wannacry | hxxp://Google[.]com

Analysis

max time kernel
663s
max time network
664s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
22-05-2024 16:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://Google.com

Score

10^/10

wannacry bootkit persistence ransomware worm

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\uh oh\!Please Read Me!.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions! �

Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry

Drops startup file 2 IoCs

Processes:

Ransomware.WannaCrypt0r.v1.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD6770.tmp	Ransomware.WannaCrypt0r.v1.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD6776.tmp	Ransomware.WannaCrypt0r.v1.exe

Executes dropped EXE 18 IoCs

Processes:

!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe

pid	process
1588	!WannaDecryptor!.exe
1876	!WannaDecryptor!.exe
2148	!WannaDecryptor!.exe
5096	!WannaDecryptor!.exe
4860	!WannaDecryptor!.exe
856	!WannaDecryptor!.exe
1184	!WannaDecryptor!.exe
1044	!WannaDecryptor!.exe
2852	!WannaDecryptor!.exe
4000	!WannaDecryptor!.exe
1100	!WannaDecryptor!.exe
2052	!WannaDecryptor!.exe
1856	!WannaDecryptor!.exe
4576	!WannaDecryptor!.exe
4888	!WannaDecryptor!.exe
3156	!WannaDecryptor!.exe
5084	!WannaDecryptor!.exe
2976	!WannaDecryptor!.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Ransomware.WannaCrypt0r.v1.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\Downloads\\uh oh\\Ransomware.WannaCrypt0r.v1.exe\" /r"	Ransomware.WannaCrypt0r.v1.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs

Web Service

T1102

Processes:

flow	ioc
67	camo.githubusercontent.com
68	camo.githubusercontent.com
69	camo.githubusercontent.com
70	camo.githubusercontent.com
112	raw.githubusercontent.com
66	camo.githubusercontent.com
65	camo.githubusercontent.com
113	raw.githubusercontent.com
64	camo.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

Ransomware.Mischa.exe

description ioc process

File opened for modification \??\PhysicalDrive0 Ransomware.Mischa.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	Ransomware.Mischa.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

!WannaDecryptor!.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp"	!WannaDecryptor!.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 4 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

4652 taskkill.exe
540 taskkill.exe
4532 taskkill.exe
96 taskkill.exe

pid	process
4652	taskkill.exe
540	taskkill.exe
4532	taskkill.exe
96	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133608691777181318"	chrome.exe

Modifies registry class 1 IoCs

Processes:

chrome.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings chrome.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

chrome.exechrome.exe

pid process

3612 chrome.exe
3612 chrome.exe
3612 chrome.exe
3612 chrome.exe
1996 chrome.exe
1996 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

3612 chrome.exe
3612 chrome.exe
3612 chrome.exe
3612 chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	3612	chrome.exe
Token: SeCreatePagefilePrivilege	3612	chrome.exe
Token: SeShutdownPrivilege	3612	chrome.exe
Token: SeCreatePagefilePrivilege	3612	chrome.exe
Token: SeShutdownPrivilege	3612	chrome.exe
Token: SeCreatePagefilePrivilege	3612	chrome.exe
Token: SeShutdownPrivilege	3612	chrome.exe
Token: SeCreatePagefilePrivilege	3612	chrome.exe
Token: SeShutdownPrivilege	3612	chrome.exe
Token: SeCreatePagefilePrivilege	3612	chrome.exe
Token: SeShutdownPrivilege	3612	chrome.exe
Token: SeCreatePagefilePrivilege	3612	chrome.exe
Token: SeShutdownPrivilege	3612	chrome.exe
Token: SeCreatePagefilePrivilege	3612	chrome.exe
Token: SeShutdownPrivilege	3612	chrome.exe
Token: SeCreatePagefilePrivilege	3612	chrome.exe
Token: SeShutdownPrivilege	3612	chrome.exe
Token: SeCreatePagefilePrivilege	3612	chrome.exe
Token: SeShutdownPrivilege	3612	chrome.exe
Token: SeCreatePagefilePrivilege	3612	chrome.exe
Token: SeShutdownPrivilege	3612	chrome.exe
Token: SeCreatePagefilePrivilege	3612	chrome.exe
Token: SeShutdownPrivilege	3612	chrome.exe
Token: SeCreatePagefilePrivilege	3612	chrome.exe
Token: SeShutdownPrivilege	3612	chrome.exe
Token: SeCreatePagefilePrivilege	3612	chrome.exe
Token: SeShutdownPrivilege	3612	chrome.exe
Token: SeCreatePagefilePrivilege	3612	chrome.exe
Token: SeShutdownPrivilege	3612	chrome.exe
Token: SeCreatePagefilePrivilege	3612	chrome.exe
Token: SeShutdownPrivilege	3612	chrome.exe
Token: SeCreatePagefilePrivilege	3612	chrome.exe
Token: SeShutdownPrivilege	3612	chrome.exe
Token: SeCreatePagefilePrivilege	3612	chrome.exe
Token: SeShutdownPrivilege	3612	chrome.exe
Token: SeCreatePagefilePrivilege	3612	chrome.exe
Token: SeShutdownPrivilege	3612	chrome.exe
Token: SeCreatePagefilePrivilege	3612	chrome.exe
Token: SeShutdownPrivilege	3612	chrome.exe
Token: SeCreatePagefilePrivilege	3612	chrome.exe
Token: SeShutdownPrivilege	3612	chrome.exe
Token: SeCreatePagefilePrivilege	3612	chrome.exe
Token: SeShutdownPrivilege	3612	chrome.exe
Token: SeCreatePagefilePrivilege	3612	chrome.exe
Token: SeShutdownPrivilege	3612	chrome.exe
Token: SeCreatePagefilePrivilege	3612	chrome.exe
Token: SeShutdownPrivilege	3612	chrome.exe
Token: SeCreatePagefilePrivilege	3612	chrome.exe
Token: SeShutdownPrivilege	3612	chrome.exe
Token: SeCreatePagefilePrivilege	3612	chrome.exe
Token: SeShutdownPrivilege	3612	chrome.exe
Token: SeCreatePagefilePrivilege	3612	chrome.exe
Token: SeShutdownPrivilege	3612	chrome.exe
Token: SeCreatePagefilePrivilege	3612	chrome.exe
Token: SeShutdownPrivilege	3612	chrome.exe
Token: SeCreatePagefilePrivilege	3612	chrome.exe
Token: SeShutdownPrivilege	3612	chrome.exe
Token: SeCreatePagefilePrivilege	3612	chrome.exe
Token: SeShutdownPrivilege	3612	chrome.exe
Token: SeCreatePagefilePrivilege	3612	chrome.exe
Token: SeShutdownPrivilege	3612	chrome.exe
Token: SeCreatePagefilePrivilege	3612	chrome.exe
Token: SeShutdownPrivilege	3612	chrome.exe
Token: SeCreatePagefilePrivilege	3612	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exe7zG.exe7zG.exe7zG.exe

