wannacry | hxxp://goo[.]gle

Resubmissions

26-05-2024 01:38

240526-b2c1xsah52 10

25-05-2024 09:47

240525-lsdafach9x 10

25-05-2024 09:43

240525-lqck5adc97 1

Analysis

max time kernel
1812s
max time network
1784s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
26-05-2024 01:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://goo.gle

Score

10^/10

wannacry defense_evasion discovery evasion execution impact ransomware trojan worm

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

tor-browser-windows-x86_64-portable-13.0.15.exefirefox.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	tor-browser-windows-x86_64-portable-13.0.15.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	firefox.exe

Drops startup file 2 IoCs

Processes:

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDE8C2.tmp	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDE8D9.tmp	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

Executes dropped EXE 29 IoCs

Processes:

tor-browser-windows-x86_64-portable-13.0.15.exefirefox.exefirefox.exefirefox.exefirefox.exetor.exefirefox.exefirefox.exefirefox.exefirefox.exefirefox.exefirefox.exefirefox.exefirefox.exefirefox.exefirefox.exefirefox.exefirefox.exefirefox.exefirefox.exefirefox.exefirefox.exefirefox.exefirefox.exetaskdl.exe@[email protected]@[email protected]taskhsvc.exe@[email protected]

pid	process
4500	tor-browser-windows-x86_64-portable-13.0.15.exe
4696	firefox.exe
1836	firefox.exe
2264	firefox.exe
576	firefox.exe
1172	tor.exe
1240	firefox.exe
5208	firefox.exe
5468	firefox.exe
6080	firefox.exe
6112	firefox.exe
6140	firefox.exe
5604	firefox.exe
2000	firefox.exe
900	firefox.exe
2304	firefox.exe
960	firefox.exe
5132	firefox.exe
3484	firefox.exe
6136	firefox.exe
1132	firefox.exe
4992	firefox.exe
2984	firefox.exe
1372	firefox.exe
5584	taskdl.exe
1344	@[email protected]
5488	@[email protected]
6140	taskhsvc.exe
1364	@[email protected]

Loads dropped DLL 64 IoCs

Processes:

tor-browser-windows-x86_64-portable-13.0.15.exefirefox.exefirefox.exefirefox.exefirefox.exefirefox.exefirefox.exefirefox.exefirefox.exefirefox.exefirefox.exefirefox.exe

pid	process
4500	tor-browser-windows-x86_64-portable-13.0.15.exe
4500	tor-browser-windows-x86_64-portable-13.0.15.exe
4500	tor-browser-windows-x86_64-portable-13.0.15.exe
4696	firefox.exe
1836	firefox.exe
1836	firefox.exe
1836	firefox.exe
1836	firefox.exe
1836	firefox.exe
1836	firefox.exe
1836	firefox.exe
1836	firefox.exe
1836	firefox.exe
1836	firefox.exe
1836	firefox.exe
2264	firefox.exe
2264	firefox.exe
2264	firefox.exe
2264	firefox.exe
576	firefox.exe
576	firefox.exe
576	firefox.exe
576	firefox.exe
1240	firefox.exe
1240	firefox.exe
1240	firefox.exe
1240	firefox.exe
5208	firefox.exe
5208	firefox.exe
5208	firefox.exe
5208	firefox.exe
576	firefox.exe
576	firefox.exe
1240	firefox.exe
1240	firefox.exe
5468	firefox.exe
5468	firefox.exe
5468	firefox.exe
5468	firefox.exe
5208	firefox.exe
5208	firefox.exe
6112	firefox.exe
6112	firefox.exe
6112	firefox.exe
6112	firefox.exe
5468	firefox.exe
5468	firefox.exe
6080	firefox.exe
6080	firefox.exe
6080	firefox.exe
6080	firefox.exe
6140	firefox.exe
6140	firefox.exe
6140	firefox.exe
6140	firefox.exe
6080	firefox.exe
6080	firefox.exe
6112	firefox.exe
6112	firefox.exe
6140	firefox.exe
6140	firefox.exe
5604	firefox.exe
5604	firefox.exe
5604	firefox.exe

Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

4556 icacls.exe
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

firefox.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA firefox.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

297 raw.githubusercontent.com
298 raw.githubusercontent.com

pid	process
4556	icacls.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	firefox.exe

flow	ioc
297	raw.githubusercontent.com
298	raw.githubusercontent.com

Drops file in System32 directory 11 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe@[email protected]

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exetaskmgr.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 33 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEiexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31108881"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0337bb011afda01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000078f1237f04e5404da848d5bad8ef86260000000002000000000010660000000100002000000011ba1b89e01439cb9e40d52c660caab9a623965e373150568a0c66e4ec63aa58000000000e80000000020000200000000753b9d8cc975eab5aad8e85e19d021b5ead18d8efcc059d22f0ea8f26632c3e20000000c8af1f15095390e49b1c917adeea554b58855f5ff8c4122b1fbaa6c43ec1a4c44000000076e27d3dc1b96f91eebe6925291f672ce777796bef71bccc039efae9727bdae4cd7c98bc2915f2a97b8a1b9dd799023cd00bebab3f9a5282da505a920e9358d0	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d05f82b011afda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2945555112"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31108881"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{DB26AD50-1B04-11EF-9519-FE55E2F65CCF} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000078f1237f04e5404da848d5bad8ef862600000000020000000000106600000001000020000000aa395a454066aae3f828d7df73beb1cc1c3dda9b51f84498afe4d3213b1783e3000000000e8000000002000020000000d902158e3b9b39bba20ac5a2ab449c6bcc1465f9ddae0a9462ae954f91c405502000000031ca1f638781de09c4261d5255ed7abe30261dd7d84ecbe7f2b51326ff3d637d400000002270fceff297e4de7c0ec76fd5f5659dec4395b25d8ad24d927351ff336b7939d6c620290a322f9c89208022620713440453d20ee16fc5915f0aa327e884aa9a	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2945555112"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133611611777192969"	chrome.exe

Modifies registry class 3 IoCs

Processes:

tor-browser-windows-x86_64-portable-13.0.15.exechrome.exemspaint.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	tor-browser-windows-x86_64-portable-13.0.15.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	mspaint.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exechrome.exetaskmgr.exetaskhsvc.exe

pid	process
1920	chrome.exe
1920	chrome.exe
4344	chrome.exe
4344	chrome.exe
2936	taskmgr.exe
2936	taskmgr.exe
2936	taskmgr.exe
2936	taskmgr.exe
2936	taskmgr.exe
2936	taskmgr.exe
2936	taskmgr.exe
2936	taskmgr.exe
2936	taskmgr.exe
2936	taskmgr.exe
2936	taskmgr.exe
2936	taskmgr.exe
2936	taskmgr.exe
2936	taskmgr.exe
2936	taskmgr.exe
2936	taskmgr.exe
2936	taskmgr.exe
2936	taskmgr.exe
2936	taskmgr.exe
2936	taskmgr.exe
2936	taskmgr.exe
2936	taskmgr.exe
2936	taskmgr.exe
2936	taskmgr.exe
2936	taskmgr.exe
2936	taskmgr.exe
2936	taskmgr.exe
2936	taskmgr.exe
2936	taskmgr.exe
2936	taskmgr.exe
2936	taskmgr.exe
2936	taskmgr.exe
2936	taskmgr.exe
2936	taskmgr.exe
2936	taskmgr.exe
2936	taskmgr.exe
2936	taskmgr.exe
2936	taskmgr.exe
2936	taskmgr.exe
2936	taskmgr.exe
2936	taskmgr.exe
2936	taskmgr.exe
2936	taskmgr.exe
2936	taskmgr.exe
2936	taskmgr.exe
2936	taskmgr.exe
2936	taskmgr.exe
2936	taskmgr.exe
2936	taskmgr.exe
2936	taskmgr.exe
2936	taskmgr.exe
2936	taskmgr.exe
2936	taskmgr.exe
2936	taskmgr.exe
2936	taskmgr.exe
2936	taskmgr.exe
2936	taskmgr.exe
2936	taskmgr.exe
2936	taskmgr.exe
6140	taskhsvc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

taskmgr.exe

pid process

2936 taskmgr.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

chrome.exe

pid process

1920 chrome.exe
1920 chrome.exe
1920 chrome.exe
1920 chrome.exe
1920 chrome.exe
1920 chrome.exe
1920 chrome.exe

pid	process
2936	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeCreatePagefilePrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeCreatePagefilePrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeCreatePagefilePrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeCreatePagefilePrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeCreatePagefilePrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeCreatePagefilePrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeCreatePagefilePrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeCreatePagefilePrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeCreatePagefilePrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeCreatePagefilePrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeCreatePagefilePrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeCreatePagefilePrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeCreatePagefilePrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeCreatePagefilePrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeCreatePagefilePrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeCreatePagefilePrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeCreatePagefilePrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeCreatePagefilePrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeCreatePagefilePrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeCreatePagefilePrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeCreatePagefilePrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeCreatePagefilePrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeCreatePagefilePrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeCreatePagefilePrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeCreatePagefilePrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeCreatePagefilePrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeCreatePagefilePrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeCreatePagefilePrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeCreatePagefilePrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeCreatePagefilePrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeCreatePagefilePrivilege	1920	chrome.exe
Token: SeShutdownPrivilege	1920	chrome.exe
Token: SeCreatePagefilePrivilege	1920	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exefirefox.exetaskmgr.exe

