wannacry | hxxps://github[.]com/Da2dalus/The-MALWARE-Repo[.]git

Analysis

max time kernel
84s
max time network
74s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28-12-2024 21:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo.git

Score

10^/10

wannacry defense_evasion discovery execution impact persistence ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\!Please Read Me!.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions! �

Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Wannacry family
wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Downloads MZ/PE file

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD48CE.tmp	WannaCry.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD48E4.tmp	WannaCry.exe

Executes dropped EXE 6 IoCs

pid	Process
2464	WannaCry.exe
4816	WannaCry.exe
4956	!WannaDecryptor!.exe
3024	!WannaDecryptor!.exe
1016	!WannaDecryptor!.exe
1336	!WannaDecryptor!.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\Downloads\\WannaCry.exe\" /r"	WannaCry.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
57	raw.githubusercontent.com
58	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp"	!WannaDecryptor!.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
724	taskkill.exe
2924	taskkill.exe
2832	taskkill.exe
264	taskkill.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 523666.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3972	msedge.exe
3972	msedge.exe
3100	msedge.exe
3100	msedge.exe
4400	identity_helper.exe
4400	identity_helper.exe
4604	msedge.exe
4604	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1336	!WannaDecryptor!.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

description	pid	Process
Token: SeDebugPrivilege	2832	taskkill.exe
Token: SeDebugPrivilege	724	taskkill.exe
Token: SeDebugPrivilege	264	taskkill.exe
Token: SeDebugPrivilege	2924	taskkill.exe
Token: SeIncreaseQuotaPrivilege	3736	WMIC.exe
Token: SeSecurityPrivilege	3736	WMIC.exe
Token: SeTakeOwnershipPrivilege	3736	WMIC.exe
Token: SeLoadDriverPrivilege	3736	WMIC.exe
Token: SeSystemProfilePrivilege	3736	WMIC.exe
Token: SeSystemtimePrivilege	3736	WMIC.exe
Token: SeProfSingleProcessPrivilege	3736	WMIC.exe
Token: SeIncBasePriorityPrivilege	3736	WMIC.exe
Token: SeCreatePagefilePrivilege	3736	WMIC.exe
Token: SeBackupPrivilege	3736	WMIC.exe
Token: SeRestorePrivilege	3736	WMIC.exe
Token: SeShutdownPrivilege	3736	WMIC.exe
Token: SeDebugPrivilege	3736	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3736	WMIC.exe
Token: SeRemoteShutdownPrivilege	3736	WMIC.exe
Token: SeUndockPrivilege	3736	WMIC.exe
Token: SeManageVolumePrivilege	3736	WMIC.exe
Token: 33	3736	WMIC.exe
Token: 34	3736	WMIC.exe
Token: 35	3736	WMIC.exe
Token: 36	3736	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3736	WMIC.exe
Token: SeSecurityPrivilege	3736	WMIC.exe
Token: SeTakeOwnershipPrivilege	3736	WMIC.exe
Token: SeLoadDriverPrivilege	3736	WMIC.exe
Token: SeSystemProfilePrivilege	3736	WMIC.exe
Token: SeSystemtimePrivilege	3736	WMIC.exe
Token: SeProfSingleProcessPrivilege	3736	WMIC.exe
Token: SeIncBasePriorityPrivilege	3736	WMIC.exe
Token: SeCreatePagefilePrivilege	3736	WMIC.exe
Token: SeBackupPrivilege	3736	WMIC.exe
Token: SeRestorePrivilege	3736	WMIC.exe
Token: SeShutdownPrivilege	3736	WMIC.exe
Token: SeDebugPrivilege	3736	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3736	WMIC.exe
Token: SeRemoteShutdownPrivilege	3736	WMIC.exe
Token: SeUndockPrivilege	3736	WMIC.exe
Token: SeManageVolumePrivilege	3736	WMIC.exe
Token: 33	3736	WMIC.exe
Token: 34	3736	WMIC.exe
Token: 35	3736	WMIC.exe
Token: 36	3736	WMIC.exe
Token: SeBackupPrivilege	3300	vssvc.exe
Token: SeRestorePrivilege	3300	vssvc.exe
Token: SeAuditPrivilege	3300	vssvc.exe

Suspicious use of FindShellTrayWindow 53 IoCs

pid	Process
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
1336	!WannaDecryptor!.exe
1336	!WannaDecryptor!.exe

