wannacry | 91042c10359fc942d006b21a21597a648ded58612cbb24ecf52664a785e1624b

Analysis

max time kernel
476s
max time network
476s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
27-06-2024 08:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Cmd Emulator.exe
Size

90KB
MD5

478b63bc955fa6b9cfebf8746ef50fc9
SHA1

698995cd1d6f062b937028c161e8d52f0ac7356f
SHA256

91042c10359fc942d006b21a21597a648ded58612cbb24ecf52664a785e1624b
SHA512

7aef699fc3074d90e921ac38b575b7dbdd0dd95a9e26973fbe17bf602c40ca6cb058448ee09fda4d9e64cf65a77a855a493055e18e803d243248e6be3ecaeba5
SSDEEP

768:Xy8I80jk9UqQFWv0ygho3wlrq3pOKBE5yiJV392AJ9gm:Xy8HskaXWvUhIwlCpTBiyiJ/23m

Score

10^/10

wannacry defense_evasion discovery execution impact persistence ransomware worm

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94 Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Downloads MZ/PE file

Drops startup file 2 IoCs

Processes:

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDC1FE.tmp	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDC1F7.tmp	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

Executes dropped EXE 30 IoCs

Processes:

vc_redist.x64.exevc_redist.x64.exetaskdl.exe@[email protected]@[email protected]taskhsvc.exetaskdl.exetaskse.exe@[email protected]taskdl.exe@[email protected]taskse.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exe@[email protected]taskse.exetaskdl.exe@[email protected]taskse.exetaskdl.exetaskse.exe@[email protected]taskdl.exe

pid	process
1288	vc_redist.x64.exe
2792	vc_redist.x64.exe
2288	taskdl.exe
2872	@[email protected]
3408	@[email protected]
4020	taskhsvc.exe
2312	taskdl.exe
4624	taskse.exe
1816	@[email protected]
3972	taskdl.exe
3584	@[email protected]
2280	taskse.exe
3084	taskse.exe
1116	@[email protected]
200	taskdl.exe
4472	taskse.exe
5036	@[email protected]
4452	taskdl.exe
2620	taskse.exe
1584	@[email protected]
1652	taskdl.exe
4436	@[email protected]
4616	taskse.exe
2576	taskdl.exe
3636	@[email protected]
896	taskse.exe
1576	taskdl.exe
1424	taskse.exe
868	@[email protected]
876	taskdl.exe

Loads dropped DLL 8 IoCs

Processes:

vc_redist.x64.exetaskhsvc.exe

pid process

2792 vc_redist.x64.exe
4020 taskhsvc.exe
4020 taskhsvc.exe
4020 taskhsvc.exe
4020 taskhsvc.exe
4020 taskhsvc.exe
4020 taskhsvc.exe
4020 taskhsvc.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

4284 icacls.exe

pid	process
2792	vc_redist.x64.exe
4020	taskhsvc.exe
4020	taskhsvc.exe
4020	taskhsvc.exe
4020	taskhsvc.exe
4020	taskhsvc.exe
4020	taskhsvc.exe
4020	taskhsvc.exe

pid	process
4284	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iktoyyfgvmkopm952 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Temp1_Ransomware.WannaCry.zip\\tasksche.exe\""	reg.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

129 raw.githubusercontent.com
130 raw.githubusercontent.com

flow	ioc
129	raw.githubusercontent.com
130	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe@[email protected]

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 5 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2780	4852	WerFault.exe	wanakiwi.exe
1704	4052	WerFault.exe	wanakiwi.exe
3104	2020	WerFault.exe	wanakiwi.exe
3700	4836	WerFault.exe	wanakiwi.exe
3688	4628	WerFault.exe	wanakiwi.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133639498688889014"	chrome.exe

Modifies registry class 4 IoCs

Processes:

OpenWith.execmd.exeOpenWith.exechrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings	chrome.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

756 reg.exe

pid	process
756	reg.exe

NTFS ADS 4 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Ransomware.WannaCry.zip:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\wanakiwi.7z:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\wanakiwi.zip:Zone.Identifier	chrome.exe
File opened for modification	C:\Users\Admin\Downloads\vc_redist.x64.exe:Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exechrome.exetaskhsvc.exewanakiwi.exewanakiwi.exe

pid	process
4808	chrome.exe
4808	chrome.exe
4836	chrome.exe
4836	chrome.exe
4020	taskhsvc.exe
4020	taskhsvc.exe
4020	taskhsvc.exe
4020	taskhsvc.exe
4020	taskhsvc.exe
4020	taskhsvc.exe
4852	wanakiwi.exe
4852	wanakiwi.exe
4852	wanakiwi.exe
4852	wanakiwi.exe
4852	wanakiwi.exe
4852	wanakiwi.exe
4852	wanakiwi.exe
4852	wanakiwi.exe
4852	wanakiwi.exe
4852	wanakiwi.exe
4852	wanakiwi.exe
4852	wanakiwi.exe
4852	wanakiwi.exe
4852	wanakiwi.exe
4852	wanakiwi.exe
4852	wanakiwi.exe
4852	wanakiwi.exe
4852	wanakiwi.exe
4852	wanakiwi.exe
4852	wanakiwi.exe
4852	wanakiwi.exe
4852	wanakiwi.exe
4852	wanakiwi.exe
4852	wanakiwi.exe
4852	wanakiwi.exe
4852	wanakiwi.exe
4852	wanakiwi.exe
4852	wanakiwi.exe
4052	wanakiwi.exe
4052	wanakiwi.exe
4052	wanakiwi.exe
4052	wanakiwi.exe
4052	wanakiwi.exe
4052	wanakiwi.exe
4052	wanakiwi.exe
4052	wanakiwi.exe
4052	wanakiwi.exe
4052	wanakiwi.exe
4052	wanakiwi.exe
4052	wanakiwi.exe
4052	wanakiwi.exe
4052	wanakiwi.exe
4052	wanakiwi.exe
4052	wanakiwi.exe
4052	wanakiwi.exe
4052	wanakiwi.exe
4052	wanakiwi.exe
4052	wanakiwi.exe
4052	wanakiwi.exe
4052	wanakiwi.exe
4052	wanakiwi.exe
4052	wanakiwi.exe
4052	wanakiwi.exe
4052	wanakiwi.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 22 IoCs

Processes:

chrome.exe

pid	process
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	4808	chrome.exe
Token: SeCreatePagefilePrivilege	4808	chrome.exe
Token: SeShutdownPrivilege	4808	chrome.exe
Token: SeCreatePagefilePrivilege	4808	chrome.exe
Token: SeShutdownPrivilege	4808	chrome.exe
Token: SeCreatePagefilePrivilege	4808	chrome.exe
Token: SeShutdownPrivilege	4808	chrome.exe
Token: SeCreatePagefilePrivilege	4808	chrome.exe
Token: SeShutdownPrivilege	4808	chrome.exe
Token: SeCreatePagefilePrivilege	4808	chrome.exe
Token: SeShutdownPrivilege	4808	chrome.exe
Token: SeCreatePagefilePrivilege	4808	chrome.exe
Token: SeShutdownPrivilege	4808	chrome.exe
Token: SeCreatePagefilePrivilege	4808	chrome.exe
Token: SeShutdownPrivilege	4808	chrome.exe
Token: SeCreatePagefilePrivilege	4808	chrome.exe
Token: SeShutdownPrivilege	4808	chrome.exe
Token: SeCreatePagefilePrivilege	4808	chrome.exe
Token: SeShutdownPrivilege	4808	chrome.exe
Token: SeCreatePagefilePrivilege	4808	chrome.exe
Token: SeShutdownPrivilege	4808	chrome.exe
Token: SeCreatePagefilePrivilege	4808	chrome.exe
Token: SeShutdownPrivilege	4808	chrome.exe
Token: SeCreatePagefilePrivilege	4808	chrome.exe
Token: SeShutdownPrivilege	4808	chrome.exe
Token: SeCreatePagefilePrivilege	4808	chrome.exe
Token: SeShutdownPrivilege	4808	chrome.exe
Token: SeCreatePagefilePrivilege	4808	chrome.exe
Token: SeShutdownPrivilege	4808	chrome.exe
Token: SeCreatePagefilePrivilege	4808	chrome.exe
Token: SeShutdownPrivilege	4808	chrome.exe
Token: SeCreatePagefilePrivilege	4808	chrome.exe
Token: SeShutdownPrivilege	4808	chrome.exe
Token: SeCreatePagefilePrivilege	4808	chrome.exe
Token: SeShutdownPrivilege	4808	chrome.exe
Token: SeCreatePagefilePrivilege	4808	chrome.exe
Token: SeShutdownPrivilege	4808	chrome.exe
Token: SeCreatePagefilePrivilege	4808	chrome.exe
Token: SeShutdownPrivilege	4808	chrome.exe
Token: SeCreatePagefilePrivilege	4808	chrome.exe
Token: SeShutdownPrivilege	4808	chrome.exe
Token: SeCreatePagefilePrivilege	4808	chrome.exe
Token: SeShutdownPrivilege	4808	chrome.exe
Token: SeCreatePagefilePrivilege	4808	chrome.exe
Token: SeShutdownPrivilege	4808	chrome.exe
Token: SeCreatePagefilePrivilege	4808	chrome.exe
Token: SeShutdownPrivilege	4808	chrome.exe
Token: SeCreatePagefilePrivilege	4808	chrome.exe
Token: SeShutdownPrivilege	4808	chrome.exe
Token: SeCreatePagefilePrivilege	4808	chrome.exe
Token: SeShutdownPrivilege	4808	chrome.exe
Token: SeCreatePagefilePrivilege	4808	chrome.exe
Token: SeShutdownPrivilege	4808	chrome.exe
Token: SeCreatePagefilePrivilege	4808	chrome.exe
Token: SeShutdownPrivilege	4808	chrome.exe
Token: SeCreatePagefilePrivilege	4808	chrome.exe
Token: SeShutdownPrivilege	4808	chrome.exe
Token: SeCreatePagefilePrivilege	4808	chrome.exe
Token: SeShutdownPrivilege	4808	chrome.exe
Token: SeCreatePagefilePrivilege	4808	chrome.exe
Token: SeShutdownPrivilege	4808	chrome.exe
Token: SeCreatePagefilePrivilege	4808	chrome.exe
Token: SeShutdownPrivilege	4808	chrome.exe
Token: SeCreatePagefilePrivilege	4808	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exe