pid	process
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
1916	7zG.exe
4560	7zG.exe
1500	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe
3612	chrome.exe

Suspicious use of SetWindowsHookEx 20 IoCs

Processes:

pid	process
1588	!WannaDecryptor!.exe
1588	!WannaDecryptor!.exe
1876	!WannaDecryptor!.exe
1876	!WannaDecryptor!.exe
2148	!WannaDecryptor!.exe
5096	!WannaDecryptor!.exe
4860	!WannaDecryptor!.exe
856	!WannaDecryptor!.exe
1184	!WannaDecryptor!.exe
1044	!WannaDecryptor!.exe
2852	!WannaDecryptor!.exe
4000	!WannaDecryptor!.exe
1100	!WannaDecryptor!.exe
2052	!WannaDecryptor!.exe
1856	!WannaDecryptor!.exe
4576	!WannaDecryptor!.exe
4888	!WannaDecryptor!.exe
3156	!WannaDecryptor!.exe
5084	!WannaDecryptor!.exe
2976	!WannaDecryptor!.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 3612 wrote to memory of 236	3612	chrome.exe	chrome.exe
PID 3612 wrote to memory of 236	3612	chrome.exe	chrome.exe
PID 3612 wrote to memory of 4340	3612	chrome.exe	chrome.exe
PID 3612 wrote to memory of 4340	3612	chrome.exe	chrome.exe
PID 3612 wrote to memory of 4340	3612	chrome.exe	chrome.exe
PID 3612 wrote to memory of 4340	3612	chrome.exe	chrome.exe
PID 3612 wrote to memory of 4340	3612	chrome.exe	chrome.exe
PID 3612 wrote to memory of 4340	3612	chrome.exe	chrome.exe
PID 3612 wrote to memory of 4340	3612	chrome.exe	chrome.exe
PID 3612 wrote to memory of 4340	3612	chrome.exe	chrome.exe
PID 3612 wrote to memory of 4340	3612	chrome.exe	chrome.exe
PID 3612 wrote to memory of 4340	3612	chrome.exe	chrome.exe
PID 3612 wrote to memory of 4340	3612	chrome.exe	chrome.exe
PID 3612 wrote to memory of 4340	3612	chrome.exe	chrome.exe
PID 3612 wrote to memory of 4340	3612	chrome.exe	chrome.exe
PID 3612 wrote to memory of 4340	3612	chrome.exe	chrome.exe
PID 3612 wrote to memory of 4340	3612	chrome.exe	chrome.exe
PID 3612 wrote to memory of 4340	3612	chrome.exe	chrome.exe
PID 3612 wrote to memory of 4340	3612	chrome.exe	chrome.exe
PID 3612 wrote to memory of 4340	3612	chrome.exe	chrome.exe
PID 3612 wrote to memory of 4340	3612	chrome.exe	chrome.exe
PID 3612 wrote to memory of 4340	3612	chrome.exe	chrome.exe
PID 3612 wrote to memory of 4340	3612	chrome.exe	chrome.exe
PID 3612 wrote to memory of 4340	3612	chrome.exe	chrome.exe
PID 3612 wrote to memory of 4340	3612	chrome.exe	chrome.exe
PID 3612 wrote to memory of 4340	3612	chrome.exe	chrome.exe
PID 3612 wrote to memory of 4340	3612	chrome.exe	chrome.exe
PID 3612 wrote to memory of 4340	3612	chrome.exe	chrome.exe
PID 3612 wrote to memory of 4340	3612	chrome.exe	chrome.exe
PID 3612 wrote to memory of 4340	3612	chrome.exe	chrome.exe
PID 3612 wrote to memory of 4340	3612	chrome.exe	chrome.exe
PID 3612 wrote to memory of 4340	3612	chrome.exe	chrome.exe
PID 3612 wrote to memory of 4340	3612	chrome.exe	chrome.exe
PID 3612 wrote to memory of 4340	3612	chrome.exe	chrome.exe
PID 3612 wrote to memory of 4340	3612	chrome.exe	chrome.exe
PID 3612 wrote to memory of 4340	3612	chrome.exe	chrome.exe
PID 3612 wrote to memory of 4340	3612	chrome.exe	chrome.exe
PID 3612 wrote to memory of 4340	3612	chrome.exe	chrome.exe
PID 3612 wrote to memory of 4340	3612	chrome.exe	chrome.exe
PID 3612 wrote to memory of 4340	3612	chrome.exe	chrome.exe
PID 3612 wrote to memory of 4552	3612	chrome.exe	chrome.exe
PID 3612 wrote to memory of 4552	3612	chrome.exe	chrome.exe
PID 3612 wrote to memory of 4828	3612	chrome.exe	chrome.exe
PID 3612 wrote to memory of 4828	3612	chrome.exe	chrome.exe
PID 3612 wrote to memory of 4828	3612	chrome.exe	chrome.exe
PID 3612 wrote to memory of 4828	3612	chrome.exe	chrome.exe
PID 3612 wrote to memory of 4828	3612	chrome.exe	chrome.exe
PID 3612 wrote to memory of 4828	3612	chrome.exe	chrome.exe
PID 3612 wrote to memory of 4828	3612	chrome.exe	chrome.exe
PID 3612 wrote to memory of 4828	3612	chrome.exe	chrome.exe
PID 3612 wrote to memory of 4828	3612	chrome.exe	chrome.exe
PID 3612 wrote to memory of 4828	3612	chrome.exe	chrome.exe
PID 3612 wrote to memory of 4828	3612	chrome.exe	chrome.exe
PID 3612 wrote to memory of 4828	3612	chrome.exe	chrome.exe
PID 3612 wrote to memory of 4828	3612	chrome.exe	chrome.exe
PID 3612 wrote to memory of 4828	3612	chrome.exe	chrome.exe
PID 3612 wrote to memory of 4828	3612	chrome.exe	chrome.exe
PID 3612 wrote to memory of 4828	3612	chrome.exe	chrome.exe
PID 3612 wrote to memory of 4828	3612	chrome.exe	chrome.exe
PID 3612 wrote to memory of 4828	3612	chrome.exe	chrome.exe
PID 3612 wrote to memory of 4828	3612	chrome.exe	chrome.exe
PID 3612 wrote to memory of 4828	3612	chrome.exe	chrome.exe
PID 3612 wrote to memory of 4828	3612	chrome.exe	chrome.exe
PID 3612 wrote to memory of 4828	3612	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://Google.com
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3612

