wannacry | f9f37002a708c8f1c1fd97fa4c60f983eeaa64c455b0674a361a88864fd13637

Resubmissions

29-09-2024 07:37

240929-jf6p4sxfnd 3

28-09-2024 17:27

240928-v1m92szfnb 10

Analysis

max time kernel
255s
max time network
252s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
28-09-2024 17:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

iloveu.bat
Size

407B
MD5

a9939aeb66d847e99abd1e90fa338fb5
SHA1

f96a93e367aad3cbc0ce6477c8dcef3a8bf6b33d
SHA256

f9f37002a708c8f1c1fd97fa4c60f983eeaa64c455b0674a361a88864fd13637
SHA512

6c06bc121f73af3dafa708da63fb1a6d59b32df472a5b42ccf999d07790083f3e7765c1b00d9966f318cd52cf2d3074fdcff98353102bded2593e68c4de5c310

Score

10^/10

wannacry defense_evasion discovery execution impact persistence ransomware worm

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD66C3.tmp	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD66DA.tmp	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

Executes dropped EXE 11 IoCs

pid	Process
4880	taskdl.exe
4768	@[email protected]
4136	@[email protected]
1260	taskhsvc.exe
3180	@[email protected]
3156	taskdl.exe
4684	@[email protected]
3256	taskse.exe
2756	taskdl.exe
4804	taskse.exe
1768	@[email protected]

Loads dropped DLL 7 IoCs

pid	Process
1260	taskhsvc.exe
1260	taskhsvc.exe
1260	taskhsvc.exe
1260	taskhsvc.exe
1260	taskhsvc.exe
1260	taskhsvc.exe
1260	taskhsvc.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
620	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\xinooffmkqlv074 = "\"C:\\Users\\Admin\\Desktop\\tasksche.exe\""	reg.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
74	raw.githubusercontent.com
2	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4920	4136	WerFault.exe	123
964	4136	WerFault.exe	123

System Location Discovery: System Language Discovery 1 TTPs 22 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4300	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133720181796431462"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings	chrome.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
3016	reg.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Ransomware.WannaCry.zip:Zone.Identifier	chrome.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
3612	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1716	chrome.exe
1716	chrome.exe
1260	taskhsvc.exe
1260	taskhsvc.exe
1260	taskhsvc.exe
1260	taskhsvc.exe
1260	taskhsvc.exe
1260	taskhsvc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3180	@[email protected]

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1716	chrome.exe
Token: SeCreatePagefilePrivilege	1716	chrome.exe
Token: SeShutdownPrivilege	1716	chrome.exe
Token: SeCreatePagefilePrivilege	1716	chrome.exe
Token: SeShutdownPrivilege	1716	chrome.exe
Token: SeCreatePagefilePrivilege	1716	chrome.exe
Token: SeShutdownPrivilege	1716	chrome.exe
Token: SeCreatePagefilePrivilege	1716	chrome.exe
Token: SeShutdownPrivilege	1716	chrome.exe
Token: SeCreatePagefilePrivilege	1716	chrome.exe
Token: SeShutdownPrivilege	1716	chrome.exe
Token: SeCreatePagefilePrivilege	1716	chrome.exe
Token: SeShutdownPrivilege	1716	chrome.exe
Token: SeCreatePagefilePrivilege	1716	chrome.exe
Token: SeShutdownPrivilege	1716	chrome.exe
Token: SeCreatePagefilePrivilege	1716	chrome.exe
Token: SeShutdownPrivilege	1716	chrome.exe
Token: SeCreatePagefilePrivilege	1716	chrome.exe
Token: SeShutdownPrivilege	1716	chrome.exe
Token: SeCreatePagefilePrivilege	1716	chrome.exe
Token: SeShutdownPrivilege	1716	chrome.exe
Token: SeCreatePagefilePrivilege	1716	chrome.exe
Token: SeShutdownPrivilege	1716	chrome.exe
Token: SeCreatePagefilePrivilege	1716	chrome.exe
Token: SeShutdownPrivilege	1716	chrome.exe
Token: SeCreatePagefilePrivilege	1716	chrome.exe
Token: SeShutdownPrivilege	1716	chrome.exe
Token: SeCreatePagefilePrivilege	1716	chrome.exe
Token: SeShutdownPrivilege	1716	chrome.exe
Token: SeCreatePagefilePrivilege	1716	chrome.exe
Token: SeShutdownPrivilege	1716	chrome.exe
Token: SeCreatePagefilePrivilege	1716	chrome.exe
Token: SeShutdownPrivilege	1716	chrome.exe
Token: SeCreatePagefilePrivilege	1716	chrome.exe
Token: SeShutdownPrivilege	1716	chrome.exe
Token: SeCreatePagefilePrivilege	1716	chrome.exe
Token: SeShutdownPrivilege	1716	chrome.exe
Token: SeCreatePagefilePrivilege	1716	chrome.exe
Token: SeShutdownPrivilege	1716	chrome.exe
Token: SeCreatePagefilePrivilege	1716	chrome.exe
Token: SeShutdownPrivilege	1716	chrome.exe
Token: SeCreatePagefilePrivilege	1716	chrome.exe
Token: SeShutdownPrivilege	1716	chrome.exe
Token: SeCreatePagefilePrivilege	1716	chrome.exe
Token: SeShutdownPrivilege	1716	chrome.exe
Token: SeCreatePagefilePrivilege	1716	chrome.exe
Token: SeShutdownPrivilege	1716	chrome.exe
Token: SeCreatePagefilePrivilege	1716	chrome.exe
Token: SeShutdownPrivilege	1716	chrome.exe
Token: SeCreatePagefilePrivilege	1716	chrome.exe
Token: SeShutdownPrivilege	1716	chrome.exe
Token: SeCreatePagefilePrivilege	1716	chrome.exe
Token: SeShutdownPrivilege	1716	chrome.exe
Token: SeCreatePagefilePrivilege	1716	chrome.exe
Token: SeShutdownPrivilege	1716	chrome.exe
Token: SeCreatePagefilePrivilege	1716	chrome.exe
Token: SeShutdownPrivilege	1716	chrome.exe
Token: SeCreatePagefilePrivilege	1716	chrome.exe
Token: SeShutdownPrivilege	1716	chrome.exe
Token: SeCreatePagefilePrivilege	1716	chrome.exe
Token: SeShutdownPrivilege	1716	chrome.exe
Token: SeCreatePagefilePrivilege	1716	chrome.exe
Token: SeShutdownPrivilege	1716	chrome.exe
Token: SeCreatePagefilePrivilege	1716	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe
1716	chrome.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
4768	@[email protected]
4768	@[email protected]
4136	@[email protected]
4136	@[email protected]
3180	@[email protected]
3180	@[email protected]
4684	@[email protected]
1768	@[email protected]

