wannacry | hxxps://cdn[.]discordapp[.]com/attachments/1264672332707004526/1288885303301640295/onibye-1[.]7[.]3b4[.]exe?ex=66f6cf7a&is=66f57dfa&hm=03d7e6ac7058e5ad118eeb3eead66a00836b846b779d88fb41a850c54d4e5631&

Resubmissions

26-09-2024 15:52

240926-tbjpwsycrg 10

Analysis

max time kernel
300s
max time network
305s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
26-09-2024 15:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1264672332707004526/1288885303301640295/onibye-1.7.3b4.exe?ex=66f6cf7a&is=66f57dfa&hm=03d7e6ac7058e5ad118eeb3eead66a00836b846b779d88fb41a850c54d4e5631&

Score

10^/10

wannacry defense_evasion discovery ransomware worm

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs

description	pid	Process	procid_target
PID 1372 created 556	1372	onibye-1.7.3b4.exe	5
PID 1168 created 556	1168	onibye-1.7.3b4.exe	5
PID 692 created 556	692	onibye-1.7.3b4.exe	5
PID 2932 created 556	2932	onibye-1.7.3b4.exe	5
PID 380 created 556	380	onibye-1.7.3b4.exe	5

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Downloads MZ/PE file

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDD7E1.tmp	[email protected]
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDD7F8.tmp	[email protected]

Executes dropped EXE 12 IoCs

pid	Process
1372	onibye-1.7.3b4.exe
1168	onibye-1.7.3b4.exe
2212	onibye-1.7.3b4.exe
692	onibye-1.7.3b4.exe
2932	onibye-1.7.3b4.exe
2560	onibye-1.7.3b4.exe
380	onibye-1.7.3b4.exe
5080	onibye-1.7.3b4.exe
3828	taskdl.exe
4204	@[email protected]
2808	@[email protected]
3264	taskhsvc.exe

Loads dropped DLL 7 IoCs

pid	Process
3264	taskhsvc.exe
3264	taskhsvc.exe
3264	taskhsvc.exe
3264	taskhsvc.exe
3264	taskhsvc.exe
3264	taskhsvc.exe
3264	taskhsvc.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2536	icacls.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	[email protected]

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	onibye-1.7.3b4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	onibye-1.7.3b4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	onibye-1.7.3b4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	onibye-1.7.3b4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	onibye-1.7.3b4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	onibye-1.7.3b4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	onibye-1.7.3b4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	onibye-1.7.3b4.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 7 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	onibye-1.7.3b4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	onibye-1.7.3b4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	onibye-1.7.3b4.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133718396066583069"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	onibye-1.7.3b4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	onibye-1.7.3b4.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
2860	chrome.exe
2860	chrome.exe
1372	onibye-1.7.3b4.exe
1168	onibye-1.7.3b4.exe
2212	onibye-1.7.3b4.exe
2212	onibye-1.7.3b4.exe
1168	onibye-1.7.3b4.exe
1168	onibye-1.7.3b4.exe
2564	chrome.exe
2564	chrome.exe
692	onibye-1.7.3b4.exe
2932	onibye-1.7.3b4.exe
2560	onibye-1.7.3b4.exe
2932	onibye-1.7.3b4.exe
2932	onibye-1.7.3b4.exe
380	onibye-1.7.3b4.exe
3264	taskhsvc.exe
3264	taskhsvc.exe
3264	taskhsvc.exe
3264	taskhsvc.exe
3264	taskhsvc.exe
3264	taskhsvc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

pid	Process
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeCreatePagefilePrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeCreatePagefilePrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeCreatePagefilePrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeCreatePagefilePrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeCreatePagefilePrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeCreatePagefilePrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeCreatePagefilePrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeCreatePagefilePrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeCreatePagefilePrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeCreatePagefilePrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeCreatePagefilePrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeCreatePagefilePrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeCreatePagefilePrivilege	2860	chrome.exe
Token: SeDebugPrivilege	1372	onibye-1.7.3b4.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeCreatePagefilePrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeCreatePagefilePrivilege	2860	chrome.exe
Token: SeDebugPrivilege	1168	onibye-1.7.3b4.exe
Token: SeDebugPrivilege	1168	onibye-1.7.3b4.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeCreatePagefilePrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeCreatePagefilePrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeCreatePagefilePrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeCreatePagefilePrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeCreatePagefilePrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeCreatePagefilePrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeCreatePagefilePrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeCreatePagefilePrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeCreatePagefilePrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeCreatePagefilePrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeCreatePagefilePrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeCreatePagefilePrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeCreatePagefilePrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeCreatePagefilePrivilege	2860	chrome.exe
Token: SeShutdownPrivilege	2860	chrome.exe
Token: SeCreatePagefilePrivilege	2860	chrome.exe
Token: SeDebugPrivilege	2212	onibye-1.7.3b4.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe
2860	chrome.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4204	@[email protected]
4204	@[email protected]
2808	@[email protected]
2808	@[email protected]

