wannacry | hxxps://github[.]com/Endermanch/MalwareDatabase/tree/master/ransomwares

Analysis

max time kernel
502s
max time network
504s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
30-08-2024 17:48

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://github.com/Endermanch/MalwareDatabase/tree/master/ransomwares

Score

10^/10

wannacry defense_evasion discovery execution impact persistence ransomware worm

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\WannaCrypt0r\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94 Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD14C8.tmp	[email protected]
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD14CF.tmp	[email protected]

Executes dropped EXE 27 IoCs

pid	Process
1676	taskdl.exe
5628	@[email protected]
6072	@[email protected]
2824	taskhsvc.exe
4960	@[email protected]
1088	taskdl.exe
3552	taskse.exe
4616	@[email protected]
4008	taskdl.exe
5688	taskse.exe
5372	@[email protected]
6040	taskse.exe
6032	@[email protected]
4856	taskdl.exe
1880	taskse.exe
5576	@[email protected]
6036	taskdl.exe
2264	taskse.exe
5952	@[email protected]
5820	taskdl.exe
6020	taskse.exe
5716	@[email protected]
5216	taskdl.exe
2092	taskse.exe
5972	@[email protected]
4360	taskdl.exe
4580	@[email protected]

Loads dropped DLL 8 IoCs

pid	Process
2824	taskhsvc.exe
2824	taskhsvc.exe
2824	taskhsvc.exe
2824	taskhsvc.exe
2824	taskhsvc.exe
2824	taskhsvc.exe
2824	taskhsvc.exe
2824	taskhsvc.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
5984	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wkwthgmgqegtew611 = "\"C:\\Users\\Admin\\Downloads\\WannaCrypt0r\\tasksche.exe\""	reg.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
93	raw.githubusercontent.com
94	raw.githubusercontent.com
144	raw.githubusercontent.com
145	camo.githubusercontent.com
146	camo.githubusercontent.com
147	camo.githubusercontent.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe

Sets desktop wallpaper using registry 2 TTPs 3 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	[email protected]

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 38 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 17 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "126"	LogonUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133695137344905840"	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	msedge.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
5248	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3372	chrome.exe
3372	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
4588	chrome.exe
1640	msedge.exe
1640	msedge.exe
2776	msedge.exe
2776	msedge.exe
5532	identity_helper.exe
5532	identity_helper.exe
428	msedge.exe
428	msedge.exe
5944	msedge.exe
5944	msedge.exe
2824	taskhsvc.exe
2824	taskhsvc.exe
2824	taskhsvc.exe
2824	taskhsvc.exe
2824	taskhsvc.exe
2824	taskhsvc.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe
428	msedge.exe
5396	msedge.exe
5396	msedge.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

pid	Process
3372	chrome.exe
3372	chrome.exe
2776	msedge.exe
2776	msedge.exe
2776	msedge.exe
2776	msedge.exe
2776	msedge.exe
2776	msedge.exe
2776	msedge.exe
2776	msedge.exe
2776	msedge.exe
2776	msedge.exe
3372	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3372	chrome.exe
Token: SeCreatePagefilePrivilege	3372	chrome.exe
Token: SeShutdownPrivilege	3372	chrome.exe
Token: SeCreatePagefilePrivilege	3372	chrome.exe
Token: SeShutdownPrivilege	3372	chrome.exe
Token: SeCreatePagefilePrivilege	3372	chrome.exe
Token: SeShutdownPrivilege	3372	chrome.exe
Token: SeCreatePagefilePrivilege	3372	chrome.exe
Token: SeShutdownPrivilege	3372	chrome.exe
Token: SeCreatePagefilePrivilege	3372	chrome.exe
Token: SeShutdownPrivilege	3372	chrome.exe
Token: SeCreatePagefilePrivilege	3372	chrome.exe
Token: SeShutdownPrivilege	3372	chrome.exe
Token: SeCreatePagefilePrivilege	3372	chrome.exe
Token: SeShutdownPrivilege	3372	chrome.exe
Token: SeCreatePagefilePrivilege	3372	chrome.exe
Token: SeShutdownPrivilege	3372	chrome.exe
Token: SeCreatePagefilePrivilege	3372	chrome.exe
Token: SeShutdownPrivilege	3372	chrome.exe
Token: SeCreatePagefilePrivilege	3372	chrome.exe
Token: SeShutdownPrivilege	3372	chrome.exe
Token: SeCreatePagefilePrivilege	3372	chrome.exe
Token: SeShutdownPrivilege	3372	chrome.exe
Token: SeCreatePagefilePrivilege	3372	chrome.exe
Token: SeShutdownPrivilege	3372	chrome.exe
Token: SeCreatePagefilePrivilege	3372	chrome.exe
Token: SeShutdownPrivilege	3372	chrome.exe
Token: SeCreatePagefilePrivilege	3372	chrome.exe
Token: SeShutdownPrivilege	3372	chrome.exe
Token: SeCreatePagefilePrivilege	3372	chrome.exe
Token: SeShutdownPrivilege	3372	chrome.exe
Token: SeCreatePagefilePrivilege	3372	chrome.exe
Token: SeShutdownPrivilege	3372	chrome.exe
Token: SeCreatePagefilePrivilege	3372	chrome.exe
Token: SeShutdownPrivilege	3372	chrome.exe
Token: SeCreatePagefilePrivilege	3372	chrome.exe
Token: SeShutdownPrivilege	3372	chrome.exe
Token: SeCreatePagefilePrivilege	3372	chrome.exe
Token: SeShutdownPrivilege	3372	chrome.exe
Token: SeCreatePagefilePrivilege	3372	chrome.exe
Token: SeShutdownPrivilege	3372	chrome.exe
Token: SeCreatePagefilePrivilege	3372	chrome.exe
Token: SeShutdownPrivilege	3372	chrome.exe
Token: SeCreatePagefilePrivilege	3372	chrome.exe
Token: SeShutdownPrivilege	3372	chrome.exe
Token: SeCreatePagefilePrivilege	3372	chrome.exe
Token: SeShutdownPrivilege	3372	chrome.exe
Token: SeCreatePagefilePrivilege	3372	chrome.exe
Token: SeShutdownPrivilege	3372	chrome.exe
Token: SeCreatePagefilePrivilege	3372	chrome.exe
Token: SeShutdownPrivilege	3372	chrome.exe
Token: SeCreatePagefilePrivilege	3372	chrome.exe
Token: SeShutdownPrivilege	3372	chrome.exe
Token: SeCreatePagefilePrivilege	3372	chrome.exe
Token: SeShutdownPrivilege	3372	chrome.exe
Token: SeCreatePagefilePrivilege	3372	chrome.exe
Token: SeShutdownPrivilege	3372	chrome.exe
Token: SeCreatePagefilePrivilege	3372	chrome.exe
Token: SeShutdownPrivilege	3372	chrome.exe
Token: SeCreatePagefilePrivilege	3372	chrome.exe
Token: SeShutdownPrivilege	3372	chrome.exe
Token: SeCreatePagefilePrivilege	3372	chrome.exe
Token: SeShutdownPrivilege	3372	chrome.exe
Token: SeCreatePagefilePrivilege	3372	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3372	chrome.exe
3372	chrome.exe
3372	chrome.exe
3372	chrome.exe
3372	chrome.exe
3372	chrome.exe
3372	chrome.exe
3372	chrome.exe
3372	chrome.exe
3372	chrome.exe
3372	chrome.exe
3372	chrome.exe
3372	chrome.exe
3372	chrome.exe
3372	chrome.exe
3372	chrome.exe
3372	chrome.exe
3372	chrome.exe
3372	chrome.exe
3372	chrome.exe
3372	chrome.exe
3372	chrome.exe
3372	chrome.exe
3372	chrome.exe
3372	chrome.exe
3372	chrome.exe
2776	msedge.exe
2776	msedge.exe
2776	msedge.exe
2776	msedge.exe
2776	msedge.exe
2776	msedge.exe
2776	msedge.exe
2776	msedge.exe
2776	msedge.exe
2776	msedge.exe
2776	msedge.exe
2776	msedge.exe
2776	msedge.exe
2776	msedge.exe
2776	msedge.exe
2776	msedge.exe
2776	msedge.exe
2776	msedge.exe
2776	msedge.exe
2776	msedge.exe
2776	msedge.exe
2776	msedge.exe
2776	msedge.exe
2776	msedge.exe
2776	msedge.exe
3372	chrome.exe
3372	chrome.exe
3372	chrome.exe
3372	chrome.exe
3372	chrome.exe
3372	chrome.exe
3372	chrome.exe
2776	msedge.exe
2776	msedge.exe
2776	msedge.exe
2776	msedge.exe
2776	msedge.exe
2776	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3372	chrome.exe
3372	chrome.exe
3372	chrome.exe
3372	chrome.exe
3372	chrome.exe
3372	chrome.exe
3372	chrome.exe
3372	chrome.exe
3372	chrome.exe
3372	chrome.exe
3372	chrome.exe
3372	chrome.exe
3372	chrome.exe
3372	chrome.exe
3372	chrome.exe
3372	chrome.exe
3372	chrome.exe
3372	chrome.exe
3372	chrome.exe
3372	chrome.exe
3372	chrome.exe
3372	chrome.exe
3372	chrome.exe
3372	chrome.exe
2776	msedge.exe
2776	msedge.exe
2776	msedge.exe
2776	msedge.exe
2776	msedge.exe
2776	msedge.exe
2776	msedge.exe
2776	msedge.exe
2776	msedge.exe
2776	msedge.exe
2776	msedge.exe
2776	msedge.exe
2776	msedge.exe
2776	msedge.exe
2776	msedge.exe
2776	msedge.exe
2776	msedge.exe
2776	msedge.exe
2776	msedge.exe
2776	msedge.exe
2776	msedge.exe
2776	msedge.exe
2776	msedge.exe
2776	msedge.exe
3372	chrome.exe
3372	chrome.exe
3372	chrome.exe
3372	chrome.exe
3372	chrome.exe
3372	chrome.exe
3372	chrome.exe
3372	chrome.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
5628	@[email protected]
5628	@[email protected]
6072	@[email protected]
6072	@[email protected]
4960	@[email protected]
4960	@[email protected]
4616	@[email protected]
5372	@[email protected]
6032	@[email protected]
5576	@[email protected]
5952	@[email protected]
5716	@[email protected]
5972	@[email protected]
5972	@[email protected]
4580	@[email protected]
1828	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3372 wrote to memory of 2288	3372	chrome.exe	85
PID 3372 wrote to memory of 2288	3372	chrome.exe	85
PID 3372 wrote to memory of 2876	3372	chrome.exe	86
PID 3372 wrote to memory of 2876	3372	chrome.exe	86
PID 3372 wrote to memory of 2876	3372	chrome.exe	86
PID 3372 wrote to memory of 2876	3372	chrome.exe	86
PID 3372 wrote to memory of 2876	3372	chrome.exe	86
PID 3372 wrote to memory of 2876	3372	chrome.exe	86
PID 3372 wrote to memory of 2876	3372	chrome.exe	86
PID 3372 wrote to memory of 2876	3372	chrome.exe	86
PID 3372 wrote to memory of 2876	3372	chrome.exe	86
PID 3372 wrote to memory of 2876	3372	chrome.exe	86
PID 3372 wrote to memory of 2876	3372	chrome.exe	86
PID 3372 wrote to memory of 2876	3372	chrome.exe	86
PID 3372 wrote to memory of 2876	3372	chrome.exe	86
PID 3372 wrote to memory of 2876	3372	chrome.exe	86
PID 3372 wrote to memory of 2876	3372	chrome.exe	86
PID 3372 wrote to memory of 2876	3372	chrome.exe	86
PID 3372 wrote to memory of 2876	3372	chrome.exe	86
PID 3372 wrote to memory of 2876	3372	chrome.exe	86
PID 3372 wrote to memory of 2876	3372	chrome.exe	86
PID 3372 wrote to memory of 2876	3372	chrome.exe	86
PID 3372 wrote to memory of 2876	3372	chrome.exe	86
PID 3372 wrote to memory of 2876	3372	chrome.exe	86
PID 3372 wrote to memory of 2876	3372	chrome.exe	86
PID 3372 wrote to memory of 2876	3372	chrome.exe	86
PID 3372 wrote to memory of 2876	3372	chrome.exe	86
PID 3372 wrote to memory of 2876	3372	chrome.exe	86
PID 3372 wrote to memory of 2876	3372	chrome.exe	86
PID 3372 wrote to memory of 2876	3372	chrome.exe	86
PID 3372 wrote to memory of 2876	3372	chrome.exe	86
PID 3372 wrote to memory of 2876	3372	chrome.exe	86
PID 3372 wrote to memory of 1944	3372	chrome.exe	87
PID 3372 wrote to memory of 1944	3372	chrome.exe	87
PID 3372 wrote to memory of 5080	3372	chrome.exe	88
PID 3372 wrote to memory of 5080	3372	chrome.exe	88
PID 3372 wrote to memory of 5080	3372	chrome.exe	88
PID 3372 wrote to memory of 5080	3372	chrome.exe	88
PID 3372 wrote to memory of 5080	3372	chrome.exe	88
PID 3372 wrote to memory of 5080	3372	chrome.exe	88
PID 3372 wrote to memory of 5080	3372	chrome.exe	88
PID 3372 wrote to memory of 5080	3372	chrome.exe	88
PID 3372 wrote to memory of 5080	3372	chrome.exe	88
PID 3372 wrote to memory of 5080	3372	chrome.exe	88
PID 3372 wrote to memory of 5080	3372	chrome.exe	88
PID 3372 wrote to memory of 5080	3372	chrome.exe	88
PID 3372 wrote to memory of 5080	3372	chrome.exe	88
PID 3372 wrote to memory of 5080	3372	chrome.exe	88
PID 3372 wrote to memory of 5080	3372	chrome.exe	88
PID 3372 wrote to memory of 5080	3372	chrome.exe	88
PID 3372 wrote to memory of 5080	3372	chrome.exe	88
PID 3372 wrote to memory of 5080	3372	chrome.exe	88
PID 3372 wrote to memory of 5080	3372	chrome.exe	88
PID 3372 wrote to memory of 5080	3372	chrome.exe	88
PID 3372 wrote to memory of 5080	3372	chrome.exe	88
PID 3372 wrote to memory of 5080	3372	chrome.exe	88
PID 3372 wrote to memory of 5080	3372	chrome.exe	88
PID 3372 wrote to memory of 5080	3372	chrome.exe	88
PID 3372 wrote to memory of 5080	3372	chrome.exe	88
PID 3372 wrote to memory of 5080	3372	chrome.exe	88
PID 3372 wrote to memory of 5080	3372	chrome.exe	88
PID 3372 wrote to memory of 5080	3372	chrome.exe	88
PID 3372 wrote to memory of 5080	3372	chrome.exe	88
PID 3372 wrote to memory of 5080	3372	chrome.exe	88

