protected]
4780	@[email protected]
424	@[email protected]
1660	@[email protected]
3488	@[email protected]
3972	@[email protected]
1020	@[email protected]
4168	@[email protected]
688	@[email protected]
2092	@[email protected]
4484	@[email protected]
4208	@[email protected]
3308	@[email protected]
2868	@[email protected]
3524	@[email protected]
4000	@[email protected]
4452	@[email protected]
1360	@[email protected]
2156	@[email protected]
960	@[email protected]
3340	@[email protected]
3504	@[email protected]
1436	@[email protected]
4340	@[email protected]
4384	@[email protected]
4344	@[email protected]
4372	@[email protected]
1344	@[email protected]
2204	@[email protected]
1256	@[email protected]
4772	@[email protected]
4748	@[email protected]
1192	@[email protected]
3176	@[email protected]

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 2584 wrote to memory of 3832	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 3832	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 4536	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 4536	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 4536	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 4536	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 4536	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 4536	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 4536	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 4536	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 4536	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 4536	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 4536	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 4536	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 4536	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 4536	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 4536	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 4536	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 4536	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 4536	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 4536	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 4536	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 4536	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 4536	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 4536	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 4536	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 4536	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 4536	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 4536	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 4536	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 4536	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 4536	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 4536	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 4536	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 4536	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 4536	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 4536	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 4536	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 4536	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 4536	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 4540	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 4540	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 5032	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 5032	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 5032	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 5032	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 5032	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 5032	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 5032	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 5032	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 5032	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 5032	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 5032	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 5032	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 5032	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 5032	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 5032	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 5032	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 5032	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 5032	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 5032	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 5032	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 5032	2584	chrome.exe	chrome.exe
PID 2584 wrote to memory of 5032	2584	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Views/modifies file attributes 1 TTPs 3 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exeattrib.exe

pid process

4392 attrib.exe
4548 attrib.exe
2652 attrib.exe

pid	process
4392	attrib.exe
4548	attrib.exe
2652	attrib.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://discord.com
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2584

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffd30309758,0x7ffd30309768,0x7ffd30309778
2⤵
PID:3832

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1608 --field-trial-handle=1784,i,5958235386987825399,2830063736163281532,131072 /prefetch:2
2⤵
PID:4536

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1828 --field-trial-handle=1784,i,5958235386987825399,2830063736163281532,131072 /prefetch:8
2⤵
PID:4540

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2076 --field-trial-handle=1784,i,5958235386987825399,2830063736163281532,131072 /prefetch:8
2⤵
PID:5032

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2616 --field-trial-handle=1784,i,5958235386987825399,2830063736163281532,131072 /prefetch:1
2⤵
PID:5072

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2624 --field-trial-handle=1784,i,5958235386987825399,2830063736163281532,131072 /prefetch:1
2⤵
PID:3464

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4392 --field-trial-handle=1784,i,5958235386987825399,2830063736163281532,131072 /prefetch:1
2⤵
PID:3128

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4556 --field-trial-handle=1784,i,5958235386987825399,2830063736163281532,131072 /prefetch:8
2⤵
PID:3192

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3052 --field-trial-handle=1784,i,5958235386987825399,2830063736163281532,131072 /prefetch:8
2⤵
PID:2356

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=2988 --field-trial-handle=1784,i,5958235386987825399,2830063736163281532,131072 /prefetch:8
2⤵
PID:3140

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5244 --field-trial-handle=1784,i,5958235386987825399,2830063736163281532,131072 /prefetch:8
2⤵
PID:1824

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5388 --field-trial-handle=1784,i,5958235386987825399,2830063736163281532,131072 /prefetch:8
2⤵
PID:4980

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3060 --field-trial-handle=1784,i,5958235386987825399,2830063736163281532,131072 /prefetch:8
2⤵
PID:4864

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5432 --field-trial-handle=1784,i,5958235386987825399,2830063736163281532,131072 /prefetch:8
2⤵
PID:520

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=5148 --field-trial-handle=1784,i,5958235386987825399,2830063736163281532,131072 /prefetch:1
2⤵
PID:748

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5512 --field-trial-handle=1784,i,5958235386987825399,2830063736163281532,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4348

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=5480 --field-trial-handle=1784,i,5958235386987825399,2830063736163281532,131072 /prefetch:1
2⤵
PID:3740

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=988 --field-trial-handle=1784,i,5958235386987825399,2830063736163281532,131072 /prefetch:1
2⤵
PID:3580

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=1488 --field-trial-handle=1784,i,5958235386987825399,2830063736163281532,131072 /prefetch:1
2⤵
PID:2320

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=5628 --field-trial-handle=1784,i,5958235386987825399,2830063736163281532,131072 /prefetch:1
2⤵
PID:1064

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5148 --field-trial-handle=1784,i,5958235386987825399,2830063736163281532,131072 /prefetch:8
2⤵
PID:1512

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5536 --field-trial-handle=1784,i,5958235386987825399,2830063736163281532,131072 /prefetch:8
2⤵
PID:2840

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=2976 --field-trial-handle=1784,i,5958235386987825399,2830063736163281532,131072 /prefetch:1
2⤵
PID:3060

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=5372 --field-trial-handle=1784,i,5958235386987825399,2830063736163281532,131072 /prefetch:1
2⤵
PID:2888

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=6136 --field-trial-handle=1784,i,5958235386987825399,2830063736163281532,131072 /prefetch:1
2⤵
PID:4664

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=5868 --field-trial-handle=1784,i,5958235386987825399,2830063736163281532,131072 /prefetch:1
2⤵
PID:2580

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --mojo-platform-channel-handle=3028 --field-trial-handle=1784,i,5958235386987825399,2830063736163281532,131072 /prefetch:1
2⤵
PID:4504

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --mojo-platform-channel-handle=5600 --field-trial-handle=1784,i,5958235386987825399,2830063736163281532,131072 /prefetch:1
2⤵
PID:1276

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=880 --field-trial-handle=1784,i,5958235386987825399,2830063736163281532,131072 /prefetch:8
2⤵
PID:3292

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5512 --field-trial-handle=1784,i,5958235386987825399,2830063736163281532,131072 /prefetch:8
2⤵
PID:4108

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6076 --field-trial-handle=1784,i,5958235386987825399,2830063736163281532,131072 /prefetch:8
2⤵
PID:3768

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1336

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1132

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\WannaCrypt0r\" -spe -an -ai#7zMap28900:86:7zEvent11267
1⤵
- Suspicious use of FindShellTrayWindow
PID:1640

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\[email protected]
"C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\[email protected]"
1⤵
- Drops startup file
- Sets desktop wallpaper using registry
PID:4260

C:\Windows\SysWOW64\attrib.exe
attrib +h .
2⤵
- Views/modifies file attributes
PID:4392

C:\Windows\SysWOW64\icacls.exe
icacls . /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:1444

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:3388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 319341713276540.bat
2⤵
PID:2900

C:\Windows\SysWOW64\cscript.exe
cscript.exe //nologo m.vbs
3⤵
PID:3612

C:\Windows\SysWOW64\attrib.exe
attrib +h +s F:\$RECYCLE
2⤵
- Views/modifies file attributes
PID:4548

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
@[email protected] co
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3512

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\TaskData\Tor\taskhsvc.exe
TaskData\Tor\taskhsvc.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2580

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /b @[email protected] vs
2⤵
PID:1288

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
@[email protected] vs
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3216

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
4⤵
PID:4896

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
5⤵
- Interacts with shadow copies
PID:344

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
5⤵
PID:4980

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:1844

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
2⤵
- Executes dropped EXE
PID:3504

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3020

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "qyrzxkvzsxw219" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\tasksche.exe\"" /f
2⤵
PID:3500

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "qyrzxkvzsxw219" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\tasksche.exe\"" /f
3⤵
- Adds Run key to start application
- Modifies registry key
PID:4340

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:4916

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
2⤵
- Executes dropped EXE
PID:4172

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4992

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
2⤵
- Executes dropped EXE
PID:344

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:192

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:3320

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
2⤵
- Executes dropped EXE
PID:2884

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4860

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:3184

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
2⤵
- Executes dropped EXE
PID:4636

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4384

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:8

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
2⤵
- Executes dropped EXE
PID:2400

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2248

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:748

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
2⤵
- Executes dropped EXE
PID:4936

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2152

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:1004

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
2⤵
- Executes dropped EXE
PID:4920

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4420

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:1448

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
2⤵
- Executes dropped EXE
PID:4472

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1512

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:4972

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
2⤵
- Executes dropped EXE
PID:1008