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff8cbe39758,0x7ff8cbe39768,0x7ff8cbe39778
2⤵
PID:236

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1536 --field-trial-handle=1832,i,18054868423758902981,1820570053750736305,131072 /prefetch:2
2⤵
PID:4340

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2052 --field-trial-handle=1832,i,18054868423758902981,1820570053750736305,131072 /prefetch:8
2⤵
PID:4552

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1708 --field-trial-handle=1832,i,18054868423758902981,1820570053750736305,131072 /prefetch:8
2⤵
PID:4828

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2680 --field-trial-handle=1832,i,18054868423758902981,1820570053750736305,131072 /prefetch:1
2⤵
PID:2360

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2688 --field-trial-handle=1832,i,18054868423758902981,1820570053750736305,131072 /prefetch:1
2⤵
PID:2780

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4396 --field-trial-handle=1832,i,18054868423758902981,1820570053750736305,131072 /prefetch:1
2⤵
PID:4432

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4688 --field-trial-handle=1832,i,18054868423758902981,1820570053750736305,131072 /prefetch:8
2⤵
PID:2252

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3636 --field-trial-handle=1832,i,18054868423758902981,1820570053750736305,131072 /prefetch:8
2⤵
PID:3056

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3820 --field-trial-handle=1832,i,18054868423758902981,1820570053750736305,131072 /prefetch:8
2⤵
PID:4804

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4816 --field-trial-handle=1832,i,18054868423758902981,1820570053750736305,131072 /prefetch:8
2⤵
PID:848

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4920 --field-trial-handle=1832,i,18054868423758902981,1820570053750736305,131072 /prefetch:1
2⤵
PID:724

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4520 --field-trial-handle=1832,i,18054868423758902981,1820570053750736305,131072 /prefetch:8
2⤵
PID:464

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=692 --field-trial-handle=1832,i,18054868423758902981,1820570053750736305,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1996

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5144 --field-trial-handle=1832,i,18054868423758902981,1820570053750736305,131072 /prefetch:8
2⤵
PID:4436

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=768 --field-trial-handle=1832,i,18054868423758902981,1820570053750736305,131072 /prefetch:8
2⤵
PID:4348

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4544 --field-trial-handle=1832,i,18054868423758902981,1820570053750736305,131072 /prefetch:8
2⤵
PID:464

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 --field-trial-handle=1832,i,18054868423758902981,1820570053750736305,131072 /prefetch:8
2⤵
PID:2816

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 --field-trial-handle=1832,i,18054868423758902981,1820570053750736305,131072 /prefetch:8
2⤵
PID:4316

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2064 --field-trial-handle=1832,i,18054868423758902981,1820570053750736305,131072 /prefetch:8
2⤵
PID:4488

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5316 --field-trial-handle=1832,i,18054868423758902981,1820570053750736305,131072 /prefetch:8
2⤵
PID:1112

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1292

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:856

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Ransomware.Jigsaw\" -ad -an -ai#7zMap19186:96:7zEvent27520
1⤵
- Suspicious use of FindShellTrayWindow
PID:1916

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Ransomware.Locky\" -ad -an -ai#7zMap12357:94:7zEvent22819
1⤵
- Suspicious use of FindShellTrayWindow
PID:4560

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Ransomware.Locky\" -ad -an -ai#7zMap16686:94:7zEvent31147
1⤵
- Suspicious use of FindShellTrayWindow
PID:1500

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Ransomware.Mischa.v2\" -ad -an -ai#7zMap5328:102:7zEvent11755
1⤵
PID:4152

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Ransomware.Mischa.v2\" -ad -an -ai#7zMap21645:102:7zEvent24812
1⤵
PID:4280

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Ransomware.Mischa\" -ad -an -ai#7zMap16829:96:7zEvent28648
1⤵
PID:1460