pid	process
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1836	firefox.exe
1836	firefox.exe
1836	firefox.exe
1836	firefox.exe
2936	taskmgr.exe
2936	taskmgr.exe
2936	taskmgr.exe
2936	taskmgr.exe
2936	taskmgr.exe
2936	taskmgr.exe
2936	taskmgr.exe
2936	taskmgr.exe
2936	taskmgr.exe
2936	taskmgr.exe
2936	taskmgr.exe
2936	taskmgr.exe
2936	taskmgr.exe
2936	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

chrome.exefirefox.exetaskmgr.exe

pid	process
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1920	chrome.exe
1836	firefox.exe
1836	firefox.exe
2936	taskmgr.exe
2936	taskmgr.exe
2936	taskmgr.exe
2936	taskmgr.exe
2936	taskmgr.exe
2936	taskmgr.exe
2936	taskmgr.exe
2936	taskmgr.exe
2936	taskmgr.exe
2936	taskmgr.exe
2936	taskmgr.exe
2936	taskmgr.exe
2936	taskmgr.exe
2936	taskmgr.exe
2936	taskmgr.exe
2936	taskmgr.exe
2936	taskmgr.exe
2936	taskmgr.exe
2936	taskmgr.exe
2936	taskmgr.exe
2936	taskmgr.exe
2936	taskmgr.exe
2936	taskmgr.exe
2936	taskmgr.exe
2936	taskmgr.exe
2936	taskmgr.exe
2936	taskmgr.exe
2936	taskmgr.exe
2936	taskmgr.exe
2936	taskmgr.exe
2936	taskmgr.exe
2936	taskmgr.exe
2936	taskmgr.exe
2936	taskmgr.exe
2936	taskmgr.exe
2936	taskmgr.exe
2936	taskmgr.exe
2936	taskmgr.exe

Suspicious use of SetWindowsHookEx 33 IoCs

Processes:

firefox.exe@[email protected]@[email protected]iexplore.exeIEXPLORE.EXEmspaint.exeOpenWith.exe@[email protected]

pid	process
1836	firefox.exe
1836	firefox.exe
1836	firefox.exe
1836	firefox.exe
1836	firefox.exe
1836	firefox.exe
1836	firefox.exe
1836	firefox.exe
1836	firefox.exe
1836	firefox.exe
1836	firefox.exe
1836	firefox.exe
1836	firefox.exe
1836	firefox.exe
1836	firefox.exe
1836	firefox.exe
1836	firefox.exe
1836	firefox.exe
1836	firefox.exe
1344	@[email protected]
5488	@[email protected]
5488	@[email protected]
1344	@[email protected]
4548	iexplore.exe
4548	iexplore.exe
2152	IEXPLORE.EXE
2152	IEXPLORE.EXE
2152	IEXPLORE.EXE
2152	IEXPLORE.EXE
4104	mspaint.exe
5104	OpenWith.exe
1364	@[email protected]
1364	@[email protected]

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 1920 wrote to memory of 4136	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 4136	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 1176	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 1176	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 1176	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 1176	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 1176	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 1176	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 1176	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 1176	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 1176	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 1176	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 1176	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 1176	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 1176	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 1176	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 1176	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 1176	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 1176	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 1176	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 1176	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 1176	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 1176	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 1176	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 1176	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 1176	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 1176	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 1176	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 1176	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 1176	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 1176	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 1176	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 1176	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 3576	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 3576	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 4124	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 4124	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 4124	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 4124	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 4124	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 4124	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 4124	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 4124	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 4124	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 4124	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 4124	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 4124	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 4124	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 4124	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 4124	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 4124	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 4124	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 4124	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 4124	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 4124	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 4124	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 4124	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 4124	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 4124	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 4124	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 4124	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 4124	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 4124	1920	chrome.exe	chrome.exe
PID 1920 wrote to memory of 4124	1920	chrome.exe	chrome.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

1404 attrib.exe
2328 attrib.exe

pid	process
1404	attrib.exe
2328	attrib.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://goo.gle
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff12eeab58,0x7fff12eeab68,0x7fff12eeab78
  2⤵
  PID:4136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1672 --field-trial-handle=1756,i,2547682861933313005,10686024070525515205,131072 /prefetch:2
  2⤵
  PID:1176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 --field-trial-handle=1756,i,2547682861933313005,10686024070525515205,131072 /prefetch:8
  2⤵
  PID:3576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2216 --field-trial-handle=1756,i,2547682861933313005,10686024070525515205,131072 /prefetch:8
  2⤵
  PID:4124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2968 --field-trial-handle=1756,i,2547682861933313005,10686024070525515205,131072 /prefetch:1
  2⤵
  PID:4056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2976 --field-trial-handle=1756,i,2547682861933313005,10686024070525515205,131072 /prefetch:1
  2⤵
  PID:4100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4220 --field-trial-handle=1756,i,2547682861933313005,10686024070525515205,131072 /prefetch:1
  2⤵
  PID:1108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4140 --field-trial-handle=1756,i,2547682861933313005,10686024070525515205,131072 /prefetch:8
  2⤵
  PID:4588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4536 --field-trial-handle=1756,i,2547682861933313005,10686024070525515205,131072 /prefetch:8
  2⤵
  PID:3844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4552 --field-trial-handle=1756,i,2547682861933313005,10686024070525515205,131072 /prefetch:1
  2⤵
  PID:3876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4844 --field-trial-handle=1756,i,2547682861933313005,10686024070525515205,131072 /prefetch:8
  2⤵
  PID:2528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5084 --field-trial-handle=1756,i,2547682861933313005,10686024070525515205,131072 /prefetch:8
  2⤵
  PID:3680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5108 --field-trial-handle=1756,i,2547682861933313005,10686024070525515205,131072 /prefetch:8
  2⤵
  PID:2000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5052 --field-trial-handle=1756,i,2547682861933313005,10686024070525515205,131072 /prefetch:8
  2⤵
  PID:1092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4924 --field-trial-handle=1756,i,2547682861933313005,10686024070525515205,131072 /prefetch:8
  2⤵
  PID:3144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4164 --field-trial-handle=1756,i,2547682861933313005,10686024070525515205,131072 /prefetch:8
  2⤵
  PID:1240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2364 --field-trial-handle=1756,i,2547682861933313005,10686024070525515205,131072 /prefetch:8
  2⤵
  PID:1864
- C:\Users\Admin\Downloads\tor-browser-windows-x86_64-portable-13.0.15.exe
  "C:\Users\Admin\Downloads\tor-browser-windows-x86_64-portable-13.0.15.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  PID:4500
- - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
    "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4696
  - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
      "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Checks whether UAC is enabled
      Checks processor information in registry
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      PID:1836
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="1836.0.2087863250\78210125" -parentBuildID 20240510150000 -prefsHandle 2800 -prefMapHandle 2792 -prefsLen 19248 -prefMapSize 243824 -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {ca816947-cc4a-4c37-9a10-196ead0227bf} 1836 gpu
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2264
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="1836.1.275477895\1328555346" -childID 1 -isForBrowser -prefsHandle 1808 -prefMapHandle 2148 -prefsLen 20081 -prefMapSize 243824 -jsInitHandle 1232 -jsInitLen 240916 -parentBuildID 20240510150000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {4bed2e3d-a65d-4098-aa06-cf3302b7c759} 1836 tab
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:576
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Tor\tor.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Tor\tor.exe" --defaults-torrc "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\torrc-defaults" -f "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\torrc" DataDirectory "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor" ClientOnionAuthDir "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\onion-auth" GeoIPFile "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\geoip" GeoIPv6File "C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\geoip6" +__ControlPort 127.0.0.1:9151 HashedControlPassword 16:8a64b52a9108ef7e60396ff8bed82bfa01ec7160fe5db1e7d421542c0c +__SocksPort "127.0.0.1:9150 ExtendedErrors IPv6Traffic PreferIPv6 KeepAliveIsolateSOCKSAuth" __OwningControllerProcess 1836 DisableNetwork 1
        5⤵
        Executes dropped EXE
        
