wannacry | hxxps://github[.]com/Da2dalus/The-MALWARE-Repo/tree/master/Joke

Analysis

max time kernel
135s
max time network
197s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28-06-2024 17:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo/tree/master/Joke

Score

10^/10

wannacry aspackv2 bootkit persistence ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\!Please Read Me!.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions! �

Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Downloads MZ/PE file
ASPack v2.12-2.42 1 IoCs
Detects executables packed with ASPack v2.12-2.42
aspackv2

Processes:

resource yara_rule

C:\Users\Admin\Downloads\Avoid.exe aspack_v212_v242

resource	yara_rule
C:\Users\Admin\Downloads\Avoid.exe	aspack_v212_v242

Drops startup file 2 IoCs

Processes:

WannaCry.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDEA13.tmp	WannaCry.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDEA59.tmp	WannaCry.exe

Executes dropped EXE 6 IoCs

Processes:

CookieClickerHack.exeAvoid.exeGoldenEye.exeWPDShextAutoplay.exeWannaCry.exe!WannaDecryptor!.exe

pid process

4748 CookieClickerHack.exe
2304 Avoid.exe
6072 GoldenEye.exe
5268 WPDShextAutoplay.exe
5284 WannaCry.exe
4532 !WannaDecryptor!.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
4748	CookieClickerHack.exe
2304	Avoid.exe
6072	GoldenEye.exe
5268	WPDShextAutoplay.exe
5284	WannaCry.exe
4532	!WannaDecryptor!.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

WannaCry.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\Downloads\\WannaCry.exe\" /r"	WannaCry.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

49 raw.githubusercontent.com
50 raw.githubusercontent.com
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

WPDShextAutoplay.exe

description ioc process

File opened for modification \??\PhysicalDrive0 WPDShextAutoplay.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
49	raw.githubusercontent.com
50	raw.githubusercontent.com

description	ioc	process
File opened for modification	\??\PhysicalDrive0	WPDShextAutoplay.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 4 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

4984 taskkill.exe
6104 taskkill.exe
2844 taskkill.exe
5272 taskkill.exe

pid	process
4984	taskkill.exe
6104	taskkill.exe
2844	taskkill.exe
5272	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133640702597180455"	chrome.exe

NTFS ADS 1 IoCs

Processes:

chrome.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\SporaRansomware.exe:Zone.Identifier chrome.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\SporaRansomware.exe:Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

chrome.exetaskmgr.exechrome.exe

pid	process
1424	chrome.exe
1424	chrome.exe
5128	taskmgr.exe
5128	taskmgr.exe
5128	taskmgr.exe
5128	taskmgr.exe
5128	taskmgr.exe
5128	taskmgr.exe
5128	taskmgr.exe
5128	taskmgr.exe
5128	taskmgr.exe
5128	taskmgr.exe
5436	chrome.exe
5436	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

chrome.exe

pid process

1424 chrome.exe
1424 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	1424	chrome.exe
Token: SeCreatePagefilePrivilege	1424	chrome.exe
Token: SeShutdownPrivilege	1424	chrome.exe
Token: SeCreatePagefilePrivilege	1424	chrome.exe
Token: SeShutdownPrivilege	1424	chrome.exe
Token: SeCreatePagefilePrivilege	1424	chrome.exe
Token: SeShutdownPrivilege	1424	chrome.exe
Token: SeCreatePagefilePrivilege	1424	chrome.exe
Token: SeShutdownPrivilege	1424	chrome.exe
Token: SeCreatePagefilePrivilege	1424	chrome.exe
Token: SeShutdownPrivilege	1424	chrome.exe
Token: SeCreatePagefilePrivilege	1424	chrome.exe
Token: SeShutdownPrivilege	1424	chrome.exe
Token: SeCreatePagefilePrivilege	1424	chrome.exe
Token: SeShutdownPrivilege	1424	chrome.exe
Token: SeCreatePagefilePrivilege	1424	chrome.exe
Token: SeShutdownPrivilege	1424	chrome.exe
Token: SeCreatePagefilePrivilege	1424	chrome.exe
Token: SeShutdownPrivilege	1424	chrome.exe
Token: SeCreatePagefilePrivilege	1424	chrome.exe
Token: SeShutdownPrivilege	1424	chrome.exe
Token: SeCreatePagefilePrivilege	1424	chrome.exe
Token: SeShutdownPrivilege	1424	chrome.exe
Token: SeCreatePagefilePrivilege	1424	chrome.exe
Token: SeShutdownPrivilege	1424	chrome.exe
Token: SeCreatePagefilePrivilege	1424	chrome.exe
Token: SeShutdownPrivilege	1424	chrome.exe
Token: SeCreatePagefilePrivilege	1424	chrome.exe
Token: SeShutdownPrivilege	1424	chrome.exe
Token: SeCreatePagefilePrivilege	1424	chrome.exe
Token: SeShutdownPrivilege	1424	chrome.exe
Token: SeCreatePagefilePrivilege	1424	chrome.exe
Token: SeShutdownPrivilege	1424	chrome.exe
Token: SeCreatePagefilePrivilege	1424	chrome.exe
Token: SeShutdownPrivilege	1424	chrome.exe
Token: SeCreatePagefilePrivilege	1424	chrome.exe
Token: SeShutdownPrivilege	1424	chrome.exe
Token: SeCreatePagefilePrivilege	1424	chrome.exe
Token: SeShutdownPrivilege	1424	chrome.exe
Token: SeCreatePagefilePrivilege	1424	chrome.exe
Token: SeShutdownPrivilege	1424	chrome.exe
Token: SeCreatePagefilePrivilege	1424	chrome.exe
Token: SeShutdownPrivilege	1424	chrome.exe
Token: SeCreatePagefilePrivilege	1424	chrome.exe
Token: SeShutdownPrivilege	1424	chrome.exe
Token: SeCreatePagefilePrivilege	1424	chrome.exe
Token: SeShutdownPrivilege	1424	chrome.exe
Token: SeCreatePagefilePrivilege	1424	chrome.exe
Token: SeShutdownPrivilege	1424	chrome.exe
Token: SeCreatePagefilePrivilege	1424	chrome.exe
Token: SeShutdownPrivilege	1424	chrome.exe
Token: SeCreatePagefilePrivilege	1424	chrome.exe
Token: SeShutdownPrivilege	1424	chrome.exe
Token: SeCreatePagefilePrivilege	1424	chrome.exe
Token: SeShutdownPrivilege	1424	chrome.exe
Token: SeCreatePagefilePrivilege	1424	chrome.exe
Token: SeShutdownPrivilege	1424	chrome.exe
Token: SeCreatePagefilePrivilege	1424	chrome.exe
Token: SeShutdownPrivilege	1424	chrome.exe
Token: SeCreatePagefilePrivilege	1424	chrome.exe
Token: SeShutdownPrivilege	1424	chrome.exe
Token: SeCreatePagefilePrivilege	1424	chrome.exe
Token: SeShutdownPrivilege	1424	chrome.exe
Token: SeCreatePagefilePrivilege	1424	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exeAvoid.exetaskmgr.exe