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2860 wrote to memory of 4288	2860	chrome.exe	72
PID 2860 wrote to memory of 4288	2860	chrome.exe	72
PID 2860 wrote to memory of 2656	2860	chrome.exe	74
PID 2860 wrote to memory of 2656	2860	chrome.exe	74
PID 2860 wrote to memory of 2656	2860	chrome.exe	74
PID 2860 wrote to memory of 2656	2860	chrome.exe	74
PID 2860 wrote to memory of 2656	2860	chrome.exe	74
PID 2860 wrote to memory of 2656	2860	chrome.exe	74
PID 2860 wrote to memory of 2656	2860	chrome.exe	74
PID 2860 wrote to memory of 2656	2860	chrome.exe	74
PID 2860 wrote to memory of 2656	2860	chrome.exe	74
PID 2860 wrote to memory of 2656	2860	chrome.exe	74
PID 2860 wrote to memory of 2656	2860	chrome.exe	74
PID 2860 wrote to memory of 2656	2860	chrome.exe	74
PID 2860 wrote to memory of 2656	2860	chrome.exe	74
PID 2860 wrote to memory of 2656	2860	chrome.exe	74
PID 2860 wrote to memory of 2656	2860	chrome.exe	74
PID 2860 wrote to memory of 2656	2860	chrome.exe	74
PID 2860 wrote to memory of 2656	2860	chrome.exe	74
PID 2860 wrote to memory of 2656	2860	chrome.exe	74
PID 2860 wrote to memory of 2656	2860	chrome.exe	74
PID 2860 wrote to memory of 2656	2860	chrome.exe	74
PID 2860 wrote to memory of 2656	2860	chrome.exe	74
PID 2860 wrote to memory of 2656	2860	chrome.exe	74
PID 2860 wrote to memory of 2656	2860	chrome.exe	74
PID 2860 wrote to memory of 2656	2860	chrome.exe	74
PID 2860 wrote to memory of 2656	2860	chrome.exe	74
PID 2860 wrote to memory of 2656	2860	chrome.exe	74
PID 2860 wrote to memory of 2656	2860	chrome.exe	74
PID 2860 wrote to memory of 2656	2860	chrome.exe	74
PID 2860 wrote to memory of 2656	2860	chrome.exe	74
PID 2860 wrote to memory of 2656	2860	chrome.exe	74
PID 2860 wrote to memory of 2656	2860	chrome.exe	74
PID 2860 wrote to memory of 2656	2860	chrome.exe	74
PID 2860 wrote to memory of 2656	2860	chrome.exe	74
PID 2860 wrote to memory of 2656	2860	chrome.exe	74
PID 2860 wrote to memory of 2656	2860	chrome.exe	74
PID 2860 wrote to memory of 2656	2860	chrome.exe	74
PID 2860 wrote to memory of 2656	2860	chrome.exe	74
PID 2860 wrote to memory of 2656	2860	chrome.exe	74
PID 2860 wrote to memory of 644	2860	chrome.exe	75
PID 2860 wrote to memory of 644	2860	chrome.exe	75
PID 2860 wrote to memory of 824	2860	chrome.exe	76
PID 2860 wrote to memory of 824	2860	chrome.exe	76
PID 2860 wrote to memory of 824	2860	chrome.exe	76
PID 2860 wrote to memory of 824	2860	chrome.exe	76
PID 2860 wrote to memory of 824	2860	chrome.exe	76
PID 2860 wrote to memory of 824	2860	chrome.exe	76
PID 2860 wrote to memory of 824	2860	chrome.exe	76
PID 2860 wrote to memory of 824	2860	chrome.exe	76
PID 2860 wrote to memory of 824	2860	chrome.exe	76
PID 2860 wrote to memory of 824	2860	chrome.exe	76
PID 2860 wrote to memory of 824	2860	chrome.exe	76
PID 2860 wrote to memory of 824	2860	chrome.exe	76
PID 2860 wrote to memory of 824	2860	chrome.exe	76
PID 2860 wrote to memory of 824	2860	chrome.exe	76
PID 2860 wrote to memory of 824	2860	chrome.exe	76
PID 2860 wrote to memory of 824	2860	chrome.exe	76
PID 2860 wrote to memory of 824	2860	chrome.exe	76
PID 2860 wrote to memory of 824	2860	chrome.exe	76
PID 2860 wrote to memory of 824	2860	chrome.exe	76
PID 2860 wrote to memory of 824	2860	chrome.exe	76
PID 2860 wrote to memory of 824	2860	chrome.exe	76
PID 2860 wrote to memory of 824	2860	chrome.exe	76

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2348	attrib.exe
2808	attrib.exe

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:556
- C:\Users\Admin\Downloads\onibye-1.7.3b4.exe
  "C:\Users\Admin\Downloads\onibye-1.7.3b4.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1168
- C:\Users\Admin\Downloads\onibye-1.7.3b4.exe
  "C:\Users\Admin\Downloads\onibye-1.7.3b4.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2212
- C:\Users\Admin\Downloads\onibye-1.7.3b4.exe
  "C:\Users\Admin\Downloads\onibye-1.7.3b4.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:2932
- C:\Users\Admin\Downloads\onibye-1.7.3b4.exe
  "C:\Users\Admin\Downloads\onibye-1.7.3b4.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:2560
- C:\Users\Admin\Downloads\onibye-1.7.3b4.exe
  "C:\Users\Admin\Downloads\onibye-1.7.3b4.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:5080

