wannacry | 01ce2c3c8448bae948c37ceeb6e9631805055738b5b94b22dfa8a005ece895c4

Analysis

max time kernel
459s
max time network
616s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
24-09-2024 10:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

01ce2c3c8448bae948c37ceeb6e9631805055738b5b94b22dfa8a005ece895c4.exe
Size

224KB
MD5

75031983cb851f3475c460a40797fe62
SHA1

4ee0238f082123aeb7642ea2e427f57cf4ee954a
SHA256

01ce2c3c8448bae948c37ceeb6e9631805055738b5b94b22dfa8a005ece895c4
SHA512

635b72c7fb8d8b3818364a8a239941d4b4ec608f3d87ee966ce6abd599b847f2aee1e895d996391a1802a57afb41127fbc5e87020b5b280aca2066039e94ca36
SSDEEP

3072:Y059femWRwTs/dbelj0X8/j84pcRXPlU3Upt3or4H84lK8PtpLzLsR/Efc:+5RwTs/dSXj84mRXPemxdBlPvLzLe

Score

10^/10

wannacry defense_evasion discovery execution impact persistence ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\Documents\!Please Read Me!.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions! �

Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDBB5C.tmp	01ce2c3c8448bae948c37ceeb6e9631805055738b5b94b22dfa8a005ece895c4.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDBB6F.tmp	01ce2c3c8448bae948c37ceeb6e9631805055738b5b94b22dfa8a005ece895c4.exe

Executes dropped EXE 4 IoCs

pid	Process
2780	!WannaDecryptor!.exe
2576	!WannaDecryptor!.exe
2372	!WannaDecryptor!.exe
1180	!WannaDecryptor!.exe