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2480	attrib.exe
5972	attrib.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/Endermanch/MalwareDatabase/tree/master/ransomwares
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd0f11cc40,0x7ffd0f11cc4c,0x7ffd0f11cc58
  2⤵
  PID:2288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1920,i,11527279158426172988,4128082765628519868,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1872 /prefetch:2
  2⤵
  PID:2876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1800,i,11527279158426172988,4128082765628519868,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2088 /prefetch:3
  2⤵
  PID:1944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2200,i,11527279158426172988,4128082765628519868,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2404 /prefetch:8
  2⤵
  PID:5080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3108,i,11527279158426172988,4128082765628519868,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3152 /prefetch:1
  2⤵
  PID:3316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3116,i,11527279158426172988,4128082765628519868,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3180 /prefetch:1
  2⤵
  PID:1688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4836,i,11527279158426172988,4128082765628519868,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4896 /prefetch:8
  2⤵
  PID:2164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4580,i,11527279158426172988,4128082765628519868,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4420 /prefetch:8
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:4588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3540,i,11527279158426172988,4128082765628519868,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5016 /prefetch:8
  2⤵
  PID:5772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4040,i,11527279158426172988,4128082765628519868,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5068 /prefetch:1
  2⤵
  PID:2852

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2856

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4092

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffcfca746f8,0x7ffcfca74708,0x7ffcfca74718
  2⤵
  PID:3952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,684906747537573420,16785589376469929303,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1956 /prefetch:2
  2⤵
  PID:4804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2052,684906747537573420,16785589376469929303,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2052,684906747537573420,16785589376469929303,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2764 /prefetch:8
  2⤵
  PID:1708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,684906747537573420,16785589376469929303,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
  2⤵
  PID:4452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,684906747537573420,16785589376469929303,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
  2⤵
  PID:4084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,684906747537573420,16785589376469929303,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4396 /prefetch:1
  2⤵
  PID:2144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,684906747537573420,16785589376469929303,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4532 /prefetch:1
  2⤵
  PID:724
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,684906747537573420,16785589376469929303,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5020 /prefetch:8
  2⤵
  PID:5368
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,684906747537573420,16785589376469929303,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5020 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,684906747537573420,16785589376469929303,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5108 /prefetch:1
  2⤵
  PID:5668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,684906747537573420,16785589376469929303,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5772 /prefetch:1
  2⤵
  PID:6100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,684906747537573420,16785589376469929303,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5748 /prefetch:1
  2⤵
  PID:6108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,684906747537573420,16785589376469929303,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6092 /prefetch:1
  2⤵
  PID:5364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,684906747537573420,16785589376469929303,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6120 /prefetch:1
  2⤵
  PID:5424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2052,684906747537573420,16785589376469929303,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4260 /prefetch:8
  2⤵
  PID:1588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,684906747537573420,16785589376469929303,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
  2⤵
  PID:2584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2052,684906747537573420,16785589376469929303,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5580 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2052,684906747537573420,16785589376469929303,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6172 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,684906747537573420,16785589376469929303,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4612 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:428

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2884

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1676

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4772

C:\Users\Admin\Downloads\WannaCrypt0r\[email protected]
"C:\Users\Admin\Downloads\WannaCrypt0r\[email protected]"
1⤵
- Drops startup file
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
PID:6064
- C:\Windows\SysWOW64\attrib.exe
  attrib +h .
  2⤵
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:2480
- C:\Windows\SysWOW64\icacls.exe
  icacls . /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  - System Location Discovery: System Language Discovery
  PID:5984
- C:\Users\Admin\Downloads\WannaCrypt0r\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1676
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 44511725040361.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4556
- - C:\Windows\SysWOW64\cscript.exe
    cscript.exe //nologo m.vbs
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5608
- C:\Windows\SysWOW64\attrib.exe
  attrib +h +s F:\$RECYCLE
  2⤵
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:5972
- C:\Users\Admin\Downloads\WannaCrypt0r\@[email protected]
  @[email protected] co
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5628
- - C:\Users\Admin\Downloads\WannaCrypt0r\TaskData\Tor\taskhsvc.exe
    TaskData\Tor\taskhsvc.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2824
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c start /b @[email protected] vs
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5208
- - C:\Users\Admin\Downloads\WannaCrypt0r\@[email protected]
    @[email protected] vs
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:6072
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
      4⤵
      System Location Discovery: System Language Discovery
      PID:3048
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5020
- C:\Users\Admin\Downloads\WannaCrypt0r\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1088
- C:\Users\Admin\Downloads\WannaCrypt0r\taskse.exe
  taskse.exe C:\Users\Admin\Downloads\WannaCrypt0r\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3552
- C:\Users\Admin\Downloads\WannaCrypt0r\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4616
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "wkwthgmgqegtew611" /t REG_SZ /d "\"C:\Users\Admin\Downloads\WannaCrypt0r\tasksche.exe\"" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5772
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "wkwthgmgqegtew611" /t REG_SZ /d "\"C:\Users\Admin\Downloads\WannaCrypt0r\tasksche.exe\"" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:5248
- C:\Users\Admin\Downloads\WannaCrypt0r\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4008
- C:\Users\Admin\Downloads\WannaCrypt0r\taskse.exe
  taskse.exe C:\Users\Admin\Downloads\WannaCrypt0r\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5688
- C:\Users\Admin\Downloads\WannaCrypt0r\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5372
- C:\Users\Admin\Downloads\WannaCrypt0r\taskse.exe
  taskse.exe C:\Users\Admin\Downloads\WannaCrypt0r\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6040
- C:\Users\Admin\Downloads\WannaCrypt0r\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:6032
- C:\Users\Admin\Downloads\WannaCrypt0r\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4856
- C:\Users\Admin\Downloads\WannaCrypt0r\taskse.exe
  taskse.exe C:\Users\Admin\Downloads\WannaCrypt0r\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1880
- C:\Users\Admin\Downloads\WannaCrypt0r\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5576
- C:\Users\Admin\Downloads\WannaCrypt0r\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6036
- C:\Users\Admin\Downloads\WannaCrypt0r\taskse.exe
  taskse.exe C:\Users\Admin\Downloads\WannaCrypt0r\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2264
- C:\Users\Admin\Downloads\WannaCrypt0r\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5952
- C:\Users\Admin\Downloads\WannaCrypt0r\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5820
- C:\Users\Admin\Downloads\WannaCrypt0r\taskse.exe
  taskse.exe C:\Users\Admin\Downloads\WannaCrypt0r\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6020
- C:\Users\Admin\Downloads\WannaCrypt0r\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5716
- C:\Users\Admin\Downloads\WannaCrypt0r\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5216
- C:\Users\Admin\Downloads\WannaCrypt0r\taskse.exe
  taskse.exe C:\Users\Admin\Downloads\WannaCrypt0r\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2092
- C:\Users\Admin\Downloads\WannaCrypt0r\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5972
- C:\Users\Admin\Downloads\WannaCrypt0r\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4360
- C:\Users\Admin\Downloads\WannaCrypt0r\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4580