Suspicious use of SendNotifyMessage 40 IoCs

pid	Process
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe
3100	msedge.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
4956	!WannaDecryptor!.exe
4956	!WannaDecryptor!.exe
3024	!WannaDecryptor!.exe
3024	!WannaDecryptor!.exe
1016	!WannaDecryptor!.exe
1016	!WannaDecryptor!.exe
1336	!WannaDecryptor!.exe
1336	!WannaDecryptor!.exe
1336	!WannaDecryptor!.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3100 wrote to memory of 2368	3100	msedge.exe	82
PID 3100 wrote to memory of 2368	3100	msedge.exe	82
PID 3100 wrote to memory of 4180	3100	msedge.exe	83
PID 3100 wrote to memory of 4180	3100	msedge.exe	83
PID 3100 wrote to memory of 4180	3100	msedge.exe	83
PID 3100 wrote to memory of 4180	3100	msedge.exe	83
PID 3100 wrote to memory of 4180	3100	msedge.exe	83
PID 3100 wrote to memory of 4180	3100	msedge.exe	83
PID 3100 wrote to memory of 4180	3100	msedge.exe	83
PID 3100 wrote to memory of 4180	3100	msedge.exe	83
PID 3100 wrote to memory of 4180	3100	msedge.exe	83
PID 3100 wrote to memory of 4180	3100	msedge.exe	83
PID 3100 wrote to memory of 4180	3100	msedge.exe	83
PID 3100 wrote to memory of 4180	3100	msedge.exe	83
PID 3100 wrote to memory of 4180	3100	msedge.exe	83
PID 3100 wrote to memory of 4180	3100	msedge.exe	83
PID 3100 wrote to memory of 4180	3100	msedge.exe	83
PID 3100 wrote to memory of 4180	3100	msedge.exe	83
PID 3100 wrote to memory of 4180	3100	msedge.exe	83
PID 3100 wrote to memory of 4180	3100	msedge.exe	83
PID 3100 wrote to memory of 4180	3100	msedge.exe	83
PID 3100 wrote to memory of 4180	3100	msedge.exe	83
PID 3100 wrote to memory of 4180	3100	msedge.exe	83
PID 3100 wrote to memory of 4180	3100	msedge.exe	83
PID 3100 wrote to memory of 4180	3100	msedge.exe	83
PID 3100 wrote to memory of 4180	3100	msedge.exe	83
PID 3100 wrote to memory of 4180	3100	msedge.exe	83
PID 3100 wrote to memory of 4180	3100	msedge.exe	83
PID 3100 wrote to memory of 4180	3100	msedge.exe	83
PID 3100 wrote to memory of 4180	3100	msedge.exe	83
PID 3100 wrote to memory of 4180	3100	msedge.exe	83
PID 3100 wrote to memory of 4180	3100	msedge.exe	83
PID 3100 wrote to memory of 4180	3100	msedge.exe	83
PID 3100 wrote to memory of 4180	3100	msedge.exe	83
PID 3100 wrote to memory of 4180	3100	msedge.exe	83
PID 3100 wrote to memory of 4180	3100	msedge.exe	83
PID 3100 wrote to memory of 4180	3100	msedge.exe	83
PID 3100 wrote to memory of 4180	3100	msedge.exe	83
PID 3100 wrote to memory of 4180	3100	msedge.exe	83
PID 3100 wrote to memory of 4180	3100	msedge.exe	83
PID 3100 wrote to memory of 4180	3100	msedge.exe	83
PID 3100 wrote to memory of 4180	3100	msedge.exe	83
PID 3100 wrote to memory of 3972	3100	msedge.exe	84
PID 3100 wrote to memory of 3972	3100	msedge.exe	84
PID 3100 wrote to memory of 1164	3100	msedge.exe	85
PID 3100 wrote to memory of 1164	3100	msedge.exe	85
PID 3100 wrote to memory of 1164	3100	msedge.exe	85
PID 3100 wrote to memory of 1164	3100	msedge.exe	85
PID 3100 wrote to memory of 1164	3100	msedge.exe	85
PID 3100 wrote to memory of 1164	3100	msedge.exe	85
PID 3100 wrote to memory of 1164	3100	msedge.exe	85
PID 3100 wrote to memory of 1164	3100	msedge.exe	85
PID 3100 wrote to memory of 1164	3100	msedge.exe	85
PID 3100 wrote to memory of 1164	3100	msedge.exe	85
PID 3100 wrote to memory of 1164	3100	msedge.exe	85
PID 3100 wrote to memory of 1164	3100	msedge.exe	85
PID 3100 wrote to memory of 1164	3100	msedge.exe	85
PID 3100 wrote to memory of 1164	3100	msedge.exe	85
PID 3100 wrote to memory of 1164	3100	msedge.exe	85
PID 3100 wrote to memory of 1164	3100	msedge.exe	85
PID 3100 wrote to memory of 1164	3100	msedge.exe	85
PID 3100 wrote to memory of 1164	3100	msedge.exe	85
PID 3100 wrote to memory of 1164	3100	msedge.exe	85
PID 3100 wrote to memory of 1164	3100	msedge.exe	85

