wannacry | hxxps://github[.]com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/WannaCry[.]exe

Analysis

max time kernel
202s
max time network
179s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
28-05-2023 03:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/WannaCry.exe

Score

10^/10

wannacry persistence ransomware worm

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\!Please Read Me!.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions! �

Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Downloads MZ/PE file

Modifies extensions of user files 9 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

WannaCry.exe

description	ioc	process
File created	C:\Users\Admin\Pictures\ResumeFind.raw.WCRYT	WannaCry.exe
File renamed	C:\Users\Admin\Pictures\ResumeFind.raw.WCRYT => C:\Users\Admin\Pictures\ResumeFind.raw.WCRY	WannaCry.exe
File opened for modification	C:\Users\Admin\Pictures\JoinWait.png.WCRY	WannaCry.exe
File created	C:\Users\Admin\Pictures\PingMove.raw.WCRYT	WannaCry.exe
File renamed	C:\Users\Admin\Pictures\PingMove.raw.WCRYT => C:\Users\Admin\Pictures\PingMove.raw.WCRY	WannaCry.exe
File opened for modification	C:\Users\Admin\Pictures\PingMove.raw.WCRY	WannaCry.exe
File created	C:\Users\Admin\Pictures\JoinWait.png.WCRYT	WannaCry.exe
File renamed	C:\Users\Admin\Pictures\JoinWait.png.WCRYT => C:\Users\Admin\Pictures\JoinWait.png.WCRY	WannaCry.exe
File opened for modification	C:\Users\Admin\Pictures\ResumeFind.raw.WCRY	WannaCry.exe

Drops startup file 2 IoCs

Processes:

WannaCry.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD6429.tmp	WannaCry.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD643F.tmp	WannaCry.exe

Executes dropped EXE 4 IoCs

Processes:

!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe

pid process

1592 !WannaDecryptor!.exe
4440 !WannaDecryptor!.exe
4276 !WannaDecryptor!.exe
3732 !WannaDecryptor!.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

chrome.exeWannaCry.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Windows\CurrentVersion\Run	chrome.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\Desktop\\WannaCry.exe\" /r"	WannaCry.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

!WannaDecryptor!.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp"	!WannaDecryptor!.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

4264 vssadmin.exe
Kills process with taskkill 4 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

3740 taskkill.exe
4896 taskkill.exe
4548 taskkill.exe
4608 taskkill.exe

pid	process
4264	vssadmin.exe

pid	process
3740	taskkill.exe
4896	taskkill.exe
4548	taskkill.exe
4608	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133297257195451999"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid process

4048 chrome.exe
4048 chrome.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

!WannaDecryptor!.exe

pid process

3732 !WannaDecryptor!.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

chrome.exe

pid process

4048 chrome.exe
4048 chrome.exe

pid	process
3732	!WannaDecryptor!.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe
Token: SeShutdownPrivilege	4048	chrome.exe
Token: SeCreatePagefilePrivilege	4048	chrome.exe

Suspicious use of FindShellTrayWindow 37 IoCs

Processes:

chrome.exe

pid	process
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe

Suspicious use of SendNotifyMessage 26 IoCs

Processes:

chrome.exe

pid	process
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe
4048	chrome.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe

pid	process
1592	!WannaDecryptor!.exe
1592	!WannaDecryptor!.exe
4440	!WannaDecryptor!.exe
4440	!WannaDecryptor!.exe
4276	!WannaDecryptor!.exe
4276	!WannaDecryptor!.exe
3732	!WannaDecryptor!.exe
3732	!WannaDecryptor!.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 4048 wrote to memory of 4992	4048	chrome.exe	chrome.exe
PID 4048 wrote to memory of 4992	4048	chrome.exe	chrome.exe
PID 4048 wrote to memory of 4948	4048	chrome.exe	chrome.exe
PID 4048 wrote to memory of 4948	4048	chrome.exe	chrome.exe
PID 4048 wrote to memory of 4948	4048	chrome.exe	chrome.exe
PID 4048 wrote to memory of 4948	4048	chrome.exe	chrome.exe
PID 4048 wrote to memory of 4948	4048	chrome.exe	chrome.exe
PID 4048 wrote to memory of 4948	4048	chrome.exe	chrome.exe
PID 4048 wrote to memory of 4948	4048	chrome.exe	chrome.exe
PID 4048 wrote to memory of 4948	4048	chrome.exe	chrome.exe
PID 4048 wrote to memory of 4948	4048	chrome.exe	chrome.exe
PID 4048 wrote to memory of 4948	4048	chrome.exe	chrome.exe
PID 4048 wrote to memory of 4948	4048	chrome.exe	chrome.exe
PID 4048 wrote to memory of 4948	4048	chrome.exe	chrome.exe
PID 4048 wrote to memory of 4948	4048	chrome.exe	chrome.exe
PID 4048 wrote to memory of 4948	4048	chrome.exe	chrome.exe
PID 4048 wrote to memory of 4948	4048	chrome.exe	chrome.exe
PID 4048 wrote to memory of 4948	4048	chrome.exe	chrome.exe
PID 4048 wrote to memory of 4948	4048	chrome.exe	chrome.exe
PID 4048 wrote to memory of 4948	4048	chrome.exe	chrome.exe
PID 4048 wrote to memory of 4948	4048	chrome.exe	chrome.exe
PID 4048 wrote to memory of 4948	4048	chrome.exe	chrome.exe
PID 4048 wrote to memory of 4948	4048	chrome.exe	chrome.exe
PID 4048 wrote to memory of 4948	4048	chrome.exe	chrome.exe
PID 4048 wrote to memory of 4948	4048	chrome.exe	chrome.exe
PID 4048 wrote to memory of 4948	4048	chrome.exe	chrome.exe
PID 4048 wrote to memory of 4948	4048	chrome.exe	chrome.exe
PID 4048 wrote to memory of 4948	4048	chrome.exe	chrome.exe
PID 4048 wrote to memory of 4948	4048	chrome.exe	chrome.exe
PID 4048 wrote to memory of 4948	4048	chrome.exe	chrome.exe
PID 4048 wrote to memory of 4948	4048	chrome.exe	chrome.exe
PID 4048 wrote to memory of 4948	4048	chrome.exe	chrome.exe
PID 4048 wrote to memory of 4948	4048	chrome.exe	chrome.exe
PID 4048 wrote to memory of 4948	4048	chrome.exe	chrome.exe
PID 4048 wrote to memory of 4948	4048	chrome.exe	chrome.exe
PID 4048 wrote to memory of 4948	4048	chrome.exe	chrome.exe
PID 4048 wrote to memory of 4948	4048	chrome.exe	chrome.exe
PID 4048 wrote to memory of 4948	4048	chrome.exe	chrome.exe
PID 4048 wrote to memory of 4948	4048	chrome.exe	chrome.exe
PID 4048 wrote to memory of 4948	4048	chrome.exe	chrome.exe
PID 4048 wrote to memory of 3152	4048	chrome.exe	chrome.exe
PID 4048 wrote to memory of 3152	4048	chrome.exe	chrome.exe
PID 4048 wrote to memory of 1140	4048	chrome.exe	chrome.exe
PID 4048 wrote to memory of 1140	4048	chrome.exe	chrome.exe
PID 4048 wrote to memory of 1140	4048	chrome.exe	chrome.exe
PID 4048 wrote to memory of 1140	4048	chrome.exe	chrome.exe
PID 4048 wrote to memory of 1140	4048	chrome.exe	chrome.exe
PID 4048 wrote to memory of 1140	4048	chrome.exe	chrome.exe
PID 4048 wrote to memory of 1140	4048	chrome.exe	chrome.exe
PID 4048 wrote to memory of 1140	4048	chrome.exe	chrome.exe
PID 4048 wrote to memory of 1140	4048	chrome.exe	chrome.exe
PID 4048 wrote to memory of 1140	4048	chrome.exe	chrome.exe
PID 4048 wrote to memory of 1140	4048	chrome.exe	chrome.exe
PID 4048 wrote to memory of 1140	4048	chrome.exe	chrome.exe
PID 4048 wrote to memory of 1140	4048	chrome.exe	chrome.exe
PID 4048 wrote to memory of 1140	4048	chrome.exe	chrome.exe
PID 4048 wrote to memory of 1140	4048	chrome.exe	chrome.exe
PID 4048 wrote to memory of 1140	4048	chrome.exe	chrome.exe
PID 4048 wrote to memory of 1140	4048	chrome.exe	chrome.exe
PID 4048 wrote to memory of 1140	4048	chrome.exe	chrome.exe
PID 4048 wrote to memory of 1140	4048	chrome.exe	chrome.exe
PID 4048 wrote to memory of 1140	4048	chrome.exe	chrome.exe
PID 4048 wrote to memory of 1140	4048	chrome.exe	chrome.exe
PID 4048 wrote to memory of 1140	4048	chrome.exe	chrome.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/WannaCry.exe
1⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4048