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4624

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:4224

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
2⤵
- Executes dropped EXE
PID:2900

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4780

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:4696

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
2⤵
- Executes dropped EXE
PID:1684

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:424

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:4052

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
2⤵
- Executes dropped EXE
PID:1936

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1660

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:4272

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
2⤵
- Executes dropped EXE
PID:660

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3488

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:2248

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
2⤵
- Executes dropped EXE
PID:4268

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3972

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:4848

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
2⤵
- Executes dropped EXE
PID:4112

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1020

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:852

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
2⤵
- Executes dropped EXE
PID:652

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4168

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:4896

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
2⤵
- Executes dropped EXE
PID:604

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:688

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:1416

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
2⤵
- Executes dropped EXE
PID:2516

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2092

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:2984

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
2⤵
- Executes dropped EXE
PID:3608

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4484

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
taskdl.exe
2⤵
PID:4964

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
2⤵
PID:1436

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
@[email protected]
2⤵
- Suspicious use of SetWindowsHookEx
PID:4208

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
taskdl.exe
2⤵
PID:2088

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
2⤵
PID:4684

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
@[email protected]
2⤵
- Suspicious use of SetWindowsHookEx
PID:3308

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
taskdl.exe
2⤵
PID:1844

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
2⤵
PID:2060

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
@[email protected]
2⤵
- Suspicious use of SetWindowsHookEx
PID:2868

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
taskdl.exe
2⤵
PID:5020

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
2⤵
PID:1460

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
@[email protected]
2⤵
- Suspicious use of SetWindowsHookEx
PID:3524

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
taskdl.exe
2⤵
PID:2312

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
2⤵
PID:2700

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
@[email protected]
2⤵
- Suspicious use of SetWindowsHookEx
PID:4000

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
taskdl.exe
2⤵
PID:404

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
2⤵
PID:5072

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
@[email protected]
2⤵
- Suspicious use of SetWindowsHookEx
PID:4452

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
taskdl.exe
2⤵
PID:1356

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
2⤵
PID:852

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
@[email protected]
2⤵
- Suspicious use of SetWindowsHookEx
PID:1360

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
taskdl.exe
2⤵
PID:4348

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
2⤵
PID:2204

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
@[email protected]
2⤵
- Suspicious use of SetWindowsHookEx
PID:2156

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
taskdl.exe
2⤵
PID:4404

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
2⤵
PID:2280

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
@[email protected]
2⤵
- Suspicious use of SetWindowsHookEx
PID:960

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
taskdl.exe
2⤵
PID:2288

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
2⤵
PID:3536

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
@[email protected]
2⤵
- Suspicious use of SetWindowsHookEx
PID:3340

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
taskdl.exe
2⤵
PID:2148

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
2⤵
PID:1680

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
@[email protected]
2⤵
- Suspicious use of SetWindowsHookEx
PID:3504

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
taskdl.exe
2⤵
PID:4232

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
2⤵
PID:3780

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
@[email protected]
2⤵
- Suspicious use of SetWindowsHookEx
PID:1436

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
taskdl.exe
2⤵
PID:2956

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
2⤵
PID:4108

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
@[email protected]
2⤵
- Suspicious use of SetWindowsHookEx
PID:4340

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
taskdl.exe
2⤵
PID:2080

C:\Windows\SysWOW64\attrib.exe
attrib +h +s F:\$RECYCLE
2⤵
- Views/modifies file attributes
PID:2652

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
2⤵
PID:1660

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
@[email protected]
2⤵
- Suspicious use of SetWindowsHookEx
PID:4384

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
taskdl.exe
2⤵
PID:4272

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
2⤵
PID:1376

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
@[email protected]
2⤵
- Suspicious use of SetWindowsHookEx
PID:4344

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
taskdl.exe
2⤵
PID:1944

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
2⤵
PID:4000

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
@[email protected]
2⤵
PID:2208

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
taskdl.exe
2⤵
PID:908

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
2⤵
PID:2752

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
@[email protected]
2⤵
- Suspicious use of SetWindowsHookEx
PID:4372

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
taskdl.exe
2⤵
PID:2176

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
2⤵
PID:4420

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
@[email protected]
2⤵
- Suspicious use of SetWindowsHookEx
PID:1344

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
taskdl.exe
2⤵
PID:1120

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
2⤵
PID:4168

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
@[email protected]
2⤵
- Suspicious use of SetWindowsHookEx
PID:2204

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
taskdl.exe
2⤵
PID:512

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
2⤵
PID:960

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
@[email protected]
2⤵
- Suspicious use of SetWindowsHookEx
PID:1256

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
taskdl.exe
2⤵
PID:2624

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
2⤵
PID:1896

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
@[email protected]
2⤵
- Suspicious use of SetWindowsHookEx
PID:4772

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
taskdl.exe
2⤵
PID:1768

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
2⤵
PID:1932

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
@[email protected]
2⤵
- Suspicious use of SetWindowsHookEx
PID:4748

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
taskdl.exe
2⤵
PID:1632

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
2⤵
PID:2408

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
@[email protected]
2⤵
- Suspicious use of SetWindowsHookEx
PID:1192

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
taskdl.exe
2⤵
PID:4228

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
2⤵
PID:4216

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
@[email protected]
2⤵
- Suspicious use of SetWindowsHookEx
PID:3176

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
taskdl.exe
2⤵
PID:4664

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:3060

C:\Users\Public\Desktop\@[email protected]
"C:\Users\Public\Desktop\@[email protected]"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:908

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\@[email protected]
Filesize
1KB

MD5
4e3b437159f34650161e14b12b6aba95

SHA1
68dca8e9403becf641a36861f567369dfcb77b1e

SHA256
9f8618fa7de00893a284097727427ceec1efde77d0afcf09ca02a4a95f0cb1d5

SHA512
cbc5ddef3e62ba5add3b93d766bc9d137c3402507443dfb7c238b762b895ea936327cd6369d897561657cc1a8dd8fb01af7a57eaa06ba885ca7bcdfedc7b38b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000027
Filesize
106KB

MD5
c32068cc5af65c3041ba5d1169c21877

SHA1
4916b1ecb06fc8dae881723edce23c15f992c425

SHA256
d2236b94ac1e28588be6609b6320fd429146a70e97f37e2a4d70410cb15990ff

SHA512
f6ee1f788ea0ab74538c9661df557b9f1f81465f098a9021d73703a7fb5fa81e849b89ce6a4af8377972b3a39179860483eed32cf7277c414aa96b48344ce3e3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000028
Filesize
223KB

MD5
9e63218a7213df6f50e75938acc317d2

SHA1
2c50a8828ea42fd73c7fd9cee8beecfe6a42a9af

SHA256
501845a1f485d68741b5f5e99afe73580e7dc1457c9b4ebcacb8f236e0a18a54

SHA512
1476a7bd334c00ac23c38f1895ec32b6f07f3376928316c543f97b07ea83b9d2e56944cb53b241f3e41a7a675c913dcc8de29c8098ca68fea035ec16f5a1377e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00004c
Filesize
323KB

MD5
b5a61a18872e3218fa2db9bc7c80de4c

SHA1
09944d5c8e6a9ff314da8be811c0abedaaee89f6

SHA256
f26872c0e61c513d44b3715056b4143186a831d87fffb649eaae7e18a0bba2ba

SHA512
622808e51c04ba2451da02adeb99639a73c5e58053e56544b9e086796ba49dba4aa54dbc6d3e603007866a098c4b9baf2e759698952efe28c8d2b3dba4f542f8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00004d
Filesize
136KB

MD5
74023dd7e1298f9499eabad99575e738

SHA1
405f3833ea55b5cc863701d051268d5ad6e08758

SHA256
638a642107e49e51181c89cabc191ec70dfda7416a73b45e6cdcc02d972f3dad

SHA512
e8732d5bcf5b530e57b572e6a15ce00ac4302cc0a5410c1851128b05e5cb1e6635f7aa6d7a9ff8d0792cdee4faeb2c6fd5f1c2c66074070990b21de64b366b50

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\temp-index
Filesize
2KB

MD5
be00a3fa1b0e10586405ddd49f21205e

SHA1
1801499e0226da995da99b2adcdd58ea0d134161

SHA256
b991c7a66c9e082fffba7097eedffa41a0242c7013653753a5f496e84a25eb11

SHA512
b66445103f0820ad4dedede0c1c9de8e6173952274c83771a5c3e9b42256caed57d0876d0cca014ec0d99fa189f731798c82ae58cb83e7cbdb6dadb2024260b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
c2db3a1b5bbf422b35bebb729a6eda71