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 832 wrote to memory of 4300	832	cmd.exe	80
PID 832 wrote to memory of 4300	832	cmd.exe	80
PID 1716 wrote to memory of 4148	1716	chrome.exe	89
PID 1716 wrote to memory of 4148	1716	chrome.exe	89
PID 1716 wrote to memory of 3000	1716	chrome.exe	90
PID 1716 wrote to memory of 3000	1716	chrome.exe	90
PID 1716 wrote to memory of 3000	1716	chrome.exe	90
PID 1716 wrote to memory of 3000	1716	chrome.exe	90
PID 1716 wrote to memory of 3000	1716	chrome.exe	90
PID 1716 wrote to memory of 3000	1716	chrome.exe	90
PID 1716 wrote to memory of 3000	1716	chrome.exe	90
PID 1716 wrote to memory of 3000	1716	chrome.exe	90
PID 1716 wrote to memory of 3000	1716	chrome.exe	90
PID 1716 wrote to memory of 3000	1716	chrome.exe	90
PID 1716 wrote to memory of 3000	1716	chrome.exe	90
PID 1716 wrote to memory of 3000	1716	chrome.exe	90
PID 1716 wrote to memory of 3000	1716	chrome.exe	90
PID 1716 wrote to memory of 3000	1716	chrome.exe	90
PID 1716 wrote to memory of 3000	1716	chrome.exe	90
PID 1716 wrote to memory of 3000	1716	chrome.exe	90
PID 1716 wrote to memory of 3000	1716	chrome.exe	90
PID 1716 wrote to memory of 3000	1716	chrome.exe	90
PID 1716 wrote to memory of 3000	1716	chrome.exe	90
PID 1716 wrote to memory of 3000	1716	chrome.exe	90
PID 1716 wrote to memory of 3000	1716	chrome.exe	90
PID 1716 wrote to memory of 3000	1716	chrome.exe	90
PID 1716 wrote to memory of 3000	1716	chrome.exe	90
PID 1716 wrote to memory of 3000	1716	chrome.exe	90
PID 1716 wrote to memory of 3000	1716	chrome.exe	90
PID 1716 wrote to memory of 3000	1716	chrome.exe	90
PID 1716 wrote to memory of 3000	1716	chrome.exe	90
PID 1716 wrote to memory of 3000	1716	chrome.exe	90
PID 1716 wrote to memory of 3000	1716	chrome.exe	90
PID 1716 wrote to memory of 3000	1716	chrome.exe	90
PID 1716 wrote to memory of 1320	1716	chrome.exe	91
PID 1716 wrote to memory of 1320	1716	chrome.exe	91
PID 1716 wrote to memory of 4576	1716	chrome.exe	92
PID 1716 wrote to memory of 4576	1716	chrome.exe	92
PID 1716 wrote to memory of 4576	1716	chrome.exe	92
PID 1716 wrote to memory of 4576	1716	chrome.exe	92
PID 1716 wrote to memory of 4576	1716	chrome.exe	92
PID 1716 wrote to memory of 4576	1716	chrome.exe	92
PID 1716 wrote to memory of 4576	1716	chrome.exe	92
PID 1716 wrote to memory of 4576	1716	chrome.exe	92
PID 1716 wrote to memory of 4576	1716	chrome.exe	92
PID 1716 wrote to memory of 4576	1716	chrome.exe	92
PID 1716 wrote to memory of 4576	1716	chrome.exe	92
PID 1716 wrote to memory of 4576	1716	chrome.exe	92
PID 1716 wrote to memory of 4576	1716	chrome.exe	92
PID 1716 wrote to memory of 4576	1716	chrome.exe	92
PID 1716 wrote to memory of 4576	1716	chrome.exe	92
PID 1716 wrote to memory of 4576	1716	chrome.exe	92
PID 1716 wrote to memory of 4576	1716	chrome.exe	92
PID 1716 wrote to memory of 4576	1716	chrome.exe	92
PID 1716 wrote to memory of 4576	1716	chrome.exe	92
PID 1716 wrote to memory of 4576	1716	chrome.exe	92
PID 1716 wrote to memory of 4576	1716	chrome.exe	92
PID 1716 wrote to memory of 4576	1716	chrome.exe	92
PID 1716 wrote to memory of 4576	1716	chrome.exe	92
PID 1716 wrote to memory of 4576	1716	chrome.exe	92
PID 1716 wrote to memory of 4576	1716	chrome.exe	92
PID 1716 wrote to memory of 4576	1716	chrome.exe	92
PID 1716 wrote to memory of 4576	1716	chrome.exe	92
PID 1716 wrote to memory of 4576	1716	chrome.exe	92

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2580	attrib.exe
3400	attrib.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\iloveu.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:832
- C:\Windows\system32\timeout.exe
  timeout 3
  2⤵
  - Delays execution with timeout.exe
  PID:4300

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2432

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Documents\SendDeny.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:3612

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffafc8acc40,0x7ffafc8acc4c,0x7ffafc8acc58
  2⤵
  PID:4148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1832,i,17950503441954374646,16738626605387818585,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1824 /prefetch:2
  2⤵
  PID:3000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2096,i,17950503441954374646,16738626605387818585,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2104 /prefetch:3
  2⤵
  PID:1320
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2172,i,17950503441954374646,16738626605387818585,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2204 /prefetch:8
  2⤵
  PID:4576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3096,i,17950503441954374646,16738626605387818585,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3204 /prefetch:1
  2⤵
  PID:820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3168,i,17950503441954374646,16738626605387818585,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:8
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3580,i,17950503441954374646,16738626605387818585,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3576 /prefetch:1
  2⤵
  PID:2372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4616,i,17950503441954374646,16738626605387818585,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4472 /prefetch:8
  2⤵
  PID:4868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4620,i,17950503441954374646,16738626605387818585,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4740 /prefetch:8
  2⤵
  PID:4140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4868,i,17950503441954374646,16738626605387818585,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4736 /prefetch:8
  2⤵
  PID:2996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4476,i,17950503441954374646,16738626605387818585,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4908 /prefetch:8
  2⤵
  PID:4904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4752,i,17950503441954374646,16738626605387818585,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4736 /prefetch:1
  2⤵
  PID:1036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=3564,i,17950503441954374646,16738626605387818585,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3516 /prefetch:1
  2⤵
  PID:1488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4364,i,17950503441954374646,16738626605387818585,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3408 /prefetch:8
  2⤵
  - NTFS ADS
  PID:4056

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1532

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3796

C:\Users\Admin\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
"C:\Users\Admin\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe"
1⤵
- Drops startup file
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
PID:2124
- C:\Windows\SysWOW64\attrib.exe
  attrib +h .
  2⤵
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:2580
- C:\Windows\SysWOW64\icacls.exe
  icacls . /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  - System Location Discovery: System Language Discovery
  PID:620
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4880
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 253691727544642.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1060
- - C:\Windows\SysWOW64\cscript.exe
    cscript.exe //nologo m.vbs
    3⤵
    - System Location Discovery: System Language Discovery
    PID:352
- C:\Windows\SysWOW64\attrib.exe
  attrib +h +s F:\$RECYCLE
  2⤵
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:3400
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected] co
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4768
- - C:\Users\Admin\Desktop\TaskData\Tor\taskhsvc.exe
    TaskData\Tor\taskhsvc.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1260
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c start /b @[email protected] vs
  2⤵
  - System Location Discovery: System Language Discovery
  PID:708
- - C:\Users\Admin\Desktop\@[email protected]
    @[email protected] vs
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4136
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
      4⤵
      System Location Discovery: System Language Discovery
      PID:3132
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1732
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 260
      4⤵
      Program crash
      PID:4920
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 500
      4⤵
      Program crash
      PID:964
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3156
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3256
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4684
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "xinooffmkqlv074" /t REG_SZ /d "\"C:\Users\Admin\Desktop\tasksche.exe\"" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2020
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "xinooffmkqlv074" /t REG_SZ /d "\"C:\Users\Admin\Desktop\tasksche.exe\"" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:3016
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2756
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4804
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4136 -ip 4136
1⤵
PID:4980