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Ransomware.WannaCrypt0r.v1\" -ad -an -ai#7zMap29420:114:7zEvent237
1⤵
PID:4848

C:\Users\Admin\Downloads\uh oh\Ransomware.WannaCrypt0r.v1.exe
"C:\Users\Admin\Downloads\uh oh\Ransomware.WannaCrypt0r.v1.exe"
1⤵
- Drops startup file
- Adds Run key to start application
PID:392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 287491716396159.bat
2⤵
PID:3132

C:\Windows\SysWOW64\cscript.exe
cscript //nologo c.vbs
3⤵
PID:5096

C:\Users\Admin\Downloads\uh oh\!WannaDecryptor!.exe
!WannaDecryptor!.exe f
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1588

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im MSExchange*
2⤵
- Kills process with taskkill
PID:4652

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Microsoft.Exchange.*
2⤵
- Kills process with taskkill
PID:96

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im sqlserver.exe
2⤵
- Kills process with taskkill
PID:4532

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im sqlwriter.exe
2⤵
- Kills process with taskkill
PID:540

C:\Users\Admin\Downloads\uh oh\!WannaDecryptor!.exe
!WannaDecryptor!.exe c
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2148

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /b !WannaDecryptor!.exe v
2⤵
PID:252

C:\Users\Admin\Downloads\uh oh\!WannaDecryptor!.exe
!WannaDecryptor!.exe v
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5096

C:\Users\Admin\Downloads\uh oh\!WannaDecryptor!.exe
!WannaDecryptor!.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4860

C:\Users\Admin\Downloads\uh oh\!WannaDecryptor!.exe
!WannaDecryptor!.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:856

C:\Users\Admin\Downloads\uh oh\!WannaDecryptor!.exe
!WannaDecryptor!.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1184

C:\Users\Admin\Downloads\uh oh\!WannaDecryptor!.exe
!WannaDecryptor!.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1044

C:\Users\Admin\Downloads\uh oh\!WannaDecryptor!.exe
!WannaDecryptor!.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2852

C:\Users\Admin\Downloads\uh oh\!WannaDecryptor!.exe
!WannaDecryptor!.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4000

C:\Users\Admin\Downloads\uh oh\!WannaDecryptor!.exe
!WannaDecryptor!.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1100

C:\Users\Admin\Downloads\uh oh\!WannaDecryptor!.exe
!WannaDecryptor!.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2052

C:\Users\Admin\Downloads\uh oh\!WannaDecryptor!.exe
!WannaDecryptor!.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1856

C:\Users\Admin\Downloads\uh oh\!WannaDecryptor!.exe
!WannaDecryptor!.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4576

C:\Users\Admin\Downloads\uh oh\!WannaDecryptor!.exe
!WannaDecryptor!.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4888

C:\Users\Admin\Downloads\uh oh\!WannaDecryptor!.exe
!WannaDecryptor!.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3156

C:\Users\Admin\Downloads\uh oh\!WannaDecryptor!.exe
!WannaDecryptor!.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5084

C:\Users\Admin\Downloads\uh oh\!WannaDecryptor!.exe
!WannaDecryptor!.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2976

C:\Users\Admin\Downloads\uh oh\!WannaDecryptor!.exe
"C:\Users\Admin\Downloads\uh oh\!WannaDecryptor!.exe"
1⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious use of SetWindowsHookEx
PID:1876

C:\Users\Admin\Downloads\uh oh\Ransomware.WannaCrypt0r.v1.exe
"C:\Users\Admin\Downloads\uh oh\Ransomware.WannaCrypt0r.v1.exe"
1⤵
PID:1504

C:\Users\Admin\Downloads\uh oh\Ransomware.Mischa.exe
"C:\Users\Admin\Downloads\uh oh\Ransomware.Mischa.exe"
1⤵
- Writes to the Master Boot Record (MBR)
PID:3656

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Defacement

T1491

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\40889016-d36d-4d2e-b0ec-afb749ec2b0c.tmp
Filesize
98KB

MD5
d81d7e434da6a31b69aaeb1117bf937b

SHA1
d7e18f7722aa58a0c5701797168c563e3efc35f1

SHA256
22608dc73402f6da04aa10247914aa9dfdf6d02590ec55923372fafe403562cb

SHA512
51a4fd0ccf875f802c37ffd708217c56e4e56df0b85544322e22229f88458ad0a4feba97edc34a56ed923da4f50811caa04c594a33f2b8a4cb297c8e0929fd08

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
2KB

MD5
45ece464364bce8bf90e9cd05cfe61e9

SHA1
7e0223b7a8ac66f4c2c0a86b4bd27e2c7c5dc32b

SHA256
e86f8d56a88d22d2ef550b13b8e6cc2f4041c99e5ae8e2a7dae8e1111800fa0c

SHA512
2c25940526ea3309754ce63411e48842ffc54808345279600210a318ce50617001167ca19511b031940a0897092423c5e336dc906fdcaa0b81bcab0153285179

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
2KB

MD5
efebd4ec325421348731e70c66217e51

SHA1
351a03fee9a3507eb0a53790f9ec0cc7bfdf0e23

SHA256
e613a9d9ebb30ae9eb7a992bb6d54e1c9dc415900134685464bf2c03937025f4

SHA512
77fce6e058723ad3724a73b2dd109815686fbb300f6c11b7c98db1e82d622fb6fea63aa9bc8e45382fd262b28f3e90479cbccc12531abd7cd6d77079bfbeda5f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
216B

MD5
39f91994b90e2ef9cf1b6f0d2c69d4d9

SHA1
cd1fed7efb9aa53dc8eea43bac1b2e1dbf723e08

SHA256
9bd82562f7cb092efa481e03ec0e3a59e08d220f183f7381a445053806966b9c

SHA512
2319e2d82d5f8006ae9a4095bf436ef7095fdf368260753e1c75a9490e019cd50974d8bf079a341c9518c58665b2e6c37da357ff202c006a201527adcf05bd2f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
3KB