SHA1
5f53b4bd41340379cda7e5d41f22ab06c4258ef9

SHA256
19dccc83e704572d1211a5391c052981d5c4f98d61df3cf8e053709a34a59652

SHA512
e2c8e605cc516e6d725a71a918edce182e19b2887f378e44c60ebf6ff5bc527486eed444fc6aa3a931b896631a229013c026cf5ac41c96f43feddac79ffe8632

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
e8a41601213e72813413bf96159653dc

SHA1
631fb708eb6ecb85a52833ad3f4f8acf372f9325

SHA256
017958d10a45ee85a598945b1c3ed7c9a85cb83a4c09fba9d2ea1087b2f21835

SHA512
cb924e8cfa230f409fa66c6f45d4b6de3225b3a0bb26db32d151ad5591e535b922cb626e71ea8c7ca2a50360aa6513d085f16e2eda0a12311aff6868a5827090

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
447acab003583a629e9d22faaa92df6d

SHA1
304008572a1c366648a6e4744a82491622b30117

SHA256
1b0af4a2a18d69670befe93848350ab00510250eb464dd31b59a274ac1587db7

SHA512
ab177fb1f7b7ca74c3414c683591a14db2493f20815797d19ad9b5d2d1200218e458ed8689482a61455f6ab1aca76bb36d8e0e49cc12d486e5b61ab474837f5d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
5KB

MD5
d958936f4b58b4f4e5c9334cb3b332b9

SHA1
56a408b786b3b7ac3fcb5bd4ffc228d49c5e188f

SHA256
c13e0a2f795b322845457a39691cce68b18b35bb68a72e91e1b78a67ef605a0d

SHA512
6ed2dfc96f4ef3ae619ec4872c0a7731580d2706b20f760fba462b7dffeb9c07c6cbe36383b107b1fb9b115394cf1d2264053332f60982369ea7bb9c22effdd3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
4KB

MD5
b12d8e885ba5baa4c94cd43b1278c40a

SHA1
538a873a9475af98c98ebdc854ade6ce1ac92f6e

SHA256
09d21f6c04536924e643917c4dbffc20d0b06011cb9d4893feec9886ab703da1

SHA512
c6d7f24564ae0044cbb6cab18d7050dc59353c8b5044da7d320cd6b3b635975f77140a5fc9d1296f199063ccd552c74a4a76399a76379e36660394b2849f171f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
2KB

MD5
ff2d20039bffe4160154ad2df6a390d6

SHA1
ed7a242805ca9267a4c1e2a848b4223926f11a90

SHA256
d4859914d495a826a3e12c1c4e928ce2d3d2b6f42156d0fa8961776a6da66ea5

SHA512
e3869871b545eca765aeb4e4422a5d6a79543a5c44b5d46e415ec76f5a1efaf328cb951ea6ba210a8f4f951ffb9713ffaad5dfff035abe0f4a3c9b1d46dd1f86

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
6d5346088dcdceaf59f7376a9b4cdd0d

SHA1
6ef4c232f41f3cece84c76a89bbc1dd9c1de0b69

SHA256
329a3da418419aaff33999a70505b0255832d0c72b2bda1b41a0469049234848

SHA512
28676b7084fc322cdc9ea11f1516b59c1b9c72d48cc29757dd501ff75d162476e9e296cc76dd31a06bbc16d16d744cb1b9fc1b6e8a9b9abc8e5a0b3403214537

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\MANIFEST-000001
Filesize
23B

MD5
3fd11ff447c1ee23538dc4d9724427a3

SHA1
1335e6f71cc4e3cf7025233523b4760f8893e9c9

SHA256
720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed

SHA512
10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
3KB

MD5
2df7aa9a201448747f672c679971941e

SHA1
2d919fd6376cdcad199b24debf6ade8fe3720979

SHA256
2479ee063045dc0a4e091d1b84d7e59b964b9647f2e58653b5a68b419625f8b0

SHA512
7aeef0af075f0138e895d706e66c8743c59d63610acdde45c64895bfac53e4d849bdf38abb626efecfdf3ed212e6a05dde77ec9772172295dd1ccd62734d54e3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
5KB

MD5
b1c4d8b2ef7487704f24a749e04c873f

SHA1
6ce5e5164670140797f64e71d336c49f77b8d7e2

SHA256
ef1690a9b5f66e3e548124b8958fc101bd3b1c4d733782ca0997218bf2f23ed1

SHA512
2f42d2361cd835a02ed8da471283280c41acf194fc5c76ef5d49281e79963760d25da5f6e50d9bc0485d0d1ebb7daab245f82d59bc55940e3ff25e8db4db63fa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
4KB

MD5
6281d536053fffb25d185aff7d0aa4a2

SHA1
5f8d8cef7a99e1f48691f8c42ddb4a9362e71e7f

SHA256
e6a2fcd3525c7e2990b8cada9ca93713adc34c401b6e54d6769a7753b104d247

SHA512
7bb83ade8461687c6935beac7e9ea45a391fb2c5967cd24682b9ca3c1a9858d6295feed828b9262954de1679e1e4c6ada292489db472a8f97c86ea1b20ac20c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
8KB

MD5
1b5e00d2ded2f112fda298a73826017a

SHA1
bb6dbf9774e92a638501153977f112c00c8c8f47

SHA256
2b7d982f370ec3bea76f5ad98e578867c8588c26df0cedecb44ce47224332ae2

SHA512
cf88ac4df6cbe96675f8b6eee2634ab01479d3590037deba5dd3011d39b0fbbaa920e86762c44d718d30bd69b33f2d7a208a5bd716229ff2b583810c21457a80

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
7KB

MD5
05cc76b60ea641f6ef7a437401cd336f

SHA1
773d5f23c06d6fc0d1bf056399d6153424297bd2

SHA256
a93b333516ed19d8a828b2bd394fd63cd9306b1513b13e4ebc1498d2a87116ce

SHA512
8625601a0ae70b6e8bcea80343448aa1952b991c80dc4d3de17f0cae7fc09de098575cf72e7500b1f51abc00c4feb20e2283ac0de3b0a122fd9d72c6e4db5a3b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
4KB

MD5
be5a39b2201f6772424cef0570262539

SHA1
47af8f6767d93d18cedc5f8bcd8b61f42f20c04a

SHA256
c31341eb83225c3e360cc4ff07987f842b9a6f3cdcee11bf8033f5a8fc2c9196

SHA512
5cc04432f0ec9292b3dba007762edf06d216be5767c59e0f0fb4cfaa5c3288c9bef55403db0b72e436c4382b3fc2dc92d3280266d752c56f7aceec03ca9c44be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
ed99a4ed78323daa363f5c567b86a4c3

SHA1
a148dcb5df6840087bfa5d53da53e8eef112e1a0

SHA256
e34a41a2fb22d61e79ca8e018d4584dd66b97f4f0dbcca1c41fba34e60632000

SHA512
a482a25887767166f822b3efd3d5a73bb729ed52a5958a61e75a4b4e0ce02d10a7fe181d6ad50221453352fc3314ba57ed540bd3f5aa9c44ec17d2010d6ff128

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
75808f87b40bc213ff1fdfbd86db9f15

SHA1
263ac0d1d3f6171a62eb6bc06ee5ad8c7454c4e0

SHA256
2d82e2707cd058167cffc4ea1a9f5a27c282a5ff19567a65323f1477c367a4d5

SHA512
95ac56aa0a2d63d3c89b86a62cfdc39e415a9c7364d7a03e835fe4d7f202da7cd8774d56538f66df6008423309ba1d645c19708d64112a2db754b57e61ae3586

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
1241d1fc444ae2c9dfbf4316418f9605

SHA1
427ef41cb03d64f5e5ddecb049df2e39e313fba5

SHA256
7df266e17016e5d9faf1cdf995fa12370c5a6de698e457a23829112b8ece7303

SHA512
9723523466c641143cd9b517d490ba1a50c73a03d3c1a01b6d8d4d63d927ef15a17dcf3e802561a4a2216136a65d1835833f6cc8d6949a45486c136696c36295

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
012fe8144de33fdcba854040f001e227

SHA1
085ee16a2c1e3af5701c9ffbcf4fee24f9ba331a

SHA256
2819e2a76f4a32ab6298a25a06cf9cb3f7dd5657d8362ec1cf62f469e6b88a3e

SHA512
c001625bf0df6ceafe0460115227186f4ac79519771c58d519100cb5e86fb2ff1f4d1f6ae5be9594ca8cb2050f64bd38be78a9c0cb770c2e8a65600ddd75134f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
2KB