Loads dropped DLL 9 IoCs

pid	Process
2772	cscript.exe
592	01ce2c3c8448bae948c37ceeb6e9631805055738b5b94b22dfa8a005ece895c4.exe
592	01ce2c3c8448bae948c37ceeb6e9631805055738b5b94b22dfa8a005ece895c4.exe
592	01ce2c3c8448bae948c37ceeb6e9631805055738b5b94b22dfa8a005ece895c4.exe
592	01ce2c3c8448bae948c37ceeb6e9631805055738b5b94b22dfa8a005ece895c4.exe
448	cmd.exe
448	cmd.exe
592	01ce2c3c8448bae948c37ceeb6e9631805055738b5b94b22dfa8a005ece895c4.exe
592	01ce2c3c8448bae948c37ceeb6e9631805055738b5b94b22dfa8a005ece895c4.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\01ce2c3c8448bae948c37ceeb6e9631805055738b5b94b22dfa8a005ece895c4.exe\" /r"	01ce2c3c8448bae948c37ceeb6e9631805055738b5b94b22dfa8a005ece895c4.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\taskschd.msc	mmc.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp"	!WannaDecryptor!.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Pictures\\My Wallpaper.jpg"	!WannaDecryptor!.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	01ce2c3c8448bae948c37ceeb6e9631805055738b5b94b22dfa8a005ece895c4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
2196	vssadmin.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
2972	taskkill.exe
2988	taskkill.exe
2200	taskkill.exe
2116	taskkill.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2804	chrome.exe
2804	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1180	!WannaDecryptor!.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2988	taskkill.exe
Token: SeDebugPrivilege	2200	taskkill.exe
Token: SeDebugPrivilege	2116	taskkill.exe
Token: SeDebugPrivilege	2972	taskkill.exe
Token: SeBackupPrivilege	2456	vssvc.exe
Token: SeRestorePrivilege	2456	vssvc.exe
Token: SeAuditPrivilege	2456	vssvc.exe
Token: SeIncreaseQuotaPrivilege	3064	WMIC.exe
Token: SeSecurityPrivilege	3064	WMIC.exe
Token: SeTakeOwnershipPrivilege	3064	WMIC.exe
Token: SeLoadDriverPrivilege	3064	WMIC.exe
Token: SeSystemProfilePrivilege	3064	WMIC.exe
Token: SeSystemtimePrivilege	3064	WMIC.exe
Token: SeProfSingleProcessPrivilege	3064	WMIC.exe
Token: SeIncBasePriorityPrivilege	3064	WMIC.exe
Token: SeCreatePagefilePrivilege	3064	WMIC.exe
Token: SeBackupPrivilege	3064	WMIC.exe
Token: SeRestorePrivilege	3064	WMIC.exe
Token: SeShutdownPrivilege	3064	WMIC.exe
Token: SeDebugPrivilege	3064	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3064	WMIC.exe
Token: SeRemoteShutdownPrivilege	3064	WMIC.exe
Token: SeUndockPrivilege	3064	WMIC.exe
Token: SeManageVolumePrivilege	3064	WMIC.exe
Token: 33	3064	WMIC.exe
Token: 34	3064	WMIC.exe
Token: 35	3064	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3064	WMIC.exe
Token: SeSecurityPrivilege	3064	WMIC.exe
Token: SeTakeOwnershipPrivilege	3064	WMIC.exe
Token: SeLoadDriverPrivilege	3064	WMIC.exe
Token: SeSystemProfilePrivilege	3064	WMIC.exe
Token: SeSystemtimePrivilege	3064	WMIC.exe
Token: SeProfSingleProcessPrivilege	3064	WMIC.exe
Token: SeIncBasePriorityPrivilege	3064	WMIC.exe
Token: SeCreatePagefilePrivilege	3064	WMIC.exe
Token: SeBackupPrivilege	3064	WMIC.exe
Token: SeRestorePrivilege	3064	WMIC.exe
Token: SeShutdownPrivilege	3064	WMIC.exe
Token: SeDebugPrivilege	3064	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3064	WMIC.exe
Token: SeRemoteShutdownPrivilege	3064	WMIC.exe
Token: SeUndockPrivilege	3064	WMIC.exe
Token: SeManageVolumePrivilege	3064	WMIC.exe
Token: 33	3064	WMIC.exe
Token: 34	3064	WMIC.exe
Token: 35	3064	WMIC.exe
Token: 33	2868	mmc.exe
Token: SeIncBasePriorityPrivilege	2868	mmc.exe
Token: 33	2868	mmc.exe
Token: SeIncBasePriorityPrivilege	2868	mmc.exe
Token: 33	2868	mmc.exe
Token: SeIncBasePriorityPrivilege	2868	mmc.exe
Token: 33	2868	mmc.exe
Token: SeIncBasePriorityPrivilege	2868	mmc.exe
Token: 33	2868	mmc.exe
Token: SeIncBasePriorityPrivilege	2868	mmc.exe
Token: 33	2868	mmc.exe
Token: SeIncBasePriorityPrivilege	2868	mmc.exe
Token: 33	2868	mmc.exe
Token: SeIncBasePriorityPrivilege	2868	mmc.exe
Token: 33	2868	mmc.exe
Token: SeIncBasePriorityPrivilege	2868	mmc.exe
Token: 33	2868	mmc.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
1180	!WannaDecryptor!.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe
2804	chrome.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2780	!WannaDecryptor!.exe
2780	!WannaDecryptor!.exe
2576	!WannaDecryptor!.exe
2576	!WannaDecryptor!.exe
2372	!WannaDecryptor!.exe
2372	!WannaDecryptor!.exe
1180	!WannaDecryptor!.exe
1180	!WannaDecryptor!.exe
2868	mmc.exe
2868	mmc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 592 wrote to memory of 2244	592	01ce2c3c8448bae948c37ceeb6e9631805055738b5b94b22dfa8a005ece895c4.exe	30
PID 592 wrote to memory of 2244	592	01ce2c3c8448bae948c37ceeb6e9631805055738b5b94b22dfa8a005ece895c4.exe	30
PID 592 wrote to memory of 2244	592	01ce2c3c8448bae948c37ceeb6e9631805055738b5b94b22dfa8a005ece895c4.exe	30
PID 592 wrote to memory of 2244	592	01ce2c3c8448bae948c37ceeb6e9631805055738b5b94b22dfa8a005ece895c4.exe	30
