wannacry | hxxps://github[.]com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/WannaCry[.]exe

Resubmissions

02-07-2024 08:51

240702-ksdqjavdph 10

22-02-2024 14:01

240222-rbpj2aba72 10

Analysis

max time kernel
148s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
22-02-2024 14:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/WannaCry.exe

Score

10^/10

wannacry persistence ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\!Please Read Me!.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions! �

Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Downloads MZ/PE file

Drops startup file 2 IoCs

Processes:

WannaCry.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD34E9.tmp	WannaCry.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD351E.tmp	WannaCry.exe

Executes dropped EXE 6 IoCs

Processes:

WannaCry.exe!WannaDecryptor!.exeWannaCry.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe

pid process

2364 WannaCry.exe
220 !WannaDecryptor!.exe
4956 WannaCry.exe
3652 !WannaDecryptor!.exe
3388 !WannaDecryptor!.exe
4372 !WannaDecryptor!.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2364	WannaCry.exe
220	!WannaDecryptor!.exe
4956	WannaCry.exe
3652	!WannaDecryptor!.exe
3388	!WannaDecryptor!.exe
4372	!WannaDecryptor!.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

WannaCry.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\Downloads\\WannaCry.exe\" /r"	WannaCry.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service
T1102

Processes:

flow ioc

64 raw.githubusercontent.com
65 raw.githubusercontent.com
66 raw.githubusercontent.com

flow	ioc
64	raw.githubusercontent.com
65	raw.githubusercontent.com
66	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

!WannaDecryptor!.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1414748551-1520717498-2956787782-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp"	!WannaDecryptor!.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 4 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

1468 taskkill.exe
2292 taskkill.exe
4240 taskkill.exe
1012 taskkill.exe
Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1414748551-1520717498-2956787782-1000_Classes\Local Settings msedge.exe
NTFS ADS 1 IoCs

Processes:

msedge.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\Unconfirmed 620563.crdownload:SmartScreen msedge.exe

pid	process
1468	taskkill.exe
2292	taskkill.exe
4240	taskkill.exe
1012	taskkill.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1414748551-1520717498-2956787782-1000_Classes\Local Settings	msedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 620563.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exe

pid	process
4808	msedge.exe
4808	msedge.exe
1608	msedge.exe
1608	msedge.exe
3452	identity_helper.exe
3452	identity_helper.exe
3552	msedge.exe
3552	msedge.exe
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe
1332	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

Processes:

msedge.exe

pid process

1608 msedge.exe
1608 msedge.exe
1608 msedge.exe
1608 msedge.exe
1608 msedge.exe
1608 msedge.exe
1608 msedge.exe
1608 msedge.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exeWMIC.exevssvc.exe

description	pid	process
Token: SeDebugPrivilege	4240	taskkill.exe
Token: SeDebugPrivilege	1012	taskkill.exe
Token: SeDebugPrivilege	1468	taskkill.exe
Token: SeDebugPrivilege	2292	taskkill.exe
Token: SeIncreaseQuotaPrivilege	3076	WMIC.exe
Token: SeSecurityPrivilege	3076	WMIC.exe
Token: SeTakeOwnershipPrivilege	3076	WMIC.exe
Token: SeLoadDriverPrivilege	3076	WMIC.exe
Token: SeSystemProfilePrivilege	3076	WMIC.exe
Token: SeSystemtimePrivilege	3076	WMIC.exe
Token: SeProfSingleProcessPrivilege	3076	WMIC.exe
Token: SeIncBasePriorityPrivilege	3076	WMIC.exe
Token: SeCreatePagefilePrivilege	3076	WMIC.exe
Token: SeBackupPrivilege	3076	WMIC.exe
Token: SeRestorePrivilege	3076	WMIC.exe
Token: SeShutdownPrivilege	3076	WMIC.exe
Token: SeDebugPrivilege	3076	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3076	WMIC.exe
Token: SeRemoteShutdownPrivilege	3076	WMIC.exe
Token: SeUndockPrivilege	3076	WMIC.exe
Token: SeManageVolumePrivilege	3076	WMIC.exe
Token: 33	3076	WMIC.exe
Token: 34	3076	WMIC.exe
Token: 35	3076	WMIC.exe
Token: 36	3076	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3076	WMIC.exe
Token: SeSecurityPrivilege	3076	WMIC.exe
Token: SeTakeOwnershipPrivilege	3076	WMIC.exe
Token: SeLoadDriverPrivilege	3076	WMIC.exe
Token: SeSystemProfilePrivilege	3076	WMIC.exe
Token: SeSystemtimePrivilege	3076	WMIC.exe
Token: SeProfSingleProcessPrivilege	3076	WMIC.exe
Token: SeIncBasePriorityPrivilege	3076	WMIC.exe
Token: SeCreatePagefilePrivilege	3076	WMIC.exe
Token: SeBackupPrivilege	3076	WMIC.exe
Token: SeRestorePrivilege	3076	WMIC.exe
Token: SeShutdownPrivilege	3076	WMIC.exe
Token: SeDebugPrivilege	3076	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3076	WMIC.exe
Token: SeRemoteShutdownPrivilege	3076	WMIC.exe
Token: SeUndockPrivilege	3076	WMIC.exe
Token: SeManageVolumePrivilege	3076	WMIC.exe
Token: 33	3076	WMIC.exe
Token: 34	3076	WMIC.exe
Token: 35	3076	WMIC.exe
Token: 36	3076	WMIC.exe
Token: SeBackupPrivilege	2384	vssvc.exe
Token: SeRestorePrivilege	2384	vssvc.exe
Token: SeAuditPrivilege	2384	vssvc.exe

