wannacry | hxxps://www[.]youtube[.]com/

Analysis

max time kernel
560s
max time network
561s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
18-06-2024 15:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.youtube.com/

Score

10^/10

wannacry defense_evasion discovery execution impact persistence ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94 Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Drops startup file 2 IoCs

Processes:

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDECD1.tmp	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDECE7.tmp	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

Executes dropped EXE 16 IoCs

Processes:

taskdl.exe@[email protected]@[email protected]taskhsvc.exetaskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskse.exetaskdl.exe@[email protected]taskse.exe@[email protected]taskdl.exe

pid	process
4004	taskdl.exe
4672	@[email protected]
4556	@[email protected]
2624	taskhsvc.exe
4924	taskdl.exe
372	taskse.exe
512	@[email protected]
4640	taskdl.exe
5080	taskse.exe
4864	@[email protected]
2144	taskse.exe
2560	taskdl.exe
3044	@[email protected]
3788	taskse.exe
396	@[email protected]
612	taskdl.exe

Loads dropped DLL 7 IoCs

Processes:

taskhsvc.exe

pid process

2624 taskhsvc.exe
2624 taskhsvc.exe
2624 taskhsvc.exe
2624 taskhsvc.exe
2624 taskhsvc.exe
2624 taskhsvc.exe
2624 taskhsvc.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

4596 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2624	taskhsvc.exe
2624	taskhsvc.exe
2624	taskhsvc.exe
2624	taskhsvc.exe
2624	taskhsvc.exe
2624	taskhsvc.exe
2624	taskhsvc.exe

pid	process
4596	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\guaqpnihl896 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Temp1_Ransomware.WannaCry.zip\\tasksche.exe\""	reg.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

190 raw.githubusercontent.com
191 raw.githubusercontent.com

flow	ioc
190	raw.githubusercontent.com
191	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe@[email protected]

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]

Drops file in Windows directory 4 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exechrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Interacts with shadow copies 3 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Direct Volume Access
T1006

Processes:

vssadmin.exe

pid process

424 vssadmin.exe

pid	process
424	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

MicrosoftEdgeCP.exebrowser_broker.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe

Modifies data under HKEY_USERS 3 IoCs

Processes:

chrome.exechrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133631971746858778"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 64 IoCs

Processes:

MicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdge.exeMicrosoftEdgeCP.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\History	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\IsSignedIn = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-Revision = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 0ff65b6b92c1da01	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 58cd736b92c1da01	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy\InProgressFlags = "262144"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy\InProgressFlags = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VendorId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingDelete	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingDelete\C:\Users\Admin\AppData\Local\Pack = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{AEBA21FA-782A-4A90-978D-B7216 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\DynamicCodePolicy = 00000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Extensible Cache	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DeviceId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\SubSysId = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Explorer	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{29B109BF-CD74-4D10-A8F4-222180E5E28B} = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VendorId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Content	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Revision = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\EnablementState = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\AdapterInfo = "vendorId=\"0x1414\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\""	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy\ClearBrowsingHistoryOnStart = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DXFeatureLevel = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\""	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IETld\LowMic	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DeviceId = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 7b32386b92c1da01	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionHigh = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active	MicrosoftEdge.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

4380 reg.exe

pid	process
4380	reg.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

chrome.exechrome.exetaskhsvc.exechrome.exe

pid	process
3816	chrome.exe
3816	chrome.exe
1332	chrome.exe
1332	chrome.exe
2624	taskhsvc.exe
2624	taskhsvc.exe
2624	taskhsvc.exe
2624	taskhsvc.exe
2624	taskhsvc.exe
2624	taskhsvc.exe
96	chrome.exe
96	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

@[email protected]

pid process

512 @[email protected]
Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

MicrosoftEdgeCP.exe

pid process

748 MicrosoftEdgeCP.exe
748 MicrosoftEdgeCP.exe
748 MicrosoftEdgeCP.exe
748 MicrosoftEdgeCP.exe

pid	process
512	@[email protected]

pid	process
748	MicrosoftEdgeCP.exe
748	MicrosoftEdgeCP.exe
748	MicrosoftEdgeCP.exe
748	MicrosoftEdgeCP.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

Processes:

chrome.exechrome.exe

pid	process
3816	chrome.exe
3816	chrome.exe
3816	chrome.exe
3816	chrome.exe
1332	chrome.exe
1332	chrome.exe
1332	chrome.exe
1332	chrome.exe
1332	chrome.exe
1332	chrome.exe
1332	chrome.exe
1332	chrome.exe
1332	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exeAUDIODG.EXEsvchost.exeMicrosoftEdgeCP.exeMicrosoftEdge.exechrome.exe

description	pid	process
Token: SeShutdownPrivilege	3816	chrome.exe
Token: SeCreatePagefilePrivilege	3816	chrome.exe
Token: SeShutdownPrivilege	3816	chrome.exe
Token: SeCreatePagefilePrivilege	3816	chrome.exe
Token: 33	4076	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4076	AUDIODG.EXE
Token: SeShutdownPrivilege	3816	chrome.exe
Token: SeCreatePagefilePrivilege	3816	chrome.exe
Token: SeShutdownPrivilege	3816	chrome.exe
Token: SeCreatePagefilePrivilege	3816	chrome.exe
Token: SeShutdownPrivilege	3816	chrome.exe
Token: SeCreatePagefilePrivilege	3816	chrome.exe
Token: SeShutdownPrivilege	3816	chrome.exe
Token: SeCreatePagefilePrivilege	3816	chrome.exe
Token: SeShutdownPrivilege	3816	chrome.exe
Token: SeCreatePagefilePrivilege	3816	chrome.exe
Token: SeShutdownPrivilege	3816	chrome.exe
Token: SeCreatePagefilePrivilege	3816	chrome.exe
Token: SeShutdownPrivilege	3816	chrome.exe
Token: SeCreatePagefilePrivilege	3816	chrome.exe
Token: SeShutdownPrivilege	3816	chrome.exe
Token: SeCreatePagefilePrivilege	3816	chrome.exe
Token: SeShutdownPrivilege	3816	chrome.exe
Token: SeCreatePagefilePrivilege	3816	chrome.exe
Token: SeShutdownPrivilege	3816	chrome.exe
Token: SeCreatePagefilePrivilege	3816	chrome.exe
Token: SeShutdownPrivilege	3816	chrome.exe
Token: SeCreatePagefilePrivilege	3816	chrome.exe
Token: SeShutdownPrivilege	3816	chrome.exe
Token: SeCreatePagefilePrivilege	3816	chrome.exe
Token: SeTcbPrivilege	4148	svchost.exe
Token: SeRestorePrivilege	4148	svchost.exe
Token: SeDebugPrivilege	4568	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4568	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4568	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4568	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	3636	MicrosoftEdge.exe
Token: SeDebugPrivilege	3636	MicrosoftEdge.exe
Token: SeShutdownPrivilege	1332	chrome.exe
Token: SeCreatePagefilePrivilege	1332	chrome.exe
Token: SeShutdownPrivilege	1332	chrome.exe
Token: SeCreatePagefilePrivilege	1332	chrome.exe
Token: SeShutdownPrivilege	1332	chrome.exe
Token: SeCreatePagefilePrivilege	1332	chrome.exe
Token: SeShutdownPrivilege	1332	chrome.exe
Token: SeCreatePagefilePrivilege	1332	chrome.exe
Token: SeShutdownPrivilege	1332	chrome.exe
Token: SeCreatePagefilePrivilege	1332	chrome.exe
Token: SeShutdownPrivilege	1332	chrome.exe
Token: SeCreatePagefilePrivilege	1332	chrome.exe
Token: SeShutdownPrivilege	1332	chrome.exe
Token: SeCreatePagefilePrivilege	1332	chrome.exe
Token: SeShutdownPrivilege	1332	chrome.exe
Token: SeCreatePagefilePrivilege	1332	chrome.exe
Token: SeShutdownPrivilege	1332	chrome.exe
Token: SeCreatePagefilePrivilege	1332	chrome.exe
Token: SeShutdownPrivilege	1332	chrome.exe
Token: SeCreatePagefilePrivilege	1332	chrome.exe
Token: SeShutdownPrivilege	1332	chrome.exe
Token: SeCreatePagefilePrivilege	1332	chrome.exe
Token: SeShutdownPrivilege	1332	chrome.exe
Token: SeCreatePagefilePrivilege	1332	chrome.exe
Token: SeShutdownPrivilege	1332	chrome.exe
Token: SeCreatePagefilePrivilege	1332	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exehelppane.exechrome.exe

pid	process
3816	chrome.exe
3816	chrome.exe
3816	chrome.exe
3816	chrome.exe
3816	chrome.exe
3816	chrome.exe
3816	chrome.exe
3816	chrome.exe
3816	chrome.exe
3816	chrome.exe
3816	chrome.exe
3816	chrome.exe
3816	chrome.exe
3816	chrome.exe
3816	chrome.exe
3816	chrome.exe
3816	chrome.exe
3816	chrome.exe
3816	chrome.exe
3816	chrome.exe
3816	chrome.exe
3816	chrome.exe
3816	chrome.exe
3816	chrome.exe
3816	chrome.exe
3816	chrome.exe
3816	chrome.exe
4476	helppane.exe
1332	chrome.exe
1332	chrome.exe
1332	chrome.exe
1332	chrome.exe
1332	chrome.exe
1332	chrome.exe
1332	chrome.exe
1332	chrome.exe
1332	chrome.exe
1332	chrome.exe
1332	chrome.exe
1332	chrome.exe
1332	chrome.exe
1332	chrome.exe
1332	chrome.exe
1332	chrome.exe
1332	chrome.exe
1332	chrome.exe
1332	chrome.exe
1332	chrome.exe
1332	chrome.exe
1332	chrome.exe
1332	chrome.exe
1332	chrome.exe
1332	chrome.exe
1332	chrome.exe
1332	chrome.exe
1332	chrome.exe
1332	chrome.exe
1332	chrome.exe
1332	chrome.exe
1332	chrome.exe
1332	chrome.exe
1332	chrome.exe
1332	chrome.exe
1332	chrome.exe

Suspicious use of SendNotifyMessage 48 IoCs

Processes:

chrome.exechrome.exe

pid	process
3816	chrome.exe
3816	chrome.exe
3816	chrome.exe
3816	chrome.exe
3816	chrome.exe
3816	chrome.exe
3816	chrome.exe
3816	chrome.exe
3816	chrome.exe
3816	chrome.exe
3816	chrome.exe
3816	chrome.exe
3816	chrome.exe
3816	chrome.exe
3816	chrome.exe
3816	chrome.exe
3816	chrome.exe
3816	chrome.exe
3816	chrome.exe
3816	chrome.exe
3816	chrome.exe
3816	chrome.exe
3816	chrome.exe
3816	chrome.exe
1332	chrome.exe
1332	chrome.exe
1332	chrome.exe
1332	chrome.exe
1332	chrome.exe
1332	chrome.exe
1332	chrome.exe
1332	chrome.exe
1332	chrome.exe
1332	chrome.exe
1332	chrome.exe
1332	chrome.exe
1332	chrome.exe
1332	chrome.exe
1332	chrome.exe
1332	chrome.exe
1332	chrome.exe
1332	chrome.exe
1332	chrome.exe
1332	chrome.exe
1332	chrome.exe
1332	chrome.exe
1332	chrome.exe
1332	chrome.exe