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:3408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4136 -ip 4136
1⤵
PID:2396

C:\Users\Admin\Desktop\@[email protected]
"C:\Users\Admin\Desktop\@[email protected]"
1⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\421d896d-a2f0-46e5-b6c1-5e828a7d2341.tmp

Filesize
11KB

MD5
b70bf1e8c842048406e91d9dfbec8423

SHA1
fe87f0ea4a852f1334f0f7e84fb4e5e34d1cf8af

SHA256
a8850e7e6cc63373605fa18fc413dcd5086dbc60e75746622ec535736a842abb

SHA512
595427720254c6cefdea5e251d775bf910c84178df84ff8051bb2d90d9f740121d2ae25efc6a99b5d72660740135a759594e9aa0ae886584ddf0bb223949f022

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
cf95b65d9028dfcfa0accc8aa9051ec1

SHA1
bbbc13c0bca80b1a64a7bd50efb8e4bfa732b2b7

SHA256
6b7b41394666ab72c293a043d9d54cb2f62b279b3248cd8e58775daa8d1fc578

SHA512
2ea00bb3540f9a4603c5176e1cf3efadef93a704e42ddea8f1e9f276895b96a9b69017469379d8b6282b779786f4d50bb626da80806de7ba7617f98c97ae622b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000006

Filesize
69KB

MD5
aee6d5d48230c7b49c109c2293d85c5d

SHA1
33ba15a284668344dc8cceb29fdeec0db3fc3def

SHA256
e7321897d3021c6db779654c12766d211d0c83dd81b67c418c85310fcda37448

SHA512
8630b6671be4858e6c91486cebf6eb6de9461686663fad3e501de544ebeb9d60ac3b2d96eedf50cafadb0cda367ea90709c343b6e1160d7d9771a38587f09d68

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000007

Filesize
414KB

MD5
46cee909d13b1fe89335ce4eceb8e8a9

SHA1
73fe85199a5fa009f79ae86554f8728447c7ef48

SHA256
fa0e3a093900f70b16df2b794a40b04a31277eb68336e9acecb5d1a322e5bb5b

SHA512
f01c35783b0141aa034d749627a406141d535ebe8f8a9701a1dbde382bfac6d9b2ffd5d15d96e0c8c8c8a4ffe3902be7126970e0d5c3c6c2850f1594e72879c9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
0092848142c240b10aa10450ded5beba

SHA1
f8f595885c750e983a65d41fcb9422c434bd4170

SHA256
689475eb65adae3690ba71da9b5fe18585da1197edbb0bd60185c289003a12ce

SHA512
8e42359c80015aa3030f0872ae6e81b398513f38a02dfdd85716af75b3cecef8b953a4cf60e0e95d1bbcbc072f91af6420dcec1e9a967cd66a02d5dc87d0facc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
d70290a9b1b899e297dffc421d60411a

SHA1
6211d574d63b3c282dcf529fcfc663a3f66c96a1

SHA256
a1043bcfdf6c662b80ff514a3ae0cfc26824cf752d2189e814f3cae160252883

SHA512
b3eb8f3d299676c7c8cce104fd02b9dafb9b6c5f337699264e5c1af8d5264324296185b8930d1b53c1ed26472fac52351e9426f0a8aea366207d9618df0c6190

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
3b34fd22ece3ff1f0d7241f1fdca9b45

SHA1
4389f58d0bc64ce35e91fbb117dee28535aabf5a

SHA256
63afbfd0ee435b3847cc7ffafd6c1539f9ddd5620572358cbdb5ebb7927243c2

SHA512
91a2a6db72c6c018c9a090263f5b35a30e2ed1a1ca4a85aa493837b435d0172c3525655e58fc7dbbc768632163d9245d2d0cf7f260250750c5a8cdee1aee251e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
682a06966096b31c82675ab0159a28ba

SHA1
b842e3b594dab467d7cd310a256c3577bcad6dc0

SHA256
68c603f4b46e93fe3ed0d2ba7e2b57634a5fb736c9bd7284cf67289fbca2e8c5

SHA512
c3826a10eb780a1a9342589ee9ea36948cafdc7998dce12034d14d60615493cacfca4218bc9ece317badfa65584cc5f3280d539c352b38dca9175505c3baa645

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
a25d5f0a6ad857942b72c93cdc277fe9

SHA1
7fe1abb4b5a881e190e13bc8c71be6a7adce88e7

SHA256
a18a16d29c7489380c41467582f243c1a69248c6b4776ade4a110c4752c60206

SHA512
d70be0aa4de1bf8a2ea000234cc01cf1689f8687c28b52d053c3d76df95d55b659c2152b8a7a2a4f1c07d36762bcbd593d970088e8d3371e8dcd5c6535158e01

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
4670f2478d25c1351a374728c5cc52a6

SHA1
6f033df5f359ca2def6dd03113e884a258f3a83c

SHA256
8bf27b16ac2effb443a91cb141a77156f9ad9ef09ad55723f47806339882bda5

SHA512
d2f896752640f47b1b8de319357ffcdfea4442c6c9791800c6d5aa1df41b556a8b08e087a7ab1008668914e2e14625c31dafb93f2c4583610e8e654ffcb830d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
fa364c71ece86da7aa98d0dc3957ca26

SHA1
9db4e288042f1185c3a76662412ffb2330016153

SHA256
e22e1086c97729baa0268c602b411071eb8666dec00cf403d8fa06a8f8af78ae

SHA512
4febbcb30842d492d66eda8270faeb7b07d31b43b31f675d59f7f37d2a106c06fed0fa78d6fe21fe436b0ead2ef2f080b24f24ddc808225a09b1587c048d3f0c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c6611849fade63243f7229789b1484c7

SHA1
6a2b81953c537bf67f22c0ecb804bd2dfb1b5170

SHA256
b51304dc04932ea204f9b77d106fbdc280e554a72fe3b9a36b070872e46c6328

SHA512
0e02eec69fa94bb43953171fdb93ef56607bfed519b7fda9e5ca0cf6e589b456be7f5a2f1f0b3a185906ded32d9bb0b46a7d22ce82aa02af0a78d9929677a027

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
211b03f3f5876f4bfb8247d6c587b423

SHA1
b695013d6a7134b19b3aa8c13ad71c6d435d58a0

SHA256
eb91e3ab9f9fbd5572b918e6afbdfe359a969a000aa3b7b81e4b0713a5ecb6fb

SHA512
4a6884db2ab591d9ca57f42822e9036b0cc7bd6eef081c9f4757bd1a56ed46ae0d5e1d46d507f970aef66891b1c04489155f322cc666f65df8f27330a93396c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
5b12a5b93136252b61b85e199586ad71