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:5964

C:\Users\Admin\Downloads\WannaCrypt0r\@[email protected]
"C:\Users\Admin\Downloads\WannaCrypt0r\@[email protected]"
1⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4960

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaultd362e6e0h9c8dh43f8hadc4hbf0abfea2026
1⤵
PID:2332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffcfca746f8,0x7ffcfca74708,0x7ffcfca74718
  2⤵
  PID:3276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,1636935713341596241,11232033339322379014,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2
  2⤵
  PID:5792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,1636935713341596241,11232033339322379014,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2344 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5396

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SendNotifyMessage
PID:5440

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa38bd055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1828

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
1⤵
PID:6044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\022c26fc-4394-4423-902e-cd4decf9681a.tmp

Filesize
99KB

MD5
4e75d9090f8440de30e9e1da20ac418b

SHA1
f78db5bf3ec0a561fda0a761e61be895ef2bab8a

SHA256
2326d87d5df5d456e73156123d23eb9bb45f1b40fce718ac6f7dbd5f6acfae3b

SHA512
8e8087b2be04d242edb6eb0d840d3f28ba10ed0d5dfb1ffe5cb545db412ca996a8ef3d895c3dfbbd7d03686d959b2a07f5da9d2a699defa6357e263bc0c0a3fe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
b1ce6d543fc75e95662d742716adfabb

SHA1
565783a9ae41371305b80dfea0e03747a8051a97

SHA256
175e116eec8df9de2e5d46b4fe50579d6097b945087bff19cf94aae818a94cc7

SHA512
cc6159e3a561a54beba5e80f254a04bccb39765057cea2906a858212c2a52761fc786dcffd98a4f49d3da9841480d07c8701df67ddb9affca60091547223dedd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000011

Filesize
211KB

MD5
e7226392c938e4e604d2175eb9f43ca1

SHA1
2098293f39aa0bcdd62e718f9212d9062fa283ab

SHA256
d46ec08b6c29c4ca56cecbf73149cc66ebd902197590fe28cd65dad52a08c4e1

SHA512
63a4b99101c790d40a813db9e0d5fde21a64ccaf60a6009ead027920dbbdb52cc262af829e5c4140f3702a559c7ac46efa89622d76d45b4b49a9ce01625ef145

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
11746096499d7443fe14551838883b5d

SHA1
c0b5a32fdb3914bb3c3fddbd5b8435a8252363fe

SHA256
634b2ec555d66700f95f82781986e08869e965768be6210e37c2b344b8c8c91b

SHA512
be1915cb310f38752f9f7579c735c3b9edc742d289a2400fe8859d84798af9fcc4083d9a690f56ab04aa5cdca458ef7f5b4f3a600325c86128c89a46e0f16992

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
602d7ad48302d10798a28a53b96ee3f0

SHA1
32bd1fac6676335c6695574a7debe954f1b1282c

SHA256
edc60885da05e4f42746d84f69a324106f02e75beeb03ec69d428c1ea9c8e696

SHA512
6c4b2256a51f07ffa1d185af899c0561b61816cf0fe6cc314e9731e922a2eb60441daaa9c222dda4c3ae615bc0201d31bb7412e3175847e1e8e2974cd93fe5be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
a2a70bfd6afc44b5a8a3682368dd79cf

SHA1
c8c34415c33862fa53c55e3f0bd2327f0b347e8a

SHA256
3ac2cf5564e76bff332c2271a329461f8dfa74cca39c4060b205b9ea18c90d39

SHA512
a543628e67535f8f1601911b0a90fc9f9de1e3a88135c13ba568a1f1d1fe382bdee20d498961dfe414840b6a3a3df1b55f99291b8edbc4e0f02e5ec81a5690d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
03349bc6118b033a6ae22da4d30219b6

SHA1
d0c66299bf82ec8b0cd6da08bb168ec957dabd1d

SHA256
d3aadea0fe7b09c18b3cbf666c71bc3691f6a962e41a92884d776eacc57126b9

SHA512
485e35445d205a4e14fa84188c291b3d869d10f27df5baf59ea81dd651f3c2f0a4ac2a83ab2e40f6436c26b5fb1ec9fdab0f20036eeff71e957690d4c9333a00

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
0a6491d72dd10191dafefe6493c76075

SHA1
e59c0390152f694c30b760baaa94472ab2088433

SHA256
8d69f1f522f748f27dbec4001d739bddb70f3e7e3c95d9e56de3f80ff84aa94f

SHA512
2ce67454c6f90b1264580e06665724ad70c5389077d3568e1a9051d1c651ae745221431e8fce12f42a0ce0c161d7e0712e44e75498c5a05e6c8ab9f6c611b93e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
6f3806ce697f48e53362888bb4fa9e16

SHA1
925fb507c00122fb2467102ccb23a3a6f42ba47f

SHA256
602368e8bdc88e59d692a6634553f617cd314336de937829e411e0fb068f2f70

SHA512
acc15b3851bebcef9c147d3e61e6c6624f5e60b353c055c2f0c3bd571c25e6cdfdf6fb174ca46f42cddebfb1337e48badef2e43b1c4cc0cb6622ef4ab477d34b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
ec17b8a9653a4282cac195f132eb3f2c

SHA1
19998565a32162bf95da921a22aa383a70a55813

SHA256
dc26267ff82e9fb6c381beb73b644c4222f87c013208a4b223c34e33f2c8ebf8

SHA512
910c82522933166e44749fd3d912455ae6652bcac68a5e8c796698ba2a0fd3c6dc3ef4bef362186dbbf1bf6ecf341370a3606c1b4a8e7dae491bc269e585731c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
130c3ff8aca8970ace4a4a65bd5cb799

SHA1
038a463dfddb31f970ea5fa79f2046d7120afb95

SHA256
1b65b0b1b4b6cad8e7e57576e3c9f8df8d56c11f7c4e0bbaf12352c4b65ca9f4

SHA512
c16d9f3cdb8f077ada4395d648e08db0cff3fcac66f6271314294ce7a11d09013944641e8404ddca52e6e15d727a87e823e1bf072c98d9ef3240cbd9a8fb2d5a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
59f04ea079e8e1431563b5ec37eb5870

SHA1
184e2163ee6bf80cda922ec87b794b33b462cb7d

SHA256
6d464aa9c7b62bb3805980591d53118e71e179d9329775ddb2b987ccb9d37db5

SHA512
fe7d85288b61a0b22ac82971b3b1d818b9476b2656b586e57d87d01f69819f9a07ed69f1702d66f7104e89dcdc7d5bc2880dc53c99791695e1394c46716cf42c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
dddb5cdd0929af1630d2ff2ea8eae31d

SHA1
216f0bd807e7e0991b925634462acc5fa2bfe398

SHA256
64e6e14697804608d9ef88b6879b0f9fe75cdf791537791290c11987f5b4895e

SHA512
6fee7cd9a28764b99e3e95a0541de536f2108c8b8099d5ab7ac9cddb1cfdd0d2258a555a66d68baeed7c3b6535470b607b2ac22259cb5a0ceba8b03c3440d5e0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
122817056518928c821f3101e0030f7a

SHA1
0f6d93ffab48a11e0a8a7a082f4b855263772779

SHA256
2e600b18553efe188539b811a180d1d9c3c398857c3cc2264d9b5599255ac964

SHA512
164562169f57e7b4492cc3349c1416bf4acafcabea5eb506f626084921fb0cc62937008f1a3a11bd45e69d31875db94f4d6702fa999b9b0d30bb8e5fc63c5be5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
72f0c0646582f0236a9fb9d759a28e53

SHA1
b995d93b6b46417d6d302115a69cf82c582719f0

SHA256
1ddb25c864a49c03192debff0ae65a510dd982a922eae724b38f49bc89979d72

SHA512
d7af5490ae57b7f7ec31c6e3adebf02cf81252fd9c807b49d0aeef0d012aaf4c2db96a8756fcae2e3a1dbcf1992b8deba208412fd00dd1d0d1f167593ebc8018

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
c6be7f0d10c425147f021de79621b8f3

SHA1
006abe83b2dd2db58e317491ca89e0d39cc65a41

SHA256
62d529ed1a2e3040dfda6612b6dfd749c9382cac50edc32ae7c57cfe5cb695d3

SHA512
a44cbf4c21479bcaa4f868cb9a89a687102676135b04dbcca2ec8b7be6a44e8cef8c3a39a7649eb08f9e72a21de7220bfb7dbac1dcb4fb352418d4047e6de341

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
6717cee85972cd7268c8349b70e3d82f

SHA1
b514e7adb66c0b099124be78aa14b67bbb3fac84

SHA256
2d24891374bebb984eb74cedc490641ae9eccb5a6c1a215a2b96309053f03e38

SHA512
a444c6a772c2b4bf0e33a591d8b2b106c4ddb92d7ce4a5c4e35a52ee7de0cb9790b5e331f627b656f536682411d15e77efcb379f9ff380cf7e73051491ab8697

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
8994ce71d4c8233639b89270e88e332b

SHA1
2496660b9a89c1f24b57d3edf3f50dbe4fc16959

SHA256
0bd86862c6bfa4f77d26a889bea327357f703b4dd504294c51ac0448cbde2723

SHA512
834d9e444852051b4a4f6d021bfb05574122c3916352f6e0c0a4f2c1fdfe56ff32f4a79f5cb7c1d0afd0a19e41f6cfed43190ba763d73129a780d86304ef141f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
3a7291d85e6c2f801f6f6fb6be26497b

SHA1
6dff359d19450a7bef7e5dbb3c775862f04b834c

SHA256
28e456b848cf0e2511bf0191396338c0b528560aed2b28ba5019af829daa2644

SHA512
7a13bf196a8d47c91089e28a1fb204eab6981a2db6f2ff87201a90fe2b0e15fb817c5c802f50f69d34bdf10f58f69202278bd270daf7c04b938e2f3d0f84e6c2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
a3917859e31438dd14c6f618c37546ed