PID 2244 wrote to memory of 2772	2244	cmd.exe	32
PID 2244 wrote to memory of 2772	2244	cmd.exe	32
PID 2244 wrote to memory of 2772	2244	cmd.exe	32
PID 2244 wrote to memory of 2772	2244	cmd.exe	32
PID 592 wrote to memory of 2780	592	01ce2c3c8448bae948c37ceeb6e9631805055738b5b94b22dfa8a005ece895c4.exe	33
PID 592 wrote to memory of 2780	592	01ce2c3c8448bae948c37ceeb6e9631805055738b5b94b22dfa8a005ece895c4.exe	33
PID 592 wrote to memory of 2780	592	01ce2c3c8448bae948c37ceeb6e9631805055738b5b94b22dfa8a005ece895c4.exe	33
PID 592 wrote to memory of 2780	592	01ce2c3c8448bae948c37ceeb6e9631805055738b5b94b22dfa8a005ece895c4.exe	33
PID 592 wrote to memory of 2972	592	01ce2c3c8448bae948c37ceeb6e9631805055738b5b94b22dfa8a005ece895c4.exe	34
PID 592 wrote to memory of 2972	592	01ce2c3c8448bae948c37ceeb6e9631805055738b5b94b22dfa8a005ece895c4.exe	34
PID 592 wrote to memory of 2972	592	01ce2c3c8448bae948c37ceeb6e9631805055738b5b94b22dfa8a005ece895c4.exe	34
PID 592 wrote to memory of 2972	592	01ce2c3c8448bae948c37ceeb6e9631805055738b5b94b22dfa8a005ece895c4.exe	34
PID 592 wrote to memory of 2988	592	01ce2c3c8448bae948c37ceeb6e9631805055738b5b94b22dfa8a005ece895c4.exe	35
PID 592 wrote to memory of 2988	592	01ce2c3c8448bae948c37ceeb6e9631805055738b5b94b22dfa8a005ece895c4.exe	35
PID 592 wrote to memory of 2988	592	01ce2c3c8448bae948c37ceeb6e9631805055738b5b94b22dfa8a005ece895c4.exe	35
PID 592 wrote to memory of 2988	592	01ce2c3c8448bae948c37ceeb6e9631805055738b5b94b22dfa8a005ece895c4.exe	35
PID 592 wrote to memory of 2200	592	01ce2c3c8448bae948c37ceeb6e9631805055738b5b94b22dfa8a005ece895c4.exe	36
PID 592 wrote to memory of 2200	592	01ce2c3c8448bae948c37ceeb6e9631805055738b5b94b22dfa8a005ece895c4.exe	36
PID 592 wrote to memory of 2200	592	01ce2c3c8448bae948c37ceeb6e9631805055738b5b94b22dfa8a005ece895c4.exe	36
PID 592 wrote to memory of 2200	592	01ce2c3c8448bae948c37ceeb6e9631805055738b5b94b22dfa8a005ece895c4.exe	36
PID 592 wrote to memory of 2116	592	01ce2c3c8448bae948c37ceeb6e9631805055738b5b94b22dfa8a005ece895c4.exe	39
PID 592 wrote to memory of 2116	592	01ce2c3c8448bae948c37ceeb6e9631805055738b5b94b22dfa8a005ece895c4.exe	39
PID 592 wrote to memory of 2116	592	01ce2c3c8448bae948c37ceeb6e9631805055738b5b94b22dfa8a005ece895c4.exe	39
PID 592 wrote to memory of 2116	592	01ce2c3c8448bae948c37ceeb6e9631805055738b5b94b22dfa8a005ece895c4.exe	39
PID 592 wrote to memory of 2576	592	01ce2c3c8448bae948c37ceeb6e9631805055738b5b94b22dfa8a005ece895c4.exe	44
PID 592 wrote to memory of 2576	592	01ce2c3c8448bae948c37ceeb6e9631805055738b5b94b22dfa8a005ece895c4.exe	44
PID 592 wrote to memory of 2576	592	01ce2c3c8448bae948c37ceeb6e9631805055738b5b94b22dfa8a005ece895c4.exe	44
PID 592 wrote to memory of 2576	592	01ce2c3c8448bae948c37ceeb6e9631805055738b5b94b22dfa8a005ece895c4.exe	44
PID 592 wrote to memory of 448	592	01ce2c3c8448bae948c37ceeb6e9631805055738b5b94b22dfa8a005ece895c4.exe	45
PID 592 wrote to memory of 448	592	01ce2c3c8448bae948c37ceeb6e9631805055738b5b94b22dfa8a005ece895c4.exe	45
PID 592 wrote to memory of 448	592	01ce2c3c8448bae948c37ceeb6e9631805055738b5b94b22dfa8a005ece895c4.exe	45
PID 592 wrote to memory of 448	592	01ce2c3c8448bae948c37ceeb6e9631805055738b5b94b22dfa8a005ece895c4.exe	45
PID 448 wrote to memory of 2372	448	cmd.exe	47
PID 448 wrote to memory of 2372	448	cmd.exe	47
PID 448 wrote to memory of 2372	448	cmd.exe	47
PID 448 wrote to memory of 2372	448	cmd.exe	47
PID 592 wrote to memory of 1180	592	01ce2c3c8448bae948c37ceeb6e9631805055738b5b94b22dfa8a005ece895c4.exe	48
PID 592 wrote to memory of 1180	592	01ce2c3c8448bae948c37ceeb6e9631805055738b5b94b22dfa8a005ece895c4.exe	48
PID 592 wrote to memory of 1180	592	01ce2c3c8448bae948c37ceeb6e9631805055738b5b94b22dfa8a005ece895c4.exe	48
PID 592 wrote to memory of 1180	592	01ce2c3c8448bae948c37ceeb6e9631805055738b5b94b22dfa8a005ece895c4.exe	48
PID 2372 wrote to memory of 2100	2372	!WannaDecryptor!.exe	50
PID 2372 wrote to memory of 2100	2372	!WannaDecryptor!.exe	50
PID 2372 wrote to memory of 2100	2372	!WannaDecryptor!.exe	50
PID 2372 wrote to memory of 2100	2372	!WannaDecryptor!.exe	50
PID 2100 wrote to memory of 2196	2100	cmd.exe	52
PID 2100 wrote to memory of 2196	2100	cmd.exe	52
PID 2100 wrote to memory of 2196	2100	cmd.exe	52
PID 2100 wrote to memory of 2196	2100	cmd.exe	52
PID 2100 wrote to memory of 3064	2100	cmd.exe	54
PID 2100 wrote to memory of 3064	2100	cmd.exe	54
PID 2100 wrote to memory of 3064	2100	cmd.exe	54
PID 2100 wrote to memory of 3064	2100	cmd.exe	54
PID 2804 wrote to memory of 644	2804	chrome.exe	59
PID 2804 wrote to memory of 644	2804	chrome.exe	59
PID 2804 wrote to memory of 644	2804	chrome.exe	59
PID 2804 wrote to memory of 2688	2804	chrome.exe	61
PID 2804 wrote to memory of 2688	2804	chrome.exe	61
PID 2804 wrote to memory of 2688	2804	chrome.exe	61
PID 2804 wrote to memory of 2688	2804	chrome.exe	61
PID 2804 wrote to memory of 2688	2804	chrome.exe	61