pid	process
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
2304	Avoid.exe
5128	taskmgr.exe
5128	taskmgr.exe
5128	taskmgr.exe
5128	taskmgr.exe
5128	taskmgr.exe
5128	taskmgr.exe
5128	taskmgr.exe
5128	taskmgr.exe
5128	taskmgr.exe
5128	taskmgr.exe
5128	taskmgr.exe
5128	taskmgr.exe
5128	taskmgr.exe
5128	taskmgr.exe
5128	taskmgr.exe
5128	taskmgr.exe
5128	taskmgr.exe
5128	taskmgr.exe
5128	taskmgr.exe
5128	taskmgr.exe
5128	taskmgr.exe

Suspicious use of SendNotifyMessage 59 IoCs

Processes:

chrome.exetaskmgr.exe

pid	process
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
1424	chrome.exe
5128	taskmgr.exe
5128	taskmgr.exe
5128	taskmgr.exe
5128	taskmgr.exe
5128	taskmgr.exe
5128	taskmgr.exe
5128	taskmgr.exe
5128	taskmgr.exe
5128	taskmgr.exe
5128	taskmgr.exe
5128	taskmgr.exe
5128	taskmgr.exe
5128	taskmgr.exe
5128	taskmgr.exe
5128	taskmgr.exe
5128	taskmgr.exe
5128	taskmgr.exe
5128	taskmgr.exe
5128	taskmgr.exe
5128	taskmgr.exe
5128	taskmgr.exe
5128	taskmgr.exe
5128	taskmgr.exe
5128	taskmgr.exe
5128	taskmgr.exe
5128	taskmgr.exe
5128	taskmgr.exe
5128	taskmgr.exe
5128	taskmgr.exe
5128	taskmgr.exe
5128	taskmgr.exe
5128	taskmgr.exe
5128	taskmgr.exe
5128	taskmgr.exe
5128	taskmgr.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