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/Da2dalus/The-MALWARE-Repo.git
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd0c6c46f8,0x7ffd0c6c4708,0x7ffd0c6c4718
  2⤵
  PID:2368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2040,18422814927986143428,10371043127529406900,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2076 /prefetch:2
  2⤵
  PID:4180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2040,18422814927986143428,10371043127529406900,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2040,18422814927986143428,10371043127529406900,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2636 /prefetch:8
  2⤵
  PID:1164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,18422814927986143428,10371043127529406900,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:2772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,18422814927986143428,10371043127529406900,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:4108
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2040,18422814927986143428,10371043127529406900,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5432 /prefetch:8
  2⤵
  PID:1968
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2040,18422814927986143428,10371043127529406900,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5432 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2040,18422814927986143428,10371043127529406900,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5044 /prefetch:8
  2⤵
  PID:3456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,18422814927986143428,10371043127529406900,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5028 /prefetch:1
  2⤵
  PID:1492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2040,18422814927986143428,10371043127529406900,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6124 /prefetch:8
  2⤵
  PID:1504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,18422814927986143428,10371043127529406900,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2016 /prefetch:1
  2⤵
  PID:1668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,18422814927986143428,10371043127529406900,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2268 /prefetch:1
  2⤵
  PID:3888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,18422814927986143428,10371043127529406900,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:1
  2⤵
  PID:3156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,18422814927986143428,10371043127529406900,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6204 /prefetch:1
  2⤵
  PID:2636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2040,18422814927986143428,10371043127529406900,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6264 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4604
- C:\Users\Admin\Downloads\WannaCry.exe
  "C:\Users\Admin\Downloads\WannaCry.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4816
- C:\Users\Admin\Downloads\WannaCry.exe
  "C:\Users\Admin\Downloads\WannaCry.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:2464
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 240831735420917.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1916
  - - C:\Windows\SysWOW64\cscript.exe
      cscript //nologo c.vbs
      4⤵
      System Location Discovery: System Language Discovery
      PID:4540
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe f
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4956
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im MSExchange*
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:724
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Microsoft.Exchange.*
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2924
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sqlserver.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:264
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sqlwriter.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2832
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe c
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3024
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c start /b !WannaDecryptor!.exe v
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4700
  - - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
      !WannaDecryptor!.exe v
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1016
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:412
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3736
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe
    3⤵
    - Executes dropped EXE
    - Sets desktop wallpaper using registry
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:1336

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2744

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4700

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
dc058ebc0f8181946a312f0be99ed79c

SHA1
0c6f376ed8f2d4c275336048c7c9ef9edf18bff0

SHA256
378701e87dcff90aa092702bc299859d6ae8f7e313f773bf594f81df6f40bf6a

SHA512
36e0de64a554762b28045baebf9f71930c59d608f8d05c5faf8906d62eaf83f6d856ef1d1b38110e512fbb1a85d3e2310be11a7f679c6b5b3c62313cc7af52aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a0486d6f8406d852dd805b66ff467692

SHA1
77ba1f63142e86b21c951b808f4bc5d8ed89b571

SHA256
c0745fd195f3a51b27e4d35a626378a62935dccebefb94db404166befd68b2be

SHA512
065a62032eb799fade5fe75f390e7ab3c9442d74cb8b520d846662d144433f39b9186b3ef3db3480cd1d1d655d8f0630855ed5d6e85cf157a40c38a19375ed8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
f7ad9dd3b8c7fb110884eaca96ab8921

