wannacry | be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844

Resubmissions

02-09-2024 01:55

240902-cb6e8azaqf 10

02-09-2024 01:49

240902-b8vjjsybjl 10

02-09-2024 00:25

240902-aqws8awcrr 10

Analysis

max time kernel
62s
max time network
80s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
02-09-2024 01:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

yourmom.exe
Size

224KB
MD5

5c7fb0927db37372da25f270708103a2
SHA1

120ed9279d85cbfa56e5b7779ffa7162074f7a29
SHA256

be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844
SHA512

a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f89224c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206
SSDEEP

3072:Y059femWRwTs/dbelj0X8/j84pcRXPlU3Upt3or4H84lK8PtpLzLsR/EfcZ:+5RwTs/dSXj84mRXPemxdBlPvLzLeZ

Score

10^/10

wannacry defense_evasion discovery execution impact persistence ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\Documents\!Please Read Me!.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions! �

Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDCB93.tmp	yourmom.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDCBA7.tmp	yourmom.exe

Executes dropped EXE 4 IoCs

pid	Process
2760	!WannaDecryptor!.exe
2084	!WannaDecryptor!.exe
768	!WannaDecryptor!.exe
1064	!WannaDecryptor!.exe

Loads dropped DLL 9 IoCs

pid	Process
2164	cscript.exe
2152	yourmom.exe
2152	yourmom.exe
2152	yourmom.exe
2152	yourmom.exe
1752	cmd.exe
1752	cmd.exe
2152	yourmom.exe
2152	yourmom.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\yourmom.exe\" /r"	yourmom.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp"	!WannaDecryptor!.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Pictures\\My Wallpaper.jpg"	!WannaDecryptor!.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yourmom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
780	rundll32.exe
2968	AcroRd32.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
3000	vssadmin.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
1572	taskkill.exe
1084	taskkill.exe
1480	taskkill.exe
1136	taskkill.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\WCRY_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\WCRY_auto_file\shell	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\WCRY_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\WCRY_auto_file	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\.WCRY	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\WCRY_auto_file\	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\.WCRY\ = "WCRY_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000_CLASSES\WCRY_auto_file\shell\Read\command	rundll32.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2832	chrome.exe
2832	chrome.exe
2608	chrome.exe
2608	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1572	taskkill.exe
Token: SeDebugPrivilege	1480	taskkill.exe
Token: SeDebugPrivilege	1136	taskkill.exe
Token: SeDebugPrivilege	1084	taskkill.exe
Token: SeBackupPrivilege	2144	vssvc.exe
Token: SeRestorePrivilege	2144	vssvc.exe
Token: SeAuditPrivilege	2144	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1796	WMIC.exe
Token: SeSecurityPrivilege	1796	WMIC.exe
Token: SeTakeOwnershipPrivilege	1796	WMIC.exe
Token: SeLoadDriverPrivilege	1796	WMIC.exe
Token: SeSystemProfilePrivilege	1796	WMIC.exe
Token: SeSystemtimePrivilege	1796	WMIC.exe
Token: SeProfSingleProcessPrivilege	1796	WMIC.exe
Token: SeIncBasePriorityPrivilege	1796	WMIC.exe
Token: SeCreatePagefilePrivilege	1796	WMIC.exe
Token: SeBackupPrivilege	1796	WMIC.exe
Token: SeRestorePrivilege	1796	WMIC.exe
Token: SeShutdownPrivilege	1796	WMIC.exe
Token: SeDebugPrivilege	1796	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1796	WMIC.exe
Token: SeRemoteShutdownPrivilege	1796	WMIC.exe
Token: SeUndockPrivilege	1796	WMIC.exe
Token: SeManageVolumePrivilege	1796	WMIC.exe
Token: 33	1796	WMIC.exe
Token: 34	1796	WMIC.exe
Token: 35	1796	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1796	WMIC.exe
Token: SeSecurityPrivilege	1796	WMIC.exe
Token: SeTakeOwnershipPrivilege	1796	WMIC.exe
Token: SeLoadDriverPrivilege	1796	WMIC.exe
Token: SeSystemProfilePrivilege	1796	WMIC.exe
Token: SeSystemtimePrivilege	1796	WMIC.exe
Token: SeProfSingleProcessPrivilege	1796	WMIC.exe
Token: SeIncBasePriorityPrivilege	1796	WMIC.exe
Token: SeCreatePagefilePrivilege	1796	WMIC.exe
Token: SeBackupPrivilege	1796	WMIC.exe
Token: SeRestorePrivilege	1796	WMIC.exe
Token: SeShutdownPrivilege	1796	WMIC.exe
Token: SeDebugPrivilege	1796	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1796	WMIC.exe
Token: SeRemoteShutdownPrivilege	1796	WMIC.exe