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\01ce2c3c8448bae948c37ceeb6e9631805055738b5b94b22dfa8a005ece895c4.exe
"C:\Users\Admin\AppData\Local\Temp\01ce2c3c8448bae948c37ceeb6e9631805055738b5b94b22dfa8a005ece895c4.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:592
- C:\Windows\SysWOW64\cmd.exe
  cmd /c 284781727174758.bat
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2244
- - C:\Windows\SysWOW64\cscript.exe
    cscript //nologo c.vbs
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2772
- C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
  !WannaDecryptor!.exe f
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2780
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im MSExchange*
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2972
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im Microsoft.Exchange.*
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2988
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im sqlserver.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2200
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im sqlwriter.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2116
- C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
  !WannaDecryptor!.exe c
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2576
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c start /b !WannaDecryptor!.exe v
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:448
- - C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
    !WannaDecryptor!.exe v
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2372
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2100
    - - C:\Windows\SysWOW64\vssadmin.exe
        
        vssadmin delete shadows /all /quiet
        5⤵
        System Location Discovery: System Language Discovery
        Interacts with shadow copies
        
        PID:2196
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3064
- C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  2⤵
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:1180

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2456

C:\Windows\system32\mmc.exe
"C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc" /s
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2868

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" shell32.dll,Options_RunDLL 1
1⤵
PID:992

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6bf9758,0x7fef6bf9768,0x7fef6bf9778
  2⤵
  PID:644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1168 --field-trial-handle=1288,i,17217396138335069066,10709903486324403733,131072 /prefetch:2
  2⤵
  PID:2688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1448 --field-trial-handle=1288,i,17217396138335069066,10709903486324403733,131072 /prefetch:8
  2⤵
  PID:832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1616 --field-trial-handle=1288,i,17217396138335069066,10709903486324403733,131072 /prefetch:8
  2⤵
  PID:1420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2116 --field-trial-handle=1288,i,17217396138335069066,10709903486324403733,131072 /prefetch:1
  2⤵
  PID:2360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2356 --field-trial-handle=1288,i,17217396138335069066,10709903486324403733,131072 /prefetch:1
  2⤵
  PID:2328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1540 --field-trial-handle=1288,i,17217396138335069066,10709903486324403733,131072 /prefetch:2
  2⤵
  PID:796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2196 --field-trial-handle=1288,i,17217396138335069066,10709903486324403733,131072 /prefetch:1
  2⤵
  PID:1472
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  PID:2224
- - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x154,0x158,0x15c,0x128,0x160,0x140197688,0x140197698,0x1401976a8
    3⤵
    PID:676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3936 --field-trial-handle=1288,i,17217396138335069066,10709903486324403733,131072 /prefetch:8
  2⤵
  PID:2564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3876 --field-trial-handle=1288,i,17217396138335069066,10709903486324403733,131072 /prefetch:1
  2⤵
  PID:2148

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2924

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:2868
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  PID:2396
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2396.0.1622525916\180102924" -parentBuildID 20221007134813 -prefsHandle 1240 -prefMapHandle 1188 -prefsLen 18084 -prefMapSize 231738 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6becd2a3-84a8-45fc-95f9-50613fca3826} 2396 "\\.\pipe\gecko-crash-server-pipe.2396" 1296 fe03b58 socket
    3⤵
    PID:2876
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2396.1.331164691\20447932" -parentBuildID 20221007134813 -prefsHandle 1624 -prefMapHandle 1596 -prefsLen 19179 -prefMapSize 231738 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a3fb9215-6350-4bf6-974e-5b33d0171a47} 2396 "\\.\pipe\gecko-crash-server-pipe.2396" 1644 15014a58 gpu
    3⤵
    PID:2188
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2396.2.1254189892\163493877" -childID 1 -isForBrowser -prefsHandle 2476 -prefMapHandle 2472 -prefsLen 19854 -prefMapSize 231738 -jsInitHandle 856 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {65ad10a9-9175-489b-90df-484b6cc2b388} 2396 "\\.\pipe\gecko-crash-server-pipe.2396" 2488 1689dd58 tab
    3⤵
    PID:2740
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2396.3.648396215\1422772025" -childID 2 -isForBrowser -prefsHandle 2864 -prefMapHandle 2860 -prefsLen 20041 -prefMapSize 231738 -jsInitHandle 856 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2d7881b9-b179-4453-98b6-75936c951dce} 2396 "\\.\pipe\gecko-crash-server-pipe.2396" 2824 15d4a458 tab
    3⤵
    PID:2120
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2396.4.550390715\2072148433" -parentBuildID 20221007134813 -prefsHandle 2832 -prefMapHandle 1524 -prefsLen 20082 -prefMapSize 231738 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0418e16c-313c-40b5-b896-3e9b0644f74a} 2396 "\\.\pipe\gecko-crash-server-pipe.2396" 2844 e5be58 rdd
    3⤵
    PID:3068
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2396.5.1432160822\727834606" -childID 3 -isForBrowser -prefsHandle 3196 -prefMapHandle 3192 -prefsLen 26552 -prefMapSize 231738 -jsInitHandle 856 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4adcceb9-a121-4d37-ae17-1c58622158a9} 2396 "\\.\pipe\gecko-crash-server-pipe.2396" 3204 16885c58 tab
    3⤵
    PID:2708
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2396.6.591994020\110609256" -childID 4 -isForBrowser -prefsHandle 3380 -prefMapHandle 3324 -prefsLen 26650 -prefMapSize 231738 -jsInitHandle 856 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e75855a8-be8b-4a22-925b-9f78e28a90aa} 2396 "\\.\pipe\gecko-crash-server-pipe.2396" 3368 1d6d7c58 tab
    3⤵
    PID:1716
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2396.7.616945900\402272156" -childID 5 -isForBrowser -prefsHandle 2592 -prefMapHandle 2524 -prefsLen 27401 -prefMapSize 231738 -jsInitHandle 856 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {86fad9ae-752f-4dfd-a586-7892617848ea} 2396 "\\.\pipe\gecko-crash-server-pipe.2396" 2488 2079d058 tab
    3⤵
    PID:924
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2396.8.1146971269\340205885" -childID 6 -isForBrowser -prefsHandle 4100 -prefMapHandle 4104 -prefsLen 27401 -prefMapSize 231738 -jsInitHandle 856 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {54cadcd7-76a4-470a-807d-76b23efb50c7} 2396 "\\.\pipe\gecko-crash-server-pipe.2396" 4084 20d1de58 tab
    3⤵
    PID:2244
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2396.9.143275281\1471787379" -childID 7 -isForBrowser -prefsHandle 4256 -prefMapHandle 4260 -prefsLen 27401 -prefMapSize 231738 -jsInitHandle 856 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {58c09fef-358e-49e4-8e3f-b989c35a732f} 2396 "\\.\pipe\gecko-crash-server-pipe.2396" 4244 20d1a558 tab
    3⤵
    PID:948
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2396.10.991520764\1307394205" -childID 8 -isForBrowser -prefsHandle 3268 -prefMapHandle 3260 -prefsLen 27770 -prefMapSize 231738 -jsInitHandle 856 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {10ba01bf-3312-4c10-99b0-55872b362fda} 2396 "\\.\pipe\gecko-crash-server-pipe.2396" 3256 1b988c58 tab
    3⤵
    PID:2424
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2396.11.1075762370\612968759" -childID 9 -isForBrowser -prefsHandle 3776 -prefMapHandle 3732 -prefsLen 28100 -prefMapSize 231738 -jsInitHandle 856 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {91c1d33d-0b10-49c8-a37a-bf86e796a221} 2396 "\\.\pipe\gecko-crash-server-pipe.2396" 2696 2079ca58 tab
    3⤵
    PID:1684