SHA1
d206dcbb89a9a349f89eeb62f88d43c2a390d68b

SHA256
bfe291ce2aff85eb70f1bfbb4c9e5b318cdab0fd46db230787c5ff1413e571e2

SHA512
ba6e5a1417adbbed5378f7365b61fd257a0e7f8c8ad409ce697816d35378574df6ab53619c8892686afc15c9ef1ade7fa7c3f66ee95cbfe5d70fbba7fab48031

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
579B

MD5
c8f297c81963ae5d0233e8eb7b9674f4

SHA1
2a5439622a7e1465dc5225cad7e79d2c6e05070b

SHA256
d2b0ec6b8ccb6bbcccfb071565890ac3706acd2a141597159f8aba7942ccedf8

SHA512
62f973541648b4c1d5162cbf3f1c318a8123f9c7e038e8514b84c12d20d376bda7f79ee1ca28a4f140dc3e2ff00fd31e94835f196cbe1d133bf728eeffabbc5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
493ea3546d336e37b66885b76dc7bbc6

SHA1
d3f38d39e86d9976239f7f49da4c284b973ce465

SHA256
1d7cc0aa0db5734c61a0753a1db13468def6895579c9592115e00b19d3d9d97d

SHA512
7480001dcbaa0d8e3012d02a5cbae365c767be6ac36797e0ec1a46a3f28522c9c18644fcb411636a3301e0d7a49e5a5bb340a207ffcfa5920eb9c0293b9eb0ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
245cd17864959b723b49a838b5c001f7

SHA1
80fa664f83c90bf92cd0d4197578eedb93e1e6a7

SHA256
5db7ec4135e832293dbc3b6edd18cc534b302299373564f9312ee7686b584443

SHA512
ff264b5b651c79b38a7ae1f68fac72fc6fcbae195713368f3813547809ae273543cf28ac1c0c8e2548b0794b937b05dfc7e449dc07017c3612ae396d33065d26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3907655a70a4804ac4962c2d22e3e3c1

SHA1
88ca83c095591d42ee5284c892778461499a4bb9

SHA256
e8f7f8f402f8d1a63f223a4d8929885ed63401ea969756965e9c79407c1dad26

SHA512
7012562565bfd022a2763049d3311aabe10cc86245b7305b22cedd9ede04f54bf29104cc3d6f3197cd456b36df5442ef5c55086c01ab4fee473346066e1d049f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
6c6c9be74f16249158c7f0a8fdd9d8b1

SHA1
12d043f79cffa66baa75f72b25f34911a335db26

SHA256
c91b5c51372063d2c4486cb27c457a9232eeab961a07f7a3cdaf6469c32142f0

SHA512
9e4c754c630bc4b5961f8a2ee1ccbfb1841d9c39693dea4cfb9e1d83037da6a79747cd6fda0b48133aa2f6d6080f0c6e704f1f3e787ed0133740f08cbd50c386

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
efec756fb18ef71e81533990707dd696

SHA1
cdcf7d1ca62ba12c5be5c546479dec8fee55c146

SHA256
1800c209df8f71a9a489c7a2aeecb3a797b3078c527d3ea6ff38a5762c6a7423

SHA512
ece77fbad3fa88c21c38dbd2e0f889213b3efca4566da71103629f0a00e045dc95f11cd6001978fbc8f3e1c1bb5f82c27fe3b38e705435674a50ed078f783f7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
661545751b93d32c00b1cdd4079fdefd

SHA1
45b995d27329fd1948649ebc65be58f25451c44e

SHA256
d722cbea7ba9fe65530eace5efec2cdfbc7381ebfffe5c0a92f8f4912ec0782d

SHA512
14a9f0971657d4c0198edd6655ac81701a4eb66de3651daab7a2311cb749a3a1c7f28359b4a99d14ed87e98e8099f79cfb1c08db3f2f375aa1863f7513435a8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
27cc5b785708756ef14ef103e81b5a98

SHA1
6a741b19f2e8c9019c5d19e93ab9177f6061fbe2

SHA256
b28d3bae62a1be7bd660c2fad87874ef357808b212faead9b2198c73b7520cbf

SHA512
82f448a8dce49c76919e9e10e2e189e978accd9efef9b3bea8850d4a4bdd75f3a8b4d2896202a460f1ca9211d2e9b0cadd2a74eeaa28cd0f465b0fe9e91a45f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57e956.TMP