MD5
a763a23eaa824dba872d62619bdced96

SHA1
295bce95a29a69690e6be61328d571945a76a836

SHA256
f54967bd99e09511a379ace434751c584ef625ee7223088751fb2a1e2b318217

SHA512
42baacb90afd0dd22437276bae0df94288a1237dad7a8696de036cdf8bc08e08d09969e080f2234ff8e5d68f02f9e4ba6017ded6749b927f4138e131cade94c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
3KB

MD5
7b6c76a6fe1cd6cc2f9454b52fe11844

SHA1
230dfa3a294ee09856b0a6b7cbb2297876c8bd6c

SHA256
8e001cb69c4610a367f5749a6085f04e14eff0084fc45fa857136d7a47217992

SHA512
ceeb38292898f4b8aa4c1957f823e8ff08002963323dda7c7d62c7ce3bd2f1a49b6dee1fba806bdefe0cd231142fd130eaf4b20cf55c3221d06b24a0b9b3cbe3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
4658a776eb04210347ac4204cd65bea2

SHA1
46c08941d0c13ec365847c419f14301a269980d4

SHA256
a2f5a27dcde0c2fd803d423f6c27a0a9603fbcc406888c26b980b6de5c46a722

SHA512
fefc2e6e0b62e6bd8cb6788d4524dce369fcc9636254e2a522a5097e40b621cb1d3451fbed9c996e18b8e9bb0d6696c9593238ca733d897238fbb5419183abc5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
cfb15d34f13e641c9f6cbab2f4c4457c

SHA1
6ae6b3286c786367f8373bd75b8fb19f70d07a12

SHA256
97498b43b4d6efe9bf68262e7473c7d4b61fa52392134ee48b793358edc5616f

SHA512
036793550876a8338995c9380cba2070b4877abe8b88821760293a54305e12735eb4bef972c0c809eefef9b2899fa933ea08dabf4af2ef195e9d51c70d12fc28

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
371B

MD5
bb889eabef91d451c77add097755d95a

SHA1
33b23a32cb932b45d28853af1423e9723261d0c8

SHA256
3cbb720701a39add0a929b258f9dfbabb71603b19f680eed0cc9f0396318b0a5

SHA512
9b40592d31cbb8eb6f075e62043bbf6a5ba5bd9ba9e7a4f953147a704f4486e33b6aba669fc70f5aa296c4e778d495fa114fbae8cc29ef5f55ca1d6cd5db46c1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
950dbda5f8c5c5b75d64fabe880d9d42

SHA1
a2937c61723dcf18840111bd41049459f5df9582

SHA256
0417e2f674091d807131fec88c2f5adc5e3f09320241190062e98b9e4b0b4bd4

SHA512
151bd0555fdef5207874784b82468f8d32789b2358bd95b76cf1d0d858c010aa27a0421b56daaea0db4c66c1c6c254137f14c2d88216574bd4d932246aac3a15

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
b1336cb88d2797610ecab9503ed1261f

SHA1
677da6c8496a92c291db58a31d47f60d09057f0b

SHA256
2f0fc01eaaf8728d39a9ba6795eecec39848f73cc330e52ba27898d6a5676ca0

SHA512
73f18ee806dcedfe6e322029dddbb47d3cd3c37bcca499d1585090234e921b2adca3de926305ebe9132fa6e6c75fe6f1ba3723cb643eaffb99bf6724e7ffa34e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
d7cfb68d5a801e3b78e97885db899eec

SHA1
5934bbb03bea8f735300370e5cd34df928c9910c

SHA256
ba62463a3c9d49e7949d60f67143e4647d61b09df0a97a47828071ed2c5f298c

SHA512
3f3505d0cd2a7a274e6e99c3fb1c770f6792d90bfa8917fa2a47c0f347ffefdd2ae6495770ba3ea85cb03ff82fd92568676b931ce2d751490074f521eb0293f0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
057d045a8188c2d593098b133c64c89e

SHA1
de18eb014f3fd38ebdada3c78c78a3c05a45ce60

SHA256
552bef68a3aaafae76ccf7360118878f20a4541cfa18eb68ce7989b395f8a903

SHA512
ce696eacc498a4a9be535408a8b13fc9581caa2421d511aea910bd2a418ccf9bf01fa5b983fb1af6ded596856d14138b9dcc658e56b340167f504fcf1d8e4b30

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
be344e06c6ae6f73f716eb59c083bbe8

SHA1
2e8f73cb99c1617c6d0671d081abb2e729ab84b3

SHA256
6ded082911d601ea34f878f5cb6b18e7ff192ecf2f81db2f8695b8329209e4f1

SHA512
553413f9ad96fb17e0897a51e934c479fe2b57db2abafe74eef1320a6a4b1d489e686fd694233effa9e5f9a33804140775ad11f4b3bec8f973b25d3083200dad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
371B

MD5
5067f75456f8ef116b11a632a430007a

SHA1
bd084744ad3a25d0a01f47e39bfa35a94160ffe6

SHA256
d8cd0f7cad1348838eb8221296021071e40136df9527c2ec3167436278793702

SHA512
8a56d44c9e51c2251ef86ca189ab94553dea921e210f21bb5373c08b20e086c8dbfc141ff6bdbc0b2b9a618d54b8aeb5aa476a30c73d45ec8b94ace182e7274e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
0b987109f866537a4ee7c95f71d7dcca