Token: SeUndockPrivilege	1796	WMIC.exe
Token: SeManageVolumePrivilege	1796	WMIC.exe
Token: 33	1796	WMIC.exe
Token: 34	1796	WMIC.exe
Token: 35	1796	WMIC.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe
Token: SeShutdownPrivilege	2832	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1064	!WannaDecryptor!.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2608	chrome.exe
2608	chrome.exe
2608	chrome.exe
2608	chrome.exe
2608	chrome.exe
2608	chrome.exe
2608	chrome.exe
2608	chrome.exe
2608	chrome.exe
2608	chrome.exe
2608	chrome.exe
2608	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2832	chrome.exe
2608	chrome.exe
2608	chrome.exe
2608	chrome.exe
2608	chrome.exe
2608	chrome.exe
2608	chrome.exe
2608	chrome.exe
2608	chrome.exe
2608	chrome.exe
2608	chrome.exe
2608	chrome.exe
2608	chrome.exe
2608	chrome.exe
2608	chrome.exe
2608	chrome.exe
2608	chrome.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
2760	!WannaDecryptor!.exe
2760	!WannaDecryptor!.exe
2084	!WannaDecryptor!.exe
2084	!WannaDecryptor!.exe
768	!WannaDecryptor!.exe
768	!WannaDecryptor!.exe
1064	!WannaDecryptor!.exe
1064	!WannaDecryptor!.exe
2968	AcroRd32.exe
2968	AcroRd32.exe
2968	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2152 wrote to memory of 2392	2152	yourmom.exe	30
PID 2152 wrote to memory of 2392	2152	yourmom.exe	30
PID 2152 wrote to memory of 2392	2152	yourmom.exe	30
PID 2152 wrote to memory of 2392	2152	yourmom.exe	30
PID 2392 wrote to memory of 2164	2392	cmd.exe	32
PID 2392 wrote to memory of 2164	2392	cmd.exe	32
PID 2392 wrote to memory of 2164	2392	cmd.exe	32
PID 2392 wrote to memory of 2164	2392	cmd.exe	32
PID 2152 wrote to memory of 2760	2152	yourmom.exe	33
PID 2152 wrote to memory of 2760	2152	yourmom.exe	33
PID 2152 wrote to memory of 2760	2152	yourmom.exe	33
PID 2152 wrote to memory of 2760	2152	yourmom.exe	33
PID 2152 wrote to memory of 1572	2152	yourmom.exe	34
PID 2152 wrote to memory of 1572	2152	yourmom.exe	34
PID 2152 wrote to memory of 1572	2152	yourmom.exe	34
PID 2152 wrote to memory of 1572	2152	yourmom.exe	34
PID 2152 wrote to memory of 1480	2152	yourmom.exe	35
PID 2152 wrote to memory of 1480	2152	yourmom.exe	35
PID 2152 wrote to memory of 1480	2152	yourmom.exe	35
PID 2152 wrote to memory of 1480	2152	yourmom.exe	35
PID 2152 wrote to memory of 1084	2152	yourmom.exe	37
PID 2152 wrote to memory of 1084	2152	yourmom.exe	37
PID 2152 wrote to memory of 1084	2152	yourmom.exe	37
PID 2152 wrote to memory of 1084	2152	yourmom.exe	37
PID 2152 wrote to memory of 1136	2152	yourmom.exe	38
PID 2152 wrote to memory of 1136	2152	yourmom.exe	38
PID 2152 wrote to memory of 1136	2152	yourmom.exe	38
PID 2152 wrote to memory of 1136	2152	yourmom.exe	38
PID 2152 wrote to memory of 2084	2152	yourmom.exe	45
PID 2152 wrote to memory of 2084	2152	yourmom.exe	45
PID 2152 wrote to memory of 2084	2152	yourmom.exe	45
PID 2152 wrote to memory of 2084	2152	yourmom.exe	45
PID 2152 wrote to memory of 1752	2152	yourmom.exe	46
PID 2152 wrote to memory of 1752	2152	yourmom.exe	46
PID 2152 wrote to memory of 1752	2152	yourmom.exe	46
PID 2152 wrote to memory of 1752	2152	yourmom.exe	46
PID 1752 wrote to memory of 768	1752	cmd.exe	48
PID 1752 wrote to memory of 768	1752	cmd.exe	48
PID 1752 wrote to memory of 768	1752	cmd.exe	48
PID 1752 wrote to memory of 768	1752	cmd.exe	48
PID 2152 wrote to memory of 1064	2152	yourmom.exe	49
PID 2152 wrote to memory of 1064	2152	yourmom.exe	49
PID 2152 wrote to memory of 1064	2152	yourmom.exe	49
PID 2152 wrote to memory of 1064	2152	yourmom.exe	49
PID 768 wrote to memory of 304	768	!WannaDecryptor!.exe	50
PID 768 wrote to memory of 304	768	!WannaDecryptor!.exe	50
PID 768 wrote to memory of 304	768	!WannaDecryptor!.exe	50
PID 768 wrote to memory of 304	768	!WannaDecryptor!.exe	50
PID 304 wrote to memory of 3000	304	cmd.exe	52
PID 304 wrote to memory of 3000	304	cmd.exe	52
PID 304 wrote to memory of 3000	304	cmd.exe	52
PID 304 wrote to memory of 3000	304	cmd.exe	52
PID 304 wrote to memory of 1796	304	cmd.exe	54
PID 304 wrote to memory of 1796	304	cmd.exe	54
PID 304 wrote to memory of 1796	304	cmd.exe	54
PID 304 wrote to memory of 1796	304	cmd.exe	54
PID 780 wrote to memory of 2968	780	rundll32.exe	57
PID 780 wrote to memory of 2968	780	rundll32.exe	57
PID 780 wrote to memory of 2968	780	rundll32.exe	57
PID 780 wrote to memory of 2968	780	rundll32.exe	57
PID 2832 wrote to memory of 2940	2832	chrome.exe	60
PID 2832 wrote to memory of 2940	2832	chrome.exe	60
PID 2832 wrote to memory of 2940	2832	chrome.exe	60
PID 2832 wrote to memory of 1436	2832	chrome.exe	61