C:\Windows\system32\control.exe
"C:\Windows\system32\control.exe" /name Microsoft.DefaultPrograms
1⤵
PID:1272

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\update-config.json

Filesize
102B

MD5
7d1d7e1db5d8d862de24415d9ec9aca4

SHA1
f4cdc5511c299005e775dc602e611b9c67a97c78

SHA256
ffad3b0fb11fc38ea243bf3f73e27a6034860709b39bf251ef3eca53d4c3afda

SHA512
1688c6725a3607c7b80dfcd6a8bea787f31c21e3368b31cb84635b727675f426b969899a378bd960bd3f27866023163b5460e7c681ae1fcb62f7829b03456477

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\953f5b16-6200-4ef3-9bd6-f864a67b0be7.tmp

Filesize
342KB

MD5
76dc2bd4a0a0b23a76bbd56f40ec0cc2

SHA1
6b6429dfe14f6bcb972cea656616dad4c59b11d8

SHA256
5f738dff803dc13e99f72947d8d7430c11a1b72828eb206f107ba05ff56ccbe7

SHA512
8f55db93331a759da13e3d0a279aa2b81ba71fd3dcf0a6195de0a6fdb7d54cdb305666257ea5f6f904c3466d7a16b5b723ca2798d489802f7b6bf510dfb3ccb8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
212KB

MD5
08ec57068db9971e917b9046f90d0e49

SHA1
28b80d73a861f88735d89e301fa98f2ae502e94b

SHA256
7a68efe41e5d8408eed6e9d91a7b7b965a3062e4e28eeffeefb8cdba6391f4d1

SHA512
b154142173145122bc49ddd7f9530149100f6f3c5fd2f2e7503b13f7b160147b8b876344f6faae5e8616208c51311633df4c578802ac5d34c005bb154e9057cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
e9a08c86bc556abb1a6d8d6445ff67c3

SHA1
8eb2bf1e27962d1d2a2ab4f49df223d05f586138

SHA256
93818748bb4c87e9b9607e3c30b64c6c5736de75e6128732415995a82c51f99e

SHA512
0ed4a2fdb40aea24d4a2205d06d5dd5a11485523820797532a453b664a5ec6aae9a11134a07722c74ad327e4bc499ee7ea168769173c6ef642f5f4570781b684

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
ffa32c03c4d00a68094426b2fd04f7ed

SHA1
1f93476e1515849cde7fef790fcfc7a6d6092266

SHA256
c643522d881b1215298d755fda036d8eafa34e26a6616c1ef804341b68039f26

SHA512
bdc6a1f767f2a978307aac8779dfef6a3c54fbd0daaeb3282a5ab65bc2bb5fa217afcfc2d09386751ef25d31101420dac08ddd8abd3b0b7f8427ac9143ddbd93

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
83c27337f78e64e7712805b6b3e3b3c8

SHA1
5b68e62cbbf5ceebd24bbb60b2460e5884b9f38d

SHA256
f04590ac39da1b87a98a175c5e6e6c3d2e4979a045ccd72f7025655072b131f2

SHA512
6506de4b6ea9184431e1f752a446946a52831e8ee44a6f335910cad36b13095bbce385724173e33dc121a6f02099f9b8dc90f531f80d5354d191dd4a10ce45f8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
8a1be344c6034dfbcd99247092dc58dc

SHA1
1f88e1114c1c3f846b56898c8965433668d02a3a

SHA256
619218934f27fe39ddd89548185530a6d9b362203cde98843708fe450f9bc602

SHA512
ecc137a8ddf3b53bd923e87f8c53ec128a5a443ecc93e97ded1725b3b5645ff112b9c130a90c225da2d7b947cdde9206cb1f31190fb88dbdd4d9b653b32b2927

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
2b291a2b3cd00194abdbf1a9530d7425