SHA1
6614404345f752fc5e702e0fe7e016b0ded7d9f8

SHA256
ade90c5c991a900d6d6bbc009892520602163037611075a75e67b4b28e41cffe

SHA512
1efad949e66db25833f625fe20a8d009963c1c2ecb6ab898d53dd158fa054175094c236c4d1d477effd704843bada4f2c0effee95b7b6630207b19c09f3010f8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
68799bf00a6ce00ca3ffd61b1ab16079

SHA1
99ebae856e4cb4171adc5c647a6f7205ceff62a6

SHA256
506112ccdfa33700114ed4eff4334015d93ab746728498da099e4097bbe587b1

SHA512
2ee3e1579c905f9cd4fa269ffce2521cd8e3b9c005ce34ef3deb5ec6f1fd2f2dc727ce1ac721699bec0cf1671690dd41a363837215d9cb34a00a17c5d68cf13b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
78f41b7cbf43647cd5f9930d4224e01b

SHA1
122bf39b6fc7f8de6068752e8b78b00afa627116

SHA256
77c9fbb97e7f68470ccb8865158f7002c596273073a23270382b111d6bc62e53

SHA512
28059e9747210d680a36ae13fc903c33523e5c27db92f85d30faad77a2b6fb1b4f0dda0bbd8446ff916a0cb492423497fbeb3544bf8eb8aa8c33cdb18a14a02b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
21f4de50a0ce032790a84a280b78748f

SHA1
5a9ce8c30598222aa366a93129a07c9ea9f1e03d

SHA256
8192312e7f672cc82ec187539bbe01803048192fb6b7f2a8933482ba1afc8730

SHA512
df6887e05ba7e6c7111aa0d808ba04d15d26e5b11c3d29a3557425148862f700b9d78471fc73666736c93bc92de45f2d6030277c257e8904088161783c21848e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
0e744bfaa2a7155bde59ac15b1523a83

SHA1
3d51102425a98661115fca93147c49d3f1d3584b

SHA256
03a6df520fd8c3a80587051845509eb982fe8468737abc1a5b20508024359e7a

SHA512
63e10e355aa9bdbc9442da59ffe3ffe246b37a58e3c2110279ffaa3b51a3b96e97d6d4369a4f8d07747cf899f1798d16d3853f596c7e0bfa63258dbb9e71d61f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
075cef113abc28f6b65a930bbddeb29b

SHA1
682eb2feab61cbed5f11141ab86ac20f267987c5

SHA256
94bc1557cbd933781f6b94d5688a0fbf0aaf61fa0f7b991f446f9f52cdbe0a46

SHA512
5648c27a34fc46ee5a65fc2f4b05e1f8700be233af3518278fcf8436afd4f372985c0dac9dc3879b84cee1f491db26e2d28e102e540f2ce8ee6e3c7717fbafb1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
d05ddb6e5483bbf948d7a0f32d353f54

SHA1
5de7b42dce199289ce4ebe7fa70b94942c04b1eb

SHA256
b3af02f8b3bf1b1b05e42de69c393f4965b5b5c99571f8ab74e1dccd4c166acc

SHA512
690abdf4d290ab523e1ee1f1a41f27e3f032901ac7a11aad8724400314aec9804be03010a3149e2258d01f4af760ccb58ae8517d0ac07694961d310eebc292d1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
157KB

MD5
16ae6fc61dbec331c14152b8d254138a

SHA1
b889f00d808c79c5f8a9fd05b7d5dc61d808f637

SHA256
3b4bcb76e6f323259a5b83e972d7facc939ad8e2fd5f50e15ccde69797e19817

SHA512
7cea19eca81e981f81897db387ea326abe2ae9c71c934149e7b92cde80c8ea860a24f76fb8bd2528af78432efa6d7e762555fdda1082490c89d0bd3cd63fc4e8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
138KB

MD5
acfc0ddf2409145215b585452146e05a

SHA1
55c82df028e93bd57bc1af45f86ebd62bed7119f

SHA256
38ddc270be80cb89de5f041ca9cce403fc6d23c8a09c3b6c423360eb19454a86

SHA512
da86c0535a1e5e2a951be61d023ac2028d1b84e0b76de7aa57ce9e9d85ede0e2d99b542d65c2e1e98f3ac19569e550be7fd18137941bf121e2756275b643a8de

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
137KB

MD5
63490651f61c321cc4c5e16d7e75e489

SHA1
e2e15fa664563078f2ab17626a029745dbdcdacf

SHA256
92829ae4c858df840e24d9fad68441d93a96fa5136c2b9679968c8cfd2e1b9b9

SHA512
a3c547ddd4f0b421f23e3df0c16281dbfd8abc9853a1ed46fdf78d733540e619273ceb1c01bad07ee687144f7224cca1f78351ba0954a03312e8f1eacdc77ecc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
138KB

MD5
fed2c6ad70d9ae4bad843202984c3df7

SHA1
fb6dd14af87c4f1a6f7b0a394eaf599beba093b0

SHA256
263122cbe8db9b5730fcb71f5ed446d9b3a3e6d965929fc7e979c5d32c989afe

SHA512
ccfc435bc296aa21b761df14e3b9f11f780be14a59f20d800501afce1d01de45c4397f5424da72e3e28c17798119134b091524fe19a9b8f16c4344b80c633b0f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
105KB

MD5
21e69d679d42368a18430d66a9b1702f

SHA1
f3ec321e0fdc6cecd755fb76e71de010a1a0f61f

SHA256
c8b55384ab776c8c8c64e65393775487167607df546ce10e06ebd0c4ea456dbf

SHA512
b1fd12dd3bdf3df3e4ace69d7f7f7d8aa05c24fc3842e7b3273b7e8e20c35725f0b767086302b8587b77546f6fd9c3e89c3836c3130ecac44577cad212a1860e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
109KB