SHA1
45a1127d6814cccb4b658ed575da27a87b4e153a

SHA256
80c3dfc7c9531e9a0ad18f8c759277ce0776e1d77be4fb5fb15ed3826c8afbf2

SHA512
23dddfbe843d4ed4a95b2eff20f381f94097fefb4a33d3211eb775beba3cdb8c4eaac2f4e996b7f2023e8f00142e6661c4165b83d94901923a466c39ba569868

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
328c60b437ccafb3f8e9566c11bd5ebc

SHA1
16875b0a8d97ff2d24dccbf1e89fe02c48ef7d59

SHA256
e6ee5088f6852dabd0969f9a3714b5e37018ae3b2d8dcbe6130fab3477074a3a

SHA512
1132280fdfa6a8c4b627b356cfec06b31bfa9bbb8ba87502efcb3aa2b9b165f02ca61bd6f9dbc1ca6b334038f4f4fdd1ee8c856982a029f5399a8842f948f3fe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
80d181359beab1955fc425d9171d15e8

SHA1
c2e6235a884ae906c8f027cec78982d0d2f33617

SHA256
1945b9a96444c965d91c913f166e3dd7f54cc8ad90bef76315da36fe7e7e62f5

SHA512
8f70dd739f9b988bde591f3b12a7be6156866c20f74243fe4e00fcf3077bf836dec05e4e8eab495e894008ef3e5a3e9bc7954ba56797060818b6fbb7ae806476

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
d116388b31c9cd6cfd481a9d2e3ebab2

SHA1
ee1f3451c20bd02874ec3cfd3abb6d37b812d0eb

SHA256
ade3a2636e87f2c80a23655358425c0418952b0f61db6ab301f5b3d1dd3fade7

SHA512
fe0d4ef625926267a057491f64710c4d91fe3f4bac6bb8249e97b91c4dd7a9651d358fcccf51ad7e6d3cba38a4a6692c3b8470359d9e372b0fe8bf4e4a416302

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
315ca486500e2f96a10f782e69b08ead

SHA1
f265817eb988bef8b60cf405e6688af853e1388a

SHA256
9a531eee895eefaee34faae3c453bb2ac2af14c302f6e0f9d77d1f9c728045a2

SHA512
2d2efa6fedba2d2652a6954966920718d080322da9dc489655a363f6181a754a8bea1d4fcd6bfa198594ca2343b001cbaf8837bfb286e2a172273cf77138a05d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
d726d197f2be8d5c28cdc7c5d83921e9

SHA1
77a79c010d7197369e40c4a0cc221e9cfb3b332b

SHA256
ae26c65e9eeea7e94e5d66c1cba66cbc02fd816e8684e393f5307b0bed948f6b

SHA512
75a092f00c218e69bb6b779aabf31ccac2a17696bcc36a9163b1de1680c96cb03e011b509a91a3859d92ceb556cb35af3ca7e58f9f7d2495b5e4ff53765e7991

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
06bf25972f940a819cf8a29c1260885f

SHA1
722301091c58e3bef573ae99fd4015fbcded2b0f

SHA256
7b3dc012c37da680a39d8ad451e52926032f0945d0b3e065a5901798242b4509

SHA512
9c5b65a939559fa489f2a5cf40a1f52fe9c2e9f36d8dad1fe0867706aca496fa84813d5aca6f1e210816a591f28ba2eb38f50dd1477609d86551e9577500a422

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
af002641941cb550ecabd815d54d4f74

SHA1
19f1727a204c44e26c0d7b8dcecd172fb074cb24

SHA256
48370f40c1525ba480456f4c9bbaac775482b0846865743ffcd3a2f657b8a045

SHA512
5b0b348b78838d9d8e5519562612ca9cdc549e30fed3969075d30a552eef7ae377205a4388bdff1a6cda4ea8c3403c06f9646c96662e104ae46698ed4134f712

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
5258d59c7028669e50740f52d3b1b013

SHA1
b77d391c87e4e23f2009bdd94399a4db4ce973a4

SHA256
97e3216b733dcfa6ea874f3e4455d2811ab3576fe5fb4fb46935f1ea9b5426ab

SHA512
60045a09f805bf13b1ef5a1a15b95f49f1cad6337317b02232762aa1b0c05e79bc66793d809cecb65da9215ea25e7c67371fc26ec69aaee77567e442ad84115a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
55e62c617e11ec813e7ab85190a5932a

SHA1
f84c73bdf07b160bd5e1068bc453981a2fa894d1

SHA256
b347edb0d4ac534c93174ac04ad18022f282e88475951acd610ea1d70ed8779a

SHA512
1ee9742df23c5bc51e120b6579609b7cb50282c32d1f23bdbd182f517528a660bf068f9ad4927fc3546487af9243f3fb6540db111c8e6a31f1267a05befa4669

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
4b7e407683088b5f0b9f48d0b4ab7d00

SHA1
b9102b52d68002c8e7d644b626ee18083203422c

SHA256
8b1bb36fcc7ba82a025b836eade47345d907dcce0dba67351cb6b0d1632885ac

SHA512
c9fb465b9c9d412142d36ce306b4941a5be452b12adff5ae092bf80bdb8925087d1da84e78b794c253c6a20d6a2d5a4de3c76a1e514a7f3e30e2b53984c52ef1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
cbfdc5a5f0b497f531376ec35d2a9884

SHA1
30071c1410564fabc7b41ca19c5fded67bf49270

SHA256
367733b64b54e86a6abae1ce4001b960758272900727ee46b6eb8fde64cb4b6d

SHA512
d13948817c994f41f864c3fa542163043d7fc12445644d922f871cdda5686f3350d40229c16f4b9d476869a7b3a7b00746bd1540a456a371274e145240be986d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
27ae1c9774d129ff1412fbc5d4487166

SHA1
877d78b6cef76edf7cebe491dcf8e18bb23ec30d

SHA256
ff88eb9a895085a6620095d732a3eeb852d3a12801e93769ee1faef371a9ce97

SHA512
09d465428bd8eb108875e22c83b4c1f017874cbedaf2ef7fe0969a762370930602586f89a96942ad36fcdb6c4463b20a35954321b75f1dd97a21a435f4d9b348

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
0db3f4ab63d7bd5ce289e857ecdf4909

SHA1
755cc59872332e464bdc3f2b5fb93c19515eed54

SHA256
3f4fbb842e83a5934fd36a5e1c0aaaf13c68f06ccbfdbafaf0434ac6e1d178bd

SHA512
6ea40e71382bc05a099c499707f33971ffe4fbfa2285fab26fd3dd2c298e9b8a71857d674886df9bbb9d3776285c7b74c45a134ffd4f84e286a2d9f0a0c7d9d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2aa0a4442af65595f897f969990b42d0

SHA1
b4a1ce4c0627c9235992e3d10521199aaf687427

SHA256
6aed0ba10eb606112ca4c8e8c04cf494b2d7152fb413749a75bbe3eea6795af4

SHA512
c0b9bb95e5cfa6756efb889e1044091005b7b6b14b76032ffdd3fe12a58c6f2ff86c3e85fc6eb0a3fb66275f2e647d287facbf910e5d92ed0fe3ad9092f98598

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2b73db4a7f3fe1e5570dddbab1c65bf3

SHA1
0eaf1b094794f20cf2015dcbdbf6bbeaf5172595

SHA256
cc1243a92d5de104296903673f033741788e75b60328626e2b1a0df1854cc46a

SHA512
f0f31d1b90b31954aabb6d4bab366473968703a6c5182461cf63e3a4a09a89bbb4f583c231b7d6152b7d8f1817b327f62ab1c957c1ca280bd630ea638416c35c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
107c0d988298fffeb94c4b9859a844fb

SHA1
3f740d669b20eb64137efe203e646993e405c13d

SHA256
332b1690069cf5ed729659ca857a34c48abf98bffb35c73ff9c12ffa0207387a

SHA512
98b473a54072a298112698b013060d5a2c17002dfaf3ceca86167b0f88145614812c43d4ad52ceab03e4291baf003eb5fea6d4dd367d3087d60020cbe902769d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
53f2d74090e239ff828ecd9f1483c380

SHA1
02116a5f5c2cd46869183a0242b0ef665e4ddd62

SHA256
1809c78211c0975342f9449e555ee49e342ffcc273cb516eb9ffda4cf62c6f68

SHA512
931015e8957b8d92b41b6181572d3555d78f02dc0ae646e3ea51d1fc09bce7a89fd8448aa18a738158a84a4677b7a45bed18afaf6b712a5178bf115c69f0dfc0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
1b847b1cd72348487dbdc1b00be72ceb

SHA1
add92edd852d6c8a2e24773d6ecf7a7b1cf9654f

SHA256
e0d464c7b50fd32df230b66d2f768949fe0d72629324a94f66724df294564067

SHA512
17ecbca3f0985490299a64934f6dbbe76d9265d066e975dabcc0150159877e5225b35a0eb21e73a15157309c726512186f47a2af7907d323186b4abd12373a30

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
c73f7a55565728eb2636c9b2e36ff949

SHA1
d3edd708a52d5b4c75576057ecc5308c41f1ab58

SHA256
bc0d569803eed44d4f0de05d9fd4ffc1bcbea165536161ba867d41df54fc36d0

SHA512
f35f0766979e4650af20cfbbb3982923403980c3e275396294fa93f2ea59220716d009a179f7603b03a5957390d04938d10e35590ea86a687e1abe455423905a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
12f626256066f01f4a73785e1a496bf7

SHA1
0ede08e67da7661398ee395bf359beac313eff79

SHA256
0a9964e2c9a917deccfdf3ea6335cca11317665b13439cf551ef48005707023e

SHA512
f84db5680b30bd72a94dc237da5d17c7414871beff44700a682593c3951ad32d2799771c73f47a1a220778dd1151e2e4fba1ca379afd618f412fce3ac1f538da

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
5ea62903082bdc27fc2903556eb52d3c

SHA1
dc48e5e771724bc91492e90a399faf7ea527da71

SHA256
42ea2727910c9dd1a18d9845d4c2e31f57399e1699b6a6ce88419f8cd20dfa5e

SHA512
bd13a9c807d46ebd0f2319232009aa160d2d5c57924be70187adf37a6c6a5f8d82151e55b3a30f258bef112376bd487d35836244d0544dfa642a0885b017c44c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
6f8a44feac7274dc62b99b6b9b67ffed

SHA1
2ae0d440612b6d32deb76a7406f47ada03a5e73c

SHA256
294b9d0360fe58dcbde213a66a22fa2bd132f60a393c2c1e841066de9b0e0e57

SHA512
3c621dd66e1eff758c9f4e29f5bc60df8c179c23b0a94d523926da72638e50f2e47216d6a011314b6fd32d73cb6ec4dfedae19ae3bae1bd137b0d6417b7e7dde