Suspicious use of FindShellTrayWindow 36 IoCs

Processes:

msedge.exe!WannaDecryptor!.exe

pid	process
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
4372	!WannaDecryptor!.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe
1608	msedge.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe!WannaDecryptor!.exe

pid	process
220	!WannaDecryptor!.exe
220	!WannaDecryptor!.exe
3652	!WannaDecryptor!.exe
3652	!WannaDecryptor!.exe
3388	!WannaDecryptor!.exe
3388	!WannaDecryptor!.exe
4372	!WannaDecryptor!.exe
4372	!WannaDecryptor!.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 1608 wrote to memory of 1216	1608	msedge.exe	msedge.exe
PID 1608 wrote to memory of 1216	1608	msedge.exe	msedge.exe
PID 1608 wrote to memory of 1116	1608	msedge.exe	msedge.exe
PID 1608 wrote to memory of 1116	1608	msedge.exe	msedge.exe
PID 1608 wrote to memory of 1116	1608	msedge.exe	msedge.exe
PID 1608 wrote to memory of 1116	1608	msedge.exe	msedge.exe
PID 1608 wrote to memory of 1116	1608	msedge.exe	msedge.exe
PID 1608 wrote to memory of 1116	1608	msedge.exe	msedge.exe
PID 1608 wrote to memory of 1116	1608	msedge.exe	msedge.exe
PID 1608 wrote to memory of 1116	1608	msedge.exe	msedge.exe
PID 1608 wrote to memory of 1116	1608	msedge.exe	msedge.exe
PID 1608 wrote to memory of 1116	1608	msedge.exe	msedge.exe
PID 1608 wrote to memory of 1116	1608	msedge.exe	msedge.exe
PID 1608 wrote to memory of 1116	1608	msedge.exe	msedge.exe
PID 1608 wrote to memory of 1116	1608	msedge.exe	msedge.exe
PID 1608 wrote to memory of 1116	1608	msedge.exe	msedge.exe
PID 1608 wrote to memory of 1116	1608	msedge.exe	msedge.exe
PID 1608 wrote to memory of 1116	1608	msedge.exe	msedge.exe
PID 1608 wrote to memory of 1116	1608	msedge.exe	msedge.exe
PID 1608 wrote to memory of 1116	1608	msedge.exe	msedge.exe
PID 1608 wrote to memory of 1116	1608	msedge.exe	msedge.exe
PID 1608 wrote to memory of 1116	1608	msedge.exe	msedge.exe
PID 1608 wrote to memory of 1116	1608	msedge.exe	msedge.exe
PID 1608 wrote to memory of 1116	1608	msedge.exe	msedge.exe
PID 1608 wrote to memory of 1116	1608	msedge.exe	msedge.exe
PID 1608 wrote to memory of 1116	1608	msedge.exe	msedge.exe
PID 1608 wrote to memory of 1116	1608	msedge.exe	msedge.exe
PID 1608 wrote to memory of 1116	1608	msedge.exe	msedge.exe
PID 1608 wrote to memory of 1116	1608	msedge.exe	msedge.exe
PID 1608 wrote to memory of 1116	1608	msedge.exe	msedge.exe
PID 1608 wrote to memory of 1116	1608	msedge.exe	msedge.exe
PID 1608 wrote to memory of 1116	1608	msedge.exe	msedge.exe
PID 1608 wrote to memory of 1116	1608	msedge.exe	msedge.exe
PID 1608 wrote to memory of 1116	1608	msedge.exe	msedge.exe
PID 1608 wrote to memory of 1116	1608	msedge.exe	msedge.exe
PID 1608 wrote to memory of 1116	1608	msedge.exe	msedge.exe
PID 1608 wrote to memory of 1116	1608	msedge.exe	msedge.exe
PID 1608 wrote to memory of 1116	1608	msedge.exe	msedge.exe
PID 1608 wrote to memory of 1116	1608	msedge.exe	msedge.exe
PID 1608 wrote to memory of 1116	1608	msedge.exe	msedge.exe
PID 1608 wrote to memory of 1116	1608	msedge.exe	msedge.exe