SHA1
771b674df62f2e56cd414473aa04676b94e46db2

SHA256
dd5ff295f79de7c02fb4c3cb011ceafb7bbcb1cb728abc908d7f509efb9865e9

SHA512
7ce0183b1d0ff83159b61aab754b52d1b33ef0d454662631c08453e4cd9a2b4573ff3d63c9afea3e6d567315ce43d038fcf07c778124900121fd1fb02ac77616

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7c91000d84151926a52d37ad01b5e87a

SHA1
661573ac1259d46446e1d8662d374b27172de123

SHA256
cabe3dfcdbde1e6d38ea7f327b5c838e45dc61f52eb9da7aace1e2820f36446e

SHA512
3fd56bb9706bba769ba99085a136e8d95da4ab988e8c03b3cacc0cf5546d9a07ec5cda7641639f1314de6c70d056acdb828d5db353cbcd022f051040482f9227

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
ba99453d7d13294796f2ccc1e6056acb

SHA1
de36c4a2cfd90f5e7f6b79d0ab8423d266c0f208

SHA256
1692439eab9f6bb98212c9688152d5e08d1498af80c2e0349ed74b2fc7bd8a8f

SHA512
083d8325ca4d920436ba48c5b2af1e33f45ba9ddb6bdd315b336e3bb766b5823d8c5cfa05fa227a37da7eb09bcff58ee71b63ee2f247bdc2cc7bbcfa3385035c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
212KB

MD5
a771f075ce797dd7c5da4ec11311a96b

SHA1
6674a76808279f171395137228bd21bd853d346b

SHA256
f18e1409a1f39fc72b7d456b3e9d72d2d2aefc4e89bf1143354dcc8157baea17

SHA512
5cc62d2a1b1e94806725927fbc5883a8870ebed435e67f549c7291647703cc0115349bd9c7755c291491f8fc4eae416403ea528df4af4c541d2a0d0b9035b209

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
212KB

MD5
b577b3b31d7313dc10bcc45d9612809a

SHA1
c440abf979607542e9a68116b871f6781e1aefef

SHA256
3b91549c5cbfc27f64abc621c036fd9e95aea33a8dd5c98d1c3a7ed2ef112d95

SHA512
38d2e096ff116d7e300d10bb094f08b00e4e194ac643ac8cf56ca12b4bd7a8cf9f46f26ab7f9b1df03e8312bcd8051cf0f7612ba704146bdf357fae89f3698f4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
212KB

MD5
e1dfb260d2cd4c3f27fa98fefccda432

SHA1
06422ef443a7ceabfdb3a54831b7ff139166f03e

SHA256
19a89e1a144e47610c1041149a253a512ee6f184c297731f951d3abc1a7cb531

SHA512
0302c3f0cc0ae35728f4b0ab35e2971bc409205fbdd5a5bd08481d010f13781307a14e23bf682e95fc220ed66c95f237b76f58a3a7cf9e524b5d7574441c0496

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

Filesize
20.4MB

MD5
8a2eeca1778de559ab52c3dd31459f9a

SHA1
b9aa8caeb1d2859c3735cf5cc46d2ff95a90f98c

SHA256
4d4822c2c9e7e9ff20b160c2ddb62e125a165ffcbb72308922aa04b11a85f8a1

SHA512
066c4ad94a1f8440d208e0a8e5d6757a7dd5f36400e5f9914e9a1c0f9b0a985b8975cb67eaaa0e7a4d2b7055c9cdc0128e069293f8fa2d90871f703797699bf7

Download Submit
C:\Users\Admin\Desktop\@[email protected]

Filesize
933B

MD5
f97d2e6f8d820dbd3b66f21137de4f09

SHA1
596799b75b5d60aa9cd45646f68e9c0bd06df252

SHA256
0e5ece918132a2b1a190906e74becb8e4ced36eec9f9d1c70f5da72ac4c6b92a

SHA512
efda21d83464a6a32fdeef93152ffd32a648130754fdd3635f7ff61cc1664f7fc050900f0f871b0ddd3a3846222bf62ab5df8eed42610a76be66fff5f7b4c4c0

Download Submit
C:\Users\Admin\Desktop\AddExport.wma

Filesize
355KB

MD5
0b25345924769bb91671259a82405bc2

SHA1
2845afbe2c75a7a488979eb2053dc52dace1db0c

SHA256
86dcd2959c7879d07fabe69d0ac72f755cd7b386833178487f38cd0dc910e3d5

SHA512
29720745a6b275d063741ce5d7382b27efce118ffe88c5319e591890dad7aebddc2245fd7c5e25663cc2d9288c599890f343e5c42f85982d1b29fb02ea4935a4

Download Submit
C:\Users\Admin\Desktop\CheckpointInitialize.exe

Filesize
583KB

MD5
9b634b1f6d43bf5f9559f2ccb41029b8

SHA1
259cf5bee9204944a8ebbc7bf6705033b2d74ad7

SHA256
4422200d9bd2f4187fb4ce78c05295a5101536525c48b1fd3dea1d72e7dff974

SHA512
cb938e00399377a279b913616966619a0ec86ec16e2bd8e89151fcb00739dcb316b7960dac23732dddd509cffb79c8f33886d5e0f633deb60f4bae2bab14f14d

Download Submit
C:\Users\Admin\Desktop\CompressUnlock.3gp2

Filesize
761KB

MD5
7d746790b14b8578951e2c170c3f09ec

SHA1
68bb46cc2b1814fa29f93565bcb6ccd0ea2a5331

SHA256
701ab54f3487d8af22d4bb586f259b6cca62177f79f81279fd687b1dd9d4d464

SHA512
5bb135f76b5ea3e730880554143c0902694fa0d28da4601b1c27a9a8c4a6216f5243305c90393a094252d6f0ac6900b29bddf607b23e5e34dda3d6e85a5a12d4

Download Submit
C:\Users\Admin\Desktop\ConvertFromAssert.dotx

Filesize
660KB

MD5
01b67d8ba7ecc5b14384338f55d6e7a1

SHA1
868e54c74511ab07b7b2e0fed6e4c238049ab1c2

SHA256
d15531d468daa46e1897509d4054618667d798c76834631ee7295f70d46b0d66

SHA512
1fd1dc4e62949817c1e095c67a711673dd9276abef23cb5e1c559eff71da16fd799dfa39280e7053c6127a7975d2e4484427b6b7033236715e280985cc1e414b

Download Submit
C:\Users\Admin\Desktop\ConvertToRevoke.xlsx

Filesize
10KB

MD5
3e6661204cfacaa53cd8989373b93913

SHA1
7e3f32908fc32aca6716900dafe78c79816e12cd

SHA256
eb278b4b07428aa1b0b37cacb7f3ae437f5c20f666eed96919ef897c3c2cfe95

SHA512
a392dc14d430515c218cb6c0742eca0d9e5c65576ab7d2be841b83dab75b49a5567ea09e3336963cedefa4353db95e60e7b5b82638cf61ce2580d68063840762