pid	process
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe

Suspicious use of SendNotifyMessage 16 IoCs

Processes:

chrome.exe

pid	process
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe
4808	chrome.exe

Suspicious use of SetWindowsHookEx 15 IoCs

Processes:

@[email protected]@[email protected]@[email protected]OpenWith.exe@[email protected]OpenWith.exe@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]

pid	process
2872	@[email protected]
2872	@[email protected]
3408	@[email protected]
3408	@[email protected]
1816	@[email protected]
1816	@[email protected]
4828	OpenWith.exe
3584	@[email protected]
3368	OpenWith.exe
1116	@[email protected]
5036	@[email protected]
1584	@[email protected]
4436	@[email protected]
3636	@[email protected]
868	@[email protected]

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 4808 wrote to memory of 3376	4808	chrome.exe	chrome.exe
PID 4808 wrote to memory of 3376	4808	chrome.exe	chrome.exe
PID 4808 wrote to memory of 3456	4808	chrome.exe	chrome.exe
PID 4808 wrote to memory of 3456	4808	chrome.exe	chrome.exe
PID 4808 wrote to memory of 3456	4808	chrome.exe	chrome.exe
PID 4808 wrote to memory of 3456	4808	chrome.exe	chrome.exe
PID 4808 wrote to memory of 3456	4808	chrome.exe	chrome.exe
PID 4808 wrote to memory of 3456	4808	chrome.exe	chrome.exe
PID 4808 wrote to memory of 3456	4808	chrome.exe	chrome.exe
PID 4808 wrote to memory of 3456	4808	chrome.exe	chrome.exe
PID 4808 wrote to memory of 3456	4808	chrome.exe	chrome.exe
PID 4808 wrote to memory of 3456	4808	chrome.exe	chrome.exe
PID 4808 wrote to memory of 3456	4808	chrome.exe	chrome.exe
PID 4808 wrote to memory of 3456	4808	chrome.exe	chrome.exe
PID 4808 wrote to memory of 3456	4808	chrome.exe	chrome.exe
PID 4808 wrote to memory of 3456	4808	chrome.exe	chrome.exe
PID 4808 wrote to memory of 3456	4808	chrome.exe	chrome.exe
PID 4808 wrote to memory of 3456	4808	chrome.exe	chrome.exe
PID 4808 wrote to memory of 3456	4808	chrome.exe	chrome.exe
PID 4808 wrote to memory of 3456	4808	chrome.exe	chrome.exe
PID 4808 wrote to memory of 3456	4808	chrome.exe	chrome.exe
PID 4808 wrote to memory of 3456	4808	chrome.exe	chrome.exe
PID 4808 wrote to memory of 3456	4808	chrome.exe	chrome.exe
PID 4808 wrote to memory of 3456	4808	chrome.exe	chrome.exe
PID 4808 wrote to memory of 3456	4808	chrome.exe	chrome.exe
PID 4808 wrote to memory of 3456	4808	chrome.exe	chrome.exe
PID 4808 wrote to memory of 3456	4808	chrome.exe	chrome.exe
PID 4808 wrote to memory of 3456	4808	chrome.exe	chrome.exe
PID 4808 wrote to memory of 3456	4808	chrome.exe	chrome.exe
PID 4808 wrote to memory of 3456	4808	chrome.exe	chrome.exe
PID 4808 wrote to memory of 3456	4808	chrome.exe	chrome.exe
PID 4808 wrote to memory of 3456	4808	chrome.exe	chrome.exe
PID 4808 wrote to memory of 3456	4808	chrome.exe	chrome.exe
PID 4808 wrote to memory of 3452	4808	chrome.exe	chrome.exe
PID 4808 wrote to memory of 3452	4808	chrome.exe	chrome.exe
PID 4808 wrote to memory of 8	4808	chrome.exe	chrome.exe
PID 4808 wrote to memory of 8	4808	chrome.exe	chrome.exe
PID 4808 wrote to memory of 8	4808	chrome.exe	chrome.exe
PID 4808 wrote to memory of 8	4808	chrome.exe	chrome.exe
PID 4808 wrote to memory of 8	4808	chrome.exe	chrome.exe
PID 4808 wrote to memory of 8	4808	chrome.exe	chrome.exe
PID 4808 wrote to memory of 8	4808	chrome.exe	chrome.exe
PID 4808 wrote to memory of 8	4808	chrome.exe	chrome.exe
PID 4808 wrote to memory of 8	4808	chrome.exe	chrome.exe
PID 4808 wrote to memory of 8	4808	chrome.exe	chrome.exe
PID 4808 wrote to memory of 8	4808	chrome.exe	chrome.exe
PID 4808 wrote to memory of 8	4808	chrome.exe	chrome.exe
PID 4808 wrote to memory of 8	4808	chrome.exe	chrome.exe
PID 4808 wrote to memory of 8	4808	chrome.exe	chrome.exe
PID 4808 wrote to memory of 8	4808	chrome.exe	chrome.exe
PID 4808 wrote to memory of 8	4808	chrome.exe	chrome.exe
PID 4808 wrote to memory of 8	4808	chrome.exe	chrome.exe
PID 4808 wrote to memory of 8	4808	chrome.exe	chrome.exe
PID 4808 wrote to memory of 8	4808	chrome.exe	chrome.exe
PID 4808 wrote to memory of 8	4808	chrome.exe	chrome.exe
PID 4808 wrote to memory of 8	4808	chrome.exe	chrome.exe
PID 4808 wrote to memory of 8	4808	chrome.exe	chrome.exe
PID 4808 wrote to memory of 8	4808	chrome.exe	chrome.exe
PID 4808 wrote to memory of 8	4808	chrome.exe	chrome.exe
PID 4808 wrote to memory of 8	4808	chrome.exe	chrome.exe
PID 4808 wrote to memory of 8	4808	chrome.exe	chrome.exe
PID 4808 wrote to memory of 8	4808	chrome.exe	chrome.exe
PID 4808 wrote to memory of 8	4808	chrome.exe	chrome.exe
PID 4808 wrote to memory of 8	4808	chrome.exe	chrome.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

3232 attrib.exe
4020 attrib.exe

pid	process
3232	attrib.exe
4020	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Cmd Emulator.exe
"C:\Users\Admin\AppData\Local\Temp\Cmd Emulator.exe"
1⤵
PID:3944