SHA1
394c9e32a5b430532a0cd436011880591992ec0a

SHA256
052fc953308ae02f1fe8d34b7b1386ffaab9864b53843732cf830bacfb53fe37

SHA512
57db74a451656da3c8a02240334fb7c56d849873717898912dc8b58d20bb8157e3814a549a6a04749e6588217a00cd6b8f707a93aaea3ae1832ad439ef6b4dfa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
363B

MD5
97c2239071efd838365822ff1e3779c5

SHA1
221ecf6dabc031e8f836a0c9e1b43ff4ff5e40cd

SHA256
b054ee8495c3fcff768f55b880f63883f968a5c9720b0ffad7deced730e7f03e

SHA512
8c4c064aa98e332d108985cb5b6e5e671b4b1d1849c195d33a42b1796b114ea300c5f1a6de1d04f9e794a8bc83a1705b7cfee066157fe5b7c67d6f8dbefb440d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
e13c4215ae7250dfb3cd06a90ff77d50

SHA1
a16fe28712ec746b8f1477308f6dcf2c57f656d3

SHA256
027d6664265903c559d3ef67d96f4d63aa07bebda7eefbfa6180d56970cffa14

SHA512
a7ce866a87d27428512e059d31c080b35b0f2fd7f979ed8f9d68f153c4469aecc1a57b4098c93b82f47f10e70b82b0e11e63422f2ac4869d4c48a1a0c513791c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
813e7133dcf083bc5a7689b180286336

SHA1
9480b0bfe789c3807594e758a965b151ee5a0f5c

SHA256
36cd2f0ad6ff72458b1206bb0153e76131973df4a26a166b4ff6a253a5f18269

SHA512
c4bdc6594dcd2da7a83d1364be81ad1daa3572e43a01da7a0c11de6afec668bcceac660c8d331243fd9067d3c23b64a9c491fe9063542ece949e1296e7772d1d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
995750e8ee5e527ab144d07a67b89351

SHA1
c873e2bb2660e0d6842a64022253e951d99f76c8

SHA256
98fff4ebf01dc4fe453109a8c27cd0cfe0a0816aa932522cfbaeb0e8dab2ad06

SHA512
6b4f21504ec12b7f811f7491b24998475919ec74cef1735ecbbfea22cd75111dd59633656208fdea927b5e4be745ff64b285f018a3252b63e59d4692b00d2b75

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
08f8286a43dfc16885e1139d43f52eef

SHA1
6083cae6a93604401ceb2627848da71559ec48de

SHA256
ab4e0acb2b906ab867885e5f7d40a62783a01a050d407ce4ca16ad78dc7a0738

SHA512
654b7a4150aedf510e6b3f290885dfe0d6c6b1ff0952628441ed49e7c062428a70cf421420d16fd903a95c01573aba944641c70d388874f5d1970187dd4b973d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
342KB

MD5
bca9fa7dde717807fc31d69f0a9fe6b7

SHA1
03f4d3b3bb88ae0e02524f9108415d12f2b3c212

SHA256
01a30d1e0f79340ef25ea849707be6b2f81e240aa331c543e8e4865d9b754279

SHA512
31f056c776ab89db0568386f23a5343d7678ad300f761b292a12cebbc8f1b8471ae65aa91ca3ab9c984ac17b31d7685923c1e95955990a4b7158dc390ec7fbfb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\activity-stream.discovery_stream.json.tmp

Filesize
35KB

MD5
742b0c91c3f93f3b82650a8e6c2ac7a7

SHA1
dae9e181e640ed3ab3e11d7a006d029fd6cdaca8

SHA256
0859071c4fe8d733c35273877a5742a924076a05aba788515ba18004c39b3473

SHA512
2edf4a56bb56d6b94b3531a16b3194db3a71062bc3080afa38734b478d40d736538a1e7e83a3dfb1345afd7b3e4f937668b905442021a7a2b8491ace6226812f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\cache2\entries\10A0222AFA26BA84074326BA5AAF691B1EB56EDC

Filesize
32KB

MD5
ea5f465d21ed6eaee71a4fe607287f9e

SHA1
465d343144d8ab4faccf9a556f6aabf5d78566fd

SHA256
be656637825123c109a2b11cbb43377ed6e131801bd76c2ee2e4b2f498402342

SHA512
13f5ebb0b20be94d6bd4d9665c36bb7f3d5c74e3d6c3834ff9c9cdb6b911e37ce374c270dc4b5f348bd819982fb3c213593613d2f436a717217c602e5edcc947

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\cache2\entries\B5828FB7F4A1E55AB23A7BD2583B87AC746240E0

Filesize
60KB

MD5
dfbaa1b1fb4f3eabff8319fb44a545ac

SHA1
7a7f7d104f5231caa295fe5f42b6dd83cc756c44

SHA256
5a84e195c85253c0d12d28cd5da25453e86fc138d833de25ce27db0d09e89e66

SHA512
32001d1944702108e556082ca4cb0e9263cfa18f53e3bf857eb28088ea7e253400062c4ec0d23c36eb19725bbd132749a5c8b160babe17774ec8e0c688767bb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe

Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe.lnk

Filesize
925B

MD5
a15247ab61448ce7badf389b5c511661

SHA1
ef08c2f82ea04a35a2d7085c13397416b6f11d4d

SHA256
b8a04cf475be2e6939341d88c06d671cd6d168b281296dba126b8a47b5517ff0

SHA512
f41d23fd0716580d585f33c29f0be9522be35a15b76e9f8aebba6aa46836cb74365bfc6fe9e7e2fc6b3ba753063617d5a8ae9bded8dac29d9b67092498890ec9