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\yourmom.exe
"C:\Users\Admin\AppData\Local\Temp\yourmom.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2152
- C:\Windows\SysWOW64\cmd.exe
  cmd /c 97201725241767.bat
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2392
- - C:\Windows\SysWOW64\cscript.exe
    cscript //nologo c.vbs
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2164
- C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
  !WannaDecryptor!.exe f
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2760
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im MSExchange*
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1572
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im Microsoft.Exchange.*
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1480
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im sqlserver.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1084
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im sqlwriter.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1136
- C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
  !WannaDecryptor!.exe c
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2084
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c start /b !WannaDecryptor!.exe v
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1752
- - C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
    !WannaDecryptor!.exe v
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:768
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:304
    - - C:\Windows\SysWOW64\vssadmin.exe
        
        vssadmin delete shadows /all /quiet
        5⤵
        System Location Discovery: System Language Discovery
        Interacts with shadow copies
        
        PID:3000
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1796
- C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  2⤵
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:1064
- C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  2⤵
  PID:328

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2144

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\PingExit.gif.WCRY
1⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:780
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\Desktop\PingExit.gif.WCRY"
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2968

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef5ff9758,0x7fef5ff9768,0x7fef5ff9778
  2⤵
  PID:2940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1172 --field-trial-handle=1240,i,10473247638916719016,15447860648665406015,131072 /prefetch:2
  2⤵
  PID:1436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1524 --field-trial-handle=1240,i,10473247638916719016,15447860648665406015,131072 /prefetch:8
  2⤵
  PID:844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1640 --field-trial-handle=1240,i,10473247638916719016,15447860648665406015,131072 /prefetch:8
  2⤵
  PID:2044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2300 --field-trial-handle=1240,i,10473247638916719016,15447860648665406015,131072 /prefetch:1
  2⤵
  PID:2440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2332 --field-trial-handle=1240,i,10473247638916719016,15447860648665406015,131072 /prefetch:1
  2⤵
  PID:704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1292 --field-trial-handle=1240,i,10473247638916719016,15447860648665406015,131072 /prefetch:2
  2⤵
  PID:1936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3204 --field-trial-handle=1240,i,10473247638916719016,15447860648665406015,131072 /prefetch:1
  2⤵
  PID:2788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=3980 --field-trial-handle=1240,i,10473247638916719016,15447860648665406015,131072 /prefetch:1
  2⤵
  PID:2880