Filesize
874B

MD5
a32c21e48569d6ad3987afcbbff59005

SHA1
2209f6df5344df23739be14732aa780d7c02c8a8

SHA256
1d0bcc18c218ededb9639df066d5916a9e51e60d19a7def516a77ac6773cc317

SHA512
0a82789aed58e98e94e244f9b8fad883746d62d8191384e7e060bfa07e914fb5ecfb4a974a4b827c07dc99e7ad37f14165b6b0c6ee09d9c2158bd207d685ac21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
d905e78b3cc1ab3594c66027f8f29735

SHA1
36d7599b424c88185b01c4ad8cc4f23994db2b6e

SHA256
7adc1656093745b48270eaa1568cb04a17a59c5ea55d2aa11f5352b1e0475037

SHA512
7038925cda2d33868d90e3c3b15fd4e0fbd457b483c24e9b1496ea6e17e9fdfc343e6d8fd68ecf25da20c6cf7ccf54b197b880cd009b83a1fb408956d75c4d8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
8e2896c48eafc91f39966199ebdeee12

SHA1
08683f8a7f69ee5113ec980e57c684cc1cdf1415

SHA256
70e34fc41eceff652b59a3a92b462861cebec512f51d4c8e41a329371995f158

SHA512
424a77b1163b56f9c22aadc9fd0c838d127bb946bc2fd8f3dc55dbf3e6f9edb2f614bd3faa126663cbfb8a6dbf45e6d351ff7dcd47077ed59229679970821dde

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
f8d8b4ff10d63f3193daa9a70d455b5e

SHA1
725f0bfb631ae02f262af7e3b229bd260169e212

SHA256
0912399669577ed359a9fe0cccbf563e2c00330bca6a3cb50ea4ff871ab3be08

SHA512
b98c31e36d680846203e30eef15e4ffd4715efa05f144ff9b44ba939775894664cf9d0a4a72c2f77df8d6af485b1d71bc95a3b68d059110443b52b033531fe17

Download Submit
C:\Users\Admin\Downloads\!Please Read Me!.txt

Filesize
797B

MD5
afa18cf4aa2660392111763fb93a8c3d

SHA1
c219a3654a5f41ce535a09f2a188a464c3f5baf5

SHA256
227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0

SHA512
4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b

Download Submit
C:\Users\Admin\Downloads\!WannaDecryptor!.exe.lnk

Filesize
590B

MD5
d6a52b0263ae18c6c88bfee3784bb07b

SHA1
6b987de0e81e580eccf53642373fb8c5e5e1fcb4

SHA256
17107da469a4b35b82cbff69a467d8bf3a7f765fa468859d9d62374b5b85aafb

SHA512
3657bd6924b90bae8f5933569dd4e0067cc79fe88521b3938d968444878c09ae7e82a19fdae1c5b26f02b711f85d8e7799a73d11c08270d6cf17409051d0b5c1

Download Submit
C:\Users\Admin\Downloads\00000000.res

Filesize
136B

MD5
dc70387972dbc790745072c4b82d9bce

SHA1
2f9d4906aed11c6b5310a58a47433cd64d71f7db

SHA256
4a58570c5f70daaab553c453f02264d7e2891b2d07cc4425c557067a64b6673c

SHA512
2f28160b781a46e675692f73d85bb14969ac64509d35ff8eb84362f357213784d654e72bfcf3b7227585162179bf491d6487f66c2be429b4558192e89c02df24

Download Submit
C:\Users\Admin\Downloads\00000000.res

Filesize
136B

MD5
f1c258d55cd4523528ebbe47eb15ca68

SHA1
7070c600af6675916adc6ffadd186fc0bbe5abd4

SHA256
b8502471ae70a56964418048570989784c42390638244feca63c0f81825add09

SHA512
6b07175492e0113b7ba602128b9b8d618d5653d277335ce4964e3c38a2ef74850eb99eac08d8d5532217ca4542f6df627437291f553bce7d1e998c1ce692fd6f

Download Submit
C:\Users\Admin\Downloads\00000000.res

Filesize
136B

MD5
49375e09517ad37bae4bc8c94a2f87f9

SHA1
707fc2673c4a5f20185220a8ffc859a057b50c04

SHA256
c0c8e619aed48ece90d5ac1817cec90207cc49bc84c121537b1b4580acf03e3c

SHA512
61203d428f0c60c4fa91aa7ff711652724c75fbd03164eb9fda010cd06fdee7ca97da5e0c2cc52d793dacb4a334d5297d32465b9c192bd194911669aea8474e3