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff97d9b9758,0x7ff97d9b9768,0x7ff97d9b9778
2⤵
PID:4992

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1352 --field-trial-handle=1888,i,17699262757630261081,4579572932574442769,131072 /prefetch:2
2⤵
PID:4948

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1716 --field-trial-handle=1888,i,17699262757630261081,4579572932574442769,131072 /prefetch:8
2⤵
PID:3152

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2108 --field-trial-handle=1888,i,17699262757630261081,4579572932574442769,131072 /prefetch:8
2⤵
PID:1140

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2972 --field-trial-handle=1888,i,17699262757630261081,4579572932574442769,131072 /prefetch:1
2⤵
PID:3020

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2964 --field-trial-handle=1888,i,17699262757630261081,4579572932574442769,131072 /prefetch:1
2⤵
PID:2548

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4968 --field-trial-handle=1888,i,17699262757630261081,4579572932574442769,131072 /prefetch:8
2⤵
PID:5048

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4944 --field-trial-handle=1888,i,17699262757630261081,4579572932574442769,131072 /prefetch:8
2⤵
PID:848

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4884 --field-trial-handle=1888,i,17699262757630261081,4579572932574442769,131072 /prefetch:8
2⤵
PID:1104

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4564 --field-trial-handle=1888,i,17699262757630261081,4579572932574442769,131072 /prefetch:8
2⤵
PID:404

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2676 --field-trial-handle=1888,i,17699262757630261081,4579572932574442769,131072 /prefetch:8
2⤵
PID:2888

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4592 --field-trial-handle=1888,i,17699262757630261081,4579572932574442769,131072 /prefetch:8
2⤵
PID:2396

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4672 --field-trial-handle=1888,i,17699262757630261081,4579572932574442769,131072 /prefetch:8
2⤵
PID:3904

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4928 --field-trial-handle=1888,i,17699262757630261081,4579572932574442769,131072 /prefetch:8
2⤵
PID:2224

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5056 --field-trial-handle=1888,i,17699262757630261081,4579572932574442769,131072 /prefetch:8
2⤵
PID:1340

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4664 --field-trial-handle=1888,i,17699262757630261081,4579572932574442769,131072 /prefetch:8
2⤵
PID:1344

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5052 --field-trial-handle=1888,i,17699262757630261081,4579572932574442769,131072 /prefetch:8
2⤵
PID:3772

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3136

C:\Users\Admin\Desktop\WannaCry.exe
"C:\Users\Admin\Desktop\WannaCry.exe"
1⤵
- Modifies extensions of user files
- Drops startup file
- Adds Run key to start application
PID:544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 215431685252176.bat
2⤵
PID:848

C:\Windows\SysWOW64\cscript.exe
cscript //nologo c.vbs
3⤵
PID:1952

C:\Users\Admin\Desktop\!WannaDecryptor!.exe
!WannaDecryptor!.exe f
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1592

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im MSExchange*
2⤵
- Kills process with taskkill
PID:3740

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Microsoft.Exchange.*
2⤵
- Kills process with taskkill
PID:4896

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im sqlwriter.exe
2⤵
- Kills process with taskkill
PID:4548

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im sqlserver.exe
2⤵
- Kills process with taskkill
PID:4608