Suspicious use of SetWindowsHookEx 15 IoCs

Processes:

helppane.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]

pid	process
4476	helppane.exe
4476	helppane.exe
3636	MicrosoftEdge.exe
748	MicrosoftEdgeCP.exe
4568	MicrosoftEdgeCP.exe
748	MicrosoftEdgeCP.exe
4556	@[email protected]
4672	@[email protected]
4556	@[email protected]
4672	@[email protected]
512	@[email protected]
512	@[email protected]
4864	@[email protected]
3044	@[email protected]
396	@[email protected]

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 3816 wrote to memory of 1352	3816	chrome.exe	chrome.exe
PID 3816 wrote to memory of 1352	3816	chrome.exe	chrome.exe
PID 3816 wrote to memory of 5072	3816	chrome.exe	chrome.exe
PID 3816 wrote to memory of 5072	3816	chrome.exe	chrome.exe
PID 3816 wrote to memory of 5072	3816	chrome.exe	chrome.exe
PID 3816 wrote to memory of 5072	3816	chrome.exe	chrome.exe
PID 3816 wrote to memory of 5072	3816	chrome.exe	chrome.exe
PID 3816 wrote to memory of 5072	3816	chrome.exe	chrome.exe
PID 3816 wrote to memory of 5072	3816	chrome.exe	chrome.exe
PID 3816 wrote to memory of 5072	3816	chrome.exe	chrome.exe
PID 3816 wrote to memory of 5072	3816	chrome.exe	chrome.exe
PID 3816 wrote to memory of 5072	3816	chrome.exe	chrome.exe
PID 3816 wrote to memory of 5072	3816	chrome.exe	chrome.exe
PID 3816 wrote to memory of 5072	3816	chrome.exe	chrome.exe
PID 3816 wrote to memory of 5072	3816	chrome.exe	chrome.exe
PID 3816 wrote to memory of 5072	3816	chrome.exe	chrome.exe
PID 3816 wrote to memory of 5072	3816	chrome.exe	chrome.exe
PID 3816 wrote to memory of 5072	3816	chrome.exe	chrome.exe
PID 3816 wrote to memory of 5072	3816	chrome.exe	chrome.exe
PID 3816 wrote to memory of 5072	3816	chrome.exe	chrome.exe
PID 3816 wrote to memory of 5072	3816	chrome.exe	chrome.exe
PID 3816 wrote to memory of 5072	3816	chrome.exe	chrome.exe
PID 3816 wrote to memory of 5072	3816	chrome.exe	chrome.exe
PID 3816 wrote to memory of 5072	3816	chrome.exe	chrome.exe
PID 3816 wrote to memory of 5072	3816	chrome.exe	chrome.exe
PID 3816 wrote to memory of 5072	3816	chrome.exe	chrome.exe
PID 3816 wrote to memory of 5072	3816	chrome.exe	chrome.exe
PID 3816 wrote to memory of 5072	3816	chrome.exe	chrome.exe
PID 3816 wrote to memory of 5072	3816	chrome.exe	chrome.exe
PID 3816 wrote to memory of 5072	3816	chrome.exe	chrome.exe
PID 3816 wrote to memory of 5072	3816	chrome.exe	chrome.exe
PID 3816 wrote to memory of 5072	3816	chrome.exe	chrome.exe
PID 3816 wrote to memory of 5072	3816	chrome.exe	chrome.exe
PID 3816 wrote to memory of 5072	3816	chrome.exe	chrome.exe
PID 3816 wrote to memory of 5072	3816	chrome.exe	chrome.exe
PID 3816 wrote to memory of 5072	3816	chrome.exe	chrome.exe
PID 3816 wrote to memory of 5072	3816	chrome.exe	chrome.exe
PID 3816 wrote to memory of 5072	3816	chrome.exe	chrome.exe
PID 3816 wrote to memory of 5072	3816	chrome.exe	chrome.exe
PID 3816 wrote to memory of 5072	3816	chrome.exe	chrome.exe
PID 3816 wrote to memory of 4140	3816	chrome.exe	chrome.exe
PID 3816 wrote to memory of 4140	3816	chrome.exe	chrome.exe
PID 3816 wrote to memory of 3536	3816	chrome.exe	chrome.exe
PID 3816 wrote to memory of 3536	3816	chrome.exe	chrome.exe
PID 3816 wrote to memory of 3536	3816	chrome.exe	chrome.exe
PID 3816 wrote to memory of 3536	3816	chrome.exe	chrome.exe
PID 3816 wrote to memory of 3536	3816	chrome.exe	chrome.exe
PID 3816 wrote to memory of 3536	3816	chrome.exe	chrome.exe
PID 3816 wrote to memory of 3536	3816	chrome.exe	chrome.exe
PID 3816 wrote to memory of 3536	3816	chrome.exe	chrome.exe
PID 3816 wrote to memory of 3536	3816	chrome.exe	chrome.exe
PID 3816 wrote to memory of 3536	3816	chrome.exe	chrome.exe
PID 3816 wrote to memory of 3536	3816	chrome.exe	chrome.exe
PID 3816 wrote to memory of 3536	3816	chrome.exe	chrome.exe
PID 3816 wrote to memory of 3536	3816	chrome.exe	chrome.exe
PID 3816 wrote to memory of 3536	3816	chrome.exe	chrome.exe
PID 3816 wrote to memory of 3536	3816	chrome.exe	chrome.exe
PID 3816 wrote to memory of 3536	3816	chrome.exe	chrome.exe
PID 3816 wrote to memory of 3536	3816	chrome.exe	chrome.exe
PID 3816 wrote to memory of 3536	3816	chrome.exe	chrome.exe
PID 3816 wrote to memory of 3536	3816	chrome.exe	chrome.exe
PID 3816 wrote to memory of 3536	3816	chrome.exe	chrome.exe
PID 3816 wrote to memory of 3536	3816	chrome.exe	chrome.exe
PID 3816 wrote to memory of 3536	3816	chrome.exe	chrome.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

2916 attrib.exe
3304 attrib.exe

pid	process
2916	attrib.exe
3304	attrib.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://www.youtube.com/
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3816

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7fff08cb9758,0x7fff08cb9768,0x7fff08cb9778
2⤵
PID:1352

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1612 --field-trial-handle=1780,i,5112768047246243276,3046241214860969513,131072 /prefetch:2
2⤵
PID:5072

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1820 --field-trial-handle=1780,i,5112768047246243276,3046241214860969513,131072 /prefetch:8
2⤵
PID:4140

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2104 --field-trial-handle=1780,i,5112768047246243276,3046241214860969513,131072 /prefetch:8
2⤵
PID:3536

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2864 --field-trial-handle=1780,i,5112768047246243276,3046241214860969513,131072 /prefetch:1
2⤵
PID:4684

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2872 --field-trial-handle=1780,i,5112768047246243276,3046241214860969513,131072 /prefetch:1
2⤵
PID:3468

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4408 --field-trial-handle=1780,i,5112768047246243276,3046241214860969513,131072 /prefetch:1
2⤵
PID:964

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3116 --field-trial-handle=1780,i,5112768047246243276,3046241214860969513,131072 /prefetch:1
2⤵
PID:3456

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4728 --field-trial-handle=1780,i,5112768047246243276,3046241214860969513,131072 /prefetch:8
2⤵
PID:5016

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4800 --field-trial-handle=1780,i,5112768047246243276,3046241214860969513,131072 /prefetch:8
2⤵
PID:1864

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4880 --field-trial-handle=1780,i,5112768047246243276,3046241214860969513,131072 /prefetch:8
2⤵
PID:4500

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5416 --field-trial-handle=1780,i,5112768047246243276,3046241214860969513,131072 /prefetch:8
2⤵
PID:5020

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5012 --field-trial-handle=1780,i,5112768047246243276,3046241214860969513,131072 /prefetch:8
2⤵
PID:4520

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4960

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3dc
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4076

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4988

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s DeviceAssociationService
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4148

C:\Windows\system32\dashost.exe
dashost.exe {d012d92d-99db-473d-b7112b2c91c990f7}
2⤵
PID:1804

C:\Windows\helppane.exe
C:\Windows\helppane.exe -Embedding
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4476

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3636

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:5028

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:748

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4568

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:2312

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1332

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0x60,0xd8,0x7fff08cb9758,0x7fff08cb9768,0x7fff08cb9778
2⤵
PID:4576

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1644 --field-trial-handle=1864,i,13692229167749398552,3722873716960404858,131072 /prefetch:2
2⤵
PID:3012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1832 --field-trial-handle=1864,i,13692229167749398552,3722873716960404858,131072 /prefetch:8
2⤵
PID:4852

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2120 --field-trial-handle=1864,i,13692229167749398552,3722873716960404858,131072 /prefetch:8
2⤵
PID:1084

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2916 --field-trial-handle=1864,i,13692229167749398552,3722873716960404858,131072 /prefetch:1
2⤵
PID:148

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2940 --field-trial-handle=1864,i,13692229167749398552,3722873716960404858,131072 /prefetch:1
2⤵
PID:1296

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4512 --field-trial-handle=1864,i,13692229167749398552,3722873716960404858,131072 /prefetch:1
2⤵
PID:2844

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4676 --field-trial-handle=1864,i,13692229167749398552,3722873716960404858,131072 /prefetch:8
2⤵
PID:5004

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4816 --field-trial-handle=1864,i,13692229167749398552,3722873716960404858,131072 /prefetch:8
2⤵
PID:1052

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5044 --field-trial-handle=1864,i,13692229167749398552,3722873716960404858,131072 /prefetch:8
2⤵
PID:1424

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4760 --field-trial-handle=1864,i,13692229167749398552,3722873716960404858,131072 /prefetch:8
2⤵
PID:1672

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4924 --field-trial-handle=1864,i,13692229167749398552,3722873716960404858,131072 /prefetch:8
2⤵
PID:4500

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4720 --field-trial-handle=1864,i,13692229167749398552,3722873716960404858,131072 /prefetch:1
2⤵
PID:4480

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3004 --field-trial-handle=1864,i,13692229167749398552,3722873716960404858,131072 /prefetch:1
2⤵
PID:3728

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3164 --field-trial-handle=1864,i,13692229167749398552,3722873716960404858,131072 /prefetch:8
2⤵
PID:4412

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=3820 --field-trial-handle=1864,i,13692229167749398552,3722873716960404858,131072 /prefetch:1
2⤵
PID:2624