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1804

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef5ff9758,0x7fef5ff9768,0x7fef5ff9778
  2⤵
  PID:892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1096 --field-trial-handle=1280,i,371951360388546802,12137280085968210425,131072 /prefetch:2
  2⤵
  PID:2968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1400 --field-trial-handle=1280,i,371951360388546802,12137280085968210425,131072 /prefetch:8
  2⤵
  PID:2904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1472 --field-trial-handle=1280,i,371951360388546802,12137280085968210425,131072 /prefetch:8
  2⤵
  PID:1644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2080 --field-trial-handle=1280,i,371951360388546802,12137280085968210425,131072 /prefetch:1
  2⤵
  PID:2888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2272 --field-trial-handle=1280,i,371951360388546802,12137280085968210425,131072 /prefetch:1
  2⤵
  PID:1312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1840 --field-trial-handle=1280,i,371951360388546802,12137280085968210425,131072 /prefetch:2
  2⤵
  PID:1560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3168 --field-trial-handle=1280,i,371951360388546802,12137280085968210425,131072 /prefetch:1
  2⤵
  PID:1952
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  PID:2000
- - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x154,0x158,0x15c,0x128,0x160,0x13fd47688,0x13fd47698,0x13fd476a8
    3⤵
    PID:948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4052 --field-trial-handle=1280,i,371951360388546802,12137280085968210425,131072 /prefetch:8
  2⤵
  PID:2596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4024 --field-trial-handle=1280,i,371951360388546802,12137280085968210425,131072 /prefetch:1
  2⤵
  PID:2640

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3052

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:3052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
afb41067687ecea644b43e2cc260fb66

SHA1
27e6a6607b864a0e0d91023dfbd58a811be6642f

SHA256
b2ddecb055ae02e1b4e3732a92153d3f6ad7965ee69ab9e3d71557aac026844d

SHA512
648ce3fcb7b07e030e507d962e823ca68b999a5aa972724441c00d410598fd61790037f1943a3f0f642fa01b6e8f37218d01d023a7b1a7e274a5c533bc1fee86

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\80d41f64-bfbf-47aa-bc0a-aba2580de7b5.tmp

Filesize
6KB

MD5
26bbc619153c89b4c50d5ee7f5e254c7

SHA1
720314dbe4f07d0c9b286bf50fda13958520a829

SHA256
9067863c8b6a12392f9e7598b5d158b949ff891b5205f2d4d796cbfd9ed787ca

SHA512
e23838d237db35ca8848a88592414f8dc14995a06e5f71316dd8633cefb1ce56846408b8dbec39afdb100a4fba08c8a1986241b9c4425330b40eeb2ce80fb031

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
211KB

MD5
e7226392c938e4e604d2175eb9f43ca1

SHA1
2098293f39aa0bcdd62e718f9212d9062fa283ab

SHA256
d46ec08b6c29c4ca56cecbf73149cc66ebd902197590fe28cd65dad52a08c4e1

SHA512
63a4b99101c790d40a813db9e0d5fde21a64ccaf60a6009ead027920dbbdb52cc262af829e5c4140f3702a559c7ac46efa89622d76d45b4b49a9ce01625ef145

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
fa4aac6e06a61d977e2e4eba5fc6dd4a

SHA1
2d350a7cc05b4b8ba8002fb409e6b57788c56e9c

SHA256
8d730f7945f8e19599ed288b101ae7fab5cbe4d569a7a22e7761c084c6174ec6

SHA512
d4eac199f32155cff49b2887f363fa98b0825b35db5c4000e32f13413ad8644d302e4b6c8c3537c75a20f2efe825c383b6fc2a8f37a908d8b3585bafb06fb78e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
b91ac1e56f6f15060d2bd889d22cfb22

SHA1
338f0ae8d1b7ba591e8ad0bdc301c148fbddff4a

SHA256
a4bcc3238ef75f2f93539c9d3cc51fb5a1200e39f6c447335fbcb5e626560835

SHA512
333bcbf7ce7701a0963dff076d5fe9cda41fecd58d921addeacbdcb3de1fa2aed4af3a610080a013264ceb2ccd64e5da33c558e1fc1cd1fa2673fc0d3ed39fb4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extension State\000009.dbtmp

Filesize
16B

MD5
979c29c2917bed63ccf520ece1d18cda

SHA1
65cd81cdce0be04c74222b54d0881d3fdfe4736c

SHA256
b3524365a633ee6d1fa9953638d2867946c515218c497a5ec2dbef7dc44a7c53

SHA512
e38f694fd6ab9f678ae156528230d7a8bfb7b59a13b227f59f9c38ab5617db11ebb6be1276323a905d09c4066a3fe820cf58077ab48bf201f3c467a98516ee7a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Favicons

Filesize
20KB

MD5
d2395374e6bddce4332224992828d3e8

SHA1
eecce244b5b3314c17bc85229b4c8d35088b472e

SHA256
772595367af144f34c367f4ab8ecde05226cd1206472c0b484e41b48bca14aae

SHA512
6bbb7635c8ce0e48c0571bc8b1be7785933f7da1d1a8014e86c65f0e5c12dc513af88de50f740e699079f21e9dfd2acd2f2d267df702b4de94644244c5dec4e0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\History