        PID:1172
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="1836.2.432874891\1287634921" -childID 2 -isForBrowser -prefsHandle 3112 -prefMapHandle 3076 -prefsLen 20899 -prefMapSize 243824 -jsInitHandle 1232 -jsInitLen 240916 -parentBuildID 20240510150000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {1587f254-1363-4eb6-bc20-e99671e99b13} 1836 tab
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1240
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="1836.3.1238220457\1683626902" -childID 3 -isForBrowser -prefsHandle 3316 -prefMapHandle 3320 -prefsLen 20976 -prefMapSize 243824 -jsInitHandle 1232 -jsInitLen 240916 -parentBuildID 20240510150000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {36b54261-dd8b-43d9-afcc-be2ffeeb6a86} 1836 tab
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5208
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="1836.4.1677598699\36236246" -parentBuildID 20240510150000 -prefsHandle 3684 -prefMapHandle 3608 -prefsLen 22151 -prefMapSize 243824 -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {43c94596-d326-42a9-988c-aa7430a1f9db} 1836 rdd
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5468
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="1836.5.1392223792\2014099616" -childID 4 -isForBrowser -prefsHandle 3764 -prefMapHandle 3768 -prefsLen 22199 -prefMapSize 243824 -jsInitHandle 1232 -jsInitLen 240916 -parentBuildID 20240510150000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {09d7b5ab-c302-4a2c-8cc3-77cea815af8d} 1836 tab
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:6080
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="1836.6.353365556\704195685" -childID 5 -isForBrowser -prefsHandle 4216 -prefMapHandle 4220 -prefsLen 22199 -prefMapSize 243824 -jsInitHandle 1232 -jsInitLen 240916 -parentBuildID 20240510150000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {752601e5-facc-4cbd-a82b-9cd4e317d0ae} 1836 tab
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:6112
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="1836.7.1038709664\1014932226" -childID 6 -isForBrowser -prefsHandle 4324 -prefMapHandle 4424 -prefsLen 22199 -prefMapSize 243824 -jsInitHandle 1232 -jsInitLen 240916 -parentBuildID 20240510150000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {febadae8-7513-4eb8-a2ba-526cc569088c} 1836 tab
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:6140
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="1836.8.2145094337\1606671599" -childID 7 -isForBrowser -prefsHandle 1636 -prefMapHandle 1632 -prefsLen 22522 -prefMapSize 243824 -jsInitHandle 1232 -jsInitLen 240916 -parentBuildID 20240510150000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {27597e60-e56b-4d5a-a7d3-4f1a09b8d7e2} 1836 tab
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5604
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="1836.9.1137581875\1822335393" -childID 8 -isForBrowser -prefsHandle 3864 -prefMapHandle 4288 -prefsLen 22846 -prefMapSize 243824 -jsInitHandle 1232 -jsInitLen 240916 -parentBuildID 20240510150000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {1e51008f-31c5-4a80-bbf9-2283b28b818c} 1836 tab
        5⤵
        Executes dropped EXE
        
        PID:2000
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="1836.10.2110746466\766505361" -childID 9 -isForBrowser -prefsHandle 4332 -prefMapHandle 4320 -prefsLen 22846 -prefMapSize 243824 -jsInitHandle 1232 -jsInitLen 240916 -parentBuildID 20240510150000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {8ad696c8-5fbb-4bbd-8639-ff38bb6c252f} 1836 tab
        5⤵
        Executes dropped EXE
        
        PID:900
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="1836.11.130546788\1319617865" -childID 10 -isForBrowser -prefsHandle 4384 -prefMapHandle 4396 -prefsLen 22970 -prefMapSize 243824 -jsInitHandle 1232 -jsInitLen 240916 -parentBuildID 20240510150000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {305042d7-30e8-4565-8e38-c62c91773348} 1836 tab
        5⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2304
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="1836.12.1124049853\1452048399" -childID 11 -isForBrowser -prefsHandle 4200 -prefMapHandle 3724 -prefsLen 22970 -prefMapSize 243824 -jsInitHandle 1232 -jsInitLen 240916 -parentBuildID 20240510150000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {aebbb1ef-1bbb-44f1-b0f5-82ec66301866} 1836 tab
        5⤵
        Executes dropped EXE
        
        PID:960
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="1836.13.514373598\1987134469" -childID 12 -isForBrowser -prefsHandle 4644 -prefMapHandle 4872 -prefsLen 22970 -prefMapSize 243824 -jsInitHandle 1232 -jsInitLen 240916 -parentBuildID 20240510150000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {5004538a-f332-4534-bfc3-ae58676d03c3} 1836 tab
        5⤵
        Executes dropped EXE
        
        PID:5132
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="1836.14.898668658\1616444048" -childID 13 -isForBrowser -prefsHandle 5276 -prefMapHandle 4220 -prefsLen 22970 -prefMapSize 243824 -jsInitHandle 1232 -jsInitLen 240916 -parentBuildID 20240510150000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {f65b8f83-7d10-4bb6-88f1-2b8a0ba34792} 1836 tab
        5⤵
        Executes dropped EXE
        
        PID:3484
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="1836.15.1921000067\469712360" -childID 14 -isForBrowser -prefsHandle 5336 -prefMapHandle 5232 -prefsLen 22970 -prefMapSize 243824 -jsInitHandle 1232 -jsInitLen 240916 -parentBuildID 20240510150000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {2aefcc5b-b580-4da4-ba2d-898be67d57ef} 1836 tab
        5⤵
        Executes dropped EXE
        
        PID:6136
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="1836.16.1824447061\243215167" -childID 15 -isForBrowser -prefsHandle 5496 -prefMapHandle 5492 -prefsLen 22970 -prefMapSize 243824 -jsInitHandle 1232 -jsInitLen 240916 -parentBuildID 20240510150000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {b81eb94d-0321-4d94-8127-47247510c5b3} 1836 tab
        5⤵
        Executes dropped EXE
        
        PID:1132
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="1836.17.634874051\658842590" -childID 16 -isForBrowser -prefsHandle 5420 -prefMapHandle 5316 -prefsLen 22970 -prefMapSize 243824 -jsInitHandle 1232 -jsInitLen 240916 -parentBuildID 20240510150000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {025087d7-19e7-4b77-9ac4-6fdc03452ec0} 1836 tab
        5⤵
        Executes dropped EXE
        
        PID:4992
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="1836.18.1908909646\1630316813" -childID 17 -isForBrowser -prefsHandle 5712 -prefMapHandle 5488 -prefsLen 22970 -prefMapSize 243824 -jsInitHandle 1232 -jsInitLen 240916 -parentBuildID 20240510150000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {299196b8-3979-434e-acd8-a4b67188e151} 1836 tab
        5⤵
        Executes dropped EXE
        
        PID:2984
    - - C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe
        
        "C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe" -contentproc --channel="1836.19.729825278\1457517207" -childID 18 -isForBrowser -prefsHandle 5416 -prefMapHandle 5132 -prefsLen 22970 -prefMapSize 243824 -jsInitHandle 1232 -jsInitLen 240916 -parentBuildID 20240510150000 -win32kLockedDown -appDir "C:\Users\Admin\Desktop\Tor Browser\Browser\browser" - {34be5a83-f5f6-469f-9721-23e0338bfdf1} 1836 tab
        5⤵
        Executes dropped EXE
        
        PID:1372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5284 --field-trial-handle=1756,i,2547682861933313005,10686024070525515205,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=736 --field-trial-handle=1756,i,2547682861933313005,10686024070525515205,131072 /prefetch:1
  2⤵
  PID:4120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=3184 --field-trial-handle=1756,i,2547682861933313005,10686024070525515205,131072 /prefetch:1
  2⤵
  PID:5920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=1660 --field-trial-handle=1756,i,2547682861933313005,10686024070525515205,131072 /prefetch:1
  2⤵
  PID:5480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4300 --field-trial-handle=1756,i,2547682861933313005,10686024070525515205,131072 /prefetch:8
  2⤵
  PID:4412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4340 --field-trial-handle=1756,i,2547682861933313005,10686024070525515205,131072 /prefetch:8
  2⤵
  PID:2664

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:2368

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2936

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3716

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe"
1⤵
- Drops startup file
- Sets desktop wallpaper using registry
PID:1828
- C:\Windows\SysWOW64\attrib.exe
  attrib +h .
  2⤵
  - Views/modifies file attributes
  PID:1404
- C:\Windows\SysWOW64\icacls.exe
  icacls . /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4556
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:5584
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 74061716689185.bat
  2⤵
  PID:4440
- - C:\Windows\SysWOW64\cscript.exe
    cscript.exe //nologo m.vbs
    3⤵
    PID:1560
- C:\Windows\SysWOW64\attrib.exe
  attrib +h +s F:\$RECYCLE
  2⤵
  - Views/modifies file attributes
  PID:2328
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected] co
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1344
- - C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\TaskData\Tor\taskhsvc.exe
    TaskData\Tor\taskhsvc.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:6140
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c start /b @[email protected] vs
  2⤵
  PID:180
- - C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
    @[email protected] vs
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5488
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
      4⤵
      PID:3796
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        5⤵
        
        PID:4644

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:5100

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\OutRestore.gif
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4548
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4548 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2152

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\WaitDismount.jpg" /ForceBootstrapPaint3D
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4104

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
1⤵
- Drops file in System32 directory
PID:2420

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:5104

C:\Users\Public\Desktop\@[email protected]
"C:\Users\Public\Desktop\@[email protected]"
1⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious use of SetWindowsHookEx
PID:1364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\@[email protected]