MD5
337d5950a71f374887be4c3fd4d37280

SHA1
02f7a83dfa6d8599484b85046e380f34c20a5b68

SHA256
c5f6ba5ba3b0a91440bbf86ce8354c13eb6a181422d9db0eac1379d57414b694

SHA512
c76e8c515197fdc35d167786c386b607b6b2bd7c5ce7f10f01a90f0727dd67608b8f1a1a4f5cf637d95e80ad8fb401f72bbceef47d98d0acdfb7115958ee6859

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe58b1e6.TMP
Filesize
93KB

MD5
f7ed3d76393bfa3cd81c739cfccd7c1e

SHA1
a48d3cb412eb8587da8481b144158c1217656449

SHA256
de0a089a9a2151e84b0186b108879332026f9dd3caba63275fb1f8e238e036b2

SHA512
ba4e36ee1ec1d70bed65ee13b451f1ee14dbb57986658e66381c1584143d54e9f3b3546a40351c36e49f3282683bae865ddb0be4b327fb8a77dbabddeed29241

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\Downloads\Ransomware.Jigsaw.zip
Filesize
239KB

MD5
4161238e76dc9ae69c0c96fade43b0bd

SHA1
bf51e618d59253075d33461a353d20018ad177a6

SHA256
bc6c2a22cf086bb9f18e100866c83377a2c8cfb4f3b9cbc0330194d58edde7df

SHA512
2e93a58e3ef51d210ae16e56e745eb60056a86ebfb86b34f15e1d66a86997aa48f6091e4e0829144295cf4ad08f36a0a60c45726ccfaa440fb80217fb18697d7

Download Submit
C:\Users\Admin\Downloads\Ransomware.Locky.zip
Filesize
118KB

MD5
e3fea234f1f009000cc0b4e4c5155d21

SHA1
cd411b66e0d9dce9fbcf10372b53ccfe3bc9b66f

SHA256
072f9dd14596aa211bb2282a2512936b0af7cd71c9b44abff86d8c652f843e67

SHA512
989ba42691687c438f6cc1073d4a2712996b492ee65ab3810aea4fbe2ff8ae9d10c8bccb161912af19627af3593b1d633a66fbe985da3878e1cec1ad5c9b5636

Download Submit
C:\Users\Admin\Downloads\Ransomware.Locky\Locky.exe
Filesize
180KB

MD5
b06d9dd17c69ed2ae75d9e40b2631b42

SHA1
b606aaa402bfe4a15ef80165e964d384f25564e4

SHA256
bc98c8b22461a2c2631b2feec399208fdc4ecd1cd2229066c2f385caa958daa3

SHA512
8e54aca4feb51611142c1f2bf303200113604013c2603eea22d72d00297cb1cb40a2ef11f5129989cd14f90e495db79bffd15bd6282ff564c4af7975b1610c1c

Download Submit
C:\Users\Admin\Downloads\Ransomware.Mischa.v2.zip
Filesize
165KB

MD5
9f3ca0e1d356ccf73463d5b7cc1ef865

SHA1
bd0cfbb6889070164fc70b88de704efe62618b72

SHA256
e68204caf9924bd6ff9da3b1252592b46ee6f19887713d8f563cf152148764d9

SHA512
f6c514891598acf16e50caf7caddae2fbfb175de37b296b884bf0a75f782a89b52b9e276dd85e13345a19f88b06076b9ab1909ac085775b6bd54393e2a28cbde

Download Submit
C:\Users\Admin\Downloads\Ransomware.Mischa.v2\Ransomware.Mischa.v2.exe
Filesize
279KB

MD5
c8623aaa00f82b941122edef3b1852e3

SHA1
1785230107633bf908034ef0d5403367765bcafb

SHA256
ecc5cc62c8200954079191e586123522f88aa1414ae98908380176d75d2e7eab

SHA512
4223cdb0734ba3d9055503b73e1c69a94299c345c19aca52ef85d5eefcb7715756b8ebb92c9c462030d503af47653cd6182e1e14d04cc32309c6200db458b3d6

Download Submit
C:\Users\Admin\Downloads\Ransomware.Mischa.zip
Filesize
460KB

MD5
345ba22c4bb00ab0a6c7da0cc0e078a2

SHA1
68ab257016c5371de698c1f4672b12b5ecf3b666

SHA256
f0751b28e194d1f1d7535ca7eeb9a79554fdba9760adc0da687447e10c52a208

SHA512
d7f012247713eb4253d869a768292d990c815af3434c45dc1c83166dc4db4781dd45447199d7e42d671e8384e6e85c61c0286343c74e914c8e3b98fc7fbfa736

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCrypt0r.v1.zip
Filesize
191KB

MD5
04d2762c440097c67cef47fcba96ce3c

SHA1
6ecf78935809ea1699a9dd075b489ef27bd00c02

SHA256
593a4b3fb31a25c433f4c04fe6a9bdacfc30771ac41e3f394b81b0a13f6e5df8

SHA512
c00118b7fb2ef8c386c49cb95fc0e0e9d39d90eb9b1cdd10145ce2bc5d99bb6361daf90b9b5e5de42464583c9ee864b29de5d87aaeb8f82f610342fc6fd13bfd

Download Submit
C:\Users\Admin\Downloads\uh oh\!Please Read Me!.txt
Filesize
797B

MD5
afa18cf4aa2660392111763fb93a8c3d

SHA1
c219a3654a5f41ce535a09f2a188a464c3f5baf5

SHA256
227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0

SHA512
4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b

Download Submit
C:\Users\Admin\Downloads\uh oh\!WannaDecryptor!.exe.lnk
Filesize
678B