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://cdn.discordapp.com/attachments/1264672332707004526/1288885303301640295/onibye-1.7.3b4.exe?ex=66f6cf7a&is=66f57dfa&hm=03d7e6ac7058e5ad118eeb3eead66a00836b846b779d88fb41a850c54d4e5631&
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffeb3729758,0x7ffeb3729768,0x7ffeb3729778
  2⤵
  PID:4288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1512 --field-trial-handle=1816,i,2886322716348181913,2837675795123236870,131072 /prefetch:2
  2⤵
  PID:2656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2036 --field-trial-handle=1816,i,2886322716348181913,2837675795123236870,131072 /prefetch:8
  2⤵
  PID:644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2112 --field-trial-handle=1816,i,2886322716348181913,2837675795123236870,131072 /prefetch:8
  2⤵
  PID:824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3076 --field-trial-handle=1816,i,2886322716348181913,2837675795123236870,131072 /prefetch:1
  2⤵
  PID:1944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3088 --field-trial-handle=1816,i,2886322716348181913,2837675795123236870,131072 /prefetch:1
  2⤵
  PID:4648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4960 --field-trial-handle=1816,i,2886322716348181913,2837675795123236870,131072 /prefetch:8
  2⤵
  PID:4740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5160 --field-trial-handle=1816,i,2886322716348181913,2837675795123236870,131072 /prefetch:8
  2⤵
  PID:1580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4952 --field-trial-handle=1816,i,2886322716348181913,2837675795123236870,131072 /prefetch:8
  2⤵
  PID:3092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5288 --field-trial-handle=1816,i,2886322716348181913,2837675795123236870,131072 /prefetch:8
  2⤵
  PID:4672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5108 --field-trial-handle=1816,i,2886322716348181913,2837675795123236870,131072 /prefetch:8
  2⤵
  PID:364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5408 --field-trial-handle=1816,i,2886322716348181913,2837675795123236870,131072 /prefetch:8
  2⤵
  PID:3720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5144 --field-trial-handle=1816,i,2886322716348181913,2837675795123236870,131072 /prefetch:8
  2⤵
  PID:3532
- C:\Users\Admin\Downloads\onibye-1.7.3b4.exe
  "C:\Users\Admin\Downloads\onibye-1.7.3b4.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=2432 --field-trial-handle=1816,i,2886322716348181913,2837675795123236870,131072 /prefetch:1
  2⤵
  PID:3640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=5052 --field-trial-handle=1816,i,2886322716348181913,2837675795123236870,131072 /prefetch:1
  2⤵
  PID:3588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5704 --field-trial-handle=1816,i,2886322716348181913,2837675795123236870,131072 /prefetch:8
  2⤵
  PID:1952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5784 --field-trial-handle=1816,i,2886322716348181913,2837675795123236870,131072 /prefetch:8
  2⤵
  PID:380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=5388 --field-trial-handle=1816,i,2886322716348181913,2837675795123236870,131072 /prefetch:1
  2⤵
  PID:3576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=6140 --field-trial-handle=1816,i,2886322716348181913,2837675795123236870,131072 /prefetch:1
  2⤵
  PID:1600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=5292 --field-trial-handle=1816,i,2886322716348181913,2837675795123236870,131072 /prefetch:1
  2⤵
  PID:1892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=6132 --field-trial-handle=1816,i,2886322716348181913,2837675795123236870,131072 /prefetch:1
  2⤵
  PID:868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=4428 --field-trial-handle=1816,i,2886322716348181913,2837675795123236870,131072 /prefetch:1
  2⤵
  PID:2108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6072 --field-trial-handle=1816,i,2886322716348181913,2837675795123236870,131072 /prefetch:8
  2⤵
  PID:5112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5836 --field-trial-handle=1816,i,2886322716348181913,2837675795123236870,131072 /prefetch:8
  2⤵
  PID:1004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=1488 --field-trial-handle=1816,i,2886322716348181913,2837675795123236870,131072 /prefetch:1
  2⤵
  PID:4432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=5584 --field-trial-handle=1816,i,2886322716348181913,2837675795123236870,131072 /prefetch:1
  2⤵
  PID:4908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5664 --field-trial-handle=1816,i,2886322716348181913,2837675795123236870,131072 /prefetch:8
  2⤵
  PID:1272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6036 --field-trial-handle=1816,i,2886322716348181913,2837675795123236870,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5256 --field-trial-handle=1816,i,2886322716348181913,2837675795123236870,131072 /prefetch:8
  2⤵
  PID:588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --mojo-platform-channel-handle=1392 --field-trial-handle=1816,i,2886322716348181913,2837675795123236870,131072 /prefetch:1
  2⤵
  PID:2308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3184 --field-trial-handle=1816,i,2886322716348181913,2837675795123236870,131072 /prefetch:8
  2⤵
  PID:4620

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1804

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5088

C:\Users\Admin\Downloads\onibye-1.7.3b4.exe
"C:\Users\Admin\Downloads\onibye-1.7.3b4.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:692

C:\Users\Admin\Downloads\onibye-1.7.3b4.exe
"C:\Users\Admin\Downloads\onibye-1.7.3b4.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:380

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\[email protected]
"C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\[email protected]"
1⤵
- Drops startup file
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
PID:4268
- C:\Windows\SysWOW64\attrib.exe
  attrib +h .
  2⤵
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:2348
- C:\Windows\SysWOW64\icacls.exe
  icacls . /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  - System Location Discovery: System Language Discovery
  PID:2536
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3828
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 63391727366288.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1668
- - C:\Windows\SysWOW64\cscript.exe
    cscript.exe //nologo m.vbs
    3⤵
    - System Location Discovery: System Language Discovery
    PID:512
- C:\Windows\SysWOW64\attrib.exe
  attrib +h +s F:\$RECYCLE
  2⤵
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:2808
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  @[email protected] co
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4204
- - C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\TaskData\Tor\taskhsvc.exe
    TaskData\Tor\taskhsvc.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3264
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c start /b @[email protected] vs
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1804
- - C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
    @[email protected] vs
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\@[email protected]

Filesize
1KB

MD5
e02891620130e02fe84ef0a60215fe0f

SHA1
1ec49e10f83531dbf5f15ac2f9ed7e2964386296

SHA256
94cee6319ce2c1a081eec48a3702bbb8dddb722ef63fa0e79da88c4e060cd6a0

SHA512
68cb712fa05099598a2b3012e6ef4ce9d96ee48d57f0a59dbcc61a1fadbc14043a479e7ac35142250364854f9114b65fd1202eda35d0b9974c3d318772278ac0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000007

Filesize
72KB

MD5
bf168b8ee29e8a9290aa60752a429516

SHA1
ad7b51c81f8045fdee9943fa4c23e14e6d0ba110

SHA256
11da5080b2b7bb2780e0db5bfa8015d08abb07c9c0e79d9bc6b3cc016302b96c

SHA512
7fa69369757f27bb5c7fb668ac9317a9cd460b701823b88d7a71e3ce8265fb8ac55a12d0e6cbdfe5d6871917220593aa0953f6ea8697bd65e6afdfbbdd38e57a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000018