MD5
f3fac6ae6d96ecadea52f66ed8638fa3

SHA1
c57b350012a8ddd92ee588f5a72acd706235d44e

SHA256
4284c7d6528526a66cafac24eefa040fd73e5aadf35cd2c5a56102bea9d9df01

SHA512
b0a9c8b1e384d5f334973230f7c2e0e68dc5ae01813a4cdd56deacfa2fd017506918f29581faf7f9ab003bb91a604e63bb3ae4d08af573d561d6a38ef2e4a760

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
2KB

MD5
969dc8cc928d5ab1a3c4009ea1318e72

SHA1
c12b6efaaf3ebe8715a34d28e885000b9c829709

SHA256
39968c64d835c9431cc217b441e35f8400566b2d721637aba51529caeef465ce

SHA512
126210803eefc00303d82b4d4d851c186ab4353e34fda6d1b90ae6e53f2000b532e635950085c07da229739a86f9e4ea5f99c1db9f4e3913c43317c57b0e137b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
2KB

MD5
ee3012f1949d2c5a4b5dff073ac404b8

SHA1
1fc8e71d88b977acaf3900e312d9e47de3c0505c

SHA256
e2c76b3a2d99bb1fe6409b2ca137e03283438ce792925bc05004715a218fe05d

SHA512
275608fca77454152d61d649e4e39935b6473f11bb2f086914d985394ddc08d6bb3ac42103d692e5a26ef5710991cb89047ea5f8f67f7692a557e5f425a6b0d7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
3KB

MD5
b95b395b96933f4c83c1f928d25d57eb

SHA1
e884e44569a748b7dff593eff9a9cd05300d43a4

SHA256
9a47d3e46638bb4820d8f3520f7a1e7e21a30642428ca3de08f698eaa7c87200

SHA512
ec56847265d17ad3b461ab5af28b1a1de225fcd7e0d7f2f270fca882a03ba8a161ec0896c352188be1c1e2da5883686094fe00f96e2c618ed176fe224578371d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
3KB

MD5
bda98b5ddda54680574815b24c548dbb

SHA1
9fe71e2426acc0215579030804247fd265dc286c

SHA256
9e5b541efd4142caa61c601cc06fdadce6d9a44d5eeedcc804eda67622b06d8a

SHA512
4bc2434cc678d38a378826af2f87984369396dbc9c6e42bb97d8223dc368eab3923e7a8c18f4a1195e85c51b9368577a3073471abecb8929fdc71470452be977

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
2KB

MD5
993d37d8fb7f345868e05c724c8e5d97

SHA1
7218807081479e7e150e65f741f73e10948546cb

SHA256
3ff058aef280fad2e1dc41d1f4f5553c90e91637697e819bed66c16073392260

SHA512
4e09596979d6b947f7990a5b7f3726a664c0d3ba614ba1f2d7f82595fc0b660f99c739c422f5545e6d5ea8bdd30c106dd2a3d71c84875365ae8b7270b7541034

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
2KB

MD5
94d2f9e3496671d12a464d0428e83b0a

SHA1
25feb4b7f103faddf54d9b472ccc703721516e22

SHA256
e743126cc3e69a96c23b015f88322a28b30a145f59ee10c459abbe7b0715d986

SHA512
4e740501be893b095992821f9ef879e244bb4fd20115867000919d02c4c7b7c798f2aa1c20549293bace02641dd12b4eca4e2b58f67909016a365658b5a9689d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
2KB

MD5
96289a67c267b1aa37b055df8130d542

SHA1
e0983402065e9a35c662233065ef780d74c9ec33

SHA256
7c85124385aa6c560903a643ffb79f4a66858bddf138e7fa4358da5efdff9bd2

SHA512
7749da947e2505f684165a9818bb99f2759aaf0d1fbb97428b1f4ceeabea0bd26f461bcd0b3b0a3b955ad735ca92894e0ac6b2f11c238979ac546ec99cc544d7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
2KB

MD5
71136ef15b1e5316254550d788fe8bea

SHA1
0cea61ce5f2b60c747250a18d78815e8ac250af0

SHA256
02ca19b1d39608d4b3b06b3a29601c4b5c6e14ded362a1702611753756317da6

SHA512
d27ea0e4f59ce766e1fb513665bcd883acf2551b1702a84f086a52ac8616608126949e22429d76fd311317ab38dd9b6227aa389012f0879c36fe794272ee866d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
ff66d5e295969fedec687a1eb2dd1625

SHA1
3ae0bc8ea3404921d5a3054919e5454d5ba337e2

SHA256
46410df4dfde5049fa3311902b7fd9181898790b62b5c5cd94baae472b9cb964

SHA512
215bc6fe2762fc717cd37299b2a22532484497eb1432699fc875659a06e95a1b3b75fcd7c8062844a282796ba15b02306e8113ce28c589ecaeeb516e335aa318

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
2KB

MD5
9710bf0504aec1a62c356adf78bcf147

SHA1
37a9051c1df38e1133db5cb576a151a80b8379c4

SHA256
c703582f71740c3b78474d2ba5c4cf6aa5b38c33d324f6e5d10a23f21dd6f065

SHA512
deb53ca768c63043c82a883521dc945f01c16c714f781a833755d3d0acfd2cc0fd558f27c5aa7cfc00bfe0a75ec18c506e4593b3d177185dd0f45e1d0539914a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
2KB

MD5
3feb6621affd0bd15c80e19f5dee2a81

SHA1
a60d6c6713625d684331fc917f03c9797eb7f410

SHA256
250b7ee766141811668e9ee35c6be441187fc7a983e5afd93a7da7bf08558c97

SHA512
118db121d9d0baf2bf358aeaf8d2d53a3e6fb6f9334968776c1c72dc8c4eb93437b8a9f90f5724322ad65ef158f9a585480a923452a94f0830b7768f82694401

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
2KB

MD5
23d76ddca1df7e591ebca45cbc8f692d

SHA1
baacd3be4a3bca04ddd6b7e3ff3d92769a4cf0ea

SHA256
8997a942eaefaf2cb936b8e4c81b875835212edcdc31a7e4d3c7bc5527d5a2a1

SHA512
e47adaa9fefb0244e4e58d2be6c9ef0d9df0d1bb842358de41ab7089309ff7c28057c4aac0caff879f274fb345917c45d8cded75fc403e155178acfc08c5d3b7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
2KB

MD5
5a9a34ab55e6f0d8e1f2c8fd7185aae0

SHA1
851afc4c51dae762e017e0f7c2ef91160094eec6

SHA256
0ae33044e8b76681eb4e0753bee0f0488c523780445a22acf2513d2b9e08a92a

SHA512
bd940e9a04ff26c934aa3fe03ca678d01fdf2d421ae8547e39c96703f22d5b6313bd4433f45cf672ce942928264fc44746a1f5b8cd7a54bf40e71a0fda0ee5a1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
406c13af534e4a49f46b4967e8767522

SHA1
a0bfef2a62ac9bfffb15e1bf84758606dbd56417

SHA256
3f2dbf0fe3698192d43cb30077099a3864cd75352d067eae607682873564d9a7

SHA512
d683e30a864f265846ad82285d676e7656a8693ffc993fbf44f872c937029da6e961dbdcd8826fc2d3b24dd6bda844ca9dd168de18c221d4565392e2d15b7925

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
3KB

MD5
34be0f329c77abbfdd0a4826f973e315

SHA1
ba9026c4a34a75f50b7a006d84664bdd9df42ee8

SHA256
f36a5770f8eae0a81949590152069cd20f960e9774c22a3df2671371d0e591de

SHA512
640f19dab22d5d1d5b544467404aaf453e07e455128445b4d55ced52c266a7180408047b49f3862f9afe3350e1720b5c927ddc6f5236de7190ab04d16ffc6a76

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
2KB

MD5
4e16dfa99ec2f6206d39ba3802728804

SHA1
0f11cc9664a25d2e3c3dde431946e92d70a86b43

SHA256
d8852b00e13c621f2fbc4ba4cdf96ebb0bafe55333177258600e0099a4b89c03

SHA512
110254e255e7ccf8d07fad89c7864dc473be96c754267953ba0db2432860c23664ea42ae0cb016004dc529cc3671a7db6f526fba004bbcb49522bc41cbbbc31e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
3KB