Filesize
1KB

MD5
30b1527d46d0ea9b24828beae672a4bd

SHA1
b05cc3b02399bea80a8fd690ef92186ec007d2d6

SHA256
df053d98b69dceaf5c4498fae798b2fb6f9ca45586edfada0e50c9c2359b5c35

SHA512
ad770ac8aca4106b8dfddfaa27c96d3a5aafdc9aab453e3dd372b3a27f6e84f9a334b833adaa9739db3a5deac360dcd00895f47e1aea9e6d6a9677c73803546f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000029

Filesize
206KB

MD5
f998b8f6765b4c57936ada0bb2eb4a5a

SHA1
13fb29dc0968838653b8414a125c124023c001df

SHA256
374db366966d7b48782f352c78a0b3670ffec33ed046d931415034d6f93dcfef

SHA512
d340ae61467332f99e4606ef022ff71c9495b9d138a40cc7c58b3206be0d080b25f4e877a811a55f4320db9a7f52e39f88f1aa426ba79fc5e78fc73dacf8c716

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
720B

MD5
6e1e5d7010b4c25d37436e8219221ccc

SHA1
efed2462247aa5256ee3ccc4f9b9b8f51bae591b

SHA256
0d12a7386ea66f42bc0b5eb8d84ea0f5d0f3ffa712076f82816a442f006be71d

SHA512
021ee5f7267cf5df439dbd69798c2c1359979f1553e43012483e4f8e69a9287194214776906beac4144ef6df8ffdd511590c92159144154dd95f5e2d94a26f6c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
9fd7bb49bbad5bbc4616333528f242b0

SHA1
eb06183cd994fb75af3e8aae8d6a212a42b15cf5

SHA256
5a1cc2dd8639c43c81eec4391bfb27b00edba594e937cb27853d06b31a73a7a8

SHA512
0ae393e05a6c94a93e07aa44a9de26b52201076c2f6f2e39ebb48d65b5c8d7d670e8ec69a9c622ef76da74557bca9bc70e47fc4ad3193e929efb5a5623f46d07

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\8fa22e44-3123-4f2c-ae7d-1c3a113c35b6.tmp

Filesize
3KB

MD5
6ed89f72294805378a3fa44be1e8070c

SHA1
369098e9d6ac97ad3088bb2c8a2c861659e3c4b5

SHA256
aa871d31bff6eb220b4f5e0a943109eb5e2f4d93edb4e96d13e84eedb7fa0e39

SHA512
fbb8244a332be859391b5536fa38350fc7c1182182f57568415b90e28dcd66ff11c07f051f245527b5f907f48c070c5de40651c2eb736362eda47cdce9b7fdec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
5f57237ef170093233cb57615139d841

SHA1
315e5ecf16d032b60accf8d79f821f172a830795

SHA256
86c225514cf7337956d238a4d7f549ead12992f1bb90e433f75c169de5f542bf

SHA512
ebf1ed0ad843c9bc482cb25ffb429260579307f99755a5011167cf250c591616ae04fc848ab0c5d627c1d4080256de1650443eb5af0cb90e8f19dfce7529636c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
ea526b402a3ccf538c56851daa9c9456

SHA1
8428b33a0b878666396a604a7906743c6c29c2c3

SHA256
43ad1cd86178a55a7cfff6960361995be33facb510b4f108cf24354ce95a39f4

SHA512
be7e638742f19067e1fe08c07137408b2bb56762af1ec6d3d1a3436ec4928e2bf4c15733dd85808a3bec8e5004cd84efb7dc7fb32c40e9a92575d85db49857e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
4e57eae4950117a70efc86f99d3494b7

SHA1
9b0b31627aa5de81f21408243f48152dc45a6c1f

SHA256
7088c5bbf80ee19c80ae323e370b1a2ae8d947dc93f7a3ff970e1c948598c555

SHA512
6dbad6f14ade6b793f65f61c5b0a0b4db10c08b513d651cc5bda737d18ff4d4eb7d39936fbc7cf4474f6d7630cef11f4cac3c16ea5c409d35d7afe2275b726c0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
7ff8ace0fc446aa36f84b1518b058e7d

SHA1
d635713e468573accea1f2e337089d1df8a603c1

SHA256
e6f6b6fb21ba2978cae1a70e73f7d3da639a431881616b5da5b7accd230dd7b6

SHA512
89102de6525d788dc926c685835422f52ccf9c0f2dabc6d9fb44ca8ac19a7c82e81fa536f9be3d0846ac57ba41f20cb00d5ac6909bab1454780cf03dd652b7ca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
860B

MD5
d2474336cfc1fea0b872af6f91671b13

SHA1
a25ffd14a4eb2ac361f6ce64f01c4c59b3281061

SHA256
ff5163472419dc745630149afd4106fb4106d7e8b59d70e55d1aaaa0ebea65bb

SHA512
896e8da479d1b00ddb02de1c89511fad61dbf142a72de044af2b2d3e0bb73afd696e8ff4609abf6440ac48ad5e6e0daa0b35f546e3b5a1cb26aed95315d6bb5d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
860B

MD5
7ff7250629d6bd84211219c39fc5c527

SHA1
653d1dce13aba698265ac5721f836ade48d18322

SHA256
b30a598612a96184b8fa617e07a4b0541fb90dd31b3def8c1221c88fdae41b93

SHA512
5cc0a9543c519fee555cebae1e72738a9b70f2f21ab14dd4a29ff7a7d1855bc53fcc29f4acd9c1630b54f4ebdcc110fb858da449476df8f7082891a9e2d9b1a6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
632d791de4a36f962b29e2f7b25dafdf

SHA1
6301864c5bb8cfa843e5defa8a8eae60e39b8035

SHA256
7af7ac4dc08d78c3bb606e226cb3dadb9f011a2ffd4b7b2d523c460b21e9fe96

SHA512
4af7b3d31faed404d85aa2b13dbc39c0b7dc12ad88295c43e7fa17e45a689bd96fa078f6887bd7cf2cab48027b30f5101d401506d22b21b33bd10ccbfd69eb64

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
84b5311302aa8dec7b1f090d188f1aba

SHA1
d6ce42d1e473bce1086e5c06c721de8085c88740

SHA256
eb2ef26b79c718b83abd7ddf3839f573ffb26f2e6143462686f47de612179b6b

SHA512
3f593e307fdf92b3f4ae56976749c7cb636fc35d1e903b234853939b26a5cc674d2e5f5c67ac9d64396640aa23b881d97b8e50927a5ca131db983d51a934154c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
6660b40819d7b175e7ee2a9407ee165c

SHA1
13e8591c28a41d87e96a06a6f3c3129d89911e63

SHA256
5c57eb827f2fdbb108d192a4c6d8f96903ea31bd9939cecb3afe2ea8c3036306

SHA512
4068e0cb09d0676ced0ef2f0dd3cebd8480cb998982c6fbc82685289068ee140ca463193e5039d7ea19d55e00d4792845fef9ce3a45b18b474594f926a623cae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
692B

MD5
dd463df154b325fe0d4f640127aaaae2

SHA1
097bd618523299f613ad1e8e4582b31a7f27a13c

SHA256
b527ee02306cca9dd8bf29614198f7eccecb7b13dae2c943ab0d61654a20e29e

SHA512
ce54fb2f45f8e1864c565b5d223f4b504ddd93f4033f8195e93cd356af5bff7a952e0a126b138f35cce575cff8af01d6375512e858cde23b0a12344dc36eb1e7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
5c399198d235ad4d817172f4b2712f52

SHA1
062f6cd2ff9787a8565f9fffb358cc5255319e6e

SHA256
b4a2014b247b9e6996f31c35e31e0880f60014af181d5a27d45b0dfa71f32d68

SHA512
0b0f64b1fb72721747ae7a6927ec7bdd67418a37517dae72f1e46534ee6d0c21f467d3baf72a6a798b1bf2278cf6b91dd769a932a5abe4a8cf35102525439175

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
d84a0229388589541242f00f416d472a

SHA1
b2e1c9a3f6c8207fa85a9b97a708865314903e78

SHA256
c2ef5ad8aa03dfd1cffe7c083a933a3682b9891102c4daf684c626f10972bc21

SHA512
f03d0269878d33021b8fd71b4600626fe985419ec3f7ae7c2922a90126b111ddb04e59a756d8f146f46d544f6de5aa45b2ae4c9ca9f5b9f0d985de0c61d697dd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
d1bcdc4ea1032eaefcb03e58e78d74e2

SHA1
8da709a17cb993a9ced624bb01f52dcbddd9db71

SHA256
5f1bb02c51028f398d039877dfad452f7c0174cfd5660be4dba0ea8d899666b0

SHA512
2a477888f0c461da0953a56bfb969065415d43fd359144bd36fce67b768abe5d30cd92dfd3d48af2116ad64002765b71bf6ad27626fd3acfc8525309fa85bad5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
6378174b21ed8a63d4918e7b6f925c3a