Download Submit
C:\Users\Admin\Desktop\EditBackup.hta

Filesize
431KB

MD5
917865735eb7d6a6b683caae0580cb5b

SHA1
c8d19471bfe4f50502a7faafa7636206f71b40ad

SHA256
965cf8731314826aefc874363822867b487045e24a027ef39b86ac182fa569d4

SHA512
3fac8221f9b45a7e73bcc0b458ead8ddd10314deec2da7f718ef57eafdf05bfea9486f97b5acbd5eb39145bcd587ac06d4008bc562d751a1ea45e7f50f34adf5

Download Submit
C:\Users\Admin\Desktop\EnableLock.cab

Filesize
609KB

MD5
8be48ab4c5912cd8e68ad305b8b5bf41

SHA1
adaf18459e3dfbbdabafbb378fccd74eaefa4156

SHA256
8a7bdd1efe34064bf5a52955aa2d3af8021bb561cc36f4036a263bfde1f9756d

SHA512
dfc520b570fb795e165b3e2b837eb28b5b50afbaf4b3b778c2c46fee3248e04c529bb3128af5b98e5430936b20e67de777ebb99ac84eece6b72392c050cc2157

Download Submit
C:\Users\Admin\Desktop\EnterMerge.docx

Filesize
14KB

MD5
1e39d7293cd3a7777599989efedb6e71

SHA1
881508226ee4a26e5179ae54092b4175888afba7

SHA256
be26b7d20155d47afe7f1df5c90632f649d8dabd6939e016a67f84541fb597bd

SHA512
a55a896ba2fbf586f28a94a4d6d1ab2d691da80e7f46c15f68e418e6880ff6b0942b2e3db5763562e85535af4d96dfcf531aaf6b29e7e99aaf428b870484c536

Download Submit
C:\Users\Admin\Desktop\ExitDisconnect.xla

Filesize
787KB

MD5
b6bb6d36f5e5b291099250a3b2c46233

SHA1
fbe79ca8aa79bd8083eba0a913c961d6d19f2998

SHA256
edd4845defc31aa5370f54c66f35816966c9e449686ae103337efaa589e14656

SHA512
60094431cc5cd053d096b57d76add3b9787f95cc2178d2ef31ecfa41f5acdf819988acb1c4008ae8031bec3ab8ec6a9a636deb4208a295c7e4d213e0fa779703

Download Submit
C:\Users\Admin\Desktop\ExitTest.ADT

Filesize
507KB

MD5
11726cb14db9f9f0b75ad2b1a85c6d25

SHA1
0fa74cd9ca922af4316f0d3f771dd1a171c20c75

SHA256
2c4771f8c88ea8614aef2952f439a1648c925ecc28a8317eea210c182b3d4ad7

SHA512
8aadffe9da44de9142b97efb16cd9f959d04f00327cc4b690472ad7d19450478ff09816d710244d28ba00bec8154ca0d248e51a49a5871f28786f8bbc051b692

Download Submit
C:\Users\Admin\Desktop\ExpandUnpublish.mpe

Filesize
380KB

MD5
1d2406f440301bb7c9f91e8105521e99

SHA1
884320a8b92f67e36cbf6e1cf59013209f1af937

SHA256
29627f05246dfd3cdfcd9e64f4c621cca5058c9900791ade6837c3d6423d2eac

SHA512
18dc795b3a1784d1d7cf3063e39a19d44c864be2b2014b81f0030c242c44aacf2b7802092d80e26ef0b42d08d768b9fe3ac95c0e6190f346432bbf0180ba5b29

Download Submit
C:\Users\Admin\Desktop\ExportEdit.mpa

Filesize
710KB

MD5
5a14c65e847de33a0349a3837d005d72

SHA1
76c1be3b77444169d010c629a2cda20078be69f3

SHA256
1b91cdcb92ae923bc9b8451960675d5e43ef3a7e7514f455ee89436be8ad330c

SHA512
1466470d0f3ab0b4fff34609b69dba40c75ef9ca9629a48f9e66f4c72dd1dca3fa2b28a1b250d14941cb7a3d0ccc1fb5eaf7cf873653cc38cff97f2171eb3146

Download Submit
C:\Users\Admin\Desktop\GroupConvert.mpeg3

Filesize
685KB

MD5
823316df11e5dfd27ede1df444eebf3b

SHA1
25173c9ca0523973e59725ebf63994b1e49670d7

SHA256
277f271ba95f87adcfa97aa8d30707d6c2fa998be6f263c48d92c9c7ab206145

SHA512
e6599fdf31644cf1c8f8fa2fec88d23522bed9c0c96f9dc03f158ea258bc85a4e4a4006c6b97369c47f64532f6cca5a415eb0fb5a6f4da756917eca7d64228d8

Download Submit
C:\Users\Admin\Desktop\InstallInvoke.asf

Filesize
736KB

MD5
2d370b1a00cab0f9af61fcb60ee925f1

SHA1
d46cd8385e82317907535feb00bd3265a6973c4b

SHA256
a4c00f9075b1615c3df029b82aeb815796d5c50128f99c675c2565dba8215d6b

SHA512
17d90dd01c0c88b417b8b3b8ed559246d6cba971517e10a4654dfcd870a130629b525c464c0a03f520f80169d771062efe2ab56f50ef22d3d9ebaf91951fdf89

Download Submit
C:\Users\Admin\Desktop\JoinClear.contact

Filesize
1.1MB

MD5
a5dd32118659b79d7f68eb496713e787

SHA1
45cc0c8f1fcb0f8cd3532639364d937e3044e08a

SHA256
1aba4b776721d4fe95d0de3a4b9118e9aafa9323dea7be94aa51927ee2ac299d

SHA512
9833b1d015aeee7a6a7744402ea27081503ebd659d368580faca2c9270d3a0abd1117f68693f356763ac3dc5f4c084bd89693eccfdbb7722235b7af7e998fd28

Download Submit
C:\Users\Admin\Desktop\LockUnpublish.docx

Filesize
13KB

MD5
393dfd274739dab1f4ba68456796e2fa

SHA1
d6bd213381ee43839d01cdaf3fbed45fe8f1eefe

SHA256
2b8310b0b37c76f72b2b30bbc1a5cb4f894a4313ec07759fdd4c59965061291b

SHA512
79d061202f4fafa5b75fcab1fafa3b0108566cb2c0fa2ec85caf2a6679a9d1bea6bbbdd5131635c80a0d156aa5fee94f98643307088a2dbb06d40d617ef2d1f7

Download Submit
C:\Users\Admin\Desktop\Microsoft Edge.lnk

Filesize
2KB

MD5
29f805c1e369b60c27d57c6578b71105

SHA1
b5ec6d66cedf9fe0026e02ce352139750681ff0c

SHA256
018b1ba6f7b9bee31100cfa40ce77029352a20d752be3922fe5c4f16c9a3b1f7

SHA512
4c6fe8f31fbefe357a369df29cb42d7e456f19c452c62a2e3d91968fbd329ddc850fb4be9c6c36e42bb5b157dfb3ad45e3a5d7a8df2e6ead0f5307bb782bb89e