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /b !WannaDecryptor!.exe v
2⤵
PID:1740

C:\Users\Admin\Desktop\!WannaDecryptor!.exe
!WannaDecryptor!.exe v
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4276

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
4⤵
PID:632

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows /all /quiet
5⤵
- Interacts with shadow copies
PID:4264

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
5⤵
PID:1888

C:\Users\Admin\Desktop\!WannaDecryptor!.exe
!WannaDecryptor!.exe c
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4440

C:\Users\Admin\Desktop\!WannaDecryptor!.exe
!WannaDecryptor!.exe
2⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3732

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:4268

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Inhibit System Recovery

T1490

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\!WannaDecryptor!.exe.lnk
Filesize
588B

MD5
715d6e65ca1e92f4a8a0a0c14751b295

SHA1
13dce039901ba87820d0f2e2f1e292e09f2c7f8a

SHA256
3f637ab6a29172730c0c3a411534625084bd3f549b0066728b4bf320d94e47b2

SHA512
5f5f5e591429df9b67a6471d12b25f47785d1cc717ad46d03b1584b22c241c528d63f4c88b178ed27b708a01d6d1b3e8b87924f92d3cf53e643873c87c6f2bc2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
105fe4411b38671441923790a479dc53

SHA1
0aed70e583f1722fced517bb8266f584348d454a

SHA256
852a4e201a1ea8966f0a435c2862b4c3ddd8c2a7881034fd843ac887ae085180

SHA512
c4f57156c62417cfbb4bfe7012eb36213b7300880d20e05a7117810d2fd1ee7981dcbddeeb522da4939a4112bd8d369b097b66d715fabff2a359d5a8d3100f00

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1
Filesize
264KB

MD5
a4b40e02c280136507002f6b4f6a058c

SHA1
6f2511228eae3a65655db48c355cb2db06da0b6e

SHA256
0198087a944f45a1aca7f9349f59f9b81800a68106f9f414788d4a06e6366b20

SHA512
f7b3a3fd7ba3c72d9293f4fd6c5ed5003d3f9c77f567cc6a75f87e32e0dbff16f2d5c16b5b810e4da3b22b8eb5e45fd84f7c516fcc7a45c8fcacbfa3b87bfa31

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
9b225da7e7863494e3b496a6db1cb94d

SHA1
4ed3de8c9d0c7f73828ab52d55e803c2e08a56ad

SHA256
ff46040692d7ad24248c8cea7dac1497ddf5c8f3a14bc407a38a64274cee0565

SHA512
c76e5acd877d583007f48c1a0972e7e1cba42f6fe7e7bd63aaa818d33ace8448130eddd8e831a6204aba8b7a2d5603a2afd27f531092ac100cfb15f6997e3bcd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
64072b2da05a4500e2a7dbc646fd101c

SHA1
6ef9ce761ae102c9f4d570aa3b5f924ede554a4b

SHA256
8c771177fde29f2a42ee07a150ef08f944c6a889f1907f3762a2e4e6406905b6

SHA512
6156c3eed4dbc0bc93ec7ebf105b469f98743fd020ff3a55d576f74bfb790709eae610e955e350dd6f56b1f3f7cc5e09832b7a733f38481534af7209aa9bd6fe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
09e7705d2390203b817f8f6710036772

SHA1
211cbee1164942d1216636d878302d8a46bd48f8

SHA256
3e82e8d19cba0a5abcc8a9d541e2f7d159bc7f72bb23664a08b11dcf8fd4534d

SHA512
dd565ed9a9c9f9bba43012210d056c6703bafe014cff66e55588db2b35acc2e8280963bc60ae9a714914504dd6324467c8de45b3354d026a1bee099d665b2795

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
217ea20860d400a107a85fff459aaa25

SHA1
c02f2334ef37e2b733cd7543259bb964624847a8

SHA256
28b1264ad3f755c71fcbd1bede3d168693e04dda94236514f8078341abe0ddae

SHA512
c06306d1b59183a0b5fee13c687554daeae24d51c574e4c3f5430e6abdd90103fe171ec43cae173f7f61c2c457eb9ac6bf5aaefafa0894edb6d6157a3a8118f4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
a0c95a12b83c85c1a176e6d9e0d928f8