MD5
9a6c0b4495c1af982c93c93775a0ed10

SHA1
dc7e83e2e3e19ee6f21a8d1e43b453f156323373

SHA256
aa52c1d58b0a830641b9c785b564692f23049d1dfdeb6777c813e168d4ee895b

SHA512
5cc2ef9203a5c2bbb6db8409a83b332f8ad8633753e874c57b48554c67da24d8ce9fea3f05d929e7432d610478c0b8c62b5d8784308500ddd394c6cb7fcff527

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
2KB

MD5
de2705309777f2d25efbf468d07e4c8b

SHA1
22e419e99212833f86a2ed39b6045ac376594cba

SHA256
5ad1d99009b93a77f9f60304761430490da264e2216ecc01a2b02c1dea9e21f8

SHA512
0a5140890079eb204852f6357f35eafa9441ebbde4b10fd3cf510894098a76647923072ad5596b023435bf7d75540858a1ea81647f2979ca9b66f5fa024722fb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
8KB

MD5
904e426450eb679cfcf97585a1adbc74

SHA1
e12e141b20de76a2e74ff049b99d441ba7219d7f

SHA256
793672ebeaffe20e83ea88a5437c00d554364a556873c5ffd1f0502d775396a1

SHA512
c828ea0aa40b8116f1be395c4d524bbf254a6e29628e6d8fa16a0c2307842be6334c90d38ab7b8e91b4fbe7857d58f107d2b0e49ccd354a930bf7d421ea53ce6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
963f92fb1c4ef4289110a128264a7438

SHA1
6ff1d441cca6785cdf34c602a295f5a7fa80b2b3

SHA256
a566168c31dd5afb24fba17dccf7fb159bcd2f177d1ac2dfac6c0daab571df74

SHA512
3973167ede50f4df936eee4f1d72759462c6c053970a907248547e71cbbe895f13b785eed72fe5c76766f4bcff9d05f6b32f200f4c8e16ea37bea8ac452e9c43

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
b283c17a3fa4846aa2c2d8904611dec9

SHA1
798756c2b6fbe8c9213de706bf8168d13c43ab91

SHA256
f5bcc0c09fe4801dacba1a6b12b6c806958a7d5203397177f78aad5687f32675

SHA512
82ee1db0af7d5728db1dd82b9f6242cb27ec06fc63c619a9502a178c51102cce8654a7a69fbfb332de21baec511951e012cfe6edefc71fc8ff4fe7f618ffb2ec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
1ce56d450f646496eb89689c33fbc547

SHA1
1c77d078d384dd1bc7bd6a2720741ca62c872131

SHA256
414515c91cdc19f3f6d01e61695221ba4195dfc46a8fee1a592400ecf929fe6b

SHA512
48200418fd050709ceb5d541b8ee067afc919c704f03b94d7cc62c87e525e0ed7c5079350a2fc1d39addc37f811c8a83074a727a3dbbaf188991fd12ac1bf78f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
8KB

MD5
1bf2d765c11e66402d4630f49e45a9ec

SHA1
14e9080b829c656485ebc9aa9ac4e0f207a675d3

SHA256
e5f00748c2f576ea7bd3c245376761ddf9bdd50a20a2a6d207cb254e5f15d674

SHA512
57422d7f00541e6d2211d1358f65fdcd77bd23f524fb1394dfb2aa9d0703bd9a76884726e0dd4873a5cd601fe806f5390bd3aea4baaaa8ce6cecf79b36875954

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
45bfc4d273e1bb10d46f8550d9228de6

SHA1
0652524a42ba3381bea8124b83e58f03d3366a21

SHA256
b0a41995c0c034c1cd591101f0de7988fc9757aac261c99530cf190234a0b1fc

SHA512
8ab0b1db6fc151e37e29d6b79f8d2566403dd905f0162ed57d4423f4ee3db538d07a72ded2da9ec95065a316c5d5a9cd0ecee97ff4614e3279f50f5f1b921845

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
03a18c74d26a9930639c7511263287aa

SHA1
18d74bba68f1feac631ceb49d0f8faca6b2b49d1

SHA256
f0f2800349689123f4c105f89661317e51c90822d77f72318983a58558ca234b

SHA512
2c72e2295b0262d1d2dc3f970552163ff8d37c625f841384c7302d7c0f65b8757e227280d9441d6a42c684284c706f5c5b7eeba8504567dc724f32abdd386f96

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
f77089dbc8f37c9d60f0ee353de0b7aa

SHA1
f2dbe88544874270ba8281e537f0804970a178d8

SHA256
4861430e17d6cde65a0b9a1345cb0f05f555f1b361bebcde892d4bab2e746b99

SHA512
3e910a1d863b6f20f9d4d356f20e5569e4ce840f8cdc2b71bdf9ecd1cb225dc206517f574fe86696d842804a676a23c229c3c57e847a0a0db67c02862bf4cc59

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
7dbbe851a9b6de1c0b53578f74873c5a

SHA1
3a3d943f744328d2bfbc78139817b7d18fb9bea7

SHA256
e65f8135294f30280142d4ed56dadc63dc6a575c06a16915958d5d1999509025

SHA512
ec658eadeee32a3736e9df1ecc5348c1cb9e07818651ae3443d7b03dff00db615dd8a2d0998bf2d349e2dca802b8d8ae49efc1064cb8d9f6e2cb19fdd5dd7e8a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
e2595b1515b39924d0a78572f9194b1b

SHA1
52dbc6ca79226ee2f5783bf995a21989a2980163

SHA256
55d775211f06bd51e69993785f8164caaca859699c429421ea55e026ff96f15b

SHA512
d98e8e86ff306f5cd6fd780ad87438787c68367100fe836abc6cbbb8ec9a0edd9fe7c91b09c5fc3cd3cd305cd60485acca952696764734eda502469bf3531059

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
8KB

MD5
1965011dce49b130da455b62bf846881

SHA1
f87bb2a39be688c75b6ba8824ab63b784530ebab

SHA256
b5af3c536d7fe667a6d24f49fe7702f4167e9b3939a3f05f8127aee325d457f3

SHA512
e5b22c14524b77ac52e3167f1d6fb1759318a5c602d3553169afa27cac91757e9d5f6fc74db8d5bbb29ec9c45be7b5cee6208eaf95b8bae581cfd7acaf86711a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
56fc60abd67ba6051c56f2f586cbc896

SHA1
a46b602f4d2785896e1a29383ae99c5e8461a428

SHA256
f022f61dc3c0e925c0ca54973f3457ca10722c8ab4a07ef4548c80f5cd3d8ed9

SHA512
93ec9b05ef182957da5f56126444e7179050e3ca14e9a86b83b59240cc246f0915868d2db6b7bde18467f9488410e5cc21f35637fe88500b244a4442d12199bd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
56B

MD5
ae1bccd6831ebfe5ad03b482ee266e4f

SHA1
01f4179f48f1af383b275d7ee338dd160b6f558a

SHA256
1b11047e738f76c94c9d15ee981ec46b286a54def1a7852ca1ade7f908988649

SHA512
baf7ff6747f30e542c254f46a9678b9dbf42312933962c391b79eca6fcb615e4ba9283c00f554d6021e594f18c087899bc9b5362c41c0d6f862bba7fb9f83038

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt
Filesize
120B

MD5
c9ef4ba1810d8956d61763754fcb0342

SHA1
b62cfcb2a7f164ff81a4b536673187645a9ff66c

SHA256
af6f055dff9f0f152baecbb8eabacd5d9cad76d6a5d3bd12c04a4b9e9c37c4bb

SHA512
9923db276f5994cac5b34d3354727ceeac52e9f3607cf05a95ca02928d89d1c79d940a1143c752fa269184c99c6a58ef42758b1a098e633d0f82bf446fd9d592

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe5b98d1.TMP
Filesize
120B

MD5
a687b783ef4577d51527d8d8fcc829a4

SHA1
7b9ea7e5147d022e62b2ee3513b879a954d60435

SHA256
dcec9a5a9bbd971b949f52ebc906a3a466f93dfa5218d2a2772e8597789a71ba

SHA512
a4426927913dc327d6dbd7a2bf67162437ccaec2b3391dfecb0a0f5551bfbc7aaeeddddff279ef355a8d006e7f037ad66a810f020709bdc0b0da536b09c0a0b7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
138KB

MD5
08f38b4eaeac499421414a6a9010610e

SHA1
9fcb7d5393bdb93dd554cac0eda02642ee67a65b

SHA256
7cca420e8e19e286fc5891fdbd09c839554db5fcdd6030b000cd3a8ccbfcd072

SHA512
4b253eb58e5a39a5eff2ac8a3012275ecca5572782e2a71a484c8ece71b438351bb778eb346546e91286890cde0a0eaff4ad14ed132a58f923b9e66db4365854