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.res

Filesize
136B

MD5
a7c37f136d5e3d82c969104a7dd0a527

SHA1
bb0de2036667e692848fa140ea7f3b12373068bf

SHA256
9be3ae161464cafd6b243684bf3b69823173396503c8c56398490d3ebda2afc9

SHA512
bf94eaf56c4f0f44c8b7ec48be8d0a88fe445d77a62df060a1ed9e98ebfcb0c75a8fb5905a22f23a5094b351d0c4b9797e506a6da9655d3331bb44a10dc3dbd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.res

Filesize
136B

MD5
e7a047af3a6181e9d6422fb658c47f4c

SHA1
f5ec0dded6f82319598974146870e274dd1b6b03

SHA256
3ef981405e93d89759ea9ecfcf64cc68e7f5584db2392f905d3bf54418076710

SHA512
7945c9dc9ea31f8011de3e484d6bb8dfb8a63f9392addf5af04c399415482057b51d930372c42b95af12957969d4c06dd1ce4c7e0d72702b9d77d3824fb612ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.res

Filesize
136B

MD5
c1a2912a923b6f132dd89141e57327a0

SHA1
c0e437166ffae9f12bf1f605fbb66014c15dd527

SHA256
10c6eb4b9b7810145dda7810f3b7541303985603bb890a7f22a9cc9372a054e7

SHA512
caad03c3da3a6a3f3f8e42f68b336fb94294db7d4f60978fbde0c18615b1d4dabbd04bc91b1f1b2524a2347adb7a1731a13149e49658d372726e94f681671a41

Download Submit
C:\Users\Admin\AppData\Local\Temp\284781727174758.bat

Filesize
336B

MD5
3540e056349c6972905dc9706cd49418

SHA1
492c20442d34d45a6d6790c720349b11ec591cde

SHA256
73872a89440a2cba9d22bf4961c3d499ea2c72979c30c455f942374292fedadc

SHA512
c949d147100aef59e382c03abf7b162ae62a4d43456eebd730fbedcf5f95f5e1a24f6e349690d52d75331878a6ee8f6b88a7162ee9cf2a49e142196b12d0133c

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.vbs

Filesize
219B

MD5
5f6d40ca3c34b470113ed04d06a88ff4

SHA1
50629e7211ae43e32060686d6be17ebd492fd7aa

SHA256
0fb5039a2fe7e90cdf3f22140d7f2103f94689b15609efe0edcc8430dd772fc1

SHA512
4d4aa1abd2c9183202fd3f0a65b37f07ee0166ba6561f094c13c8ea59752c7bdd960e37c49583746d4464bc3b1dc0b63a1fe36a37ce7e5709cd76ed433befe35

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.wry

Filesize
628B

MD5
373e28b1358b1acc7dc706dae1c54d6d

SHA1
01743683c8e1efdb970af8d0ffcf3700dc996cde

SHA256
3345f35fa9311cff8ea7f8186f376da76bfc1efdaa05f11eff84d41139eba791

SHA512
29e318930725a49c3059381eecfa66ac63852dbd449f9535105e0aa1790b0f8b500cd3e4bd11f7274eeb32958bf5d3f4b6f6fc9ca08328b69eac92f9beb75e5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\m.wry

Filesize
42KB

MD5
980b08bac152aff3f9b0136b616affa5

SHA1
2a9c9601ea038f790cc29379c79407356a3d25a3

SHA256
402046ada270528c9ac38bbfa0152836fe30fb8e12192354e53b8397421430d9

SHA512
100cda1f795781042b012498afd783fd6ff03b0068dbd07b2c2e163cd95e6c6e00755ce16b02b017693c9febc149ed02df9df9b607e2b9cca4b07e5bd420f496

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
1585b4bf5f7a4eb902894c63556e3fa8

SHA1
b0c50a3051b0122728281ec43f57bf844cba0b57

SHA256
c35c67ef9cc5d83805121b6df294917bfc5e1318eaba8c80979335ba1af8f4d9

SHA512
336e82a98f97b3cea115bebadc2fd0befca8b88f4a4dd26e75ca2fa2812ccf9a009b5a10a5b2c365b4fc01d336a49849baed0979302f2dcb5c37c0efde2d7c07

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\datareporting\glean\pending_pings\ae942d92-af69-40cf-81ac-5a2508018a0e

Filesize
11KB

MD5
530c287f384bf74eb73f63316197ce02

SHA1
ea074883fc7052ae087f54e06bbbd0f776096157

SHA256
91d7189040192c77798fb0910c42bd1f7894c0811fb5dc7b3598efb76960cbdf

SHA512
04a5f7f6e1e15b83e4c27d32d7c27c5e2ec12bf0c43b58aabed200f94a064c1585038feae006e365ed4f54bf7667956eddb0e12188c0029a5fdc3606a568ea9f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\datareporting\glean\pending_pings\e2398ae4-3946-4f81-af64-b70d80bb35d7

Filesize
745B

MD5
437a0ed967f47dd212012f2f0e39d5cc

SHA1
3c1d56f991fdf5a40cf482ded3b6d7dacd185788

SHA256
cd52696d10c0e351a69caa9bdcf7ae4fca8688ef92c0590740aa15be64a1097d

SHA512
6f529cc55e299a4bf687aaee350bd01072bd00fc335b7b3079895f9dc8620b7defe7432787d6c206619260c7f4659a9afd77ac3ec21557546dda33e0ba6426ce