SHA1
204228b73ce11e26e8cc941ace21802618414f79

SHA256
96670b8fe04a77d68314ffeb838fc3489425319e24ab77d970a93dfd362ce3d4

SHA512
a9390d177ddeb47a498fd7d641828d336d64228a15db926200d9b566cb2337c71c8c99f3676b16172c682b1a489befbd19d039c5104f41a91c93731a696ccfb1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
6c389e9a771149a3eac2abd238c1830a

SHA1
f191779f0c63c29425b74d79767bce0b4ce46b36

SHA256
c376c4558fdaac54e2bee69768900095cc5d607539053efbf54cc9d0d5ac3bce

SHA512
03705018b6b8d5b4c40941d0cbdcb9f15d353fac7f67009ebd911b0cf4ed3b74480620dfab2a1435c9c792a94940ce9088a0248daca1f07859acd2f91964632b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
f4f4f3a79eaf4fd4bceff89829af8c50

SHA1
97a7482085a59f7db998e42fc3715a580ea99110

SHA256
b5f0aa55007e6b2c727e5a22f120c04cde496f0e27fbfda12e9ba0ab652f5207

SHA512
f5038f30e1b3e3ed6af2646ae83a2f72cd7a1230e349eafd504cdfe8c3887833538fab8e4446a233b51bb5cf0bb1226b07082c89da98acbd07e34b8e41f639ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
2377f9870094bca3f435a0c15cf0d738

SHA1
d60db1a734bd4570821ee4bc3bf8781de5c4a1b5

SHA256
1e671b91088d1963dd5476aa6f2026ab356a9c7773f2f08cfcc22d76ce09d7c2

SHA512
de0175b89bd567d499b719b94e9cd22abec151ecbf35694dcf835ed5a3286e8b7cd5a8dd859828589c227e8ac7ec0d69eb3a0b82eae56a5c60b3556fe5e2b1be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
255KB

MD5
8d32a2b42f760e9210087066ea994dd2

SHA1
d9e94681cf447a58423531fc9230eefcb892493a

SHA256
16f902ba6b31dd7805e61a6c2074e6bc2ceb4b73887856f59462e8fe3f0b78bb

SHA512
7fb8437ed096abd23bbd299f6e869df5aa79ee4719df7f961124db3edb1b623e83bc984efae863790775caacee299c7b6ba86b12bd822aa59bcc999ac07c6dd5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
255KB

MD5
a961489fa2d6822fa46e6a33ac0bc44d

SHA1
e92bb6bbcffd8fdb746c11f0cc7c1bca74658b5d

SHA256
cfa7a48a2bcdbd43249791c32388207e23c3db8b8edc40dec810b04854138dfa

SHA512
1fa3ef603e4af4d98a23a33b405d7faf41fe8cda92eef8c724a1003b0d2f58919148a3b8885dd6772015b84a90560b1452657aad1cdb83624e6fda07f7efa4f8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
255KB

MD5
70bd3813e1d74c35be40f3fef1044b0a

SHA1
7bd9b8e554bf8401ee024ad4ddc5916c0a683cbf

SHA256
dd067f4b43828087b27c7f980e8c4ee2059347d063d0ca7d0200fc98bc9604b0

SHA512
935d495a94014f45f91f1ed15d88b935251f896b4ebafb31db91e8135046183b9a7e1b2e57b3cb20d1b402e9e38dee2895ab448d17744ad725ac838492f26bea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
101KB

MD5
62ee46ae1cfc598a29991d99b96f1b5b

SHA1
c2e4c471424668a530c2edf13954ff8837ac3bf0

SHA256
ecef336612df7ccaeff84e6fc5ae526669b3e2f0a644d4b175d5517902c4600b

SHA512
da2183ea4b9aeee8e06c7e08d29afbd094108324474d45339a9dc26724ad2869d91d86467fbd385f5f5819348a48d7eb0211046007304cbd7a5d3bb3af63321a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
94KB

MD5
71ba6fd4624687cdc79bf51c35e0cc29

SHA1
9d30bc5e40d72dfe2549da67b3bf8bcc371066f2

SHA256
78c73c8e1b57f0842e29a06117be9757f252d35b012d1b70d7fb93f2a67c602f

SHA512
5a026cce320e409d5152eed0fd017b1ed5365adc09e6209952d25dfcfe382e2c9ef0576b3bc65f1cd6fea7e331d4ffa7e6653745c12902cb5ad30331fca9e20f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
102KB

MD5
2b4b835c6abaab9c6fef9135d436eb30

SHA1
513263fd5a96726c6bdb287317ac9cb61afc06df

SHA256
1c6f6ac41abc57127c9f3064df03b1590f1e92644429dcb3f0538042397e523f

SHA512
1ef5cc03141ccaffb21fc45f219330ac7906c4e7251b33cc85632dcb000d5064fe691b3fefb916372dd7f4808c2bab54c0b697851418349fb001c6c22efaa218

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57d1a8.TMP

Filesize
88KB

MD5
9ffc3fa1578c4d7baee31417be49f322

SHA1
22f56276b0526364625e02a14d2d86db4cd6d234

SHA256
417b5f8726f99230ecc0b5acb9c88112f9fea81ad46e2086e5f4567d21a0f896

SHA512
7a1d1250fde03a6f240a63e20edac8955521e7d25d25685deaa02f0e7a8815a951660563f5201122927182e6a3abf649b725eccdc88f3d11568a9aa68c001c64

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]

Filesize
933B

MD5
f97d2e6f8d820dbd3b66f21137de4f09

SHA1
596799b75b5d60aa9cd45646f68e9c0bd06df252

SHA256
0e5ece918132a2b1a190906e74becb8e4ced36eec9f9d1c70f5da72ac4c6b92a

SHA512
efda21d83464a6a32fdeef93152ffd32a648130754fdd3635f7ff61cc1664f7fc050900f0f871b0ddd3a3846222bf62ab5df8eed42610a76be66fff5f7b4c4c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]

Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\TaskData\Tor\tor.exe

Filesize
3.0MB

MD5
fe7eb54691ad6e6af77f8a9a0b6de26d

SHA1
53912d33bec3375153b7e4e68b78d66dab62671a

SHA256
e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb

SHA512
8ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_finnish.wnry

Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslD5EF.tmp\LangDLL.dll

Filesize
8KB

MD5
59888d7d17f0100e5cffe2aca0b3dfaf

SHA1
8563187a53d22f33b90260819624943204924fdc

SHA256
f9075791123be825d521525377f340b0f811e55dcec00d0e8d0347f14733f8a3

SHA512
d4ca43a00c689fa3204ce859fdd56cf47f92c10ba5cfa93bb987908a072364685b757c85febc11f8b3f869f413b07c6fcc8c3a3c81c9b5de3fba30d35495ff23

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslD5EF.tmp\System.dll

Filesize
25KB

MD5
480304643eee06e32bfc0ff7e922c5b2

SHA1
383c23b3aba0450416b9fe60e77663ee96bb8359

SHA256
f2bb03ddaeb75b17a006bc7fc652730d09a88d62861c2681a14ab2a21ef597ce

SHA512
125c8d2ccbfd5e123ce680b689ac7a2452f2d14c5bfbb48385d64e24b28b6de97b53916c383945f2ff8d4528fef115fbb0b45a43ffa4579199e16d1004cf1642

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslD5EF.tmp\nsDialogs.dll

Filesize
14KB

MD5
990eb444cf524aa6e436295d5fc1d671

SHA1
ae599a54c0d3d57a2f8443ad7fc14a28fe26cac3

SHA256
46b59010064c703fbaf22b0dbafadb5bd82ab5399f8b4badcc9eeda9329dbab8

SHA512
d1e4eb477c90803ddf07d75f5d94c2dacfdcd3e786a74ea7c521401e116abf036d9399e467d2d12bd1a7c1abda2f1d6d15b40c8039fd6ec79ba5fe4119674c27

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DF593A695C7535715C.TMP

Filesize
16KB

MD5
44d78fa2cb425a7062fb70c0e95e3972

SHA1
9f77c2faa82c2e609eef6a09a1def73da00948c2

SHA256
90a164daa05830ef693c879b58a9a91e26dd6d14cf1f4bead15edd2c67026998

SHA512
5810ce3306fc6ac7d724f16b2e82bfffd91279373bae55a7c90cdaa642e5c01c880751680d509474a02c52f09a34a120a54a94ec695affbfd0a708f33212228d

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

Filesize
5.3MB

MD5
0142398a116cbcf879a0bb66ebcc7e6f

SHA1
913136cf7428e97183506eebf95b4af641d601a5

SHA256
2d77a8659ef7ca61e7b9e6fe3107f768aaba3786a8b8224776fe60c838380dd0

SHA512
efa33e3ff162eed417a6e1e51d0241a1ffdc50691f253d842b156e2cdf327de2a425d3b2c956ce0bfe1e9f3f98ac2637d747f03429c8dd15e39aa40be1068f34