Filesize
148KB

MD5
0fd320fd56572a04ba4a71cbb90e61bf

SHA1
30f91f6a26de90093bbc71fcefe1a2c0aee9ed22

SHA256
dfffab7101281aecf695d2898ff2fe52eb0102fdfb05e1f30508b735fad775e9

SHA512
5f5e26cdf3757f2d1405b5d5e8f3d828fee57167b89e8d10682f12f355fbd138eaef9577c59789f39a1c6888e034890d94ad40c6198e7de0dd845c1d7d0c1490

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
361B

MD5
838e73039e383d803ebf439e35834e5f

SHA1
912673c3543c8cad2e303a3001c2c612ddcd18af

SHA256
a378f2226e0ee86d044a49a47a3ceb1b883128d1623a8f3744605dd2b392dde3

SHA512
d72f9db1ad844e34e69d4d9a312dd7319f63547c117c64d4b5d196ea6a0e491c9c75acf9a8f33e7561dc9ea43525a79a63615d352c593a4789617837aef2820f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
ae23dcbd79f62619881efcc673cd34ad

SHA1
cd25f5f52661d8a2e8f06365e9d3f378188a0b78

SHA256
ee9cf6dc5d4df816a1fccbc046aeea997f9984e0771f09b46de1d2dced0c4a3d

SHA512
25a958e88eb2120411e2aca39c58bd4ac03ece7264c50f7d317b2d8cf107450ddf6daf900bacf6fbbf1a4cd94b1f9e3e2f177f1d27082e96d48a9976b150f8bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
8397084d4959af3f3937599376af89d6

SHA1
6b709a7fcd31abb44a1ab7025a22e538a5cc111e

SHA256
96512ac278bd32803479c756546b1a36881e42741a0558edb461a3b157c776a9

SHA512
dc2490406fc4cceafecab05bc159e99f201ae2a7e1b12eb4f2ffb51986515a3d68d289d2d1e9305e44f5d1707b7d558aa1a78b9fdae1b7339d7c320b91f4d9c6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sessions\Tabs_13369715416958400

Filesize
3KB

MD5
b52565365bbf18128a30087fa7188b93

SHA1
74d0a8c6fd786042f3e207c3e574fb829c2a4906

SHA256
20532e5b6168cd5bf42d35740f127e753674bf5b1e6e2add15a2de7f7d95a7ad

SHA512
df3d0c49e7e8981d180f4fd76b689c93707cee788cfced6ebb7d378f3ca660669704b7c4106e690247736d3764ee1a9fcc87c49ec9b8d859e4a6ff7bd804ffaf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\CURRENT

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG

Filesize
136B

MD5
41a7e5c24e3500f2786e300edd35bb6c

SHA1
224fd071ec9a759edec4d497bbff661ce6e7b9c3

SHA256
8ea7a9c8cbeb695f6ee12131c004ed464e5218707cdb6d1b013c5b9b87e2fc24

SHA512
1179ea7d72d703e059f434977fb22b0d93ed0650d0308ee8dbd17e76b4deca3526647a90fd252807f3b1452cbae8768b6ec27faf7b1e2902da64d526033dcabd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\MANIFEST-000007

Filesize
107B

MD5
22b937965712bdbc90f3c4e5cd2a8950

SHA1
25a5df32156e12134996410c5f7d9e59b1d6c155

SHA256
cad3bbec41899ea5205612fc1494fa7ba88847fb75437a2def22211a4003e2eb

SHA512
931427ad4609ab4ca12b2ee852d4965680f58602b00c182a2d340acf3163d888be6cfad87ca089f2b47929ddfa66be03ab13a6d24922397334d6997d4c8ede3b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000008.ldb

Filesize
1KB

MD5
38cdf797e7528d6142f72e2994a28bb9

SHA1
22ce7898f1982cda0258a6d62a0af7f915407f28

SHA256
afb45450e5c136fcf15a928e5ef58104f88525bef3aa15d9eaaf8b3dd7d28901

SHA512
e1cfadb8f85f55f3efcb534d035e33a43c13db470c87b7f245e348fed01a193717dd6c1f27cd64187069b78bd179734286ef49e2ac27ec0b3cd35e1c70349371

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG

Filesize
250B

MD5
54e3695f3375c262159c3014e0b68eeb

SHA1
08e77f080d0922541bba9df72dc1915acc47e9bc

SHA256
44fe7f17bc2bb70dc17341e47f4f37f064bfaa89f3153cc367ab7a767e11e121

SHA512
2e4868c36769e1f0adad55bcb3796a3ca4ffce45a64a3dc84ffb377d036735fd4404e341307b24c70905eadcc21e3bb0e87866afa12c4a280a6f797b036734b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\MANIFEST-000007