Filesize
414KB

MD5
c0ee005f7f84bc2c106201913c9db567

SHA1
b6a3885c7efe9dfc61c3e27aac60314e690ed22d

SHA256
b5aa77234c229bc2839cab9fc9a134e430299f22ffff130b085827a26f336add

SHA512
e72d15d10bb82e827b7472be1444c0cf6b9a88b6ed596a1a06afec250fe53fc4843486259b6fd6a1621acc8c35e7163ce6934d8cb82f302f5eab26cb93e90089

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001c

Filesize
23KB

MD5
9a0b4318f34932da9e319f4afb7daec1

SHA1
b5fbf81e4eb2322bf468f7338f5d8ab244583eac

SHA256
6ef30d05be27b2d226f774d63565c7e4ce89a74375a5bb7f1e08ef303fd2843b

SHA512
bc6b8bb27f7b638c3802f5c3c553ccb498b40e5bde22d63eac4b0805ce435e3aa8bce92202d234c51807e65c4df5d75698450d9db69faded7b2b41e75057b8c0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
e1b9c97a5799b745cb3bc708dfd85528

SHA1
930f2a186eede24aef4b58e3087aa4b439009d33

SHA256
b2a7aa86296beefd71b223d7b43a44dfc02183dc8598717b45206f269de65061

SHA512
3dd4fe4aa56939a5faa42e340ff038f3167505e6a54a6172df1a1372b934ead1324c2e86d2a9789a197acacecf5f0b1cb1ade3061791ddf9e1425ef49a24fe9d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
d4a055ec77dacc7ce4020419b29d4ec1

SHA1
2573ec7b761141382b01d86c2b3ea5d3808ea603

SHA256
53eecf0aff7809c5ea35775f7b98fbc00cecdad6bd2cee1982456fe2ed7807c9

SHA512
915c984437f422398b76d06584da9455211af9742ff28e16bcb0d1ef7941cabc65f28881a6cbaa5d511781d8aab8226465a989e41ea0adcfa38806b21fe8d76b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
325116cb53b534373a7048ad39a03d46

SHA1
a840e9084e3f0b3fd620432ea7668662a2687c2e

SHA256
4bde6174add9cb5a120857d7ef80ed99aa5eaddcb71c2bd363cfed33477e7e1a

SHA512
ae479ba7bd17f58295262c9fcd97861c7d62027707087d5259b09537dfd9e92cb20aa33b330e839a1f395466e941d7f33aef308f909967e22825b55b1f820115

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
fc8b53b93e1de1346c8aa947bae73f83

SHA1
d3b00270e9cc9f5de859a6a10110f4860d7b3b1e

SHA256
24bac5d910ee5a95efc9eddb336451a3b85238a7874f709c1781ca756eb35be2

SHA512
4a885c85c57d8a4dcdb4d264802257ce9e688c76b29c4febfa33c54ad53f4c53de6f4db9a67aefdf41d8dd79a572965db40cf03a2e8a753b9f7821935522d1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
3faa8ab44dfc6bb9db88ae2c48fa3d64

SHA1
cb6794549da4fb43c8dc61832841814b9a941771

SHA256
48487cd8206e43c4137b6ab9982e57fb841e1f4266277ca405058cb0e2bb35c3

SHA512
d09fcdbb3b066afd3266f5d8ee798e7e00ebbf2552c239d20cfb02c7a0716f25dfed8927fbdf6f59007d692499b4079194082d1264ade3f89b527c7ad87dc1ea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
24f2d4ae9d405ae53234ee00952ffa64

SHA1
46b910a829802f04c587db97194bd16301a9d98d

SHA256
3cb6359234a75f8d9b2aad7a04a192d6376109c93cf51ef50e678c29dc6085ea

SHA512
c2d6f99e78f7f62a3e557cec11b32c456bf3c84fe7ab76b2f2b1012a1b85d36e2c2bdda2e3bc4eb407a71a419e22f466815d8e190163f0f7fddc29b86f7755da

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
0bfe9430ad1df4edb048df4a4353e17c

SHA1
152daa074746ab592577b0ae67a8f92df4f44d9f

SHA256
4986f52e36a87bb18c7a6fd0c71e79e6aa104cb90349358ea068d57f34ccf3a3

SHA512
0aa060651c4f0f56727545a9f9b4dba6d623d56cf38e2965824e5767471532f9fce5ae5e3c3a1852f52b01ab916d9577e0ae0068988f54c4a199cfeec98d42c6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
b740b260aec7e48305be279d4034a878

SHA1
1e12196070c53db259a89cc31ff4bd75ea18fc28

SHA256
c4ed627be1044d8e3abae3e27155f0b3724a98ced18f9ae1c8f68e9c164a129a

SHA512
0839e872f021688ac34cb37b7e76d6bcfe8a55447c03b1a67921f0fc551d626d1fc9c2f8f7fae997b79309b34273e9f97ae08458444048dc465c92b1b95ecfed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
de961ab25073bcbe642f57dbfd43db0f

SHA1
d2073f0aa451c3b34c205a92267e7bf40164b33a

SHA256
118338b3a43e85fa02eb5cab2e14d6e34b3f8a26b3ab1741393e3b97a92b12d8

SHA512
71ff3fef2078790cd3da494b713fce0141f6681bdf330808c44b4783d3d76c281ee67a3cfb7ef7b1dbc4443e3da6833d279d72b793d072199245b590a46fc1d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
ff0743c9307e1f15f01b35f877938352

SHA1
69299bf865b92bb8df86729814ab6f4f9c9f24da

SHA256
038a26c4f7bda7c9157d31ff871288e87628945e1e25360ea0e98e330474309b

SHA512
2ca212577954a2511e75695675e8aec96bb164550b06f579b317486122f95dc9d75c6797422a98f62d0d6b6f745b170736f7157d0e09b94ce3ab1b81db0a2a2b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
feaf0709f27262063e77f88677bcf495