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\bookmarkbackups\bookmarks-2024-05-26_14_vhlCqEwKUMFmq7TpJh4FQA==.jsonlz4

Filesize
1KB

MD5
3a21fa3a29163f572df81c5dceac0268

SHA1
437d8cf56d18c5cdef275297107e1dd217faa912

SHA256
3c884021a15abdd015038c6aab57e31e53b779d25f641c439fd3a4494751a3c8

SHA512
eb99957937e3a02ade09dfe7ab7b14808c1a6937b7f7b4e7d74ca4b814551ab8613c7576748156efa15eecd3b091ae0fd9660011750239541fa5006d52047c6c

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\datareporting\glean\db\data.safe.tmp

Filesize
182B

MD5
63b1bb87284efe954e1c3ae390e7ee44

SHA1
75b297779e1e2a8009276dd8df4507eb57e4e179

SHA256
b017ee25a7f5c09eb4bf359ca721d67e6e9d9f95f8ce6f741d47f33bde6ef73a

SHA512
f7768cbd7dd80408bd270e5a0dc47df588850203546bbc405adb0b096d00d45010d0fb64d8a6c050c83d81bd313094036f3d3af2916f1328f3899d76fad04895

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\datareporting\glean\db\data.safe.tmp

Filesize
182B

MD5
1c3c58f7838dde7f753614d170f110fc

SHA1
c17e5a486cecaddd6ced7217d298306850a87f48

SHA256
81c14432135b2a50dc505904e87781864ca561efef9e94baeca3704d04e6db3d

SHA512
9f6e9bcb0bba9e2ce3d7dabe03b061e3fda3f6d7b0249ecf4dbc145dc78844386d047ee2ac95656a025ef808cd0fc451204dc98a1981cf2729091761661a3b49

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\datareporting\glean\db\data.safe.tmp

Filesize
182B

MD5
c58234a092f9d899f0a623e28a4ab9db

SHA1
7398261b70453661c8b84df12e2bde7cbc07474b

SHA256
eaec709a98b57cd9c054a205f9bfa76c7424db2845c077822804f31e16ac134c

SHA512
ae2724fc45a8d9d26e43d86bcc7e20f398d8ab4e251e89550087ace1311c4d2571392f2f0bed78da211fcb28766779c1853b80742faa69f722b2c44c283569fd

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\datareporting\glean\db\data.safe.tmp

Filesize
182B

MD5
b1c8aa9861b461806c9e738511edd6ae

SHA1
fe13c1bbc7e323845cbe6a1bb89259cbd05595f8

SHA256
7cea48e7add3340b36f47ba4ea2ded8d6cb0423ffc2a64b44d7e86e0507d6b70

SHA512
841a0f8c98dd04dc9a4be2f05c34ecd511388c76d08ca0f415bfb6056166d9a521b8bc2c46b74697f3ecdac5141d1fe6af76dd0689350caca14e9f849ee75a8b

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\datareporting\glean\db\data.safe.tmp

Filesize
182B

MD5
7d3d11283370585b060d50a12715851a

SHA1
3a05d9b7daa2d377d95e7a5f3e8e7a8f705938e3

SHA256
86bff840e1bec67b7c91f97f4d37e3a638c5fdc7b56aae210b01745f292347b9

SHA512
a185a956e7105ad5a903d5d0e780df9421cf7b84ef1f83f7e9f3ab81bf683b440f23e55df4bbd52d60e89af467b5fc949bf1faa7810c523b98c7c2361fde010e

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\extensions.json

Filesize
27KB

MD5
e24aafbe20a862f1d9a369c3275bb404

SHA1
5f2576c2c20b3433e207d8743852e1a7797530e1

SHA256
24d88d63b87caf974cb2d4ae63b26eb92f1ed5e29741d15719d5e3b322f1daa6

SHA512
e73d3543df43123fd028cd7f8ed3471e994a4df7b604d961f7816f75d40970c04a0308e2d2b9532161f90408620d5db4a31acc2ad3e9c04b871a152ecf9c040d

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\favicons.sqlite

Filesize
5.0MB

MD5
e624504b9ca682dd43b1a5d4832ff9ae

SHA1
68082a688fd3ace331e5e197683df4b01944d4e8

SHA256
1a0b1be0a5ff4dc8009f5514edc80b34f42d7aee07d7371d8014a046c5363fc5

SHA512
d1e5a7f8a68b3976c407c4f42950dc08e4155a08e26d7aabca9036734425c88c52031e04563669e9d7444ef201ba489d4eac299eedcf0f9e2a6e7f69861ea186

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\favicons.sqlite-wal

Filesize
1.3MB

MD5
da6e772b0e6cb3eb6db15a3cba9c4f3c

SHA1
e3130cabfa154625efbd4994a84fa0cc0b89277b

SHA256
606af937076a663fbda697ce5d4efa5cdeacf34dfa042a3f6af64c1f984060a6

SHA512
f34ec8a64b0fe4de15645f8251e91e1dec7163d2267bbe6be0e92dc8758d5b1d85afb8f7ae81b7833cb5df5e408ae296cab3529f1c936bcadefb53c990376386

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\places.sqlite-wal

Filesize
2.1MB

MD5
030ba76b23b8ad9470c3ae9a11c3665e

SHA1
35d423f0459f4d97e09ae16066419194727b21b5

SHA256
b4ea8a169e013390c5cce220fe2f7faa56128f230bd2027a6c501daa5005e203

SHA512
20fcec6fe1c3de41d711800b592fe27760fe3f448a5ee2b7f362f8d45e47b29b0a6d16d42b6afc5f09cb2fe1d3de639ada06f4fb14e870ab66a65652fbf7f877

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\prefs-1.js

Filesize
5KB

MD5
83abcb6e5128c5648b6f407c51b99570

SHA1
7fbb2e1137d8ffd2cc63e813a0ffcf6631c4c5f7

SHA256
ff0eb408b6979b76da287d8253ab24985c047f8d59ce24a020f96860e23f3b7a

SHA512
d232f7530bec0b3560aa900c6b986eff5dec5c0732d8f3387df4a4c1ec775b748277be585071f428407b6aca262dade59cae9b9bfbaf53a75643b4aeb58ec7af

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\prefs-1.js

Filesize
5KB

MD5
7c1ce43e3a8ff0d95fe878e30c1e0048

SHA1
7efddb9cec8e8c62aa9689a1df3e3bc01bb13864

SHA256
fca92fbe68f4e40b8d764ef4054d8012f06bd212c1a7f3c914c1540daeabe268

SHA512
e28c4a5e193b189743255902c893488feaf4dfd312e82ca4c848e63f44de4983aabaa2045967e83eb83227706f8d2b148390f5d69546b1fc2445ae1fd7d73ada

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\prefs-1.js

Filesize
5KB

MD5
18dcd1e5cfa548998dfd62272a67e6c2

SHA1
0cf103c3ddd1323f2e6d9213e16d6c4ef2986210

SHA256
1dcabd4be6496b3c1abf9574ff4fd7d9f47bed1c062cf79d29e9956dc2bc18bb

SHA512
978f51e3e60a08721aa978b407e2fc045bbc0cbe3ee05b4d4770c2fd4f8598f1aa495023dda39e01a1c95e6407ba4d5cee289e3ea400ce398a190a682244422a

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\prefs-1.js

Filesize
5KB

MD5
f146b0474385605bc8af7936c68ae169

SHA1
35137637c6ca6a6690fe0f8fef344e9b19cc17d8

SHA256
008682795d130134ada70e04670e43843d68c3b6a33722349467d1a49e451560

SHA512
48e73cc6e656c73a9bb40a3671885afcf110e4d781220ad65f260c225eaee2da3b69f6c24c1886838e3a7833e53cf456f13c91adbaec81f87bdcb12586cf4419

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\prefs.js

Filesize
2KB

MD5
c068c7d05f8cea892b300e781339430f

SHA1
84467ae638d07103a8cecff47229d7546ff1f52e

SHA256
e2984eb573d3cd412a22a21fed572369a8f220297e27981d085956e2083db636

SHA512
198ac5e400453e87d5b007997da73e224e850d4f3b946e317f0e7d92694ec566b40c1a9b9555908326cbe576aa4af89ccef75fa2f50cc671eb32ecf30ca8ffc9

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\prefs.js

Filesize
1KB

MD5
ea22c709bcbfd1278af64f5cc69028ad

SHA1
a670a7552f9fce3d1090ff1ddeed88c622b0fa8b

SHA256
cf523ef34f7ee789e9bec14a4d641c91e2116511a6331958b185f2159793612f

SHA512
4e885cd03c051f0b317a5ecc5f6fc47a27e6ccb0625fdc3b6c6c45adc47890284da10b11aa1b06820ed6493d51afe38e796d3caee19a5217ced6819640008b35

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profile.default\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
160KB