Filesize
250B

MD5
6316ced427e0896eabba65c73a534940

SHA1
efd205e6f424ead848d34c60dbc1c78b6224328e

SHA256
0a54d5903ab8a4927d4ef07ffa5ad577cfd670da9e92da498fecbc70f6710f38

SHA512
381a08f735c4867750e5540841c10a911f3af98e42089fb50a69766ce9f6902e265e88dec1695bda15b7a709d3ccf311dc3c0252d7f5592fda0d5fda6875fa86

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Visited Links

Filesize
128KB

MD5
35409685545066c94bf9b70190e0e326

SHA1
82e2033ffb7284b93b7754b704dd84ae5ddbf10d

SHA256
ec7e0afbf98bc62fa7a7eca19e1a043ac1cc6f6c818a7aa8632f56f6f986e4cd

SHA512
7589e2c457dee8c9e16da6a0b2e08ee1bb76e18e1f350d0cea59ce9d46645ec861aa9f80b0c9c970f7551a9a71d5cf2a5d9438b29e58c43ce624fbe8828932ad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Data

Filesize
92KB

MD5
704994918ea4ea1c1fdf6e93d4edcd3c

SHA1
d92b6c013229181b13634a2b955924f07e105c59

SHA256
6ce9adb9d5774cc7a22840d43eac903d836eb6662904c896a9a0cc88c6d1269c

SHA512
91b432091553d432a724720e625656712ccf79f223cf88a892295d82231a92aa3c43a76c04133910bd5155a7cb3c475b3ff0ecb49399d5a48dee6b74acb317fe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\000009.log

Filesize
19B

MD5
a2f36fd75efcba856d1371d330ed4751

SHA1
fb7c3dff0fa2b47c6f0026287d12d16d05d14d8b

SHA256
561fe33b81dac187686e9e50103590f3a857f4e1b9c8ada714d43964b938ea7f

SHA512
79ca96560a074fa678cfdc06007d0e1e01718831d18c4a800c5361b8ba8091b46acada47418a8d7be3b626d2d9af5cf346abcdd88166a9d1634f81157ab1ad6a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\LOG

Filesize
249B

MD5
ba057c608caab9a11e3ccb8d47250bb8

SHA1
4bb7a03e7baeecef02b6a54d7921f077a94232b5

SHA256
6eee9859e086e69ff8750c717f3d461f7f4f34ef43143f168d256a26bd81e119

SHA512
93f35afe32b95ba2ca4d2faf0f33489ee33a9b11fb9e6139c12fc85d53052261bdfcd879079ae3deb21083a5d6f178c525a5e417bb2046488757af045a1515e5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\MANIFEST-000007

Filesize
98B

MD5
1c0c23649f958fa25b0407c289db12da

SHA1
5f6b10cd5a39fe8c30353bcf4cd4e4a60ef35574

SHA256
d5134b804a775cfb79c6166d15b5721d38ffc2da11948a6c1263595d6c2941cf

SHA512
b691e882018833a108bd286bc76c55a140d00d5a266617a3a381af1ceff01aefaef17acef29d14dec931d7051455726cde8974cd04cc07302f1c3cc452fe2f52

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\000009.log

Filesize
34B

MD5
12275f46db968e27e4edb23a4517904d

SHA1
1bd41f5f55dc8532c45c5ed91bd0823deabe3d3a

SHA256
0b9769e63620205002586d7dbefa19d6c3573ffa65bc86eb49113ec271feea4a

SHA512
084364c331be5c6b8c537a6c56b732ccdbb45f0d74a1e0ed89ac195e9ae43e15f15c953e3ed188990f0abb7e0e6456fa4b6b34562a02c180f7c061a7728c8b66

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\000010.dbtmp

Filesize
16B

MD5
60e3f691077715586b918375dd23c6b0

SHA1
476d3eab15649c40c6aebfb6ac2366db50283d1b

SHA256
e91d13722e31f9b06c5df3582cad1ea5b73547ce3dc08b12ed461f095aad48ee

SHA512
d1c146d27bbf19362d6571e2865bb472ce4fe43dc535305615d92d6a2366f98533747a8a70a578d1f00199f716a61ce39fac5cab9dd67e9c044bc49e7343130e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\LOG

Filesize
249B

MD5
9afe9ccbc7e64d6f28e09a98914ed2a2

SHA1
d1cb7b5c5f18f49dea8a56eb5be347af1890f85a

SHA256
ff1c4775c1cc4b5fc79eccc9ef3114a8a257a612c6b61a5be66d642a363e2272

SHA512
53c9398e438e1daa5f1f30c76d8ec0f38fbd9bbbca4c8868823da1f0ee4a5b91b490f2ba508862089953346f96a92a6dbbd2213683e0f6a8ca82609423892247