SHA1
e928f326a7e76d451b67b6ecccf9b111d024ce05

SHA256
b9d928a37c3f1c4020ac029dff2ca9c9227f1550132353fc89430fbc575f8528

SHA512
ff428f94660fbe72220e4671d40722ef2ecd2eb045678103143192704ffc970d220801e7609e63baa7feeed771478c7244d4eccf3dcc33fe97827677e2b98629

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
2b43059f94c25d7eb3b59bd6cd96d15e

SHA1
47e669c3205b6b699c189492b6c8420c100e9490

SHA256
d0a09da8b2b9ecdc22cfa93babd90135bea7f35c971141a9c1c09e412158f2ba

SHA512
0d72374ee35d36fdd2af53ddb1a354164a5a2a5ff07cce7910eefd1a6dfaf78ef49419fa9a62b7b82937dead3a18a68fd29c5a1333286256d6b8462645b26686

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
851f261fc09e33b9bee54ffbe7560d13

SHA1
57b3f367c32a134d7cf3a7e41924013bb266957e

SHA256
b96259cd538e015ebffe65003a4b80f691a923ff715f7802a466538ecd866c38

SHA512
d5bef26897fa8182943a9c369e263711a621fec98479bf66afcd9e353fbbf5d8b424314b7c9a35d3787e116923976b286afef717a5bea785f5022944009f98ca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
b0f2a93d83e5941efd4550515ed49c56

SHA1
90b5609021e5ae58ea19490b6cd9c71aea31e2ba

SHA256
e7e6c2b60fca9eb3cdcb03d9d553706c4f9a5e0113c8d605042ea3abd20e0c44

SHA512
7cde59abd2692a4aef7bf1cce517a2ce3afd9bf0b3f07361cdba365c124c084463b98e57423a5f67070b589d9a4d374c45e8dec71b0c5f1423a85c08dcd6212f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
e27f289ce518af9c32e5defc6b7b1e0f

SHA1
240792c6f67d3ef6476ac4a29bf8c7c569971158

SHA256
155d727135bbd42d0687e6419f4d42030e630ff0f36c381ffec1c6342796e0ef

SHA512
3e1b50f64445e3e1ee2428f1d34f149ee6ba8a8ec1859e7546b467b3b17f607cdc3caef18e22ea0e07cce9fb9e13facd3ffbe70d4900a9340d99ebb64d200758

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
007c93606c1f9a51b25382a0cdcf6226

SHA1
73abadc3ddbba14c87da6ae50eed293acbc80f28

SHA256
cf99f501d464dda23d4be3d1376f77e482038c76f5336d856167d1082994fc6d

SHA512
fcc4d55a1fa1428857c97302f8c13ff9e52debac593e4991cf02c2d8eed5591a3dfb0db706ad5efb90d881ddf73b23df3fa17ecd1df6a7ea521467eb2d01856d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
87acfef21a652589d392538e230b29a0

SHA1
8c2869fc8f475d3d6b671fc420e3712ca664e7a2

SHA256
f594278f7d107d3e58152d9a5c85fcbae99a37c354f176e73bb036a9036aa840

SHA512
ea15729b58ab52be6843385072f407c7007c16860efab34fd0346cdef4786db0267325a85df1e3de559c590a2a4795475d1fdb77576f315aeaccba471fe5b4d3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
de2cf744754ca106f98cb9f1946174f1

SHA1
4e0190c50eb0a4b02df36ce6b2b3f5fe5762b7f8

SHA256
4950ce895e3c8cc3008d2f6fbd1234fc4cc314b0e8c0d59431f9744d8bb76254

SHA512
3c6f69e3af362c8ac4f8d3c16ddab13aab33f30be7115dbb17157e0071d1d726408df82b3f727fe264d2141504e3699789886a316581ed3e711cb7ca6ca7da16

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
f19685b09b7febda53742ea6150e8de3

SHA1
e3b3f3eb8b388eb9ca1b3b1fd963c758ff98a703

SHA256
a5f21fd7039990d4a1bc1e7d0fac8e0b8fcd1aeb4e0bd60d816610f5ffd1203b

SHA512
33baab19aa64e09e153a8d65c3b7f84a1e0f9a8ecebe128d897c169731ac6a898540d4786330d0b66edbc995345fa8b66aaaea916cf81a55a4095f8a555ae917

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
b63cbd971455f07044334d3f13d4b221

SHA1
5395dc5ea3b447fb0c7ea8a5827ecb7ca80e216c

SHA256
cb170726b61d75d1cae834567507d5ba446e707f2cfd1d60d831c09976144721

SHA512
6f7aeef1b977a217bf43c769aec571e3817c4a7e15075b637e8aa669b8dcb17f5926fad63758c520b34680777be20387f57605c348b144511fee37f6f3e6a0b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
95b6dbdbfb0dffadde0b0a1f93c3c25f

SHA1
1a453e365210ad084e6d516768e5056b3f39aa67

SHA256
4551939cea6c8b469dbd19cc073f7c36dafe6a21ddf6d6ca911e6e3a1054d7b7

SHA512
9d64380bc3040840046668d510bdfbe92921b53bdf95a5e7ba8c6c0bf1ebf934301ab335be8c5914960c30d86b713d617490930c8af53033b8fa1605040a631f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
4715da8388100b8fc46cc0f0074f0cbc

SHA1
293be2d1644572bfae44cd9c90507f3e014bab79

SHA256
5dda36fa8c6048730bb02a331e646013cb0b558aaa43927448f9c188e954077a

SHA512
2eb23b1baf57f05175b4bd49ad64d975790a17c5f98d2de320cbfe6f6a7a91e436cc028da3897e27aaac9d06c906a4952c9d7c7a1c8c45a7e137d1254e13a527

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
e9ff7849572f02654ec0ed9b7f93eed3

SHA1
823284800656ed4ee8ee0d9498d2102b7427f08e

SHA256
0e57c2dc8433dc16a9aab675e8a4f6927d076b11e23bb6bb4153b45ca4e98817

SHA512
9a960c0ce38c537434ea3a079f017af33064dbd9cfa2a01251662488290b83d973f90f1a67185c9659d426ec5a79e5f97c2f0bb830280b5e362eb5001df94e65