PID 1608 wrote to memory of 1116	1608	msedge.exe	msedge.exe
PID 1608 wrote to memory of 4808	1608	msedge.exe	msedge.exe
PID 1608 wrote to memory of 4808	1608	msedge.exe	msedge.exe
PID 1608 wrote to memory of 2120	1608	msedge.exe	msedge.exe
PID 1608 wrote to memory of 2120	1608	msedge.exe	msedge.exe
PID 1608 wrote to memory of 2120	1608	msedge.exe	msedge.exe
PID 1608 wrote to memory of 2120	1608	msedge.exe	msedge.exe
PID 1608 wrote to memory of 2120	1608	msedge.exe	msedge.exe
PID 1608 wrote to memory of 2120	1608	msedge.exe	msedge.exe
PID 1608 wrote to memory of 2120	1608	msedge.exe	msedge.exe
PID 1608 wrote to memory of 2120	1608	msedge.exe	msedge.exe
PID 1608 wrote to memory of 2120	1608	msedge.exe	msedge.exe
PID 1608 wrote to memory of 2120	1608	msedge.exe	msedge.exe
PID 1608 wrote to memory of 2120	1608	msedge.exe	msedge.exe
PID 1608 wrote to memory of 2120	1608	msedge.exe	msedge.exe
PID 1608 wrote to memory of 2120	1608	msedge.exe	msedge.exe
PID 1608 wrote to memory of 2120	1608	msedge.exe	msedge.exe
PID 1608 wrote to memory of 2120	1608	msedge.exe	msedge.exe
PID 1608 wrote to memory of 2120	1608	msedge.exe	msedge.exe
PID 1608 wrote to memory of 2120	1608	msedge.exe	msedge.exe
PID 1608 wrote to memory of 2120	1608	msedge.exe	msedge.exe
PID 1608 wrote to memory of 2120	1608	msedge.exe	msedge.exe
PID 1608 wrote to memory of 2120	1608	msedge.exe	msedge.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/WannaCry.exe
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1608

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8728846f8,0x7ff872884708,0x7ff872884718
2⤵
PID:1216

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2220,12164106635775702173,13864885621952182145,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4808

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2220,12164106635775702173,13864885621952182145,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2228 /prefetch:2
2⤵
PID:1116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2220,12164106635775702173,13864885621952182145,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2800 /prefetch:8
2⤵
PID:2120

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,12164106635775702173,13864885621952182145,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
2⤵
PID:3716

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,12164106635775702173,13864885621952182145,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3520 /prefetch:1
2⤵
PID:4140

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2220,12164106635775702173,13864885621952182145,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5512 /prefetch:8
2⤵
PID:4776

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2220,12164106635775702173,13864885621952182145,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5512 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3452

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,12164106635775702173,13864885621952182145,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5028 /prefetch:1
2⤵
PID:4800