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=5256 --field-trial-handle=1864,i,13692229167749398552,3722873716960404858,131072 /prefetch:1
2⤵
PID:1348

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5288 --field-trial-handle=1864,i,13692229167749398552,3722873716960404858,131072 /prefetch:8
2⤵
PID:2672

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5544 --field-trial-handle=1864,i,13692229167749398552,3722873716960404858,131072 /prefetch:8
2⤵
PID:3772

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=3248 --field-trial-handle=1864,i,13692229167749398552,3722873716960404858,131072 /prefetch:1
2⤵
PID:1252

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=1852 --field-trial-handle=1864,i,13692229167749398552,3722873716960404858,131072 /prefetch:1
2⤵
PID:3772

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5004 --field-trial-handle=1864,i,13692229167749398552,3722873716960404858,131072 /prefetch:8
2⤵
PID:4236

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5228 --field-trial-handle=1864,i,13692229167749398552,3722873716960404858,131072 /prefetch:8
2⤵
PID:4640

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5788 --field-trial-handle=1864,i,13692229167749398552,3722873716960404858,131072 /prefetch:8
2⤵
PID:1540

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3256 --field-trial-handle=1864,i,13692229167749398552,3722873716960404858,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:96

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:212

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe"
1⤵
- Drops startup file
- Sets desktop wallpaper using registry
PID:4952

C:\Windows\SysWOW64\attrib.exe
attrib +h .
2⤵
- Views/modifies file attributes
PID:2916

C:\Windows\SysWOW64\icacls.exe
icacls . /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:4596

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:4004

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 258521718723990.bat
2⤵
PID:4376

C:\Windows\SysWOW64\cscript.exe
cscript.exe //nologo m.vbs
3⤵
PID:424

C:\Windows\SysWOW64\attrib.exe
attrib +h +s F:\$RECYCLE
2⤵
- Views/modifies file attributes
PID:3304

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected] co
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4672

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\TaskData\Tor\taskhsvc.exe
TaskData\Tor\taskhsvc.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2624

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /b @[email protected] vs
2⤵
PID:1336

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected] vs
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4556

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
4⤵
PID:964

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
5⤵
- Interacts with shadow copies
PID:424

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
5⤵
PID:2772

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:4924

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
2⤵
- Executes dropped EXE
PID:372

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:512

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "guaqpnihl896" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\tasksche.exe\"" /f
2⤵
PID:2484

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "guaqpnihl896" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\tasksche.exe\"" /f
3⤵
- Adds Run key to start application
- Modifies registry key
PID:4380

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:4640

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
2⤵
- Executes dropped EXE
PID:5080

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4864

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:2560

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
2⤵
- Executes dropped EXE
PID:2144

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3044

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
2⤵
- Executes dropped EXE
PID:3788

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:396

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:612

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\@[email protected]

Filesize
1KB

MD5
822a8ed1871a585d9fb209b402a59fa7

SHA1
52b90d779c458ea7cdfafbe16f1f51baef5daf16

SHA256
5cc1ab325b22efb8459724a2f54c35a20da814df515fa81358b6876782b682e6

SHA512
1f52c3ffebc3c617c779a3748d506d2fd0645119f35957da0c6087cf71f5d8401833368c78b7d970abc9958e49461f9c3ce49562fa804532f88946605cf5a1e8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
c86640aaa33658aa24db5a9e946108b5

SHA1
42a8819c961a6db7e165a84bab0781ef72e71d81

SHA256
bad1ea3662cf7bbc1c20e838088b1b20eb1cdc6060eff54f7513c67a6bfd0717

SHA512
5fea5255ffee9a38d99ff112b0ccadccc5c08458ba90d91655a92bbfdb83d921188bd1952893c934467d211b10e6b9f89ae8b4a5fe1a3db1124641f86897fc83

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000012

Filesize
69KB

MD5
921df38cecd4019512bbc90523bd5df5

SHA1
5bf380ffb3a385b734b70486afcfc493462eceec

SHA256
83289571497cbf2f2859d8308982493a9c92baa23bebfb41ceed584e3a6f8f3f

SHA512
35fa5f8559570af719f8a56854d6184daa7ef218d38c257e1ad71209272d37355e9ad93aaa9fbe7e3b0a9b8b46dfc9085879b01ce7bb86dd9308d4a6f35f09e5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000013

Filesize
326KB

MD5
6b0fb47d5de062b7d60d8c5f4e744879

SHA1
3fec5ddec74367e07b1681d5e1a0b348a31e6e61

SHA256
1dcbea2fc9dc82f3df55361f9f096ea268025393ae362b213da82f877cc0d3d4

SHA512
431720440646fddf2f69f497a91ff9e10f3c5a863d6ffc68ddccce2a24b58883c0fd41032f19a1ccdb003a1abc4f648f635bd7196b4e7da6df0dd94d6817ef37

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000014

Filesize
133KB

MD5
b609af4f8ac31c8ca07d489d909a6902

SHA1
32450b199004e269a69fb211dff176cdd5170976

SHA256
f5ac7e1c949dee2187d2d94e8034da9727eefefbd3ad9839c70356c1f05fabf2

SHA512
0717c49d0051e1a69f175fa95bfd7deb4b8071e11e9b8bef3199f7dbd2b126421c7975cbf54a7f0bacd10bf626a640991d03bcd166f9fa2ffd1b860007b53c38

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000019

Filesize
252KB

MD5
2465cd3428f83af5f3d168e75e3b79e6

SHA1
ea19fa9d949b582d2a84a3cd5e3240bb688be1d0

SHA256
111474d9102cfae0cf4ae2c2ebc128788c685b8499aacce9be790eef25ac45ba

SHA512
a336abafa1190917d09ef67e67ce5f842e105568f5f1ea5fc0d8e6d10d4f17af56b9eb66b1ff008338e0139d04f8fac086100ef4be9053ca7982bb8e97d912f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001a

Filesize
163KB

MD5
6d53dd4517b48262aab18bdc2ef3a830

SHA1
9c163a2d1fec496db66789ff4ad73b35baf576bb

SHA256
81320c19b14c74cc0f4440df9b3e1872ba364c823fb5fb25c80a8af7ef7f54f1

SHA512
c3f71f748902ca950b9eece75a4114e7ae0227028cab4440b3155f2fd3dc2bc88a50531f720383f269d05575777ff0971b2b2c362eb459e4787eeee9b3a12bdc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001c

Filesize
205KB

MD5
c8756359e661d300936f33eb8539329f

SHA1
72b09d0b9af7b57df263c2ff2d4d750b71b5338b

SHA256
a0922c7eafb2cbc59163b773fb3c7a7095b045b49e3aced8f60a0c45291e5ded

SHA512
f4ad8eeba5163217e52cf7239277113bbf32988d98356ee3165a4f8f3fba2904323e2a4e384e949f777ace6beb55a2da2cd91a1d0d68efa31751d59aa240cd02

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
1f745a6cbea914289867292e5fed78de

SHA1
94b143c3a924d402a0266153810da5ee49bb55c0

SHA256
dbbb3f33505e6aaf9d7b46a2f4a005ac8fcef5856b0fd939621f484b915160bf

SHA512
c34e565b882488de95196fe2b831662fa9e3bb6b99f93236213469132b586644a5c6567ea922cba1be78663c343f8c747734e50c98ac059dedb15849c103cb7a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
4c12e6fddcff373c83198b3378f180ea

SHA1
b2013c8be75999a8023b573ff12c95dc5a9fda9a

SHA256
e833d6769d1b32549f3fac6e884cd641b8dd087a56f2bcdda90a3d5455828067

SHA512
0d26069a190c3bcc0bed58770ca1b15ce7efab1a5129acd3c6b87d64b6e89f95df782d760ff7fb9f952804bf157f1cb24642ae122182b473669f85799e20156a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
480B

MD5
99fb6cfa1ca56264ced506f62aa421be

SHA1
feaa0f2455016b7a10e0c00b1495cf0dfeb553e8

SHA256
5979cc8d599ee8e6c5876f588b988df25a849c4565ffaa9bee78b9eb2bdcc2bc

SHA512
a40fb1371989acf049cc08c6c64b23c20021ba202adcab81b086e519c72eb3a18c63c843a98d4f247be3d4bbd927d62d22d7e0833eeba04a3a8ad718a0ee5a8d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
487471f9fde03d905a191f670b6ffd19

SHA1
7edd4ac93d9c83eff3ea72c9f42ddf8c75a46a7d

SHA256
a66d12631d59595d93e2ee12e7ada5d8c59fb886821d6090e66cf2a41c974b05

SHA512
1e4e5b8b18685f4fa3ed152d5bae2db8ae32048edfa95cae49416e77080b928b13478b12ced6eee78a18e80c33635e7e0c8e3597b7bc96e09b3becea9efd52b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
6f397c5e6ce46fb94a9f1ef9aac3a1f8

SHA1
e2e0bb7008daa30efb3549dc93755a3140f5bdd6

SHA256
d04872dbbf617e0f5b1922ee0557c971c9218f57e1881f33a1f9390a91ec7c3b

SHA512
515898e101e2bd452f7653b7fca378623267f7c22bf4caab79ac94bf23969a0b24f78532dbd023e9efea851352e4a082c4cb3d61f29661024ae9d00f351e9d8a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
7f9c1709df2a9e879865ed0eef420923

SHA1
dc13d5187b5b3df41f1db522e81ade2a94a19e49

SHA256
2f35226d90619020f1b500650140a96929813e6d84f4d7863d3d17b4af19b925

SHA512
08f57a0cf7ece56b100d2a99c889f11f8f2a1947c46ce0c8278879c28a0fbbe7e80591f57525a1680973e510ea590d5d1651a4252626a67e954af29e1bfe6be0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
17c69188c219235c40fd7769189dd9e5

SHA1
f9a93dce7757081cae166067931775954255f801

SHA256
be553385a014f1ce2a2be7b76266aa2116acd47983c9d873bf1eba86b0a8850c

SHA512
56143c90e216637d1df76ee040c24f8a050b0d0853f80e7c11cf5689081fc62369f5cb2bf5d3ee7c9620bf92d4bf1fddb296fde6d3f957ad94b3940219dae906

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
0bacae50d02de3a063410edec35d2a65

SHA1
c2d85336e738a8b8732bba13f477cdb68338677f

SHA256
4a5ea456c40040ced48bbfb06a2cc6777071c6c88064ceea13512ada391b7ee1

SHA512
a712e27c47ee9b31868d95eb28f09058ff10c8120fa9050169cd6c8f1bfa1bea9c7bf3f357dfe2245106c4bd720f611864820a83531c11ef44602f5f3bb5da52

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
e77c8bf9c4642fff9efea1239b6ce4df

SHA1
dda427d15a92a0fcf37ea7511a0ba97c0f4f98ef

SHA256
6bbf99235a83f2b6998348386cc2480b3e632bf0a37190125211a9ad32ba1579

SHA512
36b29e17be45a6f2c30b0b7209c101a7ff41e7b8a2978aed2743205374f10f3761d5aca2ee9a44d1d6dae0de98d8a57dc56ea7f88f3e889b3c796b2f597e2f02