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
112KB

MD5
f8b9fa7e10799b20386dfdbb0c762051

SHA1
48b1d9018692fb690b0bfab85f5a838c26fe85f7

SHA256
7e099504085e3161521ff295899f9178e471d108cc73e57c25a659a688679e1c

SHA512
d688a121cf28710da45e01146e03eeb0c69036933faa68721782c966cfa9ef0721717f517025e6fdbdd5dfda0a6d2e63f85d688154340ec369e8f6c565c450d1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
111KB

MD5
5b57fcfb33629065d054476080844d7e

SHA1
5cffaacf1bef03e46640fcf79893f48e4520db4f

SHA256
e6be738d132f1c0510f8d3446e9b856550d42d2eb4d942b6ae5dcca1cf629e2b

SHA512
7f06a22d0f48a628b582194707bff7a5f27dcdf797ec737daa68b528c25d69b2ae923b820ef0cfed13f8d858d4966a6185fb72661e671a411f6711fa112c811f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe591c19.TMP

Filesize
106KB

MD5
a10b7d895cf90746e8091302cb67faa3

SHA1
1c49acb5b3180d1207caecb04c3714f2317c4f5b

SHA256
f675ca195001240d8fa8fc35e7163da8d892ac69a68e88737bd8cb47a677c979

SHA512
48f64c34d4e9e170cca1de51db0a808a6d431d9ee8b6c66e3d8f94a44d43bd3d2d7dc472015ae9a6b9c7e5c0fc56294bd2cd6ee9d1a8cecf35313df17fedfe7d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\onibye-1.7.3b4.exe.log

Filesize
425B

MD5
605f809fab8c19729d39d075f7ffdb53

SHA1
c546f877c9bd53563174a90312a8337fdfc5fdd9

SHA256
6904d540649e76c55f99530b81be17e099184bb4cad415aa9b9b39cc3677f556

SHA512
82cc12c3186ae23884b8d5c104638c8206272c4389ade56b926dfc1d437b03888159b3c790b188b54d277a262e731927e703e680ea642e1417faee27443fd5b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]

Filesize
933B

MD5
f97d2e6f8d820dbd3b66f21137de4f09

SHA1
596799b75b5d60aa9cd45646f68e9c0bd06df252

SHA256
0e5ece918132a2b1a190906e74becb8e4ced36eec9f9d1c70f5da72ac4c6b92a

SHA512
efda21d83464a6a32fdeef93152ffd32a648130754fdd3635f7ff61cc1664f7fc050900f0f871b0ddd3a3846222bf62ab5df8eed42610a76be66fff5f7b4c4c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]

Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\TaskData\Tor\tor.exe

Filesize
3.0MB

MD5
fe7eb54691ad6e6af77f8a9a0b6de26d

SHA1
53912d33bec3375153b7e4e68b78d66dab62671a

SHA256
e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb

SHA512
8ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\b.wnry

Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\c.wnry

Filesize
780B

MD5
383a85eab6ecda319bfddd82416fc6c2

SHA1
2a9324e1d02c3e41582bf5370043d8afeb02ba6f

SHA256
079ce1041cbffe18ff62a2b4a33711eda40f680d0b1d3b551db47e39a6390b21

SHA512
c661e0b3c175d31b365362e52d7b152267a15d59517a4bcc493329be20b23d0e4eb62d1ba80bb96447eeaf91a6901f4b34bf173b4ab6f90d4111ea97c87c1252

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_bulgarian.wnry

Filesize
46KB

MD5
95673b0f968c0f55b32204361940d184

SHA1
81e427d15a1a826b93e91c3d2fa65221c8ca9cff

SHA256
40b37e7b80cf678d7dd302aaf41b88135ade6ddf44d89bdba19cf171564444bd

SHA512
7601f1883edbb4150a9dc17084012323b3bfa66f6d19d3d0355cf82b6a1c9dce475d758da18b6d17a8b321bf6fca20915224dbaedcb3f4d16abfaf7a5fc21b92

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_chinese (simplified).wnry

Filesize
53KB

MD5
0252d45ca21c8e43c9742285c48e91ad

SHA1
5c14551d2736eef3a1c1970cc492206e531703c1

SHA256
845d0e178aeebd6c7e2a2e9697b2bf6cf02028c50c288b3ba88fe2918ea2834a

SHA512
1bfcf6c0e7c977d777f12bd20ac347630999c4d99bd706b40de7ff8f2f52e02560d68093142cc93722095657807a1480ce3fb6a2e000c488550548c497998755

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_chinese (traditional).wnry

Filesize
77KB

MD5
2efc3690d67cd073a9406a25005f7cea

SHA1
52c07f98870eabace6ec370b7eb562751e8067e9

SHA256
5c7f6ad1ec4bc2c8e2c9c126633215daba7de731ac8b12be10ca157417c97f3a

SHA512
0766c58e64d9cda5328e00b86f8482316e944aa2c26523a3c37289e22c34be4b70937033bebdb217f675e40db9fecdce0a0d516f9065a170e28286c2d218487c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_croatian.wnry

Filesize
38KB

MD5
17194003fa70ce477326ce2f6deeb270

SHA1
e325988f68d327743926ea317abb9882f347fa73

SHA256
3f33734b2d34cce83936ce99c3494cd845f1d2c02d7f6da31d42dfc1ca15a171

SHA512
dcf4ccf0b352a8b271827b3b8e181f7d6502ca0f8c9dda3dc6e53441bb4ae6e77b49c9c947cc3ede0bf323f09140a0c068a907f3c23ea2a8495d1ad96820051c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_czech.wnry