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata\MANIFEST-000007

Filesize
118B

MD5
e014e0466b6fa96f6a99973c5800706e

SHA1
bbe63576eac985c924fbc14bad9d4edecda33603

SHA256
1723ea79cecd3ff80f72afcd5f86e3472b34b41056611dd6b8235a8145e31dcf

SHA512
d208c2b301c3a9f6779ef5dd181350341a6636d1d75b98a96f710d3ef4e742e720b7493f075b66cad9b3ebea3414cdf0f886e8b28a61a2317513d287ea131379

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Version

Filesize
14B

MD5
9eae63c7a967fc314dd311d9f46a45b7

SHA1
caba9c2c93acfe0b9ceb9ab19b992b0fc19c71cf

SHA256
4288925b0cf871c7458c22c46936efb0e903802feb991a0e1803be94ca6c251d

SHA512
bed924bff236bf5b6ce1df1db82e86c935e5830a20d9d24697efd82ca331e30604db8d04b0d692ec8541ec6deb2225bcc7d805b79f2db5726642198ecf6348b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
320KB

MD5
e37ec9184869a873762a06aff2adcbc1

SHA1
5b8997ab572593a9b437ebd93d4e9de09b9a2978

SHA256
d0ec921242209b413de6ca3cafca0c5c4fff8201d5e4766f6669af30c29faf55

SHA512
629d4b4fe7e14c08e35118d11bb572237a2b5629d617769e7560dd89251bb5f6312831a85ac3a1c55264a56b6cca466ded5d63eb2e89429c1e27fd3ddca325ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
170KB

MD5
9bd4baaaf39fe55d22c71be6d3859c3a

SHA1
c477088fb7401ce6284eb5c8252bb7c634bbec45

SHA256
f5be53fe126fda7061b10d25a0875990e814268da8f686f94df2cb0393ee521b

SHA512
8d33adf087cb68ee123cfb0735ab78f341caba63c7448edbac74c81eb915e6d2d2dbe6cac71261c744691ea2be5f424a667cbf0dcecbfe34eaba308082d0d581

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
170KB

MD5
8ec5760df27f81b4605a99e204e2096c

SHA1
6b35a06bbe2ca6188f83874a9aaf7c0ffea7e41d

SHA256
c10450a03e9a431bcefd059c9b0c71eed672fa728a77613522125a2479cc83e0

SHA512
7dbc5e9f61c1f1990b964489a7575d36d2df5c9cfc672f3bd6765ce499e765cc3d9f385fb7a96373b610df82c1639d97ba0287bc98b404395fdf9bf4b40269f2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Variations

Filesize
86B

MD5
961e3604f228b0d10541ebf921500c86

SHA1
6e00570d9f78d9cfebe67d4da5efe546543949a7

SHA256
f7b24f2eb3d5eb0550527490395d2f61c3d2fe74bb9cb345197dad81b58b5fed

SHA512
535f930afd2ef50282715c7e48859cc2d7b354ff4e6c156b94d5a2815f589b33189ffedfcaf4456525283e993087f9f560d84cfcf497d189ab8101510a09c472

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\f53eafc1-6040-44e0-944b-db0ab7f42db3.tmp

Filesize
320KB

MD5
4ccc947c3bd3d5ab2bc700c967817f41

SHA1
1f1c476ed6f2dbecab0a66c413ce0da0a8f4a830

SHA256
f6097fa839f4195d560005479e84f40639b91b8a6a11f2e606a30f66433a887b

SHA512
be0c84a399a879e7b07a1e968546e50b3d859422f69859e331ef7906da031b87e280ca85955a64fa3e1f3c593e9fd5e51784b2634c0a89839ef8761f71f4bb04

Download Submit
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe

Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe.lnk

Filesize
925B

MD5
8a03c0be60be56c1955acd104e5306a1

SHA1
4b543d7824a23816683351d5319e59de048eed50

SHA256
e6316fa5001dcf8734a24150ac98552fab1b54cabbd7aa8b91702b8a6d42c84c

SHA512
7efa73732ed8ca61e2a0a86ff3de18325e2e45027d1a0e5d7c77fb4c6483bbe8a1e780daa1490b61fd3524ed85a572dc6ab63c502dbb50883053f07361bc6a80

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.res

Filesize
136B

MD5
fa9c305eeefc62bca59f331342772d57

SHA1
37c2f1c1f82c627446b61031b654a8cabaa97a26

SHA256
98b761ed5b08f4c71643b948ce91e32aa86276b960d3e256d6a2c042f9a972ab

SHA512
58907ca1c4cf1906ceaa2679ec344b3b9faaa7ff0aaf1a63a9a60670e7dda1aece1e93323fb08c56514f93c384f80ec5c0d24181db56a4925d70a4f51f68d096