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,12164106635775702173,13864885621952182145,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3960 /prefetch:1
2⤵
PID:1144

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,12164106635775702173,13864885621952182145,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5872 /prefetch:1
2⤵
PID:4992

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2220,12164106635775702173,13864885621952182145,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4000 /prefetch:8
2⤵
PID:1368

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,12164106635775702173,13864885621952182145,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6120 /prefetch:1
2⤵
PID:1812

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,12164106635775702173,13864885621952182145,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
2⤵
PID:4604

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2220,12164106635775702173,13864885621952182145,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6480 /prefetch:8
2⤵
PID:3376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,12164106635775702173,13864885621952182145,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6128 /prefetch:1
2⤵
PID:4684

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2220,12164106635775702173,13864885621952182145,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5112 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3552

C:\Users\Admin\Downloads\WannaCry.exe
"C:\Users\Admin\Downloads\WannaCry.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
PID:2364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 194501708610537.bat
3⤵
PID:1840

C:\Windows\SysWOW64\cscript.exe
cscript //nologo c.vbs
4⤵
PID:3524

C:\Users\Admin\Downloads\!WannaDecryptor!.exe
!WannaDecryptor!.exe f
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:220

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im MSExchange*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1468

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im Microsoft.Exchange.*
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2292

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im sqlwriter.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4240

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im sqlserver.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1012

C:\Users\Admin\Downloads\!WannaDecryptor!.exe
!WannaDecryptor!.exe c
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3652

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /b !WannaDecryptor!.exe v
3⤵
PID:444

C:\Users\Admin\Downloads\!WannaDecryptor!.exe
!WannaDecryptor!.exe v
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3388

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
5⤵
PID:4844

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:3076

C:\Users\Admin\Downloads\!WannaDecryptor!.exe
!WannaDecryptor!.exe
3⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4372

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2220,12164106635775702173,13864885621952182145,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5008 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1332

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1348

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5048

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4328

C:\Users\Admin\Downloads\WannaCry.exe
"C:\Users\Admin\Downloads\WannaCry.exe"
1⤵
- Executes dropped EXE
PID:4956

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\!Please Read Me!.txt
1⤵
PID:2036

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1f6d41bf10dc1ec1ca4e14d350bbc0b1

SHA1
7a62b23dc3c19e16930b5108d209c4ec937d7dfb

SHA256
35947f71e9cd4bda79e78d028d025dff5fe99c07ea9c767e487ca45d33a5c770

SHA512
046d6c2193a89f4b1b7f932730a0fc72e9fc95fbdb5514435a3e2a73415a105e4f6fa7d536ae6b24638a6aa97beb5c8777e03f597bb4bc928fa8b364b7192a13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4254f7a8438af12de575e00b22651d6c

SHA1
a3c7bde09221129451a7bb42c1707f64b178e573

SHA256
7f55f63c6b77511999eee973415c1f313f81bc0533a36b041820dd4e84f9879b

SHA512
e6a3244139cd6e09cef7dab531bff674847c7ca77218bd1f971aa9bf733a253ac311571b8d6a3fe13e13da4f506fec413f3b345a3429e09d7ceb821a7017ec70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
fe9ec3c5613d9b473c7c8e04c4bf3b12

SHA1
161c2624a73e185df0cd0d57108c86f1dd41e597

SHA256
8b66ad39891614eaea648a1ad8dc5d056ef6386da76f939648fe84ca723f115b

SHA512
33af606b381835e5a35267ed0548ff7689e1729a77d892f1c75192fb3befa3eb3fffca5094d57382611d94792d23aa2ca402716f9f72b625e5e7632c9312dcef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
579B

MD5
5c8391c97bdd0ff4b9b37f00a3f8bf58

SHA1
3e1338f2161f6a885d81a4f194cb9fe64ff9a824

SHA256
2bfc160772af5ff7e3c318edeefdb85b014404dbf656a3ef52a6355cbb589fbd

SHA512
a9d08563e69b14b4c99d7e0b73f98e3e56913f70850194eae691cc0f240c6a423ac7ffcd8c62ffcaa0f12a26118c76f1135c8a1c99e4fc70392f3bfc8600bc76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c6eea746e6bd0c7097cd7ede3a6e4d1f