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2208

C:\Users\Admin\AppData\Local\Temp\Cmd Emulator.exe
"C:\Users\Admin\AppData\Local\Temp\Cmd Emulator.exe"
1⤵
PID:1612

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4808

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8ad1dab58,0x7ff8ad1dab68,0x7ff8ad1dab78
2⤵
PID:3376

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1648 --field-trial-handle=1808,i,11379406501482171575,7558553976324083932,131072 /prefetch:2
2⤵
PID:3456

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 --field-trial-handle=1808,i,11379406501482171575,7558553976324083932,131072 /prefetch:8
2⤵
PID:3452

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2144 --field-trial-handle=1808,i,11379406501482171575,7558553976324083932,131072 /prefetch:8
2⤵
PID:8

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3088 --field-trial-handle=1808,i,11379406501482171575,7558553976324083932,131072 /prefetch:1
2⤵
PID:2032

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3096 --field-trial-handle=1808,i,11379406501482171575,7558553976324083932,131072 /prefetch:1
2⤵
PID:3692

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4196 --field-trial-handle=1808,i,11379406501482171575,7558553976324083932,131072 /prefetch:1
2⤵
PID:4648

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4440 --field-trial-handle=1808,i,11379406501482171575,7558553976324083932,131072 /prefetch:8
2⤵
PID:712

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4564 --field-trial-handle=1808,i,11379406501482171575,7558553976324083932,131072 /prefetch:8
2⤵
PID:3572

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4476 --field-trial-handle=1808,i,11379406501482171575,7558553976324083932,131072 /prefetch:8
2⤵
PID:2880

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4724 --field-trial-handle=1808,i,11379406501482171575,7558553976324083932,131072 /prefetch:8
2⤵
PID:1508

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4900 --field-trial-handle=1808,i,11379406501482171575,7558553976324083932,131072 /prefetch:8
2⤵
PID:3224

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --reenable-autoupdates --system-level
2⤵
PID:2168

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x250,0x254,0x258,0x22c,0x25c,0x7ff6ddfeae48,0x7ff6ddfeae58,0x7ff6ddfeae68
3⤵
PID:4464

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4564 --field-trial-handle=1808,i,11379406501482171575,7558553976324083932,131072 /prefetch:1
2⤵
PID:2472

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4116 --field-trial-handle=1808,i,11379406501482171575,7558553976324083932,131072 /prefetch:1
2⤵
PID:1732

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=3460 --field-trial-handle=1808,i,11379406501482171575,7558553976324083932,131072 /prefetch:1
2⤵
PID:1744

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=4184 --field-trial-handle=1808,i,11379406501482171575,7558553976324083932,131072 /prefetch:1
2⤵
PID:5048

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=5008 --field-trial-handle=1808,i,11379406501482171575,7558553976324083932,131072 /prefetch:1
2⤵
PID:5024

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=4112 --field-trial-handle=1808,i,11379406501482171575,7558553976324083932,131072 /prefetch:1
2⤵
PID:4000

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=3088 --field-trial-handle=1808,i,11379406501482171575,7558553976324083932,131072 /prefetch:1
2⤵
PID:4092

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=3404 --field-trial-handle=1808,i,11379406501482171575,7558553976324083932,131072 /prefetch:1
2⤵
PID:2240

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=2296 --field-trial-handle=1808,i,11379406501482171575,7558553976324083932,131072 /prefetch:1
2⤵
PID:3208

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=5268 --field-trial-handle=1808,i,11379406501482171575,7558553976324083932,131072 /prefetch:1
2⤵
PID:760

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=5364 --field-trial-handle=1808,i,11379406501482171575,7558553976324083932,131072 /prefetch:1
2⤵
PID:4668

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=4984 --field-trial-handle=1808,i,11379406501482171575,7558553976324083932,131072 /prefetch:1
2⤵
PID:1056

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=5636 --field-trial-handle=1808,i,11379406501482171575,7558553976324083932,131072 /prefetch:1
2⤵
PID:4236

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=5740 --field-trial-handle=1808,i,11379406501482171575,7558553976324083932,131072 /prefetch:1
2⤵
PID:2772

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2652 --field-trial-handle=1808,i,11379406501482171575,7558553976324083932,131072 /prefetch:8
2⤵
PID:2780

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2708 --field-trial-handle=1808,i,11379406501482171575,7558553976324083932,131072 /prefetch:8
2⤵
PID:712

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4656 --field-trial-handle=1808,i,11379406501482171575,7558553976324083932,131072 /prefetch:8
2⤵
PID:4892

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5620 --field-trial-handle=1808,i,11379406501482171575,7558553976324083932,131072 /prefetch:8
2⤵
- NTFS ADS
PID:3348

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5632 --field-trial-handle=1808,i,11379406501482171575,7558553976324083932,131072 /prefetch:8
2⤵
PID:2060

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5564 --field-trial-handle=1808,i,11379406501482171575,7558553976324083932,131072 /prefetch:8
2⤵
PID:456

C:\Users\Admin\Downloads\vc_redist.x64.exe
"C:\Users\Admin\Downloads\vc_redist.x64.exe"
2⤵
- Executes dropped EXE
PID:1288

C:\Users\Admin\Downloads\vc_redist.x64.exe
"C:\Users\Admin\Downloads\vc_redist.x64.exe" -burn.unelevated BurnPipe.{F2D14D01-0565-485E-B34B-3B3D8DE33EDF} {A7B2C1EA-2C56-4D3E-B7BD-F3607C1D210B} 1288
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2792

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --mojo-platform-channel-handle=4380 --field-trial-handle=1808,i,11379406501482171575,7558553976324083932,131072 /prefetch:1
2⤵
PID:3088

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --mojo-platform-channel-handle=5352 --field-trial-handle=1808,i,11379406501482171575,7558553976324083932,131072 /prefetch:1
2⤵
PID:4472

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6024 --field-trial-handle=1808,i,11379406501482171575,7558553976324083932,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4836

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4156 --field-trial-handle=1808,i,11379406501482171575,7558553976324083932,131072 /prefetch:8
2⤵
- NTFS ADS
PID:1076

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5228 --field-trial-handle=1808,i,11379406501482171575,7558553976324083932,131072 /prefetch:8
2⤵
PID:920

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --mojo-platform-channel-handle=4148 --field-trial-handle=1808,i,11379406501482171575,7558553976324083932,131072 /prefetch:1
2⤵
PID:2516

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --mojo-platform-channel-handle=5320 --field-trial-handle=1808,i,11379406501482171575,7558553976324083932,131072 /prefetch:1
2⤵
PID:4960

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --mojo-platform-channel-handle=5468 --field-trial-handle=1808,i,11379406501482171575,7558553976324083932,131072 /prefetch:1
2⤵
PID:1056

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6204 --field-trial-handle=1808,i,11379406501482171575,7558553976324083932,131072 /prefetch:8
2⤵
- NTFS ADS
PID:3828

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4184 --field-trial-handle=1808,i,11379406501482171575,7558553976324083932,131072 /prefetch:8
2⤵
PID:1512

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6192 --field-trial-handle=1808,i,11379406501482171575,7558553976324083932,131072 /prefetch:8
2⤵
- NTFS ADS
PID:1596

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:652

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe"
1⤵
- Drops startup file
- Sets desktop wallpaper using registry
PID:2792

C:\Windows\SysWOW64\attrib.exe
attrib +h .
2⤵
- Views/modifies file attributes
PID:3232

C:\Windows\SysWOW64\icacls.exe
icacls . /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:4284

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:2288

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 19711719476415.bat
2⤵
PID:1872

C:\Windows\SysWOW64\cscript.exe
cscript.exe //nologo m.vbs
3⤵
PID:2240

C:\Windows\SysWOW64\attrib.exe
attrib +h +s F:\$RECYCLE
2⤵
- Views/modifies file attributes
PID:4020

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected] co
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2872

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\TaskData\Tor\taskhsvc.exe
TaskData\Tor\taskhsvc.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4020

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /b @[email protected] vs
2⤵
PID:2280

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected] vs
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3408

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
4⤵
PID:1676

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
5⤵
PID:3828

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:2312

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
2⤵
- Executes dropped EXE
PID:4624

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious use of SetWindowsHookEx
PID:1816

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "iktoyyfgvmkopm952" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\tasksche.exe\"" /f
2⤵
PID:3552

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "iktoyyfgvmkopm952" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\tasksche.exe\"" /f
3⤵
- Adds Run key to start application
- Modifies registry key
PID:756

