wannacry | hxxps://github[.]com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/WannaCry[.]exe

Analysis

max time kernel
105s
max time network
99s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
26-08-2024 01:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/WannaCry.exe

Score

10^/10

wannacry defense_evasion discovery execution impact persistence ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\!Please Read Me!.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions! �

Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Downloads MZ/PE file

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD2F02.tmp	WannaCry.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD2F19.tmp	WannaCry.exe

Executes dropped EXE 5 IoCs

pid	Process
572	WannaCry.exe
3992	!WannaDecryptor!.exe
772	!WannaDecryptor!.exe
3972	!WannaDecryptor!.exe
2884	!WannaDecryptor!.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\Downloads\\WannaCry.exe\" /r"	WannaCry.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
14	raw.githubusercontent.com
25	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4272559161-3282441186-401869126-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp"	!WannaDecryptor!.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\WannaCry.exe:Zone.Identifier	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
420	taskkill.exe
3292	taskkill.exe
476	taskkill.exe
2144	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133691100472671810"	chrome.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\WannaCry.exe:Zone.Identifier	chrome.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3452	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2284	chrome.exe
2284	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
2284	chrome.exe
2284	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2284	chrome.exe
Token: SeCreatePagefilePrivilege	2284	chrome.exe
Token: SeShutdownPrivilege	2284	chrome.exe
Token: SeCreatePagefilePrivilege	2284	chrome.exe
Token: SeShutdownPrivilege	2284	chrome.exe
Token: SeCreatePagefilePrivilege	2284	chrome.exe
Token: SeShutdownPrivilege	2284	chrome.exe
Token: SeCreatePagefilePrivilege	2284	chrome.exe
Token: SeShutdownPrivilege	2284	chrome.exe
Token: SeCreatePagefilePrivilege	2284	chrome.exe
Token: SeShutdownPrivilege	2284	chrome.exe
Token: SeCreatePagefilePrivilege	2284	chrome.exe
Token: SeShutdownPrivilege	2284	chrome.exe
Token: SeCreatePagefilePrivilege	2284	chrome.exe
Token: SeShutdownPrivilege	2284	chrome.exe
Token: SeCreatePagefilePrivilege	2284	chrome.exe
Token: SeShutdownPrivilege	2284	chrome.exe
Token: SeCreatePagefilePrivilege	2284	chrome.exe
Token: SeShutdownPrivilege	2284	chrome.exe
Token: SeCreatePagefilePrivilege	2284	chrome.exe
Token: SeShutdownPrivilege	2284	chrome.exe
Token: SeCreatePagefilePrivilege	2284	chrome.exe
Token: SeShutdownPrivilege	2284	chrome.exe
Token: SeCreatePagefilePrivilege	2284	chrome.exe
Token: SeShutdownPrivilege	2284	chrome.exe
Token: SeCreatePagefilePrivilege	2284	chrome.exe
Token: SeShutdownPrivilege	2284	chrome.exe
Token: SeCreatePagefilePrivilege	2284	chrome.exe
Token: SeShutdownPrivilege	2284	chrome.exe
Token: SeCreatePagefilePrivilege	2284	chrome.exe
Token: SeShutdownPrivilege	2284	chrome.exe
Token: SeCreatePagefilePrivilege	2284	chrome.exe
Token: SeShutdownPrivilege	2284	chrome.exe
Token: SeCreatePagefilePrivilege	2284	chrome.exe
Token: SeShutdownPrivilege	2284	chrome.exe
Token: SeCreatePagefilePrivilege	2284	chrome.exe
Token: SeShutdownPrivilege	2284	chrome.exe
Token: SeCreatePagefilePrivilege	2284	chrome.exe
Token: SeShutdownPrivilege	2284	chrome.exe
Token: SeCreatePagefilePrivilege	2284	chrome.exe
Token: SeShutdownPrivilege	2284	chrome.exe
Token: SeCreatePagefilePrivilege	2284	chrome.exe
Token: SeShutdownPrivilege	2284	chrome.exe
Token: SeCreatePagefilePrivilege	2284	chrome.exe
Token: SeShutdownPrivilege	2284	chrome.exe
Token: SeCreatePagefilePrivilege	2284	chrome.exe
Token: SeShutdownPrivilege	2284	chrome.exe
Token: SeCreatePagefilePrivilege	2284	chrome.exe
Token: SeShutdownPrivilege	2284	chrome.exe
Token: SeCreatePagefilePrivilege	2284	chrome.exe
Token: SeShutdownPrivilege	2284	chrome.exe
Token: SeCreatePagefilePrivilege	2284	chrome.exe
Token: SeShutdownPrivilege	2284	chrome.exe
Token: SeCreatePagefilePrivilege	2284	chrome.exe
Token: SeShutdownPrivilege	2284	chrome.exe
Token: SeCreatePagefilePrivilege	2284	chrome.exe
Token: SeShutdownPrivilege	2284	chrome.exe
Token: SeCreatePagefilePrivilege	2284	chrome.exe
Token: SeDebugPrivilege	420	taskkill.exe
Token: SeDebugPrivilege	2144	taskkill.exe
Token: SeDebugPrivilege	476	taskkill.exe
Token: SeDebugPrivilege	3292	taskkill.exe
Token: SeShutdownPrivilege	2284	chrome.exe
Token: SeCreatePagefilePrivilege	2284	chrome.exe