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
eaff74a6996145460bafb42e615142a3

SHA1
9009d80bc63e52f288e52dac152c7ff1cc0a7d86

SHA256
4983139067faf7a4db134553f015762ac75c62ee5b027592da918373b30cbe48

SHA512
1e30e2729a18e6352daf962b02d561ba38d6d3dc552f795bc50d3f68d57a0292c0d56d96defed6edbcc71aa14bbf87d40c0e84a2d52528ba2e4ebe686695107f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
874B

MD5
7b4cca7635462ea0455c64a0a9564f76

SHA1
eb7547bef86f973b2ad9a68a279448f3ea33f3cf

SHA256
a1d8620a157bfa815dfd6c010d3d91c91d5b792eb01a47db6dce4ab5d962d1a8

SHA512
7427714ab34598a86d674a2086a4ca1305441ded8bcc3503e37e6de70402493d01c8033903270b5e93c95a967682b354666a6987e6bcea4059fce75c5a3b41ab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
87c0160e29d5dc8899765ee3406f3c14

SHA1
237c848a47170af730749596976ae167fd8b1890

SHA256
e0e70d0970bf912b9bb1fed953f31bcf251ba13bdc06e40fcb678597497ea073

SHA512
909989bf6de205273780c738132167fb7d702c2cebbe2568255efdb64bccc5a98541e00d656f5fb79186586ade17e6cab9b824d7e37f6e06a4cd4b5c6d5a735c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
642d051df1328aa184046d02184471f8

SHA1
e9131571c744f1f090be7779c46ce98ed17601f5

SHA256
1c1c44ab06d70a467ed4a2ffb3ce12b25572d9ef90ded537f1c05c2407e5653a

SHA512
3261612eab31a30c6c60cfed04ee3b34f5c5fad8a898fcf3d54c5bbb9c18713a9b1daace47300c3e3867e3a89bd77b849abc69a25f5ec501337aab1475321d3d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
874B

MD5
cb9978519aa4df59b637385169ec87c0

SHA1
c40e8a983308e129f151080eec5fdf84d0523cbc

SHA256
42426fdf343f20b64a691ee71195ac93223edefef87fb00a4a1547e38120d811

SHA512
01607d20f351d2c9f8308624597f803770c8359d5b30df8d6e86a11832dd9c99574f573040d57d019355d738f0a15f1334fa3288ed71a8b79020059ab99288c9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
333365cfaf6f2b82cba3bc1c1ec7ac0f

SHA1
1b284240124d37042a1dcdde1bd55ed983f62920

SHA256
b0cbe443b6515cc7dac27486c3966e40f7dba112a7b37c3f1c24d4af1e3e1f45

SHA512
e95a30ce8e01c7fafd4e2b689ff661ef5fd9f92939fd9b52debdd79373aecb9aed5ebde0ed70224e83cd62e8e4c4bb8ef4275a2cbbb487460ed8ab431901e693

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
c241529c07bdb756cc4393315f8045b6

SHA1
c50fa9259cf4017751e7053500b08aea38e177e6

SHA256
caeeedc303bae0a4b5a433e206cb380552f3e30f1ed940a137920ace82f618ca

SHA512
195686a3abcc569724740644016f573be90b7e1712b913fca8cd2dc2078ba49be0f49b50b86112c8880d329163431445f00d92db535d48b9e7f0ab067d6ad5a8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
d1f2639c87802ef475bb380f32c151e0

SHA1
d9a7795823a0ce5b2d155d74c6a5e89b7de68eb7

SHA256
f798f5f9ee04b4eedabe4cecc8d01871a34f99aa46d634e7862ced4ffd6cc1e2

SHA512
3f7a23dab01c16825abc61a30a03d70050fd6f07395c6dcfc7119f5aaae92bfc6a413b57d46cf3e2009f1951eebd67d14145214d39e6456a285da02a11460c8f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
b40ce2a5bd8c6780eee4400adcfe8d9d

SHA1
36d1d6d56c83e60b2e9307c6175d3ce7f5e7564a

SHA256
823cba64e76ba900c602f7b02e021cd69691ff7ab52e143dc2f5a035241e2636

SHA512
ec0ad254eaeed3a7f4eb08e2b6ec5ac6f0051dbd00900371bb26a1a52ad8a48ba5b41840999975cb5ec12a2640e2272243447c929c2f2adea3c0b58a67ae560c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
92987e8f56455b66b36e98d3bb9413b8

SHA1
95d65a74ad8ea22d1b457a1aa7f067c124a8836a

SHA256
29626f64a10ed1115c4412bd97f5c5f0c89257e81b9ef6f179a64de28679e878

SHA512
36c7f9cdc7c4e15d4ad07099b66d989412bc7186030b6075d6558309ea9886c249091b19b9f2f90a496915cb35127cba46c56d8f107d85e0395b60e36d42893d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
138bfb005313a954ce71bccdfbcb70a0

SHA1
b8b7af9dd3df4c5108e6c4e4cbd8ba5c8f398566

SHA256
1412da5d154890eafe5286958209d5afbe3c5555621c798e8a0ebe81eff400e3

SHA512
c1d4b5be3641451a85fc6ceb479a315b9299a97dda7419adc1f8cb0cbe53463e6d5519876a0bd735b1dbb495795d918852656ced401df1317229727df4de9701

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
293df52598db228292d1c77ed3a8c2f0

SHA1
f59f6ba16d66b1cb2ccfaf2ceb1718c5359f53af

SHA256
b161e57fe1e656e8abb7539a5d5b098c05bc537099bb9aae3afc7bd8f1b7aca8

SHA512
2271a5e182ddcb0d104cadfdbf9be4ddad49ee7fe0abbf0faa9da971280a2444ab4b42a87b0f1069e95bf2aae1b6a94dcdfd1c0228149891937a3598df6e4f2a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
084efa87b6cd54b7f1be488f24454afa

SHA1
195af79960c5af4ef35818762e070af0941706c9

SHA256
1abb89413d3558b7ca2a1807d8b1f71730e5a1101eacb4de39d0916e8dc13fbd

SHA512
c68d79a7bdf72748b9bf135f167570b894af7c8465aeb1e7152ccbc842f25076f929bf00946973614ab46a328e0106cc5645356cdb66d08216063127be77904a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
12KB

MD5
a2e3244c31d469f883ffdb9e9d60234b

SHA1
547ef0ba6b0a2c7714f70cd8266deeb9c0c874aa

SHA256
916bf0b0f7e1ae6b2fdb2c887ff71ca557a9348abaefe216ef3c945c54cec745

SHA512
1e825853adec14f8341235980d473294408774af31f7ca053d141835a16375eec5b3e0c58f4fd97d78b366c2a32951c66463419ae0d6974058d6db0e012ab8e1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\00c4e407-52c3-485c-9331-a36accc51743\index-dir\the-real-index

Filesize
2KB

MD5
ce8ae01f1a54e474ad815b503e97ff41

SHA1
6e61e95b7abeb8ca9c864d731cbf439715812493

SHA256
09a9bf8441593cf92a7d6478d9a95c87588f25b63841f56673e5eaac8acf3e2d

SHA512
f425d9ee5f0b1c77ba9bf6eedfd60358c755f410109d815f9cdd5b7bdfd69e326ef5f6da897c926d5129c12a66d8d589cda00935f619928e2d4425e0150b2d93

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\00c4e407-52c3-485c-9331-a36accc51743\index-dir\the-real-index~RFe57a856.TMP

Filesize
48B

MD5
7cd77ea259ad031832c99cd4cfc74e63

SHA1
cb65ea9e5b9ec8236f5afbb97f3ca8a56eb5f2d3

SHA256
cdb0ba49f852283e8ef389507779af4738e0790e32cc9d42ef998f140e87ac04

SHA512
a178112670e8855d70cbb86522c1f4f5b55a145bbd676f1c126ce480b4868ce226ac67134f959aa9082563675d236fc9d5769d98834bda19a04406c579cadc39

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\2ea76926-bb35-4b1f-98b8-5578ad7e8b63\index-dir\the-real-index

Filesize
624B

MD5
ac494abd65e2870d144e9ba1372921a0

SHA1
d813e81e7db3c71c63ff67b729c8b088797bfa85

SHA256
1d0247dd94da699a6d4749c887d427a84d045a2cc6f6a0a73ca16306e4fc355f

SHA512
f44c61b5dc257814a089a8a850990d15e1348552740b2fd5c71f8cf576bd9ecb9badf51f4e431f5426c0131793ed9a1e371280ac05a3221fb433a85803bf07c9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\2ea76926-bb35-4b1f-98b8-5578ad7e8b63\index-dir\the-real-index~RFe57a856.TMP

Filesize
48B

MD5
bbc16b69c74f67de121420870bb20e11

SHA1
55ee0bbaa25592eb5e14b43442d1ee96940e4b3c

SHA256
491c83302c329cbcee2490ee80307228099333944c666bbdf04ef50a1d7be09b

SHA512
101796c5987a92625d355249e07ff9bd897a9f59fba75f5c4911192f7df56669b150f48c5a9900352f985118fa75d13cfb59bc18ce69d748c752bea24d342f45

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
176B

MD5
109baad70de83999e974db9c973eecf3

SHA1
a297cd30ddf68c3b566d269c358314b3f144f3d1

SHA256
441aabcdbf4e7a451993ea354f6c13d2afcb57744ec367e72fa817f9448e3f1e

SHA512
627738e9fb16c6d230d83d644ee3f1c03855330f38b15a04f7784a498f448b46fec5bedcaae85e373aa8eb8f93d22b6e359cc08df9d4ec24439d3537c98e8df1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
112B

MD5
efa95a80d289efb4bc70872d9cfd686c

SHA1
fc71515ee5bcfcc49af3be19e588be6165a5f963

SHA256
8dbf645677a5133acd639eff0fec1812e51cbd2dbf40e172818502b1e85271d4

SHA512
19aec4ebe5794971df27645899a8d7f6c0985ebc50ae481c9441d2e422a9e20029020ba1c04f3010290044851f08111640937bd04ae578b7e31b9b30e011047b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
185B

MD5
d76aa1494e6b51085ee6b14a0ffa26d3

SHA1
4d03c3f4044d700d2fb69c8d09ff43e72b82ab2f

SHA256
6e6e5a46965d04ff2fb777cdec404c3fe84bf9c0b06adb388871b7c5b832acf3

SHA512
a54f76e5677db0f8526e45bc01824a3769f295d2050853eafd3361f09d75281b6521be55e4be68e6490eb20ef9b596b8b2e6e551d21e6446450f1624c41597c6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
183B