Download Submit
C:\Users\Admin\Downloads\240831735420917.bat

Filesize
318B

MD5
a261428b490a45438c0d55781a9c6e75

SHA1
e9eefce11cefcbb7e5168bfb8de8a3c3ac45c41e

SHA256
4288d655b7de7537d7ea13fdeb1ba19760bcaf04384cd68619d9e5edb5e31f44

SHA512
304887938520ffcc6966da83596ccc8688b7eace9572982c224f3fb9c59e6fb2dcaa021a19d2aae47346e954c0d0d8145c723b7143dece11ac7261dc41ba3d40

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 523666.crdownload

Filesize
224KB

MD5
5c7fb0927db37372da25f270708103a2

SHA1
120ed9279d85cbfa56e5b7779ffa7162074f7a29

SHA256
be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844

SHA512
a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f89224c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206

Download Submit
C:\Users\Admin\Downloads\c.vbs

Filesize
201B

MD5
02b937ceef5da308c5689fcdb3fb12e9

SHA1
fa5490ea513c1b0ee01038c18cb641a51f459507

SHA256
5d57b86aeb52be824875008a6444daf919717408ec45aff4640b5e64610666f1

SHA512
843eeae13ac5fdc216b14e40534543c283ecb2b6c31503aba2d25ddd215df19105892e43cf618848742de9c13687d21e8c834eff3f2b69a26df2509a6f992653

Download Submit
C:\Users\Admin\Downloads\c.wry

Filesize
628B

MD5
470f43ad2e2f09e10f85d5a44fc1f6f9

SHA1
8d803a5f9f73271752e87a5ba647bea3c6f089b3

SHA256
079faf37f48f89df649f027e51a9e2aca213afe63279baa171dbd9339a40f27a

SHA512
5b108edeba133dcaa988304a593c693b9ccb872c8c7719a0830dbce86632f38288de213333aebb5620b0498b07110233df50b5b0ea317e8cb9f78db476554a48

Download Submit
C:\Users\Admin\Downloads\c.wry

Filesize
628B

MD5
663e55df21852bc8870b86bc38e58262

SHA1
1c691bf030ecfce78a9476fbdef3afe61724e6a9

SHA256
bf22e8e18db1638673f47591a13d18ee58d8c6019314bab5a90be82ae3dc9538

SHA512
6a54be1fa549633a2fd888c559207437b8f6efda98bb18d491c8749f39e9754f1e680fa8e2d623777b5f665b2c04d19385c75ce4e61fb251db16018963a9a6f9

Download Submit
C:\Users\Admin\Downloads\m.wry

Filesize
42KB

MD5
980b08bac152aff3f9b0136b616affa5

SHA1
2a9c9601ea038f790cc29379c79407356a3d25a3

SHA256
402046ada270528c9ac38bbfa0152836fe30fb8e12192354e53b8397421430d9

SHA512
100cda1f795781042b012498afd783fd6ff03b0068dbd07b2c2e163cd95e6c6e00755ce16b02b017693c9febc149ed02df9df9b607e2b9cca4b07e5bd420f496

Download Submit
C:\Users\Admin\Downloads\r.wry

Filesize
729B

MD5
880e6a619106b3def7e1255f67cb8099

SHA1
8b3a90b2103a92d9facbfb1f64cb0841d97b4de7

SHA256
c9e9dc06f500ae39bfeb4671233cc97bb6dab58d97bb94aba4a2e0e509418d35

SHA512
c35ca30e0131ae4ee3429610ce4914a36b681d2c406f67816f725aa336969c2996347268cb3d19c22abaa4e2740ae86f4210b872610a38b4fa09ee80fcf36243

Download Submit
C:\Users\Admin\Downloads\t.wry

Filesize
68KB

MD5
5557ee73699322602d9ae8294e64ce10

SHA1
1759643cf8bfd0fb8447fd31c5b616397c27be96

SHA256
a7dd727b4e0707026186fcab24ff922da50368e1a4825350bd9c4828c739a825

SHA512
77740de21603fe5dbb0d9971e18ec438a9df7aaa5cea6bd6ef5410e0ab38a06ce77fbaeb8fc68e0177323e6f21d0cee9410e21b7e77e8d60cc17f7d93fdb3d5e

Download Submit
C:\Users\Admin\Downloads\u.wry

Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
memory/2464-297-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download