SHA1
52e1db9518d6070d2c6fcc906a131bef422507d1

SHA256
e77056ad7fc71ecc7955829dbfccfc19781f6a04e5b9535746245df7909de242

SHA512
d66ead0b51efebeb548413df1287ee4c5309bd9e0a8c5ebf371823314543b0970a0de03b4e269ea27d2a080121cd3b8fe94402ac7cd3b73e31e44fb55339851b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
fce45172f17a406c6d0211e397c912c9

SHA1
23a2553a03e42e0c4dc3544c64d00d4bf5c73a9a

SHA256
187a7aaaeab037a2870a81babf197d041f15dd5ab0c95a361c6af2b993dcf7df

SHA512
c4979ef17c1c00b3204a0ac238c99d52c6282b15c4c17dec4d37e37b283c0ee2b5d9881425473009dded8faf87619777f7322aea8394d1bcd0a3b778a61ebb9c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
415428931ed9990506b6609379805ce5

SHA1
e88e424881856765236d8443e57449e71b84ce1c

SHA256
68493c60ea998ec834d089498eddc2097d7a51064379eed84c514d47f1bcb898

SHA512
ef59585bc99f711e7125dd532a596cc154539904e889052b5e9b3060f1d2d880802ee3596aabbf3217cf8827611e2d7c656cb9cb05a72d5c6467da83f4499949

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
155KB

MD5
7f39e59b4a73b324bf558e966ceb4606

SHA1
97d60fbe0915ac2bde9c2361c4f0d8a473cbb542

SHA256
df8a30b31fecfc5f11ea4c3a175d21f3a33bf6a5beeb551be9c56d0abe90045b

SHA512
96533bf85191dfd26d7067167598a85833a3a59efc2c180aa949962326cb54b6e1b818da882dc4a6256d1394d52af8026af11c51a7a78b3b70dd75a69c05464d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
155KB

MD5
b752185c1213a61214cc59e6751bf5db

SHA1
fc5df9b8e506e81321d60e384415abd90d87df81

SHA256
11e2c45c1a771a4708ea9679de9c48409c8bf724c1c5e82937c1b89736c45073

SHA512
0b8789353f8c2c81923259d696dbe627eaf07bdb607012c7862d26ab1135eee12cd002c53b5397267cdbfe5678f92838672d88b5455ae037ef17b680aeb53c22

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
72KB

MD5
24ca2cc544bae055ff3b478c9f3659a5

SHA1
e4f4426b7bd88693d849ab111af17437638cd355

SHA256
2d32ea9ebc126978fbeac425d6479cdf4ff45e4f2b8a570e3727202ddbc80049

SHA512
bf77d24919a09537d96f53c680adcb3b370ad2cb58a31989d702ed8330a28fd44b5b37168efbb147f6b521847397287a390a68b5d9fae5b9012f966cac1453be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\chrome_shutdown_ms.txt
Filesize
4B

MD5
99c1967abe0f4b0a1c1ab84236743055

SHA1
f35a2f968ea6a49d95935f67bc565c60db398848

SHA256
0938413871fb4817cfa0590f4344bb7fa18cdf91c1bf42fec0decfd75a602fdf

SHA512
3e3afcd47dec1b42b66bd9c62dcd78afeccdaf67b18ef23c613e9f0c80269c74c8f61f4af7fdf95eaabe39611c442393b35ba070649a0e1d8d650ca515e062f2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_32.db.WCRY
Filesize
1.0MB

MD5
2c54eaffc393709b2108073d52340079

SHA1
9aa6a1b18cf2e60ec6189d214654a9e4d33c3093

SHA256
342e0731cc34e8fee0e2c6bc3d05d99ce47b74e32eae23e617571aa45d485fb3

SHA512
8214b80555a98b747ac81e464164f025461e6f84a9b9b5346f4bf7064d76abada95faba1cd48be17033569486cf0b13df640f04cd1add48c940a51f0886b3f8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir3612_1156477845\CRX_INSTALL\page_embed_script.js.WCRY
Filesize
584B