SHA1
d3d1f3c7fbb71cc0ac2b5a715aae271f432ed2e1

SHA256
2eadd325475794201ec69b169b7165956dcac97bd2400fd699ac13df7dc5d913

SHA512
56adb353cc91ce89dd549c5c3f06d97a09900633f6a3b384daa6cc7594e17988f1d8d6460d971da846e6160a502f1382305fc87dde021d4a74e5972fb06f1c90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e15d95133e077b3bad64564330eb12ea

SHA1
0d82f33990acb2106b9120718d5bd37f7d3dfc8b

SHA256
97f85a5502cc129814ec389924fdaeb997943c746e3ccd1ca5593cd67b1dbc68

SHA512
897485fd9eb3f9e2008d27c25d044910cc286c227be116d5d77b583bf7b907ead84f1f7e9b24aaedb37369cd37fb25d65919f2489749c9634895285efec67ba1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
db80ccee4e3850463be0a8b970e0b499

SHA1
4e8d2c3429dd8f41912ada2836a95e557b7b56b9

SHA256
f12a7ca34bad04f273d4b8bb7b286b33101f3ec5c09e02c6e87165570fa0837b

SHA512
01c4a5bb303e2846c7689e6f3874571a4c1a649b53c27b199b4fdd3f36f02ab3a5311933509d2232de6f3dba4c8a78adb5117d330172058725b6ac57c91a6de9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a170f7226134fe3bfcbeb3027fd35bcb

SHA1
3fdd8b387ce74bb7a743e6bda1ac0214f2d0a9c8

SHA256
d9d2f1ec573c810207a249f37c9e0374fcc3f3e713c0bfe9dd6468577c234f37

SHA512
a83a580cccaefce0025d99a8779dd1ba3f6bf08d5b7332ca29f156cc1ff424b1e075cb92bcf173f6863433ad56cc304182fb39aacf97301e3ab14250054bdcf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
cc78f8dd36f3ff7c0306f64b3f69588b

SHA1
bb295eb31ee1421d4d32a8a880bef6df9235fe35

SHA256
953dac88680c07dbed20144053fcc5dc2349172e2022cac0ab8140e419412495

SHA512
fa602a1ebeedec8aa3b7513ed31c08978eaeebff9834b32efa17079af884c85aee439dc64ec007af439ee01b64f71b2951172190085d9ceeb9c7a8771ad0eec0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
1a5171d863ba9cb333ece6124b18934a

SHA1
40d0bb5bbeb04aa67b8eca0fba3c28a41fc91bed

SHA256
e1b3eff428c58bccb3aa5bd22ce5eacc3cfb2458b0686b889192abaea14c3a43

SHA512
acd7d00b8be207a5d2f16cbc621c6232c079764dddf33880d01331ea0403dffa73777e743508809e0483cc60b86c3d1ef27b446b9cfddf55c5f6dfe2927c213d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
df907e78297b22f487d9eb66c3b4b9bc

SHA1
701d9949226622d89ed88c134c0a13ea32e0f7d4

SHA256
9beebdd3d6614f44a60771e9a6b79711816677dfdf095fa7c2024de05f196573

SHA512
d2e34708b66dc970c041120387d48a5ccfc52cefcca6404466718cb991895692ab372ccc40ebd1b7788602bc2c49050fa1ad6842b9e92d6582ad165d61ccb913

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57c0cf.TMP

Filesize
874B

MD5
d84b90bc41eca252a7d0800f4df86ee7

SHA1
1fbc84714cdf3255c11aafa3c555d96ed89b6530

SHA256
ff2dab0c2795ad3828680bbcf5a0f90a3cf11f48148b8e2ef729cadb044f09b3

SHA512
b693f076dbb5b46add8440e40acabd67a9f46fea4959f24861d0b103160000fc116fdc951e3e6956978cd21a4807d8724ed64648537449f6f716167aba7272ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
1dce81a41be5fb34f82b8a7fa1be5557