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
cdd964101af7ceece1e8e60288754293

SHA1
9c73d03ed6f9cbcfe46d892837cad8de0efd33f9

SHA256
0e02e0c0f15fe08ba47dbeaf86ee23ec0eb508bdddedbed56ac5757215f973bf

SHA512
c3332b12e5171d0f37b7f1aad6b5e3a1aba16c50e32ae27c6cdd582871ad593cdc5eb0e1ede6cb651c9fdaab599a054076da69cf12503d9f128a8ebd0b77ba32

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
760e81492af6538d552aa9d7b4a5fc4f

SHA1
bbf8c91312ae84eb46364ee40f32d09637b6e151

SHA256
f403a3e43258af01155b94888d8f4ec4e9a0e48ccce5bd0248f08b7989639169

SHA512
2dad83cae85d280c634ee770c477877315939280b0c778b6af667accd2e4e780f5f1a55ca7c64d77947700b09182584f5117056b51edaf10abc6a7b0dc0055f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
602240f95104e2bc5bf2b29b5ead25cb

SHA1
9b5b7ccbfc492fe0bb22336bed6087b4514898bc

SHA256
6185e32dc108c7fb45920712d79835c6114b2f10f18920c77e9a46ae0496e09f

SHA512
e0b5818eaaa5e6935e2813c28655a47195baef5ef65f2b6d70ce2761b1b740f0fd1fcf247f495efbc92bf5003a4d0cf65c9e2e18388c3895e412eb5ca39bc168

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
74b2b1e1c5b3085f0f84b013ea61d5e8

SHA1
924d9dbfbac4ba78b6fb17c47d8b0351f073e81c

SHA256
d547f6979bafd1ba7e53dd4c1bc91797561ca6e7606a305fa301cd31c005c57b

SHA512
5be4d1956713cbacf9bbcf2af3524f100b3cba7ac5301a47c20899329c03ddc802a29f462730652049e246079b128d378dc550e6ef4f639616d78e036bc2eda3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
8dfb95d03926d3fa7fd5b3a8e45c93a3

SHA1
c5a9e255f7317ae18ba3478809b5e2db2b8e045c

SHA256
df234570fdd95dcb30bd5369e185ca2159dcd02cce31a61f2537f90a2da46ac3

SHA512
4f13db805016626d5c384c60cef95f9be2b1bba5f8c272b2eb033a7db0f4a46ee60b147b6af316520d363fb3a8e5620dd7da2a35c4f31b70b71de8c063755594

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
3ff9e07e6cfce806e2d1186540590980

SHA1
8a6c7800275564c3025cf8a89337ed3c0f2f797b

SHA256
bac7548e87db64d971d43052aaf601b09720951b36ae64941ed0499f52709cb1

SHA512
fae8498d8457d4ffd9a24e7d9aebb877d74ee558388422ba1bbb2f74cff2b287395129b2dda3d53bff175c458c61704bcf10f51ae3bc293188f3be9fec3e22e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
089724e4ff35ac6da63ed7c9d1730668

SHA1
2b8ad2be6ef1d82a417f6456a2ae469a5a1735ba

SHA256
9549cbec4c6716265ebfa69489165c146df72d66a18b684eda18421b8ffd93b1

SHA512
ed155e3daf95b47557107d7626130836ea696f2a3ff026432948f89b40cedf8847993ae56b1576585dd9a10411e59d5b8d5854c5ce2af9c18fb0c8ff1336a089

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
adec33f03c688f693a0c8a745651c14b

SHA1
468a67c73f9bf62a5fd3a494c595fed3b0828351

SHA256
b1f950ba1f8bca855146cfee9bd8b3baca4219760a32ecb01ec6bb1d60f33a45

SHA512
e583372f55fd49d8b222e83e17a706bae5757fbe2994ebdeaf142b9b2dd50f45f6b719af4b99770ada824ceff689f3f5be14010f3338ee696dff451bad6b1ef6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
3e7923e782a3e6ac684783784876377e

SHA1
afe5d7198a4290d429e072a9dc1ffe28c7f53a1b

SHA256
e2424b8dd6b1ab44ac02eed8013f14fcd4ba4fc4475341845a4748f7ef6a80f0

SHA512
f2737f5b7ef0266e7b577b9fbe7a8737f974fe5c575c827b479774ee7d6e5a8504578ceb19871e6dab3ab927e67532d81288395f963a34f3c07b081b2ac890e8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
7420239f51bcf1ef144f80c7a9b61fac

SHA1
8b37bf4101b7f10817c70824ebd1a70a7b2e4d45

SHA256
553a34864c3ce30564232d90a79a2412d62a79b2d12dd1dcf154a1be3a9b8da5

SHA512
294bccc4b211d8078a6aa6138b1c5a6221c38eb276c5de3ce46470b0facbde07ee0485cb0f161d3b0747e7bd39f43b575a4a68abd5b1d659fb25ccd1e2d78091

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
185848d31231e0956d71186fffe1967e

SHA1
63d089d6354a0984ed7eb5370cb0f5caa51665b3

SHA256
604dd062d929c3cbb2c331bbc4cfe8c35e729e39ac06b3efb803a4fbfe0e2cf3

SHA512
e147cb815cbdebd7b8b0ddb6dd92ad4335fdb5506f59b04f9e6e5cfb225886311e6bdea4e41492e308a08978169562ae0b0d0c6808d79a3a1f02b19954c0977c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
8e32e42c367d312f7dc582828af2bf56

SHA1
22774345aa60f4994ddd9207cba78aa3fdc35030

SHA256
9c7e6da4d8be951e04332f34cf82caf8dda76db8d977bfa5b188146ce39b5a97

SHA512
4fc7a4975ce35946013a46809f0e6f59ac62ce9a3f56a09a74de5818ebe667cdc113dff2a5f5c4a67700ecbde6f1e849f8938935068a9347bb88a08c03db075a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
5c409de18e812a395ddd3ff1b322b18e

SHA1
60593d0bfcacb94cbeeb1ac02a5e74b7e485233e

SHA256
fc6add90793527f585911b4924127d43bdfed72ae2ac419f38e0c48ad0e4c15f

SHA512
693a0d2552ab3ed94ff4233bc836609ac203240824ddf47e4b35dada2fc631c5ecfae675d7e11e9e5dc6d647ccb768699e6896a8a6df45ffed768949a61d86b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
3217b6bba39f1fa050a4c62bee9fef0d

SHA1
5fea3c551812e348cfdc9324f78b1f13d61b9b0e

SHA256
89677ad2312528932daec95dbb59dc8b66e69cc36d16a74ef8385ab74b5849b7

SHA512
ba67be4498a7a6868173a008d67b019e3cf9dfed5d3eacfcae471773395b59ace28c6626ceb9a79449bacd9051baaa1e5ded23057cf11ee78de0748dcdf9da54

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
3fbab97d6d44da41f8eba7cbb58311e3

SHA1
84ca4968115e41c1f9341a16fde33e1d60a3cd86

SHA256
dcb30d540fa44337a2b1e7bb0d7cea7d91390b46c906d42af0936f1031079fe7

SHA512
77aa95edde7a2d800c2ec85ab14fc9636c197bc670619d7f4f0aeed7559de939a0f015c071dbe96b4dfac3de3be406fd9decf90e2c0487a83eec404dce461a66

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
4b0e5116ba979fa41ba0ee295391db14

SHA1
b265b24f7e597f55ead0cc495227a36a4da321fd

SHA256
cb87022a6687d110419d982f13ce8a1b2ddd24a67d3458bf98f63a8f445baf94

SHA512
547f5954561bf82040594ede8ca8227337a9beb670d53d08cc8b6be1cadfcb0688aa4b4af27b79a5a54cea599be02bd0784545bd4a1be9c3e02609b3215510b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
116763074670b8a15bb651077980c482

SHA1
2d85d8aa9bc6376e6475fc2554084796b8a4161a

SHA256
e76b3731fb57f275683d7121c90837062b7f0855818df6ad9c09413f8ba008c9

SHA512
a89da010d4ece5f6b2674e9eab5e080ced432e7714510c889bdec50744e0d54c1a1a905db48e8dc09f2b7f306021f95aac24bae00c8adc1695a88ae1214c4570

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
668b113f1d075eed0d43da420bbc8396

SHA1
3d903045367339e0f58ddccb7414858ea174fd1b

SHA256
efaa209694bb8c5857f389a4d9007245ac64acc9c91a9f6ce057560d90863726

SHA512
e128b12f9b701fa15e20025a20ea21e5d8a3df91fd20367aa8083a7b8d3a2f77de5e5aad885e41185b598b013e2b1f4071b2ae3cb339f7277b33b6429dcf5b40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2783c40400a8912a79cfd383da731086

SHA1
001a131fe399c30973089e18358818090ca81789

SHA256
331fa67da5f67bbb42794c3aeab8f7819f35347460ffb352ccc914e0373a22c5

SHA512
b7c7d3aa966ad39a86aae02479649d74dcbf29d9cb3a7ff8b9b2354ea60704da55f5c0df803fd0a7191170a8e72fdd5eacfa1a739d7a74e390a7b74bdced1685

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ff63763eedb406987ced076e36ec9acf

SHA1
16365aa97cd1a115412f8ae436d5d4e9be5f7b5d

SHA256
8f460e8b7a67f0c65b7248961a7c71146c9e7a19772b193972b486dbf05b8e4c

SHA512
ce90336169c8b2de249d4faea2519bf7c3df48ae9d77cdf471dd5dbd8e8542d47d9348080a098074aa63c255890850ee3b80ddb8eef8384919fdca3bb9371d9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
18KB

MD5
2e23d6e099f830cf0b14356b3c3443ce

SHA1
027db4ff48118566db039d6b5f574a8ac73002bc

SHA256
7238196a5bf79e1b83cacb9ed4a82bf40b32cd789c30ef790e4eac0bbf438885

SHA512
165b1de091bfe0dd9deff0f8a3968268113d95edc9fd7a8081b525e0910f4442cfb3b4f5ac58ecfa41991d9dcabe5aa8b69f7f1c77e202cd17dd774931662717

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
2a3ea308e0ae19eaa203cabd397ade36

SHA1
866dc057842378785f68d67cd06db1e964f8ee2f

SHA256
74ebb7cd34fb930dcc1aabd355d5cb077ee0851b84d75a8e42eded1133b25ed5

SHA512
ac63d802ea8b8f0eb02281e1d545bfadba4a45cb113c01920e1161ebba63f510fe7eb8d20dbdbf92aec7fc982a545faa8b515e6bf3d8469db856f70432f83e7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
ccd1b5b8cd94d937d3fe959d58a998d4