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
138KB

MD5
38ed0b163426e9866dd6240145d01500

SHA1
53bec9f39a23598d5375c9fda862c06017baf363

SHA256
dd0409ec638386b1be34912d553c4da7ffe88e655d812592b4f5b6bb5d867811

SHA512
8822f3f6a567f8dc8c1032741009cdeebe52651dd0f98090d6a65febe2af3fbdaca9d92beb2b914f31068169de4d7b91abe07a8c215bda3beeb8adf652b6c7d1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
137KB

MD5
2f3ce51d085110ce07825f8d4519d4d4

SHA1
aae29ccaa051747ffff0413684cb01ee48345851

SHA256
e42853cc532eea828fa56a8546c26582cb29d779122fc81e82026a87110aaeb6

SHA512
3e20f42df382700d562de9269972bfe3da4dc92ff5f89c927e6f6c93a84fba6feebf5bfbeebbe48f8ff582b7da4d35ac363d75c818b4ca40bb4dc7f0abb14f62

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
157KB

MD5
f8971da44d2f124dc5adced154700b1b

SHA1
84b27b30343d8112e46697ba34f75477b81e7308

SHA256
44d5a907a1f75fb48e480cc8a3e370d60eec12f28abfef228e0995567b6fc70f

SHA512
0deb2a8e0645791e49586fbbcd4a117adb046f6ee67a3a33fa22e9acde2f4cf7cb56a9330e47e56e22766c0e2d47f9ae8d864ad3c7132f19bf8328c6237f258b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
138KB

MD5
5c200f29d42f1e147153357438b3cb57

SHA1
00a29ca5bc5655916bd1b1eba04548f45c26de8e

SHA256
a44c6575cb485bd41d3623270d11d2d8589e10512245535b760581b42e630b63

SHA512
94d8853454e057a2f7d120eed5b8078971cbfdfa42ccb2c3a34a9e24b654343d1919b309e8b4d380b5506bb0b964d2f75b18166abece3f85a9348dabf311b1e5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
112KB

MD5
5a683995459b86f64e4a6576decc574a

SHA1
568d168ff9c05a0f75a74518d0ca1fcfce2ceda3

SHA256
9038cedd718532bb9e2e1325ae3ed0f62a022246b5c0f7416d73bd69bd72069c

SHA512
a529c673494e95a2a2746b5edee310dbe942fc131c0b1ad185b9663902d80260d17a8ff63865c41102813b57488dbc602f9361a434a18c148151563124136433

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
101KB

MD5
7ff6d40ea74605a45ed056bf9a1411cf

SHA1
fa2a788c56a26ea60d3266045c7f1c03b3a6c14e

SHA256
764f0c63fe768373dcf41bc588f13e17875dee79ba82d7d4d99910d25bacc542

SHA512
52972c2929cca4d5cee9fdbf1d25d0473c14b379ef3e00b01875b63661820bd05477a58bb4d239acba14ebb9f3c98b0cb44c8e5a56405d91844c899e10dce152

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe581299.TMP
Filesize
99KB

MD5
f2c24be8ed4dd9bf444f309e370c8473

SHA1
998fd8a58156b73fc2671064318077af1c60deb4

SHA256
1a8113a1972c49cb45776ef5b8e252092f413b1ad3f4ff8a3e94be134950c885

SHA512
947e237fef4ddc0a5c9aee64be0dd1134f37fecd4896bb3ba7f28549c80f526f07838875da6071f955f12b91fe2c037c1aa1fedaa8488e3ee83cdd5fb0a73b7e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
Filesize
933B

MD5
7e6b6da7c61fcb66f3f30166871def5b

SHA1
00f699cf9bbc0308f6e101283eca15a7c566d4f9

SHA256
4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e

SHA512
e5a56137f325904e0c7de1d0df38745f733652214f0cdb6ef173fa0743a334f95bed274df79469e270c9208e6bdc2e6251ef0cdd81af20fa1897929663e2c7d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\TaskData\Tor\tor.exe
Filesize
3.0MB

MD5
fe7eb54691ad6e6af77f8a9a0b6de26d

SHA1
53912d33bec3375153b7e4e68b78d66dab62671a

SHA256
e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb

SHA512
8ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\b.wnry
Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\c.wnry
Filesize
780B

MD5
93f33b83f1f263e2419006d6026e7bc1

SHA1
1a4b36c56430a56af2e0ecabd754bf00067ce488

SHA256
ef0ed0b717d1b956eb6c42ba1f4fd2283cf7c8416bed0afd1e8805ee0502f2b4

SHA512
45bdd1a9a3118ee4d3469ee65a7a8fdb0f9315ca417821db058028ffb0ed145209f975232a9e64aba1c02b9664c854232221eb041d09231c330ae510f638afac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_bulgarian.wnry
Filesize
46KB

MD5
95673b0f968c0f55b32204361940d184

SHA1
81e427d15a1a826b93e91c3d2fa65221c8ca9cff

SHA256
40b37e7b80cf678d7dd302aaf41b88135ade6ddf44d89bdba19cf171564444bd

SHA512
7601f1883edbb4150a9dc17084012323b3bfa66f6d19d3d0355cf82b6a1c9dce475d758da18b6d17a8b321bf6fca20915224dbaedcb3f4d16abfaf7a5fc21b92

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_chinese (simplified).wnry
Filesize
53KB

MD5
0252d45ca21c8e43c9742285c48e91ad

SHA1
5c14551d2736eef3a1c1970cc492206e531703c1

SHA256
845d0e178aeebd6c7e2a2e9697b2bf6cf02028c50c288b3ba88fe2918ea2834a

SHA512
1bfcf6c0e7c977d777f12bd20ac347630999c4d99bd706b40de7ff8f2f52e02560d68093142cc93722095657807a1480ce3fb6a2e000c488550548c497998755

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_chinese (traditional).wnry
Filesize
77KB

MD5
2efc3690d67cd073a9406a25005f7cea

SHA1
52c07f98870eabace6ec370b7eb562751e8067e9

SHA256
5c7f6ad1ec4bc2c8e2c9c126633215daba7de731ac8b12be10ca157417c97f3a

SHA512
0766c58e64d9cda5328e00b86f8482316e944aa2c26523a3c37289e22c34be4b70937033bebdb217f675e40db9fecdce0a0d516f9065a170e28286c2d218487c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_croatian.wnry
Filesize
38KB

MD5
17194003fa70ce477326ce2f6deeb270

SHA1
e325988f68d327743926ea317abb9882f347fa73

SHA256
3f33734b2d34cce83936ce99c3494cd845f1d2c02d7f6da31d42dfc1ca15a171

SHA512
dcf4ccf0b352a8b271827b3b8e181f7d6502ca0f8c9dda3dc6e53441bb4ae6e77b49c9c947cc3ede0bf323f09140a0c068a907f3c23ea2a8495d1ad96820051c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_czech.wnry
Filesize
39KB

MD5
537efeecdfa94cc421e58fd82a58ba9e

SHA1
3609456e16bc16ba447979f3aa69221290ec17d0

SHA256
5afa4753afa048c6d6c39327ce674f27f5f6e5d3f2a060b7a8aed61725481150

SHA512
e007786ffa09ccd5a24e5c6504c8de444929a2faaafad3712367c05615b7e1b0fbf7fbfff7028ed3f832ce226957390d8bf54308870e9ed597948a838da1137b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_danish.wnry
Filesize
36KB

MD5
2c5a3b81d5c4715b7bea01033367fcb5

SHA1
b548b45da8463e17199daafd34c23591f94e82cd

SHA256
a75bb44284b9db8d702692f84909a7e23f21141866adf3db888042e9109a1cb6

SHA512
490c5a892fac801b853c348477b1140755d4c53ca05726ac19d3649af4285c93523393a3667e209c71c80ac06ffd809f62dd69ae65012dcb00445d032f1277b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_dutch.wnry
Filesize
36KB

MD5
7a8d499407c6a647c03c4471a67eaad7

SHA1
d573b6ac8e7e04a05cbbd6b7f6a9842f371d343b

SHA256
2c95bef914da6c50d7bdedec601e589fbb4fda24c4863a7260f4f72bd025799c

SHA512
608ef3ff0a517fe1e70ff41aeb277821565c5a9bee5103aa5e45c68d4763fce507c2a34d810f4cd242d163181f8341d9a69e93fe32aded6fbc7f544c55743f12