SHA1
3dbd49de0c18f55b880a213498ac4d15dacb091b

SHA256
469dc5c2c58c629be03fb1155268f95a5f480dee04e5a9e9350c819e08e23837

SHA512
3222e6a4d1d75d5646315c4352538059e91ec0bf635fc146af06cc73d896eb6801f863f91cb0317c72c9f8cd88360be1d45a13327e3b09d361e1e6515f6126bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b4d28d29fce1fe386178974ca233dc59

SHA1
aef7c48ce2ec8fe6db5a2fffdb57860cf8f86991

SHA256
5a893468f1ed7b46bb65d41592eff77689572051f06bac61650c98473c6f9d30

SHA512
e1c8a7e3332d30b704e6a1705ced43d3df259fb037d8f4754186f6284fa95a7cbe01f425953726bbeaea3193c1a1648623f3170acd01e3e0b45e2a990a99e3b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\b6dddd78-c957-4a36-8ee9-c5d8471761f0.tmp

Filesize
11KB

MD5
d51192e1d82107907ac585b92e22eaf2

SHA1
b79efb1e7e54c5fba8ba001f463acba441a016fb

SHA256
91b975064410092444970c4c27583ea1a1e282cc21584abf5663f4dd59eeed15

SHA512
c3ff73de88bb29f00c50dd7a23e7312a61c9f05c981992d8b1730b1f2b515c302d3264521041a5295d7cc95d2771b05fe05ae3be7d9d4e8b8decb9b0e99cc1f9

Download Submit
C:\Users\Admin\Downloads\!Please Read Me!.txt

Filesize
797B

MD5
afa18cf4aa2660392111763fb93a8c3d

SHA1
c219a3654a5f41ce535a09f2a188a464c3f5baf5

SHA256
227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0

SHA512
4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b

Download Submit
C:\Users\Admin\Downloads\!WannaDecryptor!.exe.lnk

Filesize
590B

MD5
bf84d2127b17486912894d1338460605

SHA1
597dfb9e74a7a04d457ecce6fdcb9e55f849ef3f

SHA256
111df945cc492e31c30039f990a55acfabf9e335c28837a6d16cf509cf456141

SHA512
79fa650ad8e52578a26cefb8d9361fa2a2802349e9d6e04ca52fa5a9141191e7e9a986f2f7ea4a6964e597fe041d843aa16f704ba36f2b5313464b2c7d3e4b89

Download Submit
C:\Users\Admin\Downloads\00000000.eky

Filesize
1KB

MD5
626a8ffb6464d366c5c74b6f780c53f4

SHA1
b021e404558715d0b0953bf193fa97448ce96265

SHA256
4717e2eec3ea98db21b2f34f8a1eb76beebf671457db75a5894aaf4c39741043

SHA512
ae88b5b47529475f80eadf6d571f369a945d47d0af29a7fb2a24632633efc151df86a6594884050d45f239e421858a177815c860026125c5624a9553fc97b026

Download Submit
C:\Users\Admin\Downloads\00000000.res

Filesize
136B

MD5
d5011eda42f77592b97f2cf43c2c7b8f

SHA1
46feb5d87e84ccdf18af1b72bd386ec4d047b9e1

SHA256
59b3905d72793b8d4b048f2c325cc86744d2f6160ddd62128c0c7543e803885c

SHA512
4ae6aa873929a1f35b736908a223a0cf0584297f589d0dc6fccd8bc79f33473e60dd6dcd0892c5cd2befba1bae44eec4034f9995304aa137a48222f7ca071457

Download Submit
C:\Users\Admin\Downloads\00000000.res

Filesize
136B

MD5
5c4c30157f01d15704ff85484462cdaf

SHA1
a090b18ff0be100ab761b14c3d1a34654d30f66f

SHA256
dc23f8551ffb7bc23fc8547b4708a1166a0d7d297c67ed87123ec68f1f5f89c1

SHA512
cf2c6076d0453917e4abb6467566c8430f687fdc70816168c95a0ab97042591e36ce6a8474c1b8c966e6c9f4db66b77778ff43624e15077f557414d5fb1e350a