MD5
0603a576ef34b2ef2370f5fce5ee57ea

SHA1
041595596a6f3b7a5106052ea04499ec15421c56

SHA256
ebc49166fa158d09eda332b21496031f027291dd4e1d13eb2b88557761f58173

SHA512
ec0f6fc04ff00d551c7dee73cfe14aa4d12ab6f70e0c48d0d9021bf3806e914be104b5692577a36715a21c2271d634b1692e484926db1a371a3b637a3a33a5be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe5775cc.TMP

Filesize
119B

MD5
242ff7e67520c3ac65a4d80ea071aeed

SHA1
487e2f015a26ddac12b4b962a50212b997001cd8

SHA256
40a4266388b3946f4e9c000821839af89d76aaf5995cc369a8948e76aceee136

SHA512
8c171429b30e1b7d25f8106dd546e0170745cca1907a38df9afe9441d9d79a1a5e9bcd6548d5ea2b4b2bf4f72fdf585b979961f90a9c5aa9ce4b1d085200635b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
ce904da07f8bf62e64f873e522042c5a

SHA1
9b66fca34b1e2a2b75167f5f769c1191d92931d5

SHA256
30a15521e51f1a0626d86dfca9d1e57ae9a7d726eb55f0a88d41779c2a6fd728

SHA512
0bd77530983b009f46a7f01278e5a40fbb16fc5c3a7276a050037361a50f500e2f6bb193e76c3f119405e68e043454e72bcc2504d3d8ca13b454d657be06652b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57a856.TMP

Filesize
48B

MD5
6b3c5472ae6b7d65ebacfefe07934f56

SHA1
bbd3754cb293dc406bc7aa6357f76734ed632c00

SHA256
4d6c7be9eee6be7920169b86685fb4b009b1a6c88648415b98d3849e9abb78bd

SHA512
030ba73edb61c5f1aedb5d19c209404172bcb100dc7ce906876339770c2fb03618dbe128e86832ab37e6602425f3e391f912a34d20336f81439d17a9e6595c10

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp\scoped_dir3816_806662541\Icons Monochrome\16.png

Filesize
216B

MD5
a4fd4f5953721f7f3a5b4bfd58922efe

SHA1
f3abed41d764efbd26bacf84c42bd8098a14c5cb

SHA256
c659d57841bb33d63f7b1334200548f207340d95e8e2ae25aac7a798a08071a3

SHA512
7fcc1ca4d6d97335e76faa65b7cfb381fb722210041bdcd3b31b0f94e15dc226eec4639547af86ae71f311f52a956dc83294c2d23f345e63b5e45e25956b2691

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
285KB

MD5
0632f1efd8b8093e26a2b8aedc11fd11

SHA1
410e4c13aaa6ac82d0d031e11e1e365628a0c24c

SHA256
31de174af57d629ef309d55f2f3660f1e1fedc7c7c2d2fad28490c849d2c522f

SHA512
20338907981010e024e0b67ab3336dbf10f68f528b4ff5f481ebdb8c0cd9005794fb5b45bed629a04af56a59526d1b2c1165732ea365903e6f22551db20fac6d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
285KB

MD5
45b1b153e546af521580b434d7a0bfb0

SHA1
b63374ed9bf31b03bf7c3cafc490fd929268491f

SHA256
2709e866ee60143b28b6797d577c8708d53b082a4d3a429d2b3689e6bd70b96d

SHA512
619341af50e8f6ebd1de19f6ab3c9bb2e983309c2cfca798ae92108dd00e942b00d7cace722e79e99e1c30bcf394438bf1d7a6545bce26c6512eac9b43615be5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
0c6b5b43db71f120f1332109d08499ec

SHA1
bcd9bc736409848c6659040fa3568cd860eff173

SHA256
d71385194da03f6dabb0c2716f9fd38cf37b784a8f7f0a89ce5c10bbd652a17c

SHA512
027eacc797b6d947b313db64eb9ea2e7b400ee72daed431f90e2e30620732973119c02ec6fb13277b1d51dcdec71196d2d53775946a4aba231c5a71e7eb06bb2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
0378c885731e50ed4d0104dbdaa0c8ca

SHA1
f39009d13306838f47468b2f0b11e3c5a078d8f6

SHA256
13f0bf8948760c12d3160bbb480ce005be70bfbb3dd6519815a8875e73c13948

SHA512
1d8d7394ab1d6c095d9f7a5a40b66c9bb32e1c40de6350da88f0e2e714399c73abb382218c47bf5b9b81b7dd4967a0801512228dc5bf36b3d0d01e62a6e7285e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
93KB

MD5
7be508a6cc0393344e974e4f51457fb1

SHA1
15a2e991cd149e5776e25f4e24891c60b7a8c4e6

SHA256
05ba42d93bd4303ab6282544a7bea3a03ba9c7ef5ca6ce3ada01b93dd4d4cfa3

SHA512
f707ab4e092166c2ab44b48050477d11304993058a23fee3410f7632102529ba46041e68bfe9910814015cc56ec83b704b10ece76c24c499b809813a01347a91

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
100KB

MD5
7401f0c7a2774a452dc8b6b0b0231529

SHA1
d75739321dbb9af75263b246352df3a38d35a0e6

SHA256
de5250bdcb94cc24472078f4c38d434e63ff98065f1e23f6dee832325e72a079

SHA512
c82e03c1125343fa29f5fba11bad4ebad4078a465af19e6c1c2a5940fa5a3afc28f6d7bf5cd00d8da91c885f7fef66ea8d08ff436edc07113e9050656fecd076

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
103KB

MD5
9db58ecf42712232b2ed935f5aedb742

SHA1
908499720bb41207c6b678d38e741e058ae9c959

SHA256
e4c00fefa7a57b70988eca9271ec1a6203570aafa64ab46f3ddc4d2924fd176e

SHA512
4b90d461684952ba9ff1f603ef3e850d69add27cb8d44264a2db33f7bb6dc1d5bd585db718a10bb80f424c0ef3e188f177ef98c4c320963513e1e86169bfc193

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe5ccdf6.TMP

Filesize
92KB

MD5
0c3d4afb8b9612d25575cec5bc48d48e

SHA1
185df8a4e51cd286c4b5709a86d21bafca215bd6

SHA256
6a8b692863198de5ee5d0011863811ba8c059e12ccfb42c8091164774209b88f

SHA512
d161969a525909aa01058737a88284cd94e36a5b734b2cfa66e9e80357f9d54864df995589689f59602fc0a3e79f32e024e240225d224a0ab77065de70d10ba5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\5E19559Z\byLmVJQA1UzOFcrs9Jrvys4jXhM.gz[1].js

Filesize
1KB

MD5
2ef3074238b080b648e9a10429d67405

SHA1
15d57873ff98195c57e34fc778accc41c21172e7

SHA256
e90558eb19208ad73f0de1cd9839d0317594bf23da0514f51272bf27183f01da

SHA512
c1d7074a0ebf5968b468f98fc4c0c7829999e402dd91c617e679eeb46c873dc04096cbf9277e115fc42c97516a6c11a9f16afa571e00f0d826beb463e2d1f7b0

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\4W502WQ8\favicon-trans-bg-blue-mg[1].ico

Filesize
4KB

MD5
30967b1b52cb6df18a8af8fcc04f83c9

SHA1
aaf67cd84fcd64fb2d8974d7135d6f1e4fc03588

SHA256
439b6089e45ef1e0c37ef88764d5c99a3b2752609c4e2af3376480d7ffcfaf2e

SHA512
7cb3c09a81fbd301741e7cf5296c406baf1c76685d354c54457c87f6471867390a1aeed9f95701eb9361d7dfacce31afd1d240841037fc1de4a120c66c1b088c

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\Temp\~DF4B71C0C1A60C4913.TMP

Filesize
16KB

MD5
02c437f170a410e08a8b621c4e0fdd17

SHA1
331cb465de50ad52590ffe73b69271f8485667f4

SHA256
96ff54cd3b44be9c49215bfe0ad6e15353bcab6980642705086f83a6342514e9

SHA512
9a07f0f48f3f3cf8674ea77d9371f0e08761d352d009b12f05bef5594df7d9a98889282e7aec517d23a03ee283e15aa455bbe6ffb00d4b3d0c09750bedd1a231

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]

Filesize
933B

MD5
7e6b6da7c61fcb66f3f30166871def5b

SHA1
00f699cf9bbc0308f6e101283eca15a7c566d4f9

SHA256
4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e

SHA512
e5a56137f325904e0c7de1d0df38745f733652214f0cdb6ef173fa0743a334f95bed274df79469e270c9208e6bdc2e6251ef0cdd81af20fa1897929663e2c7d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]

Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\TaskData\Tor\tor.exe

Filesize
3.0MB

MD5
fe7eb54691ad6e6af77f8a9a0b6de26d

SHA1
53912d33bec3375153b7e4e68b78d66dab62671a

SHA256
e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb

SHA512
8ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_finnish.wnry

Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

Filesize
7.7MB

MD5
1dfedc11f1d799c55291da610fc0dd61

SHA1
f45409210c9074ea6424c5ba907fbe86cc335adb

SHA256
24ce50b030de6977331a8ad30a815c2de51b857f93f71df650caffa4fd8ed86e

SHA512
20a54267fd9eab4ae529912e80c0a8edb1b469eb850d2aacb28228714b0b550d4f031bb410005dea0198118fa8df5d932c3875e7d6facd6b81a3868c33cede02

Download Submit
C:\Users\Admin\Desktop\AddClear.3gp2

Filesize
362KB

MD5
1e7fa1c18e020daebc46010a57631987

SHA1
de95d4e026743c50a4ac9a27cae76d5927e0b962

SHA256
bfaa82c823fab1fe4552958f3231c1cfe397c1fd4915dfe023e12a7c223c825f

SHA512
0c50542daec648523c7c6dbe634aba481820f16079de60fc4e40692da197d1cd574ef2f267804b0f1ced774206a6de304dc3a0ae1a4b90a046cd942f6b9fc651

Download Submit
C:\Users\Admin\Desktop\BlockResolve.ods

Filesize
483KB

MD5
679e96a1e325eeae18d050bbc68e67e1

SHA1
b4d65ae8fb5cc71386b5072799240d28dd188770

SHA256
a1adf48eb4b895552c341226dfc6eea6806b9c3b46164c97201efdc97bc41a38

SHA512
6d1b4bbb673b43773609d1106d0cf02504f7b17f17ca2b8a1964c5b542591e8f3a24cd7faecdd574987663db1c8d700966dc33fd1d587aaf71864f50c885271e

Download Submit
C:\Users\Admin\Desktop\CloseUpdate.lock

Filesize
906KB

MD5
a5a9afccc15828f1e0b4024ffdbec81e

SHA1
aa6797d32f51ffe02a40b5f3d49853d192df9e20

SHA256
6e184aafca977acaa6c2fcc832b6e7bc3690cc7b5813dce4d8615b4b81087762

SHA512
8e861f9b3dc479e6efc1539e1bfeac519a4ff1715f7a722499c1e05fc712dd12d7ff84ce07250878f688971e08790a350b445ce6ea089024d80b91ec37423593