SHA1
e2228be7ea56f7a4652f6b82a79e96b6b50685c6

SHA256
fe1743285fc255752b87cb50dc6b9c4064f64f93e5607f1399a2dd3742abf630

SHA512
2348c908bec99c588dc2ea013525fb397f8ac5a1f69ecca2f7396bf5bd3b17daeb537b5b6ecefae73a7846d93043bf565e7ad430cf8b84b53b99b59a9f2beebe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
663B

MD5
6a8ce64eaea5f715c7cbf9379b2b17e3

SHA1
39df10620a9fd0e947d3bdaceb9ecf0924131864

SHA256
85e999b7267298a11c774e8151a329e0e3765a357c2ab94de6a931dbb5e5d4fc

SHA512
04e78c7bcda8950a7f85ac2e20e6ec3150a30d896efab0a71aefb337dac8fef3d691e0c4ecf85de168b6c629d86dde4d3e6897c02fe93b083b334ea1f9f91391

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
663B

MD5
541183e116815b6319c0297d707385d4

SHA1
5953d049440eaa200e72d08305c212215b42af20

SHA256
d8666abdcdc0a013032693dfa1ec533acbee05033782cb74f5d57d63eeee20d6

SHA512
95a05f54318d1b4204be5c9bae4c714326b3c1858a7847377463231eaef159aca785792c0017efbac5698aa31d9544f301d845a02b72906ee454ba17e6ff0584

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
9074a0f4284f775d8b1bcb642c631e6d

SHA1
406f36c6743aa467333c68f8766ed09620932e62

SHA256
52bacfa1920e16a2ed4c5e5871fed55e239afe46a5c81d54743d43f4a8dfaef4

SHA512
a568cf26e36bb835166fcb5450d8ac98eee39eafc2f18f0cb80ceb64714aa7f7bb84130fe92796761ca5575271c40cfb51ba4e079fb337d0ad8d0285c11197c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
653e6ebfb1dc593b645e4739dbc0cfd4

SHA1
a9ecbed74ffbafa99acccb64329c6acf3902ccc1

SHA256
239d0856111d89692f3db8aa65f868c361bb42e6e72b3a0e170a9c0f8ba77b3b

SHA512
583e03d71f3a03fb4f7b4c4aff7c946fdf29fc21ab49fe873c91c6251a5a854bc5bd1ca1c3cbd82b69226b6c42eb2e6816385062ca5ba0f66fec23d5409c87eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
76fcc74595e32c9798c98ba50a549c0c

SHA1
ba3dcc9e0e208233002c3e3ceabd743b9d86ae13

SHA256
49c415e4655ba79c29bc9c1cf2e2381da796064a03b55d688ff6b8875e6fc2cd

SHA512
0f1db1be9283491c33316ef7ccc6700ef3964c8d63057341778229c2694233e8005025a9f7b63d4457c17b593e73acfac6d24d7801d80a83d63bcc8efa49b881

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
65e05892da1e3e5871ad20073c384eb6

SHA1
a7903710547c6b9a53180a34e6caa2185fa957d0

SHA256
b4d88e187b217c1bdd1beece5446c34aea497f35a950d8f2ff1dbbb871dd5ac8

SHA512
50ba80589cb9410d45c81841dc54bea6b64fca6537c033d357bbf0e89e82b8d925aa671c0c8270d54906c756c750971de620951b75a0b4282f791589964d313b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
066f9da41957e12804102bd87881cfde

SHA1
a985a26809238a180300c3e34c6975aedf5a774e

SHA256
2e2ffc436a38aa76f9b629f3daae570dba7ebc1da06ab2982270c6a00e552735

SHA512
075b16acfa623b95ea96719f5693bbf284fb576c5c7264ec6201cf821bb39c8125028508483bfa7871fe40cda09841baa17e943b99ee619f7579a25dd9aaf4bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
a76263a1453062fc3aee10916bb1fe2e

SHA1
c592cbc8f2f9f24c92c3eb9d3b16adccf1be9060

SHA256
647c3e7854565ae4cf25a5472d190459530740e92f7b28264e3bec8b06976ce2

SHA512
dcb4f3a17507f5cdd2e34fb8d40271fe902ca480ed22ff18ee7ac76fde743afd89c9fedcf246a4ab19869ad46338c45cae2dfed2ea62c5d7ea87cff4a309c025

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2d9805791ae4d75246c834e9a48683a2

SHA1
709844a6ffa8ca5c4a14aa19c876e23c2feef2f0

SHA256
0a0e26a238c8d41b160e2213337522b2a5b2225db4e5eab65d7570db0b6e96ad

SHA512
1bf9a324fe7ad261cd2d9a20ecc34e468db239606fcbd68af120ebd836d3e3f714110689effb41ea8048fcf5cbb0a5bde8dc39419b90cbdb3fb04df57978f3d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
581d1eed62f7437f5a1bdaaef16c680d

SHA1
67176a8e76ff956011e90ecb314241d97bcaf061

SHA256
9d8c39f0fb1f3b3350074265a3969365dee52bd6f794e0cef7a688a10ced7abf

SHA512
8b50830e0502d73720931178b4394333797275fe33429d2c0aa5b36f4df516b093ae2ea229c08c5132f90f5bbc33ae952820234139d0247cd8e38a6402c4a84e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5a05be.TMP

Filesize
706B

MD5
e285b705381c028809d0f7519485bf14

SHA1
e044baa16275e7c48fe2947232003e76bd53bbc9

SHA256
55674c9ac4cdabbb5419e9fe3f91d13c2a165db18974789681c702f6d0b55c31

SHA512
fd5b42f634677f51f72cfa38f18f455714f6ccb3eb7874d7568da5b9a6d978ec1125adcdc4aa1efdbf5ba0c5c4f7b4d3be227b6d02cba21f1eaed54235b726c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ebf2be6589c9f19c5581fa260194cb09

SHA1
3e3d761e94a6c99f5d2642e3d5c5315a7fb896df

SHA256
d4cbcd4c68a4a52d2cfab0b111d6dca8b8678288dcbffe6f2f7c5ba04f897362

SHA512
5433117cd0c6e9162da2e664e404b00fc233682455dcaaf42b8cf042bce24ab2823eb95ff2fcd3b54fe317ac2a840961e7c24fc425c39d8bd1a6157752e6b700

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
fea400b55d69996bb55ff27bfb234d83

SHA1
43694ae3e1fd2a2015547508318c75c2910e22cc

SHA256
08fa53cc9ce0efc706a5f316fefdcc215548471b0c9fc3e3fa8c9eb1bbdc3a94

SHA512
a46c1004a142bc2d6bc87aca31865ee66e63c1f764aba543b4b177983343d5036d91c59fc9e8584a01e72b9117ade9567cc332e95cff38991588661c12e349ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
9dc13bbb7b0d8dbeb5ba446de1a9b64b

SHA1
35fb5fe737f8ad37ab554228542ee1b03a4b92dc

SHA256
dfed2272d8d1d4caf9b9c474992d935082031564594fac2db9b46475ac30794f

SHA512
26cc6ca3b08e49dc1cdf34e51a3821a9bfff0f8ff62067770584fcbc00120e4ccced22835438a94b54ecc337221970f159a7f830e0d920a7f974d675d62be1ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
cbc56c548c7e24ada7155c04a1bd14ea

SHA1
69f4ec19905136f8c8ef84cfeb6324450f19b83f

SHA256
fb84c46ba0173bde9466e98da0456cd3fb0c39b6ab0b1248503471f30e97e080

SHA512
a922f95dc0774cf9928a8626aab913f6877591182576820a78f2e361e80e20657c84bbc58a93a7a099ac816810be25ae386a03afc0f3c1f89452c1e4fa7a23c2

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

Filesize
6.2MB

MD5
d97dad6ec2721d272c9b858a0e03448d

SHA1
d4a10066b33639214310ed02abb67eda26d245ee

SHA256
584b7c34697591ee433b931be9ab52bd84864316a1b72045ca6f7e7ae8b52967

SHA512
4c2b9c6b4cae36922bba9d1ef6cefb04879d48bd1941a9e5167348c7b86b510cf3bd130307839a044e41de70384f25e62fad4bf9707351b887798f92f5ed8b70

Download Submit
C:\Users\Admin\Downloads\7dd47e95-e7a5-4cad-ad09-caa847b7eeab.tmp

Filesize
66KB

MD5
196611c89b3b180d8a638d11d50926ed

SHA1
aa98b312dc0e9d7e59bef85b704ad87dc6c582d5

SHA256
4c10d3ddeba414775ebb5af4da5b7bb17ae52a92831fe09244f63c36b2c77f34

SHA512
19d60abf83b4a4fe5701e38e0c84f9492232ceb95b267ae5859c049cea12fee2328a5d26ffd850e38307fb10cb3955b7e5e49d916856c929442d45b87071d724

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r.zip.crdownload

Filesize
3.3MB

MD5
e58fdd8b0ce47bcb8ffd89f4499d186d

SHA1
b7e2334ac6e1ad75e3744661bb590a2d1da98b03

SHA256
283f40e9d550833bec101a24fd6fd6fbd9937ed32a51392e818ffff662a1d30a

SHA512
95b6567b373efa6aec6a9bfd7af70ded86f8c72d3e8ba75f756024817815b830f54d18143b0be6de335dd0ca0afe722f88a4684663be5a84946bd30343d43a8c

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r\44511725040361.bat

Filesize
348B

MD5
16a4cb5a158a7f698730b0b63fe9c53f

SHA1
c22fe5bbf3ee4509c185e493a799c0a9ac779c7e

SHA256
0d0541fff4b5c257cfa41cf2aab38ca207804e7bc3251d3aade104beca73b137

SHA512
4a8049b0ace11a074b8648ef9515fc06fb771ade4ab11fb6f123d6ff76cb581295f01de4c8b6c5eeb445d9f7c0dfcb1ebd6fadb08f56b4239d168d4bd1106afe

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r\@[email protected]

Filesize
933B

MD5
7e6b6da7c61fcb66f3f30166871def5b

SHA1
00f699cf9bbc0308f6e101283eca15a7c566d4f9

SHA256
4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e

SHA512
e5a56137f325904e0c7de1d0df38745f733652214f0cdb6ef173fa0743a334f95bed274df79469e270c9208e6bdc2e6251ef0cdd81af20fa1897929663e2c7d3

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r\@[email protected]

Filesize
696B

MD5
7b2215cda78762bd0c14ce1df2ebb848

SHA1
418e5a4b8a39d48f515c96c8aca36c0065d552c7

SHA256
5fd18b02f32f982377f91ca056be9b09388db4bfc24fde3e2892406f91203261

SHA512
da0d446429002e7507068aeb2cfee5fe56081e2f966190c9b1c02ed7481ef452a44305e813e665f6fbd446151d622603a3388aff7c85d6ea551a012cf677f4a6