MD5
06e73f204d4e6eb92d878ce341620a5a

SHA1
63d200d5ecef8ee2c0ca39a290bdb40fec63545d

SHA256
a8d3f74638a4976451cdb13ed4372007c9b07ceb17cdb4b4f41150335ddd879e

SHA512
cb199b8a875bdee47af56f1e61defdb8cb495cfda1d0d3a334535ad3f8c7a0a2e84077f333628bc17a5dfe6a41f43640f156db10e990022e6bd3a316bf941960

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Browser\profiles.ini

Filesize
103B

MD5
5b0cb2afa381416690d2b48a5534fe41

SHA1
5c7d290a828ca789ea3cf496e563324133d95e06

SHA256
11dedeb495c4c00ad4ef2ecacbd58918d1c7910f572bbbc87397788bafca265c

SHA512
0e8aafd992d53b2318765052bf3fbd5f21355ae0cbda0d82558ecbb6304136f379bb869c2f9a863496c5d0c11703dbd24041af86131d32af71f276df7c5a740e

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\cached-microdesc-consensus.tmp

Filesize
2.4MB

MD5
955eba1bd08f7689d15c64ae417812e4

SHA1
8e3ea7291df640a4494cbf538e6ea01bed810bf6

SHA256
1dd35ec40f250496aa3ccefec15dc20649fdad58d6aa9eada24880633e3713e7

SHA512
42c4db8aaf8189edbbefcfca66979797215183aabe247399508384c2e02f03a679cc14ab499f3836a223e35bcfdae3806a1ebed4ffeb2775ec77d2f961bd4759

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\TorBrowser\Data\Tor\cached-microdescs.new

Filesize
9.2MB

MD5
23fa300ed748620275367276df281898

SHA1
62c08e558848af0f6c9876f58a2d04bca90e9f85

SHA256
2a37e0b96e471cbdad3c815b43344daed2061a9dd87d56cecb58dd01abca18d3

SHA512
75c37465fd6744e4c33386def76dc4e37ade5a80dedd735b39519065da85fa5b09c6a0a83ff63e52e892a507b458a885f7e3757bff2ee5ce97b687aee1e1aa95

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\browser\omni.ja

Filesize
24.9MB

MD5
0b3feaadc595d2b6588a71f17c6dcbbc

SHA1
3209da1b046534efe22c9b3da86e2cf4adf5d3ae

SHA256
4b4d1a732676a3775f133ef969b1b73c25a66603928ec542d81c144290a472c9

SHA512
55e873a9a824b95a594b7ae1dd106e94118adbb973be272d6b683a6530aaf4b9715a82b9404d1c8c4a9e950fc57a129f8205f2ea3f90d2b4b448f49211c6927f

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\defaults\pref\channel-prefs.js

Filesize
429B

MD5
3d84d108d421f30fb3c5ef2536d2a3eb

SHA1
0f3b02737462227a9b9e471f075357c9112f0a68

SHA256
7d9d37eff1dc4e59a6437026602f1953ef58ee46ff3d81dbb8e13b0fd0bec86b

SHA512
76cb3d59b08b0e546034cbb4fb11d8cfbb80703430dfe6c9147612182ba01910901330db7f0f304a90474724f32fd7b9d102c351218f7a291d28b3a80b7ac1e5

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\dependentlibs.list

Filesize
42B

MD5
70b1d09d91bc834e84a48a259f7c1ee9

SHA1
592ddaec59f760c0afe677ad3001f4b1a85bb3c0

SHA256
2b157d7ff7505d10cb5c3a7de9ba14a6832d1f5bfdbfe4fff981b5db394db6ce

SHA512
b37be03d875aa75df5a525f068ed6cf43970d38088d7d28ae100a51e2baa55c2ad5180be0beda2300406db0bdea231dde1d3394ee1c466c0230253edfe6aa6e4

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\distribution\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi

Filesize
930KB

MD5
a3fb2788945937b22e92eeeb30fb4f15

SHA1
8cade36d4d5067cd9a094ab2e4b3c786e3c160aa

SHA256
05b98840b05ef2acbac333543e4b7c3d40fee2ce5fb4e29260b05e2ff6fe24cd

SHA512
4897aefe3a0efffaa3d92842b42fe223f0b9882031a65bea683f4554d1fec92b8a66ea15c67e9b95c7fc12991cde3245010ccfb91768ba233711ced3412c13bc

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\firefox.exe

Filesize
1.7MB

MD5
1415ff2562e8a4c595e99ff713a1ba38

SHA1
0286f612a5572ec221e456ec145149078930c76a

SHA256
18324f12f6e5858900e764340a24cf1f86b78041db68f3da062b9bca8ce6c7a8

SHA512
4dc261ba9bb6476eedf0c050bbfc20f5a46d080dbe35665b0d9230608b0c08115e6d251de741e87d83cf4ab4304d59e3f2328af71196443f3b967d4492d8dc64

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\fonts\000_README.txt

Filesize
297B

MD5
793eae5fb25086c0e169081b6034a053

SHA1
3c7cc102c8fcaf3dcbe48c3f8b17ec0f45dcc475

SHA256
14e396a360e5f9c5833dc71131d0b909f7b24c902b74f31a7a3d78d5aa0fa980

SHA512
5e949be232df14bf7bfb679986a16f4a613439f5b5e71271abbfbf74296b43c977510fd6403702139ffd77dd3369e054dbe086e0188fff4f436f3505654e1f70

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\fonts\NotoNaskhArabic-Regular.ttf

Filesize
225KB

MD5
27dfbbe8ee4015763e3c51d73474e94a

SHA1
4328cdc9a3f9c6b7df0624c81afbd3459f213e40

SHA256
b4fe7b745c5b40e5d6294a883afcb8b4264b88d331fd0b4620050441479f391e

SHA512
42cc921fee7bad58ee1fac12eb8153b580b5d9d6ed510d5df4bd4be754ef1b017c987051385d828b70de050340f9629be7b385d0338c9db6e0f9f51543387375

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\fonts\NotoSans-Regular.ttf

Filesize
589KB

MD5
e782457ebb0389715abdf5a9e20b3234

SHA1
e0d9ad78d1972d056d015452ed8dee529e8bb24b

SHA256
0e90d375cdb64f088a6a676eb560b755afa184e523fefbb9c33fdda4d7dd8461

SHA512
3ec030fdaa18f90bd8060466276c9ec49fd9233746e603d61a4f65a9a53e97e7b3382f8f913da17c48ffefc8adcf2be25f7e1c51f16555068b8f344a4e6dd961

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\fonts\NotoSansAdlam-Regular.ttf

Filesize
91KB

MD5
ac01114123630edca1bd86dc859c65e7

SHA1
f7e68b5f5e52814121077d40a845a90214b29d41

SHA256
1b7b86711479fbfd060ed38abe1258246b4be2826760e6827287958218bb3f5c

SHA512
1c9ac878ba12f3de207aa9a7eb8c0239f769f9ae7475fec998e998192aa6900fe146039ac982612c6c0b7e5363355f2803d8f62e4787c0908c883ac3796e2a9b

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\fonts\NotoSansBalinese-Regular.ttf

Filesize
128KB

MD5
12764d72c2cee67144991a62e8e0d1c5

SHA1
f61be58fea99ad23ef720fbc189673a6e3fd6a64

SHA256
194e110cb1e3f1938def209e152a8007fe5a8b0db5b7ce46a2de6e346667e43d

SHA512
fb670a7dbb57465d6384cd5c3a35356e94bf54ac4cb7578e67c8729ff982943b99c95b57f6059443e3e8b56d8c8d2cfc6e81ae3a1cf07306f91c3a96e4883906

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\fonts\NotoSansBamum-Regular.ttf

Filesize
224KB

MD5
f0b22427c3ddce97435c84ce50239878

SHA1
a4a61de819c79dc743df4c5b152382f7e2e7168d

SHA256
0282610e6923d06a4d120cff3824e829b4535a8c4c57c07e11dbe73475541084

SHA512
ff2b22e58597d0ba19562c36f03cf83b5f327eee27f979c9ff84fe35a21b1fc9234f21fdb35fb95f933c79b9cf7760328d29b31480153da59a6576cf5f7f544e

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\fonts\NotoSansBassaVah-Regular.ttf

Filesize
7KB

MD5
778376d22591a4a98bf83ac555ddf413

SHA1
608172ca18450b4cc61ff6cc155f66cff55c5bf9

SHA256
8218239377452e05634a91ee8a4338daf0aa96a15673a437533a098eb9c06f53

SHA512
e895a03374a3d3da04554cd048191722652ed4f1f7cc91639354843138ce26aea6c7f2da0ecda47eb76bcdd61a0315cc2e35e080a5953c24d82f4e94ce4aa260

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\fonts\NotoSansBatak-Regular.ttf

Filesize
21KB

MD5
9390ee64243e5335b79e33e5e8311341

SHA1
c8d4b3ab79f6b12311eb4e4da29e709e583b5870

SHA256
cff9f0e51e7f1d95934cac31d9ad43ba453ee308c7b46a27803dc7e2e6c3adef

SHA512
ad7b23dab247c5c71298c5023bc58bd1d00160145558d86ab75dd37de1f1017540bac544cd9bf1cb2802d19d2973c0cf189d05a980777de886ffb552ae923bc0