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_english.wnry
Filesize
36KB

MD5
fe68c2dc0d2419b38f44d83f2fcf232e

SHA1
6c6e49949957215aa2f3dfb72207d249adf36283

SHA256
26fd072fda6e12f8c2d3292086ef0390785efa2c556e2a88bd4673102af703e5

SHA512
941fa0a1f6a5756ed54260994db6158a7ebeb9e18b5c8ca2f6530c579bc4455918df0b38c609f501ca466b3cc067b40e4b861ad6513373b483b36338ae20a810

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_filipino.wnry
Filesize
36KB

MD5
08b9e69b57e4c9b966664f8e1c27ab09

SHA1
2da1025bbbfb3cd308070765fc0893a48e5a85fa

SHA256
d8489f8c16318e524b45de8b35d7e2c3cd8ed4821c136f12f5ef3c9fc3321324

SHA512
966b5ed68be6b5ccd46e0de1fa868cfe5432d9bf82e1e2f6eb99b2aef3c92f88d96f4f4eec5e16381b9c6db80a68071e7124ca1474d664bdd77e1817ec600cb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_finnish.wnry
Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_french.wnry
Filesize
37KB

MD5
4e57113a6bf6b88fdd32782a4a381274

SHA1
0fccbc91f0f94453d91670c6794f71348711061d

SHA256
9bd38110e6523547aed50617ddc77d0920d408faeed2b7a21ab163fda22177bc

SHA512
4f1918a12269c654d44e9d394bc209ef0bc32242be8833a2fba437b879125177e149f56f2fb0c302330dec328139b34982c04b3fefb045612b6cc9f83ec85aa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_german.wnry
Filesize
36KB

MD5
3d59bbb5553fe03a89f817819540f469

SHA1
26781d4b06ff704800b463d0f1fca3afd923a9fe

SHA256
2adc900fafa9938d85ce53cb793271f37af40cf499bcc454f44975db533f0b61

SHA512
95719ae80589f71209bb3cb953276538040e7111b994d757b0a24283aefe27aadbbe9eef3f1f823ce4cabc1090946d4a2a558607ac6cac6faca5971529b34dac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_greek.wnry
Filesize
47KB

MD5
fb4e8718fea95bb7479727fde80cb424

SHA1
1088c7653cba385fe994e9ae34a6595898f20aeb

SHA256
e13cc9b13aa5074dc45d50379eceb17ee39a0c2531ab617d93800fe236758ca9

SHA512
24db377af1569e4e2b2ebccec42564cea95a30f1ff43bcaf25a692f99567e027bcef4aacef008ec5f64ea2eef0c04be88d2b30bcadabb3919b5f45a6633940cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_indonesian.wnry
Filesize
36KB

MD5
3788f91c694dfc48e12417ce93356b0f

SHA1
eb3b87f7f654b604daf3484da9e02ca6c4ea98b7

SHA256
23e5e738aad10fb8ef89aa0285269aff728070080158fd3e7792fe9ed47c51f4

SHA512
b7dd9e6dc7c2d023ff958caf132f0544c76fae3b2d8e49753257676cc541735807b4befdf483bcae94c2dcde3c878c783b4a89dca0fecbc78f5bbf7c356f35cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_italian.wnry
Filesize
36KB

MD5
30a200f78498990095b36f574b6e8690

SHA1
c4b1b3c087bd12b063e98bca464cd05f3f7b7882

SHA256
49f2c739e7d9745c0834dc817a71bf6676ccc24a4c28dcddf8844093aab3df07

SHA512
c0da2aae82c397f6943a0a7b838f60eeef8f57192c5f498f2ecf05db824cfeb6d6ca830bf3715da7ee400aa8362bd64dc835298f3f0085ae7a744e6e6c690511

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_japanese.wnry
Filesize
79KB

MD5
b77e1221f7ecd0b5d696cb66cda1609e

SHA1
51eb7a254a33d05edf188ded653005dc82de8a46

SHA256
7e491e7b48d6e34f916624c1cda9f024e86fcbec56acda35e27fa99d530d017e

SHA512
f435fd67954787e6b87460db026759410fbd25b2f6ea758118749c113a50192446861a114358443a129be817020b50f21d27b1ebd3d22c7be62082e8b45223fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_korean.wnry
Filesize
89KB

MD5
6735cb43fe44832b061eeb3f5956b099

SHA1
d636daf64d524f81367ea92fdafa3726c909bee1

SHA256
552aa0f82f37c9601114974228d4fc54f7434fe3ae7a276ef1ae98a0f608f1d0

SHA512
60272801909dbba21578b22c49f6b0ba8cd0070f116476ff35b3ac8347b987790e4cc0334724244c4b13415a246e77a577230029e4561ae6f04a598c3f536c7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_latvian.wnry
Filesize
40KB

MD5
c33afb4ecc04ee1bcc6975bea49abe40

SHA1
fbea4f170507cde02b839527ef50b7ec74b4821f

SHA256
a0356696877f2d94d645ae2df6ce6b370bd5c0d6db3d36def44e714525de0536

SHA512
0d435f0836f61a5ff55b78c02fa47b191e5807a79d8a6e991f3115743df2141b3db42ba8bdad9ad259e12f5800828e9e72d7c94a6a5259312a447d669b03ec44

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_norwegian.wnry
Filesize
36KB

MD5
ff70cc7c00951084175d12128ce02399

SHA1
75ad3b1ad4fb14813882d88e952208c648f1fd18

SHA256
cb5da96b3dfcf4394713623dbf3831b2a0b8be63987f563e1c32edeb74cb6c3a

SHA512
f01df3256d49325e5ec49fd265aa3f176020c8ffec60eb1d828c75a3fa18ff8634e1de824d77dfdd833768acff1f547303104620c70066a2708654a07ef22e19

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_polish.wnry
Filesize
38KB

MD5
e79d7f2833a9c2e2553c7fe04a1b63f4

SHA1
3d9f56d2381b8fe16042aa7c4feb1b33f2baebff

SHA256
519ad66009a6c127400c6c09e079903223bd82ecc18ad71b8e5cd79f5f9c053e

SHA512
e0159c753491cac7606a7250f332e87bc6b14876bc7a1cf5625fa56ab4f09c485f7b231dd52e4ff0f5f3c29862afb1124c0efd0741613eb97a83cbe2668af5de

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_portuguese.wnry
Filesize
37KB

MD5
fa948f7d8dfb21ceddd6794f2d56b44f

SHA1
ca915fbe020caa88dd776d89632d7866f660fc7a

SHA256
bd9f4b3aedf4f81f37ec0a028aabcb0e9a900e6b4de04e9271c8db81432e2a66

SHA512
0d211bfb0ae953081dca00cd07f8c908c174fd6c47a8001fadc614203f0e55d9fbb7fa9b87c735d57101341ab36af443918ee00737ed4c19ace0a2b85497f41a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_romanian.wnry
Filesize
50KB

MD5
313e0ececd24f4fa1504118a11bc7986

SHA1
e1b9ae804c7fb1d27f39db18dc0647bb04e75e9d

SHA256
70c0f32ed379ae899e5ac975e20bbbacd295cf7cd50c36174d2602420c770ac1

SHA512
c7500363c61baf8b77fce796d750f8f5e6886ff0a10f81c3240ea3ad4e5f101b597490dea8ab6bd9193457d35d8fd579fce1b88a1c8d85ebe96c66d909630730

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_russian.wnry
Filesize
46KB

MD5
452615db2336d60af7e2057481e4cab5

SHA1
442e31f6556b3d7de6eb85fbac3d2957b7f5eac6

SHA256
02932052fafe97e6acaaf9f391738a3a826f5434b1a013abbfa7a6c1ade1e078

SHA512
7613dc329abe7a3f32164c9a6b660f209a84b774ab9c008bf6503c76255b30ea9a743a6dc49a8de8df0bcb9aea5a33f7408ba27848d9562583ff51991910911f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_slovak.wnry
Filesize
40KB

MD5
c911aba4ab1da6c28cf86338ab2ab6cc

SHA1
fee0fd58b8efe76077620d8abc7500dbfef7c5b0

SHA256
e64178e339c8e10eac17a236a67b892d0447eb67b1dcd149763dad6fd9f72729

SHA512
3491ed285a091a123a1a6d61aafbb8d5621ccc9e045a237a2f9c2cf6049e7420eb96ef30fdcea856b50454436e2ec468770f8d585752d73fafd676c4ef5e800a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_spanish.wnry
Filesize
36KB