Filesize
39KB

MD5
537efeecdfa94cc421e58fd82a58ba9e

SHA1
3609456e16bc16ba447979f3aa69221290ec17d0

SHA256
5afa4753afa048c6d6c39327ce674f27f5f6e5d3f2a060b7a8aed61725481150

SHA512
e007786ffa09ccd5a24e5c6504c8de444929a2faaafad3712367c05615b7e1b0fbf7fbfff7028ed3f832ce226957390d8bf54308870e9ed597948a838da1137b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_danish.wnry

Filesize
36KB

MD5
2c5a3b81d5c4715b7bea01033367fcb5

SHA1
b548b45da8463e17199daafd34c23591f94e82cd

SHA256
a75bb44284b9db8d702692f84909a7e23f21141866adf3db888042e9109a1cb6

SHA512
490c5a892fac801b853c348477b1140755d4c53ca05726ac19d3649af4285c93523393a3667e209c71c80ac06ffd809f62dd69ae65012dcb00445d032f1277b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_dutch.wnry

Filesize
36KB

MD5
7a8d499407c6a647c03c4471a67eaad7

SHA1
d573b6ac8e7e04a05cbbd6b7f6a9842f371d343b

SHA256
2c95bef914da6c50d7bdedec601e589fbb4fda24c4863a7260f4f72bd025799c

SHA512
608ef3ff0a517fe1e70ff41aeb277821565c5a9bee5103aa5e45c68d4763fce507c2a34d810f4cd242d163181f8341d9a69e93fe32aded6fbc7f544c55743f12

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_english.wnry

Filesize
36KB

MD5
fe68c2dc0d2419b38f44d83f2fcf232e

SHA1
6c6e49949957215aa2f3dfb72207d249adf36283

SHA256
26fd072fda6e12f8c2d3292086ef0390785efa2c556e2a88bd4673102af703e5

SHA512
941fa0a1f6a5756ed54260994db6158a7ebeb9e18b5c8ca2f6530c579bc4455918df0b38c609f501ca466b3cc067b40e4b861ad6513373b483b36338ae20a810

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_filipino.wnry

Filesize
36KB

MD5
08b9e69b57e4c9b966664f8e1c27ab09

SHA1
2da1025bbbfb3cd308070765fc0893a48e5a85fa

SHA256
d8489f8c16318e524b45de8b35d7e2c3cd8ed4821c136f12f5ef3c9fc3321324

SHA512
966b5ed68be6b5ccd46e0de1fa868cfe5432d9bf82e1e2f6eb99b2aef3c92f88d96f4f4eec5e16381b9c6db80a68071e7124ca1474d664bdd77e1817ec600cb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_finnish.wnry

Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_french.wnry

Filesize
37KB

MD5
4e57113a6bf6b88fdd32782a4a381274

SHA1
0fccbc91f0f94453d91670c6794f71348711061d

SHA256
9bd38110e6523547aed50617ddc77d0920d408faeed2b7a21ab163fda22177bc

SHA512
4f1918a12269c654d44e9d394bc209ef0bc32242be8833a2fba437b879125177e149f56f2fb0c302330dec328139b34982c04b3fefb045612b6cc9f83ec85aa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_german.wnry

Filesize
36KB

MD5
3d59bbb5553fe03a89f817819540f469

SHA1
26781d4b06ff704800b463d0f1fca3afd923a9fe

SHA256
2adc900fafa9938d85ce53cb793271f37af40cf499bcc454f44975db533f0b61

SHA512
95719ae80589f71209bb3cb953276538040e7111b994d757b0a24283aefe27aadbbe9eef3f1f823ce4cabc1090946d4a2a558607ac6cac6faca5971529b34dac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_greek.wnry

Filesize
47KB

MD5
fb4e8718fea95bb7479727fde80cb424

SHA1
1088c7653cba385fe994e9ae34a6595898f20aeb

SHA256
e13cc9b13aa5074dc45d50379eceb17ee39a0c2531ab617d93800fe236758ca9

SHA512
24db377af1569e4e2b2ebccec42564cea95a30f1ff43bcaf25a692f99567e027bcef4aacef008ec5f64ea2eef0c04be88d2b30bcadabb3919b5f45a6633940cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_indonesian.wnry

Filesize
36KB

MD5
3788f91c694dfc48e12417ce93356b0f

SHA1
eb3b87f7f654b604daf3484da9e02ca6c4ea98b7

SHA256
23e5e738aad10fb8ef89aa0285269aff728070080158fd3e7792fe9ed47c51f4

SHA512
b7dd9e6dc7c2d023ff958caf132f0544c76fae3b2d8e49753257676cc541735807b4befdf483bcae94c2dcde3c878c783b4a89dca0fecbc78f5bbf7c356f35cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_italian.wnry

Filesize
36KB

MD5
30a200f78498990095b36f574b6e8690

SHA1
c4b1b3c087bd12b063e98bca464cd05f3f7b7882

SHA256
49f2c739e7d9745c0834dc817a71bf6676ccc24a4c28dcddf8844093aab3df07

SHA512
c0da2aae82c397f6943a0a7b838f60eeef8f57192c5f498f2ecf05db824cfeb6d6ca830bf3715da7ee400aa8362bd64dc835298f3f0085ae7a744e6e6c690511

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_japanese.wnry

Filesize
79KB

MD5
b77e1221f7ecd0b5d696cb66cda1609e

SHA1
51eb7a254a33d05edf188ded653005dc82de8a46

SHA256
7e491e7b48d6e34f916624c1cda9f024e86fcbec56acda35e27fa99d530d017e

SHA512
f435fd67954787e6b87460db026759410fbd25b2f6ea758118749c113a50192446861a114358443a129be817020b50f21d27b1ebd3d22c7be62082e8b45223fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_korean.wnry