Suspicious use of FindShellTrayWindow 42 IoCs

pid	Process
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe
2284	chrome.exe

Suspicious use of SetWindowsHookEx 17 IoCs

pid	Process
3992	!WannaDecryptor!.exe
3992	!WannaDecryptor!.exe
772	!WannaDecryptor!.exe
772	!WannaDecryptor!.exe
3972	!WannaDecryptor!.exe
3972	!WannaDecryptor!.exe
2884	!WannaDecryptor!.exe
2884	!WannaDecryptor!.exe
3452	EXCEL.EXE
3452	EXCEL.EXE
3452	EXCEL.EXE
3452	EXCEL.EXE
3452	EXCEL.EXE
3452	EXCEL.EXE
3452	EXCEL.EXE
3452	EXCEL.EXE
3452	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2284 wrote to memory of 3164	2284	chrome.exe	81
PID 2284 wrote to memory of 3164	2284	chrome.exe	81
PID 2284 wrote to memory of 4960	2284	chrome.exe	82
PID 2284 wrote to memory of 4960	2284	chrome.exe	82
PID 2284 wrote to memory of 4960	2284	chrome.exe	82
PID 2284 wrote to memory of 4960	2284	chrome.exe	82
PID 2284 wrote to memory of 4960	2284	chrome.exe	82
PID 2284 wrote to memory of 4960	2284	chrome.exe	82
PID 2284 wrote to memory of 4960	2284	chrome.exe	82
PID 2284 wrote to memory of 4960	2284	chrome.exe	82
PID 2284 wrote to memory of 4960	2284	chrome.exe	82
PID 2284 wrote to memory of 4960	2284	chrome.exe	82
PID 2284 wrote to memory of 4960	2284	chrome.exe	82
PID 2284 wrote to memory of 4960	2284	chrome.exe	82
PID 2284 wrote to memory of 4960	2284	chrome.exe	82
PID 2284 wrote to memory of 4960	2284	chrome.exe	82
PID 2284 wrote to memory of 4960	2284	chrome.exe	82
PID 2284 wrote to memory of 4960	2284	chrome.exe	82
PID 2284 wrote to memory of 4960	2284	chrome.exe	82
PID 2284 wrote to memory of 4960	2284	chrome.exe	82
PID 2284 wrote to memory of 4960	2284	chrome.exe	82
PID 2284 wrote to memory of 4960	2284	chrome.exe	82
PID 2284 wrote to memory of 4960	2284	chrome.exe	82
PID 2284 wrote to memory of 4960	2284	chrome.exe	82
PID 2284 wrote to memory of 4960	2284	chrome.exe	82
PID 2284 wrote to memory of 4960	2284	chrome.exe	82
PID 2284 wrote to memory of 4960	2284	chrome.exe	82
PID 2284 wrote to memory of 4960	2284	chrome.exe	82
PID 2284 wrote to memory of 4960	2284	chrome.exe	82
PID 2284 wrote to memory of 4960	2284	chrome.exe	82
PID 2284 wrote to memory of 4960	2284	chrome.exe	82
PID 2284 wrote to memory of 4960	2284	chrome.exe	82
PID 2284 wrote to memory of 4668	2284	chrome.exe	83
PID 2284 wrote to memory of 4668	2284	chrome.exe	83
PID 2284 wrote to memory of 3796	2284	chrome.exe	84
PID 2284 wrote to memory of 3796	2284	chrome.exe	84
PID 2284 wrote to memory of 3796	2284	chrome.exe	84
PID 2284 wrote to memory of 3796	2284	chrome.exe	84
PID 2284 wrote to memory of 3796	2284	chrome.exe	84
PID 2284 wrote to memory of 3796	2284	chrome.exe	84
PID 2284 wrote to memory of 3796	2284	chrome.exe	84
PID 2284 wrote to memory of 3796	2284	chrome.exe	84
PID 2284 wrote to memory of 3796	2284	chrome.exe	84
PID 2284 wrote to memory of 3796	2284	chrome.exe	84
PID 2284 wrote to memory of 3796	2284	chrome.exe	84
PID 2284 wrote to memory of 3796	2284	chrome.exe	84
PID 2284 wrote to memory of 3796	2284	chrome.exe	84
PID 2284 wrote to memory of 3796	2284	chrome.exe	84
PID 2284 wrote to memory of 3796	2284	chrome.exe	84
PID 2284 wrote to memory of 3796	2284	chrome.exe	84
PID 2284 wrote to memory of 3796	2284	chrome.exe	84
PID 2284 wrote to memory of 3796	2284	chrome.exe	84
PID 2284 wrote to memory of 3796	2284	chrome.exe	84
PID 2284 wrote to memory of 3796	2284	chrome.exe	84
PID 2284 wrote to memory of 3796	2284	chrome.exe	84
PID 2284 wrote to memory of 3796	2284	chrome.exe	84
PID 2284 wrote to memory of 3796	2284	chrome.exe	84
PID 2284 wrote to memory of 3796	2284	chrome.exe	84
PID 2284 wrote to memory of 3796	2284	chrome.exe	84
PID 2284 wrote to memory of 3796	2284	chrome.exe	84
PID 2284 wrote to memory of 3796	2284	chrome.exe	84
PID 2284 wrote to memory of 3796	2284	chrome.exe	84
PID 2284 wrote to memory of 3796	2284	chrome.exe	84
PID 2284 wrote to memory of 3796	2284	chrome.exe	84

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/WannaCry.exe
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd9901cc40,0x7ffd9901cc4c,0x7ffd9901cc58
  2⤵
  PID:3164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1812,i,11532183100949061199,10370951482684376460,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=1804 /prefetch:2
  2⤵
  PID:4960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2072,i,11532183100949061199,10370951482684376460,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2096 /prefetch:3
  2⤵
  PID:4668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2160,i,11532183100949061199,10370951482684376460,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=1704 /prefetch:8
  2⤵
  PID:3796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3056,i,11532183100949061199,10370951482684376460,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3124 /prefetch:1
  2⤵
  PID:3492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3064,i,11532183100949061199,10370951482684376460,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3148 /prefetch:1
  2⤵
  PID:4024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4532,i,11532183100949061199,10370951482684376460,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4524 /prefetch:8
  2⤵
  PID:4840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4548,i,11532183100949061199,10370951482684376460,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4560 /prefetch:8
  2⤵
  PID:728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4620,i,11532183100949061199,10370951482684376460,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5184 /prefetch:8
  2⤵
  PID:1288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5148,i,11532183100949061199,10370951482684376460,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5160 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:4260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4596,i,11532183100949061199,10370951482684376460,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5136 /prefetch:8
  2⤵
  PID:3568
- C:\Users\Admin\Downloads\WannaCry.exe
  "C:\Users\Admin\Downloads\WannaCry.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:572
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 51521724636469.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3268
  - - C:\Windows\SysWOW64\cscript.exe
      cscript //nologo c.vbs
      4⤵
      System Location Discovery: System Language Discovery
      PID:3068
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe f
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3992
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im MSExchange*
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:420
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Microsoft.Exchange.*
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2144
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sqlserver.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:476
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sqlwriter.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3292
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe c
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:772
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c start /b !WannaDecryptor!.exe v
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4260
  - - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
      !WannaDecryptor!.exe v
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:3972
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3676
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2856
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe
    3⤵
    - Executes dropped EXE
    - Sets desktop wallpaper using registry
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2884

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4788

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4708

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:4060

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\!Please Read Me!.txt
1⤵
PID:416

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\LockCompare.xlsx"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
66f1591458f34528218e980524b000c7

SHA1
19796fe05b45231949ced28cea959c1adffa8620

SHA256
30f42bcd79860cde554afd4f5ffe2e17ff3c2a5afc872fb57c6436bb115e81dc

SHA512
2b7f6638eeb1ea07e15a206c72896a8c86599dff896777ae99eedf5b2a71424751d0ef63d01c9338aad5eaa0686496b9128361a141e8e83ef02397325673902e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
c5479c8714892267fc176918eb72b7d1

SHA1
54a688df7804e19846d6b0a833b6a4af35a28d4b

SHA256
3b4fbebd05f8abce115e10ae1ea6ed50bd02247dc9bd9d49d19590fa43944a69

SHA512
fcb7c919c64fed1f45c49da486d8958d72465b30b793dba59c7a4330b006c9c69510397a3eac9bdba2b9e5132d1a65566f2885f426b24fe2c6c57c2e457aa24f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
bc7624994ec7df976f6103ae1dc9ab5e

SHA1
60e2b0a906b00d258b4bba227d6d2a1499f386b3

SHA256
699c706db97ec99a6d17143e6bde6990e14fb876ee77d80f4a80e756f65fb146

SHA512
60f787ab9f9213f629ed20e3ebb63708945ce3538ea396c659b4969c8bd2f372828122de79f081ea873c13f0b116a9a1d80aa38622e88b3036cf50c9d60804f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
c23310ce654d6632a20719500606a725

SHA1
60bc473bb1fef901d4606dba2a8b49fe81159ecf

SHA256
9fc5818981414a3267a80d7e651be8c83301fee9002f14d2f8da135b447dec46

SHA512
b0c944b2c2f52487875de9f8a5623691a49a6d273a0207099e14b0ab60e39ccc34ce775732f925f41a299daf6a9e35277841c719b69929d56fa5e8117696e169

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
33fd9855895e4569eca5f23c16c41f37

SHA1
37bcf64ce4f93fe3978fa6140ca77dc5de08fde3

SHA256
22c53b7d7c8ace9b2b1939950e152fbd6fa8268056fce20cb64dc54f888727e7

SHA512
dd436319adf7c201c67419ff32a47e66c01c1f5185579d1bec4c79a70ec5530e72f7df2bd231f1d388d0d704fba9119493b594121a385a3b2d57e783a92f5fb0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
80f2154cad9f70327c8779e196d34c42

SHA1
74b16e0af00995bbf88ec5de58ab1c18a54960a5

SHA256
a976e672de05e52014acfc436883af49aaf86d714c21b0e288bf4c081f41a1d4

SHA512
f8b7364405ebf3bc8291c5313698800913854004a7346b89a3a6e5e32d050725f94306489574f9426b60fa9f336842788bfcb6b3b02e7dae9b1da174fcd1b56f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
eadf09c2eb03b95aa8de4213255c601b

SHA1
c2ca41d6d7b647cee980a1af7e82da33bf0016f5

SHA256
92fc3b9331dc5c3678647d9749ef53ae4f122f36f775631ea0d0e7c0d2c532ec

SHA512
7a5d6bcb685bef91e8d55e469f5cedfa594b89d0e82bb3098dd3ad5eff0bda42d9f2a471b74b46a234f2e6bb7357633ffb9c1ae894a68bf487e3a40d87a7f767

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
614e770661eee0f2711efe729a75f642

SHA1
536b09987148786fac5c61333a1968c3dadefdaf

SHA256
b63c8053c5dfe86bff41718e8b6e1770a22c2b36d3db9ff910678a019249fa5a

SHA512
857db8eda899cb20104c8cfeb7828a22e880fd1ba58b740124b555022bae4dd87822a8e2fe4ea6af83aff8f826b8587cc84eead063219db457667215fe7b72bd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
222ebd2dde3448f57f41a5239104ed23

SHA1
adaefc9aa5ff7ec26c9064e73e296e2363af32fa

SHA256
d2850153c693eba2bca7a6c5f0f935403d4e6726324741602394a34742df6a5a

SHA512
6d2db6a56f7ca6eed93f8fed690b6a52be1cb89a5c826f4fff1c19d16c36b65477a8c1a302338e98a4b163cf598e8ed1d09c46bf98eb2b8c3e56546c94b11245

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ff0a34ea3f3b6fbe212ee6162e76b2e9

SHA1
fbfa88d2dfdcb78cfd3a6546b47f6ff6e8d185fb

SHA256
6e5e64dfa4ed3c8590b63fa7aec6671b05efe205516fdfb5f9b5232e310d874a

SHA512
bb71d94c48ecfec2b3ab6c454f74803eb09dc46c6c5c626b2220258ce00ee8061bf484308ecca864112c09c278ce7bb96d09d9628c579fe941c306ffd4f216d3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
31c04df34440a6677a1911d47716b98f

SHA1
9115a2ee4c65eb160afeb781650fbfae185afb58

SHA256
1909b6850c15f32b9832a3342c0130f6ac2e239847ad1378b72eb098dea75175

SHA512
d86e82f3c8ed9a1435a14fc29303b41870b13f81732da000b671e88e34a9b88d76da09aee880cb5f7d75d78e09965f4f73d2dba9085e5bcc24b17069e6e3c712

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8483569cf6c4ae1e80f157bc980cf13c

SHA1
21d05310bb8b89ade2b968d52e30d37b0b38c582

SHA256
abf01305b4a5d7c06cc4c5db1d19a52c55bc38e2c3bcdcf7daa8aff93f294fcf

SHA512
e4abe1a3b39ba287fbaeed2eabfc16f991e8bc123afb3d2a0ba557faae79cf375c8730110a220700a743b3f5cf8df8516a1292a540efb7662e9a6c7272024899

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3bb4271effcb850fa778ab446f7f0272

SHA1
25cf59a3a3a0ac39a5d3de8110e1cd7a8c0bd158

SHA256
1b65843bd70ff71a2b1609bc37a06ba5a7a662a43dc14e018dbe58f1b41e88fc

SHA512
99ba386d15f66cb2164f3802229f6f3c814bc010cdca3d6f894dea89aaa775a49d5ce4b763e3da984c25a82b14d5dd81fd4631a3be8438308492d38b70b7ef0d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
795c3038397993c0add8a2b3e4c3d07c

SHA1
cbb31ba60cde5804aa259d748942ede44bf97606

SHA256
4ca0dea5339efaa2dd6abcdef6746417465098423840246f95afa4e2e24c9477

SHA512
33faa940ea4b953be559495d76e15deafd6e69fecc4db35d21fdd6be07a6ed533310fc105931a56b407a78d1ba2485f4c2b947b1e98eddbf3112052ca4620293

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
27284cbdb7f406ad4fa0d315854a767c

SHA1
8b72c1d8efd297eca57b61238a933b1e3a934198

SHA256
d0cd52a5717eceaebd0bd94636e81a75a70e866582f1031343d6a4b071a8154a

SHA512
d5fb4215eb37c40534bebec596c0fb5c6955c7306908c90bfbeafc37ba56aa7e4cac87761dced14b1a2b2ffc208d8d57a3a4e6c6f11d45986fb8ef16c674e656

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
d9215fc589525fc2281b0516a55f382e

SHA1
6ac6a2c6a6e0da4a42f80e8c2e22460cb715779a

SHA256
4f43ad12f892791f587eeecf65efcc3d5d6f3b1cca876f67747cff7f6ebd5c20

SHA512
e18e675b77ca5ebe6ed2b64c823830a917e8590b50bb67b58c215de5d18c5d3ab9fd4d044af246f2cb2ef6f6c3e55ef233c8a527b17c3e0fa3baa41ec2fcd1a6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\first_party_sets.db

Filesize
48KB

MD5
5a1706ef2fb06594e5ec3a3f15fb89e2

SHA1
983042bba239018b3dced4b56491a90d38ba084a

SHA256
87d62d8837ef9e6ab288f75f207ffa761e90a626a115a0b811ae6357bb7a59dd

SHA512
c56a8b94d62b12af6bd86f392faa7c3b9f257bd2fad69c5fa2d5e6345640fe4576fac629ed070b65ebce237759d30da0c0a62a8a21a0b5ef6b09581d91d0aa16

Download Submit
C:\Users\Admin\Downloads\!Please Read Me!.txt

Filesize
797B

MD5
afa18cf4aa2660392111763fb93a8c3d

SHA1
c219a3654a5f41ce535a09f2a188a464c3f5baf5

SHA256
227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0

SHA512
4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b

Download Submit
C:\Users\Admin\Downloads\!WannaDecryptor!.exe.lnk

Filesize
590B

MD5
eff91dfae74e7245ce4780d43623100e

SHA1
08a847acf857442c1389a6df43e9e7ebc6c15a78

SHA256
3b738f85fd4be72cb98b555c38fc202024b0f8540c4be30d6e9711622e178547

SHA512
44eff58d876aa8eee9cb89246aa215583d4f74aab137f20814301d8e653527032c82d23ea2e8169ce1d873ec0d413b38dca0ea1b92be21d91aa9f4d7b75b8b00

Download Submit
C:\Users\Admin\Downloads\00000000.res

Filesize
136B

MD5
abd5c91169a9e0fd4ec495fd84dca413

SHA1
df0b1b8acae537d3a1a980bcc5f56a8fd1205bc8

SHA256
1483f85b3c38cd9b3b0ef258a9c91149b8e11a1439e9dc002f3262229bcbddce

SHA512
4b8824fc4a27d5f979682acd5d65cc5d9a3b6d8fe00bad830dd2721b2f20e65c93c3be8448ab7b17b47b84040feb20264bb1236b7edea3388834039d36c3c312

Download Submit
C:\Users\Admin\Downloads\00000000.res

Filesize
136B

MD5
6e17efb9c11ea5dc40ae0bce1af3fbca

SHA1
e37677c76526ce0beb0117fde4e968278774ebda

SHA256
926ea0fde50f5526fb574ea2e8d4917b1ab038622e0ef9445bcf2e19c59eef4b

SHA512
0346a61ba0b9534f0f3b593e7fd0049dd6cb44042daf4abf4cf4893b9c27699038992508a670135097b29c2dfbc39e2e7ce852e2e9f29076fc4fc1b7736dd390

Download Submit
C:\Users\Admin\Downloads\00000000.res

Filesize
136B

MD5
345753b46b92673803fedf3cf24ffbe6

SHA1
eb9a9932ce125b92fecc436c170ac7053a8191f0

SHA256
d7a95286810dec3dd182ca192340e28004c2557fc4699e961f32995d8c9fbf05

SHA512
8398029451d5889e487d9c0c9984ded947717f331425cfc2fec6baa2faf65ddeab9a6e5af8eae37742823c4067ab9bafa9c96aebb1b5400419f479d5dd99e6a9

Download Submit
C:\Users\Admin\Downloads\51521724636469.bat

Filesize
318B

MD5
a261428b490a45438c0d55781a9c6e75

SHA1
e9eefce11cefcbb7e5168bfb8de8a3c3ac45c41e

SHA256
4288d655b7de7537d7ea13fdeb1ba19760bcaf04384cd68619d9e5edb5e31f44

SHA512
304887938520ffcc6966da83596ccc8688b7eace9572982c224f3fb9c59e6fb2dcaa021a19d2aae47346e954c0d0d8145c723b7143dece11ac7261dc41ba3d40

Download Submit
C:\Users\Admin\Downloads\WannaCry.exe

Filesize
224KB

MD5
5c7fb0927db37372da25f270708103a2

SHA1
120ed9279d85cbfa56e5b7779ffa7162074f7a29

SHA256
be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844

SHA512
a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f89224c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206

Download Submit
C:\Users\Admin\Downloads\WannaCry.exe:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
C:\Users\Admin\Downloads\c.vbs

Filesize
201B

MD5
02b937ceef5da308c5689fcdb3fb12e9

SHA1
fa5490ea513c1b0ee01038c18cb641a51f459507

SHA256
5d57b86aeb52be824875008a6444daf919717408ec45aff4640b5e64610666f1

SHA512
843eeae13ac5fdc216b14e40534543c283ecb2b6c31503aba2d25ddd215df19105892e43cf618848742de9c13687d21e8c834eff3f2b69a26df2509a6f992653

Download Submit
C:\Users\Admin\Downloads\c.wry

Filesize
628B

MD5
9cce22ea05a9367d2431c4f11e10b164

SHA1
5819a5b9a821d3d416ce2d20c1977110131fb588

SHA256
666b6de2788e186a45b31498fabd57e5693e278a40cf891816a6bedda606901b

SHA512
ee46ebfdcad36e9ab4563ace48528c41587d3be913f4285beee6e592a4eb046af7ff7869d4cea0500bcfb319226088724ce1ed6632631529de51d50e24d7648d

Download Submit
C:\Users\Admin\Downloads\m.wry

Filesize
42KB

MD5
980b08bac152aff3f9b0136b616affa5

SHA1
2a9c9601ea038f790cc29379c79407356a3d25a3

SHA256
402046ada270528c9ac38bbfa0152836fe30fb8e12192354e53b8397421430d9

SHA512
100cda1f795781042b012498afd783fd6ff03b0068dbd07b2c2e163cd95e6c6e00755ce16b02b017693c9febc149ed02df9df9b607e2b9cca4b07e5bd420f496

Download Submit
C:\Users\Admin\Downloads\u.wry

Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
memory/572-236-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download
memory/3452-1783-0x00007FFD682D0000-0x00007FFD682E0000-memory.dmp

Filesize
64KB

Download
memory/3452-1785-0x00007FFD682D0000-0x00007FFD682E0000-memory.dmp

Filesize
64KB

Download
memory/3452-1784-0x00007FFD682D0000-0x00007FFD682E0000-memory.dmp

Filesize
64KB

Download
memory/3452-1786-0x00007FFD682D0000-0x00007FFD682E0000-memory.dmp

Filesize
64KB

Download
memory/3452-1787-0x00007FFD682D0000-0x00007FFD682E0000-memory.dmp

Filesize
64KB

Download
memory/3452-1788-0x00007FFD65F20000-0x00007FFD65F30000-memory.dmp

Filesize
64KB

Download
memory/3452-1789-0x00007FFD65F20000-0x00007FFD65F30000-memory.dmp

Filesize
64KB

Download
memory/3452-1815-0x00007FFD682D0000-0x00007FFD682E0000-memory.dmp

Filesize
64KB

Download
memory/3452-1816-0x00007FFD682D0000-0x00007FFD682E0000-memory.dmp

Filesize
64KB

Download
memory/3452-1818-0x00007FFD682D0000-0x00007FFD682E0000-memory.dmp

Filesize
64KB

Download
memory/3452-1817-0x00007FFD682D0000-0x00007FFD682E0000-memory.dmp

Filesize
64KB

Download