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\fonts\NotoSansBengali-Regular.ttf

Filesize
198KB

MD5
7b5138efef2c02dda9cfae9917cd913f

SHA1
b44b58f354c4a68e119df226f01ad763b2d1025c

SHA256
9f8b4dd091f19b111d24ea18daae81bea8684cc67de17ea1acd797e144bf20ba

SHA512
47e4cfd2218c91080fc4ccc3ac13dabe9efb7c96b981d53577177fb062973b9fad0052edcf2b0c663ff3b7a1d9e38e96586c93cb72618d64344b96e3df13204c

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\fonts\NotoSansBuginese-Regular.ttf

Filesize
7KB

MD5
bd4c30081a164037311e8712423c5bf2

SHA1
2a13bc7987ca34644b075c1fe197ba293b4ca527

SHA256
bc19f17d7f6e8f280c2cc95ef6d1b67fac25becfe98722f482039a4d84f3c9ba

SHA512
2a20d113b73cbca311d08dba40dcb7f8ab9d5383f7590b61b785070f77204db9ab163557a420c6c96ede815643f82ffdf75bc59b5802284779ff237616734c66

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\freebl3.dll

Filesize
690KB

MD5
d95b080522c46eb65e8d5649f63b4dcb

SHA1
66a1d20c6a9d67c39dd27ab0653cb2c875e4a000

SHA256
bd7ba810019884ef8002302d8f3e6bc8476dfddbca6c6caf58bfe35dc1516d00

SHA512
720edeba3de59a0e6def728f6f097540032d426a45d2ed1b045f072d916e2f3b3e9b88e8c825959c1cbe52eb7e621ed1e635f3be5ce1bcaf67ccfba3823b837a

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\lgpllibs.dll

Filesize
43KB

MD5
60060fca03446a8d9927fb3e254d4827

SHA1
7939740fa99d45e9dfc8d974b2eb6b26ed6eaf87

SHA256
677c9992fbd068364a123f23c22fc8b023d8446b0c33fbbd09b88b722339f179

SHA512
aed767f0b4dd0ed8d5f7ef393c37f2512e3a29e0038d768f01b89c52bad85ef29d0a55bd3ab344f853f2a4e6c44d442e193c181d07dfcd38849b2c81c978670d

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\mozglue.dll

Filesize
1.4MB

MD5
5382e3987a1347af3bc4705f8c1d1487

SHA1
b909e402b53db1cd0adddd80eff9c7dde7a0baea

SHA256
7b1f3e637d1a219cf2e8e56a7cb940aeafb442308d8d35aab0fd3d5013346be6

SHA512
a3621b656cd9cde98c6bac04a94f564397d05eb62fc52c0b5879cc6d3e9756b3e2234e895f833e3b26e7a03faf1c85ace654c388aa46766929c5dee22d793745

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\nss3.dll

Filesize
2.5MB

MD5
ea8e6a9acebc39f558acd1bd82dbdde1

SHA1
17131f0a927ea1f857570b1b541a524d43b53fb7

SHA256
37b630d828d3d886ea06f841b83ba37b59b4ed4991e28debe5ecd1d765ff04b8

SHA512
a02b2f9850ba19093b9d8c291b0b5253f23c73c7e34fb5649f7effc8cc809d025581af64af28d5b8fd5337ea526146f274ffa25ee3eb7a055d69110752d2a9af

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\nssckbi.dll

Filesize
472KB

MD5
21d0d59316ebc2b15938ca84db562300

SHA1
144f12431f9804bf94103d0334b733865547b829

SHA256
aa9d1b7421d8f8925e324258ed832983cd9a81d3f11ae301b7c80b1cfd9a27a1

SHA512
ee5844abf71140e6bdb4826336b83fe144121c655e47daac3d5ab06312188f14ecbbefe8643ec0dfbc7071eb136d35811c0caefde0077e8707a2d15ec3f0db03

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\omni.ja

Filesize
17.7MB

MD5
19ecacaaea9cd1fa41ece74bf5eef8b4

SHA1
8813c248e348f1578a6286dfb6a07a4666e4af3d

SHA256
3ed1d3a73a91eb9ff0dd990ec4a2ab3e4ea54d7738dc193e3ad51ae6a9b5c1be

SHA512
7cdf9bb8a065792b281f5d9768f98b5326b10609dcd42f85bf06a80dc83bf9390aaac3492a66dbe60e2473b6598aa266e48409bc1b5ac87329f2d7bad510142e

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Browser\softokn3.dll

Filesize
288KB

MD5
c68998293eeb01f29158103e8c568dbe

SHA1
87afc20671346abb8c8151f3e7edff4d7c92b5b5

SHA256
d063690acd9d5567b497e7b1aad89e3675990c42fbf0c9e82286157bd7471c3c

SHA512
552bdb07c01d2008f892b2c4d9d612bcdd89394a34473e4433279fcf9cf4d1400ccc22e56db2b532c3391e4c1cc180d2a27e54173f6aba93a5f7324d693946c8

Download Submit
C:\Users\Admin\Desktop\Tor Browser\Start Tor Browser.lnk

Filesize
829B

MD5
a911b60c39e85b6aa337de0b86995d1c

SHA1
efbc9fa654b00827085efa1c76df69b5ce2d6a2c

SHA256
6c71868b0376429b7049ceed667801af29f93e35efcbf868443fa4738e0cc47c

SHA512
4c57afd9104e896924220f76cc4494bc44df606c6cd7b7e640ed7b529145decb40c1ebe60dac53f11f898a6865df43510b2df5595c63fdea0e47b82ecfc8203c

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry.zip.crdownload

Filesize
3.3MB

MD5
efe76bf09daba2c594d2bc173d9b5cf0

SHA1
ba5de52939cb809eae10fdbb7fac47095a9599a7

SHA256
707a9f323556179571bc832e34fa592066b1d5f2cac4a7426fe163597e3e618a

SHA512
4a1df71925cf2eb49c38f07c6a95bea17752b025f0114c6fd81bc0841c1d1f2965b5dda1469e454b9e8207c2e0dfd3df0959e57166620ccff86eeeb5cf855029

Download Submit
C:\Users\Default\Desktop\@[email protected]

Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
\??\pipe\crashpad_1920_FLKROTWVPORCLKSN

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/576-649-0x00007FFF218A0000-0x00007FFF218A1000-memory.dmp

Filesize
4KB

Download
memory/576-887-0x000001D33C440000-0x000001D33C4ED000-memory.dmp

Filesize
692KB

Download
memory/576-886-0x000001D33C310000-0x000001D33C340000-memory.dmp

Filesize
192KB

Download
memory/576-650-0x00007FFF20E90000-0x00007FFF20E91000-memory.dmp

Filesize
4KB

Download
memory/1240-919-0x000001EFB0700000-0x000001EFB07AD000-memory.dmp

Filesize
692KB

Download
memory/1240-918-0x000001EFB02A0000-0x000001EFB02D0000-memory.dmp

Filesize
192KB

Download
memory/1836-779-0x000001D97A290000-0x000001D97A2A0000-memory.dmp

Filesize
64KB

Download
memory/1836-692-0x000001D975380000-0x000001D975390000-memory.dmp

Filesize
64KB

Download
memory/4500-538-0x0000000140000000-0x0000000140070000-memory.dmp

Filesize
448KB

Download
memory/4500-325-0x0000000140000000-0x0000000140070000-memory.dmp

Filesize
448KB

Download
memory/4500-326-0x00007FFF133A0000-0x00007FFF133AF000-memory.dmp

Filesize
60KB

Download
memory/4500-491-0x0000000140000000-0x0000000140070000-memory.dmp

Filesize
448KB

Download
memory/4500-493-0x00007FFF11410000-0x00007FFF1141D000-memory.dmp

Filesize
52KB

Download
memory/5208-920-0x000001C6D4F70000-0x000001C6D4FA0000-memory.dmp

Filesize
192KB

Download
memory/5208-921-0x000001C6D4FA0000-0x000001C6D504D000-memory.dmp

Filesize
692KB

Download
memory/6080-929-0x0000029A92EB0000-0x0000029A92F5D000-memory.dmp

Filesize
692KB

Download
memory/6080-928-0x0000029A92E20000-0x0000029A92E50000-memory.dmp

Filesize
192KB

Download
memory/6112-930-0x0000020A1BED0000-0x0000020A1BF00000-memory.dmp

Filesize
192KB

Download
memory/6112-931-0x0000020A1C300000-0x0000020A1C3AD000-memory.dmp

Filesize
692KB

Download
memory/6140-932-0x0000024F799B0000-0x0000024F799E0000-memory.dmp

Filesize
192KB

Download
memory/6140-933-0x0000024F79F00000-0x0000024F79FAD000-memory.dmp

Filesize
692KB

Download