Resubmissions
08-04-2024 03:16  240408-dsz57sfc87  Score: 10
Analysis
max time kernel: 927s
max time network: 845s
platform: windows11-21h2_x64
resource: win11-20240426-en
resource tags: arch:x64, arch:x86, image:win11-20240426-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 17-05-2024 05:43
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/WannaCry.exe
Resource: win11-20240426-en
General
Target: https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/WannaCry.exe
Malware Config
Extracted
Path: C:\Users\Admin\Downloads\!Please Read Me!.txt
Family: wannacry
Wallet: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1
Signatures
Wannacry
WannaCry is a ransomware cryptoworm.
Deletes shadow copies (3 TTPs)
Ransomware often targets backup files to inhibit system recovery.
Downloads MZ/PE file
Drops startup file (2 IoCs)
Processes: WannaCry.exe
description | ioc | process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDC423.tmp | WannaCry.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDC43A.tmp | WannaCry.exe
Executes dropped EXE (5 IoCs)
Processes: WannaCry.exe, !WannaDecryptor!.exe
pid | process
4176 | WannaCry.exe
2800 | !WannaDecryptor!.exe
3660 | !WannaDecryptor!.exe
4688 | !WannaDecryptor!.exe
4684 | !WannaDecryptor!.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes: WannaCry.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\Downloads\\WannaCry.exe\" /r" | WannaCry.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 3 IoCs)
flow | ioc
4 | raw.githubusercontent.com
12 | raw.githubusercontent.com
31 | raw.githubusercontent.com
Sets desktop wallpaper using registry (2 TTPs, 1 IoCs)
Processes: !WannaDecryptor!.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2994005945-4089876968-1367784197-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp" | !WannaDecryptor!.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: msedge.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Kills process with taskkill (4 IoCs)
Processes: taskkill.exe
pid | process
1724 | taskkill.exe
588 | taskkill.exe
4656 | taskkill.exe
2284 | taskkill.exe
NTFS ADS (5 IoCs)
Processes: msedge.exe
description | ioc | process
File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 121333.crdownload:SmartScreen | msedge.exe
File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 510648.crdownload:SmartScreen | msedge.exe
File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 539411.crdownload:SmartScreen | msedge.exe
File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 137915.crdownload:SmartScreen | msedge.exe
File opened for modification | C:\Users\Admin\Downloads\WannaCry.exe:Zone.Identifier | msedge.exe
Suspicious behavior: EnumeratesProcesses (14 IoCs)
Processes: msedge.exe, identity_helper.exe
pid | process | entries
1924 | msedge.exe | 2
1632 | msedge.exe | 2
1616 | msedge.exe | 2
3668 | identity_helper.exe | 2
3296 | msedge.exe | 4
5100 | msedge.exe | 2
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (11 IoCs)
Processes: msedge.exe
pid | process | entries
1632 | msedge.exe | 11
Suspicious use of AdjustPrivilegeToken (49 IoCs)
Processes: taskkill.exe, WMIC.exe, vssvc.exe
description | pid | process
Token: SeDebugPrivilege | 2284 | taskkill.exe
Token: SeDebugPrivilege | 588 | taskkill.exe
Token: SeDebugPrivilege | 1724 | taskkill.exe
Token: SeDebugPrivilege | 4656 | taskkill.exe
Token: SeIncreaseQuotaPrivilege | 4876 | WMIC.exe
Token: SeSecurityPrivilege | 4876 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 4876 | WMIC.exe
Token: SeLoadDriverPrivilege | 4876 | WMIC.exe
Token: SeSystemProfilePrivilege | 4876 | WMIC.exe
Token: SeSystemtimePrivilege | 4876 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 4876 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 4876 | WMIC.exe
Token: SeCreatePagefilePrivilege | 4876 | WMIC.exe
Token: SeBackupPrivilege | 4876 | WMIC.exe
Token: SeRestorePrivilege | 4876 | WMIC.exe
Token: SeShutdownPrivilege | 4876 | WMIC.exe
Token: SeDebugPrivilege | 4876 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 4876 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 4876 | WMIC.exe
Token: SeUndockPrivilege | 4876 | WMIC.exe
Token: SeManageVolumePrivilege | 4876 | WMIC.exe
Token: 33 | 4876 | WMIC.exe
Token: 34 | 4876 | WMIC.exe
Token: 35 | 4876 | WMIC.exe
Token: 36 | 4876 | WMIC.exe
(The 21 WMIC.exe entries above are recorded twice in the report, 42 entries in total.)
Token: SeBackupPrivilege | 2576 | vssvc.exe
Token: SeRestorePrivilege | 2576 | vssvc.exe
Token: SeAuditPrivilege | 2576 | vssvc.exe
Suspicious use of FindShellTrayWindow (56 IoCs)
Processes: msedge.exe
pid | process | entries
1632 | msedge.exe | 56
Suspicious use of SendNotifyMessage (12 IoCs)
Processes: msedge.exe
pid | process | entries
1632 | msedge.exe | 12
Suspicious use of SetWindowsHookEx (8 IoCs)
Processes: !WannaDecryptor!.exe
pid | process | entries
2800 | !WannaDecryptor!.exe | 2
3660 | !WannaDecryptor!.exe | 2
4688 | !WannaDecryptor!.exe | 2
4684 | !WannaDecryptor!.exe | 2
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: msedge.exe
description | pid | process | target process
PID 1632 wrote to memory of 3324 | 1632 | msedge.exe | msedge.exe
PID 1632 wrote to memory of 2360 | 1632 | msedge.exe | msedge.exe
PID 1632 wrote to memory of 1924 | 1632 | msedge.exe | msedge.exe
PID 1632 wrote to memory of 4036 | 1632 | msedge.exe | msedge.exe
(Each of these four entries is recorded repeatedly in the report; 64 entries in total, all from PID 1632.)
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1632)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/WannaCry.exe
  Signatures: Enumerates system info in registry; NTFS ADS; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3324)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff84c183cb8,0x7ff84c183cc8,0x7ff84c183cd8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2360)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1952,4238098336406420873,6461810032950758988,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1968 /prefetch:2
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1924)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1952,4238098336406420873,6461810032950758988,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3
    Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4036)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1952,4238098336406420873,6461810032950758988,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2676 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4732)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,4238098336406420873,6461810032950758988,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3056)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,4238098336406420873,6461810032950758988,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1580)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,4238098336406420873,6461810032950758988,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3968 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2112)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,4238098336406420873,6461810032950758988,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5188 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1616)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1952,4238098336406420873,6461810032950758988,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3264 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe (PID 3668)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1952,4238098336406420873,6461810032950758988,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5756 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4656)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,4238098336406420873,6461810032950758988,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5752 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3812)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,4238098336406420873,6461810032950758988,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5128 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2508)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,4238098336406420873,6461810032950758988,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5236 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1060)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1952,4238098336406420873,6461810032950758988,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5904 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 392)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,4238098336406420873,6461810032950758988,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1664)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1952,4238098336406420873,6461810032950758988,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5572 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3684)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,4238098336406420873,6461810032950758988,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4996 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2448)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1952,4238098336406420873,6461810032950758988,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=1900 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3888)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,4238098336406420873,6461810032950758988,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5900 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2864)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1952,4238098336406420873,6461810032950758988,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6152 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3296)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1952,4238098336406420873,6461810032950758988,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6156 /prefetch:2
    Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1900)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1952,4238098336406420873,6461810032950758988,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5100)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1952,4238098336406420873,6461810032950758988,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5244 /prefetch:8
    Signatures: NTFS ADS; Suspicious behavior: EnumeratesProcesses
- C:\Windows\System32\CompPkgSrv.exe (PID 3544)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe (PID 2248)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\rundll32.exe (PID 1148)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- C:\Users\Admin\Downloads\WannaCry.exe (PID 4176)
  Command line: "C:\Users\Admin\Downloads\WannaCry.exe"
  Signatures: Drops startup file; Executes dropped EXE; Adds Run key to start application
  - C:\Windows\SysWOW64\cmd.exe (PID 3984)
    Command line: C:\Windows\system32\cmd.exe /c 155851715924900.bat
    - C:\Windows\SysWOW64\cscript.exe (PID 3472)
      Command line: cscript //nologo c.vbs
  - C:\Users\Admin\Downloads\!WannaDecryptor!.exe (PID 2800)
    Command line: !WannaDecryptor!.exe f
    Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
  - C:\Windows\SysWOW64\taskkill.exe (PID 1724)
    Command line: taskkill /f /im MSExchange*
    Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\taskkill.exe (PID 588)
    Command line: taskkill /f /im Microsoft.Exchange.*
    Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\taskkill.exe (PID 4656)
    Command line: taskkill /f /im sqlserver.exe
    Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\taskkill.exe (PID 2284)
    Command line: taskkill /f /im sqlwriter.exe
    Signatures: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\Downloads\!WannaDecryptor!.exe (PID 3660)
    Command line: !WannaDecryptor!.exe c
    Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
  - C:\Windows\SysWOW64\cmd.exe (PID 764)
    Command line: cmd.exe /c start /b !WannaDecryptor!.exe v
    - C:\Users\Admin\Downloads\!WannaDecryptor!.exe (PID 4688)
      Command line: !WannaDecryptor!.exe v
      Signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
      - C:\Windows\SysWOW64\cmd.exe (PID 4812)
        Command line: cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
        - C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 4876)
          Command line: wmic shadowcopy delete
          Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\Downloads\!WannaDecryptor!.exe (PID 4684)
    Command line: !WannaDecryptor!.exe
    Signatures: Executes dropped EXE; Sets desktop wallpaper using registry; Suspicious use of SetWindowsHookEx
- C:\Windows\system32\vssvc.exe (PID 2576)
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD55e027def9b55f3d49cde9fb82beba238
SHA164baabd8454c210162cbc3a90d6a2daaf87d856a
SHA2569816e980b04f1fe7efaa4b9c83ff6a0fdd485ee65a884c001b43a0cad7c39d83
SHA512a315e1336c5ec70cbb002969e539068ba92f3ec681b6d863db95227fd1808a778fd994e2fb03f28f0e401677aa5f7c66813e315b6b99a5065384c49586f9782e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD50c5042350ee7871ccbfdc856bde96f3f
SHA190222f176bc96ec17d1bdad2d31bc994c000900c
SHA256b8b1cb139d4d19a85adce0152fa3c4f6adfb73a322d7253820e848c6f82afc1b
SHA5122efdb535fa6a06c4f9702b2129f2dd07c330e37fd10b492f2236007c660c1707773c22005d1e1fa580dbf633dc1a700ada3b7b611ef9accd9555a17a244f61ce
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
1KB
MD57005dea8cf73bd3c1e53dccb9f307f49
SHA1b76e51cde647a8a4bf414379ec511c49fc4bc5ae
SHA2563bd1243976ba4d92da67dc1d91faf749d28a30080a3e5d90a2a2c4f840c36c00
SHA5120b0a8626a231fa7848768aefbf29e842ec9c040f7efaa1ae4a8cee42be7bf09f3a455c46b6c0b59212840ef6c56d9e333799288e73f053e01d51db9a12409195
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
579B
MD57ac37464384ee7179ac68d1e99242b2d
SHA14ee441656cca629a32015adecc58aee62ae1f653
SHA256e1ccebabefc990c0bc44376e9070301b5f1d57ed0260c81c4e78136e66fe2690
SHA512ff6a8d9db51b9abeeceb69d251f38ccab6be5b670c193cab2f2b60292f5c66016db516980f14848021dbdb6e1933712d588fd3eafa7a7a36fd1657a3b55b3db1
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD58a2e72de1e20c8a34de6ea6f3df9ae61
SHA1ed52016e162fea0a1f2c0b39b63368da7fc79d7f
SHA256c068d878d95b25cc8cc314446794ae47020daf14736e9c9abc9fb171d8188436
SHA5123c7adaaf7b294717b5f4fa849a8c8dc39d22cb96d45e4fbe1894115f730951ad9aff6dd5feaf92aa25a48ada018d6beb5f61752550c5ac2c294d0d22e705acff
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5152d8a79b826598a9e126a475f18cdc5
SHA17a03f366b5ed32305dd6e8c47d348a22d9551d33
SHA256e402799b445a6eef5096aad393fc8da653aec00ee034a9b31d05a42419252b8b
SHA512b911a73893882b7bb127541ee6a14972946e761eb9edb4266f51b4f6f65c255e75deff073caee5e67d5d413eea8fbee583ec28dd715b98c4909c178a7e20b2a4
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD54ea5f18499a8a532c63910201759f9ad
SHA1256943107e2b1227a678b4e7625d328d711e27cc
SHA256cc4113c0878a2a5560045008d7a005a6ce18e415f0a6970c72708bfb9b3271b5
SHA512e5a092f9b304e897d619b3c42363b66d85dd3944f5531ad779044bbee226edf96394e462567fb7d0f5f2bc43e49de4a9a40ab765a70550cce3dd43ee0fa355f1
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD5c45eecf09d66ef4859278645366ee0f7
SHA1cd9297c06d2909ddf1094d2da6b3731642ce738e
SHA25621b27d3bd411282f450cd42d1ed8296a7d5db04aab2dcb9039a9816e269d1818
SHA51250dc422754f189dd776ba71b414d43ced82627862eae2641925c752d98f9654d32f90352820b697c2c1d7308b538ed34bdeb10324e3ddad78a501b5c036fa1cd
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD58b631a4f4f83bbc66f082f8113e8f28a
SHA1e51b6e2c4a6de8bc020d662c41fb506a15008fec
SHA256c5aabec5522edc7b06ae6966b65355fd76e521af4b5049e2aba697d521b12c7b
SHA512c6cf3d91bcb61d1631f23961079765059333cdd029ff44575722f4c2c433f5b6e9b8ae95e3c23b7fb249e1b1ff27aaca437f3e7deccda727f49e648762fa70cd
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD508ba70ca02ada1e77b6ac5609580f9dc
SHA10aa3706dbb6066f3f90b8fe68244e91e78bfcb54
SHA2565ba34c16d16de49bdd91f5af4bbf20dd521547099eae37b736a20174ddaadf31
SHA5121f4b344b9c556f97f3c60d9bf6b7416a145c543bb557be8882c7f1c7c1c3076298f4426228a86b773e223627946a83bc1cd26b2cad2fc94519fb09ca27dd48ec
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
1KB
MD539cf8c71f3dea837471014c2a65f47a2
SHA1ac34b279eaaf04c87ff7677245ced19bb7e13978
SHA256aad4af259ed9d744d9924a886872a9115167e7414e19052de3fa7e90eb36a37a
SHA512568c6bf442ed0e6e7658f3fee9866d4b7fe90a4c664179ef0ca8cbd258923ea1e533143c7327cbde2f1a11c2ded2590a64749182f0d99d8d651cdccbb31b4c3c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe580c6f.TMPFilesize
874B
MD5dc258d41d197d20c2fd9aadc9b194e0e
SHA1812e78fe4c6f5f418b94117eaaa5553f88555654
SHA2563110c25202b132958aa899bef1753077d8a438bae7c6e7c0e0a24927a5f33f6b
SHA512bb5656055a746bcc26af9d98206a3d4d89bbf11755212f4e7104eb1fc736adf80d4a3c5e68ecbc48b65b923f5c346599a127b01304e50a0c82fe0c12813edff3
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\heavy_ad_intervention_opt_out.dbFilesize
16KB
MD59a8e0fb6cf4941534771c38bb54a76be
SHA192d45ac2cc921f6733e68b454dc171426ec43c1c
SHA2569ee9211a57c3f6fa211fe0323fa8cd521e7cbffcd8ff0896645a45795dc472be
SHA51212ed22537dcc79d53f6c7d39e92a38f8fea076d793198928f5b7a5dd1234d50a3c0b4815632f3fadf8bc4ef0499773d22bd83f961d2d0ffd8afacf471bd3a5ae
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\previews_opt_out.dbFilesize
16KB
MD5d926f072b41774f50da6b28384e0fed1
SHA1237dfa5fa72af61f8c38a1e46618a4de59bd6f10
SHA2564f7b0e525d4bfc53d5df49589e25a0bccf2fcf6a1a0ca3f94d3285bb9cf0a249
SHA512a140df6ec0d3099ef374e8f3ece09bf91bc896ac4a1d251799a521543fe9bdea796ba09fa47932bd54fa939118495078f9258557b32c31d3d4011b0666a4723f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize 11KB
MD5 db84438ec4e13645200433fdfdfc9b3d
SHA1 ac120603f995832ae77956fde21986f0b5820214
SHA256 54ee35902479aa0ce4e225966120949d073f8fef1b217fd2169e6462ac77d395
SHA512 ca91cfc9680c9a53b401656fc7613ab2364961b94e29f424a120159f9112dc23448a118e3fd1dd672086541d8e3d8b31c20a19d02506cf8784b3bc97b23709ad
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize 12KB
MD5 261530b5df30dd41b191b9b96fe67911
SHA1 7ee86d08ab5f86b0fb8f70518644404aac492e73
SHA256 6e11ad666b7e12928ea0b6701c720b388a5777285fa63f588c75cffff8874dac
SHA512 e2351a4329ee7cec41227daff95b6c3f2c66c73322f117d79001c2b63ab89b01d03b32c95ea951ef35699fb4ab037f84f8216ba6afbf17d1a961d45c9b30424c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize 12KB
MD5 c1641a673f93536783d86b2401ab8d2f
SHA1 8da3a6645c4a2c61db4cca02d84925aa5bea2a51
SHA256 026cc71dc36df515856b4a6601297cd3466e004fb0932ab74a40379fe044904b
SHA512 5d8e9f6419b2a06feefbdd532138a4165a7d80f166eef3f4ea3c5099bd0382511605058f9255cd8abdf5b9f029a3d6cedec494941cf410063e6587b1447c2c8a
-
C:\Users\Admin\Downloads\!Please Read Me!.txt
Filesize 797B
MD5 afa18cf4aa2660392111763fb93a8c3d
SHA1 c219a3654a5f41ce535a09f2a188a464c3f5baf5
SHA256 227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0
SHA512 4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b
-
C:\Users\Admin\Downloads\!WannaDecryptor!.exe.lnk
Filesize 590B
MD5 1b48b59e9e1ca16683e2bb2448833dcb
SHA1 c8cd8a12de00fd973559b3d9628ac79d947e8600
SHA256 4465f56ef93793b4c079a52edf384c821889a22adf354c43ef664fe0e1243aa4
SHA512 bc641a704c38276a3de446c15305035202c3203f07143dba310f038f24c5ee661b4cbd718454c0df22788e17820716419ca06e7fcc81576f6c0f3c2fffd55c9c
-
C:\Users\Admin\Downloads\00000000.res
Filesize 136B
MD5 fe7f76cf541d3e5a85a78f64cebff558
SHA1 8cdff533a4c16d1abfa43b2dd3e4047457fcd88e
SHA256 e26f09bf85df127776768bc20497792e55d2a86e78c9f7b6b9fa01cc761532d4
SHA512 0b48ca1ca5776d7710c79583f5614b5c93724dcd43ba826f4c0c8fb3a8a1dca4b4a2d82c54fd9aefc07be629a97363e1fa63568ffd85ba1bb3d17970ff21af9b
-
C:\Users\Admin\Downloads\00000000.res
Filesize 136B
MD5 7f5b4c1c40e478a5c2f70aab60beff64
SHA1 f9a6dcd02749fd78568cbcf68499136488493a90
SHA256 ef087c20e92d8080b48a9d36cbb882ad35b6cfe09ced050313ae94e72fc911b2
SHA512 0be6258c47bb3cc2d7dc46ffbdbeb8b321dcfe79e20689de7f9cd87ef249dc970fa8751ca298b1c508a14119fa55d3816f53f77beccdacd7a43a159c8d6347a9
-
C:\Users\Admin\Downloads\00000000.res
Filesize 136B
MD5 c74641f3584d2ec4c292f55ecf43a821
SHA1 b19b38f794ffa219e75308b2c6758a0d8ac0152a
SHA256 906afe20c8a0e432df40c900a1985946b2cf8cdc5926bfb90aca8cd51beb3532
SHA512 edd0c97d631c5d43c0b9b50e0cdb051daaca4f96f054689cb2f00406aa6891097b994b32751f0bffd4b9a609f34c649eed0f4f81d6b34598cf52520d258f75d0
-
C:\Users\Admin\Downloads\155851715924900.bat
Filesize 318B
MD5 a261428b490a45438c0d55781a9c6e75
SHA1 e9eefce11cefcbb7e5168bfb8de8a3c3ac45c41e
SHA256 4288d655b7de7537d7ea13fdeb1ba19760bcaf04384cd68619d9e5edb5e31f44
SHA512 304887938520ffcc6966da83596ccc8688b7eace9572982c224f3fb9c59e6fb2dcaa021a19d2aae47346e954c0d0d8145c723b7143dece11ac7261dc41ba3d40
-
C:\Users\Admin\Downloads\Unconfirmed 121333.crdownload
Filesize 224KB
MD5 5c7fb0927db37372da25f270708103a2
SHA1 120ed9279d85cbfa56e5b7779ffa7162074f7a29
SHA256 be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844
SHA512 a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f89224c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206
-
C:\Users\Admin\Downloads\WannaCry.exe:Zone.Identifier
Filesize 26B
MD5 fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1 d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256 eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512 aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98
-
C:\Users\Admin\Downloads\c.vbs
Filesize 201B
MD5 02b937ceef5da308c5689fcdb3fb12e9
SHA1 fa5490ea513c1b0ee01038c18cb641a51f459507
SHA256 5d57b86aeb52be824875008a6444daf919717408ec45aff4640b5e64610666f1
SHA512 843eeae13ac5fdc216b14e40534543c283ecb2b6c31503aba2d25ddd215df19105892e43cf618848742de9c13687d21e8c834eff3f2b69a26df2509a6f992653
-
C:\Users\Admin\Downloads\c.wry
Filesize 628B
MD5 c0d7006feb588cdc575d5b5bf7879695
SHA1 51bf73ad23f103102f0f4c6ab75dc720399a6f3b
SHA256 f219b1c1aeae3af9110f21ef1e696da7bd8c2b8e4de15a61dd12b92c3a0cd263
SHA512 cb18f63388859bc631268dd86cc6394172bafec530dbafa2ee3790819c196f36ece22d44af18b33cfae9e4f75638a1ef0673356b2bcff1e28846dcfe3a5a8bf7
-
C:\Users\Admin\Downloads\m.wry
Filesize 42KB
MD5 980b08bac152aff3f9b0136b616affa5
SHA1 2a9c9601ea038f790cc29379c79407356a3d25a3
SHA256 402046ada270528c9ac38bbfa0152836fe30fb8e12192354e53b8397421430d9
SHA512 100cda1f795781042b012498afd783fd6ff03b0068dbd07b2c2e163cd95e6c6e00755ce16b02b017693c9febc149ed02df9df9b607e2b9cca4b07e5bd420f496
-
C:\Users\Admin\Downloads\u.wry
Filesize 236KB
MD5 cf1416074cd7791ab80a18f9e7e219d9
SHA1 276d2ec82c518d887a8a3608e51c56fa28716ded
SHA256 78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df
SHA512 0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5
-
\??\pipe\LOCAL\crashpad_1632_LNVADSLGYBKQTYCB
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/4176-391-0x0000000010000000-0x0000000010012000-memory.dmp
Filesize 72KB
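The listing above is the report's dropped-files table as it comes out of extraction: the "Filesize" and hash-algorithm labels fused onto the path or the digest, and one entry (the crashpad named pipe) with no size at all. The parser below is an added example, not part of the Tria.ge report or of any Tria.ge tooling; it turns that listing into hash records so the digests can be hunted in other telemetry, and checks candidate content against a record's hashes. It accepts both the fused form ("MD5dc25...", "...\file.txtFilesize") and the split form ("MD5 dc25..."). The sample text is copied verbatim from four of the entries above; the `Dropped` class and the function names are this example's own.

```python
"""Parse a Tria.ge-style dropped-files listing into IOC records and check
candidate content against the recorded hashes (added example, not report code)."""
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

ALGOS = ("MD5", "SHA1", "SHA256", "SHA512")
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HEX = re.compile(r"^[0-9a-fA-F]+$")
LABELED_HASH = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s*([0-9a-fA-F]+)$")
LABELED_SIZE = re.compile(r"^Filesize\s*(\d+(?:\.\d+)?(?:B|KB|MB|GB))$")
SIZE = re.compile(r"^\d+(?:\.\d+)?(?:B|KB|MB|GB)$")
# A path line may have the next field's label fused onto its end.
PATH_WITH_SUFFIX = re.compile(r"^(.*?)(Filesize|MD5|SHA1|SHA256|SHA512)$")


@dataclass
class Dropped:
    path: str
    size: Optional[str] = None
    hashes: Dict[str, str] = field(default_factory=dict)  # algo -> lowercase hex


def parse_listing(text: str) -> List[Dropped]:
    entries: List[Dropped] = []
    cur: Optional[Dropped] = None
    pending: Optional[str] = None  # label whose value sits on the next line

    def close() -> None:
        nonlocal cur
        if cur is not None:
            entries.append(cur)
        cur = None

    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "-":                       # record separator
            close()
            continue
        if pending is not None:               # value for a label fused onto the previous line
            if pending == "Filesize" and SIZE.match(line):
                cur.size = line
            elif pending in HEX_LEN and HEX.match(line) and len(line) == HEX_LEN[pending]:
                cur.hashes[pending] = line.lower()
            pending = None
            continue
        m = LABELED_SIZE.match(line)
        if m:
            cur = cur or Dropped(path="")
            cur.size = m.group(1)
            continue
        m = LABELED_HASH.match(line)
        if m and len(m.group(2)) == HEX_LEN[m.group(1)]:
            cur = cur or Dropped(path="")     # hash lines with no preceding path
            cur.hashes[m.group(1)] = m.group(2).lower()
            continue
        if line == "Filesize" or line in ALGOS:  # bare label, value follows
            cur = cur or Dropped(path="")
            pending = line
            continue
        close()                               # anything else is a new record's path
        m = PATH_WITH_SUFFIX.match(line)
        if m and m.group(1):
            cur = Dropped(path=m.group(1))
            pending = m.group(2)
        else:
            cur = Dropped(path=line)
    close()
    return entries


def hash_bytes(data: bytes) -> Dict[str, str]:
    return {a: hashlib.new(a.lower(), data).hexdigest() for a in ALGOS}


def content_matches(entry: Dropped, data: bytes) -> bool:
    """True only if every hash recorded for the entry equals that of data."""
    if not entry.hashes:
        return False
    actual = hash_bytes(data)
    return all(actual[a] == v for a, v in entry.hashes.items())


def find_by_hash(entries: List[Dropped], digest: str) -> List[Dropped]:
    digest = digest.lower()
    return [e for e in entries if digest in e.hashes.values()]


# Constructed sample: four entries copied verbatim from the report listing.
SAMPLE = r"""
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe580c6f.TMPFilesize
874B
MD5dc258d41d197d20c2fd9aadc9b194e0e
SHA1812e78fe4c6f5f418b94117eaaa5553f88555654
SHA2563110c25202b132958aa899bef1753077d8a438bae7c6e7c0e0a24927a5f33f6b
SHA512bb5656055a746bcc26af9d98206a3d4d89bbf11755212f4e7104eb1fc736adf80d4a3c5e68ecbc48b65b923f5c346599a127b01304e50a0c82fe0c12813edff3
-
C:\Users\Admin\Downloads\WannaCry.exe:Zone.IdentifierFilesize
26B
MD5fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98
-
\??\pipe\LOCAL\crashpad_1632_LNVADSLGYBKQTYCBMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/4176-391-0x0000000010000000-0x0000000010012000-memory.dmpFilesize
72KB
"""

if __name__ == "__main__":
    for e in parse_listing(SAMPLE):
        print(e.path, e.size, e.hashes.get("SHA256"))
    # The named pipe's digests are those of empty content.
    print(content_matches(parse_listing(SAMPLE)[2], b""))
```

Key records by digest rather than by path when you use them: the listing has three distinct `00000000.res` and three `Local State` versions under the same path, and `find_by_hash` is what you want for correlating against EDR or proxy telemetry. `content_matches` refuses an entry with no recorded hashes rather than trivially matching it. The 26-byte `WannaCry.exe:Zone.Identifier` entry is the Mark-of-the-Web alternate data stream the browser attached to the download; if you have a candidate marker body, `content_matches` will tell you whether it is what the sandbox hashed.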