Download Submit
C:\Users\Admin\Desktop\CompleteOptimize.vb

Filesize
634KB

MD5
eb263ba1a893334ef1c2ddacd57b3082

SHA1
fab3c3ffdcf296bc8c32685a54ff615feb9ca530

SHA256
8e226e11bcba39eaecc724cb8716bffab990f1ed619cc9636ef076ac2fce8f8c

SHA512
2347c4b84684457bf8d97404b7bb56249f3d095730b518f0090ca3ddb4340000192539d53012fba6aa4027bc73f0f87b9a7ce30443dd325d2ae46bc59e986aa1

Download Submit
C:\Users\Admin\Desktop\CompressRequest.asp

Filesize
453KB

MD5
349993c49d190475fa53a10c34adbf11

SHA1
42fd2465567ecff780fd570be4e94414764bd8d9

SHA256
9fe2ee43be289cc828c2aace4019d5ae3c1fd10d2de68aeec4a5df30bfecdfd7

SHA512
30539576bdc3af41db05a8919c2409f32bbebe8e7c54c2472b6b983e82b73809f95dedf83941e74e83cc428dafa0219e4a591383e491fc3b27667f05adc8cb3a

Download Submit
C:\Users\Admin\Desktop\ConvertConnect.3gp

Filesize
725KB

MD5
eae11b9d3ec920285b5be858dc0c699a

SHA1
fc0b733b00b2c6c96d543af65458b187350a9729

SHA256
1673b31c6dabf561dd061c2c6e5dddf4cc6bafe5939a2cdc5ea67546196d6421

SHA512
8ba6ccfa348268dbd76c474273ad47ec8c924dc89976cabab335d87c242cc45acdb97fb9864b1443553d338b40571b3c2bb67acc9d9c06c8d70e55c14770af12

Download Submit
C:\Users\Admin\Desktop\DismountCompare.m4v

Filesize
695KB

MD5
98076fc3026e3234c85ef175c95b552b

SHA1
086cfc38e5d906aafa72aec97689b0638f25cd88

SHA256
5b2ca492a26e02a95024234e88a87c208706c7aa64a28edce4da8ece2f2b9ea3

SHA512
719c492160c01903266876e302b769e6ac4f1759bfd937660628efcd46ac27416ca2b02370ef5af4df728437ef7259bfacdfbaf4e98cbf83412e1a9e76fb58e9

Download Submit
C:\Users\Admin\Desktop\EditReceive.ico

Filesize
423KB

MD5
497a6ffafb322a9e9c167e496cbb1e04

SHA1
bbb95ee714900ab7afeefb55fe1fb76890ef7a1c

SHA256
535e7f6a1524c5b6d2a8df6e2167ae31521601d511d686080d960c47d7680e43

SHA512
ac25bbb419c975cd4d5986318f8d258fe47fc55eb7208e414a8fa26690698d38b58f339ff97171f7d98d1656a305baa3569c3e2a22bd480fa44f0706d6a89847

Download Submit
C:\Users\Admin\Desktop\ExitEnter.tmp

Filesize
1.4MB

MD5
aae0b08a078ff63a58a6d582cd3bc757

SHA1
8cfabd85470f18d0703d41b379790245a49a5026

SHA256
abc69d1577934de45a9e113943cf90e99b91331cea2a1c719e58cdd40cb2c306

SHA512
f27e0669b13ef686bf8c216173a15aa25ab5bacb0379fa7e568918e1eb9df5d6ba8b55a64ff001cd7a1943f9fd6b33729ef2c7fe7bbcebf16736548d366f5284

Download Submit
C:\Users\Admin\Desktop\ExpandLock.ico

Filesize
876KB

MD5
14cddbd64b4dbb65bfe914a8a0749604

SHA1
ab1088f951dd7a22b8698d7d00ea7aa27e597845

SHA256
8e2cf94f8ff8d012bbfafa29fc522ffd60fe78a8ee9f81c045e89c67c7fa81f8

SHA512
3eefa23714decca8d71c29a98d49099689117caf24b93db5daf063ca59639c7444cd8602f39a7f604d596a2e55d2f52a415b7ea9923d84a05df7ef9b31f1536a

Download Submit
C:\Users\Admin\Desktop\FormatUnregister.docm

Filesize
544KB

MD5
1386d342b69b0e48ee02ba56952727ad

SHA1
6e9649165df17ba0c6765337f74b388d0f1afc37

SHA256
9b9d523be2a57d073c1baf445c76ec02b0cd347455807f0145c5c2ac12cb4bbe

SHA512
79892c496a5c19dd4ea5e45d3659604122ebbb77a1a9e813ceb0a329d06883a412a1e20671ef61caad8da66eea45f41c41d41e79576e71f9f8dc60df1ea1eeff

Download Submit
C:\Users\Admin\Desktop\ImportBlock.mid

Filesize
936KB

MD5
87b3e3a459e98d3067da7f8bd8a389cc

SHA1
7f862e56a2eb17b9c6fbb65f67fdbff660405f07

SHA256
307cbaea35ed1829f2f3b8d321dcf808e20bf1b66bc9d39654b90d683696ca43

SHA512
55441ae198b962cda2e2e0241c5e0723e0c7198cc610d04eed5f3e9bdbb89f47ebe18b98f12271496b6366d5cf9b81480952542c82eaaa606cae8dc63ffb0349

Download Submit
C:\Users\Admin\Desktop\JoinCompress.MTS

Filesize
846KB

MD5
e74f1a772348690cfd3c3d252445a371

SHA1
c84bfcdca484d243a38b16821a5a85cd2e9178ee

SHA256
3ae373ae2ae9559dd1f7c6e5681aff6a8fd7f1d4bf7ca349e10081fd5ae5573e

SHA512
72a366c1757a210abc614b32665ac0596a4de75cb85a4a0f5f102218e4d4b56d73d9fdc016e2bba90bf3dce32eabe4b6b5bbafe5ccd39990e951df4e1d3bbf28

Download Submit
C:\Users\Admin\Desktop\MoveExport.pub

Filesize
816KB

MD5
29f1fa314a03f8016fc27722546db4f6

SHA1
47d0467caa0d6e9a06653778f6445a23f733756f

SHA256
930a320d28e8cf4800de1d2b64ff1c192b6025a9c4c8eba1fa470a3230d6b621

SHA512
8d7539502b7e3a275601d4455b169a5c2ebb0bb66d859ff4077277ca62f1648b146e57582c772dffafaddc16e9df1fe9d934c2068a8eb37b6bf35f8ff5d7da8f

Download Submit
C:\Users\Admin\Desktop\ProtectInstall.css

Filesize
664KB

MD5
48e67c2446176512b14b4f344d9cc633

SHA1
1b70d976bb9f5f925bdc058cf524e36cd4e06ffd

SHA256
eec608ae76d3ea475c5c506ea9d076679adc335151ed26c48883b7f8eb4b78f2

SHA512
c1000910814ff317c701efa660bf787ba354a4148d3aecebbc1e00f5aca069310aa4ebba662d4da7929a3ea907e926fa2567162e998b609ee0341c397bc15d8e

Download Submit
C:\Users\Admin\Desktop\RemoveComplete.dib

Filesize
513KB

MD5
7ba7b62e466e1df58cb57b02272c4a67

SHA1
00f0106f5a1848741f16d85c02516cbac72e618d

SHA256
14ffcf4defc8b6aef13a354c99863f13c42e7d89a4530d273c582efede98e423

SHA512
12a9f94035cb7e8b0b106234f96475dc9335a6f46872eec0881ee6193529905783e969f7b2c61f8d3fbdd0147764e75acfaf35a36dc402b7eb8da94193b2bd23

Download Submit
C:\Users\Admin\Desktop\RemoveCopy.js

Filesize
392KB

MD5
ac4d79f016edadbc945e1428d978391e

SHA1
d765ce43d0e28c19b01b737f571f1230eb4fa789

SHA256
c060e02ec58355c3e447ef36c2d116d51a866400554ed6ae2e77fd1acdfd9b77

SHA512
6fb25e81b81309694fe115f44136fabd64fa870a1f917fdbaf925717e19b2649f32fbfb37c40babb4481d75e4472e998da3efe4ea3ad5f6495acc6bb10b543af

Download Submit
C:\Users\Admin\Desktop\RenameDisconnect.cab

Filesize
785KB

MD5
b5ec8789a46e887e25073324ec2b7160

SHA1
70eeb6412d645cbad4b8ed2b70ae95aa0dced59f

SHA256
bb18e1dc4f5a5752f9634870bca2d12bcc1f16df6c38c11de8b00dbf315a7890

SHA512
b976261ff6ff13e3a1dc1478d1ab98be08ae98144001687bf374250bf33fe75efcf0a404d5cfe53e6d22732d4af01cc64c614797cef300bb64c8fc5e148608bc

Download Submit
C:\Users\Admin\Desktop\ResetUse.ex_

Filesize
997KB

MD5
603c156208fb0ab17d0df475209560cc

SHA1
580bffbbb675ca4ffda0bd18cf657048dd1f5097

SHA256
a1bd31f2461db806446e84744c1f17b9fea6bc6af8220e7ce2effac3776c293f

SHA512
e991bfe320893efe960767fc3e6f7433ab04bc6609ce009bd63a2a345917d0802868557c435d73eef9b72b005af3c6a55a3c05fb8fc33702eb3e49f794aae208

Download Submit
C:\Users\Admin\Desktop\RestoreRevoke.dotm

Filesize
1.0MB

MD5
7193848364e563e40b59669e046b403f

SHA1
3c887ce10c15aa2cd1459529d1bca1d554d6a96f

SHA256
a02883befc9d48a5fb6877cc1ac2f38bcd7e5432e6ab601862f523df7d487616

SHA512
78bf06a67774ad10357bcf7fd47fddaaa43a1b810f175e2663d4c202e53465bfbfdd22e81123b850ea3faad12cfec6bd0a868ffa6deb4ffedbd48074d772a5c1

Download Submit
C:\Users\Admin\Desktop\ResumeConvert.mpp

Filesize
604KB

MD5
8c4d9c19175b24957d5249950d06a0ff

SHA1
0fd1cd757b66fa9d572f3552c00a8c2fe78ebdcd

SHA256
93b438a7711661ba8f7bcaf6b0c30bb37c31908206fd300e9b63f50ed320de1d

SHA512
1ba3b69f14743730e717a6706b1598bf675a80d9aff8a93acbc075f788ddde3ec1864b4da36c81558266f50650f8daf11934be638de964a0a626b3bc57bafee4

Download Submit
C:\Users\Admin\Desktop\ResumeOptimize.jpg

Filesize
755KB

MD5
5b70213e24b50f26d1bb0b344d840ca2

SHA1
abd767b52b64dd6bfcc10210268da009e0ff8290

SHA256
217c4e9dbc5be66835cd4a249b53313ea17c7aeaa42b673a90e1d38e964215a4

SHA512
1b3f58d7b3b000e82a095f95e9ba86b6e1e3198f2ca838820d4165d6325c924a252c77b5a8c8a91e147cea2adde71d7311e1915f4b957560b7237c582afbda4b