Download Submit
C:\Users\Admin\Desktop\ReceiveSubmit.asp

Filesize
330KB

MD5
8defdb082d53a07aa38bf881ec54f866

SHA1
36044da0794780b0547f31e03aeca7bfb2108472

SHA256
b2074686b54cd3eab9104bb6562fce98e222c03f80b0a26638c7bc8d1009770d

SHA512
ec954f5cc2ec5f1dd1fcf997acbb50ef35e090d6a4218eff4a2aa418a40c5dd1c94bf9da767c929abe85adef37e4e5c159de94e643904f8c9a7bc5db8b2ba811

Download Submit
C:\Users\Admin\Desktop\RedoSync.mov

Filesize
456KB

MD5
a44d84d4567aba164f65ffa13ad4bda8

SHA1
1282a133ab68267e82eea8288a46806b44835891

SHA256
9054022a70ee0c65f20a5bc1119c6b00cc2d95d684628004f8f77bb3807dc544

SHA512
6d0f43c6d3b0526c08f31930e87425181fd54c6069a562f07ed267978f42798e2a913733cf0a63b1a1a65e279040c8db9e0b97cea4324bd73cf4a5ebe4983007

Download Submit
C:\Users\Admin\Desktop\RenameComplete.pps

Filesize
558KB

MD5
e2b2194ea4d3960494afdc4caa784744

SHA1
184874b43701ae62c62da67e6b1cff66cfc0f399

SHA256
446fce9a7ea8c2b62f3c5de589ba334ff37f547e2ab51aa11b4b1632060101a6

SHA512
274456fd8239850d30a2faa2c88bf53817d5dafe724c1dc72ddc1bcb36b4236a887aab9ba79990f11244fac6312fbbfa50607da029ca879a3cbd5969c6457338

Download Submit
C:\Users\Admin\Desktop\ResetMeasure.wmv

Filesize
406KB

MD5
73ed64bae108b44e020d229a51903ac7

SHA1
396e651cb0fd958378e4ba0c7bc2a06f15f76c0b

SHA256
695e39c281de10704742f95e25d9ed3fd96b842d133318ef8d7928e0f292c819

SHA512
894992b5cce546bd0f6939c850ad58c1a214a700b9dde7163c8efd363fdeeb5f8c16132a226f370736abf13fb3274e6258a59624b50bd6b56b37cecec9a81d0d

Download Submit
C:\Users\Admin\Desktop\ResolveShow.vstx

Filesize
304KB

MD5
7f094f142eb8c82c4592f5fa93d9b49e

SHA1
3ff39dbe88f2b2fcccd49f729204d2d240952f72

SHA256
ae1c952f01a124a897275a061a7681d6668e5924b05aebbbba438941cf33e830

SHA512
e9b1b9c722d84e7d76e2e5ba4ac3aee8bf7d7893ea27c64340c00d82462912a3c6eb75fdeb88e95d2717fbd7e0e52a83dcf5539ef2abfdcadd15aed5fbbc2223

Download Submit
C:\Users\Admin\Desktop\RestartUnblock.7z

Filesize
634KB

MD5
c18e81fdb7c22c01f25f1105026117c9

SHA1
2a6f6c2055db941380ca44a9ed93311fc7c3ba80

SHA256
7fa5dbfd12e26e7046eec6e256a9543b59d6adf5bc05a49151f1a0c8ea1e9f5a

SHA512
1ec7a849bcb4e4b5858c76ea3799e22fe4fce715a04b51f5a29d4fad2fd4de597180aaf6f1ca777468921057a2948d951caa54e45b3386c1c9b48f86e790eec3

Download Submit
C:\Users\Admin\Desktop\SplitAdd.xlsx

Filesize
13KB

MD5
86b3685a7ef8190a0681d1ce8ce5d28d

SHA1
375e94b21cb8c476a0b354c6a344c956992de3e0

SHA256
940ba9cb5cbeaa530f4f3d1d947cec107ea3a047db373f6b732958f016c69eed

SHA512
752cf9e25bfe323e6712928b362847b30213ec846f962a650dea2055cc6cd19819fbd3cd27b19ced9b988029fcf59d2bba646962a37f0217814134f086b6c25e

Download Submit
C:\Users\Admin\Desktop\StepWatch.search-ms

Filesize
482KB

MD5
e403c52c3d3139257ee6a742273f8575

SHA1
171edbb2a9e2d63dd52d8b3530b63ec2ebf0cbfa

SHA256
d9ed72d6a9ddae924fb06d61d8f7a67e6a5f5a965d633e42505968f9ecb03a5e

SHA512
08969e3e5db74071428687d4d0cf07bf4599a0f6a63088ae9563c7176fcee99c6fea7bbb7fe8c448f603212a54c20945a8bf547ff25ae0eb025c63d2238c79cc

Download Submit
C:\Users\Admin\Desktop\TaskData\Tor\tor.exe

Filesize
3.0MB

MD5
fe7eb54691ad6e6af77f8a9a0b6de26d

SHA1
53912d33bec3375153b7e4e68b78d66dab62671a

SHA256
e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb

SHA512
8ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f

Download Submit
C:\Users\Admin\Desktop\UnpublishRestart.ram

Filesize
533KB

MD5
97e618f6b4b8896fb6652ebd31eb550b

SHA1
ca6a070fc6f134d33b1bf9dbe14040f96e999b87

SHA256
17ef92a50e684e40df56469a04f11032231c825e64d510bbd152aca80fcf27ed

SHA512
e4dd2c1cb38e2c90de6b377996c4cc83f4032a1420b51037676d70bc96f77c5cea815aa67a18b0016e53424ef065d9050b236b68225a0059a3749e26f7d1afd2

Download Submit
C:\Users\Admin\Desktop\WriteSend.rtf

Filesize
279KB

MD5
92f6ac1a0237e8187a4f3c7d15e5874f

SHA1
e92dde993eccbb6a2a4179478fede33ff3fe4b5f

SHA256
e48a9f4d9971a2190cd083b402c5ee5a0e9910f0c825c8d966bbf4ab35ef4e59

SHA512
e38a1fee50012e9a41386bcc043bc58adf76cc2805969f9fd895861b5ab4e458b370b01c65920abd58b7da55c081bbd7ef147cafb8b7c75408732b564c8edd3d

Download Submit
C:\Users\Admin\Desktop\b.wnry

Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
C:\Users\Admin\Desktop\c.wnry

Filesize
780B

MD5
383a85eab6ecda319bfddd82416fc6c2

SHA1
2a9324e1d02c3e41582bf5370043d8afeb02ba6f

SHA256
079ce1041cbffe18ff62a2b4a33711eda40f680d0b1d3b551db47e39a6390b21

SHA512
c661e0b3c175d31b365362e52d7b152267a15d59517a4bcc493329be20b23d0e4eb62d1ba80bb96447eeaf91a6901f4b34bf173b4ab6f90d4111ea97c87c1252

Download Submit
C:\Users\Admin\Desktop\m.vbs

Filesize
197B

MD5
94bdc24abf89cb36e00816911e6ae19e

SHA1
87335eea1d8eb1d70e715cc88daf248bb1f83021

SHA256
e9757f002a632de82ff9bd1283f90bcff2eec4ce6926f8b7e37879ff0c518660

SHA512
3bec73a3c6360499bb280aec0562157cda47c8ed11e3b1280c4fb8a457ab48dc1f3aea42d6a0d5c2842d60ca09436da96ef7136c0652d2b5c613fae87799ac0f