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.res

Filesize
136B

MD5
8dc9dc6bd0ca417cf9cedd92604d0043

SHA1
6fa9da66f332a35d245c1f976a5cd0178e9d811f

SHA256
8a29b8718f8f079dd56a60161419bbe5f30af6f1a3ee5b1205bd6e66b904a951

SHA512
e946aef7f7bd05ac0e6d269ee752894af8b67eaffe61f25f5e85244ccd109fc60f6765a4e78c2c8f40751374647c699ddce0581481a28c33ca7effebc26da6bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.res

Filesize
136B

MD5
b8d600702a30a450c227d9de11e821af

SHA1
e368d49615c969bf022179ed1004c76758e1b265

SHA256
11ea7c8ada6b2380e4a4093eaa86f54c3efb616ecf320503aaa34b4f42fd6ec8

SHA512
e883bb814d281c68cc2e5f6123026d8304078c123038755dec5d31c4f7dda31c67a2331867c82da7cbe0cbe1679056aa08ac6a011028eeeaaa6dc93a16394037

Download Submit
C:\Users\Admin\AppData\Local\Temp\97201725241767.bat

Filesize
336B

MD5
3540e056349c6972905dc9706cd49418

SHA1
492c20442d34d45a6d6790c720349b11ec591cde

SHA256
73872a89440a2cba9d22bf4961c3d499ea2c72979c30c455f942374292fedadc

SHA512
c949d147100aef59e382c03abf7b162ae62a4d43456eebd730fbedcf5f95f5e1a24f6e349690d52d75331878a6ee8f6b88a7162ee9cf2a49e142196b12d0133c

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.vbs

Filesize
219B

MD5
5f6d40ca3c34b470113ed04d06a88ff4

SHA1
50629e7211ae43e32060686d6be17ebd492fd7aa

SHA256
0fb5039a2fe7e90cdf3f22140d7f2103f94689b15609efe0edcc8430dd772fc1

SHA512
4d4aa1abd2c9183202fd3f0a65b37f07ee0166ba6561f094c13c8ea59752c7bdd960e37c49583746d4464bc3b1dc0b63a1fe36a37ce7e5709cd76ed433befe35

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.wry

Filesize
628B

MD5
3135a139e6fd72f5a9cd10195953fce2

SHA1
10de6631123cfa49a0c8ba99acf6c9db2792617e

SHA256
271a5dbd1fc7696b5329ccfdce1cdc2bd06b6097ea32bd1e6d23a3bc8d98d0a5

SHA512
2abf8f283fca3cdc7fbdb8ceb2c08550d9ddc7adb4626e2078ebbf55015037f904c2dc25197d06d2b37ddc42a844cd3805835e685ccd68e4e05b417604ab9ddb

Download Submit
C:\Users\Admin\AppData\Local\Temp\m.wry

Filesize
42KB

MD5
980b08bac152aff3f9b0136b616affa5

SHA1
2a9c9601ea038f790cc29379c79407356a3d25a3

SHA256
402046ada270528c9ac38bbfa0152836fe30fb8e12192354e53b8397421430d9

SHA512
100cda1f795781042b012498afd783fd6ff03b0068dbd07b2c2e163cd95e6c6e00755ce16b02b017693c9febc149ed02df9df9b607e2b9cca4b07e5bd420f496

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
c848f6a5e9af2ca72bb7e4791b3064ce

SHA1
19477b16bf2cc9938be8444f0e8aa1c4be30c895

SHA256
a951dc883c02790e45b8342a6557d7d9421f2343f76a1f129e05efaa084bc1b4

SHA512
fa9498be8eac87c0a917648bf98f4e9f019563de1f04383bec4e56fd81896e0dcb8552d1535a3cb2a743e9e31b172b614c7113fea08511b0d2ed69a0ed116083

Download Submit
C:\Users\Admin\Desktop\PingExit.gif.WCRY

Filesize
338KB

MD5
4d8d048c6cb3e7976afa449cab77a08d

SHA1
d54ba2ec22d2986fe831606ba20ace8f12bc13d7

SHA256
b2beea85bee65b402007c301218e3a20fb4e35884d4d616138c8d1748dc38e1b

SHA512
a40d390e66ecded42759e927a9c4d8512a1cb91aafb0b26a8b345bf07e63c573c541e9212610a9dc80b897d232952d1460050a6e42c0f1688589e4816fed91b4

Download Submit
C:\Users\Admin\Documents\!Please Read Me!.txt

Filesize
797B

MD5
afa18cf4aa2660392111763fb93a8c3d

SHA1
c219a3654a5f41ce535a09f2a188a464c3f5baf5

SHA256
227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0

SHA512
4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b

Download Submit
memory/2152-7-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download
memory/3052-1216-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/3052-1212-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/3052-1211-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/3052-1327-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/3052-1329-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download