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:3972

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
2⤵
- Executes dropped EXE
PID:2280

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3584

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
2⤵
- Executes dropped EXE
PID:3084

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1116

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:200

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
2⤵
- Executes dropped EXE
PID:4472

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5036

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:4452

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
2⤵
- Executes dropped EXE
PID:2620

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1584

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:1652

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
2⤵
- Executes dropped EXE
PID:4616

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4436

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:2576

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
2⤵
- Executes dropped EXE
PID:896

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3636

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:1576

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
2⤵
- Executes dropped EXE
PID:1424

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:868

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:876

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:3692

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4828

C:\Users\Admin\AppData\Local\Temp\Temp1_wanakiwi.zip\wanakiwi.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_wanakiwi.zip\wanakiwi.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4852 -s 436
2⤵
- Program crash
PID:2780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4852 -ip 4852
1⤵
PID:1904

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
1⤵
- Modifies registry class
PID:2316

C:\Users\Admin\Downloads\wanakiwi.exe
wanakiwi
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4052 -s 396
3⤵
- Program crash
PID:1704

C:\Users\Admin\Desktop\wanakiwi.exe
wanakiwi
2⤵
PID:2020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 396
3⤵
- Program crash
PID:3104

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
1⤵
PID:1016

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4052 -ip 4052
1⤵
PID:3612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2020 -ip 2020
1⤵
PID:1016

C:\Users\Admin\Desktop\wanakiwi.exe
"C:\Users\Admin\Desktop\wanakiwi.exe"
1⤵
PID:4836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 396
2⤵
- Program crash
PID:3700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4836 -ip 4836
1⤵
PID:4952

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
1⤵
PID:1496

C:\Users\Admin\AppData\Local\Temp\wanakiwi.exe
wanakiwi
2⤵
PID:4628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 396
3⤵
- Program crash
PID:3688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4628 -ip 4628
1⤵
PID:2392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\@[email protected]

Filesize
1KB

MD5
6cb2cc5067b027aa70d9d71fcad7f026

SHA1
f08dcbed26b377c692c231c06e862765e5298760

SHA256
8696272800b858eabb9569e8574048dbc72a331366259972507e16d3e3d9e5d7

SHA512
ddda83a4e66564c033f386e4f4b4d622e0303496d7ffce6d0a0e321db0349c81047c25ab6d93b32c05c63913f14605e44b2dc3997f6dfa96aacdcaf3f271156c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000009

Filesize
24KB

MD5
87c2b09a983584b04a63f3ff44064d64

SHA1
8796d5ef1ad1196309ef582cecef3ab95db27043

SHA256
d4a4a801c412a8324a19f21511a7880815b373628e66016bc1785a5a85e0afb0

SHA512
df1f0d6f5f53306887b0b16364651bda9cdc28b8ea74b2d46b2530c6772a724422b33bbdcd7c33d724d2fd4a973e1e9dbc4b654c9c53981386c341620c337067

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000a

Filesize
69KB

MD5
2280e0e4c8efa0f5fc1c10980425f5cf

SHA1
1d78ccb26fef7f1bf5bf29de100811e1ac8bda23

SHA256
b9225cb1f0df94ebe87b9eb2ad8c63cf664d2dfdb47aeaff785de6c7ce01aa74

SHA512
b759fcbf578947c0290ab703652df9f37abb1f9f5cf6140acaa8c4d4ee655ee0ee1f9bee9d4fd210d9e12585a51358b52e0e9c0878abf2713e6fd69a496ac624

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000b

Filesize
328KB

MD5
43af5c3167fdfcd680743f73ca4797c6

SHA1
d0112d91ef86ccd7ce7d6ac337902507035f67ee

SHA256
1cb2900776812ff6fedd4fce9dd614a047c42f971331caaba6fdcf473b7d4d4f

SHA512
b1e5171e540a4ad9e7551e6d698eea79e1a5764efc12b08280d34267504007bf15e6e78a172ece13f6565647400119e26c41bf3305da87957a6f8794b002302c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000c

Filesize
105KB

MD5
f94a23999ded29172d782cec94ec200a

SHA1
b53b54c31b2d8267e57e900e05d7256cbee8fdcd

SHA256
862a9834102c10710d1d031344cdf5f42a1fac732893d18eaf42434d3df5a0ef

SHA512
99147f93bfb2abd8b79db780adfc3132e0844f8c4f063a513e7f6810416bdfd59cfe09299cea70bca2162f12b514edb2776162feba372915969c058611408200

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001d

Filesize
79KB

MD5
e51f388b62281af5b4a9193cce419941

SHA1
364f3d737462b7fd063107fe2c580fdb9781a45a

SHA256
348404a68791474349e35bd7d1980abcbf06db85132286e45ad4f204d10b5f2c

SHA512
1755816c26d013d7b610bab515200b0f1f2bd2be0c4a8a099c3f8aff2d898882fd3bcf1163d0378916f4c5c24222df5dd7b18df0c8e5bf2a0ebef891215f148e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00004a

Filesize
20KB

MD5
0f3de113dc536643a187f641efae47f4

SHA1
729e48891d13fb7581697f5fee8175f60519615e

SHA256
9bef33945e76bc0012cdbd9941eab34f9472aca8e0ddbbaea52658423dc579f8

SHA512
8332bf7bd97ec1ebfc8e7fcf75132ca3f6dfd820863f2559ab22ac867aa882921f2b208ab76a6deb2e6fa2907bb0244851023af6c9960a77d3ad4101b314797f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00005e

Filesize
283KB

MD5
b7322253c704ee6f3ee3c3b3fb24568d

SHA1
584bb2437369b8d9f0a635104b86e44636df0b9a

SHA256
050ac29258050638b85a35ebff24cda08d47d17b1f2b8df9ed19f02bd95ba72f

SHA512
a38d23253fa615954fa2a163868281596670245a345b37f2015c3b067750331bce500a574be5d59a1bac58c93d968f5b6ef46b22a3f32640ca9d1b334a0801c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
f11fba5f24b4cbaedc57e05f610af3f9

SHA1
204643c3b34524ef2c5c59c371c03167f70a1772

SHA256
9715db0128472f0db41e5d04a3d7b49504850a150291d40f35d1d1b5eb677c94

SHA512
d3dfa37521e487c6ab66fd07c34c70414c19394e1319f10ee1265bdcd46eb9e09601e99310e36b9ec11c12575951a25e5d95ce42103e8bf86a6b085b47683971

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
b2715bb4955a20750e85717d93587fc8

SHA1
b1c654e494e2a17ffafe6d5cd4f95b09486129ad

SHA256
917a6e826a0af4a835a40ef68059b67cbace79b077e7be214e25dba42b6ba4e8

SHA512
ba780bb21712f384ec758a4a1e04778f3b8d6a8f5544b91689ca69313e696dac0010da8b032c0d1956724bef5b7b7f989cebd1ba3eac494c1672bbe24e5a6934

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
d8cf9b84e6aa610ff16e2e99f0d4e4ad

SHA1
2756088f0b0a5b2e91c9d836cc4551e9e78c1f86

SHA256
0894104a41a03c9c3d1e8654c1e71b588e9f1fa568a0d89ebe520148ee23103b

SHA512
b0d251ea3e746797854689f94468fbf3f8abf5704aa88e7a198bfe0988ac1e2cab9466593c3a85f6403a4827ef0cea4f356946a36c11d5d55ee773bc8fda71e3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
8a237e24a2213f4beb03c75506ebf3bd

SHA1
79fc6a0f9d7e6eaba35dd36210544d55b2b9a7f6

SHA256
e7499a096460f782c6dcd2cdb61934bfb2dc62034f31037b5618be59cccb8b0b

SHA512
eca110e3203d7981096cf289a60bf544b2f8c1fe603d74bdbee97a640ddce9d5193be3f1ecfe588c62c6a289dc5957350f731179c45560860be770874eed7391

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
0109ff99f2108c6f7a222b9c7b739434

SHA1
b69de955ac042395ccf977e2234590c3fc6b0c2b

SHA256
54e0b766c367607ec21f084883ed85e610aad8e46c4721c742855e1bcfeefac0

SHA512
c7b4389f37794a43dacc4894a0a92e4e3ed7e0839c29f9e0632d179ace55120da20a9ebd2cdd52d9dd82ded09dbfebc97233064c538374a049d003cb33de6db2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
15c39ef2f177eda93f625f43f84fed3e