Download Submit
C:\Users\Admin\Desktop\ResumeWrite.sys

Filesize
967KB

MD5
8fed8ab0963621679eb1700fe97549cc

SHA1
7e8b38fc6ba8a90e8ac0f42a7608e7b63ad0e0c8

SHA256
eec3df96dd35bd087dc00ee8e24c6964efe83a72bd1cb316897a120f04fa14f1

SHA512
0f0e4dcf490a640198cb221e4855e2d2f647648c6b8133acd1aa47c4355c2318106bdbbaef5a364dc4afb362a47de9fdc26b9b76d32157cb4fa3bc93faa58018

Download Submit
C:\Users\Admin\Desktop\UpdateLimit.mp4

Filesize
574KB

MD5
18552f083029d5751ef0f82a2ae051db

SHA1
21645c84ad08ee8a06e23f47498eab18390ace10

SHA256
d6043f63b0fcf49d3a52579731fe7bc77f88f34ac603bf9f7ea41cc1680d6a10

SHA512
f7545085ba7d778a7662911302d93a637f1598b95cea1464c88ef2f402e4982e50b84b1669a1cfa2fd5b2f3abc729bda03065a899b209ec64750819407f871e9

Download Submit
C:\Users\Admin\Downloads\CheckpointUnblock.docx

Filesize
558KB

MD5
1b790c7a59eeca342d6b686241fb4611

SHA1
cb5d3cc8509dffacb21cbd74f5c731dc29267feb

SHA256
c2d6ac7f45725649188f173cde1c7fb3b74cd3a965f413eedfe4295498a85d6b

SHA512
d94abbc7c1efca26a8b4e2f70d351442b61550b632947bc2a446bb1fce30d11167374941c4a765b518800e87bc211a3c9d26fc13030c17592e280cabdb060493

Download Submit
C:\Users\Admin\Downloads\CompareShow.eps

Filesize
289KB

MD5
a9e4db35c63cd2362ecffd1cef1c1525

SHA1
7b6867ef9015affb2e4759452bea8f4bfe3d8e51

SHA256
40f202104f1ff6014ef85d8e8ea62ddee7d4b4320d2116e1acaaebf54cd16b74

SHA512
3ba4d245a52e012c5e2baa272004faf1bcbedce99002dd4252aa3a648a6afe7c2aab7ab27a19a1df58fe0601ca8fb30cccfa246453d0c1e64dcff20314b1dbcc

Download Submit
C:\Users\Admin\Downloads\CompressRestore.ogg

Filesize
491KB

MD5
b3da2f67f2ffe4415d37b171bdbfcd1f

SHA1
1b21ba06cfe88efe8f7225caaecd11b93c790eae

SHA256
ebcec0ee3259d4b423af9c67b339a345a4f9a9a76033fc30fafba5d3cdd74e88

SHA512
8dc5ae0d723d2c065db605fb114d63dfc354a71d5e011600e9220881dc4b56113182fda613b6d040a4088692fb47dc88192f14b615875319edf58596d410a1a2

Download Submit
C:\Users\Admin\Downloads\ConvertToStop.ttf

Filesize
451KB

MD5
9fcd8ebafa7cb1915d464b6385ea934d

SHA1
fc919646dd6cac4a226fbda3e6f04d0718fc758a

SHA256
f7d4863e55957bae87a5e7776d504e454018d98dabfba6a28d964fd39722e3d3

SHA512
32c90fc3654683669cebab429db453013fccb15a2610b003e6a0a57b3e06021097e3d49754a2cc9952ac47290f04653f6904c08220b265337faf10ffa7684cd4

Download Submit
C:\Users\Admin\Downloads\CopyUpdate.m1v

Filesize
679KB

MD5
6fce72c12ad41086b5b4e2755eb9f98a

SHA1
5798aed6e45e615b47a8f7ada088df1312dc29d9

SHA256
378ed5bf9237e588ad3d293e6d14fc7fc90e057703ff02037043a9f80fd5db3f

SHA512
0a9e2680a450f37c4b5795cb61e45c19cefeeed3c169396290def94e7f9aa929f2249f5f74461a30702c5d2bdace93ec23486c485a29adb984e4a49efb8ff670

Download Submit
C:\Users\Admin\Downloads\DenyWait.3gp2

Filesize
693KB

MD5
3cfb1a0d1326f1c0038d7aacc0856f5a

SHA1
8e9a8277258a3c1cf0c65aab56aa088f0742d877

SHA256
d22bde2fe0652d62cc69e56db3050c37c7425a38bb9842ffc7c5acdba79dd7fa

SHA512
d21b0114723c678d8bf610ef9b7939a5fc336427c91a8ebce5ebc50eda1bc92d908f3f3413e45e2b6a59fd667ff9de85f4da610fedbdc156c20ed6460176dac2

Download Submit
C:\Users\Admin\Downloads\DisableBlock.mov

Filesize
599KB

MD5
c8baabc7b78500d0706f753618491c60

SHA1
62bf39b0add21b76b5c154ff9dc117fe41dd1f21

SHA256
c380f23bbde6190fcc789df4ba15dcdf6169cb4251eb8ca921a568b6f13db0c1

SHA512
cb3fb1d5cba9241420eb49bcdc1ba35682df7c70286d81435c0018a5f542dc5c408793c7547b4bb971315f4aa24db989db36cfd2b0ece433fba15b9322a95b3d

Download Submit
C:\Users\Admin\Downloads\ExportSwitch.shtml

Filesize
410KB

MD5
fe3dede1e49b508474aa437ab429f010

SHA1
7e75cc2e658fb43c71652b2586ff1eee7312c471

SHA256
ecd4df48c5908f6029e29b694e53340e28f7c8c99bd2829ccf7faab8665f0c3d

SHA512
76f35929b58de19b9e1c13bbd75050fa191a0506dc67c50cb1009d5051d2f64e8869e7c9455b0f85f755f22bbe6035f688cb1e72478695500eda709210e29640

Download Submit
C:\Users\Admin\Downloads\FormatMove.dotm

Filesize
356KB

MD5
db0b8466010f07b6b1237563a3720761

SHA1
2f1424447580b7069de41804dc986d2765ff1576

SHA256
ae558e9734be099323d802c00f941fe455c66c62afac67e1859a6ccc14c1aa59

SHA512
778c147c910ebcaf0d726a5f3283df1ee96d12c5eeb905f66f714506b0086038102a67b6da942c9c1358c97a8d2761b3834e2e3895f3d9216c007ba3c7c1cb26

Download Submit
C:\Users\Admin\Downloads\ProtectResize.wmx

Filesize
572KB

MD5
aa7c045fdce503ca4dbddebab71bb430

SHA1
6e3c1180f634cead5166641032af6aa9cc4b7629

SHA256
096d4f3a6e982bfc32268c929babd3016680bf875b9109d6c971143ec792c7c0

SHA512
73d35215968f866107977e28e068bf44df9669a4bd225fd1ef37e92505da3c4d43bb821f3bd9f287c2fcd3ea47eafff24fbbfad2d9892807d13f71b7f2f51fe9

Download Submit
C:\Users\Admin\Downloads\PublishClear.DVR

Filesize
747KB

MD5
bd225c845b989a208aad08773938fb01

SHA1
1bb12f78b3158879c19b32be89e40037c180c03b

SHA256
462a783a36b3d2597833770b3de964eb35f8bf94f3c99914b7e25802b3e1af51

SHA512
8280f894e0075d1e7d9bec60da9124886b96a6666ac6fc280f464648d5e55f8cbe9cc3a82749a2022c8ca1ae68184f97c6c0ecb09f202b511447bfb65eabb8c4

Download Submit
C:\Users\Admin\Downloads\PublishComplete.cfg

Filesize
276KB

MD5
8e10a96375f70d81a8fc5a4150e78c62

SHA1
0155ba32f89cc31a0d9fffda5a5e07e0d2623abf

SHA256
1b3c035a2bcd50c4f411dac521723c991e51b99ce5799f7ef81adf463672c516

SHA512
3f4dfd12a62ad95f339947f619326f81cdaa4483dd3ce3e968ea24af8c732bb9690c451ae85cfca0f33a422e4a1c5d1202029fdce1395a96a92c5c8bda800a2d

Download Submit
C:\Users\Admin\Downloads\PublishGrant.mp4

Filesize
760KB

MD5
11008d8d743c780dd638ce530f74db36

SHA1
c21cf92702e76cbecddb67c0473f215623aa042c

SHA256
ea283fbad7ece94956381fd58d5bfae64b94f64d79dc8c2129300dce31c89028

SHA512
abd56f291c601cc62dba42cbe68912cca208ba7539537efb7331c5ca3aa829b5fa7ca4dbfd1a78e69ea61d15e34d0c4a00afc526b630f282faa0bb4e944e0144

Download Submit
C:\Users\Admin\Downloads\PushPing.xlt

Filesize
1.0MB

MD5
0d4bc7e0b9e6bd30c2d8f9fb4661532f

SHA1
6a295fd6d0e6fec308bc6d8d5b112e24e2785fb3

SHA256
67b4080ebb4eaa1f3bab395a816579b96fc3693dfed1849fa8899d551a6b7006

SHA512
2c488d908051ad5f201cfc87a997cd06e07f39b9403eb9dce3953c70bfbb5a2bd3ed5b2ee9c4a2fad03a06f7d0a2bb976f4b3bc11fc91230904560749ab46dd8

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry.zip

Filesize
3.3MB

MD5
efe76bf09daba2c594d2bc173d9b5cf0

SHA1
ba5de52939cb809eae10fdbb7fac47095a9599a7

SHA256
707a9f323556179571bc832e34fa592066b1d5f2cac4a7426fe163597e3e618a

SHA512
4a1df71925cf2eb49c38f07c6a95bea17752b025f0114c6fd81bc0841c1d1f2965b5dda1469e454b9e8207c2e0dfd3df0959e57166620ccff86eeeb5cf855029

Download Submit
C:\Users\Admin\Downloads\ReceiveProtect.temp

Filesize
464KB

MD5
d722b4153d91e9cc0f2eb3d303a05d19

SHA1
eb4ac66a2c91d5694ac6f4d1a78d64b3005f249e

SHA256
64c416197c11cd92248fcf0ba6f9a0dd800fe96f1c2b57cc0c8b1bda8f7b9013

SHA512
4175bbbfe43eacdcee74156ad0b71240946e7467db604a48180e3ce38d1650a7f01120f6e605eab7ce7f3c826c3f06309047d571694faa190984aa658e45b05b