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r\TaskData\Tor\tor.exe

Filesize
3.0MB

MD5
fe7eb54691ad6e6af77f8a9a0b6de26d

SHA1
53912d33bec3375153b7e4e68b78d66dab62671a

SHA256
e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb

SHA512
8ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r\b.wnry

Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r\c.wnry

Filesize
780B

MD5
93f33b83f1f263e2419006d6026e7bc1

SHA1
1a4b36c56430a56af2e0ecabd754bf00067ce488

SHA256
ef0ed0b717d1b956eb6c42ba1f4fd2283cf7c8416bed0afd1e8805ee0502f2b4

SHA512
45bdd1a9a3118ee4d3469ee65a7a8fdb0f9315ca417821db058028ffb0ed145209f975232a9e64aba1c02b9664c854232221eb041d09231c330ae510f638afac

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r\m.vbs

Filesize
227B

MD5
93e7789ba451ff2677469765ae70f4c5

SHA1
ae58d6905d8de2541de0b54bc405bba0d04072c7

SHA256
365e4a23210e544d4b0df2cc58b74595d5bf19d7b42097da13f5abf6472d5bbe

SHA512
1417fa2c57b3abc4a8c545835cfb623a38d1fcb7e81f6065d0fd80ab70dd6a3f4a104037a6f6212d4e61115e74792acc1d56836c2f7d228b595650f5be39debc

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r\msg\m_bulgarian.wnry

Filesize
46KB

MD5
95673b0f968c0f55b32204361940d184

SHA1
81e427d15a1a826b93e91c3d2fa65221c8ca9cff

SHA256
40b37e7b80cf678d7dd302aaf41b88135ade6ddf44d89bdba19cf171564444bd

SHA512
7601f1883edbb4150a9dc17084012323b3bfa66f6d19d3d0355cf82b6a1c9dce475d758da18b6d17a8b321bf6fca20915224dbaedcb3f4d16abfaf7a5fc21b92

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r\msg\m_chinese (simplified).wnry

Filesize
53KB

MD5
0252d45ca21c8e43c9742285c48e91ad

SHA1
5c14551d2736eef3a1c1970cc492206e531703c1

SHA256
845d0e178aeebd6c7e2a2e9697b2bf6cf02028c50c288b3ba88fe2918ea2834a

SHA512
1bfcf6c0e7c977d777f12bd20ac347630999c4d99bd706b40de7ff8f2f52e02560d68093142cc93722095657807a1480ce3fb6a2e000c488550548c497998755

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r\msg\m_chinese (traditional).wnry

Filesize
77KB

MD5
2efc3690d67cd073a9406a25005f7cea

SHA1
52c07f98870eabace6ec370b7eb562751e8067e9

SHA256
5c7f6ad1ec4bc2c8e2c9c126633215daba7de731ac8b12be10ca157417c97f3a

SHA512
0766c58e64d9cda5328e00b86f8482316e944aa2c26523a3c37289e22c34be4b70937033bebdb217f675e40db9fecdce0a0d516f9065a170e28286c2d218487c

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r\msg\m_croatian.wnry

Filesize
38KB

MD5
17194003fa70ce477326ce2f6deeb270

SHA1
e325988f68d327743926ea317abb9882f347fa73

SHA256
3f33734b2d34cce83936ce99c3494cd845f1d2c02d7f6da31d42dfc1ca15a171

SHA512
dcf4ccf0b352a8b271827b3b8e181f7d6502ca0f8c9dda3dc6e53441bb4ae6e77b49c9c947cc3ede0bf323f09140a0c068a907f3c23ea2a8495d1ad96820051c

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r\msg\m_czech.wnry

Filesize
39KB

MD5
537efeecdfa94cc421e58fd82a58ba9e

SHA1
3609456e16bc16ba447979f3aa69221290ec17d0

SHA256
5afa4753afa048c6d6c39327ce674f27f5f6e5d3f2a060b7a8aed61725481150

SHA512
e007786ffa09ccd5a24e5c6504c8de444929a2faaafad3712367c05615b7e1b0fbf7fbfff7028ed3f832ce226957390d8bf54308870e9ed597948a838da1137b

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r\msg\m_danish.wnry

Filesize
36KB

MD5
2c5a3b81d5c4715b7bea01033367fcb5

SHA1
b548b45da8463e17199daafd34c23591f94e82cd

SHA256
a75bb44284b9db8d702692f84909a7e23f21141866adf3db888042e9109a1cb6

SHA512
490c5a892fac801b853c348477b1140755d4c53ca05726ac19d3649af4285c93523393a3667e209c71c80ac06ffd809f62dd69ae65012dcb00445d032f1277b3

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r\msg\m_dutch.wnry

Filesize
36KB

MD5
7a8d499407c6a647c03c4471a67eaad7

SHA1
d573b6ac8e7e04a05cbbd6b7f6a9842f371d343b

SHA256
2c95bef914da6c50d7bdedec601e589fbb4fda24c4863a7260f4f72bd025799c

SHA512
608ef3ff0a517fe1e70ff41aeb277821565c5a9bee5103aa5e45c68d4763fce507c2a34d810f4cd242d163181f8341d9a69e93fe32aded6fbc7f544c55743f12

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r\msg\m_english.wnry

Filesize
36KB

MD5
fe68c2dc0d2419b38f44d83f2fcf232e

SHA1
6c6e49949957215aa2f3dfb72207d249adf36283

SHA256
26fd072fda6e12f8c2d3292086ef0390785efa2c556e2a88bd4673102af703e5

SHA512
941fa0a1f6a5756ed54260994db6158a7ebeb9e18b5c8ca2f6530c579bc4455918df0b38c609f501ca466b3cc067b40e4b861ad6513373b483b36338ae20a810

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r\msg\m_filipino.wnry

Filesize
36KB

MD5
08b9e69b57e4c9b966664f8e1c27ab09

SHA1
2da1025bbbfb3cd308070765fc0893a48e5a85fa

SHA256
d8489f8c16318e524b45de8b35d7e2c3cd8ed4821c136f12f5ef3c9fc3321324

SHA512
966b5ed68be6b5ccd46e0de1fa868cfe5432d9bf82e1e2f6eb99b2aef3c92f88d96f4f4eec5e16381b9c6db80a68071e7124ca1474d664bdd77e1817ec600cb4

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r\msg\m_finnish.wnry

Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r\msg\m_french.wnry

Filesize
37KB

MD5
4e57113a6bf6b88fdd32782a4a381274

SHA1
0fccbc91f0f94453d91670c6794f71348711061d

SHA256
9bd38110e6523547aed50617ddc77d0920d408faeed2b7a21ab163fda22177bc

SHA512
4f1918a12269c654d44e9d394bc209ef0bc32242be8833a2fba437b879125177e149f56f2fb0c302330dec328139b34982c04b3fefb045612b6cc9f83ec85aa9

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r\msg\m_german.wnry

Filesize
36KB

MD5
3d59bbb5553fe03a89f817819540f469

SHA1
26781d4b06ff704800b463d0f1fca3afd923a9fe

SHA256
2adc900fafa9938d85ce53cb793271f37af40cf499bcc454f44975db533f0b61

SHA512
95719ae80589f71209bb3cb953276538040e7111b994d757b0a24283aefe27aadbbe9eef3f1f823ce4cabc1090946d4a2a558607ac6cac6faca5971529b34dac

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r\msg\m_greek.wnry

Filesize
47KB

MD5
fb4e8718fea95bb7479727fde80cb424

SHA1
1088c7653cba385fe994e9ae34a6595898f20aeb

SHA256
e13cc9b13aa5074dc45d50379eceb17ee39a0c2531ab617d93800fe236758ca9

SHA512
24db377af1569e4e2b2ebccec42564cea95a30f1ff43bcaf25a692f99567e027bcef4aacef008ec5f64ea2eef0c04be88d2b30bcadabb3919b5f45a6633940cb

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r\msg\m_indonesian.wnry

Filesize
36KB

MD5
3788f91c694dfc48e12417ce93356b0f

SHA1
eb3b87f7f654b604daf3484da9e02ca6c4ea98b7

SHA256
23e5e738aad10fb8ef89aa0285269aff728070080158fd3e7792fe9ed47c51f4

SHA512
b7dd9e6dc7c2d023ff958caf132f0544c76fae3b2d8e49753257676cc541735807b4befdf483bcae94c2dcde3c878c783b4a89dca0fecbc78f5bbf7c356f35cd

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r\msg\m_italian.wnry

Filesize
36KB

MD5
30a200f78498990095b36f574b6e8690

SHA1
c4b1b3c087bd12b063e98bca464cd05f3f7b7882

SHA256
49f2c739e7d9745c0834dc817a71bf6676ccc24a4c28dcddf8844093aab3df07

SHA512
c0da2aae82c397f6943a0a7b838f60eeef8f57192c5f498f2ecf05db824cfeb6d6ca830bf3715da7ee400aa8362bd64dc835298f3f0085ae7a744e6e6c690511

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r\msg\m_japanese.wnry

Filesize
79KB

MD5
b77e1221f7ecd0b5d696cb66cda1609e

SHA1
51eb7a254a33d05edf188ded653005dc82de8a46

SHA256
7e491e7b48d6e34f916624c1cda9f024e86fcbec56acda35e27fa99d530d017e

SHA512
f435fd67954787e6b87460db026759410fbd25b2f6ea758118749c113a50192446861a114358443a129be817020b50f21d27b1ebd3d22c7be62082e8b45223fc

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r\msg\m_korean.wnry

Filesize
89KB

MD5
6735cb43fe44832b061eeb3f5956b099

SHA1
d636daf64d524f81367ea92fdafa3726c909bee1

SHA256
552aa0f82f37c9601114974228d4fc54f7434fe3ae7a276ef1ae98a0f608f1d0

SHA512
60272801909dbba21578b22c49f6b0ba8cd0070f116476ff35b3ac8347b987790e4cc0334724244c4b13415a246e77a577230029e4561ae6f04a598c3f536c7e

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r\msg\m_latvian.wnry

Filesize
40KB

MD5
c33afb4ecc04ee1bcc6975bea49abe40

SHA1
fbea4f170507cde02b839527ef50b7ec74b4821f

SHA256
a0356696877f2d94d645ae2df6ce6b370bd5c0d6db3d36def44e714525de0536

SHA512
0d435f0836f61a5ff55b78c02fa47b191e5807a79d8a6e991f3115743df2141b3db42ba8bdad9ad259e12f5800828e9e72d7c94a6a5259312a447d669b03ec44