SHA1
eda19072753d2dc138c8dd8382f4c1e1cfd7c89c

SHA256
6b9d115605c6b9d0220f3eed20810952cc21ba321956afc05920ceee4eaa43e8

SHA512
1b8e506574671e584eb595a0264b68ab45c93000c33fa5047a74064732fd4f0e1c35295227dadfca75e81e7e087af0ced3410deeed9ee31acf0de8171206780f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
0f163b9e560152ddabd7633ea88157fe

SHA1
abff049fbc14c6415572ec31f3cc857e22cbcad8

SHA256
2d303380271cfdc606cde3c0304ed5a1b04c9c03f8e4f01578b1a64003779407

SHA512
bd593126ef260d0ac0eac4397f2147c5b6cd8a396033fd6fc86013f80d676cde6477174bd308b5da5a165e0b69d486492c889b22578c7ec2f8e7a3878f27f4d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
46366fe5f81051929933c918aff053fc

SHA1
95db781678e6290485d6bb97a5215885b9952c1f

SHA256
1643a0076b0f3f421fc55cd63845d3fcfbad513d8e11c9e333db2f03e5b602d3

SHA512
39345d1f9925ef85bf51cd27598d1fff5c9397277ba4fae644e8a43df90ec310dd7f032ef97b2f51a61627ca97d191fc4f1b3868b4cca2104ed3fcbff6ab666f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
89b6d65053ef049abcf6b33bc2eb6e92

SHA1
a5c79ac7f87671c98745e835c561d5b2130ab411

SHA256
73f10a9a6d119f1aea18e549d7e692a09329979c409e1dff161115f4f27852fe

SHA512
c000a08f268c8b82b5e74d6757e8552eb05c052935df91db56495ac7795d0f738b96ea7274544beebde1bf92abea9a52c234dfbc84677ca9d0acb8c19190a295

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
c02e4532da99ed3828d843aa09ec6f0e

SHA1
4533535a8aeaeea3b21b6d29e26bcdda938d79af

SHA256
9e45a2620a4b569643f575860809a2c261852ec49d95808c30ea8e2a0b520b8b

SHA512
e4cc5f6cb5c9f6605e6eec165fae4a58fb5f59cfbcf2595b85c748dea07c70cd222f3191d71459ffc5c1c91ffc79f146286667bf573fa47e015ed0a7f17dfa2f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
97ab84b3bf8cff7c0cd8e0ea29ca2978

SHA1
065db89d35b163a2bbe2627a0d57b8521c66ca58

SHA256
baf1be6c9afa348301f290a219b42a7bbffb08f7bc043f7d4eafe1e0f66b1dfb

SHA512
ef2c9da2a9467b2890f03e835985b90ccc06c188417813e47d0989c6f0745f84087103b7ec18b4cd0bb5a59b4d43e092dad39c93d2c54d27cadf08e21ed9f3a7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
3d59ee5dace890232b94f58f84cc3a38

SHA1
8f5fcd13f1a67870318f3d93eed6ff17ba00bcca

SHA256
acc01002e1589d351ff3e12022540b8362bf5a296be9e990e4c1ea301dca13c4

SHA512
97de45f3e1e2d70084b6893924250d238b70aa4fd8dae524ced46336ee9906d4bef6976ed99d2c93df51e48a0f3b02410e5cb5e1bbc751fbfd9728c7c5f07814

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
13cd8b09ca3590c10f9bdda4c2651991

SHA1
cc991e144a3ecd3304230d03ded235a48c94ba81

SHA256
7affddbf67c664c5f8418315616112fad2d1be0973455410ce95dea56ba7d5fe

SHA512
5c4bf59f76efb466be3ff3a058424b5e29e81d35c3a48e8cdbdf9b7ab758e163083dcfae8622a3ba8c2e4b96de1d98c55154d8799cdcf1ec5bbeedc00a160470

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
1137394e59987aa3b9a0530886ab6a09

SHA1
b56ab5be090ac795e3efeddca8e0648469f1328b

SHA256
835fc9376dfb8babcb3540f8e7c0c61ad7036b3d482c1be401ce958443fd87b3

SHA512
2018fe77c9147910105a5143f5dc19912d2b7b754605307de04ae88a212c5b905777bf2f1a1a9c1687365bad489cfcdc1b9b02a2b00815da8d9dad3a77caf0df

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
cb3f7f8272004d86de5589113729e25a

SHA1
2dab2125f1326b8314253dfbfb7891521cd05b3c

SHA256
ca0e3bcbdb69a0914fb26a65e44065c6000e32b02ad52478ec365d0f18f966fa

SHA512
0cbfca39f3d6642bab7cd65b4e6256f2bc8feff30036c83b36ceaaa7b96f126f283fd96cbc697c27b31658340d7ce9fc0e3ad5316dc80566294b133c42506317

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
2704601c3fd3e0397041ed465db5aa87

SHA1
2039bd31fe0109717eebd86e585af8deae5b6c94

SHA256
facccfc503590da7af4e064452860457d9b5c5487aa682ee26b95fa86a7b8d76

SHA512
4a7c6a78946cf08a54bcb627c155d21827d351fe73d5ff80ecdf8de38a7707c456da2f4478b6f3e29ad3385f511d474b9d5e1388585aec6458b40cc94934d257

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
f5d4aab3659374b71c6c31f0dc61a155

SHA1
a48ce1efc2538bb1629a9d2901111a9802546973

SHA256
bbdf77ccccffb2e14101f51a7bcafa2e4b8d5c9ed40031f13833435d7f54a72c

SHA512
58c04b7c0c534e52ebe83665e08be256c8fd7725d241c3ef0561f3d6384c9462284270d4c7880c5ebe4d83d6780ede5deb99ef42cea1e402402f97eddb81ab72

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
3fc3a77b7e4d7c64a4d54b7c3ec2cd4d

SHA1
1cabb2cbc36391a00ac13620177d3a33e8265fca

SHA256
8a8bdcb8cf66eb47eef4b7403052106fa670e66634f6925b0ad1960a8909c544

SHA512
0c6b726960bc0153dff5bcc8c900cde1a37a903eb1d6adc86e55e4653520fe71f77ac2536ec931ed76d3d07f295a1e8488c4dca89ad7feea627eab767ca54f01

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
61fb3caed3e321591724af14d82299f5

SHA1
fbd2d3e9d7a80db9bb17669d4acc8c05b8b44bb2

SHA256
d293709b5bf3157a3b2e209969f774dd74bf1bc5e31d8c8606b909ed0b1aeebd

SHA512
23a346dd97d369eee881d6e6a3949f1ebbed7f2d1f9226408fb611eb8a499e070583a6bff9afe6df16b99f225445ba46386ca651b43f26078b411e66e478b0ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
af345e667991b4ffe6b8fff8e3417506

SHA1
57a63999ba9997b8dbe9c002395a8839d0f71e3d

SHA256
63c17b0559b56647e6a673cf68e474a97c8afadd0757f98cda618e5c9a7aa6c7

SHA512
2af2dad7f9b56431721110ad6e887e6d926c420ca3c7b02136a644f4165afa26196c887f0998ec55d88812a71230a62e328a53330ad91be697496e827dc09975

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
714827b930a208583b923b72bdc6fb32

SHA1
c29da4cbf483e3fafa728d90704cb04e76cc623e

SHA256
59e9d06c926b9e85c62b0b4c84b43df7ec32a327b57ad9b76f62f82fce05b41e

SHA512
24141210a719cc22a5e758f9da1f9c8d5f7afdaf61d5c507fb4ba1fee65a3b23df327e245859ec3f5ebe74277873a9f1e772b3f8b5e6b00995f376bb474e1058

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
4bec00dc23d829a6b58b5f49503fc945

SHA1
666330b5c657424894beca8a108bf8bcbd218344

SHA256
88cf52fb8d2070872e16a822aae863fdbd41ffb2fbca5bc6a315d7ef5d0f2f44

SHA512
6ddf53a8ff281d6934222069f7548baf879ab864fe9998ac9c85656e5f8a178399f00db1ef5b3d5d520113348d7c6fbeaa3d7dff43c01546e9df2022d46df1fc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3233c1849af41c9d1f707c61ffca9f71

SHA1
69a2a71a64c35550748419463077f546eb22091c

SHA256
bd758c521f3ed6980a09e6712a44b07f838d9bbab960ba81dcfbafceaad9180d

SHA512
af48b2ad8f0641555962bb71b4b808b5610b808615ee8befbd8a88810e6042aff2ab6e6d14035f7932d8a001a0a2228ca1ca8e5c3cda3cab129141429baebadf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
345d70ad261003b68851bf84f28fe10f