MD5
6aa5ae0379a161070d12799d3a88bfc9

SHA1
568acff53301fdf35c540154ce272061ceb8a87b

SHA256
aec9e0e05b8b3cc62743966bbe12c2530017cae55f28b910f1c1d70a5686f3be

SHA512
8b75621281aad19838b363733f09cca65aa3664e90c7d33af8ecd0e22ce7d41b0595b9802f36d044e9bbadd956f1e347119dbcb84bacbaf58701e5919e7954fa

Download Submit
C:\Users\Admin\Downloads\uh oh\00000000.res
Filesize
136B

MD5
30fdef81ab443bcaf7b9596e31fe7494

SHA1
e372e91461ac8e8dce6694acbf59019aa4b0d6c7

SHA256
512392bbfaed0343d2ca2610e012e632bc4a0441bcb91cbd2f91d8cb2b49b994

SHA512
051d8cbe0b9815ad5c6d92a1ac86a0cffbc1a6ffc69353f3dde6c671fad9c212de08106b9f52e13af50f15cb0f86e306cd31d22bc09b46f067c19a2cfaccfa49

Download Submit
C:\Users\Admin\Downloads\uh oh\00000000.res
Filesize
136B

MD5
848c9c12a5a61cedb30e8820aef5d54c

SHA1
5135c8ebddc63fb2dd4fc2219a92639e504e873a

SHA256
584455cd7223af1b1f46af94427cca11d3d416fdf9f7fe4d7d55e1f92a3a27d9

SHA512
9f556404951fa64f53b6138d1f76eb07b66dd19772739e896cd7719bc8abf085c753580e658cb88a3a160f26e61ff6cd51193518b730bca78ef87cc0e9f5755e

Download Submit
C:\Users\Admin\Downloads\uh oh\287491716396159.bat
Filesize
330B

MD5
b869e90578978c5fdc0da3e60969c600

SHA1
5962563497a4f16ab4d6333ff1784379c7ab4cda

SHA256
8ef1e632415fac8fdde0f4392f8d47775769ffcc7e707b14a97c0d0c3f688a4f

SHA512
2cc9443c89536c762a44e61642b3d811b0a40a0a07e30c839a61d8b9097789b5c7bf22f0ef6359684e4f79fee90d208908cf57e9de6eb18fddf79e8bdbce8e5f

Download Submit
C:\Users\Admin\Downloads\uh oh\c.vbs
Filesize
213B

MD5
c3e8c423b7a9b2099dc168d515183b1b

SHA1
00249ed6d0f1c010c2feeb80f2b215b165f21240

SHA256
6e57f075c0de026ded13f372e8771c7dd5c9c2a764cf61000e131011b6177e8c

SHA512
dad99837ec70195afa5938f585d1e304eabc186b45c6fc3841fb0c00fd8efab383212572a1bce2427898e5f34a65e7da8ee72c8c8fd9668c6bd397f90b296a84

Download Submit
C:\Users\Admin\Downloads\uh oh\c.wry
Filesize
628B

MD5
663e55df21852bc8870b86bc38e58262

SHA1
1c691bf030ecfce78a9476fbdef3afe61724e6a9

SHA256
bf22e8e18db1638673f47591a13d18ee58d8c6019314bab5a90be82ae3dc9538

SHA512
6a54be1fa549633a2fd888c559207437b8f6efda98bb18d491c8749f39e9754f1e680fa8e2d623777b5f665b2c04d19385c75ce4e61fb251db16018963a9a6f9

Download Submit
C:\Users\Admin\Downloads\uh oh\c.wry
Filesize
628B

MD5
d17bec17c6ead167d92a04034de445ff

SHA1
d1908c50066e24d7591b4111cc72e4aac12868b6

SHA256
bf6e59c1086c7e48375d928c17f72706a1b8e113fda74a94e15338c207731ff6

SHA512
4e771ab3081c10f6c9d53c95da341c91b7c20836340f856a0e12e6528496c67a02cdf1ea56a367842cf347c0da0329e52dd93ffa7985ace72c59cfaddf01f9a3

Download Submit
C:\Users\Admin\Downloads\uh oh\m.wry
Filesize
42KB

MD5
980b08bac152aff3f9b0136b616affa5

SHA1
2a9c9601ea038f790cc29379c79407356a3d25a3

SHA256
402046ada270528c9ac38bbfa0152836fe30fb8e12192354e53b8397421430d9

SHA512
100cda1f795781042b012498afd783fd6ff03b0068dbd07b2c2e163cd95e6c6e00755ce16b02b017693c9febc149ed02df9df9b607e2b9cca4b07e5bd420f496

Download Submit
C:\Users\Admin\Downloads\uh oh\r.wry
Filesize
729B

MD5
880e6a619106b3def7e1255f67cb8099

SHA1
8b3a90b2103a92d9facbfb1f64cb0841d97b4de7

SHA256
c9e9dc06f500ae39bfeb4671233cc97bb6dab58d97bb94aba4a2e0e509418d35

SHA512
c35ca30e0131ae4ee3429610ce4914a36b681d2c406f67816f725aa336969c2996347268cb3d19c22abaa4e2740ae86f4210b872610a38b4fa09ee80fcf36243

Download Submit
C:\Users\Admin\Downloads\uh oh\t.wry
Filesize
68KB

MD5
5557ee73699322602d9ae8294e64ce10

SHA1
1759643cf8bfd0fb8447fd31c5b616397c27be96

SHA256
a7dd727b4e0707026186fcab24ff922da50368e1a4825350bd9c4828c739a825

SHA512
77740de21603fe5dbb0d9971e18ec438a9df7aaa5cea6bd6ef5410e0ab38a06ce77fbaeb8fc68e0177323e6f21d0cee9410e21b7e77e8d60cc17f7d93fdb3d5e

Download Submit
C:\Users\Admin\Downloads\uh oh\u.wry
Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
\??\pipe\crashpad_3612_HPAZYVCXHXLUHMBK
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/392-590-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download