Filesize
89KB

MD5
6735cb43fe44832b061eeb3f5956b099

SHA1
d636daf64d524f81367ea92fdafa3726c909bee1

SHA256
552aa0f82f37c9601114974228d4fc54f7434fe3ae7a276ef1ae98a0f608f1d0

SHA512
60272801909dbba21578b22c49f6b0ba8cd0070f116476ff35b3ac8347b987790e4cc0334724244c4b13415a246e77a577230029e4561ae6f04a598c3f536c7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_latvian.wnry

Filesize
40KB

MD5
c33afb4ecc04ee1bcc6975bea49abe40

SHA1
fbea4f170507cde02b839527ef50b7ec74b4821f

SHA256
a0356696877f2d94d645ae2df6ce6b370bd5c0d6db3d36def44e714525de0536

SHA512
0d435f0836f61a5ff55b78c02fa47b191e5807a79d8a6e991f3115743df2141b3db42ba8bdad9ad259e12f5800828e9e72d7c94a6a5259312a447d669b03ec44

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_norwegian.wnry

Filesize
36KB

MD5
ff70cc7c00951084175d12128ce02399

SHA1
75ad3b1ad4fb14813882d88e952208c648f1fd18

SHA256
cb5da96b3dfcf4394713623dbf3831b2a0b8be63987f563e1c32edeb74cb6c3a

SHA512
f01df3256d49325e5ec49fd265aa3f176020c8ffec60eb1d828c75a3fa18ff8634e1de824d77dfdd833768acff1f547303104620c70066a2708654a07ef22e19

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_polish.wnry

Filesize
38KB

MD5
e79d7f2833a9c2e2553c7fe04a1b63f4

SHA1
3d9f56d2381b8fe16042aa7c4feb1b33f2baebff

SHA256
519ad66009a6c127400c6c09e079903223bd82ecc18ad71b8e5cd79f5f9c053e

SHA512
e0159c753491cac7606a7250f332e87bc6b14876bc7a1cf5625fa56ab4f09c485f7b231dd52e4ff0f5f3c29862afb1124c0efd0741613eb97a83cbe2668af5de

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_portuguese.wnry

Filesize
37KB

MD5
fa948f7d8dfb21ceddd6794f2d56b44f

SHA1
ca915fbe020caa88dd776d89632d7866f660fc7a

SHA256
bd9f4b3aedf4f81f37ec0a028aabcb0e9a900e6b4de04e9271c8db81432e2a66

SHA512
0d211bfb0ae953081dca00cd07f8c908c174fd6c47a8001fadc614203f0e55d9fbb7fa9b87c735d57101341ab36af443918ee00737ed4c19ace0a2b85497f41a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_romanian.wnry

Filesize
50KB

MD5
313e0ececd24f4fa1504118a11bc7986

SHA1
e1b9ae804c7fb1d27f39db18dc0647bb04e75e9d

SHA256
70c0f32ed379ae899e5ac975e20bbbacd295cf7cd50c36174d2602420c770ac1

SHA512
c7500363c61baf8b77fce796d750f8f5e6886ff0a10f81c3240ea3ad4e5f101b597490dea8ab6bd9193457d35d8fd579fce1b88a1c8d85ebe96c66d909630730

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_russian.wnry

Filesize
46KB

MD5
452615db2336d60af7e2057481e4cab5

SHA1
442e31f6556b3d7de6eb85fbac3d2957b7f5eac6

SHA256
02932052fafe97e6acaaf9f391738a3a826f5434b1a013abbfa7a6c1ade1e078

SHA512
7613dc329abe7a3f32164c9a6b660f209a84b774ab9c008bf6503c76255b30ea9a743a6dc49a8de8df0bcb9aea5a33f7408ba27848d9562583ff51991910911f

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 314156.crdownload

Filesize
499KB

MD5
f195d71283c98d129d4550aaf2835251

SHA1
fa1ef7fcae0588a2da0877d039856bb76ad18177

SHA256
3b1d11c706e0d33fd54f3957aec1292e14c6aa66ce13b5c27f4d1971dd41ad9d

SHA512
9dd7c3583f11b1bc0f06d947d567d4aeedf3bb3d5562998b50bfb6b95c7595844b3aa10894288e14b9bff7026221f48054acb9a436c7310f5889077afb7d95b1

Download Submit
memory/1168-58-0x0000000073DD0000-0x00000000744BE000-memory.dmp

Filesize
6.9MB

Download
memory/1168-77-0x00000000772C0000-0x0000000077337000-memory.dmp

Filesize
476KB

Download
memory/1168-78-0x0000000077450000-0x0000000077491000-memory.dmp

Filesize
260KB

Download
memory/1168-79-0x0000000073DD0000-0x00000000744BE000-memory.dmp

Filesize
6.9MB

Download
memory/1168-70-0x0000000073DD0000-0x00000000744BE000-memory.dmp

Filesize
6.9MB

Download
memory/1168-57-0x0000000073DD0000-0x00000000744BE000-memory.dmp

Filesize
6.9MB

Download
memory/1372-53-0x0000000000B40000-0x0000000000BC4000-memory.dmp

Filesize
528KB

Download
memory/1372-52-0x0000000073DDE000-0x0000000073DDF000-memory.dmp

Filesize
4KB

Download
memory/2932-581-0x0000000077450000-0x0000000077491000-memory.dmp

Filesize
260KB

Download
memory/2932-580-0x00000000772C0000-0x0000000077337000-memory.dmp

Filesize
476KB

Download
memory/3264-1930-0x000000006FC40000-0x000000006FCC2000-memory.dmp

Filesize
520KB

Download
memory/3264-1931-0x000000006FA00000-0x000000006FC1C000-memory.dmp

Filesize
2.1MB

Download
memory/3264-1934-0x0000000001080000-0x000000000137E000-memory.dmp

Filesize
3.0MB

Download
memory/3264-1933-0x000000006F9D0000-0x000000006F9F2000-memory.dmp

Filesize
136KB

Download
memory/3264-1932-0x000000006F8C0000-0x000000006F942000-memory.dmp

Filesize
520KB

Download
memory/4268-650-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download