Download Submit
C:\Users\Admin\Desktop\msg\m_bulgarian.wnry

Filesize
46KB

MD5
95673b0f968c0f55b32204361940d184

SHA1
81e427d15a1a826b93e91c3d2fa65221c8ca9cff

SHA256
40b37e7b80cf678d7dd302aaf41b88135ade6ddf44d89bdba19cf171564444bd

SHA512
7601f1883edbb4150a9dc17084012323b3bfa66f6d19d3d0355cf82b6a1c9dce475d758da18b6d17a8b321bf6fca20915224dbaedcb3f4d16abfaf7a5fc21b92

Download Submit
C:\Users\Admin\Desktop\msg\m_chinese (simplified).wnry

Filesize
53KB

MD5
0252d45ca21c8e43c9742285c48e91ad

SHA1
5c14551d2736eef3a1c1970cc492206e531703c1

SHA256
845d0e178aeebd6c7e2a2e9697b2bf6cf02028c50c288b3ba88fe2918ea2834a

SHA512
1bfcf6c0e7c977d777f12bd20ac347630999c4d99bd706b40de7ff8f2f52e02560d68093142cc93722095657807a1480ce3fb6a2e000c488550548c497998755

Download Submit
C:\Users\Admin\Desktop\msg\m_chinese (traditional).wnry

Filesize
77KB

MD5
2efc3690d67cd073a9406a25005f7cea

SHA1
52c07f98870eabace6ec370b7eb562751e8067e9

SHA256
5c7f6ad1ec4bc2c8e2c9c126633215daba7de731ac8b12be10ca157417c97f3a

SHA512
0766c58e64d9cda5328e00b86f8482316e944aa2c26523a3c37289e22c34be4b70937033bebdb217f675e40db9fecdce0a0d516f9065a170e28286c2d218487c

Download Submit
C:\Users\Admin\Desktop\msg\m_croatian.wnry

Filesize
38KB

MD5
17194003fa70ce477326ce2f6deeb270

SHA1
e325988f68d327743926ea317abb9882f347fa73

SHA256
3f33734b2d34cce83936ce99c3494cd845f1d2c02d7f6da31d42dfc1ca15a171

SHA512
dcf4ccf0b352a8b271827b3b8e181f7d6502ca0f8c9dda3dc6e53441bb4ae6e77b49c9c947cc3ede0bf323f09140a0c068a907f3c23ea2a8495d1ad96820051c

Download Submit
C:\Users\Admin\Desktop\msg\m_czech.wnry

Filesize
39KB

MD5
537efeecdfa94cc421e58fd82a58ba9e

SHA1
3609456e16bc16ba447979f3aa69221290ec17d0

SHA256
5afa4753afa048c6d6c39327ce674f27f5f6e5d3f2a060b7a8aed61725481150

SHA512
e007786ffa09ccd5a24e5c6504c8de444929a2faaafad3712367c05615b7e1b0fbf7fbfff7028ed3f832ce226957390d8bf54308870e9ed597948a838da1137b

Download Submit
C:\Users\Admin\Desktop\msg\m_danish.wnry

Filesize
36KB

MD5
2c5a3b81d5c4715b7bea01033367fcb5

SHA1
b548b45da8463e17199daafd34c23591f94e82cd

SHA256
a75bb44284b9db8d702692f84909a7e23f21141866adf3db888042e9109a1cb6

SHA512
490c5a892fac801b853c348477b1140755d4c53ca05726ac19d3649af4285c93523393a3667e209c71c80ac06ffd809f62dd69ae65012dcb00445d032f1277b3

Download Submit
C:\Users\Admin\Desktop\msg\m_dutch.wnry

Filesize
36KB

MD5
7a8d499407c6a647c03c4471a67eaad7

SHA1
d573b6ac8e7e04a05cbbd6b7f6a9842f371d343b

SHA256
2c95bef914da6c50d7bdedec601e589fbb4fda24c4863a7260f4f72bd025799c

SHA512
608ef3ff0a517fe1e70ff41aeb277821565c5a9bee5103aa5e45c68d4763fce507c2a34d810f4cd242d163181f8341d9a69e93fe32aded6fbc7f544c55743f12

Download Submit
C:\Users\Admin\Desktop\msg\m_english.wnry

Filesize
36KB

MD5
fe68c2dc0d2419b38f44d83f2fcf232e

SHA1
6c6e49949957215aa2f3dfb72207d249adf36283

SHA256
26fd072fda6e12f8c2d3292086ef0390785efa2c556e2a88bd4673102af703e5

SHA512
941fa0a1f6a5756ed54260994db6158a7ebeb9e18b5c8ca2f6530c579bc4455918df0b38c609f501ca466b3cc067b40e4b861ad6513373b483b36338ae20a810

Download Submit
C:\Users\Admin\Desktop\msg\m_filipino.wnry

Filesize
36KB

MD5
08b9e69b57e4c9b966664f8e1c27ab09

SHA1
2da1025bbbfb3cd308070765fc0893a48e5a85fa

SHA256
d8489f8c16318e524b45de8b35d7e2c3cd8ed4821c136f12f5ef3c9fc3321324

SHA512
966b5ed68be6b5ccd46e0de1fa868cfe5432d9bf82e1e2f6eb99b2aef3c92f88d96f4f4eec5e16381b9c6db80a68071e7124ca1474d664bdd77e1817ec600cb4

Download Submit
C:\Users\Admin\Desktop\msg\m_finnish.wnry

Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Admin\Desktop\msg\m_french.wnry

Filesize
37KB

MD5
4e57113a6bf6b88fdd32782a4a381274

SHA1
0fccbc91f0f94453d91670c6794f71348711061d

SHA256
9bd38110e6523547aed50617ddc77d0920d408faeed2b7a21ab163fda22177bc

SHA512
4f1918a12269c654d44e9d394bc209ef0bc32242be8833a2fba437b879125177e149f56f2fb0c302330dec328139b34982c04b3fefb045612b6cc9f83ec85aa9

Download Submit
C:\Users\Admin\Desktop\msg\m_german.wnry

Filesize
36KB

MD5
3d59bbb5553fe03a89f817819540f469

SHA1
26781d4b06ff704800b463d0f1fca3afd923a9fe

SHA256
2adc900fafa9938d85ce53cb793271f37af40cf499bcc454f44975db533f0b61

SHA512
95719ae80589f71209bb3cb953276538040e7111b994d757b0a24283aefe27aadbbe9eef3f1f823ce4cabc1090946d4a2a558607ac6cac6faca5971529b34dac

Download Submit
C:\Users\Admin\Desktop\msg\m_greek.wnry

Filesize
47KB

MD5
fb4e8718fea95bb7479727fde80cb424

SHA1
1088c7653cba385fe994e9ae34a6595898f20aeb

SHA256
e13cc9b13aa5074dc45d50379eceb17ee39a0c2531ab617d93800fe236758ca9

SHA512
24db377af1569e4e2b2ebccec42564cea95a30f1ff43bcaf25a692f99567e027bcef4aacef008ec5f64ea2eef0c04be88d2b30bcadabb3919b5f45a6633940cb