MD5
33c2374fca18b9b7f543ad7b8584f8b9

SHA1
c7105aecec58dcf7274a16c5306057a28b434d8a

SHA256
ae4342e315ae8c7b6f6e156da1cf38ccd8f8aec342b4efa78cb8c42811fc4de1

SHA512
949153c7a00d39c92080a024d6fa2606f4bacdfaff61e8abcd810b5d9b0fe680d68194afe0fcf7ed17d33d9092f86271622a395ae1c9415071a3edb5e8609733

Download Submit
C:\Users\Admin\Desktop\!Please Read Me!.txt
Filesize
797B

MD5
afa18cf4aa2660392111763fb93a8c3d

SHA1
c219a3654a5f41ce535a09f2a188a464c3f5baf5

SHA256
227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0

SHA512
4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b

Download Submit
C:\Users\Admin\Desktop\!WannaDecryptor!.exe
Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
C:\Users\Admin\Desktop\!WannaDecryptor!.exe
Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
C:\Users\Admin\Desktop\!WannaDecryptor!.exe
Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
C:\Users\Admin\Desktop\!WannaDecryptor!.exe
Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
C:\Users\Admin\Desktop\!WannaDecryptor!.exe
Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
C:\Users\Admin\Desktop\!WannaDecryptor!.exe.lnk
Filesize
588B

MD5
715d6e65ca1e92f4a8a0a0c14751b295

SHA1
13dce039901ba87820d0f2e2f1e292e09f2c7f8a

SHA256
3f637ab6a29172730c0c3a411534625084bd3f549b0066728b4bf320d94e47b2

SHA512
5f5f5e591429df9b67a6471d12b25f47785d1cc717ad46d03b1584b22c241c528d63f4c88b178ed27b708a01d6d1b3e8b87924f92d3cf53e643873c87c6f2bc2

Download Submit
C:\Users\Admin\Desktop\00000000.res
Filesize
136B

MD5
e7c77a427ad82763dba03a5cf9bd61aa

SHA1
8c121d6e74a54aa837807ecb1f8552d28c273655

SHA256
cc906f5dc066089c3fd9066e4a07a3e59d30af491f7cdd48b85ce369c5acce5d

SHA512
81f609998d6343dd015d1812dbb016d03e59f7b363e07efa3078ab01013a559307f41ecafce14ad02bb05d707cbf29508ae939cfdd542bcd9d20f7ef7370fa67

Download Submit
C:\Users\Admin\Desktop\00000000.res
Filesize
136B

MD5
0d8601b454f5d738c7146c28cdb123a8

SHA1
4f989850d8ec72b6b675c1e70bdc6675b0361215

SHA256
9fc63dc7d0ba828e0297ccb317adb3368af5b5601fda6681e5ffb102d565da60

SHA512
ea414060fcc6f7c6b0d6a11f3094fc6a6cebd3209c5983bc69fccd0db514241ddb0b73147fa912bf0a2474239cd6cb4d56cca0a08ff7ee654aaa0b3589ca32f7

Download Submit
C:\Users\Admin\Desktop\00000000.res
Filesize
136B

MD5
5ebf2b55e7d967565692cab2bde76f7c

SHA1
b7bba5c4bb6b56f758e6569daae79f4b652a8575

SHA256
83f974a35d793911688aeb8bc475b682144e1bf462f23618af5391439b4f54f1

SHA512
83334b15048208e384add8e78284e9f2ab625263eae2bbab6145c25a263213e9d3a0ae6c62d87288fb4ada861dd3c482337e8510dbff5a4a2cbcc68b3486b8ab

Download Submit
C:\Users\Admin\Desktop\00000000.res
Filesize
136B

MD5
336024a2c51d5a1ef9126605ee4b8f0d

SHA1
2367b0ffd9e0b330c602c223a29177fe17ada590

SHA256
4369bcf338e3c20345435e6551501d017a2d09577b4a91a4f189db0c8fdaa469

SHA512
1ccb598dd5aa32087fe05a04f92163f07612ec1d84315dbe499e57168522cd1067080b798291925d201d162739d0f54d0bc94456b6ef368958b6eefce5b7b9fd