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\key4.db

Filesize
288KB

MD5
ce5a30b59521ac4076d42c5ecc18cf17

SHA1
a41f556bc73dfadd799660fe0e06fa050f94668c

SHA256
170e47e34a5cb45eb3f51fd23659d3e8f0577f20d7bb0d67802959d74af647bb

SHA512
5962a4903510555cbe4e4fb9c08034f1ccf4508b12898137434ba5b78365d604e8d6f325df9b6384773873386fc62ce5f2bb898648e8326dcc049a6c756032ee

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\prefs-1.js

Filesize
5KB

MD5
64667984cacf60f9033909b1922c6af6

SHA1
d6e1e5b690856b05dabf7799816309af6d7ec27e

SHA256
1ec5fcc1589cc0a4139e751ba88148cd480d74642a12c9289663ea1ce152d0d6

SHA512
1e88b8e4a623b1c6b3ef54741f6c7184a57022cf64d4a22fff4622ff1fb5318496e6fae1016cb57cd156ceccdee9d3110cb58c1703ce8eb92a1caee6c5849387

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\prefs-1.js

Filesize
6KB

MD5
1c931f14047d8980fd76d1388a434b9e

SHA1
ec4a9f0da7047aa405ef4933b82276bdd3701852

SHA256
4d76c7f9347f45f0075f4c64f55723cab595c9f5cd0fb9f01fd8fc5c7ef1d8f4

SHA512
551e00a48c516e658795283cbf98f030adc883c69993dd99e38cb81729a4ecd88f7ad2721e9f2588209848ad950e65fde21514eddd78e336b8c458c46af0c685

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\prefs.js

Filesize
5KB

MD5
c4e56a2a49afc484d120916fb7b7efb9

SHA1
cb19b1893f5d32345f6c1c75939e9658fa488c0f

SHA256
659c275e7adebe75bd958796b7ebd6c2823e3e9f2db6c01c033d784fb7834266

SHA512
5b46f0bfed7fb27ae6da454670dbcd479035d36346f3816f3df246be38ff493d2f08b8e234476a6cf2d6c0904e3a2d794d2f320510ebb95b0882dda7035a4c16

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\prefs.js

Filesize
3KB

MD5
43906bcf039c4155b7fa1909aeb7369f

SHA1
135b35049fe3c7708ce706a291f36f22f880591e

SHA256
f25f7a8fb3fc49b4441930b72b15d571610e92925ef3722bd3dcdb3d150a7763

SHA512
f248b38ec349782790a71a3b8281903227089c51da5de0b8b3de0382871e3f8b443ac33cbbc4e4bf97798dd0711d8e37e53c0915ba1a0a9c758933f50220b6f6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
84454b06cf56267c98e2411ccee079f5

SHA1
6ecb18231256a8b46bf9ba4a8268e41ed3f77718

SHA256
fab68a6d328edd937a998e550a346ac084de530ebb070cb5151eb1f092022881

SHA512
bbcf26ef1e71e9d5e78f9c7094c1b5a6ad45dd28bd40edfa1b19709ee2dbf20cffde327053d529246672c1a6ddf4543efdad0f07ff4105cf9494425aec2edb2d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
39e6a7b04f65cb17f554a1eb970f9759

SHA1
067cf686d6fef9a96d2c0a3209a2e7e04d7c8564

SHA256
5071165c93afee14d3c816cdbbf3335f5d972c32968e544ad029adea72a10401

SHA512
206e982631413a438dab1b478e2f67dcec2c71a9c9b6f178e333e67d5124c72ffa9ef4de35ee60d4ac085e7afa77b47d5867efff89765bab4963bf2a597170fe

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
51c9ba9691b4b6a01049683792cb306d

SHA1
9a5cdc54e76f41f6457ffa63fb03be0551d12db3

SHA256
f8755445a908a9dd636fb467d6d1d3632f5786cf256d7ceaa55628e6d4a7c983

SHA512
83276433d6e12685ef7946b630950f482d3af66b88126a32502e0efdbe9ab0d7c80cff6c08066a1cce01bbe5d88eafa6b49b9daae00fa06e783f046b36bdd623

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.default-release\sessionstore.jsonlz4

Filesize
4KB

MD5
ccd89d42c3b04c30158467f74092cda9

SHA1
6dc4d7dfcb375aefa9c51cb1b1eecf021eebc688

SHA256
5eeb5b8bb68bb295b4ecd3b2a87106425ffe246502e8da80514387d107252f5b

SHA512
ef11f5d7019500d3d2292e0ae17e7636e4944ae22dfd66508f9d33ba7efb6adc6029f9f45ef409980af73dd3e0bb19e268513de8554d816ae308a4c30e7b5eb5

Download Submit
C:\Users\Admin\Documents\!Please Read Me!.txt

Filesize
797B

MD5
afa18cf4aa2660392111763fb93a8c3d

SHA1
c219a3654a5f41ce535a09f2a188a464c3f5baf5

SHA256
227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0

SHA512
4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b

Download Submit
memory/592-6-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download
memory/2868-842-0x000000001D790000-0x000000001DAD6000-memory.dmp

Filesize
3.3MB

Download
memory/2868-841-0x0000000002200000-0x000000000221E000-memory.dmp

Filesize
120KB

Download