Analysis
-
max time kernel
148s
-
max time network
121s
-
platform
windows7_x64
-
resource
win7-20240215-en
-
resource tags
arch:x64 arch:x86 image:win7-20240215-en locale:en-us os:windows7-x64 system
-
submitted
11-05-2024 03:04
Static task
static1
Behavioral task
behavioral1
Sample
be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844.exe
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844.exe
Resource
win10v2004-20240426-en
General
-
Target
be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844.exe
-
Size
224KB
-
MD5
5c7fb0927db37372da25f270708103a2
-
SHA1
120ed9279d85cbfa56e5b7779ffa7162074f7a29
-
SHA256
be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844
-
SHA512
a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f89224c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206
-
SSDEEP
3072:Y059femWRwTs/dbelj0X8/j84pcRXPlU3Upt3or4H84lK8PtpLzLsR/EfcZ:+5RwTs/dSXj84mRXPemxdBlPvLzLeZ
Malware Config
Extracted
C:\Users\Admin\Documents\!Please Read Me!.txt
wannacry
15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Drops startup file 1 IoCs
Processes:
description: File opened for modification
ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD1BF9.tmp
process: be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844.exe
-
Executes dropped EXE 4 IoCs
Processes:
pid   process
2472  !WannaDecryptor!.exe
320   !WannaDecryptor!.exe
2696  !WannaDecryptor!.exe
2784  !WannaDecryptor!.exe
-
Loads dropped DLL 9 IoCs
Processes:
pid   process
2712  cscript.exe
2372  be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844.exe
2372  be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844.exe
2372  be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844.exe
2372  be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844.exe
816   cmd.exe
816   cmd.exe
2372  be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844.exe
2372  be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description: Set value (str)
ioc: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844.exe\" /r"
process: be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844.exe
-
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
Processes:
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp"
process: !WannaDecryptor!.exe

description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Pictures\\My Wallpaper.jpg"
process: !WannaDecryptor!.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
pid   process
2056  vssadmin.exe
-
Kills process with taskkill 4 IoCs
Processes:
pid   process
1968  taskkill.exe
2544  taskkill.exe
348   taskkill.exe
1644  taskkill.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid   process
2784  !WannaDecryptor!.exe
-
Suspicious use of AdjustPrivilegeToken 47 IoCs
-
Suspicious use of SetWindowsHookEx 8 IoCs
Processes:
pid   process
2472  !WannaDecryptor!.exe
2472  !WannaDecryptor!.exe
320   !WannaDecryptor!.exe
320   !WannaDecryptor!.exe
2696  !WannaDecryptor!.exe
2696  !WannaDecryptor!.exe
2784  !WannaDecryptor!.exe
2784  !WannaDecryptor!.exe
-
Suspicious use of WriteProcessMemory 56 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
[depth 1] C:\Users\Admin\AppData\Local\Temp\be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844.exe
command line: "C:\Users\Admin\AppData\Local\Temp\be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844.exe"
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID: 2372
-
[depth 2] C:\Windows\SysWOW64\cmd.exe
command line: cmd /c 271511715396691.bat
- Suspicious use of WriteProcessMemory
PID: 1580
-
[depth 3] C:\Windows\SysWOW64\cscript.exe
command line: cscript //nologo c.vbs
- Loads dropped DLL
PID: 2712
-
[depth 2] C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
command line: !WannaDecryptor!.exe f
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID: 2472
-
[depth 2] C:\Windows\SysWOW64\taskkill.exe
command line: taskkill /f /im MSExchange*
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID: 1968
-
[depth 2] C:\Windows\SysWOW64\taskkill.exe
command line: taskkill /f /im Microsoft.Exchange.*
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID: 2544
-
[depth 2] C:\Windows\SysWOW64\taskkill.exe
command line: taskkill /f /im sqlserver.exe
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID: 348
-
[depth 2] C:\Windows\SysWOW64\taskkill.exe
command line: taskkill /f /im sqlwriter.exe
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID: 1644
-
[depth 2] C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
command line: !WannaDecryptor!.exe c
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID: 320
-
[depth 2] C:\Windows\SysWOW64\cmd.exe
command line: cmd.exe /c start /b !WannaDecryptor!.exe v
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 816
-
[depth 3] C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
command line: !WannaDecryptor!.exe v
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 2696
-
[depth 4] C:\Windows\SysWOW64\cmd.exe
command line: cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
- Suspicious use of WriteProcessMemory
PID: 1412
-
[depth 5] C:\Windows\SysWOW64\vssadmin.exe
command line: vssadmin delete shadows /all /quiet
- Interacts with shadow copies
PID: 2056
-
[depth 5] C:\Windows\SysWOW64\Wbem\WMIC.exe
command line: wmic shadowcopy delete
- Suspicious use of AdjustPrivilegeToken
PID: 1496
-
[depth 2] C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
command line: !WannaDecryptor!.exe
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID: 2784
-
[depth 1] C:\Windows\system32\vssvc.exe
command line: C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken
PID: 560
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe
Filesize: 236KB
-
C:\Users\Admin\AppData\Local\Temp\!WannaDecryptor!.exe.lnk
Filesize: 921B
-
C:\Users\Admin\AppData\Local\Temp\00000000.res
Filesize: 136B
-
C:\Users\Admin\AppData\Local\Temp\00000000.res
Filesize: 136B
-
C:\Users\Admin\AppData\Local\Temp\00000000.res
Filesize: 136B
-
C:\Users\Admin\AppData\Local\Temp\271511715396691.bat
Filesize: 336B
-
C:\Users\Admin\AppData\Local\Temp\c.vbs
Filesize: 219B
-
C:\Users\Admin\AppData\Local\Temp\c.wry
Filesize: 628B
-
C:\Users\Admin\AppData\Local\Temp\m.wry
Filesize: 42KB
-
C:\Users\Admin\Documents\!Please Read Me!.txt
Filesize: 797B
-
memory/2372-6-0x0000000010000000-0x0000000010012000-memory.dmp
Filesize: 72KB