Download Submit
C:\Users\Admin\Downloads\00000000.res

Filesize
136B

MD5
49c8ad4a68732e2cd39c71b3f93203b8

SHA1
096b7f5be9b6666db23745f7dda9b4e81949cbdf

SHA256
121ec6bf7e94a7aa097004ed8d67da059859863d72d9d15f0212cc9cadcfbddf

SHA512
e58c76c6c11f3da53bd22760c3a6d1a5a99b7428b2eafca9ee91aca6304448d458ae3a292007d8b3f6122f2bcfb2ddd0d6654cdae2b34a507df2d99d7de41dd4

Download Submit
C:\Users\Admin\Downloads\194501708610537.bat

Filesize
318B

MD5
a261428b490a45438c0d55781a9c6e75

SHA1
e9eefce11cefcbb7e5168bfb8de8a3c3ac45c41e

SHA256
4288d655b7de7537d7ea13fdeb1ba19760bcaf04384cd68619d9e5edb5e31f44

SHA512
304887938520ffcc6966da83596ccc8688b7eace9572982c224f3fb9c59e6fb2dcaa021a19d2aae47346e954c0d0d8145c723b7143dece11ac7261dc41ba3d40

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 620563.crdownload

Filesize
224KB

MD5
5c7fb0927db37372da25f270708103a2

SHA1
120ed9279d85cbfa56e5b7779ffa7162074f7a29

SHA256
be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844

SHA512
a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f89224c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206

Download Submit
C:\Users\Admin\Downloads\c.vbs

Filesize
201B

MD5
02b937ceef5da308c5689fcdb3fb12e9

SHA1
fa5490ea513c1b0ee01038c18cb641a51f459507

SHA256
5d57b86aeb52be824875008a6444daf919717408ec45aff4640b5e64610666f1

SHA512
843eeae13ac5fdc216b14e40534543c283ecb2b6c31503aba2d25ddd215df19105892e43cf618848742de9c13687d21e8c834eff3f2b69a26df2509a6f992653

Download Submit
C:\Users\Admin\Downloads\c.wry

Filesize
628B

MD5
b35836eb81e5c5bc3d4bfc46d59e19d2

SHA1
d5af4d2e8cc93ab4267ed18e90aff9c472399d19

SHA256
70dd412f7aababcb32be29fe6068b28e7160490a0044a7a830610b4185ce5e72

SHA512
b78a8edfd8876b7d0e033077531fde0956e790c89682afa5d475ec3c6281747b197e0631301b2c1578c26f8a348669b7677464764348bdd9654910111a4c732a

Download Submit
C:\Users\Admin\Downloads\m.wry

Filesize
42KB

MD5
980b08bac152aff3f9b0136b616affa5

SHA1
2a9c9601ea038f790cc29379c79407356a3d25a3

SHA256
402046ada270528c9ac38bbfa0152836fe30fb8e12192354e53b8397421430d9

SHA512
100cda1f795781042b012498afd783fd6ff03b0068dbd07b2c2e163cd95e6c6e00755ce16b02b017693c9febc149ed02df9df9b607e2b9cca4b07e5bd420f496

Download Submit
C:\Users\Admin\Downloads\r.wry

Filesize
729B

MD5
880e6a619106b3def7e1255f67cb8099

SHA1
8b3a90b2103a92d9facbfb1f64cb0841d97b4de7

SHA256
c9e9dc06f500ae39bfeb4671233cc97bb6dab58d97bb94aba4a2e0e509418d35

SHA512
c35ca30e0131ae4ee3429610ce4914a36b681d2c406f67816f725aa336969c2996347268cb3d19c22abaa4e2740ae86f4210b872610a38b4fa09ee80fcf36243

Download Submit
C:\Users\Admin\Downloads\t.wry

Filesize
68KB

MD5
5557ee73699322602d9ae8294e64ce10

SHA1
1759643cf8bfd0fb8447fd31c5b616397c27be96

SHA256
a7dd727b4e0707026186fcab24ff922da50368e1a4825350bd9c4828c739a825

SHA512
77740de21603fe5dbb0d9971e18ec438a9df7aaa5cea6bd6ef5410e0ab38a06ce77fbaeb8fc68e0177323e6f21d0cee9410e21b7e77e8d60cc17f7d93fdb3d5e

Download Submit
C:\Users\Admin\Downloads\u.wry

Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
\??\pipe\LOCAL\crashpad_1608_WJEFAEKOITDQQVVY

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2364-229-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download