Download Submit
C:\Users\Admin\Downloads\RegisterMeasure.mid

Filesize
302KB

MD5
93372ed2c8589a07ea7f1fa3beb4f9fa

SHA1
94ec0f49ece048de036c7011d66351f1ff0f056e

SHA256
9a252844d13dbc107159e322653d4fc15c3087230518b38d7a2482cbe234baf2

SHA512
bdf30c055f051082b3c9a94f955165eecb73178a85a202cf68426aa8d92075f78da03f6a6787c5c40f0671a7e96d96a5c767f0159851d15537f5ba4cd0681ce1

Download Submit
C:\Users\Admin\Downloads\RenameWrite.doc

Filesize
316KB

MD5
7a80826df3fe05fc513d4c04426c7cf2

SHA1
17185ca180842066fb68998b58a2fa2e73752830

SHA256
db33dc470617537f71faf00f84052d84955637522f5f20cffc17668bc59acc19

SHA512
03863a2387e558715b44392cc310a4abf10ae3af5ef8f74fd2d49bdd269b46b8ee5ccebcf334c3440cc90da19a286e246758f467f2d21625eb10d47a55831328

Download Submit
C:\Users\Admin\Downloads\ResolveLimit.contact

Filesize
612KB

MD5
0b3cc6c843a821ebbec86905f438bc86

SHA1
aaf705dfa5a4eb3b43f705c237dbaa77e3bcc45c

SHA256
736d1f66c19f332b42b31caf8be6cae6375b0f2a787fe39839f5c44dddd2b560

SHA512
8e0f56969199d391ddf086b8960051fb3bd30c91d9076f628896a392a38486cde542c1c83a2c3b026176d0bb6c7acc5c647d67ded0db67c9b503ae02c595ba82

Download Submit
C:\Users\Admin\Downloads\ResolveUnblock.rm

Filesize
397KB

MD5
436321e83122acec069cedf47a7b20d2

SHA1
4b4fc7b02849c206e5f32f590c9d8d45fddc3f80

SHA256
8f4154138adc7c8289e1ccbfa3132d07eba746f575214466a985020bb3b03b2c

SHA512
339fa95489426736b126591a97c77c2034e33c963918f28c82fa4f9684617fc15c291ee39238d95af00886ccd962d757019ad24e1653d238074df789e425f4c6

Download Submit
C:\Users\Admin\Downloads\ResumeCopy.vbs

Filesize
653KB

MD5
f142e6e37788866fd97fc078a2b9845f

SHA1
1f5a2c1afd962f627bc955b3a278f2a41ed67442

SHA256
a01ba3f7070ecb699184807f1ae5ad64f2211df8a079866781069f2320955967

SHA512
0da7ead93ebe1f2db471e3681b0d2ed9c370fde9a05a48e7d5af0bbd10c58f364ccd402bb463e67a8580af1a18e396e6aed4b264b85fb1b001032ca4a6ac78e0

Download Submit
C:\Users\Admin\Downloads\SaveCheckpoint.xlsm

Filesize
639KB

MD5
c8619821ef5f4181b5d4a2d0fc2b8b08

SHA1
6cf32727d7bd4e4fbacaf0379f5528bc23256d02

SHA256
beff183eeb13e7a6706db297bc7753628ad25fc4f53e7f863043c4dcf60af313

SHA512
6757ee0cfb2e9e5f7c091a628d60e442187f74857348149d19569f9eb86a0f41dc854a3a6c42c30ece6a58a483ea774553b8635b6416260896f4b4f0acec96d2

Download Submit
C:\Users\Admin\Downloads\SearchResume.jpeg

Filesize
383KB

MD5
97ba8b1126d17118bb687a5e68c6701f

SHA1
e728a38ce5a9e083d226af75755820c4259d6f79

SHA256
bf1e0b9e7ef9eeea81f7d772b7bc6a46a679177b6ebea71291bb46ec975ea7f8

SHA512
b5593bedfa5fee30d0db496b606019a618dbbf7efcaf2c0e760a90bb05ec08929b8bdcb67c74d08d677426387a72d5dcc12a09694ef2dbb31989ff44102aac88

Download Submit
C:\Users\Admin\Downloads\ShowSplit.reg

Filesize
666KB

MD5
b4ee943d533248099baa0de9a04d0a8a

SHA1
1357d087d7ebbdaafa2fd5a49cf671049e07a7aa

SHA256
4910b53a5bc6cbb448826696f9a0c3a7fe8308b22d3a1cc3d01b2ad53ca61d7f

SHA512
14496d945d5f04c8f517ba64485af7391655dd8685767e065139d5d3efa5d1d0c2ba012859aea6e0c4f7266590e36f3edcf2335c5466e4c555a24cf01af325df

Download Submit
C:\Users\Admin\Downloads\StepUndo.AAC

Filesize
343KB

MD5
5ac5792b5885a187a022ded54f0c40da

SHA1
a76f122700cd9f91b7cae49d4df66436f31a5eb0

SHA256
8de8c3d8277817fb63b4d662367cf6d22b4ec7bf8e6d8d4d301b2c7c32e33fe3

SHA512
7c77d215c16049158804e47e9f6aa5a287c04ff2bc48c3edacabd6afa0e641b45c17d2de1349497e125c23287651c9a72a446c02aeb5a2021e349e12d0e9b859

Download Submit
C:\Users\Admin\Downloads\UnprotectStep.mhtml

Filesize
504KB

MD5
54052fe68d05434942df9162e0d9a69f

SHA1
f917111eebdb331f611fd2429c2c753dcdc14796

SHA256
8cf6549a7fedc04af9a059d3b3205450ec410fa1a86446790a63cc2a38d6d893

SHA512
be67ff48012b3cd2b256747cd0fcddee2a036a3113c035be391ae1dd8bc6a6fbcffb1ed96f1f636796f96831c15242a4f7c47f537b12a469939ee21618da7f78

Download Submit
C:\Users\Admin\Downloads\UpdateMount.docm

Filesize
329KB

MD5
403cc90e197feb9e72b5fbeec5e0c6c2

SHA1
3a461f50a8352847a506b527adc5c5832bc47bc7

SHA256
dc6798d0218202037629e736b41fad580984acc88018a057ad632861c000bc09

SHA512
b13cd9f42274c0b0ef756976e2be97d1b07d753b52d3593b357cd73b7bea90520124342e5717fd6e3cceaae8379d01f10c5bf48490b62784879d7c1187f9b56f

Download Submit
C:\Users\Admin\Downloads\WatchGet.ttc

Filesize
262KB

MD5
99ad831efa11280a316ff4e83928aca7

SHA1
ec12fd22b96a3104793b59ade5cc109a08228ed6

SHA256
392d11c0ca4f82d53a1aa5727aafa1b61ade359446219ed48fbf2d35e7307601

SHA512
3ac1cab1863ae712316d21eb13ca63393a117d16862f1972d0c2726e847b420d2f9472ef0698c79230f095c1aa030f9b1fdbe69859a59f0ba47877d2c0e6b9d4

Download Submit
C:\Users\Admin\Downloads\WriteConvertFrom.mpe

Filesize
626KB

MD5
1054cc6ac3f7d4e761c25b46bd3a8ac4

SHA1
e0af7d6395567120bab5c6870c6ec525265f4046

SHA256
7f2ab357cc07a7f480ea2a19c45e4a9099d5ddda6d1b965a8a820f5a27be4c08

SHA512
47b465242e73ff752fd405e88bbbbca3acb3c83e817630098b3411df877002a8f21933cdcdb19a799ee57ffaf4dc884c83c32b330639e5d70c46ecd5af310309

Download Submit
C:\Users\Default\Desktop\@[email protected]

Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
\??\pipe\crashpad_3816_GXFELKDHIYMLYSJY

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2312-713-0x0000016978500000-0x0000016978502000-memory.dmp

Filesize
8KB

Download
memory/2312-941-0x0000016978A80000-0x0000016978AA0000-memory.dmp

Filesize
128KB

Download
memory/2312-688-0x00000169773E0000-0x00000169773E2000-memory.dmp

Filesize
8KB

Download
memory/2312-692-0x0000016977420000-0x0000016977422000-memory.dmp

Filesize
8KB

Download
memory/2312-683-0x0000016976860000-0x0000016976862000-memory.dmp

Filesize
8KB

Download
memory/2312-685-0x0000016976880000-0x0000016976882000-memory.dmp

Filesize
8KB

Download
memory/2312-1232-0x0000016978560000-0x0000016978562000-memory.dmp

Filesize
8KB

Download
memory/2312-1141-0x0000016979B00000-0x0000016979C00000-memory.dmp

Filesize
1024KB

Download
memory/2312-675-0x0000016976040000-0x0000016976140000-memory.dmp

Filesize
1024KB

Download
memory/2312-695-0x0000016977430000-0x0000016977432000-memory.dmp

Filesize
8KB

Download
memory/2312-1105-0x00000169781E0000-0x00000169782E0000-memory.dmp

Filesize
1024KB

Download
memory/2312-986-0x0000016976EF0000-0x0000016976FF0000-memory.dmp

Filesize
1024KB

Download
memory/2312-690-0x0000016977400000-0x0000016977402000-memory.dmp

Filesize
8KB

Download
memory/2312-709-0x00000169784C0000-0x00000169784C2000-memory.dmp

Filesize
8KB

Download
memory/2312-985-0x0000016976EF0000-0x0000016976FF0000-memory.dmp

Filesize
1024KB

Download
memory/2312-681-0x0000016976840000-0x0000016976842000-memory.dmp

Filesize
8KB

Download
memory/2312-852-0x0000016977210000-0x0000016977230000-memory.dmp

Filesize
128KB

Download
memory/2312-679-0x0000016976810000-0x0000016976812000-memory.dmp

Filesize
8KB

Download
memory/2312-711-0x00000169784E0000-0x00000169784E2000-memory.dmp

Filesize
8KB

Download
memory/2312-715-0x0000016978510000-0x0000016978512000-memory.dmp

Filesize
8KB

Download
memory/3636-739-0x0000028FD1710000-0x0000028FD1711000-memory.dmp

Filesize
4KB

Download
memory/3636-628-0x0000028FCA730000-0x0000028FCA740000-memory.dmp

Filesize
64KB

Download
memory/3636-738-0x0000028FD1700000-0x0000028FD1701000-memory.dmp

Filesize
4KB

Download
memory/3636-611-0x0000028FCA620000-0x0000028FCA630000-memory.dmp

Filesize
64KB

Download
memory/3636-1332-0x0000028FCE920000-0x0000028FCE922000-memory.dmp

Filesize
8KB

Download
memory/3636-646-0x0000028FC9770000-0x0000028FC9772000-memory.dmp

Filesize
8KB

Download
memory/3636-1335-0x0000028FC97C0000-0x0000028FC97C1000-memory.dmp

Filesize
4KB

Download
memory/4568-654-0x000001AD42F00000-0x000001AD43000000-memory.dmp

Filesize
1024KB

Download
memory/4568-655-0x000001AD42F00000-0x000001AD43000000-memory.dmp

Filesize
1024KB

Download