SHA1
7eed44be912a3c3a17c7579bfc45ba4ad825dde2

SHA256
39959005a85ac8339d99e0e3da9b89bf8207da59f01d176c5648d890da964678

SHA512
4e64b3243974dba34557e9a3b23f66fc1f05731fe310fa1be2a5c031cdbbb874ef01e496e282632a868009d97d001b1ded6d13d50306859c2bb3369422e2f400

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
31987e49b5b6dc7daae725b0a69bdc23

SHA1
32cdeb74240551813bd0161cab02992dafed1d18

SHA256
78ec4b9efc0144feeb82b252b6841c80c86fe6edf9603725809fc39b01ebe55c

SHA512
b38de75eaaf3748f3420b7a78e8ce3216886f74f760d01470d7dbf880cb077d18b37abbd3dea23dbe787ee9b6653a3843a912a8813fae497f102f91dfa0c2b62

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c172875ab226977a541331b0b430cf55

SHA1
54c7f55a0ab465452d95b2e0f9485753cf88be1e

SHA256
eab932d63246212699252e2405d50c9c6c9e7db38263c43a6f466198833f8853

SHA512
ff8f0e3bcd368117430030f43d63b45bcd660897bf208746a833ae8b10692ecbfce05c181d790cc941c4321ccacc78202b93ebb7bd4a50a49f6f2f383de901d7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
89a871d79a8ff7421fc428ac6aae076a

SHA1
b473bf7489078be5f255d5ca8cc97158eb56e210

SHA256
46de02a45480e15f36b765acf12f568f87e836c8c9f7e3ff4742c8feab4d0125

SHA512
0c99de03fdd466b18bc4ba16136dc977db64880ca902fb51bcf3f4cba66be813c28400afa2924a7669e4ce9bfd3dc62f21d2188f5b441bb46878e52b8fd5d8f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
556ed86d8de11fb1dad13dc08be7b330

SHA1
c5e13cb9108a67491a6bfda0e8cdf630d81f888f

SHA256
ae72f6c310d86c942596033f2a17bc37d37c9ec9382b5584da124cbf03edf68b

SHA512
bc71c57ffa834ef138dc76bceb6ba162dcbbf73fd9b605082c277edaaf1accc0dbf9b15ab3898afb805993a2889ce5d5be7d330853741f123096287d0ce4126e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
75dbd1ce7f870ce4380d969b8533cd50

SHA1
4cf2fd0741acb60c4216fee0b80353459cb23820

SHA256
d3d77f1768cd7831449576f383322e2b1fcb7afec6f19250fce33406f6294050

SHA512
4cab6cfdc5aeda3362339f19760c5573444b527baa64d239f2d417d2fa17d525a71fa2cffba3934d0d3e5414fda68a208020c4e520739e465887531603b5baa7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
fdedf86b9250613520a18f29f156b80b

SHA1
6bd1732ba609b1f7026ef1698a46210ce635594a

SHA256
9a1fd717cc816eb674661921d306d0014322270488832c6a6ad4ac96a3702675

SHA512
6d5c134012e5b5975a60a00a95df2c5afffb17284f1f5edee6c51a4ee1d3ada78cf0bfc745d4fd976d4b21cee78d9c84c92183b8281828967765cdb21c88cd11

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
fe226b99da59b2045d930c4da557ecd7

SHA1
5f545ea6130514827c0b65b483cfe9f4769b2fa5

SHA256
10cf8d5a298e868af65a55542d7b7fabb62d75b99ba05e5b14f22bb776586b09

SHA512
7eefb1b74f73099d26559dc293a8239f3542b5ef2b614ca5c534c22b529f7b906bc894f200df91455bd9a8125f1b5ea696a50e38a68ae51ff3318f9a58446fd0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
56B

MD5
94275bde03760c160b707ba8806ef545

SHA1
aad8d87b0796de7baca00ab000b2b12a26427859

SHA256
c58cb79fa4a9ade48ed821dd9f98957b0adfda7c2d267e3d07951c2d371aa968

SHA512
2aabd49bc9f0ed3a5c690773f48a92dbbbd60264090a0db2fe0f166f8c20c767a74d1e1d7cc6a46c34cfbd1587ddb565e791d494cd0d2ca375ab8cc11cd8f930

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe5b1b26.TMP

Filesize
120B

MD5
977d3281b5ed55f0260d28adad53f7c0

SHA1
362688f82e63afc3573bf0c0712d89af3d2b947d

SHA256
81d34a71a54510594b7938f0003506aa859ad3f2b4f671d776262221b8dd1258

SHA512
ba13c43a712de16e5523af77f3c7f5ad29d02c7b3cfd419f2493d694134f63b6b62fae946baceaf9620789dd3f03738b9a99c25780b7c2ebe0cd3974a7936edd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\e8ad4e82-b2c6-484c-b79d-c594d24dd8f0.tmp

Filesize
8KB

MD5
a8b0e8d5371b372e40afd05dbd3dcc0e

SHA1
09176d40dde46b684319234badad8591a83a0cb8

SHA256
9f141452a431995608c8b0ed699ed9a323d53fac54bb7457e788f0def729a6cf

SHA512
1375ca56a7c7f6f667b12160376453da4da4283e769f5fab4c002b05dd8f5522a414c71a9e87ce61a32ed3035523173e7d3a16edd8f1f653963857cbcc6bf05f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
281KB

MD5
373cbb5c08877b94ddcb60fef3e9bd42

SHA1
8cc606227ae695584766ee040e6f02c50ed35433

SHA256
c9004a11442a0fffbc7fbf374a1ce1444688e82512dba669d764b9cac2e6b0ba

SHA512
5780ef4977534094f3a58ce34a0fe731bfa3c0f58dbf381a187931350891cead7667987dff3ad5b1b3dfba427c384eb838f99b973df4aee518a151a926ff13d5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
100KB

MD5
1709f14bb25bebc698477c2b71878087

SHA1
611bf37dc57920cc26ba8d6887f2747a1c0960ce

SHA256
b595b3ef5ab37fb864c66afbea82a4dfd9331dba7382f8596638fa38448460e3

SHA512
af90519d3bcc6e889626024ac830edb5fac79074377bf26e726e060253c76123fbf51e591d0105331df1c70b0d3c9fb8c99482223d82ff7f9385cbb6c8f1a50b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
101KB

MD5
00c4369d667c2fdcebfcc2cdae0f862a

SHA1
9937803d3187536aae98370cbfb5181940081ecb

SHA256
c59d459456efc8732f7cb8b8d386e54fabd1f070f38c7d3015a240bd1cac6554

SHA512
44ced28351698373715c994618038493f9069d0ad32ee44df770aed575d7d099b8b5ce1c74965e3d1c02cd6cbd5b5ef4dc513ee0a5e64f0020591af3d5e2f748

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
99KB

MD5
9a1b592ec56c89581a6c0bba5ba76c1d

SHA1
ea3c07ed7592404cfd0e0f8f799848caa5b55579

SHA256
b4586dcfc923871c9285a46b176640cb371b2231341344191bdb80cd8f979686

SHA512
686b07d2cc0c316da64e5b5a9fd23c6c15e6e3275dcda8ed64f611dc2b4b99ae777bc0f08e433c3beef8d44e3cffaccddd06e07cddc7a0b436057637b515a00b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe59a1a5.TMP

Filesize
83KB

MD5
fc9307e6a610fd116134f850f6b644a2

SHA1
aba590070859157446f62c0b68e165ecce125502

SHA256
dc2b7488886a2f3bf4c7eae1f47fad5e0bd1553d007d4983759eb0a19debb6b4

SHA512
b08a719b173a992c5e01ef0e0dc65a9c899c7179c44a3b9230d13d9759bb3fdfdcb9919b6c8069fe5240be75181f2bcc341d8c5084fbfc2949605fac62d160f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]

Filesize
933B

MD5
7e6b6da7c61fcb66f3f30166871def5b

SHA1
00f699cf9bbc0308f6e101283eca15a7c566d4f9

SHA256
4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e

SHA512
e5a56137f325904e0c7de1d0df38745f733652214f0cdb6ef173fa0743a334f95bed274df79469e270c9208e6bdc2e6251ef0cdd81af20fa1897929663e2c7d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]

Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\TaskData\Tor\tor.exe

Filesize
3.0MB

MD5
fe7eb54691ad6e6af77f8a9a0b6de26d

SHA1
53912d33bec3375153b7e4e68b78d66dab62671a

SHA256
e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb

SHA512
8ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\b.wnry

Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\c.wnry

Filesize
780B

MD5
93f33b83f1f263e2419006d6026e7bc1

SHA1
1a4b36c56430a56af2e0ecabd754bf00067ce488

SHA256
ef0ed0b717d1b956eb6c42ba1f4fd2283cf7c8416bed0afd1e8805ee0502f2b4

SHA512
45bdd1a9a3118ee4d3469ee65a7a8fdb0f9315ca417821db058028ffb0ed145209f975232a9e64aba1c02b9664c854232221eb041d09231c330ae510f638afac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_bulgarian.wnry

Filesize
46KB

MD5
95673b0f968c0f55b32204361940d184

SHA1
81e427d15a1a826b93e91c3d2fa65221c8ca9cff

SHA256
40b37e7b80cf678d7dd302aaf41b88135ade6ddf44d89bdba19cf171564444bd

SHA512
7601f1883edbb4150a9dc17084012323b3bfa66f6d19d3d0355cf82b6a1c9dce475d758da18b6d17a8b321bf6fca20915224dbaedcb3f4d16abfaf7a5fc21b92

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_chinese (simplified).wnry

Filesize
53KB

MD5
0252d45ca21c8e43c9742285c48e91ad

SHA1
5c14551d2736eef3a1c1970cc492206e531703c1

SHA256
845d0e178aeebd6c7e2a2e9697b2bf6cf02028c50c288b3ba88fe2918ea2834a

SHA512
1bfcf6c0e7c977d777f12bd20ac347630999c4d99bd706b40de7ff8f2f52e02560d68093142cc93722095657807a1480ce3fb6a2e000c488550548c497998755

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_chinese (traditional).wnry

Filesize
77KB

MD5
2efc3690d67cd073a9406a25005f7cea

SHA1
52c07f98870eabace6ec370b7eb562751e8067e9

SHA256
5c7f6ad1ec4bc2c8e2c9c126633215daba7de731ac8b12be10ca157417c97f3a

SHA512
0766c58e64d9cda5328e00b86f8482316e944aa2c26523a3c37289e22c34be4b70937033bebdb217f675e40db9fecdce0a0d516f9065a170e28286c2d218487c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_croatian.wnry

Filesize
38KB

MD5
17194003fa70ce477326ce2f6deeb270

SHA1
e325988f68d327743926ea317abb9882f347fa73

SHA256
3f33734b2d34cce83936ce99c3494cd845f1d2c02d7f6da31d42dfc1ca15a171

SHA512
dcf4ccf0b352a8b271827b3b8e181f7d6502ca0f8c9dda3dc6e53441bb4ae6e77b49c9c947cc3ede0bf323f09140a0c068a907f3c23ea2a8495d1ad96820051c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_czech.wnry

Filesize
39KB

MD5
537efeecdfa94cc421e58fd82a58ba9e

SHA1
3609456e16bc16ba447979f3aa69221290ec17d0

SHA256
5afa4753afa048c6d6c39327ce674f27f5f6e5d3f2a060b7a8aed61725481150

SHA512
e007786ffa09ccd5a24e5c6504c8de444929a2faaafad3712367c05615b7e1b0fbf7fbfff7028ed3f832ce226957390d8bf54308870e9ed597948a838da1137b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_danish.wnry

Filesize
36KB

MD5
2c5a3b81d5c4715b7bea01033367fcb5

SHA1
b548b45da8463e17199daafd34c23591f94e82cd

SHA256
a75bb44284b9db8d702692f84909a7e23f21141866adf3db888042e9109a1cb6

SHA512
490c5a892fac801b853c348477b1140755d4c53ca05726ac19d3649af4285c93523393a3667e209c71c80ac06ffd809f62dd69ae65012dcb00445d032f1277b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_dutch.wnry

Filesize
36KB

MD5
7a8d499407c6a647c03c4471a67eaad7

SHA1
d573b6ac8e7e04a05cbbd6b7f6a9842f371d343b

SHA256
2c95bef914da6c50d7bdedec601e589fbb4fda24c4863a7260f4f72bd025799c

SHA512
608ef3ff0a517fe1e70ff41aeb277821565c5a9bee5103aa5e45c68d4763fce507c2a34d810f4cd242d163181f8341d9a69e93fe32aded6fbc7f544c55743f12

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_english.wnry

Filesize
36KB

MD5
fe68c2dc0d2419b38f44d83f2fcf232e

SHA1
6c6e49949957215aa2f3dfb72207d249adf36283

SHA256
26fd072fda6e12f8c2d3292086ef0390785efa2c556e2a88bd4673102af703e5

SHA512
941fa0a1f6a5756ed54260994db6158a7ebeb9e18b5c8ca2f6530c579bc4455918df0b38c609f501ca466b3cc067b40e4b861ad6513373b483b36338ae20a810

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_filipino.wnry

Filesize
36KB

MD5
08b9e69b57e4c9b966664f8e1c27ab09

SHA1
2da1025bbbfb3cd308070765fc0893a48e5a85fa

SHA256
d8489f8c16318e524b45de8b35d7e2c3cd8ed4821c136f12f5ef3c9fc3321324

SHA512
966b5ed68be6b5ccd46e0de1fa868cfe5432d9bf82e1e2f6eb99b2aef3c92f88d96f4f4eec5e16381b9c6db80a68071e7124ca1474d664bdd77e1817ec600cb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_finnish.wnry

Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_french.wnry

Filesize
37KB

MD5
4e57113a6bf6b88fdd32782a4a381274

SHA1
0fccbc91f0f94453d91670c6794f71348711061d

SHA256
9bd38110e6523547aed50617ddc77d0920d408faeed2b7a21ab163fda22177bc

SHA512
4f1918a12269c654d44e9d394bc209ef0bc32242be8833a2fba437b879125177e149f56f2fb0c302330dec328139b34982c04b3fefb045612b6cc9f83ec85aa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_german.wnry

Filesize
36KB

MD5
3d59bbb5553fe03a89f817819540f469

SHA1
26781d4b06ff704800b463d0f1fca3afd923a9fe

SHA256
2adc900fafa9938d85ce53cb793271f37af40cf499bcc454f44975db533f0b61

SHA512
95719ae80589f71209bb3cb953276538040e7111b994d757b0a24283aefe27aadbbe9eef3f1f823ce4cabc1090946d4a2a558607ac6cac6faca5971529b34dac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_greek.wnry

Filesize
47KB

MD5
fb4e8718fea95bb7479727fde80cb424

SHA1
1088c7653cba385fe994e9ae34a6595898f20aeb

SHA256
e13cc9b13aa5074dc45d50379eceb17ee39a0c2531ab617d93800fe236758ca9

SHA512
24db377af1569e4e2b2ebccec42564cea95a30f1ff43bcaf25a692f99567e027bcef4aacef008ec5f64ea2eef0c04be88d2b30bcadabb3919b5f45a6633940cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_indonesian.wnry

Filesize
36KB

MD5
3788f91c694dfc48e12417ce93356b0f

SHA1
eb3b87f7f654b604daf3484da9e02ca6c4ea98b7

SHA256
23e5e738aad10fb8ef89aa0285269aff728070080158fd3e7792fe9ed47c51f4

SHA512
b7dd9e6dc7c2d023ff958caf132f0544c76fae3b2d8e49753257676cc541735807b4befdf483bcae94c2dcde3c878c783b4a89dca0fecbc78f5bbf7c356f35cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_italian.wnry

Filesize
36KB

MD5
30a200f78498990095b36f574b6e8690

SHA1
c4b1b3c087bd12b063e98bca464cd05f3f7b7882

SHA256
49f2c739e7d9745c0834dc817a71bf6676ccc24a4c28dcddf8844093aab3df07

SHA512
c0da2aae82c397f6943a0a7b838f60eeef8f57192c5f498f2ecf05db824cfeb6d6ca830bf3715da7ee400aa8362bd64dc835298f3f0085ae7a744e6e6c690511