Download Submit
C:\Users\Admin\Desktop\msg\m_indonesian.wnry

Filesize
36KB

MD5
3788f91c694dfc48e12417ce93356b0f

SHA1
eb3b87f7f654b604daf3484da9e02ca6c4ea98b7

SHA256
23e5e738aad10fb8ef89aa0285269aff728070080158fd3e7792fe9ed47c51f4

SHA512
b7dd9e6dc7c2d023ff958caf132f0544c76fae3b2d8e49753257676cc541735807b4befdf483bcae94c2dcde3c878c783b4a89dca0fecbc78f5bbf7c356f35cd

Download Submit
C:\Users\Admin\Desktop\msg\m_italian.wnry

Filesize
36KB

MD5
30a200f78498990095b36f574b6e8690

SHA1
c4b1b3c087bd12b063e98bca464cd05f3f7b7882

SHA256
49f2c739e7d9745c0834dc817a71bf6676ccc24a4c28dcddf8844093aab3df07

SHA512
c0da2aae82c397f6943a0a7b838f60eeef8f57192c5f498f2ecf05db824cfeb6d6ca830bf3715da7ee400aa8362bd64dc835298f3f0085ae7a744e6e6c690511

Download Submit
C:\Users\Admin\Desktop\msg\m_japanese.wnry

Filesize
79KB

MD5
b77e1221f7ecd0b5d696cb66cda1609e

SHA1
51eb7a254a33d05edf188ded653005dc82de8a46

SHA256
7e491e7b48d6e34f916624c1cda9f024e86fcbec56acda35e27fa99d530d017e

SHA512
f435fd67954787e6b87460db026759410fbd25b2f6ea758118749c113a50192446861a114358443a129be817020b50f21d27b1ebd3d22c7be62082e8b45223fc

Download Submit
C:\Users\Admin\Documents\@[email protected]

Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry.zip.crdownload

Filesize
3.3MB

MD5
efe76bf09daba2c594d2bc173d9b5cf0

SHA1
ba5de52939cb809eae10fdbb7fac47095a9599a7

SHA256
707a9f323556179571bc832e34fa592066b1d5f2cac4a7426fe163597e3e618a

SHA512
4a1df71925cf2eb49c38f07c6a95bea17752b025f0114c6fd81bc0841c1d1f2965b5dda1469e454b9e8207c2e0dfd3df0959e57166620ccff86eeeb5cf855029

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Public\Desktop\Acrobat Reader DC.lnk

Filesize
2KB

MD5
34a57aee30ca057c61c73ebab410117f

SHA1
eaf72023e5346a733d57e0ddb9a1d42c2908f396

SHA256
d7373cca840e81a42a578a23392bcfdadc3129ea9f90fc9056a3266b1040a8a4

SHA512
e61ff556d129d5bc8ec16ab151fd10fbc8a2c2b238bbe3e7a6a89bfc3b08612c8ba8bfd2111adb0cb134503b9f85f6bfaf58915fbec220f4d9b3d243515cf077

Download Submit
C:\Users\Public\Desktop\Firefox.lnk

Filesize
1000B

MD5
41d15f39f0cdd9e1fb87b0905c5eef67

SHA1
c67f6e793d56fca48207002577aa5e5917e18ae0

SHA256
77a8aa315a9ac40f597fb28733669f40f4697f564402dcb8aa918540811add9b

SHA512
77f1f4872a7ba998f17ae9c272669419b8755c4876ff7a163fe236a62af748c13f7ff9c5850c7cd0d764b9b02583982f773e58ac24f6c543c34dbd50821a74b5

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk

Filesize
2KB

MD5
ce4864e7fb15c7c15472264a8f8cbe62

SHA1
84fcf636c709029a882d7193c9288d1d37d68262

SHA256
42c9c4687d7369395d5121db46ff708cbf18f623fc8c515e616307461e4c4d64

SHA512
b3f37b21a8fe9971776fb4d711c98ef9a6b8b225f779dcc94ceed892d05882eaf4306593473d52f7d6370d9f1286cc01756a07b3292398c1d88591e5f88b71d3

Download Submit
C:\Users\Public\Desktop\VLC media player.lnk

Filesize
923B

MD5
99b01f86a345233811cb34cf868c8534

SHA1
e483864dec47d5e3b71ba4b6ae15ed1579221bbf

SHA256
1151b9b4d907b845d6b7ca6d660494d9c39767094e0a90c0efe62d55f3906756

SHA512
665bdc5ddcdfeadf809b0b3cc6fc8927a272f79cee0032e09b083d2a21e8ffc1df96935f096d0df55aae0279eadf4ce740f608d1594a28e7046eb7bb8e0e09ab

Download Submit
memory/1260-2137-0x00000000733C0000-0x00000000733E2000-memory.dmp

Filesize
136KB

Download
memory/1260-2141-0x0000000000640000-0x000000000093E000-memory.dmp

Filesize
3.0MB

Download
memory/1260-2138-0x0000000000640000-0x000000000093E000-memory.dmp

Filesize
3.0MB

Download
memory/1260-2136-0x0000000073500000-0x0000000073582000-memory.dmp

Filesize
520KB

Download
memory/1260-2144-0x0000000073500000-0x0000000073582000-memory.dmp

Filesize
520KB

Download
memory/1260-2147-0x00000000731A0000-0x00000000733BC000-memory.dmp

Filesize
2.1MB

Download
memory/1260-2146-0x00000000733C0000-0x00000000733E2000-memory.dmp

Filesize
136KB

Download
memory/1260-2145-0x00000000733F0000-0x0000000073467000-memory.dmp

Filesize
476KB

Download
memory/1260-2143-0x0000000073470000-0x00000000734F2000-memory.dmp

Filesize
520KB

Download
memory/1260-2135-0x00000000731A0000-0x00000000733BC000-memory.dmp

Filesize
2.1MB

Download
memory/1260-2142-0x0000000073590000-0x00000000735AC000-memory.dmp

Filesize
112KB

Download
memory/1260-2151-0x0000000000640000-0x000000000093E000-memory.dmp

Filesize
3.0MB

Download
memory/1260-2134-0x0000000073470000-0x00000000734F2000-memory.dmp

Filesize
520KB

Download
memory/1260-2170-0x0000000000640000-0x000000000093E000-memory.dmp

Filesize
3.0MB

Download
memory/1260-2176-0x00000000731A0000-0x00000000733BC000-memory.dmp

Filesize
2.1MB

Download
memory/1260-2243-0x0000000000640000-0x000000000093E000-memory.dmp

Filesize
3.0MB

Download
memory/1260-2197-0x0000000000640000-0x000000000093E000-memory.dmp

Filesize
3.0MB

Download
memory/1260-2203-0x00000000731A0000-0x00000000733BC000-memory.dmp

Filesize
2.1MB

Download
memory/1260-2205-0x0000000000640000-0x000000000093E000-memory.dmp

Filesize
3.0MB

Download
memory/2124-596-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download