Download Submit
C:\Users\Admin\Desktop\215431685252176.bat
Filesize
314B

MD5
a112cca9dc4d4389853960a4090375ee

SHA1
a41ef3b4ca3e316d1bc4095aedf80b07ccc2d045

SHA256
16cc3752392a4575db02c89c72f0808bd7e6b37ed5c69490a248b9309907c7b3

SHA512
470af17cc72848693327b30794a6f6d00ae77693780645259b5ed02256e3b1a9dd895489eca7e6a0dd558ce40e6e18ee3c3666fe0119935e6a1ca1bcb7e0ccd0

Download Submit
C:\Users\Admin\Desktop\c.vbs
Filesize
197B

MD5
67ac56e98bdb0c90862e8472916f11ab

SHA1
f961a11be9a04743f3e053a2bf46c12b9471fd28

SHA256
6e20336f20c42fc21f30dc362dfea245333b195597a42bb7c87143283be8ea10

SHA512
24267afc873e725d2c07bf51ce5b7e40026966a94919624baeb0d605770b9e64164948f9330b7e1910a913651b58132bffc76ceb4f0f8a5cecb9a56349bbc1da

Download Submit
C:\Users\Admin\Desktop\c.wry
Filesize
628B

MD5
c7e9e25be26a8adaacd3b46495568f17

SHA1
ff18a5fac54014d1423c2c6fc0cfc41ff6375df5

SHA256
4ebda8f2bee42ae30d648d84924c3e6a672d3e99bfb7f11d54dba2d81a1ecbd1

SHA512
aded48dead9a4e76e3c51005e8934c82ecd22096c9cbee9214cbd76ef160556f917e29adafad9fd68d4c99b6a9472b6c01c2b67dec4ea2b94aec6a8506d55c94

Download Submit
C:\Users\Admin\Desktop\c.wry
Filesize
628B

MD5
c7e9e25be26a8adaacd3b46495568f17

SHA1
ff18a5fac54014d1423c2c6fc0cfc41ff6375df5

SHA256
4ebda8f2bee42ae30d648d84924c3e6a672d3e99bfb7f11d54dba2d81a1ecbd1

SHA512
aded48dead9a4e76e3c51005e8934c82ecd22096c9cbee9214cbd76ef160556f917e29adafad9fd68d4c99b6a9472b6c01c2b67dec4ea2b94aec6a8506d55c94

Download Submit
C:\Users\Admin\Desktop\f.wry
Filesize
178B

MD5
be5eb45258379a1dc5fc41d9d829ce08

SHA1
c7b4bdab1ffd8ce030c2d49ee37aa799dda53ca3

SHA256
8128fbab3d4dcc792a9b037a563144d15cfdfee58d16ba15a5058d8ff5ae7cc2

SHA512
84798f1f1a1d4fd24a90ed20c3a4ed571f66e4241585198672477f06d6f45145d21d8e48428070beed05fcfd2cba3c46df60f96ac227712acb84b56c0f2b8c6b

Download Submit
C:\Users\Admin\Desktop\m.wry
Filesize
42KB

MD5
980b08bac152aff3f9b0136b616affa5

SHA1
2a9c9601ea038f790cc29379c79407356a3d25a3

SHA256
402046ada270528c9ac38bbfa0152836fe30fb8e12192354e53b8397421430d9

SHA512
100cda1f795781042b012498afd783fd6ff03b0068dbd07b2c2e163cd95e6c6e00755ce16b02b017693c9febc149ed02df9df9b607e2b9cca4b07e5bd420f496

Download Submit
C:\Users\Admin\Desktop\u.wry
Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 677896.crdownload
Filesize
224KB

MD5
5c7fb0927db37372da25f270708103a2

SHA1
120ed9279d85cbfa56e5b7779ffa7162074f7a29

SHA256
be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844

SHA512
a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f89224c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206

Download Submit
\??\pipe\crashpad_4048_AKOQBYTZGLTKXHYG
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/544-386-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download