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_japanese.wnry

Filesize
79KB

MD5
b77e1221f7ecd0b5d696cb66cda1609e

SHA1
51eb7a254a33d05edf188ded653005dc82de8a46

SHA256
7e491e7b48d6e34f916624c1cda9f024e86fcbec56acda35e27fa99d530d017e

SHA512
f435fd67954787e6b87460db026759410fbd25b2f6ea758118749c113a50192446861a114358443a129be817020b50f21d27b1ebd3d22c7be62082e8b45223fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_korean.wnry

Filesize
89KB

MD5
6735cb43fe44832b061eeb3f5956b099

SHA1
d636daf64d524f81367ea92fdafa3726c909bee1

SHA256
552aa0f82f37c9601114974228d4fc54f7434fe3ae7a276ef1ae98a0f608f1d0

SHA512
60272801909dbba21578b22c49f6b0ba8cd0070f116476ff35b3ac8347b987790e4cc0334724244c4b13415a246e77a577230029e4561ae6f04a598c3f536c7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_latvian.wnry

Filesize
40KB

MD5
c33afb4ecc04ee1bcc6975bea49abe40

SHA1
fbea4f170507cde02b839527ef50b7ec74b4821f

SHA256
a0356696877f2d94d645ae2df6ce6b370bd5c0d6db3d36def44e714525de0536

SHA512
0d435f0836f61a5ff55b78c02fa47b191e5807a79d8a6e991f3115743df2141b3db42ba8bdad9ad259e12f5800828e9e72d7c94a6a5259312a447d669b03ec44

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_norwegian.wnry

Filesize
36KB

MD5
ff70cc7c00951084175d12128ce02399

SHA1
75ad3b1ad4fb14813882d88e952208c648f1fd18

SHA256
cb5da96b3dfcf4394713623dbf3831b2a0b8be63987f563e1c32edeb74cb6c3a

SHA512
f01df3256d49325e5ec49fd265aa3f176020c8ffec60eb1d828c75a3fa18ff8634e1de824d77dfdd833768acff1f547303104620c70066a2708654a07ef22e19

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_polish.wnry

Filesize
38KB

MD5
e79d7f2833a9c2e2553c7fe04a1b63f4

SHA1
3d9f56d2381b8fe16042aa7c4feb1b33f2baebff

SHA256
519ad66009a6c127400c6c09e079903223bd82ecc18ad71b8e5cd79f5f9c053e

SHA512
e0159c753491cac7606a7250f332e87bc6b14876bc7a1cf5625fa56ab4f09c485f7b231dd52e4ff0f5f3c29862afb1124c0efd0741613eb97a83cbe2668af5de

Download Submit
C:\Users\Admin\AppData\Local\Temp\{e46eca4f-393b-40df-9f49-076faf788d83}\.ba1\logo.png

Filesize
1KB

MD5
d6bd210f227442b3362493d046cea233

SHA1
ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

SHA256
335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

SHA512
464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{e46eca4f-393b-40df-9f49-076faf788d83}\.ba1\wixstdba.dll

Filesize
118KB

MD5
4d20a950a3571d11236482754b4a8e76

SHA1
e68bd784ac143e206d52ecaf54a7e3b8d4d75c9c

SHA256
a9295ad4e909f979e2b6cb2b2495c3d35c8517e689cd64a918c690e17b49078b

SHA512
8b9243d1f9edbcbd6bdaf6874dc69c806bb29e909bd733781fde8ac80ca3fff574d786ca903871d1e856e73fd58403bebb58c9f23083ea7cd749ba3e890af3d2

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

Filesize
17.9MB

MD5
12a09c0db281bd26c1fa168f71473dd0

SHA1
4b3a0e7db652b8393d88991bb0883941f0c59a4d

SHA256
7ee9348914d3311085b7e0a6c179acb5fdbf2f7a79c2d487b1c7a1ec745060aa

SHA512
ab1a26b80d2aebce0ed86f8cb2873e28e49f8e13e537aeb9f2df37c6463f68c33e959868de89705792e696fe8bcfb43989d448072cd05c60374fddea40bab50e

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry.zip.crdownload

Filesize
3.3MB

MD5
efe76bf09daba2c594d2bc173d9b5cf0

SHA1
ba5de52939cb809eae10fdbb7fac47095a9599a7

SHA256
707a9f323556179571bc832e34fa592066b1d5f2cac4a7426fe163597e3e618a

SHA512
4a1df71925cf2eb49c38f07c6a95bea17752b025f0114c6fd81bc0841c1d1f2965b5dda1469e454b9e8207c2e0dfd3df0959e57166620ccff86eeeb5cf855029

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 468907.crdownload

Filesize
13.9MB

MD5
27b141aacc2777a82bb3fa9f6e5e5c1c

SHA1
3155cb0f146b927fcc30647c1a904cd162548c8c

SHA256
5eea714e1f22f1875c1cb7b1738b0c0b1f02aec5ecb95f0fdb1c5171c6cd93a3

SHA512
7789eabb6dd4a159bb899d2e6d6df70addb3df239bda6f9ead8c1d2a2ac2062fce3a495814b48a3c2bec12f13800ad0703e2c61c35158b0912011b914f098011

Download Submit
C:\Users\Admin\Downloads\vc_redist.x64.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
\??\pipe\crashpad_4808_YHYLLMLIMZUXCKET

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1612-1-0x00007FF6BC2D0000-0x00007FF6BC2FD000-memory.dmp

Filesize
180KB

Download
memory/2792-883-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/3944-0-0x00007FF6BC2D0000-0x00007FF6BC2FD000-memory.dmp

Filesize
180KB

Download
memory/4020-2786-0x00000000004C0000-0x00000000007BE000-memory.dmp

Filesize
3.0MB

Download
memory/4020-2841-0x00000000004C0000-0x00000000007BE000-memory.dmp

Filesize
3.0MB

Download
memory/4020-2437-0x0000000073E90000-0x0000000073F07000-memory.dmp

Filesize
476KB

Download
memory/4020-2438-0x0000000073E00000-0x0000000073E82000-memory.dmp

Filesize
520KB

Download
memory/4020-2729-0x00000000004C0000-0x00000000007BE000-memory.dmp

Filesize
3.0MB

Download
memory/4020-2732-0x0000000073F40000-0x000000007415C000-memory.dmp

Filesize
2.1MB

Download
memory/4020-2432-0x00000000004C0000-0x00000000007BE000-memory.dmp

Filesize
3.0MB

Download
memory/4020-2411-0x00000000004C0000-0x00000000007BE000-memory.dmp

Filesize
3.0MB

Download
memory/4020-2407-0x0000000074160000-0x00000000741E2000-memory.dmp

Filesize
520KB

Download
memory/4020-2409-0x0000000073E00000-0x0000000073E82000-memory.dmp

Filesize
520KB

Download
memory/4020-2433-0x00000000741F0000-0x000000007420C000-memory.dmp

Filesize
112KB

Download
memory/4020-2789-0x0000000073F40000-0x000000007415C000-memory.dmp

Filesize
2.1MB

Download
memory/4020-2410-0x0000000073F10000-0x0000000073F32000-memory.dmp

Filesize
136KB

Download
memory/4020-2436-0x0000000073F10000-0x0000000073F32000-memory.dmp

Filesize
136KB

Download
memory/4020-2844-0x0000000073F40000-0x000000007415C000-memory.dmp

Filesize
2.1MB

Download
memory/4020-2863-0x0000000073F40000-0x000000007415C000-memory.dmp

Filesize
2.1MB

Download
memory/4020-2860-0x00000000004C0000-0x00000000007BE000-memory.dmp

Filesize
3.0MB

Download
memory/4020-2408-0x0000000073F40000-0x000000007415C000-memory.dmp

Filesize
2.1MB

Download
memory/4020-2883-0x0000000073F40000-0x000000007415C000-memory.dmp

Filesize
2.1MB

Download
memory/4020-2880-0x00000000004C0000-0x00000000007BE000-memory.dmp

Filesize
3.0MB

Download
memory/4020-2890-0x0000000073F40000-0x000000007415C000-memory.dmp

Filesize
2.1MB

Download
memory/4020-2887-0x00000000004C0000-0x00000000007BE000-memory.dmp

Filesize
3.0MB

Download
memory/4020-2690-0x00000000004C0000-0x00000000007BE000-memory.dmp

Filesize
3.0MB

Download
memory/4020-2435-0x0000000073F40000-0x000000007415C000-memory.dmp

Filesize
2.1MB

Download
memory/4020-2434-0x0000000074160000-0x00000000741E2000-memory.dmp

Filesize
520KB

Download