!WannaDecryptor!.exe

pid process

4532 !WannaDecryptor!.exe
4532 !WannaDecryptor!.exe

pid	process
4532	!WannaDecryptor!.exe
4532	!WannaDecryptor!.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 1424 wrote to memory of 2916	1424	chrome.exe	chrome.exe
PID 1424 wrote to memory of 2916	1424	chrome.exe	chrome.exe
PID 1424 wrote to memory of 5052	1424	chrome.exe	chrome.exe
PID 1424 wrote to memory of 5052	1424	chrome.exe	chrome.exe
PID 1424 wrote to memory of 5052	1424	chrome.exe	chrome.exe
PID 1424 wrote to memory of 5052	1424	chrome.exe	chrome.exe
PID 1424 wrote to memory of 5052	1424	chrome.exe	chrome.exe
PID 1424 wrote to memory of 5052	1424	chrome.exe	chrome.exe
PID 1424 wrote to memory of 5052	1424	chrome.exe	chrome.exe
PID 1424 wrote to memory of 5052	1424	chrome.exe	chrome.exe
PID 1424 wrote to memory of 5052	1424	chrome.exe	chrome.exe
PID 1424 wrote to memory of 5052	1424	chrome.exe	chrome.exe
PID 1424 wrote to memory of 5052	1424	chrome.exe	chrome.exe
PID 1424 wrote to memory of 5052	1424	chrome.exe	chrome.exe
PID 1424 wrote to memory of 5052	1424	chrome.exe	chrome.exe
PID 1424 wrote to memory of 5052	1424	chrome.exe	chrome.exe
PID 1424 wrote to memory of 5052	1424	chrome.exe	chrome.exe
PID 1424 wrote to memory of 5052	1424	chrome.exe	chrome.exe
PID 1424 wrote to memory of 5052	1424	chrome.exe	chrome.exe
PID 1424 wrote to memory of 5052	1424	chrome.exe	chrome.exe
PID 1424 wrote to memory of 5052	1424	chrome.exe	chrome.exe
PID 1424 wrote to memory of 5052	1424	chrome.exe	chrome.exe
PID 1424 wrote to memory of 5052	1424	chrome.exe	chrome.exe
PID 1424 wrote to memory of 5052	1424	chrome.exe	chrome.exe
PID 1424 wrote to memory of 5052	1424	chrome.exe	chrome.exe
PID 1424 wrote to memory of 5052	1424	chrome.exe	chrome.exe
PID 1424 wrote to memory of 5052	1424	chrome.exe	chrome.exe
PID 1424 wrote to memory of 5052	1424	chrome.exe	chrome.exe
PID 1424 wrote to memory of 5052	1424	chrome.exe	chrome.exe
PID 1424 wrote to memory of 5052	1424	chrome.exe	chrome.exe
PID 1424 wrote to memory of 5052	1424	chrome.exe	chrome.exe
PID 1424 wrote to memory of 5052	1424	chrome.exe	chrome.exe
PID 1424 wrote to memory of 5052	1424	chrome.exe	chrome.exe
PID 1424 wrote to memory of 5052	1424	chrome.exe	chrome.exe
PID 1424 wrote to memory of 5052	1424	chrome.exe	chrome.exe
PID 1424 wrote to memory of 5052	1424	chrome.exe	chrome.exe
PID 1424 wrote to memory of 5052	1424	chrome.exe	chrome.exe
PID 1424 wrote to memory of 5052	1424	chrome.exe	chrome.exe
PID 1424 wrote to memory of 5052	1424	chrome.exe	chrome.exe
PID 1424 wrote to memory of 5052	1424	chrome.exe	chrome.exe
PID 1424 wrote to memory of 3840	1424	chrome.exe	chrome.exe
PID 1424 wrote to memory of 3840	1424	chrome.exe	chrome.exe
PID 1424 wrote to memory of 1972	1424	chrome.exe	chrome.exe
PID 1424 wrote to memory of 1972	1424	chrome.exe	chrome.exe
PID 1424 wrote to memory of 1972	1424	chrome.exe	chrome.exe
PID 1424 wrote to memory of 1972	1424	chrome.exe	chrome.exe
PID 1424 wrote to memory of 1972	1424	chrome.exe	chrome.exe
PID 1424 wrote to memory of 1972	1424	chrome.exe	chrome.exe
PID 1424 wrote to memory of 1972	1424	chrome.exe	chrome.exe
PID 1424 wrote to memory of 1972	1424	chrome.exe	chrome.exe
PID 1424 wrote to memory of 1972	1424	chrome.exe	chrome.exe
PID 1424 wrote to memory of 1972	1424	chrome.exe	chrome.exe
PID 1424 wrote to memory of 1972	1424	chrome.exe	chrome.exe
PID 1424 wrote to memory of 1972	1424	chrome.exe	chrome.exe
PID 1424 wrote to memory of 1972	1424	chrome.exe	chrome.exe
PID 1424 wrote to memory of 1972	1424	chrome.exe	chrome.exe
PID 1424 wrote to memory of 1972	1424	chrome.exe	chrome.exe
PID 1424 wrote to memory of 1972	1424	chrome.exe	chrome.exe
PID 1424 wrote to memory of 1972	1424	chrome.exe	chrome.exe
PID 1424 wrote to memory of 1972	1424	chrome.exe	chrome.exe
PID 1424 wrote to memory of 1972	1424	chrome.exe	chrome.exe
PID 1424 wrote to memory of 1972	1424	chrome.exe	chrome.exe
PID 1424 wrote to memory of 1972	1424	chrome.exe	chrome.exe
PID 1424 wrote to memory of 1972	1424	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/tree/master/Joke
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1424

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa45ee9758,0x7ffa45ee9768,0x7ffa45ee9778
2⤵
PID:2916

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1660 --field-trial-handle=1908,i,17109800423379824039,5005645298884922797,131072 /prefetch:2
2⤵
PID:5052

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 --field-trial-handle=1908,i,17109800423379824039,5005645298884922797,131072 /prefetch:8
2⤵
PID:3840

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2220 --field-trial-handle=1908,i,17109800423379824039,5005645298884922797,131072 /prefetch:8
2⤵
PID:1972

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3196 --field-trial-handle=1908,i,17109800423379824039,5005645298884922797,131072 /prefetch:1
2⤵
PID:832

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3320 --field-trial-handle=1908,i,17109800423379824039,5005645298884922797,131072 /prefetch:1
2⤵
PID:2240

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5384 --field-trial-handle=1908,i,17109800423379824039,5005645298884922797,131072 /prefetch:8
2⤵
PID:1732

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4928 --field-trial-handle=1908,i,17109800423379824039,5005645298884922797,131072 /prefetch:8
2⤵
PID:1084

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5028 --field-trial-handle=1908,i,17109800423379824039,5005645298884922797,131072 /prefetch:8
2⤵
PID:2264

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4776 --field-trial-handle=1908,i,17109800423379824039,5005645298884922797,131072 /prefetch:8
2⤵
PID:2204

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5616 --field-trial-handle=1908,i,17109800423379824039,5005645298884922797,131072 /prefetch:8
2⤵
PID:4784

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5852 --field-trial-handle=1908,i,17109800423379824039,5005645298884922797,131072 /prefetch:8
2⤵
PID:576

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5884 --field-trial-handle=1908,i,17109800423379824039,5005645298884922797,131072 /prefetch:8
2⤵
PID:2228

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6112 --field-trial-handle=1908,i,17109800423379824039,5005645298884922797,131072 /prefetch:8
2⤵
PID:2564

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6084 --field-trial-handle=1908,i,17109800423379824039,5005645298884922797,131072 /prefetch:8
2⤵
PID:3664

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5828 --field-trial-handle=1908,i,17109800423379824039,5005645298884922797,131072 /prefetch:8
2⤵
PID:2516

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5984 --field-trial-handle=1908,i,17109800423379824039,5005645298884922797,131072 /prefetch:8
2⤵
PID:2648

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6020 --field-trial-handle=1908,i,17109800423379824039,5005645298884922797,131072 /prefetch:8
2⤵
PID:2060

C:\Users\Admin\Downloads\CookieClickerHack.exe
"C:\Users\Admin\Downloads\CookieClickerHack.exe"
2⤵
- Executes dropped EXE
PID:4748

C:\Users\Admin\Downloads\Avoid.exe
"C:\Users\Admin\Downloads\Avoid.exe"
2⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
PID:2304

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3452 --field-trial-handle=1908,i,17109800423379824039,5005645298884922797,131072 /prefetch:8
2⤵
PID:5744

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4712 --field-trial-handle=1908,i,17109800423379824039,5005645298884922797,131072 /prefetch:8
2⤵
PID:5752

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2696 --field-trial-handle=1908,i,17109800423379824039,5005645298884922797,131072 /prefetch:8
2⤵
PID:5848

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4940 --field-trial-handle=1908,i,17109800423379824039,5005645298884922797,131072 /prefetch:8
2⤵
PID:5940

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2380 --field-trial-handle=1908,i,17109800423379824039,5005645298884922797,131072 /prefetch:8
2⤵
PID:5948

C:\Users\Admin\Downloads\GoldenEye.exe
"C:\Users\Admin\Downloads\GoldenEye.exe"
2⤵
- Executes dropped EXE
PID:6072

C:\Users\Admin\AppData\Roaming\{d1e550e9-cf68-4fcf-8d9d-72b166f7c66a}\WPDShextAutoplay.exe
"C:\Users\Admin\AppData\Roaming\{d1e550e9-cf68-4fcf-8d9d-72b166f7c66a}\WPDShextAutoplay.exe"
3⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:5268

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1812 --field-trial-handle=1908,i,17109800423379824039,5005645298884922797,131072 /prefetch:8
2⤵
PID:5312

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4924 --field-trial-handle=1908,i,17109800423379824039,5005645298884922797,131072 /prefetch:8
2⤵
PID:5296

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5200 --field-trial-handle=1908,i,17109800423379824039,5005645298884922797,131072 /prefetch:8
2⤵
PID:5496

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3748 --field-trial-handle=1908,i,17109800423379824039,5005645298884922797,131072 /prefetch:8
2⤵
PID:5508

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=948 --field-trial-handle=1908,i,17109800423379824039,5005645298884922797,131072 /prefetch:8
2⤵
PID:5520

C:\Users\Admin\Downloads\WannaCry.exe
"C:\Users\Admin\Downloads\WannaCry.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
PID:5284

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 248591719596758.bat
3⤵
PID:5624

C:\Windows\SysWOW64\cscript.exe
cscript //nologo c.vbs
4⤵
PID:4868

C:\Users\Admin\Downloads\!WannaDecryptor!.exe
!WannaDecryptor!.exe f
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4532

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im MSExchange*
3⤵
- Kills process with taskkill
PID:4984

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Microsoft.Exchange.*
3⤵
- Kills process with taskkill
PID:5272

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im sqlserver.exe
3⤵
- Kills process with taskkill
PID:2844

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im sqlwriter.exe
3⤵
- Kills process with taskkill
PID:6104

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5984 --field-trial-handle=1908,i,17109800423379824039,5005645298884922797,131072 /prefetch:8
2⤵
PID:5612

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3980 --field-trial-handle=1908,i,17109800423379824039,5005645298884922797,131072 /prefetch:8
2⤵
PID:5396

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5600 --field-trial-handle=1908,i,17109800423379824039,5005645298884922797,131072 /prefetch:8
2⤵
PID:3476

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2324 --field-trial-handle=1908,i,17109800423379824039,5005645298884922797,131072 /prefetch:8
2⤵
PID:3592

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5052 --field-trial-handle=1908,i,17109800423379824039,5005645298884922797,131072 /prefetch:8
2⤵
PID:5716

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5480 --field-trial-handle=1908,i,17109800423379824039,5005645298884922797,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5436

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5680 --field-trial-handle=1908,i,17109800423379824039,5005645298884922797,131072 /prefetch:8
2⤵
PID:6036

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1812 --field-trial-handle=1908,i,17109800423379824039,5005645298884922797,131072 /prefetch:8
2⤵
PID:6040

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3732 --field-trial-handle=1908,i,17109800423379824039,5005645298884922797,131072 /prefetch:8
2⤵
PID:6000

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2380 --field-trial-handle=1908,i,17109800423379824039,5005645298884922797,131072 /prefetch:8
2⤵
PID:5940

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5856 --field-trial-handle=1908,i,17109800423379824039,5005645298884922797,131072 /prefetch:8
2⤵
PID:5864

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2380 --field-trial-handle=1908,i,17109800423379824039,5005645298884922797,131072 /prefetch:8
2⤵
PID:4672

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5952 --field-trial-handle=1908,i,17109800423379824039,5005645298884922797,131072 /prefetch:8
2⤵
PID:5924

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5856 --field-trial-handle=1908,i,17109800423379824039,5005645298884922797,131072 /prefetch:8
2⤵
PID:4900

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3872 --field-trial-handle=1908,i,17109800423379824039,5005645298884922797,131072 /prefetch:8
2⤵
PID:6044

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4704 --field-trial-handle=1908,i,17109800423379824039,5005645298884922797,131072 /prefetch:8
2⤵
PID:5896

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5856 --field-trial-handle=1908,i,17109800423379824039,5005645298884922797,131072 /prefetch:8
2⤵
PID:5848

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5880 --field-trial-handle=1908,i,17109800423379824039,5005645298884922797,131072 /prefetch:8
2⤵
PID:6048

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5988 --field-trial-handle=1908,i,17109800423379824039,5005645298884922797,131072 /prefetch:8
2⤵
PID:4612

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3880 --field-trial-handle=1908,i,17109800423379824039,5005645298884922797,131072 /prefetch:8
2⤵
PID:6064

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5880 --field-trial-handle=1908,i,17109800423379824039,5005645298884922797,131072 /prefetch:8
2⤵
PID:4928

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2380 --field-trial-handle=1908,i,17109800423379824039,5005645298884922797,131072 /prefetch:8
2⤵
PID:3792

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3532

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1332 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:8
1⤵
PID:4868

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5128

C:\Windows\system32\verclsid.exe
"C:\Windows\system32\verclsid.exe" /S /C {289AF617-1CC3-42A6-926C-E6A863F0E3BA} /I {ADD8BA80-002B-11D0-8F0F-00C04FD7D062} /X 0x401
1⤵
PID:5996

C:\Windows\system32\verclsid.exe
"C:\Windows\system32\verclsid.exe" /S /C {35786D3C-B075-49B9-88DD-029876E11C01} /I {ADD8BA80-002B-11D0-8F0F-00C04FD7D062} /X 0x401
1⤵
PID:5872

C:\Windows\system32\verclsid.exe
"C:\Windows\system32\verclsid.exe" /S /C {B155BDF8-02F0-451E-9A26-AE317CFD7779} /I {ADD8BA80-002B-11D0-8F0F-00C04FD7D062} /X 0x401
1⤵
PID:5956

C:\Windows\system32\verclsid.exe
"C:\Windows\system32\verclsid.exe" /S /C {088E3905-0323-4B02-9826-5D99428E115F} /I {000214E6-0000-0000-C000-000000000046} /X 0x401
1⤵
PID:5972

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
2KB

MD5
f4458fec945e22d35206d07a8c6c7255

SHA1
e0f007fef7006c9c05cba4482c2db0db5ee73ee6

SHA256
4bb310195f65c8e73c1f3178c6d08d967099f58913e25b9bf1852e3b542b70ad

SHA512
15ad2658279661b3fcaf52b0f7efe856514de8604a2311f27928365ae94cae85486588141b629c4f8bcfdbe744d9543ff0cbcafc6811003475becb39b599cb81

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
857b2926e78a6aafc923703025872783

SHA1
f0bff7ae0fdd5c57ff5a813f593b72ede88979e0

SHA256
59f6a1a8f6561ff7d1ff69bf5cdc0b615c3bf67700767634e5cd0065bad04abe

SHA512
28480e2dfd5c236542940410556d5bf4f4a603127c1f54221441a0207a107a1e696e489bcbb727d71b4e55b04b0f7cd2036628a5bd6aabe5cacab00db7d41ab6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
986B

MD5
5047587818a14c4ba6ab259d83feb6ad

SHA1
f9ff955d5fb437a964fcbe3ea746e3c0fc770ca8

SHA256
4d9be2ebd72c359f0621935d7a8fd3812d220779536472a3fa4b407643e29b40

SHA512
4eb9ca1052c9bf2a402a44346b6f74079a4d4187d7dbe9c65dbfc69ca3ddc668e61a20b4a875c4a93b1f44f01bec7aa38314f11aacccd3b64bfd03e2a369ab0c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
986B

MD5
d7e02f0e8647e1137b22fa4accdd8a42

SHA1
cc000fa83f7a7f58a2d334b482762208ddf1e6ea

SHA256
496f920359f40b0831888f75a8f20dd75268a9951a1e8effeed454b60d28a38c

SHA512
4dd93db0ca01f3f6351b17dc1b334643d0b01a2f5f2fc7c40066841786f94510f53cba2b97e3113584f2c8ba9dd5424a9c22bd1d0fd7d0932aa57eba34dcc14f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
2b35e76148b0d795c013a1595d9d0074

SHA1
269b1b911083cc21f1c43615f502495bce3aebdb

SHA256
83a919509c73a3068bfc88121d557159199729f5b53e0e180046150f228fc5fa

SHA512
2759b5fca8ea888767aa3b4aa989419a7e9cab518e018ec3afec09a61867ca681bd4cd052198ad707aa75fa7cb49575dbd2f6d9fe09eb49fb9d511dc55ffd679

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
3ce3fa61b4cc664eb52dd3d07ade1272

SHA1
a01a2ab2cce454e3548d457fba3ba1a53dc80282

SHA256
2bddf3b727a8f65a4cd8d0766119570d0522f0697328b281f1b4b6edcf7ea8e2

SHA512
94fd7ab02e61c5a443bdc067085db62831d43b4460042fd40043e0a3da9d0ad6ce0bf78c1dc22ddb4f6682a950416172c11fbe510e022e77cd17e69bc2b2c163

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
edcb53b85baceee5e32fd34e8bb21dfd

SHA1
c6bbb3b233d32561c6f93dc8e0b94b480aec8920

SHA256
44eb18c1a3ac8c38b616f65158de9b29e8acc09fa4b9c19d1d9f029c845393f9

SHA512
7d0194ad77855190b856bd7f1751992bfc07f6cc912bf393a13a4de5c61f4ec0d7e578595533c8bc8cee144ec2f19c11a98561cbfffe49b5dd6b5bb1ad953ac9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
9d2814a04e99d4aa0ab937d99c2f7e6d

SHA1
a7be6fe4acbce41a07bd10c0735c6ff83a4e26cc

SHA256
fccba55b38ded1814b7383cdcd6a9789e42f383395f7f701b2c3013e57795f38

SHA512
c005fe3f1e8fc26fb4c912a5877751fa3cdd8f13500c555606bb093f00a7ca36a8da60c3c181a94d1a751180e1bb424e5e98582ddd03ee8498c14cca716a3870

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
093d671d8b844851db51fb5aaf04480d

SHA1
bbb3deb97ad4885de5408370022b2cfc8b717050

SHA256
313f0573dabd6be415a692ddd28f41ed964980f3dbed8d0b8ca423307c5126af

SHA512
7b2f806040b449f369a238df3c6d22cfaec10612afbead681e8f5c93983cc4afe775d1b21fe275c01a4cfb92be3eef154db518f0c3e2d280621eb94fdbaefc36

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
6049401806122c081797bd98400bb3ea

SHA1
58ca38cbcb5438a5ac73a52a52991f38f68b8fff

SHA256
80286f44868203da8246ca2ffaf50030408cc3f4e108e1724bf5ca3e87b61aa1

SHA512
bdb977559cbe1d9ba34ab38155a5e0608fe17b64b7bdf3a1c5185ecd69cd99ea342b974a764ef49231f94bf6cb44411717c784c56c440bdae4a39dadf74ba367

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
8439d2d5f14913cfe171ceaa1de95cdd

SHA1
5a947b640a4cdc1f151963355edbb3aa5d171127

SHA256
3f57059ebed3524be14ff0bb7e60e180f1a69a8fe26ecf04c271f976ec1d06b4

SHA512
987bf4f54c0c1e200a9bc825ad4b09f8133572b3d460c07f0cf4ddd482c1962cf097907d80ae16c9ea1771d200dbb79fcee5a34a362e7b0e4df6ba060378edef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
295dd01eea954e6445f0851fa9475a10

SHA1
292ef618eca4236fe2d9cd264178fbcb7c704aa2

SHA256
3b8aaa772534011b49c9e07c57dbeab6e882627a119474bbae4889a436b4e06c

SHA512
d891bb968e1e9c21c9a30ad0f3ca9ed516f42991f68acdcde4f2fde3e2da442b38d008bd264034e3082cd554ab06210f6146b38611d18481471708c904972f94

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
ebb236806eec9c67906c47f89bd09182

SHA1
3e169f77adae9beedbbef06ae44a807fd7cd5667

SHA256
aaee58b8e52629fc02b7d16d784bbbd8269f203f26d3d7d2eca5aec399fa6d1c

SHA512
ce922c72becfb720a9ee5a300c68135ed107fe96db5b81a9da6a51ad5dc1391e75182ed1796a0a9730d4ba959a5545311321b0f493c31c6247ef2f16fb756a9e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
b3d9159f8a2d9a54fdc4262b5fc19642

SHA1
795906a1b666aac3099ca343c0158883e1c4cce7

SHA256
00e57a264d3b28c6521730f3e32d8336963bac0abf41b02985fb6110e3145d5f

SHA512
1e429b00e2f9d8c937025ec9c3bb2f57915d1dede3f0ea32a98ef2a6328d473d70567509b393d41dd3d2965d22a6fdae17d1c74931bb91b96a86c29d71958330

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
dc6fe376d6054e8f2569de7f508490b8

SHA1
cad941445a9bb201ede79d38c877ecc07b0a37b6

SHA256
18da978f39bf8374b6142578931227783da752c4ee95fe57788e8b1987636b50

SHA512
4e12b3e94c7f1140b308a161a5f419c0103669ac506844e4d1beb9351437398f047f17fe70ed7723c70bbcd139642a552997de5df17c86431f276f804fd2ad52

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
efc1521fff5221af3c6a72c3242d0690

SHA1
281b1aa37a13fc22e7f336c06cff21840ddc2489

SHA256
c6664ed9d9f77e88ee93b13228a2f131e407c585693af6938c8cb35fee8a170d

SHA512
8f22d743f08419627553c32caa4e278eb784e7028745b9e08e8e37b06316f3594bb21d2acfed68b525391650ffac14da98ce9470ad4a52ee9b9f4b642c9b946f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
4370622c542730b3e89239c247201bee

SHA1
96de74208f4554088af5884e450fbccb2452d839

SHA256
2668cb74d165f7f3e271ee0f6eb500217c14f742be99745b4d221ce41ac36739

SHA512
a1dc4249cfd440cb14c65d95455846cf19811449a876acb37539465eb6e0c6b8c5d49dd975ea9c3109794665578dca4384352127961c482fdd681610a718a425

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
2de68f2093680397afd03abcf76b0f29

SHA1
e4b6f8214c650c768b18cdfb49bbf1d8d6c00e41

SHA256
440cdd379902359baeebab976f6e8c1f2bb3c61842194927bb1bdec312c15367

SHA512
bcbc43d9ff17390881b547abbe70a6148fd02664ccaf4e0ab736c261e46d8fb57793f57859b0e5bad7e62026aeca7702199e1d6745616f068f22d88ed7c75a86

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
49e81840063a86d8d2671c2a22a76682

SHA1
07afb11fc259b8c3debf414ba9dfd55c844cfc7e

SHA256
feca62f5b760d92c97a62cc122961b7760f85a6892228e32a9e65070f7ea6b48

SHA512
f6fbbe83f001e8e597b5e92b27e2b088bfda8ce91731f163d329028e9df4be850741c3988540e7efe7a8ab0753012cfcb2ce41a8119a8fd7446945680b420ff9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
128KB

MD5
5a1fd025f8a387d7e5c8fe9c4a2cb10e

SHA1
4fe14909bab9c563b18df786896a3c990520f882

SHA256
25f89213c84d6916201bc7a8266424640965a4e3a6a019e1d611bfadca47aa5b

SHA512
521425198cb6b085e8cf22d7de3cedec845490a4a4fc06e8c6483c4e38c66e97bc5afaaa2c2e9187d401e7f5faeaaac506bafaf16fc579247a00da899473d470

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\Downloads\!Please Read Me!.txt
Filesize
797B

MD5
afa18cf4aa2660392111763fb93a8c3d

SHA1
c219a3654a5f41ce535a09f2a188a464c3f5baf5

SHA256
227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0

SHA512
4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b

Download Submit
C:\Users\Admin\Downloads\!WannaDecryptor!.exe.lnk
Filesize
590B

MD5
c8ddedaab144ba735267a97ce42983e8

SHA1
a9f49e307688316e1085c6c4b27d33a25f510e65

SHA256
c9515ba4a8534bfda7122aaeae3ab5c1ad69970179b94282e21f2c80b9f55e49

SHA512
acaa2d3527498f6fc80eb2a3b720539ebead034d430735d9f69916721970ab0874af47134f1ed945083cff0316563d0037a23063d014fa3d3423a0c9af9094e3

Download Submit
C:\Users\Admin\Downloads\00000000.res
Filesize
136B

MD5
fa0bf24790b54d1c116560f36a2902ff

SHA1
c735b197381e80e5df69e712ed4980a18e07365d

SHA256
35e665ae3c3794ec27504e1e48552e936714fcc01e5bfd505146230eb5d7fc88

SHA512
768417d46bf1e2dbaeb5cc3f258867ace3a3ba034b81ed209697eaf09913375279f55260c36bee999ff831de05f0300a157aee4d4888f06e8e15abc90df5b787

Download Submit
C:\Users\Admin\Downloads\248591719596758.bat
Filesize
318B

MD5
a261428b490a45438c0d55781a9c6e75

SHA1
e9eefce11cefcbb7e5168bfb8de8a3c3ac45c41e

SHA256
4288d655b7de7537d7ea13fdeb1ba19760bcaf04384cd68619d9e5edb5e31f44

SHA512
304887938520ffcc6966da83596ccc8688b7eace9572982c224f3fb9c59e6fb2dcaa021a19d2aae47346e954c0d0d8145c723b7143dece11ac7261dc41ba3d40

Download Submit
C:\Users\Admin\Downloads\Avoid.exe
Filesize
248KB

MD5
20d2c71d6d9daf4499ffc4a5d164f1c3

SHA1
38e5dcd93f25386d05a34a5b26d3fba1bf02f7c8

SHA256
3ac8cc58dcbceaec3dab046aea050357e0e2248d30b0804c738c9a5b037c220d

SHA512
8ffd56fb3538eb60da2dde9e3d6eee0dac8419c61532e9127f47c4351b6e53e01143af92b2e26b521e23cdbbf15d7a358d3757431e572e37a1eede57c7d39704

Download Submit
C:\Users\Admin\Downloads\CookieClickerHack.exe
Filesize
68KB

MD5
bc1e7d033a999c4fd006109c24599f4d

SHA1
b927f0fc4a4232a023312198b33272e1a6d79cec

SHA256
13adae722719839af8102f98730f3af1c5a56b58069bfce8995acd2123628401

SHA512
f5d9b8c1fd9239894ec9c075542bff0bcef79871f31038e627ae257b8c1db9070f4d124448a78e60ccc8bc12f138102a54825e9d7647cd34832984c7c24a6276

Download Submit
C:\Users\Admin\Downloads\GoldenEye.exe
Filesize
254KB

MD5
e3b7d39be5e821b59636d0fe7c2944cc

SHA1
00479a97e415e9b6a5dfb5d04f5d9244bc8fbe88

SHA256
389a7d395492c2da6f8abf5a8a7c49c3482f7844f77fe681808c71e961bcae97

SHA512
8f977c60658063051968049245512b6aea68dd89005d0eefde26e4b2757210e9e95aabcef9aee173f57614b52cfbac924d36516b7bc7d3a5cc67daae4dee3ad5

Download Submit
C:\Users\Admin\Downloads\SporaRansomware.exe
Filesize
24KB

MD5
4a4a6d26e6c8a7df0779b00a42240e7b

SHA1
8072bada086040e07fa46ce8c12bf7c453c0e286

SHA256
7ad9ed23a91643b517e82ad5740d24eca16bcae21cfe1c0da78ee80e0d1d3f02

SHA512
c7a7b15d8dbf8e8f8346a4dab083bb03565050281683820319906da4d23b97b39e88f841b30fc8bd690c179a8a54870238506ca60c0f533d34ac11850cdc1a95

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 601801.crdownload
Filesize
3.4MB

MD5
84c82835a5d21bbcf75a61706d8ab549

SHA1
5ff465afaabcbf0150d1a3ab2c2e74f3a4426467

SHA256
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

SHA512
90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244

Download Submit
C:\Users\Admin\Downloads\WannaCry.exe
Filesize
224KB

MD5
5c7fb0927db37372da25f270708103a2

SHA1
120ed9279d85cbfa56e5b7779ffa7162074f7a29

SHA256
be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844

SHA512
a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f89224c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206

Download Submit
C:\Users\Admin\Downloads\c.vbs
Filesize
201B

MD5
02b937ceef5da308c5689fcdb3fb12e9

SHA1
fa5490ea513c1b0ee01038c18cb641a51f459507

SHA256
5d57b86aeb52be824875008a6444daf919717408ec45aff4640b5e64610666f1

SHA512
843eeae13ac5fdc216b14e40534543c283ecb2b6c31503aba2d25ddd215df19105892e43cf618848742de9c13687d21e8c834eff3f2b69a26df2509a6f992653

Download Submit
C:\Users\Admin\Downloads\c.wry
Filesize
628B

MD5
5a0cfdbe26b85ac9266335b115e7be22

SHA1
6ce2ccc5b1306feb162d070c59a7a738122c948d

SHA256
e3bab0a08cfa23c1f215d93beba0427c32e307c9099370dc3852ec72127f32b5

SHA512
43f0f03d1f4fedc2b3f0b2d2f682b4b7c56d3bf2d0c63106d78d3446243faebc3aabd228422dcdd83ccf8323c54003c9f065d44747ad58c7d47387ef52f88b07

Download Submit
C:\Users\Admin\Downloads\u.wry
Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
\??\pipe\crashpad_1424_KDPRSZZLCZTBPZSD
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2304-294-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/2304-291-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download
memory/2304-323-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download
memory/4748-252-0x000000001BB10000-0x000000001BBB6000-memory.dmp

Filesize
664KB

Download
memory/4748-255-0x000000001C570000-0x000000001C578000-memory.dmp

Filesize
32KB

Download
memory/4748-321-0x00007FFA33890000-0x00007FFA34231000-memory.dmp

Filesize
9.6MB

Download
memory/4748-249-0x00007FFA33B45000-0x00007FFA33B46000-memory.dmp

Filesize
4KB

Download
memory/4748-250-0x00007FFA33890000-0x00007FFA34231000-memory.dmp

Filesize
9.6MB

Download
memory/4748-251-0x00007FFA33890000-0x00007FFA34231000-memory.dmp

Filesize
9.6MB

Download
memory/4748-253-0x000000001C0A0000-0x000000001C56E000-memory.dmp

Filesize
4.8MB

Download
memory/4748-254-0x000000001C6D0000-0x000000001C76C000-memory.dmp

Filesize
624KB

Download
memory/4748-256-0x000000001C830000-0x000000001C87C000-memory.dmp

Filesize
304KB

Download
memory/4748-257-0x00007FFA33890000-0x00007FFA34231000-memory.dmp

Filesize
9.6MB

Download
memory/4748-292-0x00007FFA33B45000-0x00007FFA33B46000-memory.dmp

Filesize
4KB

Download
memory/4748-293-0x00007FFA33890000-0x00007FFA34231000-memory.dmp

Filesize
9.6MB

Download
memory/4748-295-0x00007FFA33890000-0x00007FFA34231000-memory.dmp

Filesize
9.6MB

Download
memory/4748-297-0x00007FFA33890000-0x00007FFA34231000-memory.dmp

Filesize
9.6MB

Download
memory/5128-298-0x000001FFF08E0000-0x000001FFF08E1000-memory.dmp

Filesize
4KB

Download
memory/5128-300-0x000001FFF08E0000-0x000001FFF08E1000-memory.dmp

Filesize
4KB

Download
memory/5128-299-0x000001FFF08E0000-0x000001FFF08E1000-memory.dmp

Filesize
4KB

Download
memory/5128-310-0x000001FFF08E0000-0x000001FFF08E1000-memory.dmp

Filesize
4KB

Download
memory/5128-304-0x000001FFF08E0000-0x000001FFF08E1000-memory.dmp

Filesize
4KB

Download
memory/5128-309-0x000001FFF08E0000-0x000001FFF08E1000-memory.dmp

Filesize
4KB

Download
memory/5128-308-0x000001FFF08E0000-0x000001FFF08E1000-memory.dmp

Filesize
4KB

Download
memory/5128-307-0x000001FFF08E0000-0x000001FFF08E1000-memory.dmp

Filesize
4KB

Download
memory/5128-306-0x000001FFF08E0000-0x000001FFF08E1000-memory.dmp

Filesize
4KB

Download
memory/5128-305-0x000001FFF08E0000-0x000001FFF08E1000-memory.dmp

Filesize
4KB

Download
memory/5284-441-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download