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r\msg\m_norwegian.wnry

Filesize
36KB

MD5
ff70cc7c00951084175d12128ce02399

SHA1
75ad3b1ad4fb14813882d88e952208c648f1fd18

SHA256
cb5da96b3dfcf4394713623dbf3831b2a0b8be63987f563e1c32edeb74cb6c3a

SHA512
f01df3256d49325e5ec49fd265aa3f176020c8ffec60eb1d828c75a3fa18ff8634e1de824d77dfdd833768acff1f547303104620c70066a2708654a07ef22e19

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r\msg\m_polish.wnry

Filesize
38KB

MD5
e79d7f2833a9c2e2553c7fe04a1b63f4

SHA1
3d9f56d2381b8fe16042aa7c4feb1b33f2baebff

SHA256
519ad66009a6c127400c6c09e079903223bd82ecc18ad71b8e5cd79f5f9c053e

SHA512
e0159c753491cac7606a7250f332e87bc6b14876bc7a1cf5625fa56ab4f09c485f7b231dd52e4ff0f5f3c29862afb1124c0efd0741613eb97a83cbe2668af5de

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r\msg\m_portuguese.wnry

Filesize
37KB

MD5
fa948f7d8dfb21ceddd6794f2d56b44f

SHA1
ca915fbe020caa88dd776d89632d7866f660fc7a

SHA256
bd9f4b3aedf4f81f37ec0a028aabcb0e9a900e6b4de04e9271c8db81432e2a66

SHA512
0d211bfb0ae953081dca00cd07f8c908c174fd6c47a8001fadc614203f0e55d9fbb7fa9b87c735d57101341ab36af443918ee00737ed4c19ace0a2b85497f41a

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r\msg\m_romanian.wnry

Filesize
50KB

MD5
313e0ececd24f4fa1504118a11bc7986

SHA1
e1b9ae804c7fb1d27f39db18dc0647bb04e75e9d

SHA256
70c0f32ed379ae899e5ac975e20bbbacd295cf7cd50c36174d2602420c770ac1

SHA512
c7500363c61baf8b77fce796d750f8f5e6886ff0a10f81c3240ea3ad4e5f101b597490dea8ab6bd9193457d35d8fd579fce1b88a1c8d85ebe96c66d909630730

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r\msg\m_russian.wnry

Filesize
46KB

MD5
452615db2336d60af7e2057481e4cab5

SHA1
442e31f6556b3d7de6eb85fbac3d2957b7f5eac6

SHA256
02932052fafe97e6acaaf9f391738a3a826f5434b1a013abbfa7a6c1ade1e078

SHA512
7613dc329abe7a3f32164c9a6b660f209a84b774ab9c008bf6503c76255b30ea9a743a6dc49a8de8df0bcb9aea5a33f7408ba27848d9562583ff51991910911f

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r\msg\m_slovak.wnry

Filesize
40KB

MD5
c911aba4ab1da6c28cf86338ab2ab6cc

SHA1
fee0fd58b8efe76077620d8abc7500dbfef7c5b0

SHA256
e64178e339c8e10eac17a236a67b892d0447eb67b1dcd149763dad6fd9f72729

SHA512
3491ed285a091a123a1a6d61aafbb8d5621ccc9e045a237a2f9c2cf6049e7420eb96ef30fdcea856b50454436e2ec468770f8d585752d73fafd676c4ef5e800a

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r\msg\m_spanish.wnry

Filesize
36KB

MD5
8d61648d34cba8ae9d1e2a219019add1

SHA1
2091e42fc17a0cc2f235650f7aad87abf8ba22c2

SHA256
72f20024b2f69b45a1391f0a6474e9f6349625ce329f5444aec7401fe31f8de1

SHA512
68489c33ba89edfe2e3aebaacf8ef848d2ea88dcbef9609c258662605e02d12cfa4ffdc1d266fc5878488e296d2848b2cb0bbd45f1e86ef959bab6162d284079

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r\msg\m_swedish.wnry

Filesize
37KB

MD5
c7a19984eb9f37198652eaf2fd1ee25c

SHA1
06eafed025cf8c4d76966bf382ab0c5e1bd6a0ae

SHA256
146f61db72297c9c0facffd560487f8d6a2846ecec92ecc7db19c8d618dbc3a4

SHA512
43dd159f9c2eac147cbff1dda83f6a83dd0c59d2d7acac35ba8b407a04ec9a1110a6a8737535d060d100ede1cb75078cf742c383948c9d4037ef459d150f6020

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r\msg\m_turkish.wnry

Filesize
41KB

MD5
531ba6b1a5460fc9446946f91cc8c94b

SHA1
cc56978681bd546fd82d87926b5d9905c92a5803

SHA256
6db650836d64350bbde2ab324407b8e474fc041098c41ecac6fd77d632a36415

SHA512
ef25c3cf4343df85954114f59933c7cc8107266c8bcac3b5ea7718eb74dbee8ca8a02da39057e6ef26b64f1dfccd720dd3bf473f5ae340ba56941e87d6b796c9

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r\msg\m_vietnamese.wnry

Filesize
91KB

MD5
8419be28a0dcec3f55823620922b00fa

SHA1
2e4791f9cdfca8abf345d606f313d22b36c46b92

SHA256
1f21838b244c80f8bed6f6977aa8a557b419cf22ba35b1fd4bf0f98989c5bdf8

SHA512
8fca77e54480aea3c0c7a705263ed8fb83c58974f5f0f62f12cc97c8e0506ba2cdb59b70e59e9a6c44dd7cde6adeeec35b494d31a6a146ff5ba7006136ab9386

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r\r.wnry

Filesize
864B

MD5
3e0020fc529b1c2a061016dd2469ba96

SHA1
c3a91c22b63f6fe709e7c29cafb29a2ee83e6ade

SHA256
402751fa49e0cb68fe052cb3db87b05e71c1d950984d339940cf6b29409f2a7c

SHA512
5ca3c134201ed39d96d72911c0498bae6f98701513fd7f1dc8512819b673f0ea580510fa94ed9413ccc73da18b39903772a7cbfa3478176181cee68c896e14cf

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r\s.wnry

Filesize
2.9MB

MD5
ad4c9de7c8c40813f200ba1c2fa33083

SHA1
d1af27518d455d432b62d73c6a1497d032f6120e

SHA256
e18fdd912dfe5b45776e68d578c3af3547886cf1353d7086c8bee037436dff4b

SHA512
115733d08e5f1a514808a20b070db7ff453fd149865f49c04365a8c6502fa1e5c3a31da3e21f688ab040f583cf1224a544aea9708ffab21405dde1c57f98e617

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r\t.wnry

Filesize
64KB

MD5
5dcaac857e695a65f5c3ef1441a73a8f

SHA1
7b10aaeee05e7a1efb43d9f837e9356ad55c07dd

SHA256
97ebce49b14c46bebc9ec2448d00e1e397123b256e2be9eba5140688e7bc0ae6

SHA512
06eb5e49d19b71a99770d1b11a5bb64a54bf3352f36e39a153469e54205075c203b08128dc2317259db206ab5323bdd93aaa252a066f57fb5c52ff28deedb5e2

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r\taskdl.exe

Filesize
20KB

MD5
4fef5e34143e646dbf9907c4374276f5

SHA1
47a9ad4125b6bd7c55e4e7da251e23f089407b8f

SHA256
4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79

SHA512
4550dd1787deb353ebd28363dd2cdccca861f6a5d9358120fa6aa23baa478b2a9eb43cef5e3f6426f708a0753491710ac05483fac4a046c26bec4234122434d5

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r\taskse.exe

Filesize
20KB

MD5
8495400f199ac77853c53b5a3f278f3e

SHA1
be5d6279874da315e3080b06083757aad9b32c23

SHA256
2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d

SHA512
0669c524a295a049fa4629b26f89788b2a74e1840bcdc50e093a0bd40830dd1279c9597937301c0072db6ece70adee4ace67c3c8a4fb2db6deafd8f1e887abe4

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r\u.wnry

Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
memory/2824-2481-0x00000000734A0000-0x00000000734C2000-memory.dmp

Filesize
136KB

Download
memory/2824-2616-0x0000000000EA0000-0x000000000119E000-memory.dmp

Filesize
3.0MB

Download
memory/2824-2724-0x0000000000EA0000-0x000000000119E000-memory.dmp

Filesize
3.0MB

Download
memory/2824-2727-0x0000000073550000-0x000000007376C000-memory.dmp

Filesize
2.1MB

Download
memory/2824-2479-0x0000000073550000-0x000000007376C000-memory.dmp

Filesize
2.1MB

Download
memory/2824-2688-0x0000000000EA0000-0x000000000119E000-memory.dmp

Filesize
3.0MB

Download
memory/2824-2758-0x0000000000EA0000-0x000000000119E000-memory.dmp

Filesize
3.0MB

Download
memory/2824-2482-0x0000000000EA0000-0x000000000119E000-memory.dmp

Filesize
3.0MB

Download
memory/2824-2635-0x0000000073550000-0x000000007376C000-memory.dmp

Filesize
2.1MB

Download
memory/2824-2632-0x0000000000EA0000-0x000000000119E000-memory.dmp

Filesize
3.0MB

Download
memory/2824-2619-0x0000000073550000-0x000000007376C000-memory.dmp

Filesize
2.1MB

Download
memory/2824-2478-0x0000000073410000-0x0000000073492000-memory.dmp

Filesize
520KB

Download
memory/2824-2528-0x0000000000EA0000-0x000000000119E000-memory.dmp

Filesize
3.0MB

Download
memory/2824-2480-0x0000000073770000-0x00000000737F2000-memory.dmp

Filesize
520KB

Download
memory/2824-2580-0x0000000000EA0000-0x000000000119E000-memory.dmp

Filesize
3.0MB

Download
memory/2824-2533-0x00000000734A0000-0x00000000734C2000-memory.dmp

Filesize
136KB

Download
memory/2824-2559-0x0000000000EA0000-0x000000000119E000-memory.dmp

Filesize
3.0MB

Download
memory/2824-2534-0x0000000073410000-0x0000000073492000-memory.dmp

Filesize
520KB

Download
memory/2824-2531-0x0000000073550000-0x000000007376C000-memory.dmp

Filesize
2.1MB

Download
memory/2824-2529-0x0000000073800000-0x000000007381C000-memory.dmp

Filesize
112KB

Download
memory/2824-2530-0x0000000073770000-0x00000000737F2000-memory.dmp

Filesize
520KB

Download
memory/2824-2532-0x00000000734D0000-0x0000000073547000-memory.dmp

Filesize
476KB

Download
memory/6064-958-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads