wannacry | hxxps://github[.]com/Da2dalus/The-MALWARE-Repo

Resubmissions

27-09-2024 13:49

240927-q45laaxgne 10

27-09-2024 13:46

240927-q3bltaxfqc 9

27-09-2024 11:49

240927-ny4qpa1dkm 10

27-09-2024 11:43

240927-nvsh9a1bnk 10

Analysis

max time kernel
1040s
max time network
440s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
27-09-2024 13:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo

Score

10^/10

wannacry defense_evasion discovery execution impact persistence ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\!Please Read Me!.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions! �

Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Downloads MZ/PE file

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDDC3.tmp	WannaCry.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDD9D.tmp	WannaCry.exe

Executes dropped EXE 11 IoCs

pid	Process
2312	WannaCry.exe
4200	!WannaDecryptor!.exe
5152	WannaCry.exe
6064	!WannaDecryptor!.exe
4592	!WannaDecryptor!.exe
4360	!WannaDecryptor!.exe
5632	WannaCry.exe
5260	WannaCry.exe
5788	WannaCry.exe
5876	WannaCry.exe
1068	WannaCry.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\Downloads\\WannaCry.exe\" /r"	WannaCry.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
64	raw.githubusercontent.com
65	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp"	!WannaDecryptor!.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
4480	taskkill.exe
4536	taskkill.exe
2844	taskkill.exe
3564	taskkill.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 110737.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 103776.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
464	msedge.exe
464	msedge.exe
4060	msedge.exe
4060	msedge.exe
3856	identity_helper.exe
3856	identity_helper.exe
4480	msedge.exe
4480	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

description	pid	Process
Token: SeDebugPrivilege	4536	taskkill.exe
Token: SeDebugPrivilege	4480	taskkill.exe
Token: SeDebugPrivilege	3564	taskkill.exe
Token: SeDebugPrivilege	2844	taskkill.exe
Token: SeIncreaseQuotaPrivilege	5172	WMIC.exe
Token: SeSecurityPrivilege	5172	WMIC.exe
Token: SeTakeOwnershipPrivilege	5172	WMIC.exe
Token: SeLoadDriverPrivilege	5172	WMIC.exe
Token: SeSystemProfilePrivilege	5172	WMIC.exe
Token: SeSystemtimePrivilege	5172	WMIC.exe
Token: SeProfSingleProcessPrivilege	5172	WMIC.exe
Token: SeIncBasePriorityPrivilege	5172	WMIC.exe
Token: SeCreatePagefilePrivilege	5172	WMIC.exe
Token: SeBackupPrivilege	5172	WMIC.exe
Token: SeRestorePrivilege	5172	WMIC.exe
Token: SeShutdownPrivilege	5172	WMIC.exe
Token: SeDebugPrivilege	5172	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5172	WMIC.exe
Token: SeRemoteShutdownPrivilege	5172	WMIC.exe
Token: SeUndockPrivilege	5172	WMIC.exe
Token: SeManageVolumePrivilege	5172	WMIC.exe
Token: 33	5172	WMIC.exe
Token: 34	5172	WMIC.exe
Token: 35	5172	WMIC.exe
Token: 36	5172	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5172	WMIC.exe
Token: SeSecurityPrivilege	5172	WMIC.exe
Token: SeTakeOwnershipPrivilege	5172	WMIC.exe
Token: SeLoadDriverPrivilege	5172	WMIC.exe
Token: SeSystemProfilePrivilege	5172	WMIC.exe
Token: SeSystemtimePrivilege	5172	WMIC.exe
Token: SeProfSingleProcessPrivilege	5172	WMIC.exe
Token: SeIncBasePriorityPrivilege	5172	WMIC.exe
Token: SeCreatePagefilePrivilege	5172	WMIC.exe
Token: SeBackupPrivilege	5172	WMIC.exe
Token: SeRestorePrivilege	5172	WMIC.exe
Token: SeShutdownPrivilege	5172	WMIC.exe
Token: SeDebugPrivilege	5172	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5172	WMIC.exe
Token: SeRemoteShutdownPrivilege	5172	WMIC.exe
Token: SeUndockPrivilege	5172	WMIC.exe
Token: SeManageVolumePrivilege	5172	WMIC.exe
Token: 33	5172	WMIC.exe
Token: 34	5172	WMIC.exe
Token: 35	5172	WMIC.exe
Token: 36	5172	WMIC.exe
Token: SeBackupPrivilege	5284	vssvc.exe
Token: SeRestorePrivilege	5284	vssvc.exe
Token: SeAuditPrivilege	5284	vssvc.exe

Suspicious use of FindShellTrayWindow 43 IoCs

pid	Process
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe
4060	msedge.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
4200	!WannaDecryptor!.exe
4200	!WannaDecryptor!.exe
6064	!WannaDecryptor!.exe
6064	!WannaDecryptor!.exe
4592	!WannaDecryptor!.exe
4592	!WannaDecryptor!.exe
4360	!WannaDecryptor!.exe
4360	!WannaDecryptor!.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4060 wrote to memory of 2632	4060	msedge.exe	82
PID 4060 wrote to memory of 2632	4060	msedge.exe	82
PID 4060 wrote to memory of 5100	4060	msedge.exe	83
PID 4060 wrote to memory of 5100	4060	msedge.exe	83
PID 4060 wrote to memory of 5100	4060	msedge.exe	83
PID 4060 wrote to memory of 5100	4060	msedge.exe	83
PID 4060 wrote to memory of 5100	4060	msedge.exe	83
PID 4060 wrote to memory of 5100	4060	msedge.exe	83
PID 4060 wrote to memory of 5100	4060	msedge.exe	83
PID 4060 wrote to memory of 5100	4060	msedge.exe	83
PID 4060 wrote to memory of 5100	4060	msedge.exe	83
PID 4060 wrote to memory of 5100	4060	msedge.exe	83
PID 4060 wrote to memory of 5100	4060	msedge.exe	83
PID 4060 wrote to memory of 5100	4060	msedge.exe	83
PID 4060 wrote to memory of 5100	4060	msedge.exe	83
PID 4060 wrote to memory of 5100	4060	msedge.exe	83
PID 4060 wrote to memory of 5100	4060	msedge.exe	83
PID 4060 wrote to memory of 5100	4060	msedge.exe	83
PID 4060 wrote to memory of 5100	4060	msedge.exe	83
PID 4060 wrote to memory of 5100	4060	msedge.exe	83
PID 4060 wrote to memory of 5100	4060	msedge.exe	83
PID 4060 wrote to memory of 5100	4060	msedge.exe	83
PID 4060 wrote to memory of 5100	4060	msedge.exe	83
PID 4060 wrote to memory of 5100	4060	msedge.exe	83
PID 4060 wrote to memory of 5100	4060	msedge.exe	83
PID 4060 wrote to memory of 5100	4060	msedge.exe	83
PID 4060 wrote to memory of 5100	4060	msedge.exe	83
PID 4060 wrote to memory of 5100	4060	msedge.exe	83
PID 4060 wrote to memory of 5100	4060	msedge.exe	83
PID 4060 wrote to memory of 5100	4060	msedge.exe	83
PID 4060 wrote to memory of 5100	4060	msedge.exe	83
PID 4060 wrote to memory of 5100	4060	msedge.exe	83
PID 4060 wrote to memory of 5100	4060	msedge.exe	83
PID 4060 wrote to memory of 5100	4060	msedge.exe	83
PID 4060 wrote to memory of 5100	4060	msedge.exe	83
PID 4060 wrote to memory of 5100	4060	msedge.exe	83
PID 4060 wrote to memory of 5100	4060	msedge.exe	83
PID 4060 wrote to memory of 5100	4060	msedge.exe	83
PID 4060 wrote to memory of 5100	4060	msedge.exe	83
PID 4060 wrote to memory of 5100	4060	msedge.exe	83
PID 4060 wrote to memory of 5100	4060	msedge.exe	83
PID 4060 wrote to memory of 5100	4060	msedge.exe	83
PID 4060 wrote to memory of 464	4060	msedge.exe	84
PID 4060 wrote to memory of 464	4060	msedge.exe	84
PID 4060 wrote to memory of 4980	4060	msedge.exe	85
PID 4060 wrote to memory of 4980	4060	msedge.exe	85
PID 4060 wrote to memory of 4980	4060	msedge.exe	85
PID 4060 wrote to memory of 4980	4060	msedge.exe	85
PID 4060 wrote to memory of 4980	4060	msedge.exe	85
PID 4060 wrote to memory of 4980	4060	msedge.exe	85
PID 4060 wrote to memory of 4980	4060	msedge.exe	85
PID 4060 wrote to memory of 4980	4060	msedge.exe	85
PID 4060 wrote to memory of 4980	4060	msedge.exe	85
PID 4060 wrote to memory of 4980	4060	msedge.exe	85
PID 4060 wrote to memory of 4980	4060	msedge.exe	85
PID 4060 wrote to memory of 4980	4060	msedge.exe	85
PID 4060 wrote to memory of 4980	4060	msedge.exe	85
PID 4060 wrote to memory of 4980	4060	msedge.exe	85
PID 4060 wrote to memory of 4980	4060	msedge.exe	85
PID 4060 wrote to memory of 4980	4060	msedge.exe	85
PID 4060 wrote to memory of 4980	4060	msedge.exe	85
PID 4060 wrote to memory of 4980	4060	msedge.exe	85
PID 4060 wrote to memory of 4980	4060	msedge.exe	85
PID 4060 wrote to memory of 4980	4060	msedge.exe	85

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Da2dalus/The-MALWARE-Repo
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffaba0546f8,0x7ffaba054708,0x7ffaba054718
  2⤵
  PID:2632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1780,18209272781405794389,9126206959789491931,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2080 /prefetch:2
  2⤵
  PID:5100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1780,18209272781405794389,9126206959789491931,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2516 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1780,18209272781405794389,9126206959789491931,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2880 /prefetch:8
  2⤵
  PID:4980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1780,18209272781405794389,9126206959789491931,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:3048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1780,18209272781405794389,9126206959789491931,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:1988
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1780,18209272781405794389,9126206959789491931,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5368 /prefetch:8
  2⤵
  PID:4976
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1780,18209272781405794389,9126206959789491931,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5368 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1780,18209272781405794389,9126206959789491931,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5004 /prefetch:1
  2⤵
  PID:4600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1780,18209272781405794389,9126206959789491931,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5028 /prefetch:1
  2⤵
  PID:2232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1780,18209272781405794389,9126206959789491931,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=180 /prefetch:1
  2⤵
  PID:2896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1780,18209272781405794389,9126206959789491931,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5756 /prefetch:1
  2⤵
  PID:3088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1780,18209272781405794389,9126206959789491931,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5452 /prefetch:8
  2⤵
  PID:3348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1780,18209272781405794389,9126206959789491931,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:1
  2⤵
  PID:3796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1780,18209272781405794389,9126206959789491931,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6352 /prefetch:8
  2⤵
  PID:652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1780,18209272781405794389,9126206959789491931,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4968 /prefetch:8
  2⤵
  PID:3356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1780,18209272781405794389,9126206959789491931,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5636 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4480
- C:\Users\Admin\Downloads\WannaCry.exe
  "C:\Users\Admin\Downloads\WannaCry.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2312
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 85821727445037.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3160
  - - C:\Windows\SysWOW64\cscript.exe
      cscript //nologo c.vbs
      4⤵
      System Location Discovery: System Language Discovery
      PID:1732
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe f
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4200
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im MSExchange*
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4480
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Microsoft.Exchange.*
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4536
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sqlserver.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2844
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sqlwriter.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3564
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe c
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:6064
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c start /b !WannaDecryptor!.exe v
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6076
  - - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
      !WannaDecryptor!.exe v
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:4592
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2480
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:5172
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe
    3⤵
    - Executes dropped EXE
    - Sets desktop wallpaper using registry
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4360
- C:\Users\Admin\Downloads\WannaCry.exe
  "C:\Users\Admin\Downloads\WannaCry.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5152

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4948

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2256

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5284

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5480

C:\Users\Admin\Downloads\WannaCry.exe
"C:\Users\Admin\Downloads\WannaCry.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5632

C:\Users\Admin\Downloads\WannaCry.exe
"C:\Users\Admin\Downloads\WannaCry.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5260

C:\Users\Admin\Downloads\WannaCry.exe
"C:\Users\Admin\Downloads\WannaCry.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5788

C:\Users\Admin\Downloads\WannaCry.exe
"C:\Users\Admin\Downloads\WannaCry.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5876

C:\Users\Admin\Downloads\WannaCry.exe
"C:\Users\Admin\Downloads\WannaCry.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ecf7ca53c80b5245e35839009d12f866

SHA1
a7af77cf31d410708ebd35a232a80bddfb0615bb

SHA256
882a513b71b26210ff251769b82b2c5d59a932f96d9ce606ca2fab6530a13687

SHA512
706722bd22ce27d854036b1b16e6a3cdb36284b66edc76238a79c2e11cee7d1307b121c898ad832eb1af73e4f08d991d64dc0bff529896ffb4ebe9b3dc381696

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4dd2754d1bea40445984d65abee82b21

SHA1
4b6a5658bae9a784a370a115fbb4a12e92bd3390

SHA256
183b8e82a0deaa83d04736553671cedb738adc909f483b3c5f822a0e6be7477d

SHA512
92d44ee372ad33f892b921efa6cabc78e91025e89f05a22830763217826fa98d51d55711f85c8970ac58abf9adc6c85cc40878032cd6d2589ab226cd099f99e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
add6229293165a33c79e20691110e3e5

SHA1
090a51476a82ee0232ed2e9244591971df995165

SHA256
732de6e4bb4dcfd6bcabe6924d6a5e9f2e26bc564f5cbe92d310d46c4970a036

SHA512
1505d42559974e3db756b98080f336a613bf7f381e4f51b73afe8e97e33be7bd13b074073de8f9dc2ddbd99fddaa8968f0c6a48722d8586f97a56e877cc4ef17

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
579B

MD5
75237b876e4ebf0cf587313ae92b7952

SHA1
ef712d6b1e678d091b39cd593b8d4a2a5520f139

SHA256
d7abd571a35eaba20a7c57d7ac93cbb59b8d4b417f4b67590ee1c29ff561442b

SHA512
0c96b1f590a69141018c2112e36de65fb30ab57320b4b76da3a672b23c716197fc06e0f381491975319a8ad4ae138660469d3149cfbb69be96a2cfdfcaf802b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
700d1f8be82c77f69216b5129358ea1c

SHA1
09e79f07e37caca4b7ae677f7c2ac69b0269e544

SHA256
a524b99a0ac2975f486694e1dae4893d45d8c1741c294f5a97c61083eac27771

SHA512
5863f99e3cd01b497f4ae75b1195f1c95cce50fbb71509d70a674addf31e259fb02147a2655b5c72f429860d141d074d3a9ec3359a7f25fc12b6a876979c165b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2a559891ae50b3f0fd8c003bb6ec83b4

SHA1
adb02962a4eb4a1fb72f57f9baa564a35d49363e

SHA256
cbd25cb5467421894da272f0af1fc404c7bd936f0f834d4294e2e0d4efef8a37

SHA512
559956cd54cde117c25a02c62cc350ddc0b8a3de85a796f46678a04b550ee5b422b504918cae94f64fdf1098b3be817e4c94ab605d40a804c6f01edd0145ee2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ccaef9d0fc608471d260f90236aba6a5

SHA1
a4e36a87afbd09b4efd9ad1cb25b9c5c171b109d

SHA256
e5b1882b423d0f41402cbedb957fd43b1530b81352a155f00a15147f4354f5b3

SHA512
990791d4b62c6093a335f02c31b30eb08dd44e9d00afe51897a6d230120f3478a093279038061567b1e917982ec2478e13f85bede0aa6f973693125a2e80d006

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
98a5f71663e4beae4e63b91d8f95621a

SHA1
b62bc18743a7f7f0be8de3fb261671372f3f83f4

SHA256
df88aa853a1dc92eee3ebb3f370f25bc987d52ede1fc559346df8293bc52d112

SHA512
5d70bb5e6540ee964d1cc48f902863cf9bf3a7cf96e6be86ce2e81e275cf2c235b1e26667bd78a37cf8e0520f08f6ff5b3bf9b00aec7713b356e14f0d0cc5b6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
086a98ba7c3df67d39fb13ceab4ba15e

SHA1
84d24ad9d90e72d3c7d582898ea2768709e5b73c

SHA256
1ab566a4486ae8a00f284fd26aaef3421099494995b84b646223a3f2feaf5633

SHA512
093930632114a61e6f04737626d51f9fc61bb009392bef272d015897d9fd60d5424928eb2b2d34497496874d821a897c04dbb36a9c3016e80cf6fba196d34bf1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
f7da3f27ac80e4cbf7b0c9e346854464

SHA1
13f0821f4fd3cdd982c3650fdc57deec8e319bc6

SHA256
721662627caff69edb57d325a636bb599971b91075d43ab770fccf26af4912a2

SHA512
53a0289c122d227fb9971b10423ff7c8f3429a1d463ec399e90b98c07da4a44b24e0b144e2c29ae9e6f68b3ac20792712ac1a22ea1682444f6328ef4f4d149be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57c2e2.TMP

Filesize
874B

MD5
7f5cc40bbf24daa1e5f04f8c171c7fd2

SHA1
7411a94cd4053150048ceea9d64068b39a532402

SHA256
707895b4507d026242af8b791e24c67e64e6f29244aea9b0deffc80ef16a0e6d

SHA512
c8fb7d0e769bc2859a939ee919072984ec7a592a6b5266984bd59ba4ca3c13c813b248c5a6f8b5fa05c8a117cc668457a58957df2fd7e8fb01bd9e3b8602fbce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\bddbf766-3e36-49dc-9ce5-894b244a9925.tmp

Filesize
874B

MD5
17ff0d39cc7313f6a851e3f72b38a4eb

SHA1
4079e6daeb4d2c3761556ef66c944699522931bf

SHA256
ea8f10feea4767ef2bd3edb20a6a8409efc965f28fae102da4b2497cb0ccc880

SHA512
4dd88f5d770af7def2bc88e18effd47c45218d1e74914879b6ea2265660fffa5f9d5f5776a844299ac7bfb88c07182a6d13302fa0838636edd8dfb0dee113a78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
0c90e541bbdfd7d83769c325012b33a9

SHA1
eac95012b4ee2c5deab187c11819f299ea3cbf9b

SHA256
f03ced6fb8a031133cd2752f2c3241f86632388f0374ecaf771f10af015eaea0

SHA512
af90d136827e27f062b86bd51c1eadde2d565a9d0d2eded16b0813d5550b651b4103c4f486331633386772f58acdd29e617dfc5c7f1ab176730febe94e9142c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
ebb87d6f4f39a463801b4242cba5a6b1

SHA1
8120b71737800d653c6e7be9340d82d0e8c2f52d

SHA256
7916529e7a47edccc8d336e6fb33fec0a5f1b12d14a52f60350ff2895594351f

SHA512
74f2f1b343222be0bc908342f72876178460cba03ef4bedde7213ea63cb9b9e4ce38a223fa2f76d7bb01e732c9e6028637867bbba3693df46be78a20584ab89d

Download Submit
C:\Users\Admin\Downloads\!Please Read Me!.txt

Filesize
797B

MD5
afa18cf4aa2660392111763fb93a8c3d

SHA1
c219a3654a5f41ce535a09f2a188a464c3f5baf5

SHA256
227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0

SHA512
4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b

Download Submit
C:\Users\Admin\Downloads\!WannaDecryptor!.exe.lnk

Filesize
590B

MD5
281856499c33f572d80eb69cbc797485

SHA1
844f2fb5ad338134dbf1e1e9bb23c246ad6b584e

SHA256
253d9c17ecfa5dad8e08eb76d63cd1005399d6dff6265ceeb15b6307a55fcd4e

SHA512
c4a679a5c7d7c46dba28364d386295f0b0f7a2fd1fa09d01a7c0183d624d6a73068baa62935fa4936a46fffc37018d7cff7028c8970867ff77d93836d45696d9

Download Submit
C:\Users\Admin\Downloads\00000000.pky

Filesize
276B

MD5
ee1d9d0f0f89fb7fff74254ec0792c14

SHA1
61f10031d91a9d950d51c730e9dc90665114f00d

SHA256
e3294957481af817feb7e7c58b8de038a84e7629e027c0f40935748c4e467f84

SHA512
0b58f2c0ce1843be7c828452ceeb4109cca5c0612933f4fec37e7e07161db1c50f3247751be662ca335e8bbc75d4a4811fe4b964165b4a663cbcb5f0eaa82df5

Download Submit
C:\Users\Admin\Downloads\00000000.res

Filesize
136B

MD5
6e099edf228a3768e8cdb104bc0314ce

SHA1
09725b719b086ba0d9b03a18c9e5c52769f7fef5

SHA256
1ea8e287745dd94c47fdd9bd599c3ce398c185cfd8f936fbdb333e16f657874a

SHA512
292a617d1326a39cc4be72e2764defff6d2d35fd4230b5a928c4c1537bb752b5d2c0db58ecceee1a99feb7ba6e76161091270dd58ec8263b16ac933786ca8af0

Download Submit
C:\Users\Admin\Downloads\00000000.res

Filesize
136B

MD5
98badcfef412e093f7a5e213dacd270a

SHA1
8b5402e50aaa91c4e09f6592f5ca9c98053842e7

SHA256
19977d0d97024e06a3c8a584678ae9826774c03143b78ce631aa7a9659d9195c

SHA512
8369621e19d05e08e518334452bd7bc3bbe8a49b5a4b552693e058e288df44d38008c5004b8e60d577542dc12fa5bcfdee7a4444d140453bc67aba694c12179b

Download Submit
C:\Users\Admin\Downloads\00000000.res

Filesize
136B

MD5
c4749d4267b39bbabeeb30d76e712835

SHA1
f7e5f8d1f4753625583024a063b232b947b6d53c

SHA256
3eb220b6fe82719b92ea52c215ef292f6016b82defbe0af9e21fc32e9eab54d0

SHA512
be0cc527ecccc4dc44a98d9f9abf2533c98fbd168123312ac159d8f0dd4f1b306ddb26d257d3eff77418f918c291d6117b346a16c1f2aae01741e9a54b8df1c1

Download Submit
C:\Users\Admin\Downloads\85821727445037.bat

Filesize
318B

MD5
a261428b490a45438c0d55781a9c6e75

SHA1
e9eefce11cefcbb7e5168bfb8de8a3c3ac45c41e

SHA256
4288d655b7de7537d7ea13fdeb1ba19760bcaf04384cd68619d9e5edb5e31f44

SHA512
304887938520ffcc6966da83596ccc8688b7eace9572982c224f3fb9c59e6fb2dcaa021a19d2aae47346e954c0d0d8145c723b7143dece11ac7261dc41ba3d40

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 110737.crdownload

Filesize
224KB

MD5
5c7fb0927db37372da25f270708103a2

SHA1
120ed9279d85cbfa56e5b7779ffa7162074f7a29

SHA256
be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844

SHA512
a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f89224c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206

Download Submit
C:\Users\Admin\Downloads\c.vbs

Filesize
201B

MD5
02b937ceef5da308c5689fcdb3fb12e9

SHA1
fa5490ea513c1b0ee01038c18cb641a51f459507

SHA256
5d57b86aeb52be824875008a6444daf919717408ec45aff4640b5e64610666f1

SHA512
843eeae13ac5fdc216b14e40534543c283ecb2b6c31503aba2d25ddd215df19105892e43cf618848742de9c13687d21e8c834eff3f2b69a26df2509a6f992653

Download Submit
C:\Users\Admin\Downloads\c.wry

Filesize
628B

MD5
663e55df21852bc8870b86bc38e58262

SHA1
1c691bf030ecfce78a9476fbdef3afe61724e6a9

SHA256
bf22e8e18db1638673f47591a13d18ee58d8c6019314bab5a90be82ae3dc9538

SHA512
6a54be1fa549633a2fd888c559207437b8f6efda98bb18d491c8749f39e9754f1e680fa8e2d623777b5f665b2c04d19385c75ce4e61fb251db16018963a9a6f9

Download Submit
C:\Users\Admin\Downloads\c.wry

Filesize
628B

MD5
795e5cb709cfdee1a3e37aa34b353dac

SHA1
4933a431d03898cd1ed3ed9830bc01fb66199ea2

SHA256
0dd8151a68e45134a343b414d53d5dac9423800ec860008193bb3264204ef921

SHA512
b20839db28f96591cf635b6ad47f04c7ac6d9470d41e2901687d7e725cd37328965aeb331e7f22b21bdb59e49d949e5b1db6c950d32a4c8f66487de7959fed5b

Download Submit
C:\Users\Admin\Downloads\f.wry

Filesize
593B

MD5
5ffc85857b532a29ca30469191bfbf5b

SHA1
ba37f54f564115c3ec62168d0e8a42fbfebdc98a

SHA256
1dafe7a3a03a87e0899ddbcae8bbbddbe0309347f865ab2c22e4d1ff9e08c7da

SHA512
473accd23fda2f0b2c500c178a6a5963b705a93f3e9a3a2970b96315bc1ebf0371cd9d6c816105cd0bd9fdf1376b0d3ccf937d91ae2fb5e1ea4fd6a273afa357

Download Submit
C:\Users\Admin\Downloads\m.wry

Filesize
42KB

MD5
980b08bac152aff3f9b0136b616affa5

SHA1
2a9c9601ea038f790cc29379c79407356a3d25a3

SHA256
402046ada270528c9ac38bbfa0152836fe30fb8e12192354e53b8397421430d9

SHA512
100cda1f795781042b012498afd783fd6ff03b0068dbd07b2c2e163cd95e6c6e00755ce16b02b017693c9febc149ed02df9df9b607e2b9cca4b07e5bd420f496

Download Submit
C:\Users\Admin\Downloads\r.wry

Filesize
729B

MD5
880e6a619106b3def7e1255f67cb8099

SHA1
8b3a90b2103a92d9facbfb1f64cb0841d97b4de7

SHA256
c9e9dc06f500ae39bfeb4671233cc97bb6dab58d97bb94aba4a2e0e509418d35

SHA512
c35ca30e0131ae4ee3429610ce4914a36b681d2c406f67816f725aa336969c2996347268cb3d19c22abaa4e2740ae86f4210b872610a38b4fa09ee80fcf36243

Download Submit
C:\Users\Admin\Downloads\t.wry

Filesize
68KB

MD5
5557ee73699322602d9ae8294e64ce10

SHA1
1759643cf8bfd0fb8447fd31c5b616397c27be96

SHA256
a7dd727b4e0707026186fcab24ff922da50368e1a4825350bd9c4828c739a825

SHA512
77740de21603fe5dbb0d9971e18ec438a9df7aaa5cea6bd6ef5410e0ab38a06ce77fbaeb8fc68e0177323e6f21d0cee9410e21b7e77e8d60cc17f7d93fdb3d5e

Download Submit
C:\Users\Admin\Downloads\u.wry

Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
memory/2312-314-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download