MD5
8d61648d34cba8ae9d1e2a219019add1

SHA1
2091e42fc17a0cc2f235650f7aad87abf8ba22c2

SHA256
72f20024b2f69b45a1391f0a6474e9f6349625ce329f5444aec7401fe31f8de1

SHA512
68489c33ba89edfe2e3aebaacf8ef848d2ea88dcbef9609c258662605e02d12cfa4ffdc1d266fc5878488e296d2848b2cb0bbd45f1e86ef959bab6162d284079

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_swedish.wnry
Filesize
37KB

MD5
c7a19984eb9f37198652eaf2fd1ee25c

SHA1
06eafed025cf8c4d76966bf382ab0c5e1bd6a0ae

SHA256
146f61db72297c9c0facffd560487f8d6a2846ecec92ecc7db19c8d618dbc3a4

SHA512
43dd159f9c2eac147cbff1dda83f6a83dd0c59d2d7acac35ba8b407a04ec9a1110a6a8737535d060d100ede1cb75078cf742c383948c9d4037ef459d150f6020

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_turkish.wnry
Filesize
41KB

MD5
531ba6b1a5460fc9446946f91cc8c94b

SHA1
cc56978681bd546fd82d87926b5d9905c92a5803

SHA256
6db650836d64350bbde2ab324407b8e474fc041098c41ecac6fd77d632a36415

SHA512
ef25c3cf4343df85954114f59933c7cc8107266c8bcac3b5ea7718eb74dbee8ca8a02da39057e6ef26b64f1dfccd720dd3bf473f5ae340ba56941e87d6b796c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_vietnamese.wnry
Filesize
91KB

MD5
8419be28a0dcec3f55823620922b00fa

SHA1
2e4791f9cdfca8abf345d606f313d22b36c46b92

SHA256
1f21838b244c80f8bed6f6977aa8a557b419cf22ba35b1fd4bf0f98989c5bdf8

SHA512
8fca77e54480aea3c0c7a705263ed8fb83c58974f5f0f62f12cc97c8e0506ba2cdb59b70e59e9a6c44dd7cde6adeeec35b494d31a6a146ff5ba7006136ab9386

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\r.wnry
Filesize
864B

MD5
3e0020fc529b1c2a061016dd2469ba96

SHA1
c3a91c22b63f6fe709e7c29cafb29a2ee83e6ade

SHA256
402751fa49e0cb68fe052cb3db87b05e71c1d950984d339940cf6b29409f2a7c

SHA512
5ca3c134201ed39d96d72911c0498bae6f98701513fd7f1dc8512819b673f0ea580510fa94ed9413ccc73da18b39903772a7cbfa3478176181cee68c896e14cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\s.wnry
Filesize
2.9MB

MD5
ad4c9de7c8c40813f200ba1c2fa33083

SHA1
d1af27518d455d432b62d73c6a1497d032f6120e

SHA256
e18fdd912dfe5b45776e68d578c3af3547886cf1353d7086c8bee037436dff4b

SHA512
115733d08e5f1a514808a20b070db7ff453fd149865f49c04365a8c6502fa1e5c3a31da3e21f688ab040f583cf1224a544aea9708ffab21405dde1c57f98e617

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\t.wnry
Filesize
64KB

MD5
5dcaac857e695a65f5c3ef1441a73a8f

SHA1
7b10aaeee05e7a1efb43d9f837e9356ad55c07dd

SHA256
97ebce49b14c46bebc9ec2448d00e1e397123b256e2be9eba5140688e7bc0ae6

SHA512
06eb5e49d19b71a99770d1b11a5bb64a54bf3352f36e39a153469e54205075c203b08128dc2317259db206ab5323bdd93aaa252a066f57fb5c52ff28deedb5e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
Filesize
20KB

MD5
4fef5e34143e646dbf9907c4374276f5

SHA1
47a9ad4125b6bd7c55e4e7da251e23f089407b8f

SHA256
4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79

SHA512
4550dd1787deb353ebd28363dd2cdccca861f6a5d9358120fa6aa23baa478b2a9eb43cef5e3f6426f708a0753491710ac05483fac4a046c26bec4234122434d5

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new
Filesize
5.7MB

MD5
7f05a5d0f7a03c870463335f98064e35

SHA1
563a3d17ee6420fd0febc1e6e0eed7a8379bfdf7

SHA256
cf6b1eb40d2b0fdee542b686288e4a12653f7dba82c08a4fe7fa4b525c88adb5

SHA512
6add14dfe1bf0dcdea17e576a7962d3906fc18afd41ccf330e9ffec0977f01c61646c2808e2cd9ac8431890123fc43f025204cd643949a824d84f085ebc60a6f

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r.zip.crdownload
Filesize
3.3MB

MD5
e58fdd8b0ce47bcb8ffd89f4499d186d

SHA1
b7e2334ac6e1ad75e3744661bb590a2d1da98b03

SHA256
283f40e9d550833bec101a24fd6fd6fbd9937ed32a51392e818ffff662a1d30a

SHA512
95b6567b373efa6aec6a9bfd7af70ded86f8c72d3e8ba75f756024817815b830f54d18143b0be6de335dd0ca0afe722f88a4684663be5a84946bd30343d43a8c

Download Submit
\??\pipe\crashpad_2584_YRLNZGQOQWADSTOU
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2580-2832-0x0000000073120000-0x000000007333C000-memory.dmp

Filesize
2.1MB

Download
memory/2580-2843-0x00000000011B0000-0x00000000014AE000-memory.dmp

Filesize
3.0MB

Download
memory/2580-2818-0x0000000073120000-0x000000007333C000-memory.dmp

Filesize
2.1MB

Download
memory/2580-2820-0x0000000073370000-0x00000000733F2000-memory.dmp

Filesize
520KB

Download
memory/2580-2819-0x00000000011B0000-0x00000000014AE000-memory.dmp

Filesize
3.0MB

Download
memory/2580-2821-0x00000000011B0000-0x00000000014AE000-memory.dmp

Filesize
3.0MB

Download
memory/2580-2822-0x0000000073340000-0x0000000073362000-memory.dmp

Filesize
136KB

Download
memory/2580-2826-0x00000000011B0000-0x00000000014AE000-memory.dmp

Filesize
3.0MB

Download
memory/2580-2827-0x00000000734A0000-0x0000000073522000-memory.dmp

Filesize
520KB

Download
memory/2580-2828-0x0000000073480000-0x000000007349C000-memory.dmp

Filesize
112KB

Download
memory/2580-2829-0x0000000073400000-0x0000000073477000-memory.dmp

Filesize
476KB

Download
memory/2580-2830-0x0000000073370000-0x00000000733F2000-memory.dmp

Filesize
520KB

Download
memory/2580-2815-0x0000000073120000-0x000000007333C000-memory.dmp

Filesize
2.1MB

Download
memory/2580-2817-0x0000000073340000-0x0000000073362000-memory.dmp

Filesize
136KB

Download
memory/2580-2850-0x00000000011B0000-0x00000000014AE000-memory.dmp

Filesize
3.0MB

Download
memory/2580-2816-0x0000000073370000-0x00000000733F2000-memory.dmp

Filesize
520KB

Download
memory/2580-2814-0x00000000734A0000-0x0000000073522000-memory.dmp

Filesize
520KB

Download
memory/2580-2871-0x00000000011B0000-0x00000000014AE000-memory.dmp

Filesize
3.0MB

Download
memory/2580-2877-0x0000000073120000-0x000000007333C000-memory.dmp

Filesize
2.1MB

Download
memory/2580-2879-0x00000000011B0000-0x00000000014AE000-memory.dmp

Filesize
3.0MB

Download
memory/2580-2885-0x0000000073120000-0x000000007333C000-memory.dmp

Filesize
2.1MB

Download
memory/2580-2886-0x00000000011B0000-0x00000000014AE000-memory.dmp

Filesize
3.0MB

Download
memory/2580-2892-0x0000000073120000-0x000000007333C000-memory.dmp

Filesize
2.1MB

Download
memory/2580-2936-0x00000000011B0000-0x00000000014AE000-memory.dmp

Filesize
3.0MB

Download
memory/2580-2942-0x0000000073120000-0x000000007333C000-memory.dmp

Filesize
2.1MB

Download
memory/2580-2944-0x00000000011B0000-0x00000000014AE000-memory.dmp

Filesize
3.0MB

Download
memory/2580-2963-0x00000000011B0000-0x00000000014AE000-memory.dmp

Filesize
3.0MB

Download
memory/4260-1414-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download